
Configuring VPN connection with l2tp + ipsec using OpenVZ container as server

Hello,

Not so long ago, the OpenVZ team released a new kernel with IPsec support inside containers. I have long wanted to drop third-party software on my local Windows machine and instead set up a secure VPN channel with the operating system's own client. The server will be a Debian 7 container on OpenVZ, the client the standard Windows VPN client, and authentication will be by pre-shared key (PSK).


First of all, enable the net_admin capability for the container and give the container access to the ppp device, as described in the developers' hint:
 vzctl set CTID --capability net_admin:on --save
 vzctl set CTID --devices c:108:0:rw --save
 vzctl restart CTID

Inside the container, create the ppp device node and set the correct permissions on it:
 mknod /dev/ppp c 108 0
 chmod 600 /dev/ppp


Load the necessary modules on the hardware node (HN) with modprobe:
 modprobe ppp_async
 modprobe pppol2tp
 modprobe xfrm4_mode_transport
 modprobe xfrm4_mode_tunnel
 modprobe xfrm_ipcomp
 modprobe esp4


Inside the container we will use openswan as the IPsec daemon and the standard xl2tpd from the repositories as the l2tp server:
 apt-get install openswan xl2tpd


Next, enable forwarding and configure the rest of the network subsystem so that NAT and the VPN work correctly (replace <main IP of server> with the server's external address):
 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source <main IP of server>
 iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
 iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done


Let's start configuring the IPsec daemon.

Bring the config /etc/ipsec.conf to the following form:
 config setup
     protostack=netkey
     nat_traversal=yes                      # Enables NAT traversal
     virtual_private=%v4:192.168.1.0/8      # with this option you can add your local IP in NAT

 conn L2TP-PSK-NAT
     rightsubnet=vhost:%priv
     also=L2TP-PSK-noNAT

 conn L2TP-PSK-noNAT
     authby=secret                          # Auth with PSK (pre-shared key)
     pfs=no
     auto=add
     keyingtries=3
     rekey=no
     ikelifetime=8h
     salifetime=10m
     type=tunnel                            # type of l2tp connection (tunnel / transport)
     left=11.11.11.11                       # left is the Internet IP of the l2tp server
     leftprotoport=17/1701
     right=%any                             # right is the IP of the client (if the client is NATed, this is its IP inside the NAT)
     rightprotoport=17/1701

The most important settings in the config are commented. Remember to reproduce the config exactly as above, keeping the leading spaces on the indented lines: the daemon assigns each indented parameter to the preceding "conn" (or "config setup") block, so the indentation is not optional.

Now we will set up authentication for IPsec. There are two methods: by certificate and by pre-shared key (PSK). In this example we configure key authentication in the /etc/ipsec.secrets file:

 11.11.11.11 %any: PSK "mykey"


11.11.11.11 is the external IP address of our server.
%any is a built-in keyword matching any IP address.
PSK is the authentication method (RSA is also possible).
"mykey" is the secret key, which you will need to pass on to the client.
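As an added example (not code from the article), here is a small checker for the ipsec.conf block layout described above and for the matching ipsec.secrets line: it parses the indentation-based sections, resolves the also= include, and confirms that a PSK entry exists for the connection's left= address. The sample file contents are constructed from the article's configuration.

```python
# Added example, not from the article: check the openswan ipsec.conf / ipsec.secrets
# pair by parsing the indented block layout, resolving also=, and matching the PSK line.
IPSEC_CONF = """\
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret   # Auth with PSK
    left=11.11.11.11
    leftprotoport=17/1701
    rightprotoport=17/1701
"""
IPSEC_SECRETS = '11.11.11.11 %any: PSK "mykey"\n'

def parse_ipsec_conf(text):
    """{section: {key: value}}; indented lines belong to the nearest header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():             # unindented: 'conn NAME' etc.
            current = sections.setdefault(line.strip(), {})
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name, seen=()):
    """Merge also= targets recursively; keys set on the conn itself win."""
    assert name not in seen, "also= loop at %s" % name
    params = dict(sections["conn " + name])
    if "also" in params:
        params = {**resolve_conn(sections, params.pop("also"), seen + (name,)), **params}
    return params

def check_l2tp_psk(conf, secrets, conn="L2TP-PSK-NAT"):
    """Return a list of problems; an empty list means conf and secrets agree."""
    c = resolve_conn(parse_ipsec_conf(conf), conn)
    psk_hosts = [l.split(":")[0].split() for l in secrets.splitlines() if ": PSK " in l]
    problems = []
    if c.get("authby") != "secret":
        problems.append("authby is not 'secret'")
    if {c.get("leftprotoport"), c.get("rightprotoport")} != {"17/1701"}:
        problems.append("both protoports must be 17/1701 for L2TP")
    if not any(c.get("left") in h for h in psk_hosts):
        problems.append("no PSK entry for left=%s" % c.get("left"))
    return problems
```

Run check_l2tp_psk on the real files before restarting the daemon; a non-empty list points at the mismatch that would otherwise only show up as a failed IKE negotiation in syslog.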

Now it's time to set up the l2tp server. It works on top of the ppp protocol.

Bring the configuration /etc/xl2tpd/xl2tpd.conf to the following form:
 [global]
 port = 1701
 auth file = /etc/xl2tpd/l2tp-secrets     # auth file with login/password pairs for l2tp auth

 [lns default]
 ip range = 10.0.0.2-10.0.0.200           # range of IPs handed out to clients after successful auth
 local ip = 10.0.0.1
 refuse chap = yes
 refuse pap = yes
 require authentication = yes
 ppp debug = no                           # debug mode
 pppoptfile = /etc/ppp/options.xl2tpd     # this is the ppp options config file
 length bit = yes
 exclusive = no
 assign ip = yes
 name = VPN-Server

In this config, again, all the critical settings are commented, and the rest are self-explanatory. When writing the file on the server, the comments must be removed.

Configure the l2tp authentication file, /etc/xl2tpd/l2tp-secrets. In this file we allow everyone to connect: since l2tp runs over ppp for us, we will rely on ppp authentication instead.

 # Secrets for authenticating l2tp tunnels
 # us      them    secret
 # *       marko   blah2
 # zeus    marko   blah
 # *       *       interop
 * * *     # allow all, because we authenticate with ppp


Next, configure the ppp options file that our l2tp daemon refers to (/etc/ppp/options.xl2tpd):
 refuse-mschap-v2
 refuse-mschap
 ms-dns 8.8.8.8
 ms-dns 8.8.4.4
 asyncmap 0
 auth
 crtscts
 idle 1800
 mtu 1200
 mru 1200
 lock
 hide-password
 local
 #debug
 name l2tpd
 proxyarp
 lcp-echo-interval 30
 lcp-echo-failure 4


If you have trouble connecting, uncomment "#debug" to debug l2tp and look for errors in the system log, /var/log/syslog.

Configure ppp authentication (/etc/ppp/chap-secrets):
 # Secrets for authentication using CHAP
 # client    server    secret    IP addresses
 test2       l2tpd     test      *


Login: test2
Server for which this login/password pair is valid: l2tpd
Password: test
Clients from any IP address may connect with this password: *
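As an added example (not from the article), the following Python code strips the inline comments that the xl2tpd.conf above must not contain when written to the server, and cross-checks the three files that tie l2tp authentication together: the pppoptfile setting in xl2tpd.conf, the "name" in options.xl2tpd, and the server column of chap-secrets. The sample file contents are constructed from the article's configuration.

```python
# Added example, not from the article: strip the inline comments that xl2tpd.conf
# must not contain, then cross-check the ppp 'name' against chap-secrets' server column.
XL2TPD_CONF = """\
[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets # auth file with login/password pairs
[lns default]
ip range = 10.0.0.2-10.0.0.200 # range of IPs handed out to clients
local ip = 10.0.0.1
pppoptfile = /etc/ppp/options.xl2tpd # ppp options config file
name = VPN-Server
"""
PPP_OPTIONS = "refuse-mschap-v2\nms-dns 8.8.8.8\nauth\nname l2tpd\nproxyarp\n"
CHAP_SECRETS = "# client server secret IP addresses\ntest2 l2tpd test *\n"

def clean_xl2tpd_conf(text):
    """Return (cleaned_text, {section: {key: value}}) with '#' comments removed."""
    out, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        out.append(line)
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return "\n".join(out) + "\n", sections

def ppp_name(options_text):
    """Value of the 'name' option in a pppd options file, or None."""
    names = [l.split()[1] for l in options_text.splitlines() if l.split()[:1] == ["name"]]
    return names[0] if names else None

def chap_entries(secrets_text):
    """[(client, server, secret, ip_spec)] rows of chap-secrets, comments skipped."""
    rows = [l.split("#", 1)[0].split() for l in secrets_text.splitlines()]
    return [tuple(r) for r in rows if len(r) == 4]

def check_ppp_auth(xl2tpd_text, options_text, secrets_text):
    """Problems found when tying xl2tpd -> pppd options -> chap-secrets together."""
    _, sections = clean_xl2tpd_conf(xl2tpd_text)
    lns = sections.get("lns default", {})
    problems = []
    if "pppoptfile" not in lns:
        problems.append("lns default has no pppoptfile")
    name = ppp_name(options_text)
    usable = [e for e in chap_entries(secrets_text) if e[1] in (name, "*")]
    if not usable:
        problems.append("no chap-secrets entry for server %r" % name)
    return problems
```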

Restart both services:
 /etc/init.d/ipsec restart
 /etc/init.d/xl2tpd restart


Now let's check that the IPsec modules themselves are working inside the container:
 ipsec verify

The output of a working IPsec looks something like this:
 root@XXX:~# ipsec verify
 Checking your system to see if IPsec got installed and started correctly:
 Version check and ipsec on-path                               [OK]
 Linux Openswan U2.6.37-g955aaafb-dirty/K2.6.32-042stab084.10 (netkey)
 Checking for IPsec support in kernel                          [OK]
  SAref kernel support                                         [N/A]
  NETKEY:  Testing XFRM related proc values                    [OK]
                                                               [OK]
                                                               [OK]
 Checking that pluto is running                                [OK]
  Pluto listening for IKE on udp 500                           [OK]
  Pluto listening for NAT-T on udp 4500                        [OK]
 Checking for 'ip' command                                     [OK]
 Checking /bin/sh is not /bin/dash                             [WARNING]
 Checking for 'iptables' command                               [OK]
 Opportunistic Encryption Support


Now let's configure a client in Windows 7 to connect to our l2tp VPN with IPsec encryption.

First, create a new VPN connection. Everything is standard:
Start - Control Panel - Network and Sharing Center - Set up a new connection or network - Connect to a workplace - Use my Internet connection (VPN)

Next, specify the IP address or FQDN of the l2tp server.

Enter the l2tp username and password.


Do not connect yet; just close the connection settings.


Open the properties of the new connection and double-check that the server address was entered correctly (General tab).


On the "Security" tab, set the correct type for our connection (L2TP over IPsec) and enable authentication using CHAP. In the advanced L2TP settings, select authentication by pre-shared key and enter our PSK from IPsec.




Setup is over. Now you can use the new VPN connection.

Thanks for your attention.

Nikolay Vaganov, FastVPS LLC Senior System Administrator

UPD At the moment, the kernel specified in the article is unstable and is not installed on our nodes. I think that within a couple of weeks, kernel developers will include it in a stable branch.

Source: https://habr.com/ru/post/205162/
