Smokes your problems, coughs fresh air.

Tag: vpn

Openswan random failures

I have an annoying problem with my Openswan VPN server. When I connect from a Windows XP machine, from that point on, I can only connect with that machine (or perhaps other Windows XP machines as well). On the other hand, when I connect with a Windows 7 machine first, connecting from Windows XP is no longer possible.

This is the error I get:

ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory

If I restart ipsec after each session, it works. So, I put this in /etc/ppp/ip-down.d/99-ipsec-restart:

#!/bin/sh

/etc/init.d/ipsec restart

A super ugly hack that makes it impossible to connect twice, but it’s better than not at all…

Versions:

Openswan: 2.6.37-1
xl2tpd: 3.1+dfsg-1
Ubuntu 12.04

Setting up pptpd and pptp for a VPN

Compiled from several sources; I’m keeping it as simple as possible.

The serverside LAN in this example is 10.50.0.0/16.

On the server, install pptpd. Then edit /etc/pptpd.conf and set:

# This is the IP the server will have from the client's perspective. It should be the server's local IP.
localip 10.50.0.1
# And from this range, the client IPs will be given. Here, the range 10.50.91.x is reserved for VPN hosts.
remoteip 10.50.91.1-254

Then edit /etc/ppp/pptpd-options and set options (comments have been removed from this example):

name my-pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp

Then restart pptpd.

Then edit accounts in /etc/ppp/chap-secrets. Example:

user            my-pptpd   password                       *

On the client, /etc/ppp/options.pptp (comments once again removed):

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

/etc/ppp/chap-secrets:

user      my-pptpd    password        *

Then make /etc/ppp/peers/johnsvpn:

pty "pptp hostname --nolaunchpppd"
name user
remotename my-pptpd
require-mppe-128
file /etc/ppp/options.pptp
ipparam johnsvpn

You should then be able to turn it on with “pon johnsvpn”. Use poff to turn it off.

To be able to access the entire LAN from the client, run this:

route add -net 10.50.0.0 netmask 255.255.0.0 dev ppp0

More is necessary, like permanent host-to-LAN config (with route pushing or something), DNS, testing if Windows works, etc. More is to come.
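The route command above has to be repeated after every connect. Because the peer file sets ipparam johnsvpn, pppd hands that name to every script in /etc/ppp/ip-up.d/ as its sixth argument, so a hook can add the LAN route for this connection only. This is an added example, not from the original post; the script name johnsvpn-route and the IP_CMD override are assumptions.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-up.d/johnsvpn-route (file name is an assumption).
# pppd invokes ip-up scripts as:
#   <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# so $1 is e.g. ppp0 and $6 is the value of the "ipparam" line in the peer file.

LAN_NET="10.50.0.0/16"   # server-side LAN from the post
VPN_NAME="johnsvpn"      # must match "ipparam johnsvpn" in /etc/ppp/peers/johnsvpn
IP_CMD="${IP_CMD:-ip}"   # overridable so the logic can be dry-run (assumption)

# add_lan_route IFACE IPPARAM
# Installs the LAN route on IFACE, but only for the named VPN peer and only
# on a ppp interface; returns 1 and touches nothing otherwise, so any other
# PPP link on the box (a DSL uplink, say) never gets the route by accident.
add_lan_route() {
    iface="$1"
    ipparam="$2"
    [ "$ipparam" = "$VPN_NAME" ] || return 1
    case "$iface" in
        ppp[0-9]*) ;;
        *) return 1 ;;
    esac
    # "replace" is idempotent: re-running on reconnect does not error out.
    "$IP_CMD" route replace "$LAN_NET" dev "$iface"
}

# Only act when called by pppd with the full argument set.
if [ "$#" -ge 6 ]; then
    add_lan_route "$1" "$6"
fi
```

Make the file executable (run-parts skips non-executable hooks); no ip-down counterpart is needed, because the route disappears together with the ppp interface.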

Configuring VPN server and client on Linux

Basically, there are two types of VPNs: IP routed and Ethernet bridged. I configured an IP routed VPN, based on this document.

First you need to generate certificates. The example scripts for that are located in “/usr/share/doc/openvpn/examples/easy-rsa/2.0”. I copied these to /etc/openvpn/easy-rsa for convenience.

cd to /etc/openvpn/easy-rsa and edit vars to enter the data that is going to be included in your certificates. You can also set the expiration time and key size here. Then do:

source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-key client3   # repeat as necessary; you can also name the keys properly, of course
./build-dh

Then I’d copy the keys dir to /etc/openvpn.

You need to copy ca.crt to each client, plus that client’s own clientx.crt and clientx.key.

The server conf is this:

port 1194
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh2048.pem
server 10.66.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Redirect all traffic through VPN by setting 'almost default' gateway
push 'redirect-gateway def1'
# Replace DNS config with a server you specify, which can be accessed on the VPN.
push "dhcp-option DNS 10.66.0.1"

Then on the server, you need to configure SNAT (I don’t know if you also need to put “net.ipv4.ip_forward = 0” in /etc/sysctl.conf). If I understand correctly, you need one such rule per eth device you have. If you have a machine with both a WAN and a LAN interface and you want VPN users to reach both the local net and the internet, you need a rule like this for both interfaces.

# The source net must match the "server" line in the config above (10.66.0.0/16).
iptables -t nat -A POSTROUTING -s 10.66.0.0/16 -o lan-eth-device -j MASQUERADE --match comment --comment "Allow VPN users to connect to things on this LAN."

Then on the client:

client
dev tun0
proto udp
remote <serveraddress> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3

You should then be able to connect. Remember to allow iptables access on all the machines. Configuring a proper firewall can be tricky. You can’t just use simple connection tracking; you must allow certain forward rules on the server (and on the client as well, I believe). On the client, you must allow everything on the input with UDP source port 1194. On the server, you must open incoming UDP target port 1194 as well, of course.
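The paragraph above leaves the actual server-side rules to the reader. The added script below is not from the original post; it is one way to do it: turn forwarding on, open only UDP 1194 on the WAN side, let VPN clients out to the LAN and the internet, and let only connection-tracked replies back into tun0 (rather than matching on a source port). The interface names eth0/eth1 and the IPT/SYSCTL overrides are assumptions; the VPN net is the one from the server config.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names are assumptions.
WAN_IF="${WAN_IF:-eth0}"   # internet-facing device
LAN_IF="${LAN_IF:-eth1}"   # local network device
TUN_IF="${TUN_IF:-tun0}"   # "dev tun0" from the server config
VPN_NET="10.66.0.0/16"     # must equal the "server 10.66.0.0 255.255.0.0" line
IPT="${IPT:-iptables}"     # overridable so the rule set can be previewed
SYSCTL="${SYSCTL:-sysctl}"

# Emits (or applies) the OpenVPN-related rules. Assumes INPUT and FORWARD
# already end in a DROP policy; nothing here opens more than it needs.
openvpn_server_rules() {
    # FORWARD and MASQUERADE rules do nothing while forwarding is disabled.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # Tunnel endpoint: only UDP 1194 on the WAN side, plus replies to
    # connections the server itself accepted or initiated.
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Per outgoing device: clients may go out, only tracked replies come back,
    # and the VPN net is masqueraded behind that device's address.
    for out_if in "$LAN_IF" "$WAN_IF"; do
        "$IPT" -A FORWARD -i "$TUN_IF" -o "$out_if" -s "$VPN_NET" -j ACCEPT
        "$IPT" -A FORWARD -i "$out_if" -o "$TUN_IF" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$out_if" -j MASQUERADE
    done
}

# "sh vpn-fw.sh apply" installs the rules;
# "IPT=echo SYSCTL=echo sh vpn-fw.sh apply" only prints them.
if [ "${1:-}" = apply ]; then
    openvpn_server_rules
fi
```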

How to include the config in the boot procedure depends on the distro you’re using. Debian starts all config files by default (which can be configured in /etc/default/openvpn); Gentoo needs a specially named symlink in /etc/init.d.

© 2024 BigSmoke
