OpenBSD Journal

L2TP/IPSec with OpenBSD and npppd

Contributed by jj on from the its-a-truck-not-a-series-of-tubes dept.

Maxim Bourmistrov writes in to share his L2TP/IPSEC setup using npppd.

An OpenBSD user since 3.2, I deploy OpenBSD on anything I want to be secure and stable (yes, even -current is STABLE, as long as you know what you are doing).

This guide is split into two sections. The first and major one is server-side configuration. The second is about what should be done on client-side. I use npppd both at home and at the office. My office setup is a bit more complicated than the one described here.

Read on for the story of how one man conquered his corner of the internet.

Server

The server needs to run OpenBSD 5.1-current with /usr/src populated according to the documentation. npppd is in development, so it is a good idea to keep your sources up to date, or you might miss an important patch.

1. Compile and Install

As npppd is not yet linked to the build, you have to compile it yourself:

cd /usr/src/usr.sbin/npppd && make depend && make && make install

2. Configuration

After that it is good practice to take a look at the HOWTO in the same directory, HOWTO_PIPEX_NPPPD.txt. There is no manual page for npppd yet, so further information can only be gathered by reading the source code. [this should change relatively quickly - ed.] The information Yasuoka provides in the above-mentioned HOWTO covers pretty much all we need for a basic setup; however, I'll write down my working home configuration here.

Let's start with pf.conf:

pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
pass on enc0 from any to any keep state (if-bound)

Now the IPSec part; isakmpd should start at boot and load its rules from ipsec.conf, so add the following to rc.conf:

isakmpd_flags="-K"

Then the ipsec.conf itself. Make sure to replace the IP 1.2.3.4 with your own external IP.

ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "password"

Finally, npppd.conf. At home I use RADIUS for authentication for a few reasons. If you plan to use a plain password file instead, uncomment the lines after "Local file authentication"; again, the HOWTO mentioned above explains how to create this file. My internal network is 192.168.78.x. 192.168.80.0/25 is the range from which clients connected through the VPN get their addresses, and 192.168.80.1 is their gateway to the internal network.

interface_list:                 tun0
interface.tun0.ip4addr:         192.168.80.1 

pool.dyna_pool:                 192.168.80.0/25
pool.pool:                      192.168.80.128/25

# Local file authentication
#auth.local.realm_list:                  local
#auth.local.realm.acctlist:              /etc/npppd/npppd-users.csv
#realm.local.concentrate:                tun0

#RADIUS authentication / accounting
auth.radius.realm_list:                radius
auth.radius.realm.server.address:      192.168.78.1:1812
auth.radius.realm.server.secret:       radius_password
auth.radius.realm.acct_server.address: 192.168.78.1:1813
auth.radius.realm.acct_server.secret:  radius_password
realm.radius.concentrate:              tun0

lcp.mru:                        1400
lcp.timeout:                    18
auth.method:                    mschapv2
ipcp.dns_primary:               192.168.78.123
ipcp.dns_secondary:             192.168.78.123
ipcp.assign_fixed:              true
ipcp.assign_userselect:         true

l2tpd.enable:                   true
#l2tpd.listener:                L2TP 4.3.2.1:1701
l2tpd.ip4_allow:                0.0.0.0/0
l2tpd.require_ipsec:            true
l2tpd.accept_dialin:            true
pipex.enabled:                  true

A note about l2tpd.listener: this configuration directive is for more advanced setups, for instance when you have a CARP'ed range of IP addresses and want npppd to listen on a specific one.

3. Start up

Apply the pf.conf first:

pfctl -f /etc/pf.conf

Then start isakmpd and apply the IPSec rules:

/etc/rc.d/isakmpd start
ipsecctl -f /etc/ipsec.conf

Now start npppd:

/usr/sbin/npppd -D

All debugging, in case of a misconfiguration or a non-working VPN, is done with isakmpd and npppd running in the foreground and tcpdump listening for the relevant packets on the relevant interfaces.

Client

Both OSX and Win7 offer to route ALL traffic via the VPN tunnel. Usually nobody wants this, so you have to disable it and set up routing manually. Until you do, DNS resolution over the tunnel will not work; for instance, I will not be able to reach my internal 192.168.78.123.

I use OSX, so I'll cover how to set up routing once the VPN is established. Basically we need a helper script. OSX runs it automatically; on Win7 it has to be executed with Administrative permissions.

[root@grey] [/etc/ppp] $ cat /etc/ppp/ip-up
#!/bin/sh

PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

HOME_GW="192.168.80.1"
HOME_NET="192.168.78.0/25"

OFFICE_GW="172.17.0.1"
OFFICE_NET="172.16.0.0/21"

NET=""

# Peer (gateway) address of the L2TP link; ifconfig prints
# "inet <local> --> <peer> netmask ...", so the peer is field 4.
# 'inet ' (with the space) keeps inet6 lines out of the match.
GW_FROM_L2TP=`ifconfig ppp0 | grep 'inet ' | awk '{print $4}'`

if [ "$GW_FROM_L2TP" = "$OFFICE_GW" ]
then
	NET=$OFFICE_NET
fi

if [ "$GW_FROM_L2TP" = "$HOME_GW" ]
then
	NET=$HOME_NET
fi

# Only add a route when the peer matched one of the known gateways
if [ -n "$NET" ]
then
	route -qn add $NET -interface ppp0
fi
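As an added example (not the article's own script), here is a variant of the ip-up helper that generalizes the gateway check: it takes the interface and peer address from the arguments pppd passes to ip-up (assumed to be the standard order: interface, tty, speed, local IP, remote IP, ipparam) rather than parsing ifconfig, keeps the gateway-to-network mapping in one table, and adds no route at all when the peer is not a known gateway. The DRY_RUN variable is a hypothetical switch for checking the logic without root.

```shell
#!/bin/sh
# Added example, not the article's script. pppd invokes ip-up as:
#   ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# so the VPN gateway is $5 and the tunnel interface is $1 (assumed order).
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

# Gateway-to-network table (addresses taken from the article). A gateway
# may map to several networks, separated by spaces.
nets_for_gw() {
    case "$1" in
        192.168.80.1) echo "192.168.78.0/25" ;;
        172.17.0.1)   echo "172.16.0.0/21" ;;
        *)            return 1 ;;   # unknown peer: route nothing
    esac
}

# Add (or, with DRY_RUN=1, print) one route per network behind the gateway.
# Returns 1 and adds nothing when the gateway is not in the table.
add_routes() {
    iface="$1"; gw="$2"
    nets=$(nets_for_gw "$gw") || {
        echo "ip-up: unknown VPN peer $gw, no routes added" >&2
        return 1
    }
    for net in $nets; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "route -qn add $net -interface $iface"
        else
            route -qn add "$net" -interface "$iface"
        fi
    done
}

# When run by pppd there are at least five arguments; do nothing otherwise.
if [ $# -ge 5 ]; then
    add_routes "$1" "$5"
fi
```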

That's it. I'd like to thank all developers working on OpenBSD, making it polished and good looking!

Special thanks to Yasuoka Masahiko (yasuoka@) for his technical review of this submission.

It should be noted, however, that there is a planned change to the npppd() configuration, which will quickly deprecate these instructions. When that time comes, we hope to provide information concerning the migration of your npppd() configurations.



  1. By Anonymous Cowbell (anon) M8R-2m2huq@mailinator.com on

    "cd /usr/src/usr.sbin/npppd && make depend && make && make install"

    This should have 'make obj' in it too.

  2. By sneaker (sneaker) sneaker@noahpugsley.net on

    Wow, I was just 2 weeks ago having trouble finding info on exactly this setup.

    Thanks!

  3. By Tamotsu (tamo) on http://tamo.tdiary.net/

    typo: s/Masohiko/Masahiko/
    according to his site: http://yasuoka.net/

    1. By tbert (tbert) on

      > typo: s/Masohiko/Masahiko/
      > according to his site: http://yasuoka.net/

      Fixed; thanks for the heads-up, and apologies to yasuoka@ for the oversight!

  4. By 0tto (0tto) otto.bretz@gmail.com on

    Thank you very much for this helpful guide. I got it working fine with OSX. Can someone please post some hints on how to configure Win7 clients?

  5. By rdk (rdk) on

    This npppd.conf does not work for me in OpenBSD 5.3.
    If the syntax of npppd.conf has changed in 5.3 and this article needs to be updated, it would be great if somebody did it. I am really looking for a working L2TP/IPSec npppd.conf.
    Thanks, rdk

  6. By Anonymous Coward (161.53.120.254) on

    Port 1701 doesn't need to be open in PF, it should be protected by IPsec anyway, so you don't want to allow connections coming in over the internet, only enc0.
