Contributed by jj on from the its-a-truck-not-a-series-of-tubes dept.
Read on for the story of how one man conquered his corner of the internet.
An OpenBSD user since 3.2, I deploy OpenBSD on anything that I want to be secure and stable (yes, even -current is STABLE, as long as you know what you are doing).
This guide is split into two sections. The first and major one is server-side configuration. The second is about what should be done on client-side. I use npppd both at home and at the office. My office setup is a bit more complicated than the one described here.
Server
The server needs to run OpenBSD 5.1-current with /usr/src populated according to the documentation. npppd is in development, so it is a good idea to keep your sources up to date, else you might miss an important patch.
1. Compile and Install
As npppd is not yet linked to the build, you have to compile it yourself:
cd /usr/src/usr.sbin/npppd && make depend && make && make install
2. Configuration
After that it is good practice to take a look at the HOWTO in the same directory, HOWTO_PIPEX_NPPPD.txt. There is no manual for npppd yet, so more info can only be gathered by reading the source code. [this should change relatively quickly - ed.] The info provided by Yasuoka in the above-mentioned HOWTO covers pretty much all we need for a basic setup; however, I'll write my working home configuration here.
Let's start with pf.conf:
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
Now the IPSec part; isakmpd should start at boot and load rules from ipsec.conf, thus add the following to rc.conf:
isakmpd_flags="-K"
Then the ipsec.conf itself. Make sure to replace the IP 1.2.3.4 with your own external IP.
ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth "hmac-sha1" enc "3des" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "password"
Finally, npppd.conf. At home I use RADIUS for authentication for a few reasons. If you plan to use a plain password file, then uncomment the lines after "Local file authentication". Again, the HOWTO mentioned above provides info on how to create this file. My internal network is 192.168.78.x. 192.168.80.0/25 is the range from which clients connected through the VPN will get their addresses. 192.168.80.1 will be their gateway to the internal network.
interface_list: tun0
interface.tun0.ip4addr: 192.168.80.1
pool.dyna_pool: 192.168.80.0/25
pool.pool: 192.168.80.128/25
# Local file authentication
#auth.local.realm_list: local
#auth.local.realm.acctlist: /etc/npppd/npppd-users.csv
#realm.local.concentrate: tun0
# RADIUS authentication / accounting
auth.radius.realm_list: radius
auth.radius.realm.server.address: 192.168.78.1:1812
auth.radius.realm.server.secret: radius_password
auth.radius.realm.acct_server.address: 192.168.78.1:1813
auth.radius.realm.acct_server.secret: radius_password
realm.radius.concentrate: tun0
lcp.mru: 1400
lcp.timeout: 18
auth.method: mschapv2
ipcp.dns_primary: 192.168.78.123
ipcp.dns_secondary: 192.168.78.123
ipcp.assign_fixed: true
ipcp.assign_userselect: true
l2tpd.enable: true
#l2tpd.listener: L2TP 4.3.2.1:1701
l2tpd.ip4_allow: 0.0.0.0/0
l2tpd.require_ipsec: true
l2tpd.accept_dialin: true
pipex.enabled: true
A note about l2tpd.listener: this configuration directive can be used with more advanced setups, for instance when you have a CARP:ed range of IP addresses.
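A quick sanity check on the address plan behind this npppd.conf, added here as an example and not part of the original article: plain POSIX sh arithmetic that confirms the dynamic and fixed pools do not overlap each other or the internal LAN, and that the DNS server handed out via ipcp.dns_primary actually sits inside that LAN (otherwise clients get a resolver they cannot reach through the tunnel). The pool, gateway and DNS values are the article's; the LAN prefix length /24 is an assumption, since the text only says 192.168.78.x.

```shell
#!/bin/sh
# Added example: address-plan sanity checks for the npppd setup above.
# Pure shell arithmetic; nothing here touches the running system.

# Dotted quad -> 32-bit integer.
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address (as integers) of a block written a.b.c.d/len.
net_first() {
    _ip=${1%/*}; _len=${1#*/}
    _mask=$(( (0xffffffff << (32 - _len)) & 0xffffffff ))
    echo $(( $(ip2int "$_ip") & _mask ))
}
net_last() {
    _ip=${1%/*}; _len=${1#*/}
    _mask=$(( (0xffffffff << (32 - _len)) & 0xffffffff ))
    echo $(( ($(ip2int "$_ip") & _mask) | (~_mask & 0xffffffff) ))
}

# Exit 0 when host $1 lies inside CIDR block $2.
cidr_contains() {
    _h=$(ip2int "$1")
    [ "$_h" -ge "$(net_first "$2")" ] && [ "$_h" -le "$(net_last "$2")" ]
}

# Exit 0 when the two CIDR blocks share at least one address.
cidr_overlap() {
    [ "$(net_first "$1")" -le "$(net_last "$2")" ] &&
    [ "$(net_first "$2")" -le "$(net_last "$1")" ]
}

# Values from the article's npppd.conf. LAN=/24 is an assumption
# (the article only says "192.168.78.x").
TUN_GW=192.168.80.1
DYNA_POOL=192.168.80.0/25
FIXED_POOL=192.168.80.128/25
LAN=192.168.78.0/24
DNS=192.168.78.123

# Exit 0 when the plan is consistent; otherwise print one line per
# problem and exit 1.
check_plan() {
    _rc=0
    if cidr_overlap "$DYNA_POOL" "$FIXED_POOL"; then
        echo "dynamic pool $DYNA_POOL overlaps fixed pool $FIXED_POOL"; _rc=1
    fi
    for _p in "$DYNA_POOL" "$FIXED_POOL"; do
        if cidr_overlap "$_p" "$LAN"; then
            echo "pool $_p collides with LAN $LAN"; _rc=1
        fi
    done
    if ! cidr_contains "$DNS" "$LAN"; then
        echo "DNS $DNS is outside LAN $LAN; VPN clients will not reach it"; _rc=1
    fi
    if cidr_contains "$TUN_GW" "$LAN"; then
        echo "tun0 address $TUN_GW must not be taken from the LAN"; _rc=1
    fi
    return $_rc
}

check_plan && echo "address plan OK"
```

Run it after editing the pool or LAN values; a non-zero exit with a message is the cue to fix npppd.conf before starting the daemon, since an overlapping pool is silent at start-up and only shows as clients that can reach some hosts and not others.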
3. Start up
Apply the pf.conf first:
pfctl -f /etc/pf.conf
Then start isakmpd and apply the IPSec rules:
/etc/rc.d/isakmpd start
ipsecctl -f /etc/ipsec.conf
Now start npppd:
/usr/sbin/npppd -D
All debugging, in case of a misconfiguration or a VPN that does not work, is done with isakmpd/npppd running in the foreground and tcpdump listening for the relevant packets on the relevant interfaces.
Client
Both OSX and Win7 offer to route ALL traffic via the VPN tunnel. Usually no one wants this, thus one has to disable it and set up routing manually. Until then DNS resolution will not work; for instance, I will not be able to reach my internal 192.168.78.123.
I use OSX, thus I'll cover how to set up routing once the VPN is established. Basically we need a helper script. OSX will run it automatically, but on Win7 it has to be executed with administrative permissions.
[root@grey] [/etc/ppp] $ cat /etc/ppp/ip-up
#!/bin/sh
# Run by pppd once the L2TP link is up: add the route for whichever
# network sits behind the gateway we were connected to.
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH
HOME_GW="192.168.80.1"
HOME_NET="192.168.78.0/25"
OFFICE_GW="172.17.0.1"
OFFICE_NET="172.16.0.0/21"
NET=""
# Peer (gateway) address of the tunnel: the 4th field of the "inet" line,
# e.g. "inet 192.168.80.5 --> 192.168.80.1 netmask 0xffffff00".
# The trailing space in 'inet ' keeps the inet6 line out.
GW_FROM_L2TP=`ifconfig ppp0 | grep 'inet ' | awk '{print $4}'`
if [ "$GW_FROM_L2TP" = "$OFFICE_GW" ]
then
    NET=$OFFICE_NET
fi
if [ "$GW_FROM_L2TP" = "$HOME_GW" ]
then
    NET=$HOME_NET
fi
# Only add a route when the gateway was recognised; with an empty $NET
# route(8) would fail with a usage error.
if [ -n "$NET" ]
then
    route -qn add "$NET" -interface ppp0
fi
That's it. I'd like to thank all developers working on OpenBSD, making it polished and good looking!
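The same gateway-to-network selection, generalised a little and written as an added example rather than the article's own ip-up script: the peer address is parsed out of ifconfig output with awk instead of a loose grep, one gateway may map to several networks, an unknown peer yields an error status instead of a broken route command, and the route(8) commands are emitted as text so the logic can be checked against constructed ifconfig output without a live ppp0. The home and office values are the article's; the second office network 172.18.0.0/24 and the sample ifconfig text are constructed.

```shell
#!/bin/sh
# Added example: choose the routes to add after an L2TP link comes up.
# Commands are printed (dry run) rather than executed, so the selection
# can be tested without a real ppp0 interface.

# Gateway -> space-separated list of networks reachable behind it.
# 192.168.80.1 / 172.17.0.1 and the first two networks come from the
# article; 172.18.0.0/24 is a constructed second office network.
nets_for_gw() {
    case "$1" in
        192.168.80.1) echo "192.168.78.0/25" ;;
        172.17.0.1)   echo "172.16.0.0/21 172.18.0.0/24" ;;
        *)            return 1 ;;
    esac
}

# Read ifconfig output on stdin and print the peer (gateway) address.
# OS X prints "inet <local> --> <peer> netmask ..."; matching on the
# literal "-->" skips the inet6 line and any unrelated "inet" text.
peer_addr() {
    awk '$1 == "inet" && $3 == "-->" { print $4; exit }'
}

# Print one "route add" command per network behind the peer found in
# the ifconfig text passed as $1. Exit 2 when no peer is found or the
# peer is not in the table, so the caller can log it instead of adding
# a bogus route.
routes_for() {
    _gw=$(printf '%s\n' "$1" | peer_addr)
    [ -n "$_gw" ] || return 2
    _nets=$(nets_for_gw "$_gw") || return 2
    for _n in $_nets; do
        echo "route -qn add $_n -interface ppp0"
    done
}

# Constructed ifconfig output resembling what OS X shows for ppp0.
SAMPLE_HOME='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 192.168.80.5 --> 192.168.80.1 netmask 0xffffff00'
SAMPLE_OFFICE='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 172.17.0.9 --> 172.17.0.1 netmask 0xffffff00'
SAMPLE_UNKNOWN='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 10.9.8.7 --> 10.9.8.1 netmask 0xffffff00'

# Stand-alone run: show what would be added for the home tunnel.
routes_for "$SAMPLE_HOME"
```

In a real ip-up the `echo` inside routes_for becomes the route command itself and the argument becomes `"$(ifconfig ppp0)"`; keeping the table and the parser separate means a new site is one more `case` arm rather than another copy of the if/then block.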
Special thanks to Yasuoka Masahiko (yasuoka@) for his technical review of this submission.
It should be noted, however, that there is a planned change to the npppd() configuration, which will quickly deprecate these instructions. When that time comes, we hope to provide information concerning the migration of your npppd() configurations.
Comments
By Anonymous Cowbell (anon) M8R-2m2huq@mailinator.com on
This should have 'make obj' in it too.
By sneaker (sneaker) sneaker@noahpugsley.net on
Thanks!
By Tamotsu (tamo) on http://tamo.tdiary.net/
according to his site: http://yasuoka.net/
By tbert (tbert) on
> according to his site: http://yasuoka.net/
Fixed; thanks for the heads-up, and apologies to yasuoka@ for the oversight!
By 0tto (0tto) otto.bretz@gmail.com on
By rdk (rdk) on
If the syntax of npppd.conf has changed in 5.3 and this article needs to be updated, it would be great if somebody did it. I am really looking for a working L2TP/IPSec npppd.conf.
Thanks, rdk
By Anonymous Coward (161.53.120.254) on