This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.
If you're needing a tunnel between a EidolonHost Linux-based virtual server and a Linux-based destination, we highly recommend you use a GRE tunnel documented here: GRE tunnelling your filtered IP.
If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: Redirecting your filtered IP.
All operating systems with IPSEC support are, you guessed it, supported.
We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.
Please note, if you're setting this up on an OpenVZ with us, you must use a 64bit based template.
First you must install openswan & xl2tpd.
apt-get update apt-get install openswan xl2tpd
Note: During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.
yum -y install xl2tpd openswan
/etc/ipsec.conf with your favorite editor. Replace the entire contents with the following:
# /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Again: only enable plutodebug or klipsdebug when asked by a developer # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey conn %default authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport leftprotoport=17/1701 rightprotoport=17/%any conn L2TP-PSK-NAT rightsubnet=vhost:%priv left=YOUR_EidolonHost_IP conn L2TP-PSK-noNAT left=YOUR_EidolonHost_IP right=%any
Make sure you update
YOUREidolonHostIP with your EidolonHost IP.
/etc/xl2tpd/xl2tpd.conf with your favorite editor. Replace the entire contents with the following:
[global] ;listen-addr = 127.0.0.1 ; Global parameters: port = 1701 ; * Bind to port 1701 auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are access control = no ; * Refuse connections without IP match rand source = dev ; Source for entropy for random [lns default] ; Our fallthrough LNS definition exclusive = yes ; * Only permit one tunnel per host ip range = 10.1.0.2 - 10.1.0.100 local ip = 10.1.0.1 refuse authentication = yes ; * Refuse authentication altogether refuse pap = yes ; * Refuse PAP authentication refuse chap = yes ppp debug = no ; * Turn on PPP debugging pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
Optional: Update the
ip range &
local ip to fit your needs.
/etc/ppp/options.l2tpd with your favorite editor. Replace the entire contents with the following:
# Do not support BSD compression. nobsdcomp passive lock # Allow all usernames to connect. name * proxyarp ipcp-accept-local ipcp-accept-remote lcp-echo-failure 10 lcp-echo-interval 5 nodeflate # Do not authenticate incoming connections. This is handled by IPsec. noauth refuse-chap refuse-mschap refuse-mschap-v2 # Set the DNS servers the PPP clients will use. ms-dns 18.104.22.168 mtu 1400 mru 1400
/etc/ipsec.secrets with your favorite editor. Replace the entire contents with the following:
YOUR_EidolonHost_IP %any: "mysecretpresharedkeypassword"
mysecretpresharedkeypassword is the
shared key you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.
As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:
iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_EidolonHost_IP
You must now restart the
/etc/init.d/ipsec restart /etc/init.d/xl2tpd restart
From here you must configure your client side.
For a good Windows 2008/2012/7/8 guide, please check out http://www.x4b.net/wiki/WindowsVPNConnecting. Follow all the steps except 9 & 10 as it's specific to their platform.