Setup VPN Server with Ubuntu

It's pretty easy to set up a VPN server on Ubuntu with openswan or strongswan, and there are several very good guides on the web with step-by-step instructions on how to do it. I installed one recently, and this post just documents what I did.

1. Install all required packages: apt-get install openswan xl2tpd ppp

2. Create the CA certificate: cd into /etc/ipsec.d and run openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/vpnpk.pem -out cacerts/vpnca.pem to create the CA certificate and its private key (you will be prompted for a passphrase, which encrypts the PEM key). Then run openssl rsa -in private/vpnpk.pem -outform DER -out vpnpk.der to get a copy of the private key in DER format. [SIDE NOTE] openswan wants the private key in DER format. Be aware that openssl rsa cannot encrypt DER output, so vpnpk.der holds the CA key in the clear: chmod 600 it and keep it readable by root only.

3. Modify the openssl config file: gedit /usr/lib/ssl/openssl.cnf (on Ubuntu this is a symlink to /etc/ssl/openssl.cnf) and change the CA_default section so that dir and the file names match the previous step:

[ CA_default ]
dir = /etc/ipsec.d
certificate = $dir/cacerts/vpnca.pem
private_key = $dir/private/vpnpk.pem

The other CA_default entries (database, serial, new_certs_dir) are derived from $dir, so openssl will now look for /etc/ipsec.d/index.txt, /etc/ipsec.d/serial and /etc/ipsec.d/newcerts.

4. In /etc/ipsec.d, create an empty file named index.txt and another file named serial containing the string "00"; openssl ca requires both in the next step. Also make sure the newcerts directory (openssl ca stores a copy of every certificate it issues there) and the reqs directory used below exist.

5. Create the client certificate: first create a request with openssl req -newkey rsa:2048 -keyout private/clientpk.pem -out reqs/clientreq.pem, sign it with the CA certificate using openssl ca -in reqs/clientreq.pem -days 730 -out certs/clientcert.pem -notext (you will be asked for the CA key passphrase from step 2 and to confirm the signing), and optionally export the client certificate and its private key with openssl pkcs12 -export -inkey private/clientpk.pem -in certs/clientcert.pem -certfile cacerts/vpnca.pem -out client.p12. This p12 file can be used to import the client certificate into Windows.

6. Modify /etc/ipsec.conf; connection examples can be copied from /etc/ipsec.d/examples/l2tp-cert.conf. Make sure leftcert points to the CA certificate (give the full path, /etc/ipsec.d/cacerts/vpnca.pem, since openswan resolves a bare file name relative to /etc/ipsec.d/certs). Note that in this setup the CA certificate doubles as the server certificate, so whoever obtains the server's key owns the CA; if you would rather keep the CA key offline, issue the server its own certificate exactly as for the client in step 5 and point leftcert at that instead.

7. Modify /etc/ipsec.secrets (and/or the files it includes) and add a line naming the CA private key and its passphrase: : RSA vpnpk.der "password". The passphrase is what unlocks an encrypted PEM key; the DER copy from step 2 is unencrypted, so what really protects it is the file permissions on vpnpk.der and on ipsec.secrets (both should be mode 600 and owned by root).

8. Modify /etc/xl2tpd/xl2tpd.conf: set ip range (the addresses handed out to clients) and local ip (the server's address on the tunnel), and/or change the authentication settings.

9. Check /etc/ppp/options.xl2tpd, change noauth to auth if necessary.

10. Modify /etc/ppp/chap-secrets and add one line per user, in the order client name, server name (or * for any), secret, allowed IP address (or *). The client name and secret are the username and password entered on the client.

11. Modify the firewall rules: ufw allow proto udp from any to any port 500 and ufw allow proto udp from any to any port 4500. Clients that are not behind NAT send ESP natively instead of encapsulated in UDP 4500, so also run ufw allow proto esp from any to any.

12. Restart services: /etc/init.d/ipsec restart and /etc/init.d/xl2tpd restart.

13. Install the certificate on the client and test. When importing the p12 file on Windows, don't import it from Windows Explorer. Instead, launch mmc.exe, add the "Certificates" snap-in for the "Computer account", then right-click Personal > Certificates and use the import wizard from there. This makes sure the certificate is imported into the computer store rather than the user store, which is where the built-in Windows L2TP/IPsec client looks for it.
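The certificate work of steps 2 to 5, as an added example that is not part of the original post: a POSIX shell script that builds the CA, the DER copy of its key, one client certificate and its .p12 for Windows under a directory given as its first argument. It hands openssl its own config file with -config instead of editing /usr/lib/ssl/openssl.cnf, and finishes with the two checks worth running before touching ipsec.conf: that the client certificate chains to the CA, and that the DER key opens without a passphrase (proof that it is in the clear). The directory layout, the subjects vpn-ca and vpn-client1, and the CA_PASS and CLIENT_PASS variables are this example's own choices, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the CA, the DER
# copy of its key, one client certificate and its .p12 under the directory
# given as $1, using a private openssl config instead of the system one.
# Subjects, file names and passphrases below are placeholders.
set -eu

CA_PASS="${CA_PASS:-change-me-ca}"       # protects the PEM copy of the CA key
CLIENT_PASS="${CLIENT_PASS:-change-me}"  # protects the client key and .p12

# The CA_default edit of step 3, as a stand-alone config file.
write_ca_config() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/cacerts/vpnca.pem
private_key      = \$dir/private/vpnpk.pem
default_md       = sha256
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Steps 2 and 4: CA certificate and key, index.txt, serial, and the
# directories that openssl ca (newcerts) and openssl req -out reqs/... need.
init_ca() {
    dir="$1"
    mkdir -p "$dir/cacerts" "$dir/certs" "$dir/private" "$dir/reqs" "$dir/newcerts"
    chmod 700 "$dir/private"
    write_ca_config "$dir"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"          # first serial to issue (the post uses 00)
    openssl req -config "$dir/openssl.cnf" -x509 -days 3650 -newkey rsa:2048 \
        -subj "/O=Example VPN/CN=vpn-ca" -passout "pass:$CA_PASS" \
        -keyout "$dir/private/vpnpk.pem" -out "$dir/cacerts/vpnca.pem" \
        -extensions v3_ca
    # DER copy for openswan. openssl rsa cannot encrypt DER output, so this
    # file holds the CA key in the clear and is protected by mode 600 only.
    openssl rsa -in "$dir/private/vpnpk.pem" -passin "pass:$CA_PASS" \
        -outform DER -out "$dir/vpnpk.der"
    chmod 600 "$dir/vpnpk.der"
}

# Step 5 for one client: request, CA-signed certificate, .p12 for Windows.
issue_client() {
    dir="$1"; name="$2"
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 \
        -subj "/O=Example VPN/CN=$name" -passout "pass:$CLIENT_PASS" \
        -keyout "$dir/private/$name.pem" -out "$dir/reqs/$name.req"
    openssl ca -config "$dir/openssl.cnf" -batch -notext -days 730 \
        -passin "pass:$CA_PASS" -in "$dir/reqs/$name.req" -out "$dir/certs/$name.pem"
    openssl pkcs12 -export -inkey "$dir/private/$name.pem" -passin "pass:$CLIENT_PASS" \
        -in "$dir/certs/$name.pem" -certfile "$dir/cacerts/vpnca.pem" \
        -passout "pass:$CLIENT_PASS" -out "$dir/$name.p12"
}

# Checks before touching ipsec.conf: the client certificate chains to the
# CA, and the DER key really opens without a passphrase (it is cleartext).
client_chains_to_ca() {
    openssl verify -CAfile "$1/cacerts/vpnca.pem" "$1/certs/$2.pem" >/dev/null 2>&1
}
der_key_is_unencrypted() {
    openssl rsa -inform DER -in "$1/vpnpk.der" -noout >/dev/null 2>&1
}

# The line step 7 adds to ipsec.secrets. The quoted passphrase matters only
# for an encrypted PEM key; the cleartext DER copy does not need it.
secrets_line() {
    printf ': RSA %s/vpnpk.der "%s"\n' "$1" "$CA_PASS"
}

build_vpn_pki() {
    init_ca "$1"
    issue_client "$1" vpn-client1
    client_chains_to_ca "$1" vpn-client1
    der_key_is_unencrypted "$1"
    secrets_line "$1"
}

[ $# -eq 0 ] || build_vpn_pki "$1"     # e.g.: sh make-vpn-pki.sh /tmp/vpnpki
```

Run it against a scratch directory first (sh make-vpn-pki.sh /tmp/vpnpki) and copy the pieces into /etc/ipsec.d, or run it as root with /etc/ipsec.d directly. On OpenSSL 3 openssl rsa writes PKCS#8 by default; add -traditional to that command if your IKE daemon expects the older PKCS#1 RSAPrivateKey encoding.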

References:

IPsec/L2TP VPN server with Ubuntu 12.04

Setting Up an IPsec L2TP VPN Server on Ubuntu


Posted on February 7, 2013, in vpn. 1 Comment.

  1. Gustavo Bublil

    thank you very much, everything works perfectly!
