Setup VPN Server with Ubuntu
It’s pretty easy to set up a VPN server on Ubuntu with openswan or strongswan, and there are several very good guides on the web with step-by-step instructions on how to do it. I just installed one recently and this is just to document what I did.
1. Install all required packages: apt-get install openswan xl2tpd ppp
2. Create the CA certificate: cd into /etc/ipsec.d, run openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/vpnpk.pem -out cacerts/vpnca.pem to create the CA certificate and its private key, then run openssl rsa -in private/vpnpk.pem -outform DER -out vpnpk.dem to get a copy of the private key in DER format. [SIDE NOTE] openswan requires the private key to be in DER format.
3. Modify the openssl config file: gedit /usr/lib/ssl/openssl.cnf and change the CA_default section so that dir and the filenames match the previous step:
[ CA_default ]
dir = /etc/ipsec.d
certificate = $dir/cacerts/vpnca.pem
private_key = $dir/private/vpnpk.pem
4. In the same directory, create an empty file named index.txt and another file named serial containing the string “00”; both are required by openssl in the next step.
5. Create the client certificate: first create a request with openssl req -newkey rsa:2048 -keyout private/clientpk.pem -out reqs/clientreq.pem, sign it with the CA certificate using openssl ca -in reqs/clientreq.pem -days 730 -out certs/clientcert.pem -notext, and optionally export the client certificate and its private key with openssl pkcs12 -export -inkey private/clientpk.pem -in certs/clientcert.pem -certfile cacerts/vpnca.pem -out client.p12. This p12 file can be used to import the client certificate into Windows.
6. Modify /etc/ipsec.conf; connection examples can be copied from /etc/ipsec.d/examples/l2tp-cert.conf. Make sure leftcert points to the CA certificate.
7. Modify /etc/ipsec.secrets (and/or the files it includes) and put the passphrase for the CA private key there:
: RSA vpnpk.dem "password"
8. Modify /etc/xl2tpd/xl2tpd.conf: change the IP address and/or the authentication settings.
9. Check /etc/ppp/options.xl2tpd and change noauth to auth if necessary.
10. Modify /etc/ppp/chap-secrets and put the username and password there; these are the credentials entered on the client.
11. Modify the firewall rules: ufw allow proto udp from any to any port 500 and ufw allow proto udp from any to any port 4500 (IKE and NAT-T).
12. Restart services: /etc/init.d/ipsec restart and /etc/init.d/xl2tpd restart.
13. Install the certificate on the client and test. When importing p12 files on Windows, don’t import them from Windows Explorer. Instead, launch mmc.exe, add the “Certificates” snap-in for the “Computer account”, then right-click Personal certificates and use the import wizard from there. This makes sure the certificate is imported into the computer account rather than the user account.
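Steps 2 to 5 as a non-interactive script, added here for illustration and not the author's commands: it builds the same CA, DER key and client certificate under a scratch directory standing in for /etc/ipsec.d, with a stand-alone openssl.cnf in place of editing the system one, and ends with two checks the steps above do not include: that the client certificate chains to the CA, and that the DER key named in ipsec.secrets actually belongs to the CA certificate. The CNs and pass: passphrases are constructed sample values.

```shell
set -eu
# Build the CA and one client certificate under $1 (a scratch dir standing in for /etc/ipsec.d); CNs and passphrases are constructed samples.
build_pki() {
  pki="$1"
  mkdir -p "$pki/private" "$pki/cacerts" "$pki/certs" "$pki/reqs" "$pki/newcerts"
  : > "$pki/index.txt"; echo 00 > "$pki/serial"   # step 4: empty database and first serial
  cat > "$pki/openssl.cnf" <<EOF   # step 3: minimal config instead of editing the system openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $pki
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacerts/vpnca.pem
private_key = \$dir/private/vpnpk.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Step 2: self-signed CA certificate and key, then the DER copy that openswan loads.
  openssl req -x509 -days 3650 -newkey rsa:2048 -config "$pki/openssl.cnf" -subj "/CN=vpn-ca.example" \
    -passout pass:capass -keyout "$pki/private/vpnpk.pem" -out "$pki/cacerts/vpnca.pem"
  openssl rsa -in "$pki/private/vpnpk.pem" -passin pass:capass -outform DER -out "$pki/vpnpk.dem"
  # Step 5: client request, signature by the CA, PKCS#12 bundle for the Windows import.
  openssl req -newkey rsa:2048 -config "$pki/openssl.cnf" -subj "/CN=client1" -passout pass:clientpass \
    -keyout "$pki/private/clientpk.pem" -out "$pki/reqs/clientreq.pem"
  openssl ca -batch -config "$pki/openssl.cnf" -passin pass:capass -days 730 -notext \
    -in "$pki/reqs/clientreq.pem" -out "$pki/certs/clientcert.pem"
  openssl pkcs12 -export -inkey "$pki/private/clientpk.pem" -passin pass:clientpass -passout pass:exportpass \
    -in "$pki/certs/clientcert.pem" -certfile "$pki/cacerts/vpnca.pem" -out "$pki/client.p12"
}
# Check 1: the client certificate must chain to the CA certificate.
client_chains_to_ca() {
  openssl verify -CAfile "$1/cacerts/vpnca.pem" "$1/certs/clientcert.pem" >/dev/null
}
# Check 2: the DER key named in ipsec.secrets must carry the same public key as the CA certificate.
der_key_matches_ca() {
  k=$(openssl rsa -inform DER -in "$1/vpnpk.dem" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1/cacerts/vpnca.pem" -pubkey -noout) || return 1
  [ "$k" = "$c" ]
}
```

Run it as build_pki /tmp/pki && client_chains_to_ca /tmp/pki && der_key_matches_ca /tmp/pki; afterwards /tmp/pki has the same layout the steps above create in /etc/ipsec.d.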