ipsec [2013/07/27 22:31] |
ipsec [2021/04/24 15:12] cubebuilder created |
Line 1: | Line 1: | ||
+ | ====== Setting up an IPSEC tunnel ====== | ||
+ | This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows. | ||
+ | |||
+ | If you you're needing a tunnel between a buyvm linux based virtual server and a linux based destination, | ||
+ | |||
+ | If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: [[redirect_traffic|Redirecting your filtered IP]]. | ||
+ | ===== Supported Operating Systems ==== | ||
+ | |||
+ | All operating systems with IPSEC support are, you guessed it, supported. | ||
+ | |||
+ | We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs. | ||
+ | |||
+ | Please note, if you're setting this up on an OpenVZ with us, **you must use a 64bit based template**. | ||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * iptables installed on your BuyVM VPS (included already in most cases) | ||
+ | * **A 64bit based distribution if you're doing this on OpenVZ**. This can't be stressed enough and will not work on a 32bit distribution (for the time being). | ||
+ | |||
+ | ===== Setup ===== | ||
+ | |||
+ | First you must install openswan & xl2tpd. | ||
+ | |||
+ | On Debian/ | ||
+ | |||
+ | < | ||
+ | apt-get update | ||
+ | apt-get install openswan xl2tpd | ||
+ | </ | ||
+ | |||
+ | **Note:** During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here. | ||
+ | |||
+ | On CentOS: | ||
+ | |||
+ | < | ||
+ | yum -y install xl2tpd openswan | ||
+ | </ | ||
+ | ===== Setup ipsec.conf ===== | ||
+ | |||
+ | Open up ''/ | ||
+ | |||
+ | < | ||
+ | |||
+ | # / | ||
+ | |||
+ | # This file: / | ||
+ | # | ||
+ | # Manual: | ||
+ | |||
+ | version 2.0 # conforms to second version of ipsec.conf specification | ||
+ | |||
+ | # basic configuration | ||
+ | config setup | ||
+ | # Do not set debug options to debug configuration issues! | ||
+ | # plutodebug / klipsdebug = " | ||
+ | # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" | ||
+ | # eg: | ||
+ | # plutodebug=" | ||
+ | # | ||
+ | # enable to get logs per-peer | ||
+ | # plutoopts=" | ||
+ | # | ||
+ | # Again: only enable plutodebug or klipsdebug when asked by a developer | ||
+ | # | ||
+ | # NAT-TRAVERSAL support, see README.NAT-Traversal | ||
+ | nat_traversal=yes | ||
+ | # exclude networks used on server side by adding %v4: | ||
+ | virtual_private=%v4: | ||
+ | # OE is now off by default. Uncomment and change to on, to enable. | ||
+ | oe=off | ||
+ | # which IPsec stack to use. auto will try netkey, then klips then mast | ||
+ | protostack=netkey | ||
+ | |||
+ | conn %default | ||
+ | authby=secret | ||
+ | pfs=no | ||
+ | auto=add | ||
+ | keyingtries=3 | ||
+ | rekey=no | ||
+ | ikelifetime=8h | ||
+ | keylife=1h | ||
+ | type=transport | ||
+ | leftprotoport=17/ | ||
+ | rightprotoport=17/ | ||
+ | |||
+ | conn L2TP-PSK-NAT | ||
+ | rightsubnet=vhost: | ||
+ | left=YOUR_BUYVM_IP | ||
+ | |||
+ | conn L2TP-PSK-noNAT | ||
+ | left=YOUR_BUYVM_IP | ||
+ | right=%any | ||
+ | </ | ||
+ | |||
+ | Make sure you update '' | ||
+ | ===== Setup xl2tpd.conf ===== | ||
+ | |||
+ | |||
+ | Open up ''/ | ||
+ | |||
+ | < | ||
+ | [global] | ||
+ | ; | ||
+ | port = 1701 ; * Bind to port 1701 | ||
+ | auth file = / | ||
+ | access control = no ; * Refuse connections without IP match | ||
+ | rand source = dev ; Source for entropy for random | ||
+ | |||
+ | [lns default] | ||
+ | exclusive = yes ; * Only permit one tunnel per host | ||
+ | ip range = 10.1.0.2 - 10.1.0.100 | ||
+ | local ip = 10.1.0.1 | ||
+ | refuse authentication = yes ; * Refuse authentication altogether | ||
+ | refuse pap = yes ; * Refuse PAP authentication | ||
+ | refuse chap = yes | ||
+ | ppp debug = no ; * Turn on PPP debugging | ||
+ | pppoptfile = / | ||
+ | </ | ||
+ | |||
+ | **Optional: | ||
+ | ===== Setup options.l2tpd ===== | ||
+ | |||
+ | Open up ''/ | ||
+ | |||
+ | < | ||
+ | # Do not support BSD compression. | ||
+ | nobsdcomp | ||
+ | passive | ||
+ | lock | ||
+ | |||
+ | # Allow all usernames to connect. | ||
+ | name * | ||
+ | proxyarp | ||
+ | ipcp-accept-local | ||
+ | ipcp-accept-remote | ||
+ | lcp-echo-failure 10 | ||
+ | lcp-echo-interval 5 | ||
+ | nodeflate | ||
+ | |||
+ | # Do not authenticate incoming connections. This is handled by IPsec. | ||
+ | noauth | ||
+ | refuse-chap | ||
+ | refuse-mschap | ||
+ | refuse-mschap-v2 | ||
+ | |||
+ | # Set the DNS servers the PPP clients will use. | ||
+ | ms-dns 8.8.8.8 | ||
+ | |||
+ | mtu 1400 | ||
+ | mru 1400 | ||
+ | </ | ||
+ | |||
+ | ===== Setup ipsec.secrets ===== | ||
+ | |||
+ | Open up ''/ | ||
+ | |||
+ | < | ||
+ | YOUR_BUYVM_IP %any: " | ||
+ | </ | ||
+ | |||
+ | The '' | ||
+ | |||
+ | ===== Allow traffic to route out your VPS ===== | ||
+ | |||
+ | As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS: | ||
+ | |||
+ | < | ||
+ | iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Apply the configuration files ===== | ||
+ | |||
+ | You must now restart the '' | ||
+ | |||
+ | < | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | ===== Client side configuration ===== | ||
+ | |||
+ | From here you must configure your client side. | ||
+ | |||
+ | For a good Windows 2008/ |
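Review bot: the routing step in "Allow traffic to route out your VPS" is incomplete: `iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP` is the only forwarding-related command, and nowhere in the visible lines is kernel forwarding enabled, so packets from the PPP clients are dropped before they ever reach that NAT rule; add `sysctl -w net.ipv4.ip_forward=1` (persisted in /etc/sysctl.conf) to that section, and narrow the SNAT source to the pool actually handed out by `ip range = 10.1.0.2 - 10.1.0.100`, i.e. 10.1.0.0/24 rather than the whole 10.0.0.0/8. Two security points deserve a sentence in the text: with refuse authentication = yes in xl2tpd.conf and noauth in options.l2tpd, the pre-shared key in ipsec.secrets (accepted for right=%any) is the only credential protecting the VPN, so the page should state that it must be long and random and that rotating it means reconfiguring every client; and pfs=no in conn %default disables perfect forward secrecy, which should at least be flagged as a trade-off made for client compatibility. Minor: the heading `===== Supported Operating Systems ====` has five leading and four trailing equals signs, so DokuWiki will not render it at the intended level; balance the markers.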