This shows you the differences between two versions of the page.
Previous revision: wiki:vpn_server [2018/07/12 09:52] ghi [Secrets]
Current revision: — (current)
| Line 1: | Line 1: | ||
| - | ====== VPN - Server configuration ====== | ||
| - | ===== IPsec / strongswan ===== | ||
| - | |||
| - | ==== Requirements ==== | ||
| - | |||
| - | Please install strongswan and check that the version matches the one installed in the iBTS. For example, on firmware 3.4.2, the ipsec version is: | ||
| - | |||
| - | <code bash> | ||
| - | ipsec --version | ||
| - | Linux strongSwan U5.5.2/K4.1.15-klk | ||
| - | Institute for Internet Technologies and Applications | ||
| - | University of Applied Sciences Rapperswil, Switzerland | ||
| - | See 'ipsec --copyright' for copyright information. | ||
| - | </code> | ||
| - | |||
| - | A server with root access is required. This guide was written with Debian 8. | ||
| - | |||
| - | It is assumed that the PKI was set up, if not, please see the [[ wiki:vpn_pki| PKI configuration]] page. | ||
| - | |||
| - | ==== Configuration ==== | ||
| - | |||
| - | The main configuration file describes the VPN connection: | ||
| - | |||
| - | <code file /etc/ipsec.conf> | ||
| - | # ipsec.conf - strongSwan IPsec configuration file | ||
| - | |||
| - | # basic configuration | ||
| - | |||
| - | config setup | ||
| - | |||
| - | conn %default | ||
| - | keyexchange=ikev2 | ||
| - | ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024! | ||
| - | esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1! | ||
| - | dpdaction=clear | ||
| - | dpddelay=300s | ||
| - | rekey=no | ||
| - | auto=add | ||
| - | |||
| - | conn kerlink | ||
| - | leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld" | ||
| - | leftsubnet=your_server_subnet | ||
| - | leftcert=vpncert.pem | ||
| - | rightid="C=FR, O=Kerlink, CN=klk-lpbs-060434" | ||
| - | rightsubnet=your_network_subnet | ||
| - | </code> | ||
| - | |||
| - | Most of the parameters are defined in the default section, but they could be put under the ''kerlink'' connection should the server have more than one VPN connection. | ||
| - | |||
| - | ==== Secrets ==== | ||
| - | |||
| - | The secrets file stores all the credentials information. In our case, we only have one line for the VPN server identification (RSA key) and one line per client (certificate): | ||
| - | |||
| - | <code file /etc/ipsec.secrets> | ||
| - | # This file holds shared secrets or RSA private keys for authentication. | ||
| - | |||
| - | # RSA private key for this host, authenticating it to any other host | ||
| - | # which knows the public part. | ||
| - | |||
| - | # this file is managed with debconf and will contain the automatically created private key | ||
| - | include /var/lib/strongswan/ipsec.secrets.inc | ||
| - | |||
| - | : RSA vpnkey.pem | ||
| - | |||
| - | </code> | ||
| - | |||
| - | The syntax is ''identifier : type <parameters>''. | ||
| - | |||
| - | * When the ''identifier'' is empty, it is assumed that it describes the server. Hence, ''type'' is ''RSA'' and the ''parameters'' is the RSA key file name, relative to ''/etc/ipsec.d/private''. | ||
| - | * Otherwise, this can identify clients. In this case, we identify the certificate in the ''identifier'', and the private RSA key. | ||
| - | |||
| - | ===== OpenVPN ===== | ||
| - | |||
| - | Here is a sample server side configuration file: | ||
| - | |||
| - | <code conf /etc/openvpn/server.conf> | ||
| - | # UDP tunnel on port 1194 | ||
| - | port 1194 | ||
| - | proto udp | ||
| - | dev tun | ||
| - | |||
| - | # Server identification and security parameters | ||
| - | pkcs12 /etc/openvpn/server-cert.p12 | ||
| - | dh /etc/openvpn/dh2048.pem | ||
| - | |||
| - | # LAN information and network configuration | ||
| - | topology subnet | ||
| - | server 10.8.0.0 255.255.255.0 | ||
| - | ifconfig-pool-persist ipp.txt 86400 | ||
| - | mssfix 1200 | ||
| - | push "route 172.17.0.0 255.255.0.0" | ||
| - | push "route 172.18.0.0 255.255.0.0" | ||
| - | push "dhcp-option DNS 10.8.0.1" | ||
| - | |||
| - | # Connection management | ||
| - | comp-lzo | ||
| - | keepalive 15 120 | ||
| - | cipher AES-256-CBC | ||
| - | |||
| - | # Daemon configuration | ||
| - | user nobody | ||
| - | group nogroup | ||
| - | |||
| - | # Persist across restarts | ||
| - | persist-key | ||
| - | persist-tun | ||
| - | persist-local-ip | ||
| - | persist-remote-ip | ||
| - | |||
| - | # Management options | ||
| - | status openvpn-status.log | ||
| - | verb 4 | ||
| - | management localhost 6666 | ||
| - | script-security 2 | ||
| - | </code> | ||
| - | |||
| - | Start with: | ||
| - | |||
| - | <code bash> | ||
| - | openvpn /etc/openvpn/server.conf | ||
| - | </code> | ||
| - | ===== Next ===== | ||
| - | |||
| - | Next, [[ wiki:vpn_client|setup the VPN client]] on the iBTS. | ||
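Review bot: in the removed `conn %default` block the strict (`!`) `ike=` and `esp=` lists still admit `sha1` integrity and the 1024-bit `modp1024` group (for example `aes128-sha1-modp1024`), so an iBTS that offers only those proposals is accepted even though the ECP and modp2048+ entries are listed first; if this page is moved or restored rather than dropped, trim both lists to the SHA-2 proposals with `ecp256`/`ecp384` or `modp2048` and larger that firmware 3.4.2 actually negotiates, e.g. `ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048!`. Two further points in the same hunk: the second bullet under `==== Secrets ====` is misleading, because the server never holds a client's private key and the single `: RSA vpnkey.pem` line is all that `ipsec.secrets` needs when clients authenticate with certificates issued by the PKI (the client certificate is verified against the CA in `/etc/ipsec.d/cacerts` and its subject DN is matched against `rightid`, not against anything in `ipsec.secrets`); and in `server.conf`, `comp-lzo` compresses the tunnelled traffic, which leaks through ciphertext sizes and should be removed, while `management localhost 6666` opens an unauthenticated management socket to every local user unless a password file is given as the third argument (`management localhost 6666 /etc/openvpn/management.pw`).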