Bering-uClibc 7.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network
Introduction
The whole topic of Virtual Private Networks can appear somewhat confusing at first sight because there are:
- Several different use case scenarios (e.g. mobile user remote access versus persistent site-to-site connections)
- Several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec)
- Several different authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks)
- Several different open source implementations of some of the protocols (e.g. OpenSwan versus strongSwan versus LibreSwan which all implement IPsec-based VPNs)
Where there are only a few endpoints involved and where one person or team has control of all of them, the WireGuard package wireguard.lrp is recommended because:
- It is much simpler to configure than other solutions, reducing the risk of introducing security vulnerabilities due to accidental mis-configuration
- It has only a few components - most of the work is done by a single kernel Module which is relatively small
- It has slightly better performance than IPsec and much better performance than SSL/TLS
For more complex deployment scenarios or where a specific encryption technology is mandated by a third-party, one of the other VPN solutions included in Bering-uClibc 7.x might be appropriate:
- The StrongSwan package strongswan.lrp to implement an IPsec-based VPN
- The OpenVPN package openvpn.lrp to implement a TLS-based VPN
- The EoIP package eoip.lrp which implements a MikroTik-specific Ethernet-over-IP protocol. Note this package is based on rather old source code; the last update was in 2012
StrongSwan IPsec VPN
Use Case
The following assumes an IPsec VPN server is being configured to allow mobile 'road warrior' clients such as commercial smartphones to access network(s) protected by a Bering-uClibc 7.x firewall.
Pre-Requisites
In order to configure StrongSwan, you will need:
- An X.509 digital Certificate to identify the VPN server (known as the 'responder' in IPsec terminology), stored in the form of a .pem file
  - For the purposes of this document, assuming the VPN server is identified as ipsec.example.com, this file will be named ipsec.example.com-cert.pem
- A corresponding private Key, stored in the form of a .pem file, together with the Passphrase for the private Key
  - For the purposes of this document, this file will be named ipsec.example.com-key.pem
- The public Key(s) for the Certification Authority chain used to issue the VPN server's digital Certificate
  - For the purposes of this document, this file will be named ca.example.com-cert.pem
There is nothing uniquely IPsec-specific about the generation of these Certificates and Keys so the exact procedure is not described here. Note however there are a few requirements:
- The server Certificate must specify a Subject Alternative Name (SAN) which matches the way the client will identify the server (either a DNS name or an IP address)
Best practice is to have the VPN clients reference the VPN server by DNS name (rather than IP address), not least because that allows the use of IPv6 where available. IPv4 and / or IPv6 DNS records should therefore be configured to reference the public Internet address(es) of the firewall and must be resolvable from the DNS server(s) used by the clients.
Package Installation
Install package strongswan.lrp in the usual way and add it to leaf.cfg so it gets loaded automatically on a reboot.
Package Configuration
Install Certificates and Keys
- Copy file ipsec.example.com-cert.pem into directory /etc/ipsec.d/certs/
- Copy file ipsec.example.com-key.pem into directory /etc/ipsec.d/keys/
- Copy file ca.example.com-cert.pem into directory /etc/ipsec.d/cacerts/
  - Note that all files in this directory are automatically loaded when StrongSwan starts; they do not need to be specifically referenced in any configuration file
  - In the event that further Certification Authority configuration settings need to be specified (such as a Certificate Revocation List URL) this can be done in the 'ca' section of ipsec.conf - see https://wiki.strongswan.org/projects/strongswan/wiki/CaSection
  - If the CA that signed the Certificate is not a Root CA, this directory needs to be populated with the Certificates for the Root CA, the Signer CA and any intermediate CAs
Configure Secrets
Edit file /etc/ipsec.secrets and add a line like the following:
: RSA ipsec.example.com-key.pem "secret passphrase for private key"
Note that the colon (:) must be the first character on the line (no leading whitespace). See https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret for full documentation of the RSA configuration entry format.
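The two rules above (colon in the first column, key file name followed by the quoted passphrase) are easy to get wrong by hand. The following lint script is an added example written for this guide, not part of strongSwan: it parses entries in the ': RSA <keyfile> "<passphrase>"' form, flags leading whitespace and unquoted passphrases, and, when given a keys directory, checks that the referenced key file exists there and is not readable by group or others. The sample secrets text, the file names in it and the keys directory used in the usage call are constructed for the example; only the RSA form shown in this guide is validated, other strongSwan entry types are reported as unhandled.

```python
"""Lint /etc/ipsec.secrets entries of the form this guide uses:

    : RSA ipsec.example.com-key.pem "secret passphrase for private key"

Added example for this guide, not part of strongSwan. Only the RSA form shown
in the guide is checked; other entry types (PSK, ECDSA, EAP, ...) are
reported as unhandled rather than validated.
"""
import os
import shlex
import stat


def lint_ipsec_secrets(text, keys_dir=None):
    """Return a list of problems; an empty list means every entry looks right."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if stripped.startswith(":") and raw[0] != ":":
            problems.append(f"line {lineno}: ':' must be the first character (leading whitespace found)")
            continue
        if not stripped.startswith(":"):
            problems.append(f"line {lineno}: does not start with ':' (selectors are not used in this guide)")
            continue
        try:
            # shlex keeps a quoted passphrase (spaces, '#') as one field
            fields = shlex.split(stripped[1:], comments=True)
        except ValueError as exc:
            problems.append(f"line {lineno}: cannot parse ({exc})")
            continue
        if len(fields) < 2 or fields[0] != "RSA":
            problems.append(f"line {lineno}: expected ': RSA <keyfile> \"<passphrase>\"' (only the RSA form is checked)")
            continue
        if len(fields) > 3:
            problems.append(f"line {lineno}: extra fields after the key file (is the passphrase quoted?)")
        if keys_dir is not None:
            keyfile = fields[1]
            path = keyfile if os.path.isabs(keyfile) else os.path.join(keys_dir, keyfile)
            if not os.path.isfile(path):
                problems.append(f"line {lineno}: key file {path} not found")
            elif os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                # the key is passphrase-protected, but it should still be root-only
                problems.append(f"line {lineno}: key file {path} is accessible to group/others")
    return problems


# Constructed sample: one good entry, one indented entry, one non-RSA entry.
SAMPLE_SECRETS = """\
# constructed /etc/ipsec.secrets for the example
: RSA ipsec.example.com-key.pem "secret passphrase for private key"
  : RSA other-key.pem "another passphrase"
: PSK "not the form used in this guide"
"""

if __name__ == "__main__":
    for problem in lint_ipsec_secrets(SAMPLE_SECRETS, keys_dir="/etc/ipsec.d/keys"):
        print(problem)
```

Run it against the real file with `lint_ipsec_secrets(open("/etc/ipsec.secrets").read(), keys_dir="/etc/ipsec.d/keys")`; the file itself holds the passphrase in clear text, so keep it root-only as well.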
Configure Connections
TODO
OpenVPN TLS VPN
TODO - Any volunteers?
Configuring Wireguard
Objectives
This is a short introduction on how to configure the wireguard VPN on your LEAF system.
Prerequisites
The software used to build a VPN tunnel using wireguard is packaged in the wireguard.lrp LEAF package. You should be familiar with how to obtain LEAF packages, either from a tarball in the LEAF file area or by downloading them over your internet connection. You should also be familiar with how to set up LEAF to install packages automatically.
Dependencies
As of LEAF 7.x wireguard.lrp depends on the following packages:
- bash.lrp
Configuration
The wireguard VPN software is configured using a text file /etc/wireguard/wg<tunnel ID>.conf, typically /etc/wireguard/wg0.conf. It is also controlled by the file /etc/default/wireguard where a few start parameters are defined. The wireguard.lrp package includes a copy of these two files for your reference.
/etc/wireguard/wg0.conf
The /etc/wireguard/wg0.conf file holds the wireguard keys and the information about each wireguard peer. A wireguard VPN is a peer-to-peer network, but there are slight differences between the two configurations: in particular the initiator side uses the parameter Endpoint to address its peer. The example below shows the client or initiator side of the wireguard VPN.
# This is a dummy configuration file for the wireguard VPN server.
# It should reside in /etc/wireguard and is designed to be used
# by the wg-quick script viz:
# 'wg-quick up wg0' to start the VPN server and
# 'wg-quick down wg0' to stop it.
#
# Generate the private & public keys required thus:
# umask 077
# wg genkey | tee private_key | wg pubkey > public_key
#
# Dummy config:
#
[Interface]
Address = 192.168.17.2/24
ListenPort = 11194
PrivateKey = EKufmuT959jTCnFlK+jjhJvzPQWdEaEzNWsHIYnzTV8=
#
#
# Peer1
[Peer]
PublicKey = DJDe260WVX8Cm2gjf/0nmklHkO8N8XgSTpvB34zJzz0=
AllowedIPs = 192.168.17.1
Endpoint = the_other_side.example.net:11194
#
# Peer2
#[Peer]
#PublicKey = <Peer 2 public key base64 string>
#AllowedIPs = <comma-separated address/cidr ranges allowed access from Peer 2>
#
To configure wireguard you need to edit the wg0.conf file and generate a private and public key pair for each of the tunnel endpoints.
For detailed information on how to set up wireguard please refer to the wireguard project's own documentation.
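Because wg-quick accepts a file with a mistyped key or an impossible AllowedIPs entry only at the moment it tries to bring the interface up, it helps to check the file first. The script below is an added example written for this guide, not part of wireguard.lrp or wg-quick: it parses the INI-like wg<N>.conf format (a plain list of sections, since [Peer] may repeat), checks that every key is 32 bytes of base64, that Address and each AllowedIPs entry parse as addresses or networks, that ListenPort is a valid port and that the initiator side has an Endpoint for every peer. AllowedIPs is worth the extra care because WireGuard uses it both as the route table and as the list of source addresses a peer may use inside the tunnel. The first sample mirrors the initiator example above with its dummy keys; the second sample and the function names are constructed for this example.

```python
"""Sanity-check a wg-quick style wg<N>.conf before bringing the tunnel up.

Added example for this guide, not part of wireguard.lrp or wg-quick.
Standard library only.
"""
import base64
import ipaddress
import re

# A WireGuard key is 32 bytes, which base64 encodes as 43 characters plus '='.
KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")


def key_ok(value):
    """True if value is a base64 string that decodes to exactly 32 bytes."""
    return bool(KEY_RE.fullmatch(value)) and len(base64.b64decode(value)) == 32


def parse_wg_conf(text):
    """Parse wg-quick INI text into a list of (section name, {key: value}).

    A list is used instead of configparser because [Peer] may appear many times.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections


def validate_wg_conf(text, initiator=True):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    sections = parse_wg_conf(text)
    interfaces = [body for name, body in sections if name == "Interface"]
    peers = [body for name, body in sections if name == "Peer"]

    if len(interfaces) != 1:
        problems.append(f"expected one [Interface] section, found {len(interfaces)}")
    for iface in interfaces:
        if not key_ok(iface.get("PrivateKey", "")):
            problems.append("[Interface] PrivateKey is not a valid 32-byte base64 key")
        if "Address" not in iface:
            problems.append("[Interface] Address is missing")
        else:
            try:
                for addr in iface["Address"].split(","):
                    ipaddress.ip_interface(addr.strip())
            except ValueError:
                problems.append(f"[Interface] Address is not valid: {iface['Address']!r}")
        port = iface.get("ListenPort")
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"[Interface] ListenPort is not a valid port: {port!r}")

    if not peers:
        problems.append("no [Peer] section: nothing can use the tunnel")
    for idx, peer in enumerate(peers, 1):
        if not key_ok(peer.get("PublicKey", "")):
            problems.append(f"[Peer] {idx}: PublicKey is not a valid 32-byte base64 key")
        if "PresharedKey" in peer and not key_ok(peer["PresharedKey"]):
            problems.append(f"[Peer] {idx}: PresharedKey is not a valid 32-byte base64 key")
        # AllowedIPs is both the route table and the access list for this peer.
        nets = [n.strip() for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if not nets:
            problems.append(f"[Peer] {idx}: AllowedIPs is missing")
        for net in nets:
            try:
                ipaddress.ip_network(net, strict=False)  # bare address means /32 or /128
            except ValueError:
                problems.append(f"[Peer] {idx}: AllowedIPs entry is not valid: {net!r}")
        endpoint = peer.get("Endpoint")
        if endpoint is None:
            if initiator:
                problems.append(f"[Peer] {idx}: initiator side needs an Endpoint to reach its peer")
        else:
            host, sep, eport = endpoint.rpartition(":")
            if not sep or not host or not eport.isdigit():
                problems.append(f"[Peer] {idx}: Endpoint should be host:port, got {endpoint!r}")
    return problems


# Constructed samples: the first mirrors the guide's initiator example, the
# second has a bad private key, an impossible prefix length and no Endpoint.
GOOD_CONF = """\
[Interface]
Address = 192.168.17.2/24
ListenPort = 11194
PrivateKey = EKufmuT959jTCnFlK+jjhJvzPQWdEaEzNWsHIYnzTV8=

[Peer]
PublicKey = DJDe260WVX8Cm2gjf/0nmklHkO8N8XgSTpvB34zJzz0=
AllowedIPs = 192.168.17.1
Endpoint = the_other_side.example.net:11194
"""

BAD_CONF = """\
[Interface]
Address = 192.168.17.2/24
PrivateKey = notakey

[Peer]
PublicKey = DJDe260WVX8Cm2gjf/0nmklHkO8N8XgSTpvB34zJzz0=
AllowedIPs = 192.168.17.0/240
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, validate_wg_conf(conf) or "OK")
```

On the responder side call `validate_wg_conf(text, initiator=False)`, since a responder that only listens does not need an Endpoint for its peers.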
/etc/default/wireguard
This file controls the wireguard init script. It only defines whether the daemon is started at all and the name of the wireguard interface used.
# Configuration for Wireguard init script
#
# Set to "yes" to start the VPN server at boot time
START="yes"
#
# Interface name. It must have a matching ${INTERFACE}.conf file in /etc/wireguard
INTERFACE="wg0"
Firewall settings
If the tunnel has to pass through a firewall, you need to provide a way, possibly on both sides, for the tunnel itself (the UDP port given as ListenPort) and for the tunnelled packets to reach their respective destinations. Shorewall provides a configuration file /etc/shorewall/tunnels which can be used to provide this access.
Appendices
VPN Client Notes
iOS VPN Options
As of Apple iOS version 11, the options supported by the standard VPN client implementation are:
- IKEv2 - Supported by Bering-uClibc 7.x using strongSwan
- IPsec - Supported by Bering-uClibc 7.x strongSwan?
- L2TP - Not currently supported by Bering-uClibc 7.x - Needs an L2TP server in addition to strongSwan
See also https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
Android VPN Options
As of Android version 6.0, the VPN options supported by the standard VPN client implementation are:
- PPTP - AVOID, see https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
- L2TP/IPsec PSK
- L2TP/IPsec RSA
- IPSec Xauth PSK
- IPsec Xauth RSA
- IPsec Hybrid RSA
Other options such as IKEv2 can be supported by installing a custom VPN client - for example the StrongSwan VPN Client for Android