Difference between revisions of "Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network"
From bering-uClibc
Davidmbrooke (Talk | contribs) (Created as skeleton for further content) |
Davidmbrooke (Talk | contribs) (Started to populate StrongSwan section) |
||
| Line 10: | Line 10: | ||
=Introduction= | =Introduction= | ||
| − | The whole topic of Virtual Private Networks can appear somewhat confusing at first sight since there are several different use case scenarios (e.g. remote access versus site-to-site VPNs), several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec) and several more authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks). Furthermore, there are different open source implementations of some of the protocols (e.g. OpenSwan versus | + | The whole topic of Virtual Private Networks can appear somewhat confusing at first sight since there are several different use case scenarios (e.g. mobile user remote access versus site-to-site VPNs), several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec) and several more authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks). Furthermore, there are different open source implementations of some of the protocols (e.g. OpenSwan versus strongSwan versus LibreSwan). |
In practice, things aren't as complex as they first appear because there are only really two underlying encryption solutions (SSL/TLS and IPsec) and - if the intention is to support a proprietary device such as a commercial smartphone as the VPN client - several constraints are imposed by the client-side VPN implementation which limit the options at the server-side. | In practice, things aren't as complex as they first appear because there are only really two underlying encryption solutions (SSL/TLS and IPsec) and - if the intention is to support a proprietary device such as a commercial smartphone as the VPN client - several constraints are imposed by the client-side VPN implementation which limit the options at the server-side. | ||
| − | Fundamentally, for Bering-uClibc 6.x, it comes down to choosing between: | + | Fundamentally, for [[Bering-uClibc 6.x]], it comes down to choosing between: |
| − | * Using the StrongSwan package | + | * Using the StrongSwan package <code>strongswan.lrp</code> to implement an IPsec-based VPN |
| − | * Using the OpenVPN package | + | * Using the OpenVPN package <code>openvpn.lrp</code> to implement a TLS-based VPN |
| − | * ''What about eoip.lrp which references http://code.google.com/p/linux-eoip/ - a MikroTik-specific Ethernet over IP protocol?'' | + | * ''What about eoip.lrp which references http://code.google.com/p/linux-eoip/ - seems to be a MikroTik-specific Ethernet over IP protocol?'' |
| − | =StrongSwan= | + | =StrongSwan IPsec VPN= |
| + | ==Use Case== | ||
| + | The following assumes an IPsec VPN server is being configured to allow mobile 'road warrior' clients such as commercial smartphones to access network(s) protected by a [[Bering-uClibc 6.x]] firewall. | ||
| + | |||
| + | ==Pre-Requisites== | ||
| + | In order to configure StrongSwan, you will need: | ||
| + | * An X.509 digital ''Certificate'' to identify the VPN server (known as the 'responder' in IPsec terminology), stored in the form of a <code class="filename">.pem</code> file | ||
| + | ** For the purposes of this document, assuming the VPN server is identified as <code>ipsec.example.com</code>, this file will be named <code>ipsec.example.com-cert.pem</code> | ||
| + | * A corresponding private ''Key'', stored in the form of a <code>.pem</code> file, together with the Passphrase for the private Key | ||
| + | ** For the purposes of this document, this file will be named <code>ipsec.example.com-key.pem</code> | ||
| + | * The public Key(s) for the Certification Authority chain used to issue the VPN server's digital Certificate | ||
| + | ** For the purposes of this document, this file will be named <code>ca.example.com-cert.pem</code> | ||
| + | There is nothing uniquely IPsec-specific about the generation of these Certificates and Keys so the exact procedure is not described here. | ||
| + | Note however there are a few requirements: | ||
| + | * The server Certificate must specify a Subject Alternative Name (SAN) which matches the way the client will identify the server (either a DNS name or an IP address) | ||
| + | |||
| + | Best practice is to have the VPN clients reference the VPN server by DNS name (rather than IP address) - not least because that allows the use of IPv6 where available - so IPv4 and / or IPv6 DNS records should be configured to reference the public Internet address(es) of the firewall and visible from the DNS server(s) used by the clients. | ||
| + | |||
| + | ==Package Installation== | ||
| + | Install package <code>strongswan.lrp</code> in the usual way and add it to <code>leaf.cfg</code> so it gets loaded automatically on a reboot. | ||
| + | |||
| + | ==Package Configuration== | ||
| + | ===Install Certificates and Keys=== | ||
| + | # Copy file <code>ipsec.example.com-cert.pem</code> into directory <code>/etc/ipsec.d/certs/</code> | ||
| + | # Copy file <code>ipsec.example.com-key.pem</code> into directory <code>/etc/ipsec.d/keys/</code> | ||
| + | # Copy file <code>ca.example.com-cert.pem</code> into directory <code>/etc/ipsec.d/cacerts/</code> | ||
| + | #* Note that all files in this directory are automatically loaded when StrongSwan starts; they do not need to be specifically referenced in any configuration file | ||
| + | #* In the event that further Certification Authority configuration settings need to be specified (such as a Certificate Revocation List URL) this can be done in the 'ca' section of <code>ipsec.conf</code> - see https://wiki.strongswan.org/projects/strongswan/wiki/CaSection | ||
| + | #* If the CA that signed the Certificate is not a Root CA, this directory needs to be populated with the Certificates for the Root CA, the Signer CA and any intermediate CAs | ||
| + | |||
| + | ===Configure Secrets=== | ||
| + | Edit file <code>/etc/ipsec.secrets</code> and add a line like the following: | ||
| + | : RSA ipsec.example.com-key.pem "secret passphrase for private key" | ||
| + | Note that the colon (:) must be the first character on the line (no leading whitespace). | ||
| + | See https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret for full documentation of the RSA configuration entry format. | ||
| + | |||
| + | ===Configure Connections=== | ||
TODO | TODO | ||
| + | |||
| + | |||
| + | =OpenVPN TLS VPN= | ||
| + | TODO - Any volunteers? | ||
| Line 29: | Line 69: | ||
===iOS VPN Options=== | ===iOS VPN Options=== | ||
| − | As of Apple iOS version 11, the | + | As of Apple iOS version 11, the options supported by the standard VPN client implementation are: |
| − | * IKEv2 | + | * IKEv2 - Supported by [[Bering-uClibc 6.x]] using strongSwan |
| − | * IPsec | + | * IPsec - Supported by [[Bering-uClibc 6.x]] strongSwan? |
| − | * L2TP | + | * L2TP - Not currently supported by [[Bering-uClibc 6.x]] - Needs an L2TP server in addition to strongSwan |
| + | See also https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients | ||
===Android VPN Options=== | ===Android VPN Options=== | ||
As of Android version 6.0, the VPN options supported by the standard VPN client implementation are: | As of Android version 6.0, the VPN options supported by the standard VPN client implementation are: | ||
| − | * PPTP | + | * PPTP - '''AVOID''', see https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol |
* L2TP/IPsec PSK | * L2TP/IPsec PSK | ||
* L2TP/IPsec RSA | * L2TP/IPsec RSA | ||
| Line 42: | Line 83: | ||
* IPsec Xauth RSA | * IPsec Xauth RSA | ||
* IPsec Hybrid RSA | * IPsec Hybrid RSA | ||
| − | + | Other options such as IKEv2 can be supported by installing a custom VPN client - for example the [https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en_GB StrongSwan VPN Client for Android] | |
---- | ---- | ||
Latest revision as of 19:23, 17 March 2018
| Advanced Topics - Setting Up a Virtual Private Network | ||
|---|---|---|
| Prev | Bering-uClibc 6.x - User Guide | Next |
Introduction
The whole topic of Virtual Private Networks can appear somewhat confusing at first sight since there are several different use case scenarios (e.g. mobile user remote access versus site-to-site VPNs), several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec) and several more authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks). Furthermore, there are different open source implementations of some of the protocols (e.g. OpenSwan versus strongSwan versus LibreSwan).
In practice, things aren't as complex as they first appear because there are only really two underlying encryption solutions (SSL/TLS and IPsec) and - if the intention is to support a proprietary device such as a commercial smartphone as the VPN client - several constraints are imposed by the client-side VPN implementation which limit the options at the server-side.
Fundamentally, for Bering-uClibc 6.x, it comes down to choosing between:
- Using the StrongSwan package
strongswan.lrpto implement an IPsec-based VPN - Using the OpenVPN package
openvpn.lrpto implement a TLS-based VPN - What about eoip.lrp which references http://code.google.com/p/linux-eoip/ - seems to be a MikroTik-specific Ethernet over IP protocol?
StrongSwan IPsec VPN
Use Case
The following assumes an IPsec VPN server is being configured to allow mobile 'road warrior' clients such as commercial smartphones to access network(s) protected by a Bering-uClibc 6.x firewall.
Pre-Requisites
In order to configure StrongSwan, you will need:
- An X.509 digital Certificate to identify the VPN server (known as the 'responder' in IPsec terminology), stored in the form of a
.pemfile- For the purposes of this document, assuming the VPN server is identified as
ipsec.example.com, this file will be namedipsec.example.com-cert.pem
- For the purposes of this document, assuming the VPN server is identified as
- A corresponding private Key, stored in the form of a
.pemfile, together with the Passphrase for the private Key- For the purposes of this document, this file will be named
ipsec.example.com-key.pem
- For the purposes of this document, this file will be named
- The public Key(s) for the Certification Authority chain used to issue the VPN server's digital Certificate
- For the purposes of this document, this file will be named
ca.example.com-cert.pem
- For the purposes of this document, this file will be named
There is nothing uniquely IPsec-specific about the generation of these Certificates and Keys so the exact procedure is not described here. Note however there are a few requirements:
- The server Certificate must specify a Subject Alternative Name (SAN) which matches the way the client will identify the server (either a DNS name or an IP address)
Best practice is to have the VPN clients reference the VPN server by DNS name (rather than IP address) - not least because that allows the use of IPv6 where available - so IPv4 and / or IPv6 DNS records should be configured to reference the public Internet address(es) of the firewall and visible from the DNS server(s) used by the clients.
Package Installation
Install package strongswan.lrp in the usual way and add it to leaf.cfg so it gets loaded automatically on a reboot.
Package Configuration
Install Certificates and Keys
- Copy file
ipsec.example.com-cert.peminto directory/etc/ipsec.d/certs/ - Copy file
ipsec.example.com-key.peminto directory/etc/ipsec.d/keys/ - Copy file
ca.example.com-cert.peminto directory/etc/ipsec.d/cacerts/- Note that all files in this directory are automatically loaded when StrongSwan starts; they do not need to be specifically referenced in any configuration file
- In the event that further Certification Authority configuration settings need to be specified (such as a Certificate Revocation List URL) this can be done in the 'ca' section of
ipsec.conf- see https://wiki.strongswan.org/projects/strongswan/wiki/CaSection - If the CA that signed the Certificate is not a Root CA, this directory needs to be populated with the Certificates for the Root CA, the Signer CA and any intermediate CAs
Configure Secrets
Edit file /etc/ipsec.secrets and add a line like the following:
: RSA ipsec.example.com-key.pem "secret passphrase for private key"
Note that the colon (:) must be the first character on the line (no leading whitespace). See https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret for full documentation of the RSA configuration entry format.
Configure Connections
TODO
OpenVPN TLS VPN
TODO - Any volunteers?
Appendices
VPN Client Notes
iOS VPN Options
As of Apple iOS version 11, the options supported by the standard VPN client implementation are:
- IKEv2 - Supported by Bering-uClibc 6.x using strongSwan
- IPsec - Supported by Bering-uClibc 6.x strongSwan?
- L2TP - Not currently supported by Bering-uClibc 6.x - Needs an L2TP server in addition to strongSwan
See also https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
Android VPN Options
As of Android version 6.0, the VPN options supported by the standard VPN client implementation are:
- PPTP - AVOID, see https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
- L2TP/IPsec PSK
- L2TP/IPsec RSA
- IPSec Xauth PSK
- IPsec Xauth RSA
- IPsec Hybrid RSA
Other options such as IKEv2 can be supported by installing a custom VPN client - for example the StrongSwan VPN Client for Android
| Prev | Up | Next |
