Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network
Advanced Topics - Setting Up a Virtual Private Network | ||
---|---|---|
Prev | Bering-uClibc 6.x - User Guide | Next |
Introduction
The whole topic of Virtual Private Networks can appear somewhat confusing at first sight since there are several different use case scenarios (e.g. mobile user remote access versus site-to-site VPNs), several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec) and several more authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks). Furthermore, there are different open source implementations of some of the protocols (e.g. OpenSwan versus strongSwan versus LibreSwan).
In practice, things aren't as complex as they first appear because there are only really two underlying encryption solutions (SSL/TLS and IPsec) and - if the intention is to support a proprietary device such as a commercial smartphone as the VPN client - several constraints are imposed by the client-side VPN implementation which limit the options at the server-side.
Fundamentally, for Bering-uClibc 6.x, it comes down to choosing between:
- Using the StrongSwan package
strongswan.lrp
to implement an IPsec-based VPN - Using the OpenVPN package
openvpn.lrp
to implement a TLS-based VPN - What about eoip.lrp which references http://code.google.com/p/linux-eoip/ - seems to be a MikroTik-specific Ethernet over IP protocol?
StrongSwan IPsec VPN
Use Case
The following assumes an IPsec VPN server is being configured to allow mobile 'road warrior' clients such as commercial smartphones to access network(s) protected by a Bering-uClibc 6.x firewall.
Pre-Requisites
In order to configure StrongSwan, you will need:
- An X.509 digital Certificate to identify the VPN server (known as the 'responder' in IPsec terminology), stored in the form of a
.pem
file- For the purposes of this document, assuming the VPN server is identified as
ipsec.example.com
, this file will be namedipsec.example.com-cert.pem
- For the purposes of this document, assuming the VPN server is identified as
- A corresponding private Key, stored in the form of a
.pem
file, together with the Passphrase for the private Key- For the purposes of this document, this file will be named
ipsec.example.com-key.pem
- For the purposes of this document, this file will be named
- The public Key(s) for the Certification Authority chain used to issue the VPN server's digital Certificate
- For the purposes of this document, this file will be named
ca.example.com-cert.pem
- For the purposes of this document, this file will be named
There is nothing uniquely IPsec-specific about the generation of these Certificates and Keys so the exact procedure is not described here. Note however there are a few requirements:
- The server Certificate must specify a Subject Alternative Name (SAN) which matches the way the client will identify the server (either a DNS name or an IP address)
Best practice is to have the VPN clients reference the VPN server by DNS name (rather than IP address) - not least because that allows the use of IPv6 where available - so IPv4 and / or IPv6 DNS records should be configured to reference the public Internet address(es) of the firewall and visible from the DNS server(s) used by the clients.
Package Installation
Install package strongswan.lrp
in the usual way and add it to leaf.cfg
so it gets loaded automatically on a reboot.
Package Configuration
Install Certificates and Keys
- Copy file
ipsec.example.com-cert.pem
into directory/etc/ipsec.d/certs/
- Copy file
ipsec.example.com-key.pem
into directory/etc/ipsec.d/keys/
- Copy file
ca.example.com-cert.pem
into directory/etc/ipsec.d/cacerts/
- Note that all files in this directory are automatically loaded when StrongSwan starts; they do not need to be specifically referenced in any configuration file
- In the event that further Certification Authority configuration settings need to be specified (such as a Certificate Revocation List URL) this can be done in the 'ca' section of
ipsec.conf
- see https://wiki.strongswan.org/projects/strongswan/wiki/CaSection - If the CA that signed the Certificate is not a Root CA, this directory needs to be populated with the Certificates for the Root CA, the Signer CA and any intermediate CAs
Configure Secrets
Edit file /etc/ipsec.secrets
and add a line like the following:
: RSA ipsec.example.com-key.pem "secret passphrase for private key"
Note that the colon (:) must be the first character on the line (no leading whitespace). See https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret for full documentation of the RSA configuration entry format.
Configure Connections
TODO
OpenVPN TLS VPN
TODO - Any volunteers?
Appendices
VPN Client Notes
iOS VPN Options
As of Apple iOS version 11, the options supported by the standard VPN client implementation are:
- IKEv2 - Supported by Bering-uClibc 6.x using strongSwan
- IPsec - Supported by Bering-uClibc 6.x strongSwan?
- L2TP - Not currently supported by Bering-uClibc 6.x - Needs an L2TP server in addition to strongSwan
See also https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
Android VPN Options
As of Android version 6.0, the VPN options supported by the standard VPN client implementation are:
- PPTP - AVOID, see https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
- L2TP/IPsec PSK
- L2TP/IPsec RSA
- IPSec Xauth PSK
- IPsec Xauth RSA
- IPsec Hybrid RSA
Other options such as IKEv2 can be supported by installing a custom VPN client - for example the StrongSwan VPN Client for Android
Prev | Up | Next |