Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network

From bering-uClibc
Jump to: navigation, search
Advanced Topics - Setting Up a Virtual Private Network
Prev Bering-uClibc 6.x - User Guide Next


Introduction

The whole topic of Virtual Private Networks can appear somewhat confusing at first sight since there are several different use case scenarios (e.g. mobile user remote access versus site-to-site VPNs), several different VPN tunnel encryption solutions (e.g. SSL/TLS versus IPsec) and several more authentication solutions (e.g. X.509 PKI certificates, Pre-Shared-Keys or EAP - much the same options as exist for WiFi networks). Furthermore, there are different open source implementations of some of the protocols (e.g. OpenSwan versus strongSwan versus LibreSwan).

In practice, things aren't as complex as they first appear because there are only really two underlying encryption solutions (SSL/TLS and IPsec) and - if the intention is to support a proprietary device such as a commercial smartphone as the VPN client - several constraints are imposed by the client-side VPN implementation which limit the options at the server-side.

Fundamentally, for Bering-uClibc 6.x, it comes down to choosing between:

  • Using the StrongSwan package strongswan.lrp to implement an IPsec-based VPN
  • Using the OpenVPN package openvpn.lrp to implement a TLS-based VPN
  • What about eoip.lrp which references http://code.google.com/p/linux-eoip/ - seems to be a MikroTik-specific Ethernet over IP protocol?


StrongSwan IPsec VPN

Use Case

The following assumes an IPsec VPN server is being configured to allow mobile 'road warrior' clients such as commercial smartphones to access network(s) protected by a Bering-uClibc 6.x firewall.

Pre-Requisites

In order to configure StrongSwan, you will need:

  • An X.509 digital Certificate to identify the VPN server (known as the 'responder' in IPsec terminology), stored in the form of a .pem file
    • For the purposes of this document, assuming the VPN server is identified as ipsec.example.com, this file will be named ipsec.example.com-cert.pem
  • A corresponding private Key, stored in the form of a .pem file, together with the Passphrase for the private Key
    • For the purposes of this document, this file will be named ipsec.example.com-key.pem
  • The public Key(s) for the Certification Authority chain used to issue the VPN server's digital Certificate
    • For the purposes of this document, this file will be named ca.example.com-cert.pem

There is nothing uniquely IPsec-specific about the generation of these Certificates and Keys so the exact procedure is not described here. Note however there are a few requirements:

  • The server Certificate must specify a Subject Alternative Name (SAN) which matches the way the client will identify the server (either a DNS name or an IP address)

Best practice is to have the VPN clients reference the VPN server by DNS name (rather than IP address) - not least because that allows the use of IPv6 where available - so IPv4 and / or IPv6 DNS records should be configured to reference the public Internet address(es) of the firewall and visible from the DNS server(s) used by the clients.

Package Installation

Install package strongswan.lrp in the usual way and add it to leaf.cfg so it gets loaded automatically on a reboot.

Package Configuration

Install Certificates and Keys

  1. Copy file ipsec.example.com-cert.pem into directory /etc/ipsec.d/certs/
  2. Copy file ipsec.example.com-key.pem into directory /etc/ipsec.d/keys/
  3. Copy file ca.example.com-cert.pem into directory /etc/ipsec.d/cacerts/
    • Note that all files in this directory are automatically loaded when StrongSwan starts; they do not need to be specifically referenced in any configuration file
    • In the event that further Certification Authority configuration settings need to be specified (such as a Certificate Revocation List URL) this can be done in the 'ca' section of ipsec.conf - see https://wiki.strongswan.org/projects/strongswan/wiki/CaSection
    • If the CA that signed the Certificate is not a Root CA, this directory needs to be populated with the Certificates for the Root CA, the Signer CA and any intermediate CAs

Configure Secrets

Edit file /etc/ipsec.secrets and add a line like the following:

: RSA ipsec.example.com-key.pem "secret passphrase for private key"

Note that the colon (:) must be the first character on the line (no leading whitespace). See https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret for full documentation of the RSA configuration entry format.

Configure Connections

TODO


OpenVPN TLS VPN

TODO - Any volunteers?


Appendices

VPN Client Notes

iOS VPN Options

As of Apple iOS version 11, the options supported by the standard VPN client implementation are:

See also https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

Android VPN Options

As of Android version 6.0, the VPN options supported by the standard VPN client implementation are:

Other options such as IKEv2 can be supported by installing a custom VPN client - for example the StrongSwan VPN Client for Android


Prev Up Next