No choice thus but to modify our standard images to support L2TP over IPsec with PSK (Pre-shared key). Chromeos also supports L2TP over IPsec with certificate-based authentication and OpenVPN but these are more complicated to set-up, especially if you need to support a wide range of devices.
Goal of our set-upThe goal of this procedure is to document a quick and dirty method to set-up a single L2TP VPN server with PSK to be used for our Chromebooks. It should work with other clients too.
Note that we will be using a Google DNS server (18.104.22.168) and once a client is connected, all traffic is allowed through the VPN, including internet traffic.
The documented method should be fine for a single VPN server in a simple environment. If you have a more complicated setup, please spend some weeks cursing and reading on the intricacies of a VPN set-up using Linux.
ProcedureFirst create a (micro) EC2 instance (64 bits). We used the latest available Amazon Linux AMI (v2013.03.1). Login as ec2-user, and enter the following in the shell:
sudo su -
yum install -y --enablerepo=epel openswan xl2tpd
Note that the enablerepo switch enables the Amazon Extra Packages for Enterprise Linux repository.
Use your favourite editor (e.g. ‘nano’) to modify the file /etc/xl2tpd/xl2tpd.conf to read:
ip range 192.168.22.70-79 local ip 192.168.22.1 require chap=yes name = myVPNServer
You can of course use other IP addresses. The above instructs the VPN to use 192.168.22.1 as a local address, and give remote clients an IP address between 192.168.22.70 and 192.168.22.79. Note the name myVPNServer that we will need in the next step.
Edit the file /etc/ppp/chap-secrets:
# Secrets for authentication using CHAP # client server secret IP addresses Zaphod myVPNServer Beeblebrox *
This will set the user-id to “Zaphod” and the password to “Beeblebrox”. Next edit /etc/ipsec.conf and add the following:
conn EC2 authby=secret pfs=no rekey=no keyingtries=3 left=%defaultroute leftprotoport=17/1701 right=%any rightprotoport=17/%any auto=add
Now edit/create the file /etc/ipsec.d/ec2.secrets and insert the following:
%any %any : PSK "milliways;2013"
This will set the shared secret (PSK) for the L2TP VPN connection to “milliways;2013”. Please do change this password and use a much, much longer one.
Open /etc/sysctl.conf via a text editor and change the following line to read ‘= 1” (default is “0”):
net.ipv4.ip_forward = 1
Now execute the following commands:
# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done # for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
We are nearly there:
sysctl -p iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE service iptables save service iptables restart chkconfig xl2tpd on chkconfig ipsec on
If there are no errors, execute:
Now configure your EC2 security groups for this VPN to allow:
- UDP port 1701 (for L2TP)
- UDP port 500 (for IKE)
- UDP port 4500 (for IPSec over UDP)
That’s it! Check here for more information on how to set-up your Chromebook for a L2TP VPN with pre-shared key.