Tuesday, 4 June 2013

Howto: L2TP VPN with PSK on EC2 Linux AMI to support your Google Chromebook

Chromebooks are great devices. Unfortunately they support only a narrow range of VPN technologies, and PPTP, which we tend to use at Astyran because most devices support it, is not on the list.
So we had no choice but to modify our standard images to support L2TP over IPsec with a PSK (pre-shared key). Chrome OS also supports L2TP over IPsec with certificate-based authentication, and OpenVPN, but these are more complicated to set up, especially if you need to support a wide range of devices.

Goal of our set-up

The goal of this procedure is to document a quick and dirty method to set up a single L2TP VPN server with a PSK for our Chromebooks. It should work with other clients too.
Note that we will be using a Google DNS server (8.8.8.8) and once a client is connected, all traffic is allowed through the VPN, including internet traffic.
The documented method should be fine for a single VPN server in a simple environment. If you have a more complicated setup, please spend some weeks cursing and reading on the intricacies of a VPN set-up using Linux.

Procedure

First create a (micro) EC2 instance (64-bit). We used the latest available Amazon Linux AMI (v2013.03.1). Log in as ec2-user and enter the following in the shell:

sudo su -
yum update
yum install -y --enablerepo=epel openswan xl2tpd

Note that the enablerepo switch enables the Amazon Extra Packages for Enterprise Linux (EPEL) repository.
Use your favourite editor (e.g. nano) to modify the file /etc/xl2tpd/xl2tpd.conf so that its LNS section reads (xl2tpd expects the "option = value" form for each line):

[lns default]
ip range = 192.168.22.70-192.168.22.79
local ip = 192.168.22.1
require chap = yes
name = myVPNServer

You can of course use other IP addresses. The above instructs the VPN server to use 192.168.22.1 as its local address and to give remote clients an address between 192.168.22.70 and 192.168.22.79. Note the name myVPNServer; we will need it in the next step.

Edit the file /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client     server        secret        IP addresses
Zaphod       myVPNServer   Beeblebrox        *

This sets the user-id to “Zaphod” and the password to “Beeblebrox”. Next edit /etc/ipsec.conf and add the following connection:

conn EC2
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add

Now edit or create the file /etc/ipsec.d/ec2.secrets and insert the following:

%any %any : PSK "milliways;2013"

This will set the shared secret (PSK) for the L2TP VPN connection to “milliways;2013”. Please do change this password and use a much, much longer one.
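As an added example (not part of the original post), the following POSIX shell script generates a long random PSK, writes it in the "%any %any : PSK" format shown above with owner-only permissions, and checks an existing secrets file for mode and secret length. The file path and minimum length are parameters, so it can be tried in a scratch directory before touching /etc/ipsec.d.

```shell
#!/bin/sh
# Added example, not from the original post: generate, write and check a
# PSK in the openswan secrets-file format used by /etc/ipsec.d/ec2.secrets.

# gen_psk N: print N random bytes hex-encoded (2*N characters). Hex keeps
# the secret free of quotes, ';' and whitespace that could confuse parsing.
gen_psk() {
    n="${1:-32}"
    head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE PSK: write the single PSK line, readable by the owner
# only, because the file holds the shared secret in clear text.
write_secrets() {
    file="$1"
    psk="$2"
    (umask 077; printf '%%any %%any : PSK "%s"\n' "$psk" > "$file")
    chmod 600 "$file"
}

# check_secrets FILE MINLEN: succeed only if FILE exists, is mode 0600 and
# holds a "%any %any" PSK of at least MINLEN characters.
check_secrets() {
    file="$1"
    minlen="${2:-32}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $file" >&2; return 1; }
    psk=$(sed -n 's/^%any %any : PSK "\(.*\)"$/\1/p' "$file")
    [ -n "$psk" ] || { echo "no %any %any PSK line in $file" >&2; return 1; }
    [ "${#psk}" -ge "$minlen" ] || { echo "PSK too short: ${#psk} < $minlen" >&2; return 1; }
    return 0
}

# Usage: "sh psk.sh rotate" writes a fresh 64-character PSK to $SECRETS
# (default /etc/ipsec.d/ec2.secrets) and verifies it. Restart ipsec afterwards
# and update the PSK on every client.
if [ "${1:-}" = "rotate" ]; then
    target="${SECRETS:-/etc/ipsec.d/ec2.secrets}"
    write_secrets "$target" "$(gen_psk 32)"
    check_secrets "$target" 32 && echo "wrote $target"
fi
```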

Open /etc/sysctl.conf in a text editor and change the following line to read "= 1" (the default is "0"):

net.ipv4.ip_forward = 1

Now execute the following commands (they change the running kernel only; add the equivalent settings to /etc/sysctl.conf as well if you want them to survive the reboot below):

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

We are nearly there:
sysctl -p
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
chkconfig xl2tpd on
chkconfig ipsec on

If there are no errors, execute:

init 6

Now configure your EC2 security groups for this VPN to allow:

  • UDP port 1701 (for L2TP)
  • UDP port 500 (for IKE)
  • UDP port 4500 (for IPsec over UDP, i.e. NAT traversal)

That’s it! Check here for more information on how to set-up your Chromebook for a L2TP VPN with pre-shared key.
Enjoy!

1 comment:

  1. Things have been pretty quiet on the Chromebook front since the launch of Google's gorgeous but pricey flagship, the Pixel.
