Linux L2TP/IPSec with iPhone and Mac OS/X clients
After moving to China I ran into a few issues that got me to install a VPN. Namely:
- Latency. I frequently use SSH to access remote servers in US and EU and for some reason the latency here is terrible. Running SSH over a VPN seems to resolve this. A nice bonus is that idle sessions aren’t timed out (which they otherwise would with a little help of China’s Great Firewall.)
- Location aware websites. A number of websites will adjust their content based on your location. This is fine if you’re able to adjust it manually, but many of these websites don’t allow this as they are trying to restrict content to US and/or EU users. (Which just so happens to be the content I’m looking for.)
- Blocked websites. Although most websites that are blocked in China are not of particular interest to me, the GFW will occasionally put a ban on sites that I do like to use.
After using OpenVPN for a while I got mildly annoyed by:
- High CPU usage (99%) on Ubuntu systems after running it for extended periods of time.
- Not being able to use it on OS/X very easily or on my iPhone at all.
This made me switch to IPSec instead. IPSec requires a little more effort to configure but it has proven rock solid and cross-platform in several of my past projects. Having used Freeswan and Openswan before, I now decided to use Strongswan instead as it requires no kernel tweaks on Debian/Ubuntu making the installation a matter of minutes. (This is well documented on www.strongswan.org and I know you’re just here to read about the iPhone, so I won’t go into that now. ;-)
Making IPSec work with iPhone and OS/X’s native clients requires installing an L2TP daemon.
First the fairly standard Strongswan configuration:
```
config setup
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn L2TP
    authby=psk
    pfs=no
    rekey=no
    type=tunnel
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=your.ip.goes.here
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
```
And the pre-shared key in /etc/ipsec.secrets:

```
your.ip.goes.here %any : PSK "yoursharedkeygoeshere"
```
As you can see, we're enabling NAT traversal and transport mode at the same time. That's really the only 'hack' we need, as this combination is disabled by default.
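To sanity-check an ipsec.conf like the one above before handing the PSK to users, here is a small added parser and lint (example code, not from the post or from strongSwan). It splits the file into its `config setup` and `conn` sections, confirms the settings the L2TP conn relies on (PSK auth, UDP/1701 on the server side, any client port and address, NAT traversal enabled) and flags two hardening points; the sample config is constructed from the post's own values.

```python
# Constructed sample: the ipsec.conf from the post, reduced to the lines the checks look at.
SAMPLE_IPSEC_CONF = """\
config setup
    # strictcrlpolicy=yes
    nat_traversal=yes
    plutostart=yes

conn L2TP
    authby=psk
    pfs=no
    ike=aes128-sha-modp1024
    left=your.ip.goes.here
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
"""

def parse_ipsec_conf(text):
    """Map section name -> {key: value}. Headers ('config setup', 'conn L2TP')
    start at column 0, settings are indented, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split(None, 1)[-1]  # 'config setup' -> 'setup', 'conn X' -> 'X'
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_l2tp_conn(sections, conn="L2TP"):
    """Return findings: deviations from the settings the post's conn relies
    on, plus hardening notes. An empty list means nothing to report."""
    c = sections.get(conn)
    if c is None:
        return ["conn %s not found" % conn]
    required = {"authby": "psk", "right": "%any",
                "leftprotoport": "17/1701", "rightprotoport": "17/%any"}
    findings = ["%s should be %s, got %r" % (k, v, c.get(k))
                for k, v in required.items() if c.get(k) != v]
    if sections.get("setup", {}).get("nat_traversal") != "yes":
        findings.append("nat_traversal=yes is needed for clients behind NAT")
    if "modp1024" in c.get("ike", ""):  # 1024-bit DH is weak by today's standards
        findings.append("ike uses modp1024; prefer a 2048-bit or larger DH group")
    if c.get("pfs") == "no":
        findings.append("pfs=no disables forward secrecy for the ESP SA")
    return findings
```

Run against the post's config, the only findings are the two hardening notes; break `leftprotoport` or `nat_traversal` and the lint reports exactly which key to fix.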
On a Debian or Ubuntu system this should get you a long way:
```
apt-get install build-essential fakeroot dpkg-dev devscripts
apt-get source strongswan
apt-get install libcurl4-openssl-dev
apt-get build-dep strongswan
cd strongswan-4.2.4/
dch -i
```
Now edit debian/rules and change --disable-md5 --disable-sha1 --disable-sha2 to --disable-md5 --disable-sha1 --disable-sha2 --enable-nat-transport and continue:
```
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../strongswan_4.2.4-5ubuntu2_i386.deb
/etc/init.d/ipsec restart
```
Alright. IPSec is good to go. Next the L2TP daemon for iPhone and OS/X:
```
apt-get install xl2tpd
```
Configure it in /etc/xl2tpd/xl2tpd.conf:

```
[global]
debug network = yes
debug tunnel = yes

[lns default]
ip range = 10.0.0.200-10.0.0.254
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = NIELSPEEN.COM
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
10.0.0.0/24 is your local LAN. 10.0.0.200-10.0.0.254 are IP addresses that we can freely assign to the users. 10.0.0.1 is a free IP on your local LAN. (It should not be the IP bound to your LAN interface!)
Note: you don’t need an actual LAN to make this work. In fact, the server I use the above config on is not connected to one.
The password the clients will use goes into /etc/xl2tpd/l2tp-secrets:

```
* * l2tppassworduser1 *
```
And the PPP options referenced above, in /etc/ppp/options.xl2tpd:

```
ipcp-accept-local
ipcp-accept-remote
ms-dns you.dns.ip.here
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
```
Great! Now to configure your iPhone:
- Open the Settings app and navigate to General->Network->VPN->Add VPN Configuration…
- Make sure the selected VPN type is L2TP. (Not IPSec.)
- Fill in anything you like for Description.
- Server should be the hostname or IP of the machine you just installed Strongswan and xl2tpd on.
- Account is not checked by xl2tpd. You can give your users a random username.
- RSA SecurID is to be switched OFF.
- Password is the password as put in /etc/xl2tpd/l2tp-secrets.
- Secret is the PSK you’ve put into /etc/ipsec.secrets.
- Send All Traffic is typically turned on.
If, like me, you’re not using this to hook your iPhone to your office network, but want to use the connection to access the Internet, you’ll need to add a masquerading rule to iptables:
```
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```