Guide to install L2TP-IPSEC VPN Server on a Raspberry Pi with ArchLinux
#!/bin/bash
# Guide to install L2TP-IPSEC VPN Server on a Raspberry Pi with ArchLinux
# This file is a runbook rather than a script to execute top to bottom: the
# commands are run one at a time as root on the Pi, and the commented-out
# blocks are file contents to paste into the file named just above them.
# Used parts of several instructions,
# http://nls.io/setup-an-ipsec-l2tp-vpn-with-text-or-ldap-auth-on-arch-linux/
# https://smileykeith.com/2014/01/27/ipsec-l2tp-vpn-on-a-raspberry-pi-running-arch-linux/
# http://linux.tips/tutorials/how-to-setup-l2tp-vpn-server-on-raspberry-pi
# Tested and works with OSX and iOS 7.1 supplied vpn client
#===============================================================================
# Router Configuration
#===============================================================================
# Create a DHCP Reservation or static ip for the server
# Can get the MAC address of the device with
cat /sys/class/net/eth0/address
# Port forward ports 500,4500,1701 to the server
# All three are UDP: 500 (IKE), 4500 (IKE/ESP NAT traversal), 1701 (L2TP).
# Forward only these; SSH should stay reachable from the LAN only.
# NOTE(review): forwarding 1701 makes plain (non-IPsec) L2TP reachable from
# the internet, and nothing in the xl2tpd/ppp config below ties it to the
# IPsec tunnel — consider restricting 1701 on the router or with iptables so
# only IPsec-decapsulated traffic reaches xl2tpd; confirm for your clients.
# Setup a DDNS service if public ip can change
#===============================================================================
# Install IPSEC-L2TP VPN on Arch Linux for the Raspberry Pi
#===============================================================================
# SSH into the machine with root/root and update the password
# The image ships with a well-known default root password: change it before
# anything is exposed (the router steps forward only the VPN ports, not SSH).
ssh root@ip-address
passwd
# Apply updates
pacman -Syu
# Download the requirements for L2TP-IPSEC server
# NOTE(review): package names reflect the time of writing — check that
# 'openswan' and 'python2' are still available in the Arch ARM repositories
# before relying on this line.
pacman -S openswan xl2tpd ppp lsof python2
touch /usr/local/bin/vpn-boot.sh
chmod +x /usr/local/bin/vpn-boot.sh
vim /usr/local/bin/vpn-boot.sh
# And paste the content below
# vpn-boot.sh is executed on every boot by vpn.service (created further down),
# so everything in it must be safe to repeat.
# Each 'tee -a' appends to /etc/sysctl.conf on every boot, so the file gains
# seven duplicate lines per boot. The values still take effect, but writing
# them once to a file under /etc/sysctl.d/ would avoid the growth.
# rp_filter = 0 disables reverse-path (anti-spoofing) filtering on interfaces
# created after this runs — NOTE(review): confirm it is really needed for the
# per-client ppp interfaces before keeping it, as it also weakens eth0.
##!/usr/bin/env bash
#
#echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
#echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
#echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
#echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
#echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
#echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
#echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
#
# The loop below clears ICMP redirects on interfaces that already exist; the
# 'default.*' keys above presumably only cover interfaces created later.
#for vpn in /proc/sys/net/ipv4/conf/*; do
# echo 0 > $vpn/accept_redirects;
# echo 0 > $vpn/send_redirects;
#done
#
# NAT for VPN clients. The rule carries no -s/-o restriction, so every
# forwarded packet leaving the Pi is masqueraded, and it is appended again on
# each boot (harmless only because nothing here persists iptables rules).
# Limiting it to the client pool (172.16.1.0/24, see xl2tpd.conf) and the
# LAN interface would be tighter.
#iptables --table nat --append POSTROUTING --jump MASQUERADE
#
# Load the values written above; 'sysctl -p' reads /etc/sysctl.conf.
#sysctl -p
# Aside:
# Ensure possible to access devices on LAN
# cat /proc/sys/net/ipv4/ip_forward
# Create the service
vim /etc/systemd/system/vpn.service
# And paste the content below
# Runs vpn-boot.sh once per boot. No Type= is given, so systemd treats the
# unit as Type=simple and considers it started as soon as the script is
# launched. NOTE(review): the Before= line therefore does not guarantee the
# sysctl/iptables changes are in place when openswan/xl2tpd start; Type=oneshot
# would make the ordering strict — confirm this is not the cause of the
# "Ready on boot Hack" further down.
#[Unit]
#Description=IPSec VPN
#After=netctl@eth0.service
#Before=openswan.service xl2tpd.service
#
#[Service]
#ExecStart=/usr/local/bin/vpn-boot.sh
#
#[Install]
#WantedBy=multi-user.target
# Activate the service
systemctl enable vpn.service
# Configure the IPSec daemon, Openswan
vim /etc/ipsec.conf
# Replace protostack=auto with protostack=netkey
# At the end of the file add and replace xxx.xxx.xxx.xxx with server ip on the
# LAN, ex 10.0.1.x or 192.168.1.x
# Two connections: L2TP-PSK-NAT wraps L2TP-PSK-noNAT (via also=) so clients
# behind a NAT are accepted as well. Security notes on the settings:
# - authby=secret with right=%any means one PSK is shared by every client and
#   anyone holding it can reach the L2TP/PPP layer; make it long and random.
# - pfs=no disables perfect forward secrecy for the IPsec SA, so a recorded
#   session can be decrypted if the IKE keys are later recovered; presumably
#   kept for client compatibility — confirm before relaxing it.
# - NOTE(review): no ike=/phase2alg= lines are given, so the negotiated
#   algorithms are whatever this openswan build offers by default; check the
#   logs for the proposal actually agreed and pin stronger ones if the
#   clients allow.
#conn L2TP-PSK-NAT
# rightsubnet=vhost:%priv
# also=L2TP-PSK-noNAT
#
#conn L2TP-PSK-noNAT
# connaddrfamily=ipv4
# authby=secret
# #shared secret. Use rsasig for certificates.
# pfs=no
# #Disable pfs
# auto=add
# #start at boot
# keyingtries=3
# #Only negotiate a conn. 3 times.
# ikelifetime=8h
# keylife=1h
# type=transport
# #because we use l2tp as tunnel protocol
# left=xxx.xxx.xxx.xxx
# #fill in server IP above
# leftprotoport=17/%any
# right=%any
# rightprotoport=17/%any
# Add the shared key authentication
vim /etc/ipsec.secrets
# Add below to the empty file, replace xxx.xxx.xxx.xxx with the server ip
# The PSK is stored in clear text: generate it randomly rather than choosing
# a word, and keep the file readable by root only (chmod 600).
#xxx.xxx.xxx.xxx %any: PSK "xxxxxxxxxxxxxxxxxxx"
# Start the openswan daemon
systemctl enable openswan
systemctl restart openswan
# Ensure the openswan daemon starts last
# NOTE(review): the path under multi-user.target.wants is normally a symlink
# to the packaged unit file, so this edit changes the package's copy and can
# be lost on 'pacman -Syu'; a drop-in via 'systemctl edit openswan' survives
# upgrades — confirm where the symlink points before editing.
vim /etc/systemd/system/multi-user.target.wants/openswan.service
# Make After=xxx into After=xl2tpd.service
# Check the config
ipsec verify
# If error from ICMP default/send_redirects then vpn.sh did not execute
# (vpn.sh here means /usr/local/bin/vpn-boot.sh created above)
# If errors are seen for Pluto Listening, use to check for listening
netstat -tulpan
# Also can use the command below while restarting the service
journalctl -f
# Configure xl2tpd
vim /etc/xl2tpd/xl2tpd.conf
# 'ip range' is the pool handed to clients and 'local ip' the server end of
# the PPP link; both are on 172.16.1.0/24 so they do not collide with the
# LAN examples (10.0.1.x / 192.168.1.x) used above. 'auth file' points at the
# CHAP credentials configured further down.
#[global]
#ipsec saref = no
#auth file = /etc/ppp/chap-secrets
#debug avp = no
#debug network = no
#debug packet = no
#debug state = no
#debug tunnel = no
#
#[lns default]
#ip range = 172.16.1.30-172.16.1.100
#local ip = 172.16.1.1
#refuse pap = yes
#require authentication = yes
#ppp debug = yes
#pppoptfile = /etc/ppp/options.l2tpd
#length bit = yes
# Create the directory for the pid
# NOTE(review): /var/run is normally a tmpfs on systemd systems, so this
# directory is gone after a reboot; a tmpfiles.d entry or RuntimeDirectory=
# on the unit would recreate it — confirm whether xl2tpd creates it itself.
mkdir -p /var/run/xl2tpd/
# Configure xl2tpd options, replace the variable server_name
vim /etc/ppp/options.l2tpd
# Notes on the options below:
# - ms-dns pushes Google's resolvers to every client; point these at a
#   resolver you trust (e.g. one on the LAN) if client DNS privacy matters.
# - refuse-pap / refuse-mschap reject the weaker authentication methods.
#   NOTE(review): both require-chap and require-mschap-v2 are set; confirm
#   from the pppd log which variant is actually negotiated — MS-CHAPv2 is the
#   stronger of the two.
# - require-mppe is left commented out, so PPP itself does not encrypt;
#   confidentiality rests entirely on the IPsec layer, which is why plain
#   L2TP on UDP 1701 must not be reachable from outside.
# - 'ppp debug = yes' plus logfile means the log can contain client usernames
#   and connection details; keep /var/log/l2tpd.log root-readable.
#login
#lcp-echo-interval 10
#lcp-echo-failure 2
#noipx
#
#logfd 2
#logfile /var/log/l2tpd.log
#
#ms-dns 8.8.8.8
#ms-dns 8.8.4.4
#
#refuse-pap
##refuse-chap
#refuse-mschap
#
#require-chap
##require-mppe
#require-mschap-v2
#
#name server_name
#
##defaultroute
#nodefaultroute
#proxyarp
# Note the server should match the /etc/ppp/options.l2tpd line 'name server_name'
# Passwords in this file are clear text: one line per user, '*' in the last
# column allows any client address; keep the file root-only (chmod 600).
vim /etc/ppp/chap-secrets
## Secrets for authentication using CHAP
## client server secret IP addresses
#username server_name password *
# Activate the service
systemctl enable xl2tpd
# Restart everything to be sure
systemctl restart openswan
systemctl restart xl2tpd
#===============================================================================
# Ready on boot Hack
#===============================================================================
# Openswan only seems to work if it has been restarted. This hack restarts it 5
# seconds after it is initially created
# NOTE(review): this looks like an ordering symptom (vpn.service is Type=simple,
# so openswan may start before the sysctl/iptables setup completes); if
# vpn.service is made Type=oneshot the restart may no longer be needed — confirm.
# Create a hack service to reboot openswan
vim /etc/systemd/system/openswanrestart.service
# Runs once per boot after openswan.service has been started.
#[Unit]
#Description=IPSec VPN Restart
#After=openswan.service
#
#[Service]
#ExecStart=/usr/local/bin/openswan-restart.sh
#
#[Install]
#WantedBy=multi-user.target
# Create the restart script
vim /usr/local/bin/openswan-restart.sh
# The 'bash -c' wrapper is redundant inside a bash script; the two commands
# could be written directly.
##!/bin/bash
#bash -c "sleep 5; systemctl restart openswan"
# Give the script the correct permissions
chmod +x /usr/local/bin/openswan-restart.sh
# Add the service to autostart and start the service
# 'sudo' is unnecessary here since the guide runs as root (see ssh root@ above);
# it is harmless either way.
sudo systemctl enable openswanrestart.service
sudo systemctl start openswanrestart.service
#===============================================================================
# VPN Performance
#===============================================================================
# Testing Methodology
# Tested with a gigabit router, 28Mbps external download and a powerful client
# accessing the VPN from inside the LAN. Used http://www.speedtest.net/?test-2
# to determine the VPN performance. Executed without VPN from inside network to
# verify external connection would be faster than through the VPN on a weak CPU.
# Results
# Throughput ~7.2Mbps