Thursday, 21 November 2013

Setting up a L2TP/IPsec VPN with SoftEther VPN on a Raspberry Pi

I thought I would share my experience of setting up a L2TP/IPsec virtual private network using SoftEther VPN on a Raspberry Pi...

I have recently started playing around with SoftEther VPN as an alternative to pptpd or openswan/xl2tpd/ppp for remote access.

Point-to-Point Tunnelling Protocol in combination with MS-CHAPv2 authentication is effectively broken: the MS-CHAPv2 exchange reduces to recovering a single 56-bit DES key, so anyone who captures the handshake can recover the user's password hash, and with it both impersonate the user and decrypt the session, in at most a day or so of brute force. Microsoft published an advisory in 2012 recommending against it. That is a shame, because pptpd is very easy to set up and pretty much any operating system you care to name supports it. If you're using PPTP for any kind of production VPN that carries anything you consider sensitive, I strongly suggest you stop and migrate to something better.

Openswan/xl2tpd/ppp works OK but I find it's a bit of a hassle to set up. So I started looking for alternatives and found SoftEther.

I use Windows as my primary operating system, and the server management tool provided will administer servers on any OS which is a handy feature. It provides a fairly decent GUI for configuring the various options.
We will be focusing on configuring it as an L2TP/IPsec server, as most OSs have a compatible client built in, although it supports all sorts of VPNs (it has its own Ethernet over HTTPS VPN which requires their client software; it also supports OpenVPN, MS-SSTP and other things).

At this point the following assumptions are being made:


First of all we need to download the software. SoftEther VPN (Freeware) is selected by default. Then choose SoftEther VPN Server as the Component. Select Linux as the Platform. Select ARM EABI (32bit) as the CPU. You'll get a link to the latest version (at the time of writing: Ver 2.00, Build 9387, rtm)

From a terminal use wget to download the software. Note that this is a plain HTTP download with nothing on the page to verify it against, so do it from a network you trust:


wget http://www.softether-download.com/files/softether/v2.00-9387-rtm-2013.09.16-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20ARM%20EABI/softether-vpnserver-v2.00-9387-rtm-2013.09.16-linux-arm_eabi-32bit.tar.gz

Decompress it:


tar zxvf softether-vpnserver-v2.00-9387-rtm-2013.09.16-linux-arm_eabi-32bit.tar.gz

Compile it:

cd vpnserver
sudo make

It will ask if you want to read the license agreement, choose 1 for yes. Read it. Choose 1 for yes. Choose 1 for agree.
It should then compile and run some checks. At some point you should see a line like:

All checks passed. It is highly likely that SoftEther VPN Server / Bridge can operate normally on this system.

Relocate the compiled binaries and tighten the permissions so only root can read the configuration (which will shortly contain the IPsec pre-shared key and user password hashes) or run the tools:

cd ..
sudo mv vpnserver /usr/local
cd /usr/local/vpnserver
sudo chmod 600 *
sudo chmod 700 vpncmd vpnserver

Run a final check:

sudo ./vpncmd

Choose 3. Type check and hit return. Everything should pass. Type exit and hit return.

The next step is to create a startup script so it will automatically start with the RasPi. Mine is here. Using the editor of your choice create /etc/init.d/vpnserver (you'll need root access/sudo to write there) and paste the script into it.
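Here is an init script of the kind that goes in /etc/init.d/vpnserver, added as an example; it is not the script linked from the original post, nor SoftEther's own. It assumes the binaries live in /usr/local/vpnserver as above and uses /var/lock/vpnserver as its lock file, which is what the check further down looks for. The LSB header block at the top is what update-rc.d/insserv on Raspbian read to order the service at boot; without it insserv complains about missing LSB tags.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
#
# Example init script for SoftEther VPN Server (added here, not the post's
# original script). Assumes the binaries were moved to /usr/local/vpnserver.
# DAEMON and LOCK can be overridden from the environment for testing.

DAEMON=${DAEMON:-/usr/local/vpnserver/vpnserver}
LOCK=${LOCK:-/var/lock/vpnserver}

# Start the daemon and leave a lock file behind so "ls /var/lock" shows it.
vpn_start() {
    "$DAEMON" start && touch "$LOCK"
}

# Stop the daemon and clear the lock file.
vpn_stop() {
    "$DAEMON" stop
    rm -f "$LOCK"
}

# LSB status: 0 = running (lock present), 3 = not running.
vpn_status() {
    if [ -f "$LOCK" ]; then
        echo "vpnserver is running (lock file $LOCK present)"
        return 0
    fi
    echo "vpnserver is not running"
    return 3
}

# Dispatch on the action word; LSB says 2 for an invalid argument.
vpn_ctl() {
    case "$1" in
        start)   vpn_start ;;
        stop)    vpn_stop ;;
        restart) vpn_stop; sleep 3; vpn_start ;;
        status)  vpn_status ;;
        *)
            echo "Usage: $0 {start|stop|restart|status}" >&2
            return 2
            ;;
    esac
}

# Only dispatch when invoked as an init script with an action argument.
if [ $# -gt 0 ]; then
    vpn_ctl "$1"
    exit $?
fi
```

The lock file is only a marker; the `status` action reports on it, not on the process, so when in doubt check the process list as well.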

Update the file's permissions and run update-rc.d:

sudo chmod 755 /etc/init.d/vpnserver
sudo update-rc.d vpnserver defaults

Now it will start when your Pi starts. You can either reboot or start it manually:

sudo /etc/init.d/vpnserver start

You can verify it is running:

ls /var/lock

You should see vpnserver listed. That only shows the lock file the init script created, though; to confirm the daemon itself is up, look for vpnserver in the process list (ps or pgrep). Now we will set a password on the VPN server:


sudo /usr/local/vpnserver/vpncmd

Choose 1 (Management of VPN Server or VPN Bridge). Hit return to accept localhost as the host to connect to, and hit return again to leave the hub name blank so that you get server administration mode rather than a single hub. At the prompt:


ServerPasswordSet

Type a new password, hit return, type again, hit return. This password guards full administrative control of the server (users, hubs, listeners, the IPsec pre-shared key), and the management interface is reached over the same TCP listener as the SoftEther SSL-VPN protocol, so make it long and unique whether or not you intend to manage the server from the internet. We will change the port the server listens on in a moment. Type exit and hit return to close vpncmd.

Go back to the download page. Choose SoftEther VPN Server Manager for Windows and download the file.

Once installed, run it. Select New Setting




In the next screen, fill in the details:



If you're remotely accessing your Pi you'll need to arrange for TCP port 443 to be forwarded to it and allowed through the Pi's own firewall (you *do* have a firewall configured, right?). If you need to find your public IP for the Host Name entry you can do this from the command line quite simply:

wget http://ipecho.net/plain -O - -q ; echo

Don't worry if your public ip changes regularly, we only need it temporarily. There's a free SoftEther DDNS service that you can make use of, and you'll be assigned a hostname shortly...

Click OK. Then double-click the entry in the list to connect. When connecting for the first time you'll get an easy setup screen. Check the Remote Access VPN Server tick box and click Next. Click Yes. Keep the suggested name VPN for simplicity.



On the next screen you are assigned a DDNS hostname. You can customise it if you wish. When done click Exit.



Next you'll get a screen for choosing server settings. Tick the box for L2TP over IPsec and leave the others unticked. Enter an IPsec Pre-Shared Key in the box and make it a good one: it is a single secret shared by every client that connects, so treat it as a group password rather than anything per-user (per-user authentication happens inside the tunnel with the username and password you create in a moment). If you put something in there longer than 9 characters it will warn you about possible incompatibility with Android VPN clients.


The next screen asks if you want to use their VPN Azure cloud relay service. I don't much care for the idea: it relays your VPN sessions (the SoftEther protocol and MS-SSTP) through a third party's servers, which adds latency and a dependency on someone else's infrastructure, and it does nothing for the L2TP/IPsec setup we are configuring here, so don't enable it.


The next screen has a list of tasks to complete the setup. I won't go into the detail of creating users; click the button, it's fairly self-explanatory.
For step 3 you need to select the ethernet adapter on the Pi that the virtual hub will be bridged to. If you are just using the built-in interface select eth0, otherwise use ifconfig to find the appropriate interface. The local bridge puts that interface into promiscuous mode and joins VPN clients to your LAN at layer 2, so they pick up addresses from your home router's DHCP like any other machine. One known limitation: with the bridge on the Pi's only interface, VPN clients can generally reach everything on the LAN except the Pi itself. Click Close when done.



You'll now be taken back to the VPN server screen where you can find lots more settings. For a start, under the Listeners section create a new listener on a high, non-default port, then Stop the other listeners apart from 443. Moving off 443 cuts down the log noise from mass scanners, but it is not a security control in itself: a scan of the full port range finds it in seconds, so the management password, firewall rate limiting and logging still matter. Now click Exit, then edit the settings for the server, enter the new port number and reconnect (don't forget to forward the new port and configure the firewall first). Now you can Stop the listener on 443 as well.



Now there are a couple more things to configure.
Click OpenVPN / MS-SSTP Setting, untick the two boxes and click OK.
Click Encryption and Network. The encryption algorithm here is the TLS cipher used by SoftEther's own SSL-VPN protocol and by the management connection; it does not affect the L2TP/IPsec tunnel, whose ciphers are negotiated by IKE with each client. Change it to DES-CBC3-SHA, or pick another if you prefer: AES128-SHA is the better choice where your clients support it, since 3DES is slow on the Pi's ARM core and has only a 64-bit block. Click VPN over ICMP / DNS Settings, untick the two boxes and click OK. Click OK.
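If you'd rather not drive the setup through the Windows manager, the same server-side steps can be scripted with vpncmd on the Pi. The following is an added example, not the post's or SoftEther's own script. It is meant to be run against a fresh server in place of the easy-setup wizard, and the command names and switches are the ones in the vpncmd reference (confirm against vpncmd /SERVER /CMD Help on your build). The hub name VPN, listener port 49152, bridge device eth0, the cipher AES128-SHA and the user name you pass in are all assumptions. The batch deliberately leaves listener 443 alone because it is delivered over that port; once you can reach the new port, remove 443 with a single command over it.

```shell
#!/bin/sh
# Added example (not the post's or SoftEther's script): the server-side
# setup done through the Windows manager, expressed as a vpncmd batch so it
# can be repeated without a GUI. Assumed values are hypothetical; override
# them from the environment. Requires PSK, VPN_USER and VPN_USER_PW.

VPNCMD=${VPNCMD:-/usr/local/vpnserver/vpncmd}
HUB=${HUB:-VPN}
NEW_PORT=${NEW_PORT:-49152}
BRIDGE_DEV=${BRIDGE_DEV:-eth0}
CIPHER=${CIPHER:-AES128-SHA}   # TLS cipher for the SoftEther protocol, not for IPsec

# The manager warns about IPsec PSKs longer than 9 characters because of
# Android clients; return non-zero so a caller can refuse such a key.
psk_android_ok() {
    [ "${#1}" -le 9 ]
}

# Emit the batch, one vpncmd command per line. Arguments:
#   hub psk user user_password listener_port bridge_device cipher
build_batch() {
    cat <<EOF
HubCreate $1
Hub $1
UserCreate $3 /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $3 /PASSWORD:$4
BridgeCreate $1 /DEVICE:$6 /TAP:no
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$2 /DEFAULTHUB:$1
SstpEnable no
OpenVpnEnable no
VpnOverIcmpDnsEnable /ICMP:no /DNS:no
VpnAzureSetEnable no
ServerCipherSet $7
ListenerCreate $5
ListenerDelete 992
ListenerDelete 1194
ListenerDelete 5555
EOF
}

# Write the batch to a private temp file and feed it to vpncmd over the 443
# listener. vpncmd prompts for the admin password unless ADMIN_PW is set;
# passing it as /PASSWORD: shows it to anyone who can run ps.
apply() {
    : "${PSK:?PSK not set}" "${VPN_USER:?VPN_USER not set}" "${VPN_USER_PW:?VPN_USER_PW not set}"
    if ! psk_android_ok "$PSK"; then
        echo "warning: PSK longer than 9 characters may not work with Android clients" >&2
    fi
    umask 077
    batch=$(mktemp) || return 1
    build_batch "$HUB" "$PSK" "$VPN_USER" "$VPN_USER_PW" "$NEW_PORT" "$BRIDGE_DEV" "$CIPHER" > "$batch"
    if [ -n "${ADMIN_PW:-}" ]; then
        "$VPNCMD" localhost:443 /SERVER /PASSWORD:"$ADMIN_PW" /IN:"$batch"
    else
        "$VPNCMD" localhost:443 /SERVER /IN:"$batch"
    fi
    rc=$?
    rm -f "$batch"
    return $rc
}

case "${1:-}" in
    print) build_batch "$HUB" "${PSK:?}" "${VPN_USER:?}" "${VPN_USER_PW:?}" "$NEW_PORT" "$BRIDGE_DEV" "$CIPHER" ;;
    apply) apply ;;
    "")    ;;   # no action: only define the functions (e.g. when sourced)
    *)     echo "usage: PSK=... VPN_USER=... VPN_USER_PW=... $0 print|apply" >&2; exit 2 ;;
esac
```

Run it as PSK=... VPN_USER=... VPN_USER_PW=... ./vpnsetup.sh print to review the batch, then with apply to execute it. When you can connect on the new port, finish with /usr/local/vpnserver/vpncmd localhost:49152 /SERVER /CMD ListenerDelete 443. The batch file briefly holds the PSK and user password in clear, which is why it is created under umask 077 and removed afterwards.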


Now we are almost ready to try connecting a client. First you will need to forward UDP ports 500 (IKE) and 4500 (IPsec NAT traversal) to your Pi and configure your firewall appropriately. Because the Pi sits behind your router's NAT, clients detect that during IKE and switch to NAT-T, which carries the ESP packets inside UDP 4500; raw ESP (IP protocol 50, which has no port numbers and so cannot be port-forwarded in the normal way) is only used when NAT-T is not negotiated. To cover that case look for a VPN passthrough or IPsec passthrough option on your router, or if it can forward protocols manually, forward protocol 50.
If there is no passthrough and no way to forward protocols a last resort is to use the DMZ function to send all unsolicited inbound traffic to the Pi's IP. That exposes every service on the Pi, not just the VPN, so it's not a great way of doing things. (Just to spell it out: if you have not configured a firewall on the Pi, DO NOT USE THE DMZ METHOD.)
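Here is the kind of host firewall I would put on the Pi itself, as an added example that is not from the original post. It admits only what this setup needs (IKE on UDP 500, NAT-T on UDP 4500, raw ESP for the no-NAT-T case, the management listener, and SSH from the LAN only), rate-limits new IKE handshakes and management connections per source address, and logs what it drops, which are the filtering, rate-limiting and logging measures the comment thread below comes back to. The interface eth0, LAN 192.168.1.0/24 and management port 49152 are assumptions; change them to match your network. It generates an iptables-restore ruleset so you can read it before applying it.

```shell
#!/bin/sh
# Added example, not from the original post: a host firewall for the Pi,
# emitted as an iptables-restore ruleset so it can be reviewed before it is
# applied. Only the traffic this setup needs is admitted; new IKE handshakes
# and management connections are rate-limited per source; everything else is
# logged (rate-limited, so an attacker cannot fill the SD card) and dropped.
# Assumed values (hypothetical, change to suit): eth0, LAN 192.168.1.0/24,
# SoftEther management listener moved to TCP 49152, SSH from the LAN only.

IFACE=${IFACE:-eth0}
LAN=${LAN:-192.168.1.0/24}
MGMT_PORT=${MGMT_PORT:-49152}
IKE_RATE=${IKE_RATE:-10/minute}    # new IKE packets per source beyond a burst of 20

# Print the complete ruleset in iptables-restore format.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, replies to our own traffic, and nothing conntrack cannot place
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH from the LAN only; it is never exposed through the router
-A INPUT -i $IFACE -s $LAN -p tcp --dport 22 -j ACCEPT
# IKE (UDP 500): per-source rate limit on new handshakes, then accept
-A INPUT -i $IFACE -p udp --dport 500 -m hashlimit --hashlimit-name ike --hashlimit-mode srcip --hashlimit-above $IKE_RATE --hashlimit-burst 20 -j LOGDROP
-A INPUT -i $IFACE -p udp --dport 500 -j ACCEPT
# IPsec NAT-T (UDP 4500): carries both IKE and ESP once NAT is detected
-A INPUT -i $IFACE -p udp --dport 4500 -j ACCEPT
# raw ESP (IP protocol 50), only used when NAT-T is not negotiated
-A INPUT -i $IFACE -p esp -j ACCEPT
# SoftEther management / SSL-VPN listener: SYN rate limit per source, then accept
-A INPUT -i $IFACE -p tcp --dport $MGMT_PORT --syn -m hashlimit --hashlimit-name mgmt --hashlimit-mode srcip --hashlimit-above 6/minute --hashlimit-burst 10 -j LOGDROP
-A INPUT -i $IFACE -p tcp --dport $MGMT_PORT -j ACCEPT
# anything else
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 20 -j LOG --log-prefix "vpn-fw-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of generated rules matching a pattern; handy for checking the
# ruleset before it goes live.
rule_count() {
    build_rules | grep -c -- "$1"
}

case "${1:-}" in
    apply) build_rules | iptables-restore ;;   # needs root
    "")    build_rules ;;                       # print the ruleset for review
    *)     echo "usage: $0 [apply]" >&2; exit 2 ;;
esac
```

Apply it from the console or over the LAN rather than over the VPN, since the ruleset replaces whatever is loaded, and persist it with iptables-persistent (or by running the script from /etc/rc.local) so it survives a reboot. The dropped-packet log lines land in the kernel log with the vpn-fw-drop prefix; ulogd is the better sink if you want them in a database or pcap, as the author notes in the comments.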

To configure a Windows 7 client....

Go to Network and Sharing Center in Control Panel. Click on Set up a new connection or network. Choose Connect to a workplace. Click Next. If you already have VPN connections configured it will ask if you really want to create a new one, funnily enough you do. Click Next. Choose Use my Internet connection (VPN).

The internet address is the public IP or DDNS hostname. Tick the box Don't connect now; just set it up so I can connect later. Click Next. Enter the username and password that you set up earlier.
Append @VPN to the username. If you changed the default virtual hub name from VPN when setting it up earlier then append @<virtual hub name>.
Tick Remember this password. Click Next. Click Close.

Back in Network and Sharing Center choose Change adapter settings. Right-click the VPN connection you just made and choose Properties.
Click the Options tab, untick Prompt for name and password, certificate, etc. and Include Windows logon domain.
Click the Security tab, change the VPN type to L2TP/IPsec. Click Advanced settings and enter the IPsec Pre-Shared Key that you set earlier. One thing the GUI won't tell you: because the Pi is behind your router's NAT, Windows 7 refuses to negotiate NAT-T to it by default. Set the DWORD value AssumeUDPEncapsulationContextOnSendRule to 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent (Microsoft KB926179) and restart before you try to connect, otherwise the connection never gets past IKE.

Configure any other settings you want like using the default gateway on the remote network etc. Click OK.

Double-click the connection and let it connect. Try and access a known host/device on the remote network.

Enjoy your VPN.

30 comments:

  1. Great post, and in English! (It's quite hard to translate Japanese.)
    I use SoftEther on Windows but I really think I'll buy a Raspberry and try your tutorial!
    Are you satisfied with your VPN server? Is it reliable?
    Thanks,
    Sylvain E.

  2. Thanks. Yes it seems to work very well, have not had any stability issues. I don't transfer vast amounts of data over it or anything, it's mostly just logging in occasionally to use printers etc. from remote locations. I haven't tried using the VPN over DNS or VPN over ICMP features yet either, as I have not found myself on such a restricted network that I need to try that.

  3. Hi there! So I must say: "Great tutorial, awesome explanation"
    I've been running OpenVPN on many of my servers, and it just works LOL, but I've sent a Raspberry Pi to my home town to create a VPN to remove my geo-restriction problem to watch IPTV from my home country. I installed OpenVPN but it's damn slow, giving the video low quality and a lot of buffering. So I went and gave this a chance, and also reduced the recommended encryption to see if it would help with the speed, but it didn't!
    So long story short, did you test the Raspberry Pi with OpenVPN and SoftEther VPN? Did you actually see an increase in speed?

    I'd really like to get your comment on this "speed" thing.....

    Thank you,

    Jose Pontes

  4. Sorry, I haven't tried OpenVPN on my RasPi so I can't comment on the relative speeds.

    The limiting factor in your case might be the available upstream bandwidth of the connection that your RasPi is sat on, as all of the data for video streaming is coming via that connection.

    To test the speed of the connection from the command line of the RasPi you can try the following:

    wget https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
    python speedtest_cli.py

    I don't know what streaming service you are attempting to use, but for example Netflix recommend that if you want to watch HD videos you require 5Mbps available bandwidth.
    So in that case the RasPi would need 5Mbps downstream available to fetch the video from Netflix, and would simultaneously require 5Mbps (+ extra for VPN overhead) upstream available to send the video data on to you.
    Certainly on my connection I would not be able to do that. I have 60Mbps downstream, but my upstream is capped at 3Mbps.

    The style of connection (e.g. ADSL, Cable) will have an effect. I am on cable and an upstream cap of 3Mbps is fairly typical in the UK. For ADSL the cap is more likely to be 0.25Mbps - 0.5Mbps in the UK, unless you specifically go looking (and pay more money) for a provider offering greater upstream bandwidth.

    With ADSL especially there is also the issue of contention ratios. There is a finite amount of bandwidth available at any one time from the equipment in the telephone exchange, and you are likely to be sharing bandwidth with 19, or maybe 49, other users (i.e. 20:1 and 50:1 contention ratios).
    The bottom line is that upstream bandwidth costs your ISP money, which is why it is always limited.

  5. Great explanation. Congrats.
    I've been trying to install SoftEther Client in Linux to access restricted contents. No way. Did you try that?

  6. A pity that the Raspberry is so slow. On an old Windows machine I get 7 Mb speed with SoftEther, while on the Raspberry it slows down to 700 k.

  7. I have been setting up a VPN using SoftEther on my Pi and came across some problems with authenticating using L2TP/IPsec. When doing some research I came across your walkthrough guide. I have set port forwarding on my router so ports 50, 500 and 4500 are routed to the Pi but still can't authenticate.

    If I use the Windows client and tell it the DDNS address, user credentials and my listening port it connects fine. As soon as I try authenticating with Android or Windows by adding a VPN network using L2TP/IPsec I am unable to connect.

    I have also attempted to use the DMZ options on my router but still have no connectivity.

    Does anyone have any ideas please?

    Replies
    1. It is *protocol* 50 that needs to be forwarded, which will be satisfied if you have a VPN pass-thru option somewhere in your router settings.

      Are you using an IPsec pre-shared key longer than 9 characters? SoftEther gives a warning about long IPsec PSKs as there is a known issue with Android clients.

    2. Thanks for the reply Tom. After logging into the router I could see the attempts to connect via IPsec. Turned out the firmware needed to be updated.
      Thanks

  8. Tom, your guide helped me a lot in the initial set up of my servers, but I really hate having everything manual, especially the configuration of the server via the Windows utility. I spent a few hours putting together these guides + scripts on my github to easily install all the packages, install softether, configure the firewall and network interfaces, and update the firmware. I have used it to create raspberry pi VPNs successfully in about 45 minutes, most of which is waiting for Raspbian to install via the net, and for the packages I require to install via apt. I hope it helps those who find it here or elsewhere. Leave me comments if you have issues with it, I can see if I can help.

    https://gist.github.com/jhenkens/11190151

  9. I can't ping the RasPi machine, but can ping the gateway/router. What's wrong?

    Replies
    1. I followed this http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/ (by using TAP).
      Now I can ping the SoftEther/RasPi server and the other machines too... problem SOLVED.

  10. Very nice how-to, but I have one question that maybe you can help with.
    How can I be protected from a brute force attack on the "ServerPasswordSet"?
    What I mean is that even if I have certificates and all the security options on any of the various VPN modes,
    somebody can brute force "ServerPasswordSet", in other words the password for the remote management,
    and after he breaks it add himself to the server, enable users, etc...
    Is there a way to turn off remote management of the SoftEther VPN server??


    Replies
    1. Delete all of the listeners if you're paranoid.
      If I were you, I'd simply set up a firewall/iptables on the SoftEther server.

    2. I understand what you're saying, but the problem is that port 443 is used for both
      a) the remote management and
      b) the SoftEther VPN protocol
      (I do not want to use PPTP, IPsec or OpenVPN).
      How can I move a) to another port?
      Because if I just close the listener for 443 then I am also closing the SoftEther VPN protocol.

    3. To properly secure an internet-facing service is not simple, and generally requires a combination of measures.

      The measures I tend to employ on my remote access setups are:
      Strong management passwords, changed at regular intervals.
      IP-based filtering of incoming client connections.
      Rate-limiting of incoming client connections.
      Logging of successful and unsuccessful connection attempts.

      If you are not already using one, consider using a password manager so that you don't have to think about remembering management passwords. A lot of the password managers have mobile apps, integration with cloud storage services etc. so you can always have your passwords with you.

      There are lots of tutorials on ip filtering and rate limiting using iptables. Used together they can be very effective in reducing the amount of unwanted traffic reaching the vpn server.

      My preferred method of logging connection attempts is ulogd (version 2.x), as it offers more flexibility in terms of output (e.g. can carry out further processing of headers, can log to SQL/MySQL/PostgreSQL databases, or pcap files for later analysis with Wireshark etc.) than the simple "-j LOG" option in iptables.

  11. Hi
    Thanks a lot for your guide. I managed to establish a connection to my RasPi VPN server from a Windows client. I can ping the gateway address and other servers on the VPN's network. However, I cannot ping the IP of the VPN server. I followed the link suggested above by mat JaDoel (http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/ by using TAP); I used address 192.168.7.1 as the TAP address, but cannot ping 192.168.7.1. I have only one NIC on my VPN server.
    What are your thoughts about this ?
    Thanks
    Pat

  12. Not sure if you are still reading the comments here, but might as well ask. When I attempt to run 'sudo update-rc.d vpnserver defaults' I am informed that 'insserv: script vpnserver is not an executable regular file, skipped!'. How should I attempt to go about fixing this?

    Replies
    1. It is complaining that the vpnserver file is not executable. Check that you have run the preceding command:

      sudo chmod 755 /etc/init.d/vpnserver

      You can check the file has the proper permissions by using ls -l:

      ls -l /etc/init.d/vpnserver

      You should see something like this, the important bit is the "-rwxr-xr-x":

      -rwxr-xr-x 1 root root 346 May 13 2014 vpnserver

  13. My normal connection is around 60mbps, with an up to 100mbps connection. I am right next to the Pi on my computer. When I attempt to use the VPN, the download speed is reduced about tenfold, whilst the upload speed of approx. 6mbps is unaffected. How do I increase the download speed? Speedtesting on the Pi gives a speed of 40mbps download and 6mbps upload, with latency at 30ms (my normal latency is 10ms on the desktop computer, and when I use the VPN the latency remains 10ms (strangely)).

    Another question: with my iPhone, I attempted to connect using two methods: IPsec and OpenVPN. With IPsec I am unable to connect at all, despite having entered all the required details. I am informed that I am unable to connect with my server. With OpenVPN I manage to connect for a short time but then the connection times out. I have the same problem on an Android device. I use SoftEther's OpenVPN file export function to get the configurations onto both. How should I go about fixing this?

  14. This was a great how to. I had no issues getting this to work. I just had to make a few changes to get it working in my network environment. Thank you for the help and I'll drink a beer in your name.

    Best regards :-)

  15. Hello Tom, great tutorial, well explained. I just wanted to ask: what if you are using a 3G dongle? A 3G dongle directly creates a global IP and there is no router firewall. Will it work or not??

    Replies
    1. Hi Anand,

      It is generally not possible to use a setup like this if you're on a "consumer" 3G/4G connection. There will most likely be a combination of NAT and PAT in use by the network provider, and you generally won't have any options available to you for port forwarding. There is such a thing as NAT hole-punching but I wouldn't like to say whether or not it would be a workable solution. Also on consumer 3G/4G connections hosting of any kind is typically against the Terms of Service and may result in you getting your access suspended.

      In the UK it is possible to get 3G/4G connections that allow port forwarding. Typically these are available through business resellers, and they are expensive. They are, however, the closest thing you can get to a real internet connection on 3G/4G. One thing I have learnt using this style of connection for hosting remote-access VPNs is that you need to be mindful of the MTUs in the various networks your data is passing through, as otherwise you can end up with a lot of fragmentation and very poor throughput. There are plenty of articles that describe the process of testing in order to find an MTU value that will give you the best performance.

      If getting a business-grade 3G/4G connection is not an option then there is another option available in SoftEther. You can use it to provide an MS-SSTP VPN and use the Azure VPN relay service. There are MS-SSTP clients available for linux but I have never tried to use one, clients are included in all recent versions of Microsoft Windows. It's pretty much a case of selecting the relevant tick boxes in the configuration. You will be assigned a hostname that you can use to connect to the VPN. The way it works is very similar to TeamViewer etc. and has the advantage that it can circumvent firewalls and address translation schemes as both parties make an outgoing connection (probably on port 80, I've never looked that closely) to the relay server in order to initiate a VPN connection.

      Hope this helps.

  16. Hello Yoseph, I know this is way too late, but I'm running SoftEther and connecting on the OpenVPN protocol. It's all running on a Raspberry Pi 2; using 1 core I get 25/25 Mbit throughput.
    It's quite simple to set up.

  17. Can anyone explain exactly how to allow a client to be able to access the VPN server directly? I want to be able to connect via VPN and then SSH onto the VPN server.

    It simply doesn't work and I can't work it out.

    The solution that "mat JaDoel" suggested (http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/ (by using TAP)) doesn't work.

    Help!!

  18. Hi Tom - I use Softether on a Linux server behind an LTE router at a remote house (where the LTE router is the only Internet connection) and it's been working fine for remote access to the house. I'm new to RPi and wanted to replace bigger Linux Server with small efficient RPi so it can run on battery backup a while. This was a great tutorial to get it up and running quickly - thanks for saving me a bunch of time!

    Cheers!

  19. Great! Many thanks Tom! Really really useful!!!
