I thought I would share my experience of setting up a L2TP/IPsec virtual private network using SoftEther VPN on a Raspberry Pi...
I have recently started playing around with SoftEther VPN as an alternative to pptpd or openswan/xl2tpd/ppp for remote access.
Point-to-Point Tunnelling Protocol in combination with MS-CHAPv2 authentication has been declared effectively broken by Microsoft, which is a shame because pptpd is very easy to set up and pretty much any operating system you care to name supports it. If you're using PPTP for any kind of production VPN that hosts anything you consider sensitive I strongly suggest you stop and migrate to something better.
Openswan/xl2tpd/ppp works OK but I find it's a bit of a hassle to set up. So I started looking for alternatives and found SoftEther.
I use Windows as my primary operating system, and the server management tool provided will administer servers on any OS which is a handy feature. It provides a fairly decent GUI for configuring the various options.
We will be focusing on configuring it to operate as L2TP/IPsec as most OSs have a compatible client built in, although it supports all sorts of VPNs (it has its own Ethernet over HTTPS VPN which requires their client software; it also supports OpenVPN, MS-SSTP and other things).
At this point the following assumptions are being made:
- You have root access or access to sudo.
- You are generally familiar with networking (i.e you're familiar with NAT, DHCP, port forwarding, subnets, firewalls, iptables, routing tables etc.).
- You have a computer or virtual machine running Windows that can run the Server Manager (if not you can do everything from the command line, it's just easier to configure it with a GUI).
First of all we need to download the software. SoftEther VPN (Freeware) is selected by default. Then choose SoftEther VPN Server as the Component. Select Linux as the Platform. Select ARM EABI (32bit) as the CPU. You'll get a link to the latest version (at the time of writing: Ver 2.00, Build 9387, rtm)
From a terminal use wget to download the software:
tar zxvf softether-vpnserver-v2.00-9387-rtm-2013.09.16-linux-arm_eabi-32bit.tar.gz
It will ask if you want to read the license agreement, choose 1 for yes. Read it. Choose 1 for yes. Choose 1 for agree.
It should then compile and run some checks. At some point you should see a line like:
All checks passed. It is highly likely that SoftEther VPN Server / Bridge can operate normally on this system.
Re-locate the compiled binaries and update some permissions:
sudo mv vpnserver /usr/local
sudo chmod 600 *
sudo chmod 700 vpncmd vpnserver
Run a final check:
Choose 3. Type check and hit return. Everything should pass. Type exit and hit return.
The next step is to create a startup script so it will automatically start with the RasPi. Mine is here. Using the editor of your choice create /etc/init.d/vpnserver (you'll need root access/sudo to write there) and paste the script into it.
Update the file's permissions and run update-rc.d:
sudo chmod 755 /etc/init.d/vpnserver
sudo update-rc.d vpnserver defaults
Now it will start when your Pi starts. You can either reboot or start it manually:
sudo /etc/init.d/vpnserver start
You can verify it is running:
You should see vpnserver listed. Now we will set a password on the VPN server:
Choose 1. Hit return for default settings. Hit return for default settings. At the prompt:
Type a new password, hit return, type again, hit return. If you intend to make the server manageable from the internet make it a good password. We will change the port the server listens on in a moment. Type exit and hit return to close vpncmd.
Go back to the download page. Choose SoftEther VPN Server Manager for Windows and download the file.
Once installed, run it. Select New Setting
In the next screen, fill in the details:
If you're remotely accessing your Pi you'll need to make arrangements for TCP port 443 to be forwarded to it (and allow through your Pi's firewall. You *do* have a firewall configured, right?). If you need to find your public IP for the Host Name entry you can do this from the command line quite simply:
wget http://ipecho.net/plain -O - -q ; echo
Don't worry if your public ip changes regularly, we only need it temporarily. There's a free SoftEther DDNS service that you can make use of, and you'll be assigned a hostname shortly...
Click OK. Then double-click the entry in the list to connect. When connecting for the first time you'll get an easy setup screen. Check the Remote Access VPN Server tick box and click Next. Click Yes. Keep the suggested name VPN for simplicity.
On the next screen you are assigned a DDNS hostname. You can customise it if you wish. When done click Exit.
Next you'll get a screen for choosing server settings. Tick the box for L2TP over IPsec, leave the others unticked. Enter an IPsec Pre-Shared Key in the box. Make this something good (it is beyond the scope of this blog to tell you what constitutes a good password). If you put something in there longer than 9 characters it will warn you about possible incompatibility with Android VPN clients.
The next screen asks if you want to use their Azure Cloud VPN relay service.
The next screen has a list of tasks to complete the setup. I won't go into the detail of creating users, click the button, it's fairly self-explanatory.
For step 3 you need to select the ethernet adapter on the Pi, if you are just using the built-in interface select eth0, otherwise use ifconfig to find the appropriate interface to use. Click Close when done.
You'll now be taken back to the VPN server screen where you can find lots more settings. For a start under the Listeners section create a new listener on a random port somewhere high up where people are unlikely to be port scanning unless they're taking a serious interest, then Stop the other listeners apart from 443. Now click Exit, then edit the settings for the server and enter the new port number and reconnect (don't forget to forward the new port and configure the firewall first). Now you can Stop the listener on 443 as well.
Now there are a couple more things to configure.
Click OpenVPN / MS-SSTP Setting, untick the two boxes and click OK.
Click Encryption and Network.
Now we are almost ready to try connecting a client. First you will need to forward the following UDP ports to your Pi and configure your firewall appropriately: 500, 4500. You will also need to make sure you have configured your router to allow VPN traffic through. Look for VPN-passthru or something similar. If there is no passthrough option but you can forward protocols manually, then forward protocol 50.
If there is no passthrough and no way to forward protocols a last resort is to use the DMZ function to forward all unknown traffic to the Pi's IP but it's not a great way of doing things, obviously. (Just to spell it out, if you have not configured any sort of firewall on the Pi DO NOT USE THE DMZ METHOD).
To configure a Windows 7 client....
Go to Network and Sharing Center in Control Panel. Click on Set up a new connection or network. Choose Connect to a workplace. Click Next. If you already have VPN connections configured it will ask if you really want to create a new one, funnily enough you do. Click Next. Choose Use my Internet connection (VPN).
The internet address is the public IP or DDNS hostname. Tick the box Don't connect now; just set it up so I can connect later. Click Next. Enter the username and password that you set up earlier.
Append @VPN to the username. If you changed the default virtual hub name from VPN when setting it up earlier then append @<virtual hub name>.
Tick Remember this password. Click Next. Click Close.
Back in Network and Sharing Center choose Change adapter settings. Right-click the VPN connection you just made and choose Properties.
Click the Options tab, untick Prompt for name and password, certificate, etc. and Include Windows logon domain.
Click the Security tab, change the VPN type to L2TP/IPsec. Click Advanced settings and enter the IPsec Pre-Shared Key that you set earlier.
Configure any other settings you want like using the default gateway on the remote network etc. Click OK.
Double-click the connection and let it connect. Try and access a known host/device on the remote network.
Enjoy your VPN.