Tantas · December 14, 2019 01:38
diff --git a/l2tp_ipsec_setup_arch_linux_raspberry_pi.sh b/l2tp_ipsec_setup_arch_linux_raspberry_pi.sh
 #!/bin/bash

 # Guide to install L2TP-IPSEC VPN Server on a Raspberry Pi with ArchLinux

 # Used parts of several instructions,
 # http://nls.io/setup-an-ipsec-l2tp-vpn-with-text-or-ldap-auth-on-arch-linux/
 # https://smileykeith.com/2014/01/27/ipsec-l2tp-vpn-on-a-raspberry-pi-running-arch-linux/
 # http://linux.tips/tutorials/how-to-setup-l2tp-vpn-server-on-raspberry-pi

 # Tested and works with OSX and iOS 7.1 supplied vpn client

 #===============================================================================
 # Router Configuration
 #===============================================================================

 # Create a DHCP Reservation or static ip for the server
 # Can get the MAC address of the device with
 cat /sys/class/net/eth0/address

 # Port forward ports 500,4500,1701 to the server

 # Setup a DDNS service if public ip can change

 #===============================================================================
 # Install IPSEC-L2TP VPN on Arch Linux for the Raspberry Pi
 #===============================================================================

 # SSH into the machine with root/root and update the password
 ssh root@ip-address
 passwd

 # Apply updates
 pacman -Syu

 # Download the requirements for L2TP-IPSEC server
 pacman -S openswan xl2tpd ppp lsof python2

 touch /usr/local/bin/vpn-boot.sh
 chmod +x /usr/local/bin/vpn-boot.sh
 vim /usr/local/bin/vpn-boot.sh
 # And paste the content below
 ##!/usr/bin/env bash
 #
 #echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.conf
 #echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf
 #
 #for vpn in /proc/sys/net/ipv4/conf/*; do
 #    echo 0 > $vpn/accept_redirects;
 #    echo 0 > $vpn/send_redirects;
 #done
 #
 #iptables --table nat --append POSTROUTING --jump MASQUERADE
 #
 #sysctl -p

 # Aside:
 # Ensure possible to access devices on LAN
 # cat /proc/sys/net/ipv4/ip_forward

 # Create the service
 vim /etc/systemd/system/vpn.service
 # And paster the content below
 #[Unit]
 #Description=IPSec VPN
 #After=netctl@eth0.service
 #Before=openswan.service xl2tpd.service
 #
 #[Service]
 #ExecStart=/usr/local/bin/vpn-boot.sh
 #
 #[Install]
 #WantedBy=multi-user.target

 # Activate the service
 systemctl enable vpn.service

 # Configure the IPSec daemon, Openswan
 vim /etc/ipsec.conf
 # Replace protostack=auto with protostack=netkey
 # At the end of the file add and replace xxx.xxx.xxx.xxx with server ip on the
 # LAN, ex 10.0.1.x or 192.168.1.x
 #conn L2TP-PSK-NAT
 #        rightsubnet=vhost:%priv
 #        also=L2TP-PSK-noNAT
 #
 #conn L2TP-PSK-noNAT
 #        connaddrfamily=ipv4
 #        authby=secret
 #        #shared secret. Use rsasig for certificates.
 #        pfs=no
 #        #Disable pfs
 #        auto=add
 #        #start at boot
 #        keyingtries=3
 #        #Only negotiate a conn. 3 times.
 #        ikelifetime=8h
 #        keylife=1h
 #        type=transport
 #        #because we use l2tp as tunnel protocol
 #        left=xxx.xxx.xxx.xxx
 #        #fill in server IP above
 #        leftprotoport=17/%any
 #        right=%any
 #        rightprotoport=17/%any

 # Add the shared key authentication
 vim /etc/ipsec.secrets
 # Add below to the empty file, replace xxx.xxx.xxx.xxx witht he server ip
 #xxx.xxx.xxx.xxx  %any:   PSK "xxxxxxxxxxxxxxxxxxx"

 # Start the openswan daemon
 systemctl enable openswan
 systemctl restart openswan

 # Ensure the openswan daemon starts last
 vim /etc/systemd/system/multi-user.target.wants/openswan.service
 # Make After=xxx into After=xl2tpd.service

 # Check the config
 ipsec verify

 # If error from ICMP default/send_redirects then vpn.sh did not execute

 # If errors are seen for Pluto Listening, use to check for listening
 netstat -tulpan

 # Also can use the command below while restarting the service
 journalctl -f

 # Configure xl2tpd
 vim /etc/xl2tpd/xl2tpd.conf
 #[global]
 #ipsec saref = no
 #auth file = /etc/ppp/chap-secrets
 #debug avp = no
 #debug network = no
 #debug packet = no
 #debug state = no
 #debug tunnel = no
 #
 #[lns default]
 #ip range = 172.16.1.30-172.16.1.100
 #local ip = 172.16.1.1
 #refuse pap = yes
 #require authentication = yes
 #ppp debug = yes
 #pppoptfile = /etc/ppp/options.l2tpd
 #length bit = yes

 # Create the directory for the pid
 mkdir -p /var/run/xl2tpd/

 # Configure xl2tpd options, replace the variable server_name
 vim /etc/ppp/options.l2tpd
 #login
 #lcp-echo-interval 10
 #lcp-echo-failure 2
 #noipx
 #
 #logfd 2
 #logfile /var/log/l2tpd.log
 #
 #ms-dns 8.8.8.8
 #ms-dns 8.8.4.4
 #
 #refuse-pap
 ##refuse-chap
 #refuse-mschap
 #
 #require-chap
 ##require-mppe
 #require-mschap-v2
 #
 #name server_name
 #
 ##defaultroute
 #nodefaultroute
 #proxyarp

 # Note the server should match the /etc/ppp/options.l2tpd line 'name server_name'
 vim /etc/ppp/chap-secrets
 ## Secrets for authentication using CHAP
 ## client server secret IP addresses
 #username   server_name   password       *

 # Activate the service
 systemctl enable xl2tpd

 # Restart everything to be sure
 systemctl restart openswan
 systemctl restart xl2tpd

 #===============================================================================
 # Ready on boot Hack
 #===============================================================================

 # Openswan only seems to work if it has been restarted. This hack restarts it 5
 # seconds after it is initially created

 # Create a hack service to reboot openswan
 vim /etc/systemd/system/openswanrestart.service
 #[Unit]
 #Description=IPSec VPN Restart
 #After=openswan.service
 #
 #[Service]
 #ExecStart=/usr/local/bin/openswan-restart.sh
 #
 #[Install]
 #WantedBy=multi-user.target

 # Create the restart script
 vim /usr/local/bin/openswan-restart.sh
 ##!/bin/bash
 #bash -c "sleep 5; systemctl restart openswan"

 # Give the script the correct permissions
 chmod +x /usr/local/bin/openswan-restart.sh

 # Add the service to autostart and start the service
 sudo systemctl enable openswanrestart.service
 sudo systemctl start openswanrestart.service

 #===============================================================================
 # VPN Performance
 #===============================================================================

 # Testing Methodology
 # Tested with a gigabit router, 28Mbps external download and a powerful client
 # accessing the VPN from inside the LAN. Used http://www.speedtest.net/?test-2
 # to determine the VPN performance.  Executed without VPN from inside network to
 # verify external connection would be faster than through the VPN on a weak CPU.

 # Results
 # Throughput ~7.2Mbps
	#!/bin/bash

	# Guide to install L2TP-IPSEC VPN Server on a Raspberry Pi with ArchLinux

	# Used parts of several instructions,
	# http://nls.io/setup-an-ipsec-l2tp-vpn-with-text-or-ldap-auth-on-arch-linux/
	# https://smileykeith.com/2014/01/27/ipsec-l2tp-vpn-on-a-raspberry-pi-running-arch-linux/
	# http://linux.tips/tutorials/how-to-setup-l2tp-vpn-server-on-raspberry-pi

	# Tested and works with OSX and iOS 7.1 supplied vpn client

	#===============================================================================
	# Router Configuration
	#===============================================================================

	# Create a DHCP Reservation or static ip for the server
	# Can get the MAC address of the device with
	cat /sys/class/net/eth0/address

	# Port forward ports 500,4500,1701 to the server

	# Setup a DDNS service if public ip can change

	#===============================================================================
	# Install IPSEC-L2TP VPN on Arch Linux for the Raspberry Pi
	#===============================================================================

	# SSH into the machine with root/root and update the password
	ssh root@ip-address
	passwd

	# Apply updates
	pacman -Syu

	# Download the requirements for L2TP-IPSEC server
	pacman -S openswan xl2tpd ppp lsof python2

	touch /usr/local/bin/vpn-boot.sh
	chmod +x /usr/local/bin/vpn-boot.sh
	vim /usr/local/bin/vpn-boot.sh
	# And paste the content below
	##!/usr/bin/env bash
	#
	#echo "net.ipv4.ip_forward = 1" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.conf.all.accept_redirects = 0" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.conf.all.send_redirects = 0" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.conf.default.rp_filter = 0" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.conf.default.accept_source_route = 0" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.conf.default.send_redirects = 0" \| tee -a /etc/sysctl.conf
	#echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" \| tee -a /etc/sysctl.conf
	#
	#for vpn in /proc/sys/net/ipv4/conf/*; do
	# echo 0 > $vpn/accept_redirects;
	# echo 0 > $vpn/send_redirects;
	#done
	#
	#iptables --table nat --append POSTROUTING --jump MASQUERADE
	#
	#sysctl -p

	# Aside:
	# Ensure possible to access devices on LAN
	# cat /proc/sys/net/ipv4/ip_forward

	# Create the service
	vim /etc/systemd/system/vpn.service
	# And paster the content below
	#[Unit]
	#Description=IPSec VPN
	#After=netctl@eth0.service
	#Before=openswan.service xl2tpd.service
	#
	#[Service]
	#ExecStart=/usr/local/bin/vpn-boot.sh
	#
	#[Install]
	#WantedBy=multi-user.target

	# Activate the service
	systemctl enable vpn.service

	# Configure the IPSec daemon, Openswan
	vim /etc/ipsec.conf
	# Replace protostack=auto with protostack=netkey
	# At the end of the file add and replace xxx.xxx.xxx.xxx with server ip on the
	# LAN, ex 10.0.1.x or 192.168.1.x
	#conn L2TP-PSK-NAT
	# rightsubnet=vhost:%priv
	# also=L2TP-PSK-noNAT
	#
	#conn L2TP-PSK-noNAT
	# connaddrfamily=ipv4
	# authby=secret
	# #shared secret. Use rsasig for certificates.
	# pfs=no
	# #Disable pfs
	# auto=add
	# #start at boot
	# keyingtries=3
	# #Only negotiate a conn. 3 times.
	# ikelifetime=8h
	# keylife=1h
	# type=transport
	# #because we use l2tp as tunnel protocol
	# left=xxx.xxx.xxx.xxx
	# #fill in server IP above
	# leftprotoport=17/%any
	# right=%any
	# rightprotoport=17/%any

	# Add the shared key authentication
	vim /etc/ipsec.secrets
	# Add below to the empty file, replace xxx.xxx.xxx.xxx witht he server ip
	#xxx.xxx.xxx.xxx %any: PSK "xxxxxxxxxxxxxxxxxxx"

	# Start the openswan daemon
	systemctl enable openswan
	systemctl restart openswan

	# Ensure the openswan daemon starts last
	vim /etc/systemd/system/multi-user.target.wants/openswan.service
	# Make After=xxx into After=xl2tpd.service

	# Check the config
	ipsec verify

	# If error from ICMP default/send_redirects then vpn.sh did not execute

	# If errors are seen for Pluto Listening, use to check for listening
	netstat -tulpan

	# Also can use the command below while restarting the service
	journalctl -f

	# Configure xl2tpd
	vim /etc/xl2tpd/xl2tpd.conf
	#[global]
	#ipsec saref = no
	#auth file = /etc/ppp/chap-secrets
	#debug avp = no
	#debug network = no
	#debug packet = no
	#debug state = no
	#debug tunnel = no
	#
	#[lns default]
	#ip range = 172.16.1.30-172.16.1.100
	#local ip = 172.16.1.1
	#refuse pap = yes
	#require authentication = yes
	#ppp debug = yes
	#pppoptfile = /etc/ppp/options.l2tpd
	#length bit = yes

	# Create the directory for the pid
	mkdir -p /var/run/xl2tpd/

	# Configure xl2tpd options, replace the variable server_name
	vim /etc/ppp/options.l2tpd
	#login
	#lcp-echo-interval 10
	#lcp-echo-failure 2
	#noipx
	#
	#logfd 2
	#logfile /var/log/l2tpd.log
	#
	#ms-dns 8.8.8.8
	#ms-dns 8.8.4.4
	#
	#refuse-pap
	##refuse-chap
	#refuse-mschap
	#
	#require-chap
	##require-mppe
	#require-mschap-v2
	#
	#name server_name
	#
	##defaultroute
	#nodefaultroute
	#proxyarp

	# Note the server should match the /etc/ppp/options.l2tpd line 'name server_name'
	vim /etc/ppp/chap-secrets
	## Secrets for authentication using CHAP
	## client server secret IP addresses
	#username server_name password *

	# Activate the service
	systemctl enable xl2tpd

	# Restart everything to be sure
	systemctl restart openswan
	systemctl restart xl2tpd

	#===============================================================================
	# Ready on boot Hack
	#===============================================================================

	# Openswan only seems to work if it has been restarted. This hack restarts it 5
	# seconds after it is initially created

	# Create a hack service to reboot openswan
	vim /etc/systemd/system/openswanrestart.service
	#[Unit]
	#Description=IPSec VPN Restart
	#After=openswan.service
	#
	#[Service]
	#ExecStart=/usr/local/bin/openswan-restart.sh
	#
	#[Install]
	#WantedBy=multi-user.target

	# Create the restart script
	vim /usr/local/bin/openswan-restart.sh
	##!/bin/bash
	#bash -c "sleep 5; systemctl restart openswan"

	# Give the script the correct permissions
	chmod +x /usr/local/bin/openswan-restart.sh

	# Add the service to autostart and start the service
	sudo systemctl enable openswanrestart.service
	sudo systemctl start openswanrestart.service

	#===============================================================================
	# VPN Performance
	#===============================================================================

	# Testing Methodology
	# Tested with a gigabit router, 28Mbps external download and a powerful client
	# accessing the VPN from inside the LAN. Used http://www.speedtest.net/?test-2
	# to determine the VPN performance. Executed without VPN from inside network to
	# verify external connection would be faster than through the VPN on a weak CPU.

	# Results
	# Throughput ~7.2Mbps