The goal here is to provide a quick and easy but secure client VPN that can be configured natively, without any additional software, on:
- Linux
- iOS
- Android
- Windows
- OSX
OpenWrt IPsec Road Warrior Configuration by tmomas is an excellent resource for configuring client VPN. However, if you want a super easy client VPN solution to roll out to inexperienced and non-technical remote-access users, similar to the philosophy of Cisco Meraki client VPN, try this alternative. VPN server setup is also very quick and easy in this implementation.
In the examples, the following assumptions have been made:
- OpenWrt is the gateway VPN server (any Linux box can be used, just install strongswan using the appropriate package manager).
- The gateway router's WAN-side FQDN is gateway.example.com. If there is no FQDN, substitute the IP address.
- The gateway inside LAN to be accessed is 10.1.1.0/24
- The virtual IP address pool for VPN clients is 10.1.2.0/16
VPN configuration choices:
- IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 gains adequate support across all of the main platforms, I would switch to it straight away.
- Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
- XAUTH: Adds an extra layer of security, so that a client's access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt; strongSwan's XAUTH works well.
- Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel avoids unnecessary load on the gateway and gives faster connectivity for VPN clients who may need simultaneous LAN and internet access.
Install strongSwan:
# opkg update
# opkg install strongswan-full
If you are light on storage, the minimum number of modules can be installed with:
opkg install strongswan-default strongswan-mod-xxx strongswan-mod-yyy...
As I prefer to tinker with different configurations, I install the full package.
There are 4 files to configure:
- /etc/strongswan.conf: strongSwan configuration file
- /etc/ipsec.conf: Tunnel definitions
- /etc/ipsec.secrets: List of secrets and keys
- /etc/config/firewall: Firewall changes to allow VPN traffic
Edit /etc/strongswan.conf:
charon {
    threads = 16
    dns1 = 10.1.1.1
    nbns1 = 10.1.1.1
}
# only used by strongSwan 4.x; in 5.x charon handles IKEv1 as well, so this can stay empty
pluto {
}
libstrongswan {
    crypto_test {
        on_add = yes
    }
}
/etc/ipsec.conf is the heart of the strongSwan configuration. There are a huge number of possible connection configurations obtained by adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option, but do take the time to gain a basic understanding of the IPsec protocol suite, Internet Key Exchange and the various authentication methods.
To keep things modular, break up config sections and inherit parameters with also=conn-name. In this example I have a roadwarrior-base for all client VPN, as I have other connections available. I may also have site-to-site VPN configured, so any parameters common to all connections go in conn %default.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
conn roadwarrior-base
    left=%any
    leftid=@gateway.example.com
    leftfirewall=yes
    right=%any
    rightsourceip=10.1.2.0/16
    auto=add
# iOS, Android, Linux and Windows friendly remote access VPN
# need keyexchange=ikev1 as Android doesn't support ikev2
# leftsubnet is inside LAN only for split tunnelling or 0.0.0.0/0 for full tunnel
# save on data usage and just use local subnet, less secure though
# rightsourceip is the VPN address pool
# 2-step security:
# 1. pre-shared key
# 2. xauth
# use virtual IP address pool to control VPN clients 'rightsourceip'
conn rw-ikev1-psk-xauth-splittun
    also=roadwarrior-base
    keyexchange=ikev1
    leftsubnet=10.1.1.0/24,::/0
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
If you want full tunnel for added security, replace leftsubnet=10.1.1.0/24 with leftsubnet=0.0.0.0/0.
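As an added example (not part of the original page), here is a shell/awk helper that prints the effective parameters of one conn after applying conn %default, every also= chain (recursively) and finally the conn's own settings, with the conn's own values winning over included ones. It lets you see exactly what rw-ikev1-psk-xauth-splittun inherits from roadwarrior-base; the function names are mine and the demo input is a constructed excerpt of the config above.

```shell
#!/bin/sh
# Added example, not from the original page: resolve the effective settings of
# one conn in an ipsec.conf file.  Order of application: conn %default, then the
# also= sections (depth first), then the conn's own keys, which take precedence.

ipsec_conn_effective() {  # usage: ipsec_conn_effective FILE CONN
    awk -v want="$2" '
    function apply(c,   i, n, parts) {
        n = split(parents[c], parts, " ")
        for (i = 1; i <= n; i++) apply(parts[i])                    # included first
        n = split(keys[c], parts, " ")
        for (i = 1; i <= n; i++) eff[parts[i]] = val[c, parts[i]]   # own values win
    }
    /^[ \t]*#/ { next }                          # comment line
    NF == 0    { next }                          # blank line
    /^conn[ \t]+/ { cur = $2; seen[cur] = 1; next }
    /^(config|ca)[ \t]+/ { cur = ""; next }      # not a conn section
    cur != "" {
        line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        eq = index(line, "="); if (eq == 0) next
        k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
        if (k == "also") parents[cur] = parents[cur] " " v
        else { if (!((cur, k) in val)) keys[cur] = keys[cur] " " k; val[cur, k] = v }
    }
    END {
        if (!(want in seen)) { print "no such conn: " want > "/dev/stderr"; exit 2 }
        apply("%default"); apply(want)
        for (k in eff) print k "=" eff[k]
    }' "$1" | sort
}

# Constructed sample in the layout used above, for a stand-alone run.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
conn %default
    ikelifetime=60m
    keylife=20m
conn roadwarrior-base
    left=%any
    right=%any
    rightsourceip=10.1.2.0/16
conn rw-ikev1-psk-xauth-splittun
    also=roadwarrior-base
    keyexchange=ikev1
    leftsubnet=10.1.1.0/24,::/0
    rightauth2=xauth
EOF
    ipsec_conn_effective "$f" rw-ikev1-psk-xauth-splittun
    rm -f "$f"
}
```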
If you want to try IKEv2, you can use the following config. You'll need to install the strongSwan app on Android. Native iOS IKEv2 only allows a certificate, or a username/password, or a PSK, not a combination; to keep things simple I've chosen PSK authentication:
# stronger faster ikev2 but not supported on Android yet
# auth with pre-shared key
conn rw-ikev2-psk-splittun
    also=roadwarrior-base
    keyexchange=ikev2
    leftsubnet=10.1.1.0/24,::/0
    authby=secret
For many more examples, head to the strongSwan website.
# currently identical to rw-ikev2-psk-splittun above; IKEv2 does not use XAUTH,
# so a second authentication step here would need EAP instead
conn rw-ikev2-psk-xauth-splittun
    also=roadwarrior-base
    keyexchange=ikev2
    leftsubnet=10.1.1.0/24,::/0
    authby=secret
There are more secure ways of storing passwords than in plain text on the VPN server, but for this exercise we will drop them in the /etc/ipsec.secrets file:
# pre-shared key
gateway.example.com %any : PSK "my super secret pre-shared key goes here"
# XAUTH
[email protected] : XAUTH "password 1"
[email protected] : XAUTH "password 2"
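As an added example (not from the original page), a small POSIX shell helper to add and revoke XAUTH users in /etc/ipsec.secrets, which is how the XAUTH layer described above lets you cut off one client without rotating the PSK. It assumes the one-line-per-user layout shown above and strongSwan's ipsec command (rereadsecrets) on the gateway; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: manage XAUTH users in an
# ipsec.secrets-style file so one client can be revoked without rotating the PSK.
# Assumes the layout used above:   <user> : XAUTH "<password>"
# and strongSwan's "ipsec" helper on the gateway (skipped if absent).

# Ask charon to re-read secrets; warn rather than fail when it cannot.
xauth_reload() {
    if command -v ipsec >/dev/null 2>&1; then
        ipsec rereadsecrets || echo "warning: could not reload secrets" >&2
    fi
}

# Print the XAUTH usernames in FILE, one per line (PSK lines are skipped).
xauth_list() {  # xauth_list FILE
    awk '$2 == ":" && $3 == "XAUTH" { print $1 }' "$1"
}

# Succeeds if USER has an XAUTH entry in FILE.
xauth_has() {  # xauth_has FILE USER
    xauth_list "$1" | grep -qxF -- "$2"
}

# Append a user; refuses duplicates and characters that would break the quoting.
xauth_add() {  # xauth_add FILE USER PASSWORD
    case "$2" in ''|*' '*) echo "invalid username" >&2; return 1;; esac
    case "$3" in *'"'*|*'\'*) echo "password must not contain \" or \\" >&2; return 1;; esac
    if [ -e "$1" ] && xauth_has "$1" "$2"; then
        echo "user already present: $2" >&2; return 1
    fi
    ( umask 077; printf '%s : XAUTH "%s"\n' "$2" "$3" >> "$1" ) &&
        chmod 600 "$1" && xauth_reload
}

# Revoke a user: rewrite FILE without that user's XAUTH line, keeping everything else.
xauth_revoke() {  # xauth_revoke FILE USER
    xauth_has "$1" "$2" || { echo "no such user: $2" >&2; return 1; }
    tmp="$1.tmp.$$"
    ( umask 077; awk -v u="$2" '!($1 == u && $2 == ":" && $3 == "XAUTH")' "$1" > "$tmp" ) &&
        mv "$tmp" "$1" && chmod 600 "$1" && xauth_reload
}
```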
We need to edit the firewall rules to allow the following incoming traffic:
- UDP port 500
- UDP port 4500
- Encapsulating Security Payload (ESP) IP protocol 50
- Authentication Header (AH) IP protocol 51
If the VPN server is behind a NAT router, make sure that device has port forwards set up; UDP 500 and UDP 4500 should be sufficient.
In OpenWrt, edit /etc/config/firewall:
config rule
    option src 'wan'
    option name 'IPSec ESP'
    option proto 'esp'
    option target 'ACCEPT'
config rule
    option src 'wan'
    option name 'IPSec IKE'
    option proto 'udp'
    option dest_port '500'
    option target 'ACCEPT'
config rule
    option src 'wan'
    option name 'IPSec NAT-T'
    option proto 'udp'
    option dest_port '4500'
    option target 'ACCEPT'
config rule
    option src 'wan'
    option name 'Auth Header'
    option proto 'ah'
    option target 'ACCEPT'
Restart the IPsec service. On OpenWrt:
# /etc/init.d/ipsec restart
In a separate SSH session, open a live log. In OpenWrt:
# logread && logread -f
Also check with:
# ipsec statusall
TODO