Difference between revisions of "IPsec VPN"

From Amahi Wiki
Latest revision as of 10:30, 13 June 2017

We now have a new Amahi IPsec VPN app for your HDA!

Introduction

This VPN stack has many advantages, although it still requires two ports to be forwarded from your router to your HDA. These are

 500 UDP (IKE) and 4500 UDP (IPsec NAT-Traversal)

UDP, not TCP. Clients behind NAT, which is practically every phone or laptop on somebody else's network, carry the encrypted ESP traffic inside UDP 4500, so these two UDP ports are all that has to be forwarded for them.

Here is how to set up clients for various client operating systems:

* iOS (iPad, iPhone, iPod), built-in client: see the IPSec VPN iOS Client page
* Windows 7: see the IPSec VPN Windows Client page
* Mac OS X, built-in client: see the IPSec VPN Mac OS X Client page
* Android, built-in client (ICS, i.e. 4.x or later): see the IPSec VPN Android Client page

The Android (2.x/3.x) OS is known to be broken with respect to IPSec VPN. See the IPSEC/L2TP VPN Server page for a manual implementation that should work.

NOTE: By default the VPN is a split tunnel: only traffic destined for your home network is routed via the VPN. General web traffic etc. will *not* be encrypted and leaves the client directly onto whatever network it happens to be on. To change this behaviour so that all network traffic from your client is routed via your VPN, edit /etc/racoon/racoon.conf and remove the lines beginning "split_network" and "split_dns" from the mode_cfg block, then restart racoon.

Changing Secret and/or Group Name

Optionally, you can change the secret and/or group name.

For that, you have to be able to edit a system file as root.

Become root via ssh or a terminal and then edit this file:

        /etc/racoon/psk.txt

This file has two fields separated by at least one space. The first one is the Group name and the second is the Secret. Change them, keeping in mind that.

Whatever you pick must be mirrored on every client: the group name is what the clients enter as their Key Identifier (local identity) and the secret is their pre-shared key, so after a change every client profile has to be updated before it can connect again. The secret is shared by everyone who uses the VPN; individual users are still authenticated with their own HDA username and password via XAuth (auth_source system in racoon.conf), so the group secret is the thing to rotate if a configured device is lost. Keep the file readable by root only, since anyone who can read it has everything needed to start an IKE exchange with your HDA.

The changes will be picked up automatically a few seconds later. If you want to make sure, perform a:

        service racoon restart
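As an added example (not from the Amahi wiki or the Amahi project), the following POSIX shell functions do the psk.txt edit in a checked way: they generate a secret that contains no whitespace, write the file with root-only permissions, and read it back the way racoon will parse it. The file path is a parameter so you can try it on a scratch file before pointing it at /etc/racoon/psk.txt; the group name Amahi is the default from this page.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki or project. Edits a racoon psk.txt
# ("<group> <secret>" per line) without leaving it world-readable or malformed.

# gen_secret : 24 random bytes, base64 encoded (32 characters), no whitespace
gen_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# write_psk FILE GROUP SECRET : replace FILE with a single "GROUP  SECRET" line.
# racoon splits on whitespace, so neither value may contain any or be empty; the
# file is created 0600 and renamed into place so a half-written file is never visible.
write_psk() {
    file=$1; group=$2; secret=$3
    for v in "$group" "$secret"; do
        case "$v" in
            ''|*[[:space:]]*) echo "write_psk: group/secret empty or contains whitespace" >&2; return 1 ;;
        esac
    done
    ( umask 077 && printf '%s  %s\n' "$group" "$secret" > "$file.tmp" ) || return 1
    chmod 600 "$file.tmp" && mv "$file.tmp" "$file"
}

# read_psk FILE : print "GROUP SECRET" from the first non-comment entry,
# i.e. exactly the two fields racoon will use
read_psk() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1"
}

# Typical use on the HDA (as root), then make sure racoon picks it up:
#   write_psk /etc/racoon/psk.txt Amahi "$(gen_secret)" && service racoon restart
```

Until every client profile carries the new secret, those clients will fail IKE phase 1 against the HDA, so update them at the same time as the file.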

Route All traffic through VPN (Amahi 6/Ubuntu)

After you install IPSec VPN and configure your router and iPhone correctly, you may find that Twitter and Facebook are still blocked by some networks, and that searching for "what is my ip" via Google or your favourite search engine still reports the address of the local network you are on rather than your home address.

The Amahi VPN uses a split tunnel by default: only traffic for your home network goes through the HDA, everything else leaves the client directly. If you want to use blocked services while behind somebody's internet filters, the steps below send all of your traffic through the VPN instead, encrypted as far as your HDA.

Please note this will divert all of your traffic through your HDA, and resources on the network you are connecting from will only stay reachable if their range is listed as local_lan in step 6.

1. Open a terminal on your HDA or use SSH.

2. Go to /etc/racoon.

cd /etc/racoon

3. Back up the original racoon.conf in case things break.

cp racoon.conf racoon.conf.orig

4. As root user, open racoon.conf with your favorite editor.

sudo nano racoon.conf

5. Go to the line with "mode_cfg".

mode_cfg {
        auth_source system;
        save_passwd on;
        network4 10.8.1.1;
        netmask4 255.255.255.0;
        pool_size 10;
        dns4 192.168.1.10;
        wins4 192.168.1.10;
        default_domain "amahi3.com";
        auth_throttle 60;
        split_network include 198.162.1.0/24 10.100.100.0/24;
        split_dns "home.com";
        banner "/etc/racoon/welcome.txt";
}


NOTE: The two lines to change are "split_network" and "split_dns". With "include", only the listed networks are routed through the tunnel and the rest of the client's traffic goes out unencrypted; with "local_lan", the listed networks stay on the client's own LAN and everything else is routed through the tunnel.

6. Change split_network from "include" to "local_lan" and delete the 198.162.... range, leaving only the network that should remain reachable locally.

mode_cfg {
~~
        split_network local_lan 10.100.100.0/24;


7. Also change "split_dns" to your HDA's domain, i.e. the same value as default_domain (amahi3.com in this example).

mode_cfg {
~~
        split_dns "amahi3.com";


8. Save your work

9. Restart the racoon server

sudo service racoon restart      


Or open up your HDA dashboard, click on settings->servers and restart the IPSEC server.

Searching for "what is my ip" via Google or your favorite search engine should now report your home VPN. You should then be able to use Twitter and Facebook through your VPN.
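Added example, not from the Amahi wiki or project: the same racoon.conf surgery as steps 3 to 9, done with sed so it is repeatable, with the first backup preserved and a check of which mode the file is actually in afterwards. It covers both the variant from the note in the introduction (drop split_network and split_dns entirely) and the local_lan variant of steps 6 and 7. The config path, network and domain are parameters; sample_conf writes the mode_cfg block from this page into a scratch file so the functions can be tried without touching /etc/racoon.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki or project: switch the mode_cfg block
# of a racoon.conf between split and full tunnel. Paths are parameters; nothing
# here touches /etc/racoon unless you pass that path.

# sample_conf FILE : the mode_cfg block shown on this page, for a dry run
sample_conf() {
    cat > "$1" <<'EOF'
mode_cfg {
        auth_source system;
        save_passwd on;
        network4 10.8.1.1;
        netmask4 255.255.255.0;
        pool_size 10;
        dns4 192.168.1.10;
        split_network include 198.162.1.0/24 10.100.100.0/24;
        split_dns "home.com";
        banner "/etc/racoon/welcome.txt";
}
EOF
}

# backup_once CONF : keep the first pristine copy as CONF.orig, never overwrite it
backup_once() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig"
}

# edit_in_place CONF SED-ARGS... : portable "sed -i" (write to a temp file, then rename)
edit_in_place() {
    conf=$1; shift
    sed "$@" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# full_tunnel CONF : drop split_network and split_dns, so every route and every
# DNS query from the client goes through the VPN (the note in the introduction)
full_tunnel() {
    backup_once "$1" || return 1
    edit_in_place "$1" -e '/^[[:space:]]*split_network[[:space:]]/d' \
                       -e '/^[[:space:]]*split_dns[[:space:]]/d'
}

# local_lan_tunnel CONF NET DOMAIN : steps 6 and 7; NET stays on the client's own
# LAN, everything else is tunnelled, and DOMAIN is resolved through the VPN's DNS
local_lan_tunnel() {
    conf=$1; net=$2; domain=$3
    backup_once "$conf" || return 1
    edit_in_place "$conf" \
        -e "s|^\([[:space:]]*\)split_network[[:space:]].*;|\1split_network local_lan $net;|" \
        -e "s|^\([[:space:]]*\)split_dns[[:space:]].*;|\1split_dns \"$domain\";|"
}

# tunnel_mode CONF : "split", "local_lan" or "full", read from the file itself
tunnel_mode() {
    if grep -Eq '^[[:space:]]*split_network[[:space:]]+include' "$1"; then echo split
    elif grep -Eq '^[[:space:]]*split_network[[:space:]]+local_lan' "$1"; then echo local_lan
    else echo full
    fi
}

# Typical use on the HDA (as root), then restart racoon:
#   local_lan_tunnel /etc/racoon/racoon.conf 10.100.100.0/24 amahi3.com
#   tunnel_mode /etc/racoon/racoon.conf && service racoon restart
```

Run tunnel_mode after the restart as well as before it: a typo in the edited block makes racoon fail to start, and the .orig copy is what you put back in that case.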

Route all traffic through VPN (Fedora)

This is the procedure for the IPSec VPN server on Fedora 19 with Amahi 7 to forward all traffic through the VPN.


1. In /etc/racoon/racoon.conf, delete the two lines containing "split" inside mode_cfg:

split_network include 192.168.1.0/24, 10.8.1.0/24;
split_dns "home.com";


2. On your HDA run ifconfig (or ip link) to find the name of the interface that carries your internet connection.
In /etc/racoon/amahi-up-down change lines 19 and 26 from eth0 to that name (em1 on the HDA this was written on, since Fedora 19 does not call the interface eth0). The changes are
from:

iptables -t nat -A POSTROUTING -s ${INTERNAL_ADDR4}/32 -o eth0 -j MASQUERADE

to

iptables -t nat -A POSTROUTING -s ${INTERNAL_ADDR4}/32 -o em1 -j MASQUERADE

and from:

iptables -t nat -D POSTROUTING -s ${INTERNAL_ADDR4}/32 -o eth0 -j MASQUERADE


to

iptables -t nat -D POSTROUTING -s ${INTERNAL_ADDR4}/32 -o em1 -j MASQUERADE

Finally go to http://hda->Setup->Settings->Servers and restart the IPsec VPN Server.
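Added example, not the Amahi project's own script: rather than editing amahi-up-down by hand, the functions below find the interface that carries the HDA's default route and rewrite every "-o eth0" in the MASQUERADE rules to it, keeping a backup of the original. The script path and interface name are parameters; sample_updown writes the two iptables lines quoted above into a scratch file so the edit can be checked before it is applied to /etc/racoon/amahi-up-down.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki or project: point the MASQUERADE rules
# in amahi-up-down at the interface that actually carries the default route.

# sample_updown FILE : the two lines from this page, as a stand-in for the real script
sample_updown() {
    cat > "$1" <<'EOF'
#!/bin/sh
# up: NAT this client's VPN address out of the HDA's external interface
iptables -t nat -A POSTROUTING -s ${INTERNAL_ADDR4}/32 -o eth0 -j MASQUERADE
# down: remove the same rule again
iptables -t nat -D POSTROUTING -s ${INTERNAL_ADDR4}/32 -o eth0 -j MASQUERADE
EOF
}

# default_iface : name of the interface used for the IPv4 default route (empty if none)
default_iface() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# set_outbound_iface FILE IFACE : replace "-o <anything>" in the MASQUERADE rules
# with "-o IFACE", keeping a one-time backup of the original script. The name is
# validated because it is spliced into a sed expression and into a root-run script.
set_outbound_iface() {
    file=$1; iface=$2
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "set_outbound_iface: bad interface name '$iface'" >&2; return 1 ;;
    esac
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    sed "/MASQUERADE/ s/-o [^ ]*/-o $iface/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# masq_ifaces FILE : list the interfaces the MASQUERADE rules now use, one per line
masq_ifaces() {
    awk '/MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-o") print $(i+1) }' "$1"
}

# On the HDA:
#   set_outbound_iface /etc/racoon/amahi-up-down "$(default_iface)"
#   masq_ifaces /etc/racoon/amahi-up-down
# then restart the IPsec VPN server from the dashboard. After a client connects,
# `iptables -t nat -S POSTROUTING` should show the rule with the new interface name.
```

If clients still cannot reach the internet after this, check that the kernel is forwarding at all (sysctl net.ipv4.ip_forward should print 1) and re-run default_iface after upgrades or hardware changes, since the interface name can change again and the rule silently matches nothing when it does.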