IPSEC/L2TP questions

I'm currently trying to get a VPN running with IPsec and L2TP on my Debian 6 Linode. I know this forum seems to have a hard-on for OpenVPN (I've searched extensively in the forum) and I'd rather use that but, as far as I understand, Android does not support OpenVPN without rooting yet and I need non-rooted Android devices to work with whatever VPN I use. Rooting is NOT negotiable here for various reasons, but I do understand that it would probably be easier (but I'm not going to do it).

Anyways, I found http://www.jacco2.dds.nl/networking/openswan-l2tp.html and am reading through it right now. It seems to be fairly straightforward, but I'm quite new to linux and networking. I can do basics like setting up iptables and basic networking, but I'm unclear on a few things.

1) do I need to buy another IP for my linode to use a VPN setup, or can I forward from my main linode IP?

2) is there a more up-to-date step-by-step setup than the one linked above?

3) I've also seen racoon mentioned elsewhere; is that a proprietary implementation that I'd need to root my android devices for also?

4) is there any other information that might help me? (like something easier than this that works)

If there is a better way to do a VPN for Android than this, I'm quite open to it. I could use OpenVPN on my Windows systems, which I've done before and prefer.

Also, FYI, I have two Android 2.2 devices (Galaxy Tab 7-inch and Thunderbolt) right now that need to connect and also a Debian 6 laptop and Windows 7 desktop to connect. I do have a Netgear router at home that I should be able to use NAT-T through and I want to use various public wifi connections as well.

Thanks for your help!

10 Replies

I'd root the portable devices (just kidding).

What does VPN offer that SSH with Cert's don't?

SSH has less overhead, easier to setup (both on server and client), with certs is portable, and just as secure as VPN.

VPN is great for setting up network-to-network tunnels, but for one client-to-server tunnel SSH is just as good and much simpler.

@vonskippy:

What does VPN offer that SSH with Cert's don't?

SSH has less overhead, easier to setup (both on server and client), with certs is portable, and just as secure as VPN.

VPN is great for setting up network-to-network tunnels, but for one client-to-server tunnel SSH is just as good and much simpler.

Well, perhaps SSH tunneling would work better for me? Mainly, my goal is to ensure ALL my data on mobile devices (phone, tablet, laptop) goes through a secure tunnel when I'm on wifi other than my home (and mobile data connections maybe). I know on Android I can use ConnectBot for some of that, but it takes a bit of time to setup and I have to do it every time I want to use the tunnel as far as I know. Correct me if I am wrong, but if I setup a VPN on my chosen systems I can use it on-demand easily and quickly without any fuss.

I guess, if I really think about it, I only really need tunneling for port 80 and 443, but I really don't want to have to think about it and possibly forget to setup the SSH tunnel when I'm away from home.

I have an IPsec/L2TP VPN setup I use for my and my wife's iPhones when we're out and about, as well as OpenVPN for our laptops. I've got my Linode running Fedora F14 rather than Ubuntu (from my experience I prefer to use Ubuntu for Linux desktops but a Red Hat derivative for servers). However, it won't be that much different to set up under Ubuntu. I'm also not familiar with Android's VPN capabilities and limitations but I imagine there is good information out there about the specific configuration you'll need both on the device and on the server.

You won't need another IP address - everything will be done through the one public IP you currently have. You will end up setting up "tunnel" interfaces within the VPN software with private IPs that will terminate the VPN tunnels you create. The IPsec/L2TP software will take care of the "magic" that creates/tears down these interfaces and forwards traffic between these tunnel interfaces and your Ethernet interface w/ the public IP.

You will need to set up some iptables rules, both for SNAT masquerading traffic from your VPN tunnels out your public IP (and don't forget to allow IP forwarding as well), as well as basic security (including ensuring that traffic that hits your L2TP daemon comes only from within IPsec-encrypted tunnels). Many of the good tutorials include information about iptables setup like this.

There are a number of good tutorials online - I wish I could remember the URLs of the ones I used. I just found them via Google.

Package-wise I'm using Openswan for IPsec and xl2tpd for L2TP. The package web sites offer some tutorials as well as mailing lists that are useful in getting things set up.

Once set up both the OpenVPN and IPsec/L2TP VPNs work flawlessly with one exception. In order to have multiple IPsec/L2TP devices connect from the same NATed local network you have to make use of SAref within IPsec (in order for the IPsec layer to be able to distinguish between two devices behind the same NAT firewall). At least w/ Fedora and Openswan this requires some kernel modifications. I started down that path but dropped it since my wife and I rarely need to have our iPhones on the same non-home wifi network at the same time.

Cheers.

Doug
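The iptables and forwarding setup Doug describes above (SNAT out of the single public IP, IP forwarding on, and L2TP reachable only from inside IPsec), written out as an added example; this is not code from the thread or from the Openswan/xl2tpd projects. It assumes the public interface is eth0 and that xl2tpd/pppd hands clients addresses from 10.99.0.0/24; both names are placeholders to adjust. The FORWARD and MASQUERADE rules are also the server-side half of "all phone traffic goes out via the VPN", which is the routing question that comes up later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: iptables/sysctl setup for an Openswan +
# xl2tpd (IPsec/L2TP) server on a single public IP.
# Assumed names: public interface eth0, PPP address pool 10.99.0.0/24 handed
# out by xl2tpd/pppd. Set IPT=echo SYSCTL=echo to print instead of apply.
set -eu

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Forwarding must be on for VPN clients to reach the Internet through the
# server. Openswan's "ipsec verify" also warns if ICMP redirects are left on,
# because redirects can steer traffic around the tunnel.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$SYSCTL" -w net.ipv4.conf.all.send_redirects=0
    "$SYSCTL" -w net.ipv4.conf.all.accept_redirects=0
}

# Rules for the VPN server itself. $1 = public interface, $2 = PPP pool.
apply_vpn_firewall() {
    wan="$1"
    pool="$2"

    enable_forwarding

    # IKE, NAT-T (ESP-in-UDP 4500) and raw ESP must be reachable from anywhere:
    # that is how clients start the IPsec negotiation, also from behind NAT.
    "$IPT" -A INPUT -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -p udp --dport 4500 -j ACCEPT
    "$IPT" -A INPUT -p esp -j ACCEPT

    # L2TP (UDP 1701) is ONLY accepted when the packet arrived inside an ESP
    # security association. The policy match tests the decapsulated packet
    # (this also holds with NAT-T). Without it anyone on the Internet can speak
    # cleartext L2TP/PPP to xl2tpd and attack PPP authentication directly.
    # Order matters: the ACCEPT must come before the catch-all DROP.
    "$IPT" -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    "$IPT" -A INPUT -p udp --dport 1701 -j DROP

    # Forward traffic from the ppp tunnel interfaces to the public side;
    # only reply traffic is allowed back in to the tunnels.
    "$IPT" -A FORWARD -i ppp+ -s "$pool" -o "$wan" -j ACCEPT
    "$IPT" -A FORWARD -i "$wan" -o ppp+ -d "$pool" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source-NAT the private pool out of the single public IP, so a client that
    # sends its default route through the VPN leaves the Internet via the server.
    "$IPT" -t nat -A POSTROUTING -s "$pool" -o "$wan" -j MASQUERADE
}

# Run as:  sudo sh vpn-firewall.sh apply eth0 10.99.0.0/24
# Dry run: IPT=echo SYSCTL=echo sh vpn-firewall.sh apply eth0 10.99.0.0/24
if [ "${1:-}" = "apply" ]; then
    apply_vpn_firewall "${2:-eth0}" "${3:-10.99.0.0/24}"
fi
```

After a phone connects, `iptables -L INPUT -n -v` is the check: the packet counter on the `--pol ipsec` rule should climb while a legitimate client is up, and any hits on the plain UDP 1701 DROP rule are something (or someone) trying L2TP in the clear. Add these rules ahead of any existing default-deny policy, and keep the usual SSH and conntrack rules you already have.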

@fischerdk:


Thanks! This is what I needed. I found a good instructional page for installing this setup, but it was a bit old. Still has good info, though. I'm sad to hear that I'd need kernel mods for multiple devices, but I suppose I really only need to use one at a time. I also think I might just do OpenVPN now, because I just got a Verizon LTE phone with wifi hotspotting. I hear their LTE uses a very secure protocol, so perhaps that's good enough(TM).

@zeroturn:

I found a good instructional page for installing this setup, but it was a bit old. Still has good info, though.

I'm trying to get a similar setup going (Linode running Ubuntu Lucid Lynx, Android running 2.3.3, non-rooted). Did you manage to set this up, and if so can you share your config or the instructional pages? I've been searching around the internet all day, lots of info, but most of it is designed to let you access a home network. I want to have all internet access from my phone routed via the VPN, and I can't get the routing working…

Thanks in advance.

m

Please fix your bathroom talk and then I might be able to read your message one professional to another and possibly help you.

I think he meant the other meaning of "routing".

@jebblue:

Please fix your bathroom talk and then I might be able to read your message one professional to another and possibly help you.

I'll read it for you; his questions were answered. :roll:

@iml:

@jebblue:

Please fix your bathroom talk and then I might be able to read your message one professional to another and possibly help you.

I'll read it for you; his questions were answered. :roll:

They were? Not in this thread or even this forum as far as I can tell, and as I said I found many guides on the web, but all implementing a different topology from what I'm trying to do. I was politely asking the OP a question.

Anyway, there is a word to describe jebblue's "response", but I'll refrain from bathroom talk.

I attempted to get OpenVPN working. ssh tunnels are easier for me. If I had many servers in the cloud I'd probably go back and get OpenVPN working.
