VPN
VPN
The following contains information on how to setup a Virtual Private Network (VPN) connection using various popular packages.
IPSEC
Information on how to setup IPSEC tunnels.
MikroTik to strongSwan
Use the following configurations to connect a system running stongSwan[1] to a MikroTik[2] device using IPSEC.
strongSwan config
The following configuration will work on FreeBSD or Linux systems with strongSwan installed.
ipsec.conf
/etc/ipsec.conf:
conn <name> authby=secret auto=route keyexchange=ike left=<your local IP> right=<remote IP of Mikrotik system> leftikeport=500 rightikeport=500 type=transport ike=aes256-sha1-modp1024! esp=aes256-sha1! dpddelay=5 dpdtimeout=20 dpdaction=clear
ipsec.secrets
/etc/ipsec.secrets:
<your local IP> <remote IP of Mikrotik system> : PSK "<Put your preshared key here>"
MikroTik Config
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=<remote IP of strongswan system> proposal=ike2 ipsec-protocols=esp /ip ipsec proposal add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none /ip ipsec peer add name="<name of strongswan system>" address=<local IP> profile=ike2 exchange-mode=main send-initial-contact=yes /ip ipsec identity add peer=<remote IP of strongswan system> auth-method=pre-shared-key secret="<Put your preshared key here>" generate-policy=no /ip ipsec profile add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
OpenVPN
Information on OpenVPN is available from https://openvpn.net/[3]
TINC
Tinc is an open-source, self-routing, mesh networking protocol, used for compressed, encrypted, virtual private networks.
Tinc is available for FreeBSD, OpenBSD, NetBSD, Dragonfly BSD, Mac OS X, Linux, Microsoft Windows, Solaris, IOS (jailbroken only), and Android with full support for IPv6.
You can download tinc for *nix and Windows systems from https://www.tinc-vpn.org/
The tinc website includes many examples on common setups. They can be found at https://www.tinc-vpn.org/examples/
Standard tinc setup
Tinc can be setup in a mesh network with multiple systems.
Note: You can setup tinc with just two systems using these instructions and adjusting the steps accordingly.
For this setup we will have three hosts called Server 1, Server 2, and Server 3. The following is a brief synopsis of the network config for each:
VPN NAME: NoMoreSecrets
SERVER 1:
public ip: 1.1.1.100 vpn ip: 10.0.0.1 connects to: server 2, server 3
SERVER 2:
public ip: 1.1.2.100 vpn ip: 10.0.0.2 connects to: server 1, server 3
SERVER 3:
public ip: 1.1.3.100 vpn ip: 10.0.0.3 connects to: server 1, server 2
The following directory tree will be present on all three hosts for this setup:
/etc
└── tinc
└── NoMoreSecrets
├── hosts
│ ├── server1
│ ├── server2
│ └── server3
├── rsa_key.priv
├── tinc.conf
├── tinc-down
└── tinc-up
Individual node setup and configuration
All servers used in this example will be running Ubuntu 18.04.
Server1
- Install tinc
apt install tinc -y
- Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/
Create the following files:
- /etc/tinc/NoMoreSecrets/hosts/server1:
Address = 1.1.1.100 Subnet = 10.0.0.1
- /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server1 Interface = tun0 AddressFamily = ipv4 ConnectTo = server2 ConnectTo = server3
- /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh ip link set $INTERFACE up ip addr add 10.0.0.1/32 dev $INTERFACE ip route add 10.0.0.0/24 dev $INTERFACE
- /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh ip route del 10.0.0.0/24 dev $INTERFACE ip addr del 10.0.0.1/32 dev $INTERFACE ip link set $INTERFACE down
Server2
- Install tinc
apt install tinc -y
- Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/
Create the following files:
- /etc/tinc/NoMoreSecrets/hosts/server2:
Address = 1.1.2.100 Subnet = 10.0.0.2
- /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server2 Interface = tun0 AddressFamily = ipv4 ConnectTo = server1 ConnectTo = server3
- /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh ip link set $INTERFACE up ip addr add 10.0.0.2/32 dev $INTERFACE ip route add 10.0.0.0/24 dev $INTERFACE
- /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh ip route del 10.0.0.0/24 dev $INTERFACE ip addr del 10.0.0.2/32 dev $INTERFACE ip link set $INTERFACE down
Server3
- Install tinc
apt install tinc -y
- Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/
Create the following files:
- /etc/tinc/NoMoreSecrets/hosts/server3:
Address = 1.1.3.100 Subnet = 10.0.0.3
- /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server3 Interface = tun0 AddressFamily = ipv4 ConnectTo = server1 ConnectTo = server2
- /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh ip link set $INTERFACE up ip addr add 10.0.0.3/32 dev $INTERFACE ip route add 10.0.0.0/24 dev $INTERFACE
- /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh ip route del 10.0.0.0/24 dev $INTERFACE ip addr del 10.0.0.3/32 dev $INTERFACE ip link set $INTERFACE down
Create keypair
- On all servers create public/private keypair with:
tincd -n NoMoreSecrets -K4096
Synchronize host files
- Synchronize host files with public keys between all three servers with rsync:
- From Server1:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/ rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/
- From Server2:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/ rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/
- From Server3:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/ rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/
- On all servers set the executable bit on the tinc-up and tinc-down scripts
chmod +x /etc/tinc/NoMoreSecrets/tinc-up chmod +x /etc/tinc/NoMoreSecrets/tinc-down
Start tinc
- On all servers enable and start tinc
systemctl enable tinc@NoMoreSecrets systemctl start tinc@NoMoreSecrets
Once tinc is up and running on all three servers you should be able to communicate over the 10.0.0.0/24 network.
Since this is a mesh network, if direct communication between two nodes drops, tinc will route all traffic through the remaining node until direct communication is restored.
Troubleshooting
- Check tinc logs to see what the error shown is. Refer to official documentation at https://www.tinc-vpn.org/docs/
- Check firewall on both hosts to make sure port 655 is being accepted.
- Check IP on Address line of hosts to ensure they are correct.
- Check IP on Subnet line of hosts files to ensure they are correct.
Simplified tinc 1.1 Windows setup
Examples on how to setup tinc 1.1 on Windows as either a server or client.
Server side config
- Download tinc
- Install tinc
- Open command prompt and type the following:
cd "C:\Program Files\tinc" tinc -n vpn init master tinc -n vpn add subnet 10.0.1.1 tinc -n vpn add address=public.domain-or-ip cd tap-win64 addtap.bat netsh interface ipv4 show interfaces (Note disconnected interface. May be called Ethernet 2) netsh interface set interface name = "Ethernet 2" newname = "tinc" netsh interface ip set address "tinc" static 10.0.1.1 255.255.255.0 netsh interface ipv4 show config (Should create a tinc interface with IP and subnet) cd ..
To start tinc:
tincd -n vpn
To invite clients:
tinc -n vpn invite client1
Client side config
- Download tinc
- Install tinc
- Open command prompt and type the following:
cd "C:\Program Files\tinc" tinc join <invite-url> tinc -n vpn add subnet 10.0.1.2 cd tap-win64 addtap.bat netsh interface ipv4 show interfaces (Note disconnected interface. May be called Ethernet 2) netsh interface set interface name = "Ethernet 2" newname = "tinc" netsh interface ip set address "tinc" static 10.0.1.2 255.255.255.0 cd ..
To test connection:
tincd -n vpn -D -d3
To run tinc as service:
tincd -n vpn
Notes
Tinc will automatically register itself as a service when started without -D or --no-detach option.
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
Softether
SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan.
You can download SoftEther for FreeBSD, Linux, Mac, Solaris, and Windows from https://www.softether.org/[4]
Features
- SSL-VPN tunnelling on HTTPS to pass though NATs and firewalls
- Revolutionary VPN over ICMP and VPN over DNS featuers
- Ethernet-bridging (L2) and IP-routing (L3) over VPN.
- Embedded dynamic-DNS and NAT-traversal
- SSL-VPN (HTTPS) and support for 6 major VPN protocols: OpenVPN, IPSEC, L2TP, MS-SSTP, L2TPv3, and EtherIP)
WireGuard
WireGuard can be downloaded from https://www.wireguard.com/[5]
Other
Any other information that doesn't fit elsewhere.
Firewall
Information regarding firewall setup as related to the VPN configs above.
Linux
The following script can be used to setup a basic firewall on a Linux based system using iptables.
Supports IPv4 and IPv6. Comment out the parts that are not need with a # or optionally delete them.
#!/bin/bash #Modify to match your network interface INET_IF=eth0 #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to #"Management only" services. Add or remove as needed. Make sure to update the ManagementFilterV4 with #the changes System1="XX.XX.XX.XX/YY" System2="XX.XX.XX.XX/YY" ManagementFilterV4=$System1,$System2 #Flush and zero all tables modprobe ip_tables modprobe ipt_limit modprobe iptable_mangle modprobe ipt_state modprobe ipt_LOG modprobe iptable_filter modprobe ipv6 iptables -F INPUT iptables -F FORWARD iptables -t nat -F POSTROUTING iptables -t nat -F PREROUTING ip6tables -F INPUT ip6tables -F FORWARD #init the log-and-drop chain iptables -F log-and-drop iptables -X log-and-drop iptables -N log-and-drop ip6tables -F log-and-drop ip6tables -X log-and-drop ip6tables -N log-and-drop iptables -F log-and-reject iptables -X log-and-reject iptables -N log-and-reject ip6tables -F log-and-reject ip6tables -X log-and-reject ip6tables -N log-and-reject #Now add in rules to affect DOCKER containers - uncomment if using Docker #See https://unrouted.io/2017/08/15/docker-firewall/ #iptables -F DOCKER-USER #iptables -X DOCKER-USER #iptables -N DOCKER-USER #ip6tables -F DOCKER-USER #ip6tables -X DOCKER-USER #ip6tables -N DOCKER-USER #iptables -F FILTERS #iptables -X FILTERS #iptables -N FILTERS #ip6tables -F FILTERS #ip6tables -X FILTERS #ip6tables -N FILTERS echo "all tables flushed and dropped" # Specific chain used for logging packets before blocking them iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop " iptables -A log-and-drop -j DROP ip6tables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop " ip6tables -A log-and-drop -j DROP # Specific chain used for logging packets before blocking them iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject " iptables -A log-and-reject -j REJECT ip6tables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject " ip6tables -A log-and-reject -j REJECT echo "logging chains setup" # The packets having the TCP flags activated are dropped # and so for the ones with no flag at all (often used with Nmap scans) iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop #setup DOCKER-USER related rules - uncomment if using Docker #iptables -A DOCKER-USER -i $INET_IF -j FILTERS #Now add any rules you want Docker to abide by for containers to -A FILTERS #limit traffic to 80 an 443 #DCQ="2" #max requests in 1 second #DCH="25" #max requests over 7 seconds #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop #default return chain #iptables -A FILTERS -j RETURN #Global blocks #iptables -t filter -A INPUT -j DROP -s 12.34.56.78/32 #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on. # Requests per second #RQS="15" # Requests per 7 seconds #RQH="35" #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP #Uncomment the next sections if using IPSEC #Clamp MSS on IPSEC tunnels #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 # allow IPSEC from other boxes #IPSECsrc='XX.XX.XX.XX/YY' # Put in the form of XX.XX.XX.XX = IP address you want to allow IPSEC in from and YY is the netmask. #Technically the next two are not needed as we have the policy #iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc" #iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc" #iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc" #iptables -A INPUT -i $INET_IF -p udp --dport 4500 -j ACCEPT --src "$IPSECsrc" # this is needed to allow all ipsec packets when it's host to host #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" #allow DNS in #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53 #iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53 #ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53 #allow port 80 in #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 #allow port 443 in #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 # allow all ssh in - uncomment ManagemetnFilterV4 and comment out the two lines below to restrict SSH access on port 22 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4 iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 echo "end of services" # allow ping at 2 per sec iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3 iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT # allow responces to local initated connections #iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop #iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED ip6tables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED # Set rp_filter to 2 for i in `find /proc/sys/net/ipv*/conf -name rp_filter` do echo "2" >$i done # setup a default deny rule for outside traffic iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop #uncomment if you are using Docker #echo "Restarting Docker" #systemctl restart docker #uncomment the next two lines if fail2ban is installed #echo "Restarting fail2ban" #systemctl restart fail2ban