Bo's IPCop Tidbits

*******************************************************************

IPCop non-root SSH tunnel login

07/27/2007

I had a throughput problem with the secure channel (SSH) into my home network from the WAN. I run IPCop and was port-forwarding SSH to an internal server running the Cygwin SSH daemon; some will know better than others that it is more secure to open one port on the firewall and tunnel everything else through it than to open one port per service. The catch is that my firewall is virtualized: it forwarded the connection to its own physical host, and bulk transfers off that host through the Cygwin sshd had to cross the virtual-to-physical boundary, which, as far as I could tell, was the bottleneck. My solution was to create a new, unprivileged user on IPCop itself and allow SSH tunneling for that user alone, which removes the need to tunnel through Cygwin on the physical host. Keep in mind that this makes the firewall's own sshd the Internet-facing service, which is why the non-standard port, "PermitRootLogin no" and "AllowUsers" below matter. Here are the steps:

0) Enable SSH via the web interface on IpCop

1) SSH to IpCop as root

2) execute "useradd newusername -g users"

3) execute "passwd newusername"

4) execute "cd /home"

5) execute "mkdir newusername"

6) execute "chown newusername:users newusername"

7) execute "cd /etc/ssh"

8) execute "vi sshd_config"

8a) change "Port *wanted port*"

8b) change "PermitRootLogin no"

8c) change "AllowTcpForwarding yes" (that is the canonical spelling; sshd keywords are case-insensitive, so "AllowTCPForwarding" works as well)

8d) add "AllowUsers newusername" (its position in the file does not matter as long as it is not inside a Match block; I added it on a new line after the 8c change)

9) execute "restartssh"

Change 8b stops root from logging in over SSH after the restart, but your current root session is not kicked. If you later need root again, log in as "newusername" and "su" to root. To re-enable direct root logins, su to root the same way, change the "PermitRootLogin no" line in sshd_config back to "PermitRootLogin yes" and execute restartssh (the file is root-owned, so the unprivileged user cannot edit it without su).

After this change I went from 1,000 bytes per second outbound to 90,000 bytes per second outbound, a ninety-fold gain in throughput.
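As an added example (not from the original page), here is a small POSIX shell script that makes the sshd_config edits of steps 8a-8d repeatable and checkable instead of hand-editing with vi. The file path, port and user name are parameters; the functions assume only sh and awk, and the sample configuration rewritten in demo mode is constructed here. It also handles the case a manual edit easily misses: sshd honours the FIRST occurrence of a keyword, so appending "PermitRootLogin no" at the bottom while an earlier "PermitRootLogin yes" is still present leaves root login enabled. The script rewrites the first occurrence (commented-out defaults count) and removes any later duplicates.

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd_config changes of
# steps 8a-8d with a script so the result can be checked before "restartssh".
# Assumptions: POSIX sh and awk; the path to sshd_config is a parameter so the
# script can be tried on a copy first.

# set_sshd_option FILE KEY VALUE
# Replace the first line that sets KEY (a commented-out default such as
# "#Port 22" counts), drop any later duplicates, append if absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {    # sshd keywords are case-insensitive
                if (!done) { print key " " value; done = 1 }
                next                                # later occurrences are dropped
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Print the effective value: the first non-comment line that sets KEY.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# harden_sshd FILE PORT USER: the four changes from steps 8a-8d.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowTcpForwarding yes
    set_sshd_option "$1" AllowUsers "$3"
}

# Demo on a constructed copy; the real file is /etc/ssh/sshd_config.
demo() {
    f=$(mktemp) || exit 1
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'AllowTcpForwarding no' \
        'X11Forwarding yes' 'PermitRootLogin yes' > "$f"
    harden_sshd "$f" 2222 newusername
    cat "$f"
    rm -f "$f"
}

case "${1-}" in
--demo) demo ;;
esac
```

Run it with "--demo" to see the rewritten sample, then against a copy of /etc/ssh/sshd_config, and only then against the real file. Before "restartssh", check the syntax with "sshd -t -f /etc/ssh/sshd_config", and keep your existing root session open until you have confirmed that the new user can log in and su.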

*******************************************************************

IPCop L2TP/IPsec "RoadWarrior" for iPhone

09/07/2008

First and foremost, the drive to achieve this goes solely to DigitalDan. His free iPhone app drove me batty with determination when I stumbled upon it googling "hai open source". His project (http://digitaldan.com/projects/home) was a blessing for my needs, my geeky desires that is. I had a home built a few years ago and my father (self-employed 40-year master electrician) and I did the entire electrical infrastructure. Of course he wanted nothing to do with either the "computer wiring", as he calls it, or the audio, automation and security wiring. After nearly two weeks of work I had the core wiring done, not the setup mind you. Over the years I have slowly hooked everything up and now it is completely functional. I have the Omni Pro IIe with nearly all (for that time) the bells and whistles (audio, touch screens, therms, Dealer and Web-Link II software, etc.). Not incorporated into the automation are the PoE cameras located around the house. For these I use ZoneMinder (http://www.zoneminder.com), storing a rolling 250 days on mirrored RAID. If you're interested in the hardware setup, that's another IT Tidbit to come. My internal network as of this writing, for further understanding:

Oh, and I have to thank work for the iPhone too!

I used iPhone firmware 2.1.0 for the initial installation with IPCop 1.4.21. As of 09/14/2009 I am using the latest iPhone 3.1 firmware without issue, but note the firmware-specific changes called out in steps 13 and 18 below.

This took about 15 years of experience and a day of research, but the real fun started after the research was complete: a total of about 36 hours, with a 4-hour sleep break, to get it working, and about five days to find time for the documentation. Never give up.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It is important to understand why one should NEVER open and forward ports on home systems to software and/or hardware that was NOT intended to be exposed to the Internet. When using a device or computer, security should be the top priority, and no other goal should ever be ordered ahead of it. A compromised identity is one thing; a compromised home is a whole different game, one you may not even know you are playing. See "Security is a State of Mind", Dr. Dobb's, October 2008, p. 20, with Bruce Schneier.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

This setup really only suits a single user: there is one pre-shared key and one CHAP account for everyone who connects, and you can always trust yourself.

Here are the steps:

0) Backup your existing Ipcop configuration

1) Install IPCop using the previous backup (be aware that the steps from "IPCop non-root SSH tunnel login" above are not needed if you restore from backup)

2) Upgrade IPCop if needed (v1.4.20 to 1.4.21)

3) Download and install the IPCop addon server (addons-2.3-CLI-b2.tar.gz) from http://sourceforge.net/projects/firewalladdons/

3a) Execute "cd /tmp"

3b) Execute "tar vxzf addons-2.3-CLI-b2.tar.gz"

3c) Execute "cd addons"

3d) Execute "./addoncfg -i"

4) Download and install l2tpd-1.0-b1.tar.gz from http://www.elminster.com/downloads

4a) Do not run the "setup" script. I chose to do the installation manually since the script has some errors and I wanted to control everything that happened. I left out its changes to "status.cgi" and the empty "l2tpd.cgi" it installs: there was no IPCop web interface for configuring l2tpd, and I did not feel like coding one.

4b) Execute "tar vxzf l2tpd-1.0-b1.tar.gz"

4c) Execute "tar -zxf patch.tar.gz -C /" (list it first with "tar -tzf patch.tar.gz": this unpacks a third-party tarball straight over / as root, so know which files it overwrites)

5) iPhone 2.0.2 does not support certificates, so I removed the unneeded items (the RADIUS pppd plugins go too; the options file in step 10 keeps "plugin radius.so" commented out accordingly).

5a) Execute "rm /usr/local/l2tpvpn/create_roadwarrior_cert.sh"

5b) Execute "rmdir /usr/local/l2tpvpn"

5c) Execute "rm /usr/lib/pppd/radattr.so"

5d) Execute "rm /usr/lib/pppd/radius.so"

5e) Execute "rm /usr/lib/pppd/radrealms.so"

6) Next, create the pseudo-terminal devices pppd needs

6a) Execute "cd /dev"

6b) Execute "vi /dev/make_devices"

6c) Uncomment the first ptyp0 line

6d) Uncomment the first ttyp0 line

6e) Save and exit vi

6f) Execute "./make_devices"

7) Set up the firewall rules needed

7a) Execute "vi /etc/rc.d/rc.firewall.local"

----------------------------------------------------------------------------
#!/bin/sh
# Used for private firewall rules; IPCop calls this with start/stop/reload.
#
# The DNAT rule only matches UDP 1701 arriving on ipsec0, i.e. L2TP that has
# already been decrypted by IPsec, and hands it to l2tpd on the GREEN address.
# Plain L2TP from RED is never accepted.
#
# The ppp+ rules trust every PPP interface. That is fine here because RED is
# an Ethernet link; if RED were PPPoE or dial-up, ppp0 would be the Internet
# and these two rules would accept any new connection coming from it.
# ("-p ! icmp" is the pre-1.4 iptables spelling of "! -p icmp".)

case "$1" in
start)
    ## add your 'start' rules here
    /sbin/iptables -t nat --append CUSTOMPREROUTING -i ipsec0 -p udp --dport 1701 -j DNAT --to-destination 10.11.12.1
    /sbin/iptables -A CUSTOMINPUT -i ppp+ -m state --state NEW -j ACCEPT -p ! icmp
    /sbin/iptables -A CUSTOMFORWARD -i ppp+ -m state --state NEW -j ACCEPT
    ;;
stop)
    ## add your 'stop' rules here
    /sbin/iptables -t nat --delete CUSTOMPREROUTING -i ipsec0 -p udp --dport 1701 -j DNAT --to-destination 10.11.12.1
    /sbin/iptables -D CUSTOMINPUT -i ppp+ -m state --state NEW -j ACCEPT -p ! icmp
    /sbin/iptables -D CUSTOMFORWARD -i ppp+ -m state --state NEW -j ACCEPT
    ;;
reload)
    $0 stop
    $0 start
    ## add your 'reload' rules here
    ;;
*)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac
----------------------------------------------------------------------------

8) Setup the Layer 2 Tunnel Protocol daemon configuration requirements

8a) Execute "vi /etc/l2tpd/l2tpd.conf"

----------------------------------------------------------------------------
; l2tpd configuration for L2TP over IPsec (adapted from the sample shipped
; with l2tpd). The protected network here is 10.11.12.0/24 and 10.11.12.1 is
; IPCop's GREEN address, which is where the firewall rule above DNATs the
; decrypted L2TP traffic, so that is the address l2tpd listens on.
;
; "ip range" is the pool handed out to remote clients and "local ip" is
; l2tpd's own address on the pppX interfaces. Both must be unused on the LAN
; (keep the pool out of the DHCP scope), since proxyarp in the pppd options
; makes them answer on GREEN.

[global]
listen-addr = 10.11.12.1

[lns default]
ip range = 10.11.12.100-10.11.12.105
local ip = 10.11.12.2
require chap = yes
refuse pap = yes
require authentication = yes
name = GiganetVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
----------------------------------------------------------------------------

9) Setup the Layer 2 Tunnel Protocol start/stop script

9a) Execute "vi /etc/rc.d/rc.l2tpd"

----------------------------------------------------------------------------
#!/bin/sh
# Bo Kohut 09-08-2008 - Created for IPCop 1.4.21

case "$1" in
start)
    [ -x /usr/sbin/l2tpd ] && /usr/sbin/l2tpd >/dev/null && echo -n 'l2tpd start'
    ;;
stop)
    # kill(1) takes PIDs, not names ("kill l2tpd" fails), so look the PID up
    # first; pidof comes with sysvinit
    pid=$(pidof l2tpd) && /bin/kill $pid && echo "l2tpd stopped"
    ;;
status)
    # exit 0 only while l2tpd is running, so cron can use this as a watchdog
    if pidof l2tpd >/dev/null; then
        echo "l2tpd running"
    else
        echo "l2tpd not running" >&2
        exit 1
    fi
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "Usage: `basename $0` {start|stop|status|restart}" >&2
    ;;
esac
exit 0
----------------------------------------------------------------------------

10) Setup the Layer 2 Tunnel Protocol options file

10a) Execute "vi /etc/ppp/options.l2tpd"

----------------------------------------------------------------------------
ipcp-accept-local
ipcp-accept-remote
# DNS and WINS handed to the phone: IPCop's GREEN address
ms-dns 10.11.12.1
ms-wins 10.11.12.1
# no compression negotiation; IPsec already protects the link
noccp
# the peer must authenticate (CHAP, as required in l2tpd.conf)
auth
crtscts
# drop a session idle for 30 minutes
idle 1800
# leave room for the L2TP/UDP/IPsec overhead
mtu 1410
mru 1410
nodefaultroute
debug
lock
# answer ARP on GREEN for the 10.11.12.100-105 pool
proxyarp
connect-delay 5000
# radius.so was removed in step 5, so keep this disabled
#plugin radius.so
----------------------------------------------------------------------------

11) Keep IPCop's PPP hook scripts from running on every L2TP session. /etc/ppp/ip-up and ip-down are written for the RED dial-up/PPPoE link and cause unneeded network trouble when pppd runs them for a VPN client; moving them aside is only appropriate here because RED is not a PPP link.

11a) Execute "mv /etc/ppp/ip-up /etc/ppp/ip-up.orig"

11b) Execute "mv /etc/ppp/ip-down /etc/ppp/ip-down.orig"

12) Add Layer 2 Tunnel Protocol start/stop script to local start script

12a) Execute "vi /etc/rc.d/rc.local"

----------------------------------------------------------------------------
#!/bin/sh
/etc/rc.d/rc.l2tpd start
----------------------------------------------------------------------------

13) Enter the username and password the iPhone will use for CHAP authentication. The format matters here: note the quotation marks and the single leading space. I found that the iPhone 2.x firmware sends an extra byte (0x20, a space) in front of the username it was given, so the stored name must carry that space for CHAP to match. I spent hours on this, so appreciate it :). iPhone 3.0 firmware corrected this in an undisclosed bug fix, so the leading space is only needed for 2.x clients.

13a) Execute "vi /var/ipcop/ppp/secrets"

----------------------------------------------------------------------------
# Secret for authentication using CHAP
# client        server          secret          IP address
# the space inside the quotes is the extra 0x20 byte the 2.x firmware sends
" username"     *               "password"      *
*               " username"     "password"      *
----------------------------------------------------------------------------

14) Enter the IPsec tunnel information. If you know what you are doing you could use the web GUI for this part, but since you are already in the command line... The PSK ("secretphrase") is stored in clear text here and must be the same one you put in ipsec.secrets in step 16.

14a) Execute "vi /var/ipcop/vpn/config"

----------------------------------------------------------------------------
1,on,iphonetunnel,,host,psk,secretphrase,off,,10.11.12.0/255.255.255.0,,,,off,off,on,off,1,8,3des,sha,1536|1024,aes128,sha1,,on,iphone tunnel,RED,clear,off
----------------------------------------------------------------------------

15) Edit the IPsec configuration file. I changed the domain; set "left=" to either your public IP address or a public DNS name that resolves to your external IP. My internal segment is 10.11.12.x, so take note of the bang (!) in front of it in "virtual_private": it excludes my own LAN from the address ranges a NATed road warrior is allowed to claim, which stops a remote client from presenting a source address inside my network. The bang at the END of the "ike=" and "esp=" lines means something else: it is Openswan's strict flag, so only the listed proposals are accepted and anything else a client offers is logged as "refused due to strict flag". Parameters inside a section must be indented; a line starting in column 0 is read as a new section.

15a) Execute "vi /var/ipcop/vpn/ipsec.conf"

----------------------------------------------------------------------------
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    forwardcontrol=yes
    # RFC 1918 ranges a NATed road warrior may sit behind, MINUS our own LAN
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.11.12.0/255.255.255.0

conn %default
    keyingtries=3
    disablearrivalcheck=no

conn iphonetunnel #RED
    left=put_your_publically_resolvable.domain_name_here.com
    leftprotoport=17/1701
    leftnexthop=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    rekey=no
    # trailing "!" = strict: only these proposals are accepted
    ike=3des-sha-modp1536,3des-sha-modp1024!
    esp=aes128-sha1!
    ikelifetime=1h
    keylife=8h
    dpdtimeout=60
    dpdaction=clear
    pfs=no
    authby=secret
    auto=start
----------------------------------------------------------------------------
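The algorithm fields of the /var/ipcop/vpn/config line (step 14) and the "ike="/"esp=" lines of ipsec.conf (step 15) have to describe the same proposals, and the later notes on this page (02/15/2010 and 10/23/2012) show how easy it is to change one and forget the other. As an added example, not part of the original page or of IPCop, the following POSIX shell script derives the ipsec.conf proposal lines from a config line and checks an ipsec.conf against it. The field positions it uses (20 to 24: IKE cipher, IKE hash, IKE DH groups separated by "|", ESP cipher, ESP hash) are inferred from the example lines on this page, not taken from IPCop documentation, and it assumes no field contains a comma; the ipsec.conf fragment it checks in demo mode is constructed here.

```shell
#!/bin/sh
# Added example, not from the original page: keep /var/ipcop/vpn/config and
# ipsec.conf in agreement on the IKE/ESP proposals. Field positions 20-24 are
# INFERRED from the example lines on this page (not IPCop documentation) and
# the config line is assumed to contain no commas inside fields.

# ike_from_config CONFIGLINE -> e.g. ike=3des-sha-modp1536,3des-sha-modp1024!
# One proposal per DH group, with the strict "!" this page uses.
ike_from_config() {
    printf '%s\n' "$1" | awk -F, '{
        n = split($22, grp, /\|/)
        out = ""
        for (i = 1; i <= n; i++)
            out = out (i > 1 ? "," : "") $20 "-" $21 "-modp" grp[i]
        print "ike=" out "!"
    }'
}

# esp_from_config CONFIGLINE -> e.g. esp=aes128-sha1!
esp_from_config() {
    printf '%s\n' "$1" | awk -F, '{ print "esp=" $23 "-" $24 "!" }'
}

# conf_value FILE KEY -> value of "KEY=..." in an ipsec.conf, with whitespace
# and "#" comments stripped. First occurrence wins, which is enough for a
# single-conn file like the one on this page.
conf_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# check_consistency CONFIGLINE IPSEC_CONF -> prints "ok" or what differs;
# returns 0 only when both ike= and esp= match the config line.
check_consistency() {
    want_ike=$(ike_from_config "$1"); have_ike="ike=$(conf_value "$2" ike)"
    want_esp=$(esp_from_config "$1"); have_esp="esp=$(conf_value "$2" esp)"
    rc=0
    [ "$want_ike" = "$have_ike" ] || { echo "ike mismatch: config says $want_ike, ipsec.conf has $have_ike"; rc=1; }
    [ "$want_esp" = "$have_esp" ] || { echo "esp mismatch: config says $want_esp, ipsec.conf has $have_esp"; rc=1; }
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# Demo: check the config line given as $2 against a constructed ipsec.conf
# fragment that carries the values from step 15.
case "${1-}" in
--demo)
    f=$(mktemp) || exit 1
    printf '%s\n' 'conn iphonetunnel #RED' '    ike=3des-sha-modp1536,3des-sha-modp1024!' \
        '    esp=aes128-sha1!' '    ikelifetime=1h' > "$f"
    check_consistency "$2" "$f"
    rm -f "$f"
    ;;
esac
```

Against the real files: check_consistency "$(grep '^1,' /var/ipcop/vpn/config)" /var/ipcop/vpn/ipsec.conf, where "1," selects the tunnel with key 1. Run it after every edit and before restarting ipsec; a mismatch is exactly what the "refused due to strict flag" log lines further down look like from the client's side.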

16) Enter the IPsec secrets information.

16a) Execute "vi /var/ipcop/vpn/ipsec.secrets"

----------------------------------------------------------------------------
put_your_publically_resolvable.domain_name_here.com %any : PSK 'secretphrase'
----------------------------------------------------------------------------

17) Now test it all.

17a) Execute "/etc/rc.d/rc.firewall.local reload" (the script in step 7 has start/stop/reload actions, no "restart")

17b) Execute "/etc/rc.d/rc.l2tpd start". This prints a "*binary* *kernel L2TPD" message; ignore it.

17c) Execute "/etc/rc.d/ipsec restart"

18) Configure an IPCop firewall rule to allow inbound UDP port 500 (IKE) from anywhere. For some reason the older 2.x firmware did not require this step, but I'm stumped how it ever worked in the first place. If a client behind NAT still cannot connect, allow UDP 4500 as well: with nat_traversal=yes, IKE and ESP move to UDP 4500 (NAT-T, RFC 3947) once NAT is detected, which is the case in the log excerpt further down ("peer is NATed").

19) Set up your iPhone

19a) "Settings" > "General" > "Network" > "VPN" > "Add VPN Configuration..."

19b) Select "L2TP"

19c) Populate "Description"

19d) Populate "Server" with your public DNS name or IP address

19e) Populate "Account" with the chosen "username"

19f) Populate "Password" with the chosen "password"

19g) Populate "Secret" with the chosen "secretphrase"

19h) Disable "Send All Traffic"

20) It is important NOT to edit your VPN tunnels with the web GUI in any way after this. I did not test how far the damage goes, but the GUI regenerates files such as ipsec.conf on save, which would overwrite the hand edits above.

*) If you get a 'bad interpreter' error when executing the scripts, the files have DOS line endings; strip the carriage returns with "perl -i -pe's/\r$//;' <file name here>"

**) I have only been running this for about a week now and have found l2tpd dying for reasons unknown at this point. A cron job will fix that...

***) Thanks to:

-http://www.natecarlson.com/linux/ipsec-l2tp.php

-Various other linux posting to help me figure it out

****) If this helps you drop me a 'thank you' email.

IPCop L2TP/IPsec "RoadWarrior" for iPhone Followup

03/11/2009

I experienced my first IP address change over the weekend while I was away from home. To my disappointment IPCop required a reboot, not just a restart of the VPN services (which I tried too), before I could reconnect with the iPhone. The IP address auto-updated, but something must have been cached and a reboot cleared it.

06/17/2009

iPhone 3.0 firmware update and required changes.

09/14/2009

iPhone 3.1 firmware update.

01/28/2010

Moved to the Android.

12/2018

Still pinging along, although the setup has changed a lot. ;)

*******************************************************************

IPCop L2TP/IPsec "RoadWarrior" for Android

02/15/2010

Firmware: 2.0.1

I was forced to move off the iPhone (iFlop) as the actual phone service was HORRIBLE (I dropped at least every third call!!!). I chose the Android and have visions of the Nexus One when it comes to Verizon. I had to give up the DigitalDan app, which hurt, but the Android browser is great, so the home web over VPN is fine for now. Anyway, the setup is the same as above with two gotchas on the server side. The pre-shared key MUST BE less than 10 characters long; this must be a coding snafu, as I had it 15 long on the iPhone. Also the ESP in the VPN setup must be 3des and not aes128 (needs changing in TWO PLACES!). If you have questions, email me.

03/31/2010

Android 2.1 firmware update and all is well with VPN still.

08/16/2010

Android 2.2 Build FRG01B firmware update and all is well with the VPN still. I must note, however, that my secure storage ended up being deleted, by some action I took I assume, so I had to re-enter my pre-shared key.

08/31/2010

Android 2.2 Build FRG22D firmware manually updated and all is well with VPN.

10/23/2012

Some time ago, about six months, my wife moved to the fruit phone and I received a hand-me-down upgrade to the Droid Bionic. Being on the older firmware, the VPN worked great until today, when I got my much-anticipated ICS 4.0.4 upgrade. I did my normal quick "what changed?" review, as most geeks do, and found that my VPN connection had been deleted - oh no! I had to go back and get the info to recreate it, and then - bam, no connection. Crap, I said. So back to the grindstone, and my hopes faded as I found several links, one on Google as well, with people barking to 'fix the issue'. Knowing a little about VPNs, I realized right off the bat that my issue might be different: I noticed "no acceptable Proposal in IPsec SA" and not the error the boards were barking about. I took to the logs to figure out what the Android was looking for (IPCop VPN log snippet, newest line first):

...
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #2: no acceptable Proposal in IPsec SA
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #2: IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #1: received and ignored informational message
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #1: sent MR3, ISAKMP SA established
| NAT-T: new mapping nnn.nnn.nnn.nnn:7663/7665)
"tunnel"[2] nnn.nnn.nnn.nnn:7663 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"tunnel"[2] nnn.nnn.nnn.nnn:7663 #1: deleting connection "tunnel" instance with peer nnn.nnn.nnn.nnn
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Main mode peer ID is ID_IPV4_ADDR: 'nnn.nnn.nnn.yyy'
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: transition from state (null) to state STATE_MAIN_R1
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: responding to Main Mode from unknown peer nnn.nnn.nnn.nnn:7663
...

Seeing which transforms it wanted from the above, I logged in to the firewall and dug into the IPsec configs to see what I had them set to. After running "ipsec auto --status" I worked out what I could set them to versus what it wanted, and restarted the tunnel. Voilà. I ended up setting in /var/ipcop/vpn/ipsec.conf the values "ike=aes-sha-modp1024!" and "esp=aes-sha1!", and changed /var/ipcop/vpn/config to match: "...,aes,sha,1024,aes,sha1,..."

Don't forget to restart l2tpd and ipsec after these changes. Happy Remoting.
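The log reading done above can be scripted. As an added example, not from the original page, this POSIX shell script pulls the transforms out of the "refused due to strict flag" lines pluto writes and prints them in ipsec.conf notation, so the "ike="/"esp=" choice is read off the log rather than guessed. The sample lines it runs on are copied from the excerpt above (addresses masked there already). The name mapping it applies (OAKLEY_AES_CBC (128) to aes128, OAKLEY_SHA to sha, OAKLEY_MD5 to md5, OAKLEY_GROUP_MODP1024 to modp1024, ESP_AES (256) to aes256, AUTH_ALGORITHM_HMAC_SHA1 to sha1) is the standard pluto/Openswan vocabulary; any other token is simply lower-cased, which is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: turn pluto's "refused due to
# strict flag" lines into the ike=/esp= proposals the client actually offered.
# Assumes POSIX sh and awk. The sample below is copied from the log excerpt
# on this page; addresses were masked as nnn.nnn.nnn.nnn there already.

# Constructed sample: the relevant lines of the excerpt above.
sample_log() {
    cat <<'EOF'
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #2: no acceptable Proposal in IPsec SA
"tunnel"[2] nnn.nnn.nnn.nnn:7665 #2: IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
"tunnel"[1] nnn.nnn.nnn.nnn:7663 #1: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
EOF
}

# offered_transforms FILE KIND   (KIND is "ike" or "esp")
# Print each refused transform once, in ipsec.conf notation, e.g.
#   Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] -> aes128-sha-modp1024
#   IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1]                  -> aes256-sha1
offered_transforms() {
    awk -v kind="$2" '
        # one pluto algorithm token -> the ipsec.conf keyword
        function alg(tok,    keylen) {
            keylen = ""
            if (match(tok, /\([0-9]+\)/))
                keylen = substr(tok, RSTART + 1, RLENGTH - 2)    # "(128)" -> "128"
            sub(/ *\(.*\)/, "", tok)
            if (tok ~ /AES/)  return "aes" keylen
            if (tok ~ /3DES/) return "3des"
            if (tok ~ /MD5/)  return "md5"
            if (tok ~ /SHA1/) return (kind == "ike") ? "sha" : "sha1"  # ike= spells it "sha"
            if (tok ~ /SHA$/) return "sha"
            if (tok ~ /MODP/) { sub(/.*MODP/, "modp", tok); return tok }
            return tolower(tok)                                   # assumption for anything else
        }
        (kind == "ike" && /Oakley Transform \[/) || (kind == "esp" && /IPsec Transform \[/) {
            s = $0
            sub(/.*\[/, "", s)      # greedy, so the leading "[1]" instance number goes too
            sub(/\].*/, "", s)
            n = split(s, part, /, */)
            out = alg(part[1])
            for (i = 2; i <= n; i++) out = out "-" alg(part[i])
            if (!seen[out]++) print out
        }
    ' "$1"
}

# proposal_line FILE KIND -> "ike=a,b,c!" or "esp=x!" listing everything the
# peer offered, with the strict flag this page uses.
proposal_line() {
    list=$(offered_transforms "$1" "$2" | awk 'NR > 1 { printf "," } { printf "%s", $0 }')
    [ -n "$list" ] && printf '%s=%s!\n' "$2" "$list"
}

case "${1-}" in
--demo)
    f=$(mktemp) || exit 1
    sample_log > "$f"
    proposal_line "$f" ike
    proposal_line "$f" esp
    rm -f "$f"
    ;;
esac
```

Run with "--demo" on the sample, or point offered_transforms at the IPCop VPN log (the file under /var/log/ that the web GUI displays). On the excerpt it yields ike=aes128-md5-modp1024,aes128-sha-modp1024,aes256-md5-modp1024,aes256-sha-modp1024! and esp=aes256-sha1!. Treat that as the menu the phone offered, not as the line to paste: drop the md5 entries and keep the strongest proposal you are willing to accept, then make the same change in /var/ipcop/vpn/config as described above.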

***********************************************************

07/2015

So after over a decade of using IPCop I was graciously given an NGFW device and moved my home network over. Yes, the VPN from the Nexus 6P still just works.

***********************************************************

If you have interest in my work contact me off my resume.