Alright, so no network would be complete if someone didn't use pine or otherwise configure SSH in a way that did some type of port forwarding. As it turns out, I have been using SSH for quite some time for a number of reasons including website management, email, and system administration. Although it's a convenient way to do tasks remotely, it's certainly not intuitive, nor does it provide the level of simplicity and convenience I wanted. I literally wanted to point and click my way to having secure remote access to my home network from anywhere in the world. So sure, you can configure your SSH client to log into a remote server and forward ports to other systems like a mail server. That's how a number of my friends access their email on my network. From a command line, that looks something like...
ssh my.ip.address -l username -L 10025:my.email.server:25
ssh my.ip.address -l username -L 10993:my.email.server:993
Wait, you aren't done yet, because now you have to configure your email client to point to localhost on those local ports (10025 and 10993) instead of the real server. Yeah, it works, but it's way too clunky for me. C'mon man, I'm a Mac user, I want simplicity, not chaos. So there just has to be a better alternative out there.
Since Mac OS X Tiger and Windows XP (and Vista) all have built-in support for certain types of VPN connectivity, I decided to try and implement a VPN service that didn't require any third-party applications.
A while back, I heard about this project called Openswan. According to their website:
'Openswan is an implementation of IPsec for Linux. It supports kernels 2.0, 2.2, 2.4 and 2.6, and runs on many different platforms, including x86, x86_64, ia64, MIPS and ARM.'
So to get the party started, I ended up reading through a number of extremely helpful guides for setting up a Linux VPN server.
- Using a Linux L2TP/IPSec VPN Server – A phenomenal guide by Jacco de Leeuw. This is probably one of the more widely recognized guides on the net, at least that I could find. It has a wealth of useful and fairly up-to-date information on how to use Openswan and L2TP to set up a VPN server.
- Configuring an IPSec tunnel with Openswan and L2TPD – Another great step-by-step guide for implementing a VPN and providing remote access to users. This fine piece of reference material also includes directions for setting up your own certificate authority, useful if you want to do certificate-based authentication instead of pre-shared keys (PSK).
Using those resources as my guide, I kindly did an apt-get install openswan on my Ubuntu server. From the start, I ran into roadblocks about every three keystrokes. I found the Openswan documentation somewhat lacking for all the configuration parameters and some of the ones mentioned in the guides weren't even included on their website. No 'swan' for me.
To give you a basic idea of the network architecture I wanted to implement, here's a quick image.
Note: You may be asking yourself, does he really have 4 interfaces on that one computer? Yes, that's correct. Unlike typical NICs, I'm using one that contains 4 ports so I can have 4 different physical network interfaces (e.g., eth0, eth1, eth2, eth3).
Before you begin asking questions, let me clarify a few things:
- Yes, I really did set this up to support little ole me and maybe a friend or two.
- Correct, I realize that this network architecture is a little excessive.
- Of course, I know implementing a VPN service for a total of 2 users doesn't even make sense.
With that out of the way, let us begin. Here are the major configuration files you need to be aware of:
- ipsec.conf – This file is typically located in '/etc' and holds the configuration for setting up the IPSec tunnel itself.
- ipsec.secrets – This file is also located in '/etc' and contains the secrets for IKE/IPsec authentication.
- l2tpd.conf – On Ubuntu, this is found in '/etc/l2tpd' and contains all the configuration information for the L2TP daemon.
- chap.secrets – On Ubuntu, this is found in '/etc/ppp' and contains the secrets for CHAP authentication.
- options.l2tpd – I created this file myself; it is referenced in the l2tpd.conf file (via pppoptfile) and contains the options the L2TP daemon hands to pppd for each session.
Note: I will not be going into depth on how I managed to configure certificate-based authentication.
Alright, get to it already. Here's what my working configuration looked like using pre-shared keys (PSKs).
ipsec.conf
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:!192.168.100.0/24

conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-osx
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    pfs=no
    left=<your external ip address>
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
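All those roadwarrior-* sections only make sense once you see how Openswan stitches them together: a conn's own parameters win, whatever an also= line pulls in comes next, and conn %default fills in the rest. A typo in an also= target is the classic way to end up with a conn that silently never loads. Here is an added shell script (my own addition to this write-up, not code from the post above or from Openswan) that resolves a conn the same way and flags dangling also= references. The sample ipsec.conf it creates is constructed for the demo, with a documentation-range address in place of a real one and one deliberately broken conn.

```shell
#!/bin/sh
# Added example, not from the post or from Openswan: resolve the effective
# settings of one "conn" in an ipsec.conf the way Openswan composes them.
# Own parameters win; parameters pulled in via also= come next (nearest
# first); conn %default fills whatever is still unset. Parsing is minimal
# (key=value lines, no continuations), enough for files shaped like the one above.

# ipsec_conf_resolve FILE CONN -> prints key=value lines; exit 1 on a dangling also=
ipsec_conf_resolve() {
    awk -v want="$2" '
        function resolve(name,   i, k) {
            if (!(name in defined)) {
                printf "error: conn %s is referenced but never defined\n", name > "/dev/stderr"
                status = 1
                return
            }
            if (name in visited) return          # guard against also= loops
            visited[name] = 1
            for (i = 1; i <= nkeys[name]; i++) {
                k = keylist[name, i]
                if (!(k in out)) { out[k] = val[name, k]; outlist[++nout] = k }
            }
            for (i = 1; i <= nalso[name]; i++) resolve(also[name, i])
        }
        /^[ \t]*#/ || /^[ \t]*$/        { next }
        /^[ \t]*(version|include)[ \t]/ { next }
        /^[ \t]*config[ \t]+setup/      { cur = "config setup"; next }
        /^[ \t]*conn[ \t]+/             { cur = $2; defined[cur] = 1; next }
        cur != "" && index($0, "=") > 0 {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            eq = index(line, "="); key = substr(line, 1, eq - 1); value = substr(line, eq + 1)
            if (key == "also") { also[cur, ++nalso[cur]] = value; next }
            if (!((cur, key) in val)) keylist[cur, ++nkeys[cur]] = key
            val[cur, key] = value
            next
        }
        END {
            resolve(want)
            if ("%default" in defined) resolve("%default")
            for (i = 1; i <= nout; i++) print outlist[i] "=" out[outlist[i]]
            exit status
        }' "$1"
}

# ipsec_conf_check FILE -> 0 if every also= in every conn resolves, else 1
ipsec_conf_check() {
    rc=0
    for c in $(awk '/^[ \t]*conn[ \t]+/ { print $2 }' "$1"); do
        ipsec_conf_resolve "$1" "$c" >/dev/null || rc=1
    done
    return $rc
}

# Constructed sample, shaped like the post's file: a short %default, a
# documentation-range address, and a conn with a misspelled also= target.
SAMPLE=${TMPDIR:-/tmp}/ipsec-sample.$$.conf
cat > "$SAMPLE" <<'EOF'
version 2.0
config setup
    nat_traversal=yes
conn %default
    authby=secret
    pfs=yes
    type=tunnel
conn roadwarrior
    pfs=no
    left=203.0.113.10
    right=%any
    auto=add
conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior
conn broken
    also=roadwarrior-lt2p
EOF

echo "== effective settings for roadwarrior-net =="
ipsec_conf_resolve "$SAMPLE" roadwarrior-net
echo "== checking every conn =="
ipsec_conf_check "$SAMPLE" || echo "config has a dangling also= (fix it before loading the conn)"
```

Note how pfs=no from the roadwarrior section beats pfs=yes from %default for roadwarrior-net; that is exactly the precedence Openswan applies, and exactly why a forgotten parameter in a shared section can change every conn that includes it.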
ipsec.secrets
my.public.ip.address %any: PSK "my top secret password"
l2tpd.conf
[global]
port = 1701
listen-addr = my.public.ip.address
[lns default]
ip range = 192.168.100.100-192.168.100.110
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2
ms-wins 192.168.1.2
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
logfile /var/log/l2tpd.log
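The one thing that took me a while to internalize about the L2TP side is that the name = LinuxVPN line in l2tpd.conf is what pppd authenticates as, so it has to match the server column in the CHAP secrets file or nobody can log in, ever. Here is an added shell script (my own addition, not code from the post above or from the l2tpd project) that cross-checks the two files and also flags the weak settings (PAP not refused, CHAP not required). It takes the file paths as arguments; the post calls the file chap.secrets, while on Ubuntu the actual file is /etc/ppp/chap-secrets. The sample configs and the secrets line it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: cross-check l2tpd.conf against the CHAP
# secrets file. The "name" in [lns default] is the name pppd authenticates
# under, so the server column of chap-secrets must carry the same value.
# Also flags the weak settings: PAP not refused, CHAP not required.

# l2tpd_get FILE KEY -> value of "KEY = value" inside the [lns ...] section
l2tpd_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_lns = ($0 ~ /^[ \t]*\[lns /); next }
        in_lns && index($0, "=") > 0 {
            eq = index($0, "="); k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# l2tp_check L2TPD_CONF CHAP_SECRETS -> prints findings, returns 1 if any
l2tp_check() {
    conf="$1"; secrets="$2"; rc=0
    name=$(l2tpd_get "$conf" name)
    [ "$(l2tpd_get "$conf" "require chap")" = yes ] || { echo "WARN: 'require chap' is not yes"; rc=1; }
    [ "$(l2tpd_get "$conf" "refuse pap")" = yes ]   || { echo "WARN: 'refuse pap' is not yes (cleartext PAP would be accepted)"; rc=1; }
    if [ -z "$name" ]; then
        echo "WARN: no 'name =' in [lns default]"; rc=1
    # chap-secrets columns: client  server  secret  IP-addresses
    elif ! awk -v srv="$name" '!/^[ \t]*#/ && NF >= 3 && $2 == srv { found = 1 } END { exit !found }' "$secrets"; then
        echo "WARN: no chap-secrets entry uses server name \"$name\""; rc=1
    fi
    return $rc
}

# Constructed samples: a config like the post's, a weak one, and a secrets file.
TMP=${TMPDIR:-/tmp}/l2tp-check.$$
mkdir -p "$TMP"
cat > "$TMP/good.conf" <<'EOF'
[global]
port = 1701
[lns default]
ip range = 192.168.100.100-192.168.100.110
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.l2tpd
EOF
cat > "$TMP/weak.conf" <<'EOF'
[lns default]
require chap = yes
name = OtherName
EOF
cat > "$TMP/chap-secrets" <<'EOF'
# client    server    secret          IP addresses
alice       LinuxVPN  "correct horse" *
EOF

echo "== good.conf =="; l2tp_check "$TMP/good.conf" "$TMP/chap-secrets" && echo OK
echo "== weak.conf =="; l2tp_check "$TMP/weak.conf" "$TMP/chap-secrets" || echo "fix these before exposing l2tpd"
```

Run it against your own /etc/l2tpd/l2tpd.conf and /etc/ppp/chap-secrets; a mismatch on the name is far cheaper to catch here than by reading pppd's CHAP failure messages in /var/log/l2tpd.log.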
Some IPTables Rules You Might Need
# Allow VPN traffic.
#
$IPTABLES -A INPUT -i ppp0 -p tcp -m tcp --dport 4500 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW -j ACCEPT
Note: Replace ppp0 with your external interface.
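Two things the rules above don't cover that bit me during testing: ESP itself (IP protocol 50) has to be allowed for clients that are not behind NAT, since only NAT-T clients wrap ESP in UDP 4500, and L2TP on UDP 1701 should only ever be accepted once it has come out of the IPsec tunnel. Here is an added shell script (my own addition, not the post's firewall script) that prints the complete inbound rule set for a given external interface and audits an iptables-save dump for a UDP 1701 rule that lacks the IPsec policy match. It assumes your iptables has the policy match (xt_policy), which any reasonably current kernel does; the iptables-save excerpt it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's own firewall script: the inbound rules an
# L2TP/IPsec server needs, plus an audit of an existing ruleset.
# Assumes: external interface name in $1 (the post's is ppp0) and an
# iptables with the "policy" match, which can require that a packet
# arrived inside an IPsec SA.

# vpn_inbound_rules IFACE -> prints the iptables commands (dry run)
vpn_inbound_rules() {
    ext="$1"
    # IKE and NAT-T are both UDP; the protocol has no TCP 4500.
    echo "iptables -A INPUT -i $ext -p udp --dport 500  -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $ext -p udp --dport 4500 -m state --state NEW -j ACCEPT"
    # ESP (IP protocol 50) carries the tunnel when no NAT sits between
    # client and server; without it only NAT-T clients can connect.
    echo "iptables -A INPUT -i $ext -p esp -j ACCEPT"
    # L2TP (UDP 1701) only after IPsec has decrypted it; a plain UDP 1701
    # rule would make l2tpd reachable from the internet without IPsec.
    echo "iptables -A INPUT -i $ext -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
}

# vpn_apply_rules IFACE -> actually run the rules (needs root)
vpn_apply_rules() { vpn_inbound_rules "$1" | sh -e; }

# audit_l2tp_rules FILE -> read iptables-save output; print any INPUT rule
# that accepts UDP 1701 without the IPsec policy match; exit 1 if one exists
audit_l2tp_rules() {
    awk '
        /^-A INPUT / && /-p udp/ && /--dport 1701/ && /-j ACCEPT/ && !/-m policy --dir in --pol ipsec/ {
            print "EXPOSED: " $0; bad = 1
        }
        END { exit bad }' "$1"
}

# Constructed iptables-save excerpt: the correct rules plus one exposed rule.
RULES=${TMPDIR:-/tmp}/iptables-sample.$$
cat > "$RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i ppp0 -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -p esp -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 1701 -j ACCEPT
COMMIT
EOF

echo "== rules for ppp0 =="
vpn_inbound_rules ppp0
echo "== auditing sample ruleset =="
audit_l2tp_rules "$RULES" || echo "ruleset exposes l2tpd outside the tunnel"
```

To audit a live box, feed it the real dump: iptables-save > /tmp/rules.txt and then audit_l2tp_rules /tmp/rules.txt.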
So those are the configuration options I used to get everything up and running. I make it sound a lot easier than it actually was; truth be told, it took me about 25 hours of tinkering before I had everything up and running the way I wanted it. After the first 15 hours, I even gave an alternative VPN solution a try called OpenVPN.
OpenVPN is a full-featured SSL-based VPN that is fairly easy to configure and get working. It took me about 2 hours to get this one up and functional. The downside is, you need to install and configure a third-party application, something I didn't want to be bothered with. I'd certainly recommend it as a viable open-source alternative if Openswan is not in the picture for you.
Now back to the story at hand. Like I said, after about 25 hours I had everything working. Was it worth it? You betcha, I can log in to my VPN server from anywhere using certificate-based authentication and it's just like I was sitting in my apartment on my home network. My email, my file server, everything at the tips of my fingers.
One thing is for sure, it certainly beats pine and port forwarding!
Other useful resources include:
- Openswan mailing lists – Seems like pretty much any question I had was answered at some point in time on these mailing lists. This became an invaluable resource as I tried to get things working.
- Openswan IRC – Probably not as useful as the mailing lists, but more interactive, the IRC channel (#openswan) on FreeNode allowed me to get a few questions answered in real time by some folks that knew more about this than me.
Damon
As a matter of fact, I actually gave OpenVPN a run for its money. When things with Openswan weren't going so well for me, I resorted to OpenVPN. I had everything working with OpenVPN, but wasn't satisfied with the amount of client-side, server, and third-party application configuration I had to do. As a result, I went back to figuring out how to properly get Openswan and L2TP to play nice for me.
In general, I wanted built-in operating system support for my VPN connection (e.g., Mac OS X and Windows support) without the need for third-party applications and wanted to ensure certificate-based authentication (i.e., X.509). Now that everything is up and running, I'm quite pleased with Openswan and L2TP.
Getting back to your original question, if you are referring to setting up a Certificate Authority (CA) and issuing certificates to clients as a means to authenticate to your OpenVPN server, then that is probably a reasonable means to secure access to your VPN. That said, you might want to take a stab at Openswan and L2TP if you are feeling adventurous. Each has its own advantages and disadvantages.
lodogg
Hum, yes, but the problem is I like the fact that I can run Linux on a Linksys router so I don't have to worry about the administrative overhead of running an up-to-date version of Linux plus working with several network adapters. I have learned being simple is better ;) But the write-up is great and maybe one day when I get bored I will load up a server and play.
I did something similar:
http://www.lodogg.com/forum/forum_posts.asp?TID=1398&PID=3875#3875
I must say VPNing home is much easier than the good old port forwarding! My method is with a static encrypted key; how secure do you think this is?