Setting up a VPN server (libreswan + xl2tpd) on OpenWrt 22.03 behind a dynamic-IP PPPoE connection

2022-10-30 17:44:52


When you try to connect to a VPN with the iPhone's built-in client, is L2TP really the only option?

libreswan can take a device name as its listening (left) address, and xl2tpd turned out to establish sessions fine on a port-forwarded local address, so a VPN works even with a dynamic IP address.

This write-up uses the pre-shared key method, with no certificates.

Preparation

1. Install the packages

  • libreswan
  • xl2tpd

2. Configure routing

Creating the VPN segment

1. Add to /etc/config/network

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'ppp0'

config interface 'vpn1'
	option proto 'none'
	option auto '1'
	option device 'ppp1'

config interface 'vpn2'
	option proto 'none'
	option auto '1'
	option device 'ppp2'

config interface 'vpn3'
	option proto 'none'
	option auto '1'
	option device 'ppp3'

2. Add to /etc/config/firewall

config zone
	option name 'vpn'
	option conntrack '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn0'
	list network 'vpn1'
	list network 'vpn2'
	list network 'vpn3'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

Traffic Rules

  1. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Allow-IPSec-ESP
    • General Settings - Protocol: IPSEC-ESP
    • General Settings - Source zone: wan
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: Device (input)
    • General Settings - Action: accept
  2. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Allow-IKE(NAT-T)
    • General Settings - Protocol: UDP
    • General Settings - Source zone: wan
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: Device (input)
    • General Settings - Destination port: 4500
    • General Settings - Action: accept
  3. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Allow-IKE
    • General Settings - Protocol: UDP
    • General Settings - Source zone: wan
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: Device (input)
    • General Settings - Destination port: 500
    • General Settings - Action: accept
  4. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Allow-AH
    • General Settings - Protocol: IPSEC-AH
    • General Settings - Source zone: wan
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: Device (input)
    • General Settings - Action: accept
  5. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: L2TP
    • General Settings - Protocol: UDP
    • General Settings - Source zone: wan
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: Device (input)
    • General Settings - Destination port: 1701
    • General Settings - Action: accept
  6. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Policy-sv4-gw
    • General Settings - Protocol: Any
    • General Settings - Source zone: Device (output)
    • General Settings - Source address: (blank)
    • General Settings - Output zone: Any zone
    • General Settings - Destination address: !192.168.0.0/24
    • General Settings - Action: apply firewall mark
    • General Settings - Set mark: 0x20
  7. Network - Firewall - Traffic Rules - Add button
    • General Settings - Name: Policy-vpn
    • General Settings - Protocol: Any
    • General Settings - Source zone: vpn
    • General Settings - Source address: (blank)
    • General Settings - Destination zone: wan
    • General Settings - Destination address: (blank)
    • General Settings - Action: apply firewall mark
    • General Settings - Set mark: 0x20

Port Forwarding

  1. Network - Firewall - Port Forwards - Add button
    • General Settings - Name: L2TP
    • General Settings - Protocol: UDP
    • General Settings - Source zone: wan
    • General Settings - External port: 1701
    • General Settings - Destination zone: lan
    • General Settings - Internal IP address: 192.168.0.254
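The same traffic rules and port forward written directly as UCI stanzas for /etc/config/firewall, added here as an example (this fragment is not from the original post). It assumes the fw4 protocol names esp and ah; the two IKE ports are combined into one rule, as are ESP and AH, and a rule with no src and dest '*' is an output-chain rule, which is what the LuCI "Device (output)" source zone produces.

```uci
# Allow the IPsec data-plane protocols in from wan (ESP and AH in one rule).
config rule
	option name 'Allow-IPSec-ESP-AH'
	option src 'wan'
	list proto 'esp'
	list proto 'ah'
	option target 'ACCEPT'

# IKE (UDP 500) and IKE NAT-T (UDP 4500), the two LuCI rules merged.
config rule
	option name 'Allow-IKE'
	option src 'wan'
	option proto 'udp'
	list dest_port '500'
	list dest_port '4500'
	option target 'ACCEPT'

# L2TP control/data channel on the router itself.
config rule
	option name 'L2TP'
	option src 'wan'
	option proto 'udp'
	option dest_port '1701'
	option target 'ACCEPT'

# Mark the router's own traffic that is not destined for the LAN (output chain).
config rule
	option name 'Policy-sv4-gw'
	option dest '*'
	option proto 'all'
	option dest_ip '!192.168.0.0/24'
	option target 'MARK'
	option set_mark '0x20'

# Mark VPN client traffic that is forwarded out to wan.
config rule
	option name 'Policy-vpn'
	option src 'vpn'
	option dest 'wan'
	option proto 'all'
	option target 'MARK'
	option set_mark '0x20'

# DNAT UDP 1701 from wan to the LAN address xl2tpd listens on.
config redirect
	option name 'L2TP'
	option src 'wan'
	option proto 'udp'
	option src_dport '1701'
	option dest 'lan'
	option dest_ip '192.168.0.254'
	option target 'DNAT'
```

After appending the fragment, run `uci commit firewall && /etc/init.d/firewall restart` and compare the result with `nft list ruleset` to confirm the accept, mark and dnat entries appear in the inet fw4 table.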

libreswan

1. /etc/ipsec.conf: define ikev1-internet for VPN connections coming in from the Internet and ikev1-nat for VPN connections from the LAN. The important part is that ikev1-internet selects the interface with left=%pppoe-wansv4 instead of a fixed address.

config setup
	# needed when using PSK only. Not needed for X.509 based servers
	uniqueids=no
	virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

conn ikev1
	authby=secret
	pfs=no
	auto=add
	rekey=no
	right=%any
	ikev2=never
	type=transport
	leftprotoport=17/1701
	rightprotoport=17/%any
	dpddelay=15
	dpdtimeout=30
	dpdaction=clear

conn ikev1-internet
	also=ikev1
	left=%pppoe-wansv4
	rightsubnet=vhost:%priv

conn ikev1-nat
	also=ikev1
	left=192.168.0.254
	rightsubnet=vhost:%priv

include /etc/ipsec.d/*.conf

2. /etc/ipsec.secrets: this is the value that goes in the Secret field of the iPhone's L2TP settings.

# Unlike older openswan, this file does NOT contain any X.509 related
# information such as private key :RSA statements as these now reside
# in the NSS database. See:
#
# https://libreswan.org/wiki/Using_NSS_with_libreswan
# https://libreswan.org/wiki/Migrating_from_Openswan

# A.B.C.D %any : PSK "SsEeCcRrEeTt"
: PSK "(パスワード)"

# include /etc/ipsec.d/*.secrets

xl2tpd

1. /etc/xl2tpd/xl2tpd.conf: make it listen on 192.168.0.254 on the LAN side and port-forward to that address. If listen-addr is left unset and it listens on all interfaces, for some reason it detects multiple connections and fails with an error.

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
ipsec saref = no
force userspace = no
listen-addr = 192.168.0.254

[lns default]                           ; Our fallthrough LNS definition
ip range = 192.168.0.81-192.168.0.89    ; * Allocate from this IP range
local ip = 192.168.0.80                 ; * Our local IP to use
require chap = yes                      ; * Require CHAP authentication
refuse pap = yes                        ; * Refuse PAP authentication
require authentication = yes            ; * Require peer to authenticate
name = l2tp                             ; * Report this as our hostname
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes                        ; * Use length bit in payload?

2. /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
# use an internal server for DNS if you need to reach local-only zones or if
# you want DNS to be encrypted through the tunnel.
ms-dns  192.168.0.254
noccp
auth
idle 1800
# when having MTU issues, can be decreased to about 1200
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000

3. /etc/ppp/chap-secrets: these are the values that go in the Account and Password fields of the iPhone's L2TP settings.

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
(ユーザー名)	*	(パスワード)	*

Other notes

libreswan keeps emitting large numbers of log lines like the following; why?

Sun Oct 30 14:17:19 2022 authpriv.warn pluto[11377]: netlink_expire got XFRM_MSG_EXPIRE message with length 116 < 232 bytes; ignore message

References