It’s now easy to set up your own cheap VPN virtual private server that can be used with your mobile devices. Great for accessing resources on private networks, browsing securely, or accessing blocked sites.
This is now much easier than it used to be. Last time I tried to set up a VPN on an Ubuntu server, I had trouble with reconnections and had to manually compile OpenSwan. These all seem to be fixed.
Instructions are already all over the internet, but there are a few extra steps for a default Ubuntu linode in order to get routing to work.
These instructions are tested with Ubuntu 11.04 (Natty), but should also work on 11.10. We will set up an OpenSwan IPsec server, with the L2TP tunnel provided by xl2tpd.
- Install everything:
sudo apt-get install openswan ppp xl2tpd
- When OpenSwan installs, answer “No” to the question about certificates… on mobile devices you will use a shared secret rather than a certificate.
- Follow the rest of the directions in this post to set up the configuration files, up until it asks you to restart the three servers. Be sure to substitute the Ubuntu Server IP Address and your Gateway Internal IP with the Public IP and Default Gateway provided by Linode. These can be found in your Linode Manager under the “Remote Access” tab.
When editing the /etc/xl2tpd/xl2tpd.conf file, you can choose any private subnet for “IP Range” and “local IP”. The “Local IP” will be assigned to the server, and clients will be assigned IPs from the “IP Range”. For example, I chose 192.168.0.2 – 192.168.0.20 for the range and 192.168.0.1 for the local IP.
In addition, in the /etc/ppp/options.xl2tpd file, change the ms-dns line to point to your DNS name servers. You will probably want to use those provided by Linode too — you can add multiple ms-dns lines, one for each resolver.
- Now edit your /etc/rc.local file and add the following before the “exit 0” line. Change the 192.168.0.0/24 range to match the IP range you chose above in the xl2tpd.conf file.
# Forward replies to established connections, and anything coming from the VPN subnet
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
# Reject every other forwarded packet
iptables -A FORWARD -j REJECT
# NAT the VPN clients out of the public interface
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# Enable IP forwarding and turn off ICMP redirects on every interface
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
- This sets up the kernel routing options and firewall rules needed for client traffic to be routed through to the Internet. The file is executed at each boot, but you can run it now without rebooting with
- Now restart all the servers:
sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart
- Check that everything is working… you should get “OK” for everything other than “Opportunistic encryption” and the RSA key:
sudo ipsec verify
- All done! You can follow the directions for iPhone setup at the bottom of the same post.
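One mistake that silently breaks this setup is choosing an xl2tpd IP range or local IP that is not inside the subnet used by the rc.local firewall rules: clients connect, get an address, and then hit the FORWARD -j REJECT rule. The following POSIX shell script, added here as an example and not part of the original post, checks the xl2tpd addresses against the CIDR and prints the FORWARD/MASQUERADE rules scoped to that subnet; the function names and the eth0 default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check that the addresses chosen in
# /etc/xl2tpd/xl2tpd.conf fall inside the subnet used by the rc.local iptables
# rules, and print FORWARD/MASQUERADE rules scoped to that subnet only.
# Assumed: subnet given as CIDR (e.g. 192.168.0.0/24); outbound interface eth0.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# Succeed if address $1 lies within CIDR $2.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    # 32-bit netmask built without hex literals (4294967295 = 0xFFFFFFFF)
    mask=$(( 4294967295 - (1 << (32 - bits)) + 1 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Check that every address given (xl2tpd "ip range" start/end and "local ip")
# sits in the CIDR that the iptables rules forward and NAT; anything outside it
# would be handed to a client and then dropped by the FORWARD -j REJECT rule.
check_ranges() {
    cidr=$1
    shift
    for addr in "$@"; do
        in_cidr "$addr" "$cidr" || return 1
    done
    return 0
}

# Print the firewall part of rc.local for the given subnet and interface, so only
# VPN client traffic (not arbitrary forwarded traffic) is accepted and masqueraded.
gen_rules() {
    cidr=$1; iface=${2:-eth0}
    printf 'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A FORWARD -s %s -j ACCEPT\n' "$cidr"
    printf 'iptables -A FORWARD -j REJECT\n'
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$cidr" "$iface"
}

# Run with the post's values: range 192.168.0.2-192.168.0.20, local IP 192.168.0.1.
if check_ranges 192.168.0.0/24 192.168.0.2 192.168.0.20 192.168.0.1; then
    gen_rules 192.168.0.0/24 eth0
else
    echo "xl2tpd addresses are outside the iptables subnet" >&2
fi
```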