Vpnsec Linux install
Latest revision as of 19:02, 5 February 2021
Installation with NetworkManager on Ubuntu 20.04.1 LTS
NetworkManager can now create a new VPN connection itself, without a hand-written configuration file. Start by installing the required packages:
$ sudo apt install strongswan-nm network-manager-strongswan libstrongswan-standard-plugins strongswan-libcharon \
    libcharon-extauth-plugins libstrongswan-extra-plugins strongswan-charon libcharon-extra-plugins
Reboot after the installation. Via Settings -> Network you can then add a VPN connection by clicking on the +. Choose a name for the connection profile and fill in vpnsec.science.ru.nl as Server address. Choose EAP (Username/Password) as Client Authentication and fill in your science account for Identity and Username. By clicking on the ? after Password you can select the storage policy for the password. Finally, in the Options, tick 'Request an inner IP address' and 'Enforce UDP encapsulation'.
Apply and then you can switch on the VPN through the NetworkManager applet in the toolbar.
Plasma (KDE)
Pretty much the same as the general instructions; "Server" may be called "Gateway", and you don't need to specify a key or certificate, I assume this is for key-based authentication.
To make an actual VPN connection, go to the system tray and select VPN from the network icon and click connect.
Installation with NetworkManager on Ubuntu 16.04.1 LTS
Ubuntu 16.04: there is a known bug that is being worked on, see https://bugs.launchpad.net/bugs/1570352 (msg4923789).
With Ubuntu 16.04.1 LTS it is now possible to use IPsec. However, some manual configuration has to be performed: editing the connection using the VPN applet is not possible.
- Install required software:
$ sudo apt install strongswan-nm network-manager-strongswan libstrongswan-standard-plugins strongswan-plugin-eap-mschapv2
- Copy the contents below to /etc/NetworkManager/system-connections/VPN-science:
[connection]
id=vpnsec.science.ru.nl
uuid=1e0ab541-e051-41c2-819f-a005b296c53b
type=vpn
autoconnect=false
permissions=
secondaries=
timestamp=1465384551

[vpn]
virtual=yes
encap=yes
address=vpnsec.science.ru.nl
user=USERNAME
method=eap
password-flags=0
ipcomp=no
service-type=org.freedesktop.NetworkManager.strongswan

[vpn-secrets]
password=

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
- Change USERNAME to your science login.
- Change the permissions to -rw------- (owner read/write, group and other no permissions):
chmod u=rw,go= /etc/NetworkManager/system-connections/VPN-science
ls -la /etc/NetworkManager/system-connections/
- Reboot the machine before trying to use the VPN connection.
Starting the connection is identical to Ubuntu 14.04. (When starting the VPN connection, your science password is requested)
NB: The password will be stored in plain text in the file mentioned above!
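As an added example (not from the wiki page), a POSIX shell script that checks the keyfile from the steps above for the pitfalls the instructions warn about: wrong permissions, the USERNAME placeholder still in place, and a password cached in plaintext. It assumes GNU stat and sed as on Ubuntu; the sample keyfile, the user name jdoe and the password hunter2 are constructed, and password-flags=1 (NetworkManager's agent-owned flag, so the secret is requested instead of written to the file) is an addition beyond the page's own config. The permission check applies equally to the ipsec.secrets file of the manual setup further down.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check the NetworkManager keyfile
# (and, via check_secret_file, the ipsec.secrets of the manual setup) before use.
# Assumes GNU coreutils/sed as on Ubuntu; the sample keyfile below is constructed.

# check_secret_file FILE: return 0 if FILE is mode 0600/0400 (NetworkManager ignores
# keyfiles that are group- or world-readable; ipsec.secrets holds the password).
check_secret_file() {
  mode=$(stat -c '%a' "$1") || return 2
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$1: mode $mode, expected 600 (chmod u=rw,go= $1)"; return 1 ;;
  esac
}

# check_nm_keyfile FILE: permissions plus the two keyfile-specific pitfalls from the
# instructions: the USERNAME placeholder left in place, and a password stored in
# plaintext (password-flags=0 together with a non-empty password= line).
check_nm_keyfile() {
  f=$1; rc=0
  check_secret_file "$f" || rc=1
  if grep -qx 'user=USERNAME' "$f"; then echo "$f: USERNAME placeholder not replaced"; rc=1; fi
  flags=$(sed -n 's/^password-flags=//p' "$f")
  pw=$(sed -n 's/^password=//p' "$f")
  if [ "${flags:-0}" = 0 ] && [ -n "$pw" ]; then
    echo "$f: password stored in plaintext (password-flags=0)"; rc=1
  fi
  return $rc
}

# demo_keyfile_check: constructed keyfile, first as copied from the page with a cached
# password, then after chmod, replacing USERNAME and (beyond the page) password-flags=1.
demo_keyfile_check() {
  d=$(mktemp -d)
  printf '%s\n' '[connection]' 'id=vpnsec.science.ru.nl' 'type=vpn' '[vpn]' \
    'address=vpnsec.science.ru.nl' 'user=USERNAME' 'method=eap' 'password-flags=0' \
    '[vpn-secrets]' 'password=hunter2' >"$d/VPN-science"
  chmod 644 "$d/VPN-science"
  check_nm_keyfile "$d/VPN-science" && bad=0 || bad=$?   # expect 1: three findings
  sed -i 's/^user=USERNAME/user=jdoe/;/^password=/d;s/^password-flags=0/password-flags=1/' "$d/VPN-science"
  chmod 600 "$d/VPN-science"
  check_nm_keyfile "$d/VPN-science" && good=0 || good=$?  # expect 0: clean
  rm -rf "$d"
  [ "$bad" -ne 0 ] && [ "$good" -eq 0 ]
}

# Run directly on a real file: ./check_vpn_files.sh /etc/NetworkManager/system-connections/VPN-science
if [ $# -gt 0 ]; then check_nm_keyfile "$1"; fi
```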
Installation with NetworkManager on Ubuntu 14.04 LTS
This procedure assumes Ubuntu 14.04 and NetworkManager. See below for a manual procedure.
Install the required software:
$ sudo apt-get install network-manager-strongswan strongswan-plugin-eap-mschapv2
The following NEW packages will be installed:
  libstrongswan{a} network-manager-strongswan strongswan-ike{a} strongswan-nm{a} strongswan-plugin-eap-mschapv2 strongswan-plugin-openssl{a}
...
$ sudo service network-manager stop
network-manager stop/waiting
$ sudo service network-manager start
network-manager start/running, process 29031
Configuration:
Select the NetworkManager applet and after that Edit Connections...
Click Add, select IPsec/IKEv2 in the section VPN, click Create
Enter the data: Connection name, Address (vpnsec.science.ru.nl), login name, etc., and tick the checkboxes where needed.
Save: (Save and Close)
Start the VPN. Select the NetworkManager applet, next VPN Connections and finally the connection created.
Known problems
If the VPN connection has been established but ping ns1.science.ru.nl does not work, while ping 131.174.224.4 does work, then dnsmasq is probably the culprit. This can be solved by disabling the dnsmasq DNS cache, as described in Ask Ubuntu: DNS problem when connected to a VPN:
First make sure that there are no lines beginning with nameserver in any files in /etc/resolvconf/resolv.conf.d. If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to target original, make it point to /dev/null. Second, disconnect from the VPN. Edit /etc/NetworkManager/NetworkManager.conf
$ sudo gedit /etc/NetworkManager/NetworkManager.conf
and comment out dns=dnsmasq (i.e., add a # so that it looks like the following)
#dns=dnsmasq
and then
sudo service network-manager restart
Installation with NetworkManager on Debian Jessie
Unfortunately, the network-manager-strongswan package did not make it into Debian Jessie (and, at the time of writing, is not in jessie-backports either). Nevertheless, backporting the current version of the package appears to work fine. The steps involved were taken almost verbatim from this guide.
First you have to install the Debian packaging tools:
sudo apt-get install packaging-dev debian-keyring devscripts equivs
Afterwards, download the Debian source package:
dget -x http://http.debian.net/debian/pool/main/n/network-manager-strongswan/network-manager-strongswan_1.3.1-1.dsc
Install potentially missing dependencies:
cd network-manager-strongswan-1.3.1/
sudo mk-build-deps --install --remove
Add a backport revision number:
dch --local ~bpo80+ --distribution jessie-backports "Rebuild for jessie-backports."
Build the package (without package signing):
dpkg-buildpackage -us -uc
Install the newly built package:
sudo dpkg -i ../network-manager-strongswan_1.3.1-1~bpo80+1_amd64.deb
Install potentially missing dependencies, just to be sure:
sudo apt-get install -f
Install additional plugins (most notably the eap-mschapv2 plugin):
sudo apt-get install libcharon-extra-plugins
Restart NetworkManager:
sudo systemctl restart network-manager.service
Installation without NetworkManager
Note: further down are some remarks on doing this on Fedora Core (FC23).
Install strongswan, including the curl, eap-identity, eap-mschapv2 and eap-md5 (required for eap-mschapv2) plugins. When you compile strongswan from source, make sure to pass the right parameters to the configure script.
$ ./configure --enable-curl --enable-md5 --enable-openssl --enable-xauth-eap --enable-eap-md5 --enable-eap-gtc \
    --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-mschapv2 --enable-eap-identity
$ make
$ sudo make install
You can test which plugins are loaded with sudo ipsec statusall or sudo ipsec listplugins. If necessary you can load plugins manually by editing strongswan.conf.
Make sure your ipsec.conf, probably located in /etc or in /usr/local/etc, looks like this:
config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn science
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftid=mysciencelogin         # <-- edit this
    eap_identity=mysciencelogin   # <-- edit this
    right=vpnsec.science.ru.nl
    rightauth=pubkey
    rightid=@vpnsec.science.ru.nl
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    auto=start
And your ipsec.secrets as follows, where you enter your own Science account name and password. Make sure this file is not readable by everyone, as it contains your password! It is typically owned by root:root with -rw------- (600) permissions.
mysciencelogin : EAP "mypassword"
Everything should work now:
$ sudo ipsec start
$ sudo ipsec up science
It may be necessary to put the root certificate in the right folder manually:
$ sudo ln -s /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_CA.pem [/usr/local]/etc/ipsec.d/cacerts/DigiCert_Assured_ID_Root_CA.pem
Fedora (FC23)
Work in progress... [Gebruiker:Arjen], FC23, 4/3/2016:
On Fedora (tested on FC23), replace command ipsec by strongswan in the instructions above.
To get the newest SELinux policies, you need to issue:
dnf update --enablerepo=updates-testing selinux-policy
Edit /etc/strongswan/strongswan.d/charon/resolve.conf to include a line:
file = /etc/resolv.conf
To resolve errors about certificate CN=TERENA SSL CA 3 not being trusted:
Navigate to [2] and download DigiCert_Assured_ID_Root_CA.crt and TERENA_SSL_CA_3.crt.
Next, extract the .pem files, copy these to the strongswan config directories, and reread the certificates, like this:
openssl x509 -inform DER -in DigiCert_Assured_ID_Root_CA.crt -out DigiCert_Assured_ID_Root_CA.pem -text
openssl x509 -inform DER -in TERENA_SSL_CA_3.crt -out TERENA_SSL_CA_3.pem -text
cp DigiCert_Assured_ID_Root_CA.pem /etc/strongswan/ipsec.d/cacerts
cp TERENA_SSL_CA_3.pem /etc/strongswan/ipsec.d/certs
strongswan rereadall
To overcome problems with DNS, I had to stop service `libvirtd`. Yet to be resolved.