November 2, 2010

Fedora as IPSEC/L2TP VPN Server for Mac and Android

Now this is probably one of the most unrelated posts one could think of (considering my other posts about programming), but I just have to write this down because I am almost 100% certain that other people have exactly the same problem. Recently we reinstalled one of our office servers and we finally wanted to have an IPSEC/L2TP server, as Android, Mac and iPhones all support it natively.

The configuration always seemed a bit overwhelming and whenever I tried, I always failed miserably to get it to work. On top of that, I just couldn't find any easy explanation on the web guiding me through a Road Warrior to NATted VPN Server installation.

In the end, I finally gave it a good try and was surprised to get it to work. This guide is for Fedora 13 and Fedora 14 (both ship the recent kernel, Openswan and xl2tpd packages that I found are needed).

So, some background. Most of the clients will be "road warriors" (apparently that is what it's called...) with dynamic IPs and often behind NATting firewalls. Also, our server is behind a firewall using NAT and since I am a bit lazy I am going with L2TP with a PSK (pre-shared key) rather than certificates.

Installing the necessary packages

The first step is to install the necessary packages in Fedora.

yum install openswan xl2tpd

Configure Openswan

Now check out /etc/ipsec.conf. As installed it is missing important bits, but it already has an incomplete config setup section. Your file should read something like this:

version 2.0

config setup
        protostack=netkey
        # required because both the clients and the server sit behind NAT
        nat_traversal=yes
        # private ranges the clients may come from; exclude your own LAN
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!{your local subnet}
        oe=off
        nhelpers=0

conn L2TP-PSK
        # pre-shared key, read from /etc/ipsec.d/*.secrets
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # transport mode: IPsec only protects the L2TP (UDP 1701) traffic
        type=transport
        left={your server's internal IP}
        leftprotoport=17/1701
        leftnexthop={your network's gateway IP}
        # any client, from any (possibly NATted) private address
        right=%any
        rightprotoport=17/0
        rightsubnet=vhost:%no,%priv

Replace the occurrences of {your xxx} with the correct IP addresses.

Now you also have to add a file in /etc/ipsec.d. You can name it anything you like, but it needs the extension .secrets, and it will contain your pre-shared key. The content of the file should be

{your server's internal IP} %any: "a_key_that_is_at_least_8_characters_long"

Just to make sure that everything is right, type

service ipsec start

followed by

ipsec verify

Everything should be "green" except opportunistic encryption, which should be disabled.

Configure xl2tpd

The default configuration provided by the xl2tpd RPM is actually quite complete; however, you must make sure that ipsec saref = yes is uncommented (remove the semicolon at the beginning of the line) and that the ip range handed to clients is outside an actively used ip range. For example, if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100, you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local ip which is used for communication with PPP, and given the IP setup from my example you could simply use 192.168.10.101.

Configuring PPP

You can configure PPP to check passwords with PAM; however, let's keep it very simple for now. Add the following to /etc/ppp/chap-secrets

testuser * testpassword *

Also, if you are using Windows VPN clients you should take a look at /etc/ppp/options.xl2tpd and verify that all ms-dns entries point to the correct nameservers ( your own? ;-) ). I am actually not sure if clients other than Windows care about these entries, but it won't hurt having this set correctly...

Wrapping up

Now start xl2tpd using the following command:

service xl2tpd start

Hopefully it'll start just fine and if it does, you are good to fix the final things needed.

First, make sure that clients can reach ports 500 and 4500 (both UDP) on your server (i.e., open those ports in your firewall and forward them if the server is NATted).

Second, you can make the VPN server start on boot by executing

chkconfig ipsec on

and

chkconfig xl2tpd on

That's basically it, you can now use your L2TP/IPSEC VPN client and try to connect. The username and password will be testuser and testpassword while the pre-shared key will be, well, whatever you've set it to (a_key_that_is_at_least_8_characters_long if you followed the example).

Good luck!

UPDATE

I actually forgot to mention that you should check your /etc/sysctl.conf. If not already present, add the following to the file:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
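The numbers in this guide are spread over three files, so here is a small pre-flight script to check them before starting the daemons. It is an added example of mine, not part of the original post or of Openswan/xl2tpd; the function names are my own, and the sample values are the guide's (DHCP 192.168.10.10-100, L2TP pool 192.168.10.150-200).

```shell
#!/bin/sh
# Constructed pre-flight checks for the L2TP/IPsec setup described above.
# Everything runs offline on the values passed in; nothing is written to
# /etc, so it is safe to run before touching the real configuration.

# Dotted quad -> integer so address ranges can be compared numerically.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 0 if the xl2tpd pool [$1,$2] does not overlap the DHCP range [$3,$4], else 1.
pool_outside_dhcp() {
    p1=$(ip2int "$1"); p2=$(ip2int "$2"); d1=$(ip2int "$3"); d2=$(ip2int "$4")
    [ "$p2" -lt "$d1" ] || [ "$p1" -gt "$d2" ]
}

# 0 if the PSK meets the 8-character minimum the guide states, else 1.
psk_long_enough() {
    [ ${#1} -ge 8 ]
}

# Build the virtual_private value for ipsec.conf, excluding the local subnet
# so that road-warrior clients on RFC1918 networks do not collide with it.
virtual_private_line() {
    printf 'virtual_private=%%v4:10.0.0.0/8,%%v4:172.16.0.0/12,%%v4:192.168.0.0/16,%%v4:!%s\n' "$1"
}

# 0 if the sysctl.conf given as $1 has the three settings from the UPDATE.
sysctl_ok() {
    grep -Eq '^net\.ipv4\.ip_forward *= *1$' "$1" &&
    grep -Eq '^net\.ipv4\.conf\.default\.accept_redirects *= *0$' "$1" &&
    grep -Eq '^net\.ipv4\.conf\.default\.send_redirects *= *0$' "$1"
}

# Stand-alone run with the guide's example values.
if pool_outside_dhcp 192.168.10.150 192.168.10.200 192.168.10.10 192.168.10.100; then
    echo "L2TP pool is outside the DHCP range"
fi
psk_long_enough "a_key_that_is_at_least_8_characters_long" && echo "PSK length ok"
virtual_private_line 192.168.10.0/24
```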

October 26, 2010

E-Mail to Steve

I can't believe how quickly the number of supporters on PetitionSpot.com grew once Rick Ross from DZone posted the link to it on DZone's Twitter feed. My initial goal of 10.000 signatures is not that far away and, to be honest, I was more or less guessing what a "good number" of supporters would be. Having reached almost 4000 signatures already, I have now written a letter to Steve Jobs and I want to share it with you:

Dear Mr. Jobs,

Apple has recently announced through its Update Release Notes that the JRE/JDK maintained by Apple will be deprecated in future releases of Mac OS.

Apple has done so without giving any hints as to whether any cooperation with Oracle is in place to continue a JRE/JDK-effort for Mac OS.

As you are undoubtedly aware, Macs have become an increasingly popular platform for “non-Microsoft” software development, and the lack of information has therefore caused some concern in the Java Community.

I do, in part, agree with your statement that it may not be ideal for Apple to provide its own implementation of a technology owned by another corporation. However, Apple’s developers have so far done a very good job at maintaining a Java Development Kit and Runtime for Mac OS X. In fact, recent updates have always followed fairly closely after Sun’s (and now Oracle’s) releases.

A couple of days ago I started a simple online petition (http://www.petitionspot.com/petitions/macjdk) asking Apple to contribute the Mac OS X-specific parts of its Java implementation to the OpenJDK BSD Port Project (http://wikis.sun.com/display/OpenJDK/BSDPort) and within days I collected thousands of signatures and it is still growing.

The OpenJDK project already has a working implementation of OpenJDK 6 and 7 for Mac OS X, which uses X11 for all the graphical parts. If Apple were to contribute its own implementation of the integration bits into Mac OS X, we would no doubt have a very solid Java for Mac which does not have to be maintained by Apple and will stay up to date, since OpenJDK is an Oracle- and IBM-backed project to build coming versions of Java.

I believe that Apple supporting OpenJDK (and in particular the BSD Port effort) by contributing relevant parts of the Apple JDK/JRE source code will be mutually beneficial. Java Developers will be able to continue using their existing investments when Java 7 and/or Lion ships and Apple will continue to benefit from a large number of (in my opinion) open minded software engineers that are capable of providing Cocoa-based applications for the growing number of iOS-based devices on the market.

Sincerely,
Daniel Pfeifer


You may also have noticed that I received some constructive criticism on PetitionSpot.com for only mentioning the JDK, when it is in fact the whole lot (JDK/JRE) that is important to us. I have therefore updated the petition slightly ( adding JRE to the text and keeping the original so that nobody can claim I am cheating ;) ).

I also want to once again mention that when you sign the petition on PetitionSpot.com, the site will ask for a donation. The donation is exclusively for the operation of PetitionSpot.com, it is nothing I, Apple or Oracle will receive ( not that Apple or Oracle would need it... ).

Anyway, long story short, thanks for signing the petition and let's hope Steve will listen :)

October 23, 2010

Java for Mac, not Oracle's business [UPDATED]

Like many of you, I was surprised to read that Apple would be phasing out Java from Mac OS X and that Steve Jobs is basically trying to push the responsibility over to Oracle. It didn't take long: within hours message boards were filled with posts about this. The reason? Quite simple, many of those that buy a MacBook Pro are Java Developers to begin with! They bought a Mac because they like the hardware, because they can get a good-looking UNIX operating system and at the same time not sacrifice the ability to use Adobe Photoshop or Microsoft Office.

I myself am one of those Java Developers that bought a Mac for these precise reasons. If the guy at the Apple Store had said "Sorry, no Java here", I would have turned around and left, just to go to the Sony Center next door and buy one of those 13-inch Vaios. And believe me, I am not the only one; I work as a consultant and have been in the business of mission-critical and web-scale software development for around 10 years now, and I know personally and by recognition literally hundreds of software engineers that, just like me, bought a Mac to pay their bills coding Java applications.

On top of this, one can't ignore the fact that Java Developers are some of the most open-minded software engineers out there. We like new frameworks, we like new languages (Scala, Groovy, et cetera) and we like to experiment. Me aside, I know enough Java Developers that learned Objective-C and Xcode in their free time, just for fun... and because they were able to (after all, you already have a $2500 MacBook, why not install Xcode, too?)!

This may be my opinion, but Apple has become arrogant and disrespectful towards non-Apple technology. This time, however, I can't stop wondering if Apple is expressing its dislike towards the wrong crowd; iOS is fairly big now, but what if those "I pay my rent doing Java" developers leave the Mac? There is no Xcode for Linux or Windows, you know... And let's face it: very, very few developers earn any money to speak of making Fart and Burp Apps for the iPhone or iPad. I guess Steve Jobs bets on having reached critical mass, but that remains to be seen (at least if nobody resolves the JDK issue anytime soon).

Steve recently commented on this by saying that he doesn't like playing catch-up with Oracle's Java and honestly, despite all I wrote so far, I agree! I would appreciate it if Oracle provided a first-class JDK for Mac OS X the same way they provide a first-class JDK for Windows; however, I do not think that it is Oracle's business. And why is it not Oracle's business? Because Oracle is in the business of providing software for the enterprise, they are not in the business of providing 250.000 tiny applications for iPhone owners... Not that there is anything wrong with it, Apple is doing very well by doing exactly that.

One might argue that Oracle already supports a competing operating system by providing a Windows JDK and that Oracle should show some goodwill by throwing Mac OS X into the mix, and yeah, it would be nice, but don't kid yourselves: besides on the IT staff's desktops, Mac OS X is nowhere to be found in businesses. In ten years I have not seen a single server running any flavor of Mac OS. What I have seen is many Office Servers running Windows and thousands of machines running Solaris or Linux.

So, where does this leave us? For the time being we don't have any problem to speak of. Apple just released JDK 1.6.0_22, which will work just fine for a while. However, in less than a year Mac OS X Lion will be arriving and what if Apple really decides not to ship Java SE 7 on Mac OS X 10.7? Personally, I'd probably switch back to Ubuntu full time (tested 10.10 yesterday, it's really neat), but still: What's the purpose of owning an expensive MacBook Pro when I can't run Mac OS X?

Instead of just hoping and guessing we can take things into our own hands; after all, that's what Java developers are really good at. There is already an OpenJDK BSD Port Project in progress, and if Apple were nice enough to contribute their source code to this project, I bet we will have a top-notch OpenJDK for Mac OS X in time for Lion's release.

So, sign this petition and once I have collected enough signatures, I will submit it to Apple. Oh, and don't forget to tell your friends and colleagues about it.

--- UPDATE ---

I have been told by a fellow signer that PetitionSpot.com asks for donations when signing the petition. A donation given is nothing the petition starter (me in this case) receives; it is to support the operation of the website. Long story short, unless you want to support PetitionSpot.com, there is no need to donate. Neither I nor Apple/Oracle (for that matter) will personally receive it.