SoftEther VPN server on Turris Omnia with l2tp/IPsec
This document shows you how to install a SoftEther VPN server on your Turris Omnia router and get it up and running. A more comprehensive version can be downloaded here.
step 1: create a container
Use the manual How to work with LXC containers to create a new LXC container. Choose Ubuntu Xenial (16.04 LTS) as the template for the container. Edit the file /etc/config/lxc-auto to enable automatic startup of the container at boot time (see How to work with LXC containers). After the container has been created, open a terminal window and SSH to the router at its IP address:
ssh root@<your routers ip address>
Obtain the container's IP address (replace <name of your lxc container> by the name you gave to your container):
root@turris:~# lxc-info -n <name of your lxc container>
In LuCI, make the container's IP address a static lease.
step 2: connect to the container
Connect to the container (replace <name of your lxc container> by the name you gave to your container):
root@turris:~# lxc-attach -n <name of your lxc container>
Set a password for the root account of the container:
root@LXC_NAME:~# passwd
Next set the time zone:
root@LXC_NAME:~# dpkg-reconfigure tzdata
Check if there are any updates:
root@LXC_NAME:~# apt update
and install them:
root@LXC_NAME:~# apt upgrade
Finally have automatic security updates installed:
root@LXC_NAME:~# apt install unattended-upgrades
step 3: install Nano, OpenSSH, VSFTP and Build Essential
Nano is a user-friendly editor that comes in handy when editing configuration files:
root@LXC_NAME:~# apt install nano
Installing OpenSSH enables you to use SFTP connections and an SSH shell:
root@LXC_NAME:~# apt install openssh-server
Before using OpenSSH, configure it. First make a backup copy of the config file and make that copy read-only, then edit the config file:
root@LXC_NAME:~# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
root@LXC_NAME:~# chmod a-w /etc/ssh/sshd_config.original
root@LXC_NAME:~# nano /etc/ssh/sshd_config
Make the following changes in sshd_config:
LoginGraceTime 30
PermitRootLogin yes
PermitEmptyPasswords no
StrictModes yes
AllowUsers root
Save the edited config file and restart the SSH service:
root@LXC_NAME:~# service ssh restart
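The sshd_config edits above applied from a script rather than by hand, with the file checked by sshd -t before the restart so that a typo cannot leave the container without a working SSH service. This is an added example, not part of the original guide; it assumes the five settings listed above, a root shell in the container and GNU sed (as on Ubuntu Xenial).

```shell
#!/bin/sh
# Added example: apply the guide's sshd_config settings idempotently and
# validate the result with "sshd -t" before restarting the service.
# A broken sshd_config is the classic way to lock yourself out of a box.

# set_sshd_option FILE KEY VALUE
# Replaces an existing (possibly commented-out) KEY line, or appends one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key([[:space:]]|$)" "$file"; then
        # sed -i / -E are GNU sed options (present on Ubuntu Xenial)
        sed -i -E "s@^[#[:space:]]*$key([[:space:]].*)?\$@$key $value@" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# apply_guide_settings FILE: the five settings from the guide
apply_guide_settings() {
    set_sshd_option "$1" LoginGraceTime 30
    set_sshd_option "$1" PermitRootLogin yes
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" StrictModes yes
    set_sshd_option "$1" AllowUsers root
}

# get_sshd_option FILE KEY: print the effective value (sshd uses the first match)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# apply_and_restart: edit the real file, keep the guide's backup, test, restart
apply_and_restart() {
    cp -n /etc/ssh/sshd_config /etc/ssh/sshd_config.original
    apply_guide_settings /etc/ssh/sshd_config
    # -t checks the configuration without starting a daemon
    if /usr/sbin/sshd -t -f /etc/ssh/sshd_config; then
        service ssh restart
    else
        echo "sshd_config invalid, restore /etc/ssh/sshd_config.original" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_and_restart
fi
```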
Next install and configure VSFTP:
root@LXC_NAME:~# apt install vsftpd
Edit its config file:
root@LXC_NAME:~# nano /etc/vsftpd.conf
Change the setting so that uploads are allowed:
write_enable=YES
If you have problems connecting (the default for Ubuntu Xenial on the Omnia), change:
pam_service_name=ftp
and restart VSFTP:
root@LXC_NAME:~# service vsftpd restart
Finally install the Build Essential Package in order to be able to build (compile) SoftEther VPN in your container:
root@LXC_NAME:~# apt-get install build-essential
You are now ready to download and install SoftEther VPN. Leave the root shell of the container by typing exit and pressing ENTER, and the root shell of the router by once again typing exit and pressing ENTER.
step 4: download SoftEther VPNSERVER and transfer it to your container
Open the browser of your computer and go to the website of SoftEther VPN: http://www.softether-download.com/en.aspx?product=softether
Select:
and download the software. Once the software has been downloaded, transfer it to your container: using the FTP client of your computer, make an SFTP connection to the container and transfer the file to it. The file will be stored in the home directory of user root.
step 5: compile SoftEther VPNSERVER
Open a terminal window and SSH to your LXC container (replace <ipaddress of your container> by the IP address of the container):
ssh root@<ipaddress of your container>
Extract the SoftEther VPNSERVER installation (change the name if you downloaded a newer version):
root@LXC_NAME:~# tar zxvf softether-vpnserver-v4.22-9634-beta-2016.11.27-linux-arm_eabi-32bit.tar.gz
It extracts to a folder vpnserver in the home folder of root. Change to that folder:
root@LXC_NAME:~# cd vpnserver
and compile it:
root@LXC_NAME:~/vpnserver# make
During the make process you will be asked some questions: do you want to read the license agreement (answer yes), do you understand the license agreement (answer yes), do you agree to the license agreement (answer yes). The process then builds the necessary files and runs several checks.
Once the VPNSERVER program has been created it resides in the folder /root/vpnserver. Before starting VPNSERVER, move it to a more suitable place and set proper permissions.
step 6: move VPNSERVER to /usr/local and set proper permissions
Move the vpnserver directory to /usr/local/.
root@LXC_NAME:~/vpnserver# cd ..
root@LXC_NAME:~# mv vpnserver /usr/local
Verify that it was successful:
root@LXC_NAME:~# ls -l /usr/local/vpnserver/
Set and protect the permissions:
root@LXC_NAME:~# cd /usr/local/vpnserver/
root@LXC_NAME:/usr/local/vpnserver# chmod 600 *
root@LXC_NAME:/usr/local/vpnserver# chmod 700 vpncmd
root@LXC_NAME:/usr/local/vpnserver# chmod 700 vpnserver
Again verify that it has been successful:
root@LXC_NAME:/usr/local/vpnserver# ls -l
Perform a final check to see whether VPNSERVER can operate properly before starting it. Use the check command of the vpncmd command line management utility to automatically verify that the system has the functions VPNSERVER needs. Start vpncmd by typing:
root@LXC_NAME:/usr/local/vpnserver# ./vpncmd
Select option 3. Use of VPN Tools (certificate creation or communication speed measurement) and execute the check command:
VPN Tools>check
You should receive the answer:
All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate ...
Type exit to leave the command line management utility and return to the shell prompt:
VPN Tools>exit
Before actually starting VPNSERVER configure the system to operate VPNSERVER as a service.
step 7: configure the system to operate the VPNSERVER program as a service and start the program
Configure your system to run the vpnserver program as a service by registering /usr/local/vpnserver/vpnserver as a daemon process that is started at boot and keeps running in the background. To register VPNSERVER as a daemon, create a startup script with the name /etc/init.d/vpnserver, as shown below.
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#
# chkconfig: 2345 99 01
# description: SoftEther VPN Server

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver

# do nothing if the binary is missing or not executable
test -x $DAEMON || exit 0

case "$1" in
start)
    $DAEMON start
    # /var/lock/subsys does not exist by default on Ubuntu; create it
    mkdir -p "$(dirname $LOCK)"
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    rm -f $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
Create and write the above script to /etc/init.d/vpnserver as a text file. If you use the cat command to create the script, press Ctrl + D after the line break in the final line:
root@LXC_NAME:/usr/local/vpnserver# cat > /etc/init.d/vpnserver
After creating the startup script, change its permissions so that it is executable and cannot be modified by users other than root.
root@LXC_NAME:/usr/local/vpnserver# chmod 755 /etc/init.d/vpnserver
To verify that the startup script is registered, install sysv-rc-conf:
root@LXC_NAME:/usr/local/vpnserver# sudo apt-get install sysv-rc-conf
After the installation was successful, give the command:
root@LXC_NAME:/usr/local/vpnserver# sysv-rc-conf --list vpnserver
The output has to be:
vpnserver
Now give the command to start the vpnserver:
root@LXC_NAME:/usr/local/vpnserver# /etc/init.d/vpnserver start
If successful, you will see:
The SoftEther VPN Server service has been started.
Use the command below to make it run at startup:
update-rc.d vpnserver defaults
step 8: configure VPNSERVER
Next configure VPNSERVER to be able to connect to the server using l2tp/ipsec. Invoke the SoftEther VPN Command Line Management Utility, vpncmd, by typing ./vpncmd in the shell prompt:
root@LXC_NAME:/usr/local/vpnserver# ./vpncmd
Choose option 1. Management of VPN Server. Don’t specify an IP Address of Destination (leave empty) and don’t specify a Virtual Hub Name (leave empty). You end up with:
Connection has been established with VPN Server "localhost" (port 443). You have administrator privileges for the entire VPN Server.
Next set the VPN Server administrator password:
VPN Server>ServerPasswordSet
Create a new virtual HUB and set a password for it:
VPN Server>HubCreate name_of_my_new_HUB
Once the new Hub has been created enter the new HUB:
VPN Server>HUB name_of_my_new_HUB
Create a user for the new HUB:
VPN Server/name_of_my_new_HUB>UserCreate name_of_user_for_my_new_HUB
And set a password for this user:
VPN Server/name_of_my_new_HUB>UserPasswordSet name_of_user_for_my_new_HUB
Next enable l2tp/ipsec:
VPN Server/name_of_my_new_HUB>IPsecEnable
Answer ‘Enable L2TP over IPsec…’ with yes, ‘Enable Raw…’ with no and ‘Enable EtherIP…’ also with no. Define a Pre Shared Key:
Pre Shared Key for IPsec (Recommended: 9 letters at maximum): pre-shared_key
and define your new Hub as Default Virtual HUB:
Default Virtual HUB ... omitting the HUB on the Username: name_of_my_new_HUB
Finally, enable SecureNAT (refer to https://www.softether.org/index.php?title=4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.7_Virtual_NAT_%26_Virtual_DHCP_Servers for details):
VPN Server/name_of_my_new_HUB>SecureNatEnable
To summarize, you have:
created a HUB : name_of_my_new_HUB
defined a user of the HUB : name_of_user_for_my_new_HUB
set a password for the user of the HUB : password_of_the_user_for_my_new_HUB
set a pre-shared key for l2tp/ipsec : pre-shared_key
Next inspect the status of your vpn server:
VPN Server/name_of_my_new_HUB> ServerStatusGet
ServerStatusGet command - Get Current Server Status
Item                                          |Value
----------------------------------------------+-------------------------
Server Type                                   |Standalone Server
Number of Active Sockets                      |43
Number of Virtual Hubs                        |2
Number of Sessions                            |0
Number of MAC Address Tables                  |1
Number of IP Address Tables                   |1
Number of Users                               |1
Number of Groups                              |0
Using Client Connection Licenses (This Server)|0
Using Bridge Connection Licenses (This Server)|0
Outgoing Unicast Packets                      |231 packets
Outgoing Unicast Total Size                   |9,702 bytes
Outgoing Broadcast Packets                    |0 packets
Outgoing Broadcast Total Size                 |0 bytes
Incoming Unicast Packets                      |231 packets
Incoming Unicast Total Size                   |9,702 bytes
Incoming Broadcast Packets                    |464 packets
Incoming Broadcast Total Size                 |28,304 bytes
Server Started at                             |2016-12-16 (Fri) 14:34:26
Current Time                                  |2016-12-16 15:14:33.238
64 bit High-Precision Logical System Clock    |2407123
The command completed successfully.
You see there are 2 virtual hubs. One is the HUB you just created, the other is the DEFAULT HUB. Do some housekeeping and delete the DEFAULT HUB since you don’t need it.
Leave your HUB:
VPN Server/name_of_my_new_HUB>Hub
and delete the DEFAULT HUB:
VPN Server>HubDelete DEFAULT
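Step 8 as a vpncmd batch file instead of an interactive session, an added example that is not part of the original guide or of SoftEther's own documentation. It assumes a freshly started server that has no administrator password yet (as above), the guide's placeholder names, and that the secrets are supplied through environment variables; the /SERVER, /IN: and per-command switches are vpncmd's own.

```shell
#!/bin/sh
# Added example: reproduce step 8 non-interactively with a vpncmd batch
# file (vpncmd's /IN: option) instead of typing each command at the prompt.
# Passwords and the pre-shared key are read from the environment and
# written only to a mode-600 file, so they do not end up in the shell
# history or in the process list the way /CMD arguments would.
# Hub and user names are the guide's placeholders.

VPNCMD=${VPNCMD:-/usr/local/vpnserver/vpncmd}

# write_vpncmd_batch FILE HUB USER: emit the step-8 commands to FILE
write_vpncmd_batch() {
    out=$1; hub=$2; user=$3
    : "${ADMIN_PW:?set ADMIN_PW}" "${HUB_PW:?set HUB_PW}"
    : "${USER_PW:?set USER_PW}" "${PSK:?set PSK}"
    ( umask 077; cat > "$out" <<EOF
ServerPasswordSet $ADMIN_PW
HubCreate $hub /PASSWORD:$HUB_PW
Hub $hub
UserCreate $user /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $user /PASSWORD:$USER_PW
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$PSK /DEFAULTHUB:$hub
SecureNatEnable
Hub
HubDelete DEFAULT
ServerStatusGet
EOF
    )
}

# count_batch_commands FILE: number of non-empty lines (sanity check)
count_batch_commands() {
    grep -c . "$1"
}

# run_batch FILE: feed the batch to the local server, then remove the file
run_batch() {
    "$VPNCMD" localhost /SERVER /IN:"$1"
    rc=$?
    rm -f "$1"
    return $rc
}

if [ "${1:-}" = "--apply" ]; then
    f=$(mktemp)
    write_vpncmd_batch "$f" name_of_my_new_HUB name_of_user_for_my_new_HUB
    run_batch "$f"
fi
```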
This completes the configuration of vpnserver for the use of l2tp/ipsec. There are still two steps to go:
step 9: configure portforwarding in the router
In Turris Omnia open the LuCI interface, go to Network/Firewall and open the tab Port Forwards. Add two new port forwards:
name                 port                   external   internal ip address
SoftEtherVPNudp500   ip4 udp port 500 wan   anywhere   lan, ip address of vpn container
SoftEtherVPNudp4500  ip4 udp port 4500 wan  anywhere   lan, ip address of vpn container
Click Save and Apply when finished.
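The same two port forwards expressed as UCI commands for the router's shell, as an added example that is not part of the original guide. The container address is a constructed placeholder; replace it with the static lease from step 1. UDP 500 carries IKE and UDP 4500 carries IPsec NAT-T (which also encapsulates the ESP traffic), so these are the only ports L2TP/IPsec needs through NAT.

```shell
#!/bin/sh
# Added example: the two port forwards from step 9 as UCI "redirect"
# sections, so they can be applied from the Turris Omnia shell instead of
# LuCI. The rules are only printed unless --apply is given on a box with uci.

CONTAINER_IP=${CONTAINER_IP:-192.0.2.10}   # constructed placeholder

# redirect_cmds NAME UDP_PORT DEST_IP: print the uci commands for one DNAT rule
redirect_cmds() {
    name=$1; port=$2; dest=$3
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='$name'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$port'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$dest'
uci set firewall.@redirect[-1].dest_port='$port'
EOF
}

# all_redirect_cmds DEST_IP: both rules from the guide plus commit and reload
all_redirect_cmds() {
    redirect_cmds SoftEtherVPNudp500  500  "$1"
    redirect_cmds SoftEtherVPNudp4500 4500 "$1"
    echo "uci commit firewall"
    echo "/etc/init.d/firewall reload"
}

# Apply only when explicitly asked and only where uci exists (OpenWrt/Turris).
if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    all_redirect_cmds "$CONTAINER_IP" | sh -e
fi
```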
step 10: configure your vpn clients
In step 8 you:
created a HUB : name_of_my_new_HUB
defined a user of the HUB : name_of_user_for_my_new_HUB
set a password for the user of the HUB : password_of_the_user_for_my_new_HUB
set a pre-shared key for l2tp/ipsec : pre-shared_key
On your computer/phone/tablet enter the following settings for the configuration of the vpn connection profile:
Connection type : l2tp
Server address : the external ip-address or (D)DNS-name of your router
Account name : name_of_user_for_my_new_HUB@name_of_my_new_HUB
User authentication - password : password_of_the_user_for_my_new_HUB
Shared secret : pre-shared_key
That’s all.