SoftEther VPN server on Turris Omnia with l2tp/IPsec

This document shows you how to install a SoftEther VPN server on your Turris Omnia router and get it up and running. A more comprehensive version can be downloaded here.

step 1: create a container

Use the manual How to work with LXC containers to create a new lxc container. Choose Ubuntu Xenial (16.04 lts) as template for the container. Edit the file /etc/config/lxc-auto to enable automatic startup of the container at boot time (see How to work with LXC containers). After the creation was successful, open a terminal window and ssh to the router at its ip-address:

	ssh root@<your routers ip address>

Obtain the containers ip address (replace <name of your lxc container> by the name you gave to your container):

	root@turris:~# lxc-info -n <name of your lxc container>

In LuCI make the containers ip address a static lease.

step 2: connect to the container

Connect to the container (replace <name of your lxc container> by the name you gave to your container):

	root@turris:~# lxc-attach -n <name of your lxc container>

Set a password for the root account of the container:

	root@LXC_NAME:~# passwd

Next set the time zone:

	root@LXC_NAME:~# dpkg-reconfigure tzdata

Check if there are any updates:

	root@LXC_NAME:~# apt update

and install them:

	root@LXC_NAME:~# apt upgrade

Finally have automatic security updates installed:

	root@LXC_NAME:~# apt install unattended-upgrades

Step 3: install Nano, OpenSSH, Vsftp and Build Essential

Nano is a userfriendly editor that comes in handy when editing configuration files:

	root@LXC_NAME:~# apt install nano

Installing OpenSSH enables you to use SFTP connections and SSH shell:

	root@LXC_NAME:~# apt install openssh-server

Before using OpenSSH configure it. First make a backup copy of the config file and make that copy read-only. Then edit the config file:

	root@LXC_NAME:~# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

	root@LXC_NAME:~# chmod a-w /etc/ssh/sshd_config.original

	root@LXC_NAME:~# nano /etc/ssh/sshd_config

Make the following changes in sshd_config:

	LoginGraceTime 30
	PermitRootLogin yes
	PermitEmptyPasswords no
	StrictModes yes
	AllowUsers root

Save the edited config file and restart the SSH service:

	root@LXC_NAME:~# service ssh restart

Similarly install and adapt VSFTP:

	root@LXC_NAME:~# apt install vsftpd

Similarly edit the config file:

	root@LXC_NAME:~# nano /etc/vsftpd.conf

change the setting so you can write:

	write_enable=YES

If you have problems with connecting - default Ubuntu Xenial on Omnia change:

              pam_service_name=ftp 

and restart VSFTP:

	root@LXC_NAME:~# service vsftpd restart

Finally install the Build Essential Package in order to be able to build (compile) SoftEther VPN in your container:

	root@LXC_NAME:~# apt-get install build-essential

You are now ready to download and install SoftEther VPN. Leave the root shell of the container by typing exit and pressing ENTER, and the root shell of the router by once again typing exit and pressing ENTER.

step 4: download SoftEther VPNSERVER and transfer it to your container

Open the browser of your computer and go to the website of SoftEther VPN: http://www.softether-download.com/en.aspx?product=softether

Select:

1. Software: SoftEther VPN(Freeware)
2. Component: SoftEther VPN Server
3. Platform: Linux
4. CPU: ARM EABI (32bit)

and download the software. Once the software has been downloaded transfer it to your container. Using the ftp client of your computer make a SFTP connection to the container and transfer the file to it.The file will be stored in the home directory of user root.

step 5: compile SoftEther VPNSERVER

Open a terminal window and SSH to your lxc container (replace <ipaddress of your container> by the ip address of the container):

	ssh root@<ipaddress of your container>

Extract the SoftEther VPNSERVER installation (change the name if you downloaded a newer version):

	root@LXC_NAME:~# tar zxvf softether-vpnserver-v4.22-9634-beta-2016.11.27-linux-arm_eabi-32bit.tar.gz

It will extract to a folder /vpnserver in the home folder of root. Change to that folder:

	root@LXC_NAME:~# cd vpnserver

and compile it:

	root@LXC_NAME:~/vpnserver# make

During the make process you will be asked some questions: do you want to read the license agreement (answer yes), do you understand the license agreement (answer yes), do you agree the license agreement (answer yes). The proces continues to make the necessary files and runs several checks.

Once the VPNSERVER program has been created it resides in the folder /root/vpnserver. Before starting VPNSERVER, move it to a more suitable place and set proper permissions.

step 6: move VPNSERVER to /usr/local and set proper permissions

Move the vpnserver directory to /usr/local/.

	root@LXC_NAME:~/vpnserver# cd ..

	root@LXC_NAME:~# mv vpnserver /usr/local

Verify that it was successful:

	root@LXC_NAME:~# ls -l /usr/local/vpnserver/

Set and protect the permissions:

	root@LXC_NAME:~# cd /usr/local/vpnserver/
	root@LXC_NAME:/usr/local/vpnserver# chmod 600 *
	root@LXC_NAME:/usr/local/vpnserver# chmod 700 vpncmd
	root@LXC_NAME:/usr/local/vpnserver# chmod 700 vpnserver

Again verify that it has been successful:

	root@LXC_NAME:/usr/local/vpnserver# ls -l
	

Perform a final check to see whether VPNSERVER can operate properly before starting VPNSERVER. Use the check command on the vpncmd command line management utility to automatically check whether the system has sufficient functions to operate VPNSERVER. Start vpncmd by typing the command:

	root@LXC_NAME:/usr/local/vpnserver# ./vpncmd

Select option 3. Use of VPN Tools (certificate creation or communication speed measurement) and execute the check command:

	VPN Tools>check
	

You should receive the answer:

	All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate ...

Type exit to leave the command line management utility and return to the shell prompt:

	VPN Tools>exit 

Before actually starting VPNSERVER configure the system to operate VPNSERVER as a service.

step 7: configure the system to operate the VPNSERVER program as a service and start the program

Configure your system to operate the vpnserver program as a service mode program by registering the /usr/local/vpnserver/vpnserver program as a daemon process that continues to run in the background while Linux is starting. To register VPNSERVER to Linux as a daemon process, create a startup script, as shown below, with the name /etc/init.d/vpnserver.

 #!/bin/sh
 #
 ### BEGIN INIT INFO
 # Provides:          vpnserver
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start daemon at boot time
 # Description:       Enable service provided by daemon.
 ### END INIT INFO
 #
 # chkconfig: 2345 99 01
 # description: SoftEther VPN Server
 DAEMON=/usr/local/vpnserver/vpnserver
 LOCK=/var/lock/subsys/vpnserver
 test -x $DAEMON || exit 0
 case "$1" in
 start)
 $DAEMON start
 touch $LOCK
 ;;
 stop)
 $DAEMON stop
 rm $LOCK
 ;;
 restart)
 $DAEMON stop
 sleep 3
 $DAEMON start
 ;;
 *)
 echo "Usage: $0 {start|stop|restart}"
 exit 1
 esac
 exit 0

Create and write the above script to /etc/init.d/vpnserver as a text file. To use the cat command to create the script, press Ctrl + D after the line break in the final line:

	root@LXC_NAME:/usr/local/vpnserver# cat > /etc/init.d/vpnserver

After creating the startup script, change the permissions for this script so that the script cannot be rewritten by a user without permissions.

	root@LXC_NAME:/usr/local/vpnserver# chmod 755 /etc/init.d/vpnserver
	

To verify whether the startup script starts install SYSV-RC-CONF:

	root@LXC_NAME:/usr/local/vpnserver# sudo apt-get install sysv-rc-conf

After the installation was successful, give the command:

	root@LXC_NAME:/usr/local/vpnserver# sysv-rc-conf --list vpnserver
	

The output has to be:

	vpnserver   

Now give the command to start the vpnserver:

	root@LXC_NAME:/usr/local/vpnserver# /etc/init.d/vpnserver start

If successful, you will see:

	The SoftEther VPN Server service has been started.

Use the command below make it to run at startup:

	update-rc.d vpnserver defaults

step 8: configure VPNSERVER

Next configure VPNSERVER to be able to connect to the server using l2tp/ipsec. Invoke the SoftEther VPN Command Line Management Utility, vpncmd, by typing ./vpncmd in the shell prompt:

	root@LXC_NAME:/usr/local/vpnserver# ./vpncmd

Choose option 1. Management of VPN Server. Don’t specify an IP Address of Destination (leave empty) and don’t specify a Virtual Hub Name (leave empty). You end up with:

	
	Connection has been established with VPN Server "localhost" (port 443).
	You have administrator privileges for the entire VPN Server.

Next set VPN Server Administrator Password:

	VPN Server>ServerPasswordSet
	

Create a new virtual HUB and set a password for it:

	VPN Server>HubCreate name_of_my_new_HUB

Once the new Hub has been created enter the new HUB:

	VPN Server>HUB name_of_my_new_HUB
	

Create a user for the new HUB:

	VPN Server/name_of_my_new_HUB>UserCreate name_of_user_for_my_new_HUB
	

And set a password for this user:

	VPN Server/name_of_my_new_HUB>UserPasswordSet name_of_user_for_my_new_HUB

Next enable l2tp/ipsec:

	VPN Server/name_of_my_new_HUB>IPsecEnable

Answer ‘Enable L2TP over IPsec…’ with yes, ‘Enable Raw…’ with no and ‘Enable EtherIP…’ also with no. Define a Pre Shared Key:

	Pre Shared Key for IPsec (Recommended: 9 letters at maximum): pre-shared_key

and define your new Hub as Default Virtual HUB:

	Default Virtual HUB ... omitting the HUB on the Username: name_of_my_new_HUB

Finally, enable SecureNAT (refer to https://www.softether.org/index.php?title=4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.7_Virtual_NAT_%26_Virtual_DHCP_Servers for details):

	VPN Server/name_of_my_new_HUB>SecureNatEnable

To summarize, you have:

• set a VPN Server Administrator Password : vpn_server_administrator_password
• created a HUB : name_of_my_new_HUB
• set a password for the new HUB : password_for_my_new_HUB
• defined a user of the HUB : name_of_user_for_my_new_HUB
• set a password for the user of the HUB : password_of_the_user_for_my_new_HUB
• set a pre-shared key for l2tp/ipsec : pre-shared_key

Next inspect the status of your vpn server:

	VPN Server/name_of_my_new_HUB> ServerStatusGet

	ServerStatusGet command - Get Current Server Status
	Item                                          |Value
	----------------------------------------------+-------------------------
	Server Type                                   |Standalone Server
	Number of Active Sockets                      |43
	Number of Virtual Hubs                        |2
	Number of Sessions                            |0
	Number of MAC Address Tables                  |1
	Number of IP Address Tables                   |1
	Number of Users                               |1
	Number of Groups                              |0
	Using Client Connection Licenses (This Server)|0
	Using Bridge Connection Licenses (This Server)|0
	Outgoing Unicast Packets                      |231 packets
	Outgoing Unicast Total Size                   |9,702 bytes
	Outgoing Broadcast Packets                    |0 packets
	Outgoing Broadcast Total Size                 |0 bytes
	Incoming Unicast Packets                      |231 packets
	Incoming Unicast Total Size                   |9,702 bytes
	Incoming Broadcast Packets                    |464 packets
	Incoming Broadcast Total Size                 |28,304 bytes
	Server Started at                             |2016-12-16 (Fri) 14:34:26
	Current Time                                  |2016-12-16 15:14:33.238
	64 bit High-Precision Logical System Clock    |2407123
	The command completed successfully.

You see there are 2 virtual hubs. One is the HUB you just created, the other is the DEFAULT HUB. Do some housekeeping and delete the DEFAULT HUB since you don’t need it.

Leave your HUB:

	VPN Server/name_of_my_new_HUB>Hub

and delete the DEFAULT HUB:

	VPN Server>HubDelete DEFAULT
	

This completes the configuration of vpnserver for the use of l2tp/ipsec. There are still two steps to go:

1. setting port forwarding in the router for the proper ports
2. configuring the vpn-settings of our clients

step 9: configure portforwarding in the router

In Turris Omnia open the LuCI interface, go to Network/Firewall and open the tab Port Forwards. Add two new port forwards:

name                    port                    external        internal ip address
 
----
 
SoftEtherVPNudp500      ip4 udp port 500        wan anywhere    lan ip address of vpn container
 
SoftEtherVPNudp4500	ip4 udp port 4500       wan anywhere    lan ip address of vpn container

Click Save and Apply when finished.

step 10: configure your vpn clients

In step 8 you:

created a HUB				: name_of_my_new_HUB
 
defined a user of the HUB		: name_of_user_for_my_new_HUB
 
set a password for the user of the HUB	: password_of_the_user_for_my_new_HUB
 
set a pre-shared key for l2tp/ipsec	: pre-shared_key

On your computer/phone/tablet enter the following settings for the configuration of the vpn connection profile:

Connection type 			: l2tp
 
Server address				: the external ip-address or (D)DNS-name of your router
 
Account name 				: name_of_user_for_my_new_HUB@name_of_my_new_HUB
 
User authentication - password 		: password_of_the_user_for_my_new_HUB
 
Shared secret				: pre-shared_key

That’s all.