
Building L2TP and PPTP VPN Servers on Debian Linux 7.0


  1. Environment preparation

Install one Debian Linux 7.0 server, with external network configuration.

  2. Installation steps

(1) Install IPSec

Bash

# apt-get update && apt-get upgrade && apt-get dist-upgrade && apt-get install openswan

ERR: A prompt says some library versions are too low. ANS: Update the system and retry.

(2) Configure IPSec

Modify /etc/ipsec.conf to the following:

Bash

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=local_IP_address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Append the following line to /etc/ipsec.secrets, replacing the placeholder with the server's local IP address:

Bash

local_IP_address   %any:  PSK "YourSharedSecret"

(3) Run the following command

Bash

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

(4) Check if IPSec works

Bash

# ipsec verify

ERR: can not load config '/etc/ipsec.conf': /etc/ipsec.conf:58: syntax error, unexpected CONN [conn] ANS: Check the ipsec.conf file for spaces or tabs before the conn line.

(5) Restart the IPSec service

Bash

/etc/init.d/ipsec restart

(6) Install the L2TP software

Bash

# apt-get install xl2tpd

(7) Add the following to the file /etc/xl2tpd/xl2tpd.conf

Bash

[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.2-192.168.1.254
; the server's virtual IP on the VPN subnet; the guide uses 192.168.1.1
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

(8) Install PPP

Bash

# apt-get install ppp

(9) Create the file /etc/ppp/options.xl2tpd and add the following content

Bash

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

(10) Add a VPN user

Bash

# vi /etc/ppp/chap-secrets

Bash

username    *    password    *

Change username to the VPN connection username and password to that user's password; the two * entries mean that neither the server name nor the client IP is restricted.

Restart the xl2tpd service:

Bash

/etc/init.d/xl2tpd restart
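A pre-flight script for the three files edited so far, to run before "ipsec verify" and the service restarts: it catches the indented "conn" header behind the syntax error in step (4), checks that the plaintext secrets files are not world-readable, and validates the four-field chap-secrets layout. This is an added example, not part of the original post; the sample files it builds and the 192.0.2.10 address are constructed.

```shell
# Added example, not from the original post: pre-flight checks for the three
# files this guide edits. Assumes POSIX sh with grep -E, awk, stat and mktemp;
# the checks take file paths, so they can run on copies or on the samples below.
# Openswan rejects indented "conn"/"config" headers (the "unexpected CONN"
# error the guide hits). Lists the offending lines and returns 1 if any.
check_ipsec_sections() {
    if grep -nE '^[[:space:]]+(conn|config|version)([[:space:]]|$)' "$1"; then
        echo "ERROR: $1: section headers above must start in column 1" >&2
        return 1
    fi
}
# ipsec.secrets and chap-secrets hold the PSK and passwords in plaintext;
# anything wider than mode 600 exposes them to every local user.
check_secret_perms() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$_mode" in 600|400) return 0 ;; esac
    echo "ERROR: $1 has mode $_mode, expected 600" >&2; return 1
}
# chap-secrets lines are: client  server  secret  ip-restriction. A quoted
# secret (needed when a password contains spaces) must count as one field.
check_chap_secrets() {
    awk '!/^[[:space:]]*#/ && NF > 0 {
             gsub(/"[^"]*"/, "Q")
             if (NF != 4) { printf "%s:%d: expected 4 fields, got %d\n", FILENAME, FNR, NF; bad = 1 }
         }
         END { exit bad }' "$1"
}
# Runs the three checks; the return value is the number that failed.
run_all() {
    _fail=0
    check_ipsec_sections "$1" || _fail=$((_fail + 1))
    check_secret_perms "$2"   || _fail=$((_fail + 1))
    check_chap_secrets "$3"   || _fail=$((_fail + 1))
    return $_fail
}
# Constructed samples (192.0.2.10 is a documentation address): an indented conn
# header, a correctly protected secrets file, a chap-secrets line missing fields.
make_samples() {
    _d=$(mktemp -d)
    printf 'version 2.0\nconfig setup\n    protostack=netkey\n  conn L2TP-PSK-NAT\n    also=L2TP-PSK-noNAT\n' > "$_d/ipsec.conf"
    printf '192.0.2.10 %%any: PSK "YourSharedSecret"\n' > "$_d/ipsec.secrets"
    chmod 600 "$_d/ipsec.secrets"
    printf '# client server secret ip\ntestuser l2tpd "pass word" *\nbob l2tpd\n' > "$_d/chap-secrets"
    echo "$_d"
}
d=$(make_samples)
run_all "$d/ipsec.conf" "$d/ipsec.secrets" "$d/chap-secrets" || echo "fix the issues above before restarting ipsec/xl2tpd"
```

Against the live system, call run_all with /etc/ipsec.conf, /etc/ipsec.secrets and /etc/ppp/chap-secrets instead of the sample paths.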

(11) Configure iptables forwarding

Bash

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

(12) Add a startup entry

Bash

# vi /etc/rc.local

Add the following content (before the final "exit 0" line of rc.local, or it will never run):

Bash

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

  3. Notes

(1) The effect of the command "echo 1 > /proc/sys/net/ipv4/ip_forward" can also be achieved by editing "/etc/sysctl.conf", uncommenting the line "net.ipv4.ip_forward = 1", and running "sysctl -p".

(2) Some say that adding the line "mtu 1400 noccp connect-delay 5000" to the file "/etc/ppp/options.xl2tpd" can solve the problem of iOS/Mac OS being unable to connect. I tried it and found it didn't work.

(3) The VPN log file is "/var/log/auth.log"; if you can't connect, check the log and Google the specific error.

(4) If Windows can't connect, try modifying the registry key "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]" by adding a "DWORD" value "ProhibitIpSec=dword:00000001" (note that this makes Windows send L2TP without the IPsec layer, so the tunnel is no longer encrypted).

(5) If after connecting you can't access the external network, check whether the iptables forwarding rule is set up correctly. Try the command "iptables -t nat -A POSTROUTING -s <your virtual IP range, e.g. 192.168.1.0/24> -o venet0 -j MASQUERADE".

(6) The VPN built with the above steps simply refuses to connect on iOS and Mac, even though Windows works fine. I tried the PPTP VPN, and unexpectedly it connected. Below are the files that need to be modified and the software to install.

  4. Setting Up a PPTP VPN Server

(1) Install the software

Bash

# apt-get install pptpd ppp

(2) Edit the configuration file

Bash

vi /etc/pptpd.conf

Add the following content (the lines are already in the file but commented out; delete the leading "#" to enable them)

Bash

localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.254

Bash

vi /etc/ppp/pptpd-options

Add the following content

Bash

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Note: "require-mppe-128" must not be commented out, otherwise Mac cannot connect.

(3) Add an account

Bash

vi /etc/ppp/chap-secrets

Bash

testuser    l2tpd    password    *

Note: If you followed the L2TP steps above, the server name created by default is l2tpd. In this file the second field, as shown above, is the name of the VPN server the user connects to; the first field is the username; the third field is the password; the last field is the client IP, where * means no restriction on the connecting IP.

Now, connect to the VPN—you know the rest.

Postscript:

iOS devices connecting to the VPN via PPTP are extremely unstable. It may be related to the VPS region, or to PPTP itself. Tracking the connection log with tail -f /var/log/auth.log shows the error "message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level". A bit of Googling led me to the page at http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade. After a bit of digging, the cause turned out to be a version issue with openswan; running the following command fixes it.

Bash

# apt-get install openswan=1:2.6.37-3
# /etc/init.d/xl2tpd restart
# /etc/init.d/ipsec restart

After testing, iOS connects normally, but the network speed doesn't improve. It's fine right after connecting, but goes unresponsive after a while. I suspect it's the GFW, but Windows stays rock solid.

norvyn

An independent iOS developer and writer — slowly making small, certain things in a city by the sea.