Saturday, June 18, 2011

Installing and configuring an L2TP/IPsec VPN using xl2tpd

xl2tpd howto

A VPN creates a tunnel from your PC to your office network. There are many VPN packages: OpenVPN, pptpd, xl2tpd and others.
Here we discuss the installation and configuration of xl2tpd. Note that L2TP itself does no encryption; in this setup Openswan supplies the IPsec layer that encrypts the L2TP traffic, and xl2tpd only handles the L2TP/PPP side.
For other VPN installations search the tags of this same site.
These steps work on Red Hat, CentOS, Fedora and other Red Hat-based distributions.

Install the following packages using yum or RPMs:
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced

Download and install Openswan (2.6.24 is the release this howto was written against; take the latest 2.6.x release from the same download page, or install the distribution's openswan package with yum, since later releases carry security fixes):
mkdir -p /ztmp/l2tp
cd /ztmp/l2tp
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install

If /etc/ipsec.conf already exists, back it up and create a new one as follows. In the configuration, virtual_private lists the private ranges a NATed client may sit behind; if the server has a private LAN of its own, exclude that subnet with a "!" entry (for example %v4:!192.168.1.0/24) so a client cannot claim it:
cp /etc/ipsec.conf{,.bkp}
rm -rf /etc/ipsec.conf
touch /etc/ipsec.conf

vi /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left is your server's (VPS) public IP
    left=25.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Put the pre-shared key in ipsec.secrets. "server.lap.work" is only a placeholder: with right=%any, anybody who knows this string can start an IKE negotiation with the server, so use a long random value and keep the file mode 600 (only pluto, running as root, needs to read it):
vi /etc/ipsec.secrets
25.x.x.x %any: PSK "server.lap.work"

Enable IP Forwarding in /etc/sysctl.conf
net.ipv4.ip_forward = 1

Reload Sysctl settings
sysctl -p

Enable masquerading for the VPN clients. Limit the rule to the address pool handed out to PPP clients (10.0.0.0/24 in the xl2tpd configuration below) and to the public interface (eth0 here; use yours), so the box does not NAT arbitrary forwarded traffic:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
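The masquerade rule is only one of the firewall rules this gateway needs. The following script, added here as an example and not part of the original howto, generates the full set: IKE, NAT-T and ESP open on the public interface, L2TP on UDP 1701 accepted only when the packet arrived inside an IPsec SA (so a plain, unencrypted L2TP connection from the Internet is refused), and forwarding and masquerading limited to the PPP client pool. It assumes eth0 as the public interface and 10.0.0.0/24 as the pool (both can be overridden on the command line) and a DROP default policy on INPUT and FORWARD.

```shell
#!/bin/bash
# Added example, not part of the original howto: the iptables rules an
# L2TP/IPsec gateway set up as above needs, produced as a reviewable list
# ("show") or applied ("apply").  Assumptions: the public interface is eth0
# and the PPP client pool is 10.0.0.0/24 (both can be overridden), and the
# default policy of INPUT and FORWARD is DROP, so only what is listed gets in.

# Print the rules for <public_iface> <ppp_pool>.
l2tp_rules() {
    local wan=$1 pool=$2
    cat <<EOF
# IKE (UDP 500), NAT-T (UDP 4500) and ESP from any client
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan -p esp -j ACCEPT
# L2TP (UDP 1701) only for packets that arrived inside an IPsec SA;
# plain L2TP from the Internet is dropped, so the tunnel is never unencrypted
iptables -A INPUT -i $wan -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1701 -j DROP
# Forward only the PPP pool out of the public interface, and replies back in
iptables -A FORWARD -i ppp+ -s $pool -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -d $pool -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade only the pool, only on the public interface
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Number of iptables commands l2tp_rules would run (comment lines excluded).
rule_count() {
    l2tp_rules "$@" | grep -c '^iptables'
}

# Run the rules; stop at the first failure so a half-applied set is noticed.
apply_rules() {
    l2tp_rules "$@" | grep -v '^#' | while IFS= read -r rule; do
        # $rule is left unquoted on purpose: it must be word-split into argv
        $rule || { echo "failed: $rule" >&2; exit 1; }
    done
}

case "${1:-}" in
    show)  l2tp_rules "${2:-eth0}" "${3:-10.0.0.0/24}" ;;
    apply) apply_rules "${2:-eth0}" "${3:-10.0.0.0/24}" ;;
esac
```

Run it as "./l2tp-fw.sh show" to review the rules and "./l2tp-fw.sh apply" (as root) to load them, optionally followed by the interface and pool. The -m policy match needs the xt_policy netfilter module, which the stock RHEL/CentOS kernels include; it is what turns "L2TP over IPsec" from a client-side convention into something the server enforces.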

Disable ICMP redirects on every interface (a gateway that forwards VPN traffic must neither accept nor send them):
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

Restart ipsec and verify :
/etc/init.d/ipsec restart
ipsec verify

Download and install rp-l2tp :
cd /ztmp/l2tp
wget http://mirror.zeddicus.com/sources/rp-l2tp-0.4.tar.gz
tar zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make

cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

Download and install xl2tpd:
cd /ztmp/l2tp
wget http://mirror.zeddicus.com/sources/xl2tpd-1.2.4.tar.gz
tar zxvf xl2tpd-1.2.4.tar.gz
cd xl2tpd-1.2.4
make install

mkdir -p /etc/xl2tpd
rm -rf /etc/xl2tpd/xl2tpd.conf
touch /etc/xl2tpd/xl2tpd.conf

Edit the xl2tpd configuration file as follows. "ipsec saref = yes" only works on a kernel carrying Openswan's IPsec SAref patches (it is what lets several clients behind the same NAT gateway connect at once); on a stock kernel with protostack=netkey set it to no. "refuse chap" and "refuse pap" leave MS-CHAPv2 as the only PPP authentication method, which is what the pppd options below require.
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.0.0.2-10.0.0.254
local ip = 10.0.0.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

cp /etc/ppp/options.xl2tpd{,.bkp}
rm -rf /etc/ppp/options.xl2tpd
touch /etc/ppp/options.xl2tpd

Edit the pppd options file as given below. "name l2tpd" is the server name pppd looks up in chap-secrets, so it must match the second field of every entry there; "require-mschap-v2" forces MS-CHAPv2 for the PPP login (which still travels inside the IPsec tunnel); the ms-dns entries push Google's public resolvers to clients, replace them with your own if you have them:
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Add the user's login details to chap-secrets. The fields are: client (username), server (must be "l2tpd" to match "name l2tpd" above), secret (password) and the addresses the client may claim ("*" means any). "test"/"test123" are placeholders for this howto; use strong passwords and keep the file mode 600, as the passwords are stored in clear text:
vi /etc/ppp/chap-secrets
test l2tpd test123 *
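The PSK in ipsec.secrets and the password in chap-secrets are the two secrets this server rests on, and both examples above use guessable strings. The script below, added here as an example and not part of the original howto, generates random values for both, writes the files with root-only permissions, refuses duplicate usernames (pppd takes the first matching line, so a second entry would be silently ignored) and checks the permissions afterwards. File paths are parameters so it can be tried against a scratch directory; the defaults are the real locations used above. The script name l2tp-secrets.sh is an assumption.

```shell
#!/bin/bash
# Added example, not part of the original howto: generate the two secrets the
# setup above hard-codes ("server.lap.work" as PSK, "test123" as password)
# and keep the files they live in readable by root only.  File paths are
# arguments so the functions can be exercised against a scratch directory;
# the defaults are the real locations used above.
set -u

# 32 random bytes from the kernel CSPRNG as base64, padding and newline removed.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Write ipsec.secrets for "left=<server_ip> right=%any" with a fresh PSK and
# print the PSK so it can be handed to the client out of band.
# usage: write_psk_secrets <server_ip> [secrets_file]
write_psk_secrets() {
    local server_ip=$1 file=${2:-/etc/ipsec.secrets} psk
    psk=$(gen_secret)
    # umask in a subshell so the file is born 0600 and nothing else is affected
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file" )
    chmod 600 "$file"
    printf '%s\n' "$psk"
}

# Append one PPP login to chap-secrets.  Fields: client, server, secret,
# allowed IPs.  The server field must equal the "name l2tpd" line in
# /etc/ppp/options.xl2tpd or pppd will not find the entry.
# usage: add_ppp_user <username> [password] [chap-secrets file]
# Prints the password (generated when none is given).
add_ppp_user() {
    local user=$1 pass=${2:-} file=${3:-/etc/ppp/chap-secrets}
    case "$user" in
        ""|*[!A-Za-z0-9._-]*) echo "add_ppp_user: bad username '$user'" >&2; return 1 ;;
    esac
    [ -n "$pass" ] || pass=$(gen_secret)
    # refuse duplicates (strip the optional double quotes around field 1)
    if [ -f "$file" ] && awk -v u="$user" '{ f=$1; gsub(/"/, "", f); if (f == u) found=1 } END { exit !found }' "$file"; then
        echo "add_ppp_user: '$user' already present in $file" >&2
        return 1
    fi
    ( umask 077; printf '"%s" l2tpd "%s" *\n' "$user" "$pass" >> "$file" )
    chmod 600 "$file"
    printf '%s\n' "$pass"
}

# Both files hold cleartext credentials; fail if any is readable by others.
# usage: check_secret_perms <file>...
check_secret_perms() {
    local f mode rc=0
    for f in "$@"; do
        if ! mode=$(stat -c '%a' "$f" 2>/dev/null); then
            echo "missing: $f" >&2; rc=1; continue
        fi
        case "$mode" in
            600|400) ;;
            *) echo "$f is mode $mode, expected 600" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on the server, as root:  ./l2tp-secrets.sh 25.x.x.x alice
if [ $# -eq 2 ]; then
    psk=$(write_psk_secrets "$1")
    pass=$(add_ppp_user "$2")
    check_secret_perms /etc/ipsec.secrets /etc/ppp/chap-secrets
    echo "PSK: $psk"
    echo "password for $2: $pass"
fi
```

After running it, restart ipsec so pluto re-reads ipsec.secrets; pppd reads chap-secrets on every login, so new users need no restart. Hand the PSK and password to the client over a channel other than the VPN itself.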

Create the following script (it repeats the redirect settings from above, so they can be re-applied at boot after the interfaces exist):
vi /usr/bin/zl2tpset
#!/bin/bash
# disable ICMP redirects on every interface
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > "$each/accept_redirects"
echo 0 > "$each/send_redirects"
done

Give it execution permission
chmod +x /usr/bin/zl2tpset

Run the commands :
zl2tpset
xl2tpd

Append the following lines to rc.local
vi /etc/rc.local
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/ipsec restart
/usr/bin/zl2tpset
/usr/local/sbin/xl2tpd

Verify ipsec :
ipsec verify

Now you can connect to the VPN using the following credentials (the placeholder values from this howto; substitute the ones you configured):

ServerIP:25.x.x.x
username:test
password:test123
PSK Key:server.lap.work

Check the same site for openvpn and pptpd vpn installation and configurations.



Wednesday, June 15, 2011

How to block or allow ips using .htaccess

Suppose you have a site abc.com, and in its document root there is a directory "admin" that should be closed to everyone except clients coming from a few known IP addresses.

You can do this by creating a .htaccess file in the "admin" directory. Apache only honours it if the main configuration grants at least "AllowOverride Limit" for that directory tree; otherwise the file is silently ignored and the directory stays open.

The .htaccess file can look like this (Apache 2.2 syntax):

Order Deny,Allow
Deny from all
Allow from IP_address1
Allow from IP_address2
Allow from IP_address3
Allow from IP_address4
Allow from IP_address5

That's it.

abc.com/admin/ is now reachable only from IP_address1-5; everyone else gets 403 Forbidden. "Order Deny,Allow" evaluates the Deny lines first and then the Allow lines, so the listed addresses override the "Deny from all". One caveat: if the server sits behind a reverse proxy or load balancer, the address Apache sees is the proxy's, not the client's, and the rule will either lock everyone out or let everyone in.
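The same restriction in Apache 2.4 syntax, added here as an example that is not part of the original post. In 2.4 the Order/Deny/Allow directives only keep working if mod_access_compat is loaded; the native form is "Require ip", which in a .htaccess needs "AllowOverride AuthConfig" rather than "Limit". The addresses are placeholders taken from the documentation ranges.

```apache
# Apache 2.4 (mod_authz_core) equivalent of the Order/Deny/Allow block above.
# Everything not matched by a Require line is denied with 403.
# Addresses are placeholders: one single client and one whole office network.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
```

Several "Require ip" lines at the top level are already combined with OR, so the <RequireAny> wrapper is optional; it is kept here to make the intent explicit.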