Включаем необходимые модули на хостовой машине:
nano /etc/modules
ah4
af_key
esp4
l2tp_ppp
ipcomp
xfrm4_mode_transport
xfrm4_mode_tunnel
xfrm_user
xfrm_ipcomp
Создаем LXC контейнер с Ubuntu Trusty amd64
В конфигурации контейнера /var/lib/lxc/[container_name]/config прописываем разрешения на работу с устройством /dev/ppp.
Сначала на хосте смотрим параметры этого устройства:
sudo ls -ls /dev/ppp
Вывод:
0 crw------- 1 root root 108, 0 Jun 8 21:19 /dev/ppp
Отсюда берем значения 108 и 0 и прописываем их в /var/lib/lxc/[container_name]/config:
sudo nano /var/lib/lxc/[container_name]/config
lxc.cgroup.devices.allow = c 108:0 rwm
Внутри контейнера:
echo "nameserver 77.88.8.8" >> /etc/resolv.conf
apt update
apt-get install openswan xl2tpd nano iptables iptables-persistent
Правим конфиг ipsec, строго собюдая отступы.
nano /etc/ipsec.conf
version 2 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g$
type=transport
#because we use l2tp as tunnel protocol
left=10.10.10.4
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
Пароль для ipsec:
nano /etc/ipsec.secrets
10.10.10.4 %any: PSK "P@ssw0rd"
Отключаем внутри контейнера send и accept редиректы :
for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done
Перезапускаем ipsec:
/etc/init.d/ipsec restart
Правим конфиг l2tp:
nano /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Правим способ авторизации:
nano /etc/xl2tpd/l2tp-secrets
# Secrets for authenticating l2tp tunnels
# us them secret
# * marko blah2
# zeus marko blah
# * * interop
* * * # let all , because we use auth with chap
nano /etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1400
mru 1400
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Создаем аккаунты пользователей:
nano /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
testUSER l2tpd testPASS *НАТ!!!
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPTiptables -P FORWARD DROP
iptables -A FORWARD -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtuiptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
Ребутим сервисы :
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart