Jan Taczanowski's tech blog

IKEv2 with Let’s Encrypt- robust IPsec vpn solution for Windows, Android, Linux, macOS and iOS clients

14/01/2018 Jan Taczanowski No Comments

Hello 🙂

In this post I will describe how to prepare solid vpn gateway which works flawlessly with many different clients.

I choose the solution based on modern IKEv2 protocol created with Microsoft and Cisco together. In a big simplification – IKEv2 (Internet Key Exchange version 2) is responsible to set up a security association (SA) in the IPsec protocol suite.

Advantages of IKEv2 over IKEv1 protocol:

it tolerates interruptions, latency etc. on network connection. For example, if the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished — in transparent way to the user.
EAP authentication – we can authenticate simply, by username and password
better dead peer/tunnel detection
consume less bandwidth

IKEv2 has built in client in Windows 7 and newer and on macOS and iOS systems.
For Android there is a StrongSwan client app which is working very well. In Linux we can simply use Strongswan which is one of IPsec implementation for Linux.

In setup below I will use certificate for server obtained from Let’s Encrypt. It is needed because Windows clients will not work with self signed certificate without adding our CA as trusted. My goal is that we don’t have to provide anything other then user name and password 🙂

I will skip the part describing an obtaining a certificate from Let’s Encrypt. It is well documented in internet.
For server/gateway side I used Strongswan which provides support for IKEv2.

Server configuration

For setup server side we have to:
Install Strongswan:
(I’m installing it on OpenSUSE)

zypper install strongswan

1	zypper install strongswan

or if you using Debian based Linux distribution

apt-get install strongswan

1	apt-get install strongswan

I already have a certificate Let’s Encrypt for my domain. The typical catalog structure with the certificates from Let’s Encrypt looks as follows:

router:~ # ls -l /etc/certbot/live/taczanowski.net/
lrwxrwxrwx 1 root root  39 01-10 00:22 cert.pem -> ../../archive/taczanowski.net/cert2.pem
lrwxrwxrwx 1 root root  40 01-10 00:22 chain.pem -> ../../archive/taczanowski.net/chain2.pem
lrwxrwxrwx 1 root root  44 01-10 00:22 fullchain.pem -> ../../archive/taczanowski.net/fullchain2.pem
lrwxrwxrwx 1 root root  42 01-10 00:22 privkey.pem -> ../../archive/taczanowski.net/privkey2.pem
-rw-r--r-- 1 root root 543 11-10 18:23 README

router:~ # ls -l /etc/certbot/live/taczanowski.net/

lrwxrwxrwx 1 root root 39 01-10 00:22 cert.pem -> ../../archive/taczanowski.net/cert2.pem

lrwxrwxrwx 1 root root 40 01-10 00:22 chain.pem -> ../../archive/taczanowski.net/chain2.pem

lrwxrwxrwx 1 root root 44 01-10 00:22 fullchain.pem -> ../../archive/taczanowski.net/fullchain2.pem

lrwxrwxrwx 1 root root 42 01-10 00:22 privkey.pem -> ../../archive/taczanowski.net/privkey2.pem

-rw-r--r-- 1 root root 543 11-10 18:23 README

To use it in Strongswan it is necessary to create links to certificates and keys:

ln -s /etc/certbot/live/taczanowski.net/cert.pem /etc/ipsec.d/certs/cert.pem
ln -s /etc/certbot/live/taczanowski.net/chain.pem /etc/ipsec.d/certs/chain.pem
ln -s /etc/certbot/live/taczanowski.net/privkey.pem /etc/ipsec.d/private/privkey.pem

ln -s /etc/certbot/live/taczanowski.net/cert.pem /etc/ipsec.d/certs/cert.pem

ln -s /etc/certbot/live/taczanowski.net/chain.pem /etc/ipsec.d/certs/chain.pem

ln -s /etc/certbot/live/taczanowski.net/privkey.pem /etc/ipsec.d/private/privkey.pem

W need to provide Let’s Encrypt intermediate certificate:

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \
/etc/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

1 2	wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \ /etc/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

This is very important step, I was spent a lot of hours to discover that Windows works properly only if we are providing intermediate certificate. Other CA certs in /etc/ipsec.d/cacerts/ , especially self-signed may also causing problems

Now we can edit /etc/ipsec.conf
My configuration looks as follows:

router:~ # cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
    # Allow for multiple connections form one account
	uniqueids = no
	charondebug = ike 3, cfg 3

conn IKEV2
	auto=add
	dpdaction=clear
    dpddelay=60s
    rekey=no
	fragmentation=yes
	keyexchange=ikev2

	# left - server configuration
	left=%any
	leftsubnet=0.0.0.0/0 #all client traffic is redirected through vpn gateway
	leftauth=pubkey
	leftcert=cert.pem
	leftsendcert=always
	leftid=taczanowski.net

	# right - client confguration
	right=%any
	rightsourceip=192.168.62.0/24 # pool of IPs which we providing for vpn clients
	rightauth=eap-mschapv2  # authenticate by username and password
	rightsendcert=never
	rightdns=8.8.8.8 # DNS server for clients
	rightid=%any
	eap_identity=%identity

router:~ # cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

# strictcrlpolicy=yes

# Allow for multiple connections form one account

uniqueids = no

charondebug = ike 3, cfg 3

conn IKEV2

auto=add

dpdaction=clear

dpddelay=60s

rekey=no

fragmentation=yes

keyexchange=ikev2

# left - server configuration

left=%any

leftsubnet=0.0.0.0/0 #all client traffic is redirected through vpn gateway

leftauth=pubkey

leftcert=cert.pem

leftsendcert=always

leftid=taczanowski.net

# right - client confguration

right=%any

rightsourceip=192.168.62.0/24 # pool of IPs which we providing for vpn clients

rightauth=eap-mschapv2 # authenticate by username and password

rightsendcert=never

rightdns=8.8.8.8 # DNS server for clients

rightid=%any

eap_identity=%identity

After that we have to add private key (/etc/ipsec.d/private/privkey.pem) and define usernames and passwords for vpn clients.

router:~ # cat /etc/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA privkey.pem
user1 : EAP "user1_password"
user2 : EAP "user2_password"

router:~ # cat /etc/ipsec.secrets

# ipsec.secrets

# This file holds the RSA private keys or the PSK preshared secrets for

# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

: RSA privkey.pem

user1 : EAP "user1_password"

user2 : EAP "user2_password"

This is the whole Strongswan configuration. To apply configuration Strongswan must be restarted:

 service strongswan restart

1	service strongswan restart

If don’t have configured NAT/masquerade your clients will not have internet.

If you want allow your clients access to the internet, you have to enable nat/masquerade

iptables -t nat -A POSTROUTING -s 192.168.62.0/24 -j MASQUERADE

1	iptables -t nat -A POSTROUTING -s 192.168.62.0/24 -j MASQUERADE

In some cases there is a problem with mtu/mss which can cause for example problem with opening some web pages. Strongswan documentation recommends reduce the MSS for packets transmitded through tunnel. Strongswan documentation
To reduce the mss, add a rule to iptables:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 \
-j TCPMSS --set-mss 1200
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN \
-m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 \

-j TCPMSS --set-mss 1200

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN \

-m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200

From my observations, reducing mss to 1200 ensures trouble-free operation on all clients

Clients configuration

In most clients it is trivial.
Windows

Android

iPhone – iOS

macOS
Very simple configuration, analogous to iOS/iPhone

Linux
Unfortunately, manual configuration is slightly complicated. But then it works very well.
In newer releases of Linux distribution there is a gui plugin for network manager which provide easy configuration of vpn connection. But I haven’t tried it.

Strongswan configuration: /etc/ipsec.conf

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

conn ikev2
    right=taczanowski.net
    rightid=%taczanowski.net
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap
    leftdns=%config4
    fragmentation=yes
    eap_identity=user1
    auto=add

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

# strictcrlpolicy=yes

# uniqueids = no

conn ikev2

right=taczanowski.net

rightid=%taczanowski.net

rightsubnet=0.0.0.0/0

rightauth=pubkey

leftsourceip=%config

leftauth=eap

leftdns=%config4

fragmentation=yes

eap_identity=user1

auto=add

password for user1 i stored in /etc/ipsec.secret:

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.secrets 
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
user1 : EAP "user1_password"

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.secrets

# ipsec.secrets

# This file holds the RSA private keys or the PSK preshared secrets for

# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

user1 : EAP "user1_password"

We have to had intermediate and CA root certyficate in /etc/ipsec.d/cacerts:
intermediate:

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \
/etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

1 2	wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \ /etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

root CA certificate is available to copy from DST Root CA X3
I had to copy it to a file in such way (with adding “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“:

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.d/cacerts/root.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.d/cacerts/root.pem

-----BEGIN CERTIFICATE-----

MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/

MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT

DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow

PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD

Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O

rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq

OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b

xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw

7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD

aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV

HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG

SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69

ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr

AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz

R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5

JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo

Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

-----END CERTIFICATE-----

In the default configuration, strongswan does not set the dns addresses provided by the server. This behavior can be changed by editing /etc/strongswan.d/charon/resolv.conf. I uncommented line with “file = /etc/resolv.conf”

x201:/etc/ipsec.d/cacerts # cat /etc/strongswan.d/charon/resolve.conf 
resolve {

    # File where to add DNS server entries.
    file = /etc/resolv.conf

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    resolvconf {

        # Prefix used for interface names sent to resolvconf(8).
        # iface_prefix = lo.inet.ipsec.

    }

}

x201:/etc/ipsec.d/cacerts # cat /etc/strongswan.d/charon/resolve.conf

resolve {

# File where to add DNS server entries.

file = /etc/resolv.conf

# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes

resolvconf {

# Prefix used for interface names sent to resolvconf(8).

# iface_prefix = lo.inet.ipsec.

}

Restart Strongswan:

service strongswan restart

1	service strongswan restart

And connection should be start:

ipsec up ikev2

1	ipsec up ikev2

We can check connection status:

x201:/etc/ipsec.d/cacerts # ipsec status
Security Associations (1 up, 0 connecting):
       ikev2[1]: ESTABLISHED 12 seconds ago, 192.168.50.132[192.168.50.132]...192.168.51.1[taczanowski.net]
       ikev2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cfdfc3f7_i c14e6cdb_o
       ikev2{1}:   192.168.62.3/32 === 0.0.0.0/0

x201:/etc/ipsec.d/cacerts # ipsec status

Security Associations (1 up, 0 connecting):

ikev2[1]: ESTABLISHED 12 seconds ago, 192.168.50.132[192.168.50.132]...192.168.51.1[taczanowski.net]

ikev2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cfdfc3f7_i c14e6cdb_o

ikev2{1}: 192.168.62.3/32 === 0.0.0.0/0

And disconnect connection:

ipsec down ikev2

1	ipsec down ikev2

[Update 21.12.2018]

Carsten who reads this post shared with me some observations with configuring IKEv2 connections on Windows clients.

In more sophisticated scenario, than described here when we don’t want to set vpn connection as default gateway for clients (redirect all trafic to vpn tunnel), but we want use vpn connection only for some specified remote networks then Windows client is a problem.
Windows has no support for traffic selector provided by strongSwan.
Carsten writes:

The VPN LAN should be different to the remote LAN.
Therefore in Windows “Use default gateway on remote network” must be set.
Therefore “leftsubnet=0.0.0.0/0” is necessary, because all traffic of the client goes through the VPN (which is not nice).
Without “Use default gateway on remote network” Windows only sets a route for the VPN LAN, which is useless. It should be possible to set a route to the remote LAN by using the PowerShell. I haven’t tried that yet.

This problem is also described here

Thanks Carsten for sharing your observations.

Linux box as an IPv6 router with SLAAC and DHCPv6-PD

03/05/2017 Jan Taczanowski 3 Comments

Some time ago I replaced my Mikrotik router with linux box which is working as a router for my home network and as a server for some services.
I had to spend some time to set up IPv6 on linux in such way, that everything was working automatically and without need to configuring anything in statically way. This post will be only about IPv6 part of router configurations.
I omit IPv4 part and configurations of network interfaces, because it is well documented in internet.

My router is running on linux openSUSE leap 42.2. The configurations are the same for other distros but file paths of config files may be different.

eth0 – wan interface of the router

eth1 – lan interface of the router
To make the router working, I had to:

change some sysctls to obtain IPv6 address on wan interface of my router by Stateless autoconfiguration (SLAAC).
I used wide-dhcpv6-client client to obtain IPv6 adresses pool (DHCPv6-PD) to redistribute addresses from pool on my devices in home network.
Redistributing addresses is done by dnsmasq.

First step – sysctls:
Part of my /etc/sysctl.conf confgured to obtain IPv6 address from Stateless autoconfiguration (SLAAC) on wan interface – eth0:

# Enable IPv6 forwarding
net.ipv6.conf.all.forwarding = 1

# Obtain IPv6 address on wan interface by Stateless autoconfiguration (SLAAC)
net.ipv6.conf.eth0.accept_ra = 2

# I want to have one IPv6 address on my wan interface, based on my mac address. 
# Without this my router will also have temporary, random IPv6 addresses which will be changing over time.
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

# Enable IPv6 forwarding

net.ipv6.conf.all.forwarding = 1

# Obtain IPv6 address on wan interface by Stateless autoconfiguration (SLAAC)

net.ipv6.conf.eth0.accept_ra = 2

# I want to have one IPv6 address on my wan interface, based on my mac address.

# Without this my router will also have temporary, random IPv6 addresses which will be changing over time.

net.ipv6.conf.all.use_tempaddr = 0

net.ipv6.conf.default.use_tempaddr = 0

After reboot I can see that my wan interface has public IPv6 address:

eth0      Link encap:Ethernet  HWaddr 00:4F:62:XX:XX:XX  
          inet addr:37.X.X.X  Bcast:37.X.X.X  Mask:255.255.254.0
          inet6 addr: fe80::24f:62ff:fe16:bd48/64 Scope:Link
          inet6 addr: 2a03:XXXX:0:252:24f:62ff:fe16:bd48/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:33499400 (31.9 Mb)  TX bytes:25331826 (24.1 Mb)

eth0 Link encap:Ethernet HWaddr 00:4F:62:XX:XX:XX

inet addr:37.X.X.X Bcast:37.X.X.X Mask:255.255.254.0

inet6 addr: fe80::24f:62ff:fe16:bd48/64 Scope:Link

inet6 addr: 2a03:XXXX:0:252:24f:62ff:fe16:bd48/64 Scope:Global

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:264107 errors:0 dropped:0 overruns:0 frame:0

TX packets:38333 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:33499400 (31.9 Mb) TX bytes:25331826 (24.1 Mb)

Second step – wide-dhcpv6-client:
Configuration of wide-dhcpv6-client which will be obtaining IPv6 address pool (DHCPv6-PD) for lan interface (eth1)

router:~ # cat /etc/wide-dhcpv6/dhcp6c.conf 
# eth0 is my wan interface
interface eth0 { 
# request a non-temporary address   
    # request prefix delegation address
    send ia-pd 1;
    request domain-name-servers;
    request domain-name;
};

id-assoc pd 1 {
        prefix ::/64 infinity;
        prefix-interface eth1 {
                sla-len 0;

                # elated with ia-pd to configure subnet on lan interface - eth1
                sla-id 1;

                # "postfix" of IPv6 address on lan interface. 
                # if not configured interface will has EUI-64 (mac based) address.
                # In this case, eth1 will get a IPv6 ending with ::1
                ifid 1;
        };
};

router:~ # cat /etc/wide-dhcpv6/dhcp6c.conf

# eth0 is my wan interface

interface eth0 {

# request a non-temporary address

# request prefix delegation address

send ia-pd 1;

request domain-name-servers;

request domain-name;

};

id-assoc pd 1 {

prefix ::/64 infinity;

prefix-interface eth1 {

sla-len 0;

# elated with ia-pd to configure subnet on lan interface - eth1

sla-id 1;

# "postfix" of IPv6 address on lan interface.

# if not configured interface will has EUI-64 (mac based) address.

# In this case, eth1 will get a IPv6 ending with ::1

ifid 1;

};

Unfortunately package of wide-dhcpv6-client does not provide configuration file for systemd. To start up wide-dhcpv6-client by systemd I created wide-dhcpv6.service entry:

router:~ # cat /usr/lib/systemd/system/wide-dhcpv6.service;
[Unit]
Description=wide-dhcpv6
Before=dnsmasq.service
After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service SuSEfirewall2_init.service

[Service]
ExecStart=/usr/sbin/dhcp6c -c /etc/wide-dhcpv6/dhcp6c.conf -P default -d -D -f eth0
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

router:~ # cat /usr/lib/systemd/system/wide-dhcpv6.service;

[Unit]

Description=wide-dhcpv6

Before=dnsmasq.service

After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service SuSEfirewall2_init.service

[Service]

ExecStart=/usr/sbin/dhcp6c -c /etc/wide-dhcpv6/dhcp6c.conf -P default -d -D -f eth0

RemainAfterExit=true

[Install]

WantedBy=multi-user.target

Enable it on system startup:

router:~ # systemctl enable wide-dhcpv6.service
Created symlink from /etc/systemd/system/multi-user.target.wants/wide-dhcpv6.service to /usr/lib/systemd/system/wide-dhcpv6.service.

1 2	router:~ # systemctl enable wide-dhcpv6.service Created symlink from /etc/systemd/system/multi-user.target.wants/wide-dhcpv6.service to /usr/lib/systemd/system/wide-dhcpv6.service.

After reboot I can see that my lan interface (eth1) has assignment IPv6 address with prefix:

eth1      Link encap:Ethernet  HWaddr C0:3F:D5:6D:F4:5C  
          inet addr:192.168.51.1  Bcast:192.168.51.255  Mask:255.255.255.0
          inet6 addr: fe80::c23f:d5ff:fe6d:f45c/64 Scope:Link
          inet6 addr: 2a03:XXXX:252f:e900::1/56 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:361458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92615 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:61669608 (58.8 Mb)  TX bytes:31434041 (29.9 Mb)
          Interrupt:20 Memory:f7c00000-f7c20000

eth1 Link encap:Ethernet HWaddr C0:3F:D5:6D:F4:5C

inet addr:192.168.51.1 Bcast:192.168.51.255 Mask:255.255.255.0

inet6 addr: fe80::c23f:d5ff:fe6d:f45c/64 Scope:Link

inet6 addr: 2a03:XXXX:252f:e900::1/56 Scope:Global

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:361458 errors:0 dropped:0 overruns:0 frame:0

TX packets:92615 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:61669608 (58.8 Mb) TX bytes:31434041 (29.9 Mb)

Interrupt:20 Memory:f7c00000-f7c20000

Last step – dnsmasq:
Part of configuration of dnsmasq (/etc/dnsmasq.conf) to redistributing IPv6 addresses in home network. Dnsmasq will also work as dns cache. :

# don't listen to anything on eth0
except-interface=eth0

bogus-priv

# IPv6 Route Advertisements
enable-ra

# Create a IPv6 range from address on the interface. The ::1 is related to the ifid in /etc/wide-dhcpv6/dhcp6c.conf.
dhcp-range=tag:eth1,::1,constructor:eth1, ra-names, 12h

# ra-names - it gives DNS names to IPv6 hosts
local=/home/

# don't listen to anything on eth0

except-interface=eth0

bogus-priv

# IPv6 Route Advertisements

enable-ra

# Create a IPv6 range from address on the interface. The ::1 is related to the ifid in /etc/wide-dhcpv6/dhcp6c.conf.

dhcp-range=tag:eth1,::1,constructor:eth1, ra-names, 12h

# ra-names - it gives DNS names to IPv6 hosts

local=/home/

Enable dnsmasq on system startup:

router:~ # systemctl enable dnsmasq.service
Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.

1 2	router:~ # systemctl enable dnsmasq.service Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.

After reboot, devices in home network should be able to use internet by IPv6 🙂

But now, devices in home network are avaible from outside. Each of device has own public IPv6 address which is awailable from outside (internet).

We have to secure it, by allowing only for connections which are initialized from our internal network. It can be done by ip6tables.

ip6tables -A FORWARD -m state --state NEW -i eth1 -o eth0 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP

ip6tables -A FORWARD -m state --state NEW -i eth1 -o eth0 -j ACCEPT

ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -P FORWARD DROP

It’s all, described configuration works flawlessly for me for days 🙂

Securing ssh by iptables rules

16/04/2017 Jan Taczanowski 3 Comments

I secured my ssh server in simple way – with iptables rules which will be blocking attackers. I setup my iptables in such way, that it is allowing only one tcp syn packet to ssh port per minute from one ip address. With aditional configuration of sshd daemon the rules will allowing for once login attempt per hour.
iptables rules:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -m hashlimit \
--hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-htable-expire 3600000 --hashlimit-mode srcip \
--hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -m hashlimit \

--hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-htable-expire 3600000 --hashlimit-mode srcip \

--hashlimit-name ssh -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

After we reaches this one new connection per hour, the hashlimit-htable-expire rule starts to counting 60 minutes (3600000ms). In this time you can not connect again to ssh.

MaxAuthTries in /etc/ssh/sshd_config – this is important, with this, sshd will be closing ssh connections after authentication failure, thus attacker will have to create new ssh connection (and tcp connection) to try again. This fact (new syn packet) will by noticed by iptables.

MaxAuthTries 3

1	MaxAuthTries 3

If you use only public key authentication, you can set MaxAuthTries to 1 because this is first authentication method provided by OpenSSH server, also ssh clients firstly tries authenticate through public key. Other authentication methods are on further places.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey

With MaxAuthTries set to 1 only fist authentication method will work – usually publickey.

You can check the blocked addresses:

router:~ # cat /proc/net/ipt_hashlimit/ssh
16 216.98.212.11:0->0.0.0.0:0 90670848 108000000 36000000
338 42.7.26.55:0->0.0.0.0:0 80364416 108000000 36000000
553 116.31.116.50:0->0.0.0.0:0 31482240 108000000 36000000
593 123.183.209.134:0->0.0.0.0:0 32435072 108000000 36000000

router:~ # cat /proc/net/ipt_hashlimit/ssh

16 216.98.212.11:0->0.0.0.0:0 90670848 108000000 36000000

338 42.7.26.55:0->0.0.0.0:0 80364416 108000000 36000000

553 116.31.116.50:0->0.0.0.0:0 31482240 108000000 36000000

593 123.183.209.134:0->0.0.0.0:0 32435072 108000000 36000000

This rules very limited strength of attacks on my ssh.

Please test this first with another server access!

NanoPi NEO as remote SDR server for RTL2832u

17/02/2017 Jan Taczanowski No Comments

Hi!
Today I will show how to make remote SDR radio server for RTL2832u dongle with very small and cheap device such as NanoPi NEO.

The main purpose of this is that I want place the NanoPI with RTL dongle and antenna attached to it on remote location – on high building 250 meters far away from my home. I have wireless bridge connecting my home with this place.

Notice: Wireless have to be able to send about 16Mb/s of tcp trafic from NanoPi to PC.

On NanoPi I installed Armian Linux. After that I was set up rtl_tcp server:
900001 – this is lowest sample-rate which can be used, I used lowest because my wireless bridge wasn’t able to pass more traffic.

 apt-get install rtl-sdr; rtl_tcp -a 0.0.0.0 -s 900001

1	apt-get install rtl-sdr; rtl_tcp -a 0.0.0.0 -s 900001

 _   _                   ____  _   _   _            
| \ | | __ _ _ __   ___ |  _ \(_) | \ | | ___  ___  
|  \| |/ _` | '_ \ / _ \| |_) | | |  \| |/ _ \/ _ \ 
| |\  | (_| | | | | (_) |  __/| | | |\  |  __/ (_) |
|_| \_|\__,_|_| |_|\___/|_|   |_| |_| \_|\___|\___/ 
                                                    

Welcome to ARMBIAN 5.25 stable Ubuntu 16.04.1 LTS 4.9.4-sun8i   
System load:   0.44            	Up time:       7 days		
Memory usage:  4 % of 497Mb  	IP:            192.168.51.30
CPU temp:      34°C           	
Usage of /:    17% of 14G    	


[ 23 updates to install: apt-get upgrade ]

Last login: Fri Feb 17 00:16:31 2017 from 192.168.51.24

root@nanopineo:~# apt-get install rtl-sdr
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  rtl-sdr
0 upgraded, 1 newly installed, 0 to remove and 23 not upgraded.
Need to get 0 B/50.0 kB of archives.
After this operation, 159 kB of additional disk space will be used.
Selecting previously unselected package rtl-sdr.
(Reading database ... 75756 files and directories currently installed.)
Preparing to unpack .../rtl-sdr_0.5.3-5_armhf.deb ...
Unpacking rtl-sdr (0.5.3-5) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up rtl-sdr (0.5.3-5) ...

root@nanopineo:~# rtl_tcp -a 0.0.0.0 -s 900001
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Lifeview LV5TDeluxe
Found Fitipower FC0013 tuner
Exact sample rate is: 900001.019241 Hz
Tuned to 100000000 Hz.
listening...
Use the device argument 'rtl_tcp=0.0.0.0:1234' in OsmoSDR (gr-osmosdr) source
to receive samples in GRC and control rtl_tcp parameters (frequency, gain, ...).

_ _ ____ _ _ _

| \ | | __ _ _ __ ___ | _ \(_) | \ | | ___ ___

| \| |/ _` | '_ \ / _ \| |_) | | | \| |/ _ \/ _ \

| |\ | (_| | | | | (_) | __/| | | |\ | __/ (_) |

|_| \_|\__,_|_| |_|\___/|_| |_| |_| \_|\___|\___/

Welcome to ARMBIAN 5.25 stable Ubuntu 16.04.1 LTS 4.9.4-sun8i

System load: 0.44 Up time: 7 days

Memory usage: 4 % of 497Mb IP: 192.168.51.30

CPU temp: 34°C

Usage of /: 17% of 14G

[ 23 updates to install: apt-get upgrade ]

Last login: Fri Feb 17 00:16:31 2017 from 192.168.51.24

root@nanopineo:~# apt-get install rtl-sdr

Reading package lists... Done

Building dependency tree

Reading state information... Done

The following NEW packages will be installed:

rtl-sdr

0 upgraded, 1 newly installed, 0 to remove and 23 not upgraded.

Need to get 0 B/50.0 kB of archives.

After this operation, 159 kB of additional disk space will be used.

Selecting previously unselected package rtl-sdr.

(Reading database ... 75756 files and directories currently installed.)

Preparing to unpack .../rtl-sdr_0.5.3-5_armhf.deb ...

Unpacking rtl-sdr (0.5.3-5) ...

Processing triggers for man-db (2.7.5-1) ...

Setting up rtl-sdr (0.5.3-5) ...

root@nanopineo:~# rtl_tcp -a 0.0.0.0 -s 900001

Found 1 device(s):

0: Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Lifeview LV5TDeluxe

Found Fitipower FC0013 tuner

Exact sample rate is: 900001.019241 Hz

Tuned to 100000000 Hz.

listening...

Use the device argument 'rtl_tcp=0.0.0.0:1234' in OsmoSDR (gr-osmosdr) source

to receive samples in GRC and control rtl_tcp parameters (frequency, gain, ...).

The next step was to setup and start gqrx on my home computer:
Notice: Input rate must be the same as set on rtl_tcp server. 192.168.51.30 – this is IP address of my NanoPi.

And now, we can hear everything around us 🙂