I’ve always needed to be able to connect into my home network remotely for one reason or another, so I wanted a quick, secure and cheap VPN solution to do the trick. If you’re only going to have a handful of users connected at one time, something like a Raspberry Pi is ideal for the job: you’re going to be leaving it running permanently, so something quiet and low power suits.
I’ve used a Raspberry Pi 3 in this case and installed Ubuntu Linux 20.04 on it; other than that, that’s all you need to get started.
https://danielmiessler.com/blog/building-your-own-dedicated-ipsec-vpn-in-less-than-10-minutes/
Much of what is shown below is based on the above link and the hwdsl2 build that can be found here: https://github.com/hwdsl2/setup-ipsec-vpn, great work. I’m summarising the steps below as a record of my own install, but making them public so others can see how to do it, along with some additional considerations on log monitoring.
Generate the Password and Keys
The VPN server will use IPsec and L2TP, so we need two secrets. The first, a 10 character one, will be the password for the VPN credentials, and the second, a 16 character one, will be the PSK (Pre-Shared Key).
So logon to the Raspberry Pi and run these two commands:
openssl rand -base64 10
openssl rand -base64 16
Install the VPN Server
Next we run the following command on the Raspberry Pi to install the VPN, substituting in the two secrets we generated above: the 16 character one first as the PSK, then the 10 character one as the password. For VPN_USER put in whatever username you feel is suitable.
wget https://git.io/vpnsetup -O vpnsetup.sh && VPN_IPSEC_PSK='<16_char_secret>' VPN_USER='<VPN_Username>' VPN_PASSWORD='<10_char_secret>' sudo sh vpnsetup.sh
Once installed, you’ll be presented with the following:
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: <Your IP Address>
IPsec PSK: <16_char_secret>
Username: <VPN_Username>
Password: <10_char_secret>
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
IKEv2 guide: https://git.io/ikev2
Configure Your Firewall
Configuring your firewall to allow the traffic in from the outside world could be a complete article in itself. Essentially you need to allow IPsec and IKE through to your Raspberry Pi’s internal IP address; “port forwarding” is typically what this is called.
Connecting Your Device to VPN
So let’s say you want to use an Android device to connect to your VPN. You’d do this on your phone (some steps may be slightly different, but the general idea is the same):
1. Launch the Settings application.
2. Tap “Network & internet”. Or, if using Android 7 or earlier, tap More… in the Wireless & networks section.
3. Tap VPN.
4. Tap Add VPN Profile or the + icon at top-right of screen.
5. Enter anything you like in the Name field.
6. Select L2TP/IPSec PSK in the Type drop-down menu.
7. Enter Your VPN Server IP in the Server address field.
8. Leave the L2TP secret field blank.
9. Leave the IPSec identifier field blank.
10. Enter Your VPN IPsec PSK in the IPSec pre-shared key field, i.e. the <16_char_secret>
11. Tap Save.
12. Tap the new VPN connection.
13. Enter Your VPN Username in the Username field, i.e. the <VPN_Username>
14. Enter Your VPN Password in the Password field, i.e. the <10_char_secret>
15. Check the Save account information checkbox.
16. Tap Connect.
Assuming you’ve got connected, you can verify it is working correctly by trying to contact something on your home network which you would otherwise not be able to reach without the VPN. Also, if you try to access the Internet from your Android device, you should find that it shows your home IP address via the VPN, rather than a mobile Internet IP of your service provider.
Log Monitoring
You can find the VPN logging in the normal places: on Ubuntu, Libreswan logs into /var/log/auth.log and xl2tpd logs into /var/log/syslog.
If you want to log the IPsec and L2TP usernames, add the line “debug” to the /etc/ppp/options.xl2tpd file and run service xl2tpd restart. All future connections will then show with debug logging, so you can see the individual username in there too.
Now I know that I’m the only user of my home network VPN, so it would be good to know when someone is trying to connect or has connected, so some sort of quick and dirty monitoring of the logs will be handy.
So something like the below will pull out the date, time and IP address of connections being made, successful or otherwise (field 7 of the pluto line is the peer address):
grep -F 'l2tp-psk' /var/log/auth.log | grep -F 'responding to Main Mode from' | awk '{print $1,$2,$3,$7}'
This is useful to retrospectively look at the connections attempted, so you know if something was trying to connect; hopefully it should just be you!
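As an added example (not from the original post or the hwdsl2 project), here is the same grep/awk idea wrapped in small shell functions and run over a constructed sample of auth.log lines, adding a per-IP attempt count and a simple allow-list check for fixed client addresses you expect to see. The sample log lines, hostnames and IP addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Libreswan
# "responding to Main Mode" lines per source IP and flag sources that
# are not in an allow-list of expected client addresses.

# Constructed sample of /var/log/auth.log lines (not real data), in the
# pluto format the post's grep picks out; the sshd line is there to show
# that unrelated auth.log entries are ignored.
SAMPLE_LOG='Mar  5 08:12:01 pi pluto[812]: "l2tp-psk"[1] 198.51.100.23 #1: responding to Main Mode from unknown peer 198.51.100.23 on port 500
Mar  5 08:12:01 pi pluto[812]: "l2tp-psk"[1] 198.51.100.23 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar  5 19:40:17 pi pluto[812]: "l2tp-psk"[2] 203.0.113.77 #3: responding to Main Mode from unknown peer 203.0.113.77 on port 500
Mar  5 19:40:19 pi pluto[812]: "l2tp-psk"[3] 203.0.113.77 #4: responding to Main Mode from unknown peer 203.0.113.77 on port 500
Mar  5 19:40:21 pi pluto[812]: "l2tp-psk"[4] 203.0.113.77 #5: responding to Main Mode from unknown peer 203.0.113.77 on port 500
Mar  5 21:02:44 pi sshd[901]: pam_unix(sshd:session): session opened for user pi by (uid=0)'

# Print "month day time ip" for every Main Mode attempt read from stdin
# (the same fields the post's awk prints; $7 is the peer address).
vpn_attempts() {
    grep -F 'l2tp-psk' | grep -F 'responding to Main Mode from' | awk '{print $1, $2, $3, $7}'
}

# Count attempts per source IP, most frequent first, as "ip count".
attempts_per_ip() {
    vpn_attempts | awk '{print $4}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Print "ip count" for every source not in the space-separated allow-list
# given as $1. Mobile clients have unpredictable addresses, so this is only
# meaningful for fixed locations you know you connect from.
unexpected_sources() {
    allow="$1"
    attempts_per_ip | while read -r ip count; do
        case " $allow " in
            *" $ip "*) ;;              # expected client, stay quiet
            *) echo "$ip $count" ;;    # unexpected source and its attempt count
        esac
    done
}

# Stand-alone run over the constructed sample; in practice feed it
# /var/log/auth.log instead.
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources "198.51.100.23"
```

Three attempts in a few seconds from an address you do not recognise is exactly the pattern the rsyslog alert below is meant to surface as it happens.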
Log Monitoring (SSH and/or VPN)
Let’s make it automatic. If you create a file called, say, 52-sshlogging.conf and put it in /etc/rsyslog.d/ with the following contents:
$ModLoad ommail
$ActionMailSMTPServer yourmailserver.domain.com
$ActionMailFrom rsyslog@whatever.com
$ActionMailTo you@youremail.com
$template mailSubject,"Login Alert on %hostname%"
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
# the if ... then ... mailBody must be on one line!
if $msg contains 'session opened for user' then :ommail:;mailBody
Then bounce the rsyslog daemon with systemctl restart rsyslog; that will send you an email whenever someone logs onto the Raspberry Pi with SSH. For the VPN logs you can add another file, I found trying to add it to the same file didn’t seem to work!
$ModLoad ommail
$ActionMailSMTPServer yourmailserver.domain.com
$ActionMailFrom rsyslog@whatever.com
$ActionMailTo you@youremail.com
$template mailSubject,"Login Alert on %hostname%"
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
# the if ... then ... mailBody must be on one line!
if $msg contains 'responding to Main Mode from' then :ommail:;mailBody
Now restart rsyslog again, and when you log in via VPN or SSH you’ll get an email sent to you, so you’ll know something is up!
https://unix.stackexchange.com/questions/143864/monitor-all-login-attempts