Chromebooks are great devices. Unfortunately they do not support a wide range of VPN technologies, and PPTP (what we tend to use at Astyran since it is supported by most devices) is not in the list.
So we had no choice but to modify our standard images to support L2TP over IPsec with PSK (pre-shared key). Chrome OS also supports L2TP over IPsec with certificate-based authentication and OpenVPN, but these are more complicated to set up, especially if you need to support a wide range of devices.
Goal of our set-up
The goal of this procedure is to document a quick and dirty method to set up a single L2TP VPN server with PSK to be used for our Chromebooks. It should work with other clients too.
Note that we will be using a Google DNS server (22.214.171.124) and once a client is connected, all traffic is allowed through the VPN, including internet traffic.
The documented method should be fine for a single VPN server in a simple environment. If you have a more complicated setup, please spend some weeks cursing and reading on the intricacies of a VPN set-up using Linux.
First create a (micro) EC2 instance (64-bit). We used the latest available Amazon Linux AMI (v2013.03.1). Log in as ec2-user and enter the following in the shell:
sudo su -
yum update
yum install -y --enablerepo=epel openswan xl2tpd
Note that the --enablerepo switch enables the Amazon Linux EPEL (Extra Packages for Enterprise Linux) repository.
Use your favourite editor (e.g. nano) to modify the file /etc/xl2tpd/xl2tpd.conf so that its [lns default] section reads:
[lns default]
ip range = 192.168.22.70-192.168.22.79
local ip = 192.168.22.1
require chap = yes
name = myVPNServer
You can of course use other IP addresses. The above instructs the VPN to use 192.168.22.1 as a local address, and gives remote clients an IP address between 192.168.22.70 and 192.168.22.79.
Note the name myVPNServer that we will need in the next step.
Edit the CHAP secrets file (/etc/ppp/chap-secrets on a standard pppd install) to read:
# Secrets for authentication using CHAP
# client    server        secret        IP addresses
Zaphod      myVPNServer   Beeblebrox    *
This will set the user-id to Zaphod and the password to Beeblebrox.
Now edit the file /etc/ipsec.conf and add the following:
conn EC2
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # L2TP over IPsec uses transport mode, not the default tunnel mode
    type=transport
    auto=add
Now edit/create the file /etc/ipsec.d/ec2.secrets and insert the following:
%any %any : PSK "milliways;2013"
This will set the shared secret (PSK) for the L2TP VPN connection to milliways;2013. Please do change this password and use a much, much longer one.
Edit /etc/sysctl.conf via a text editor and change the following line to read "= 1" (the default is "0"):
net.ipv4.ip_forward = 1
Now execute the following commands:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
We are nearly there:
sysctl -p
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
chkconfig xl2tpd on
chkconfig ipsec on
If there are no errors, execute:
Now configure your EC2 security groups for this VPN to allow:
UDP port 1701 (for L2TP)
UDP port 500 (for IKE)
UDP port 4500 (for IPsec over UDP, i.e. NAT traversal)
That's it! Check here for more information on how to set up your Chromebook for an L2TP VPN with a pre-shared key.