[HOWTO] IPSec VPN to XigmaNAS


[HOWTO] IPSec VPN to XigmaNAS

Post by techlord » 11 Dec 2017 12:59

1. DESCRIPTION
This is a step-by-step tutorial on creating an IPSEC VPN to your XigmaNAS server. This is an encrypted tunnel between your XigmaNAS server and another endpoint (such as your phone/laptop/tablet) that goes over the Internet and allows safe access to resources inside your home network.

A. My reasons for needing one:
a) Access to the Samba and FTP services (or any other service) from my mobile phone WITHOUT exposing these services to the Internet
b) Exiting to the Internet through my home ISP as opposed to my mobile ISP (for "GEO IP blocking" bypass for example)

B. My setup:
[XigmaNAS server] ---(home lan)---[ROUTER (TPLink)]-----(Internet)----[Android Phone 7.0]

C. Minimum requirements:
a) Client - any device that can create an IPSEC tunnel: my implementation uses a "pre-shared key" but there are plenty of tutorials on creating IPSec with certificates. I use the built-in VPN in Android 7.0.
b) XigmaNAS built on FreeBSD 11.1 and up - this is the only version that has kernel IPSEC support out of the box.
c) SSH management to your XigmaNAS server activated and a LAN machine with an SSH client (putty, xshell)
d) good knowledge of the vi tool in the CLI

2. XigmaNAS setup.
If you have a full XigmaNAS installation you can go straight to B, otherwise follow the instructions in section A for embedded XigmaNAS.

A. Preparation.
If you have an embedded XigmaNAS deployed (like myself), it's hard to do any modifications to the underlying FreeBSD and really not recommended. Other options are:
a) creating a JAIL and deploying the IPSEC there. I only mention this option because it seems doable but I had a lot of issues with enabling IPSEC inside a jail. Basically, a jail is a separate environment inside your OS. You can start processes there which will not be able to access your main OS. More on JAILS on XigmaNAS here:
https://www.xigmanas.com/forums/viewtop ... 89df1311d7

b) deploying a dedicated IPSEC virtual machine with the VirtualBox service in your XigmaNAS. This has many advantages like security and not screwing with your XigmaNAS main deployment. I highly recommend this way even if you have a full installation.

Here are the steps:
i) VirtualBOX setup:
In the XigmaNAS GUI go to Virtualization-Virtual Box and enable the service. I pointed the Home Directory to a new folder I created [VMs] on the spinning disks RAID. After you enable the service you should get access to the Virtual Box
Administrative page: https://"your_xigmanas_ip"/phpvirtualbox/index.html

ii) Download FreeBSD 11.2:
The IPSEC machine will basically be a new FreeBSD machine (you can actually do this on any Linux) that you will have to install. You can do this by downloading an ISO from:
https://download.freebsd.org/ftp/releas ... AGES/11.2/
OR (and my personal choice) downloading a prebuilt VM, which will make your deployment take a few minutes, from:
https://download.freebsd.org/ftp/releas ... 64/Latest/
Download "FreeBSD-11.2-RELEASE-amd64.vmdk.xz", extract the *.vmdk and put it on the NAS in a folder. I put it in the virtualbox home directory: /mnt/myraid/VMs .
Easiest way to put it on the NAS is from a local computer via samba or SCP. Now, depending on how you put the file there, you may need to change permissions so that virtualbox can use it.
Go to the folder that contains this file and issue (as root):

Code:
    chown vboxusers:vboxusers FreeBSD-11.2-RELEASE-amd64.vmdk

iii) Install the VM:
Go back to the virtualbox management page and press "new"; the menu for a new VM will appear. You can put there anything you want that will help your own setup, here is what I put:
- name: myvpnvm, type: BSD, Version: FreeBSD (64-bit)
- System: 256MB of RAM, enough for only IPSEC, more if you plan to use for other services
- Use an existing hard disk -> point to the *vmdk downloaded earlier
Create and open settings to do further configs
- General - startup mode Auto if you want it to autostart on nas4free reboot
- Display -> Remote display tab - choose a port (I put 15001) and input a VNC password - you will need this later
- disable audio
- NETWORK (very important) - choose "bridged adapter" (check under name and select the card there) and promiscuous "allow all". This will make the VM part of your home LAN meaning you will have to assign an IP in the same subnet as the NAS.
Click OK and start the machine.

iv) Configure IP and SSH service on the machine.
Now that the VM is UP we need to configure an IP address on it and [optional] enable SSH service for easier management.
Access to the VM's console is done with VNC. There is a webVNC (called noVNC) already installed on XigmaNAS. You can access your new VM at:
https://your_xigmanas_ip/novnc/vnc.html?host=your_xigmanas_ip&port=15001
If this works for you - great, it did not work for me so I had to install a VNC client on my windows machine - UltraVNC. Connect to the VM using your XigmaNAS server IP, port and password configured at the steps above.
Once you see the VM CLI screen:
- login with "root" - should request no password
- change the root password with:

Code:
    passwd

- put an IP in /etc/rc.conf:

Code:
    vi /etc/rc.conf

The IP MUST be in the same subnet as the nas4free server and the defaultrouter should be the router that has the Internet link. Example:

Code:
    ifconfig_em0="inet 192.168.0.201 netmask 255.255.255.0"
    defaultrouter="192.168.0.1"

It would be a good idea to enable SSH as configuring via VNC is a pain.

B. IPSEC setup.
Now that we have a dedicated IPSEC VM (or we have a full nas4free installation) we can get on with ipsec. There are multiple ways of creating an ipsec server, such as ipsec-tools (racoon) and strongswan. I prefer strongswan as it is very well documented and easy to use.
Install strongswan:

Code:
    pkg install strongswan

Configure strongswan:

Code:
    vi /usr/local/etc/ipsec.conf

Code:
    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no
        strictcrlpolicy=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes

        rekey=no
        authby=secret

        left=%any
        leftid=example.vpn.com
        leftsubnet=0.0.0.0/0

        right=%any
        rightid=%any
        rightdns=8.8.8.8,8.8.4.4
        rightsourceip=172.16.0.0/24

Considerations:
- remember leftid as it is needed on the client
- the client will get an IP from "rightsourceip".
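Two of the addressing rules in this HOWTO are easy to get wrong: the VM's address has to be in the same subnet as the NAS (section 2.A.iv), and the "rightsourceip" pool should not overlap the home LAN, because section 3.C later adds a static route for that pool via the VM and an overlapping pool would send LAN traffic into the tunnel. The script below is an added example, not part of techlord's post; the function names and the sample addresses (taken from the post's examples, with a constructed NAS address) are my own, and it runs in plain POSIX sh with no network access.

```shell
#!/bin/sh
# Added example (not from the original post): address sanity checks for this HOWTO.
# Section 2.A requires the VM to sit in the same subnet as the NAS, and the
# rightsourceip pool in section 2.B must not overlap the home LAN, otherwise the
# static route towards the pool (section 3.C) would point LAN traffic at the VM.
# The values below are constructed from the post's examples; change them for your LAN.

NAS_IP=192.168.0.99
VM_IP=192.168.0.201
LAN_MASK=255.255.255.0
HOME_LAN=192.168.0.0/24
VPN_POOL=172.16.0.0/24

# ip_to_int A.B.C.D -> the address as a 32-bit integer (printed on stdout)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask LEN -> netmask for a /LEN prefix as an integer
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0; return 0; fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 if both addresses are in the same network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# cidr_overlap A/LEN B/LEN -> exit 0 if the two networks share any address.
# Two prefixes overlap exactly when, under the shorter prefix's mask, they have
# the same network part.
cidr_overlap() {
    na=$(ip_to_int "${1%/*}"); la=${1#*/}
    nb=$(ip_to_int "${2%/*}"); lb=${2#*/}
    if [ "$la" -le "$lb" ]; then m=$(prefix_to_mask "$la"); else m=$(prefix_to_mask "$lb"); fi
    [ $(( na & m )) -eq $(( nb & m )) ]
}

# check_addresses -> exit 0 only if both checks pass; prints one line per check
check_addresses() {
    rc=0
    if same_subnet "$VM_IP" "$NAS_IP" "$LAN_MASK"; then
        echo "ok:   VM $VM_IP is in the same subnet as NAS $NAS_IP"
    else
        echo "FAIL: VM $VM_IP is not in the same subnet as NAS $NAS_IP (mask $LAN_MASK)"
        rc=1
    fi
    if cidr_overlap "$VPN_POOL" "$HOME_LAN"; then
        echo "FAIL: rightsourceip pool $VPN_POOL overlaps the home LAN $HOME_LAN"
        rc=1
    else
        echo "ok:   rightsourceip pool $VPN_POOL is disjoint from the home LAN $HOME_LAN"
    fi
    return $rc
}

check_addresses
```

Run it on any machine with sh before touching the VM; a non-zero exit means one of the two addressing rules is violated and the tunnel will come up but routing will not behave as described in sections 3 and 4.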

Configure the pre-shared key:

Code:
    vi /usr/local/etc/ipsec.secrets

Put:

Code:
    : PSK 'yourpresharedkey'

Make strongswan autostart after boot and make the server able to be used as a gateway with:

Code:
    vi /etc/rc.conf

Code:
    strongswan_enable="YES"
    gateway_enable="YES"

Start the service:

Code:
    service strongswan start

and don't worry about the following errors:

Code:
    no netkey IPsec stack detected
    no KLIPS IPsec stack detected
    no known IPsec stack detected, ignoring!

To check that the service is UP and waiting for connections issue:

Code:
    ipsec statusall

Output should be something like this:

Code:
    Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE, amd64):
    uptime: 2 days, since Dec 08 17:20:11 2017
    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
    loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
    Virtual IP pools (size/online/offline):
    172.16.0.0/24
    Listening IP addresses:
    192.168.0.201
    Connections:
    ikev2-vpn: %any...%any IKEv2
    ikev2-vpn: local: [example.vpn.com] uses pre-shared key authentication
    ikev2-vpn: remote: uses pre-shared key authentication
    ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL
    Security Associations (0 up, 0 connecting):
    none


If you get an error then go back and recheck everything. Do not go further.
If the output is like above you are DONE, IPSEC is up and waiting for connections.
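Before calling section B done, a few things are worth checking that the post leaves implicit: ipsec.secrets holds the PSK, which is a credential, so it should be readable by root only; rc.conf needs both lines from the previous step or strongswan will not survive a reboot or forward traffic; and the "ipsec statusall" output can be parsed rather than eyeballed. The script below is an added example, not part of techlord's post or of strongSwan; its function names are mine, the file paths are passed as arguments, and the status text it parses is constructed from the output shown above so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the strongSwan
# setup in section 2.B. It verifies that ipsec.secrets is readable by root only (the
# PSK is a credential), that rc.conf has the two lines from the post, and it extracts
# the SA count, listening addresses and loaded connections from `ipsec statusall`
# output. SAMPLE_STATUS is constructed from the post's own output.

SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE, amd64):
Listening IP addresses:
  192.168.0.201
Connections:
   ikev2-vpn:  %any...%any  IKEv2
   ikev2-vpn:   local:  [example.vpn.com] uses pre-shared key authentication
Security Associations (0 up, 0 connecting):
  none'

# check_secrets_perms FILE -> exit 0 if the mode is exactly rw for the owner (0600).
# The mode is read from ls so the check works on both FreeBSD and GNU userlands.
check_secrets_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -rw-------) return 0 ;;
        *) echo "FAIL: $1 has mode $mode; run: chmod 600 $1"; return 1 ;;
    esac
}

# check_rc_conf FILE -> exit 0 if strongswan_enable and gateway_enable are both "YES"
check_rc_conf() {
    rc=0
    for key in strongswan_enable gateway_enable; do
        if ! grep -q "^${key}=\"YES\"" "$1"; then
            echo "FAIL: ${key}=\"YES\" is missing from $1"
            rc=1
        fi
    done
    return $rc
}

# sa_up_count STATUS_TEXT -> prints N from "Security Associations (N up, M connecting)"
sa_up_count() {
    printf '%s\n' "$1" | sed -n 's/^Security Associations (\([0-9][0-9]*\) up.*/\1/p'
}

# listening_ips STATUS_TEXT -> prints the addresses under "Listening IP addresses:"
listening_ips() {
    printf '%s\n' "$1" | sed -n '/^Listening IP addresses:/,/^Connections:/{/^ /s/^ *//p;}'
}

# conn_loaded STATUS_TEXT NAME -> exit 0 if NAME is listed as an IKEv2 connection
conn_loaded() {
    printf '%s\n' "$1" | grep -q "^ *$2: .*IKEv2"
}

# run_live_checks SECRETS_FILE RC_CONF -> exit 0 only if both files pass
run_live_checks() {
    check_secrets_perms "$1" && check_rc_conf "$2"
}

# On the VM, as root: sh ipsec_check.sh /usr/local/etc/ipsec.secrets /etc/rc.conf
if [ $# -eq 2 ]; then
    run_live_checks "$1" "$2"
fi
echo "sample status: $(sa_up_count "$SAMPLE_STATUS") SA(s) up, listening on $(listening_ips "$SAMPLE_STATUS")"
```

On the VM you would feed the real status in with `ipsec statusall` captured into a variable, e.g. `st=$(ipsec statusall)` and then `sa_up_count "$st"`; a fresh install should report 0 SAs up and the ikev2-vpn connection loaded, and after a phone connects the SA count should rise to 1.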


3. Router setup.
In order to reach your IPSEC VM/xigmanas via IPSEC from the Internet you need a couple of things configured on your Router:
A. Forwarding rules - the menu on my router is FORWARDING -> Virtual Server
Forward ports 500 and 4500 on protocol UDP towards your IPSEC machine.
B. Enable IPSEC Passthrough; this is under Security -> Basic Security
C. Put a static route towards 172.16.0.0/24 via the IPSEC VM machine. On my router this is under Advance Routing -> Static Route list
D. [Optional] If you are connecting to the Internet with a dynamic Public IP like myself you need to use a Dynamic DNS service. I won't cover that but you should find the relevant menu in your router.


4. Client setup.
Any machine that can raise an IKE IPSEC tunnel can be used.
On any Android phone go to:
Settings - Connections - More connection settings - VPN
Add VPN

Code:
    Name: Whatever you want
    Type: IPSec IKEv2 PSK
    Server address: your home IP or hostname if you have dynamic dns
    IPSec identifier: example.vpn.com - leftid from strongswan
    IPSec pre-shared key: the one you configured previously

Go to Advanced - Forwarding routes:
a) your home subnet (ex: 192.168.0.0/24) - if you want only access to the inside LAN of your home
b) 0.0.0.0/0 if you want to exit to the Internet via your home IP. Be careful with this: once the VPN is up all traffic from your phone will go in the tunnel.
And you are DONE. Once the tunnel is up you can access XigmaNAS (don't forget to put a route in XigmaNAS towards your phone subnet 172.16.0.0 via the VM IP).

Let me know if this tutorial was helpful.


Re: [HOWTO] IPSec VPN to XigmaNAS

Post by peixoto » 26 Aug 2019 19:49

Hi,

Thank you for this great tutorial... I've tried to implement it (with some adjustments: downloaded FreeBSD 12 and my VM machine has the following IP 192.168.0.98, gateway IP 192.168.0.2, XigmaNAS 192.168.0.99) but I have some doubts and I can't get the tunnel to work.
In the router setup, should the port forwarding be to the IPSEC VM machine or the XigmaNAS machine?
When I try to establish the tunnel I'm asked for a username and password and I don't know what they are.

I think the Xigmanas setup is ok
http://prntscr.com/oxrso4

Router config:
http://prntscr.com/oxrtif
http://prntscr.com/oxrtvz
http://prntscr.com/oxru8d
The WAN IP is dynamic so I configured the noip service and I've checked with ping (it's working fine).

Kind regards and thank you for your help!


Re: [HOWTO] IPSec VPN to XigmaNAS

Post by techlord » 29 Sep 2019 16:12

Hi,

Apologies, I have not visited the forum in a while.
The Port forwarding should target the IPSEC VM - make sure the VM has bridge network.
If you are asked for username and password you are not choosing PSK IPSEC from the menu.

Please post more info, like client setup, VM strongswan setup and I'll try to help.
