L2TP/IPSEC VPN for FreeNAS?

Status: Not open for further replies.

nello (Patron; joined Dec 30, 2012; 351 messages)
I installed OpenVPN on FreeNAS and it works well ... everywhere but China. Apparently the OpenVPN handshake is detected by the Great Firewall through deep packet inspection and OpenVPN connections are disrupted.

https://vpnreviewer.com/vpn-protocols-that-work-in-china

I'd like to create an L2TP/IPSEC VPN server running on my FreeNAS box.

Has anyone done this? Any recommendations or guides on how to do it?

Thank you for your consideration.

- nello
 

avggeek (Dabbler; joined Aug 28, 2015; 22 messages)
If you have a working OpenVPN setup, rather than switching to L2TP/IPSEC you might want to consider installing stunnel in a jail and using that to wrap OpenVPN connections. That setup has been proven to work behind the GFC and requires only simple config file changes.

I personally have not used stunnel on FreeNAS but there are forum posts here suggesting it can be done.
 

nello (Patron; joined Dec 30, 2012; 351 messages)
avggeek said:
> If you have a working OpenVPN setup, rather than switching to L2TP/IPSEC you might want to consider installing stunnel in a jail and using that to wrap OpenVPN connections. That setup has been proven to work behind the GFC and requires only simple config file changes.

Yes, cloaking OpenVPN within stunnel is one of the standard ways of obfuscating OpenVPN traffic:

http://www.greycoder.com/openvpn-china/


I decided not to try this technique because:
  1. iOS Connection
    I need to use my VPN from both iOS (iPhone) as well as OS X (MacBook Air). I'm aware of only a single OpenVPN client for iOS and it's not clear to me how I could configure this app to run through a stunnel connection.

  2. TCP Connection
    My understanding is that using stunnel will introduce latency problems, at a minimum. OpenVPN usually uses a UDP connection whereas stunnel uses TCP. My understanding is that TCP packet retransmissions of the UDP stream are problematic. I've heard that configuring OpenVPN to use TCP will make latency due to retransmissions even worse. Perhaps I've misunderstood.

At this point, I'd like to explore setting up L2TP/IPSec on FreeNAS because this VPN is supported by both iOS and OS X.

Please let me know whether trying to implement an L2TP/IPSec VPN on FreeNAS is reasonable; I'm not a coder and perhaps it's beyond my capability.

Thank you for taking the time to read my post.

- nello
 

avggeek (Dabbler; joined Aug 28, 2015; 22 messages)
nello said:
>   1. iOS Connection
>     I need to use my VPN from both iOS (iPhone) as well as OS X (MacBook Air). I'm aware of only a single OpenVPN client for iOS and it's not clear to me how I could configure this app to run through a stunnel connection.

For iOS the default iOS client does not support stunnel. If you are willing to jailbreak though, there is an OpenVPN app that supports stunnel. On OS X, you can look at this guide provided by Streisand as a starting point.

nello said:
>   2. TCP Connection
>     My understanding is that using stunnel will introduce latency problems, at a minimum. OpenVPN usually uses a UDP connection whereas stunnel uses TCP. My understanding is that TCP packet retransmissions of the UDP stream are problematic. I've heard that configuring OpenVPN to use TCP will make latency due to retransmissions even worse. Perhaps I've misunderstood.

I honestly believe the TCP performance hit for OpenVPN is a bit overblown. If your client connection is relatively reliable, there is almost no perceivable difference in speeds between UDP & TCP - especially for typical browsing and email tasks. I've used OpenVPN over TCP on Hotel WiFi and mobile phones in Asia and have been able to get consistent speeds of up to 6Mbps.

Unfortunately, none of this helps with your actual question on L2TP/IPSEC on FreeNAS so apologies for that :D
 

g00mbs (Dabbler; joined Sep 13, 2015; 31 messages)
nello said:
> I installed OpenVPN on FreeNAS and it works well ... everywhere but China. Apparently the OpenVPN handshake is detected by the Great Firewall through deep packet inspection and OpenVPN connections are disrupted.
>
> https://vpnreviewer.com/vpn-protocols-that-work-in-china
>
> I'd like to create an L2TP/IPSEC VPN server running on my FreeNAS box.
>
> Has anyone done this? Any recommendations or guides on how to do it?
>
> Thank you for your consideration.
>
> - nello

I am traveling in China right now and just turned on TLS as per: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/

It is working great. I can get to my server and out of the GFW.
 

nello (Patron; joined Dec 30, 2012; 351 messages)
DoS mitigation

I think that you are referring to the tls-auth option, which protects against Denial of Service (DoS) attacks because failures to provide the pre-shared key cause the connection to be dropped before trying more computationally intensive authentication. For a more complete explanation, see:

https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth


The problem with using OpenVPN in China is not DoS attacks.

The problem is that the handshake for OpenVPN TLS is different than the handshake for HTTPS TLS. As a result, the Great Firewall of China (GFC) can identify and disconnect OpenVPN connections based on an OpenVPN TLS protocol signature:

> The Great Firewall is using a method called DPI (Deep Packet Inspection) to analyze all inbound and outbound traffic in real-time. The technology can be compared to an anti-virus, which relies on signatures and heuristic/behavior and statistic analysis to identify and flag protocols that are not allowed. VPN protocols are using encryption to secure the data transmitted over the Internet, and the DPI system can identify and block most types of VPN tunneling protocols. The most affected VPN protocol in China is OpenVPN in its default configuration. OpenVPN can still bypass the Great Firewall if its handshake is hidden so it can't be seen and blocked by the GFC.
>
> Other VPN protocols that still work in China quite well are PPTP and L2TP/IPsec.

Source: https://vpnreviewer.com/internet-vpn-china


I was already using tls-auth while in China and I was still having trouble making OpenVPN connections. So, I don't think tls-auth is the answer to my problem.

Looking into your suggestion did give me another idea. Apparently, OpenVPN can authenticate via either:
  1. Static Key
  2. TLS

And I've read in several places that the GFC does NOT block OpenVPN connections made with static keys. So, maybe I will look into using static keys.

Thank you for your suggestion. Please let me know if you have additional ideas.
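To make the distinction drawn in this post concrete (the OpenVPN control-channel header is fingerprintable on the wire, a TLS ClientHello such as an stunnel wrapper sends is not, and tls-auth does not hide that header), here is an added Python classifier run over constructed first packets; it is not code from this thread or from the OpenVPN project. The opcode values and header layout follow OpenVPN's protocol; the session id, HMAC and packet ids are made-up bytes.

```python
"""Constructed example: why the OpenVPN handshake is fingerprintable while a
TLS ClientHello (what an stunnel wrapper sends) is not. The OpenVPN control
header (opcode and session id) is plaintext; tls-auth appends an HMAC after
it and does not hide it."""

# OpenVPN control-channel opcodes that open a session (from OpenVPN's ssl.h).
HARD_RESET = {7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2"}
MIN_HARD_RESET_LEN = 14  # opcode(1) + session id(8) + ack count(1) + packet id(4)


def classify_first_packet(payload: bytes, transport: str = "udp") -> str:
    """Label the first payload of a flow as 'openvpn:<opcode>', 'tls-client-hello'
    or 'unknown'. Over TCP, OpenVPN prefixes each packet with a 2-byte big-endian
    length, which is stripped when it matches the payload size."""
    if transport == "tcp" and len(payload) >= 3:
        if int.from_bytes(payload[:2], "big") == len(payload) - 2:
            payload = payload[2:]
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0?,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    # OpenVPN: first byte is (opcode << 3) | key_id, then an 8-byte session id.
    if len(payload) >= MIN_HARD_RESET_LEN:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        if opcode in HARD_RESET and key_id == 0:  # a fresh session always uses key_id 0
            return "openvpn:" + HARD_RESET[opcode]
    return "unknown"


# Constructed sample packets; session id, HMAC and packet ids are arbitrary bytes.
SESSION_ID = bytes.fromhex("0123456789abcdef")
# Without tls-auth: opcode 7 / key_id 0 (0x38), session id, ack count 0, packet id 0.
OPENVPN_UDP = bytes([0x38]) + SESSION_ID + b"\x00" + b"\x00\x00\x00\x00"
# With tls-auth: the same 9-byte prefix, then a 20-byte HMAC-SHA1, replay packet
# id, timestamp, ack count 0 and packet id 0. The fingerprinted bytes do not change.
OPENVPN_UDP_TLS_AUTH = (bytes([0x38]) + SESSION_ID + bytes(20) + b"\x00\x00\x00\x01"
                        + b"\x56\x00\x00\x00" + b"\x00" + b"\x00\x00\x00\x00")
# Over TCP the same packet is preceded by its 2-byte length.
OPENVPN_TCP = len(OPENVPN_UDP).to_bytes(2, "big") + OPENVPN_UDP
# First bytes of a TLS ClientHello record, as an stunnel wrapper would send.
TLS_HELLO = bytes.fromhex("160301002a01000026030300000000")

if __name__ == "__main__":
    for name, pkt, tr in [("udp", OPENVPN_UDP, "udp"), ("tls-auth", OPENVPN_UDP_TLS_AUTH, "udp"),
                          ("tcp", OPENVPN_TCP, "tcp"), ("stunnel", TLS_HELLO, "tcp")]:
        print(f"{name:9s} -> {classify_first_packet(pkt, tr)}")
```

The tls-auth sample classifies exactly like the plain one, which is why enabling tls-auth alone did not change what the DPI sees.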
 