This post on CSC caught my attention and reminded me of the challenges thrown up whilst working my first IT job at a charity: typically trying to stitch together enterprise solutions for the bare minimum price.
At the time of writing the two replies to the post come in at $700 (C881W) and $670 (MX64W). The solution below will come in below £50 (~$66).

Solution features
- Wireless AP
- DHCP
- IPSec IKEv2 split-tunnel transport
- BGP
Components
Topology
- Head office subnet: 10.10.0.0/16
- Head office public IP: 172.16.10.1
- Home office subnet: dynamic
- Home office public IP: 172.16.10.1
- Solution ‘inside’ subnet: 192.168.2.0/24
OS config
Interfaces
We will be connecting our RPi to the user's home network via the ethernet interface, so leave that interface configured to receive an address via DHCP. The wireless interface will be offering DHCP leases to associated devices, so it needs a static interface config. Edit /etc/network/interfaces:
/etc/network/interfaces:
allow-hotplug eth0
iface eth0 inet dhcp

# bring the AP interface up automatically too (added; the original listed only eth0)
allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.2.254
    netmask 255.255.255.0
IP forwarding
Enable forwarding immediately, and persist it across reboots in /etc/sysctl.conf:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
/etc/sysctl.conf:
net.ipv4.ip_forward=1
Services
- hostapd
Will allow our RPi to broadcast an SSID and manage its security settings.
/etc/hostapd/hostapd.conf:
interface=wlan0
driver=nl80211
hw_mode=g
# channel added here: hostapd needs one unless the driver supports ACS; pick a free channel
channel=6
ieee80211d=1
country_code=GB
ssid=somessid
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=somepassword
- isc-dhcp-server
Allows the RPi to answer DHCP REQUESTs and issue leases based upon configured scopes.
sudo apt-get install isc-dhcp-server
/etc/dhcp/dhcpd.conf:
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.2.20;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.254;
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local-network";
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}
/etc/default/isc-dhcp-server:
INTERFACES="wlan0"
strongswan
Provides a wide range of secure tunnel types, and will create our IPSec IKEv2 tunnel back to the head office ASA. In this first iteration we will implement a split-tunnel: only traffic destined to the head office IP subnet will travel via the tunnel, all other traffic will leave locally.
/etc/ipsec.conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn headofficeasa
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftid=172.16.10.2
    leftfirewall=yes
    right=172.16.10.1
    rightsubnet=10.10.0.0/16
    rightid=172.16.10.1
    auto=route
    ike=aes256-sha256-ecp384
    esp=aes256-sha256

/etc/ipsec.secrets:
172.16.10.2 : PSK "cisco"
172.16.10.1 : PSK "cisco"
sudo systemctl enable ipsec
iptables
Software firewall used to restrict access to the ‘outside’ ethernet interface, and to NAT traffic that is not destined for the head office IP subnet out of the local interface. The MASQUERADE rule must exclude the head office subnet: POSTROUTING runs before IPsec encapsulation, and a rewritten source address would no longer match the tunnel's selectors.
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 10.10.0.0/16 -o eth0 -j MASQUERADE
We also want to explicitly accept forwarding of IPsec traffic. strongSwan allocates reqids as connections come up, so --reqid 1 only holds while headofficeasa is the only conn; pin it with reqid=1 in the conn block if more are added:
iptables -A FORWARD -s 10.10.0.0/16 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
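Getting the MASQUERADE rule wrong is the classic way to break a split tunnel, so the following added example (constructed for this write-up, not code from the post) models what happens to a wlan0 client's packet on the RPi: the nat/POSTROUTING chain is evaluated first, then the kernel's xfrm policy that strongSwan installs from leftsubnet/rightsubnet is checked against the post-NAT packet. It compares two candidate MASQUERADE rules, one that negates the source (`! -s 192.168.2.0/24`) and one that negates the destination (`-s 192.168.2.0/24 ! -d 10.10.0.0/16`). The eth0 address 192.168.1.50 and the sample flows are assumptions.

```python
import ipaddress

# Constructed model (not code from the post) of the decision a wlan0 client's
# packet faces on the RPi when leaving eth0: the nat/POSTROUTING chain first,
# then the kernel's xfrm (IPsec) policy lookup on the post-NAT packet. Only
# -s/-d (with '!' negation) and -o are modelled; first match wins, as in iptables.

INSIDE = ipaddress.ip_network("192.168.2.0/24")   # solution 'inside' subnet
HQ = ipaddress.ip_network("10.10.0.0/16")         # head office subnet
WAN_IF = "eth0"
ETH0_ADDR = ipaddress.ip_address("192.168.1.50")  # constructed: whatever the home router leased to eth0

# xfrm policy strongSwan installs from leftsubnet/rightsubnet in ipsec.conf
XFRM_OUT = [(INSIDE, HQ)]


def rule(target, **match):
    """One iptables rule: keys src/dst/out_if, prefixed 'not_' for a '!' match."""
    return (target, match)


def _matches(match, pkt):
    for key, want in match.items():
        negated = key.startswith("not_")
        field = key[4:] if negated else key
        value = pkt[field]
        hit = value in want if field in ("src", "dst") else value == want
        if hit == negated:   # plain match that missed, or negated match that hit
            return False
    return True


def walk(chain, pkt, policy="ACCEPT"):
    """First-match evaluation of a chain, falling back to the chain policy."""
    for target, match in chain:
        if _matches(match, pkt):
            return target
    return policy


def classify(nat_chain, src, dst):
    """Return (masqueraded, tunnelled) for a forwarded packet src->dst leaving eth0."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "out_if": WAN_IF}
    masqueraded = walk(nat_chain, pkt) == "MASQUERADE"
    # The xfrm selector is checked against the packet as it leaves POSTROUTING,
    # so a masqueraded packet carries eth0's address and misses the tunnel.
    effective_src = ETH0_ADDR if masqueraded else pkt["src"]
    tunnelled = any(effective_src in s and pkt["dst"] in d for s, d in XFRM_OUT)
    return masqueraded, tunnelled


# Two candidate MASQUERADE rules: negating the source ...
NAT_NEGATE_SRC = [rule("MASQUERADE", not_src=INSIDE, out_if=WAN_IF)]
# ... versus negating the destination, which is what a split tunnel needs.
NAT_NEGATE_DST = [rule("MASQUERADE", src=INSIDE, not_dst=HQ, out_if=WAN_IF)]

# Constructed sample flows: a wlan0 client talking to head office and to a public DNS server.
FLOWS = [("192.168.2.10", "10.10.5.5"), ("192.168.2.10", "8.8.8.8")]


def report(nat_chain):
    """Map each sample flow to its (masqueraded, tunnelled) outcome under the given NAT chain."""
    return {f"{s}->{d}": classify(nat_chain, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for name, chain in (("negate source", NAT_NEGATE_SRC), ("negate destination", NAT_NEGATE_DST)):
        print(name, report(chain))
```

With the source negated, client traffic to the internet leaves eth0 with its 192.168.2.x address unchanged, which the home router will not route back; with the destination negated, internet traffic is masqueraded and head office traffic keeps its address and matches the tunnel selector. The strongSwan wiki page in the references achieves the same exclusion differently, by inserting an `-m policy --pol ipsec --dir out -j ACCEPT` rule ahead of the MASQUERADE rule.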
quagga
Dynamic routing protocol daemon which will be used to form a BGP adjacency with the ASA and advertise routes into the head office routing table.
It would have been preferable to use OSPF, but as we are not using tunnel interfaces (e.g. GRE, VTI) there is no shared subnet on which to form an adjacency. Thankfully BGP has a feature called eBGP multi-hop which allows you to adjust the TTL on the BGP packets. We can use this to allow the ASA to peer with the ‘inside’ interfaces of the Raspberry Pi.
/etc/quagga/daemons:
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
babeld=no
/etc/quagga/bgpd.conf:
!
hostname bgpd
password zebra
log stdout
!
router bgp 64513
 bgp router-id 192.168.2.1
 network 192.168.2.0/24
 neighbor 172.16.10.1 remote-as 64512
 neighbor 172.16.10.1 ebgp-multihop 2
 neighbor 172.16.10.1 activate
!
line vty
!
ASA BGP configuration:
!
router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 172.16.10.2 remote-as 64513
  neighbor 172.16.10.2 ebgp-multihop 2
  neighbor 172.16.10.2 activate
  network 10.10.0.0 mask 255.255.0.0
  no auto-summary
  no synchronization
 exit-address-family
!
ASA configuration
!
object network NETWORK-INSIDE
 subnet 10.10.0.0 255.255.0.0
!
object network REMOTE-RPI01
 subnet 192.168.2.0 255.255.255.0
 description Remote RPi inside network
 nat (outside,outside) dynamic interface
!
same-security-traffic permit intra-interface
!
nat (inside,outside) source static NETWORK-INSIDE NETWORK-INSIDE destination static REMOTE-RPI01 REMOTE-RPI01 no-proxy-arp route-lookup
!
object-group network IPSEC-PEERS
 network-object host 172.16.10.2
!
access-list OUTSIDE-IN extended permit esp object-group IPSEC-PEERS any
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq 4500
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq isakmp
!
access-list VPN-TRAFFIC-A-RPI01 extended permit ip object NETWORK-INSIDE object REMOTE-RPI01
!
crypto map CMAP-RPI 1 match address VPN-TRAFFIC-A-RPI01
crypto map CMAP-RPI 1 set peer 172.16.10.2
crypto map CMAP-RPI 1 set ikev2 ipsec-proposal IKEV2-AES256
!
crypto map CMAP-RPI interface OUTSIDE
!
tunnel-group 172.16.10.2 type ipsec-l2l
!
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 43200
!
crypto ikev2 enable OUTSIDE
!
! the key on both lines must match the PSK in /etc/ipsec.secrets on the RPi
tunnel-group 172.16.10.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
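Mismatched proposals between the two ends are the usual reason an IKEv2 tunnel like this never comes up, and the two vendors spell the same algorithms differently (strongSwan's `aes256-sha256-ecp384` is the ASA's `aes-256`, `sha256`, `group 20`; ESP integrity is `sha-256` in an ipsec-proposal but `sha256` in an ikev2 policy). The following added example, not code from the post, cross-checks the `ike=`/`esp=` lines of the ipsec.conf conn block against the ASA's `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` blocks. The translation tables are my own and cover the page's algorithms plus a few common neighbours; the embedded configs are the page's, reproduced as constructed sample input.

```python
import re

# Translation tables from strongSwan proposal tokens to the ASA's keywords.
# Assumption: these cover the algorithms on this page plus common neighbours.
ENC = {"aes128": "aes", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des"}
IKE_INTEG = {"sha1": "sha", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
ESP_INTEG = {"sha1": "sha-1", "sha256": "sha-256", "sha384": "sha-384", "sha512": "sha-512"}
DH_GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14",
            "ecp256": "19", "ecp384": "20", "ecp521": "21"}


def proposals_from_ipsec_conf(text):
    """Return {'ike': ..., 'esp': ...} from the ike=/esp= lines of an ipsec.conf."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(ike|esp)\s*=\s*(\S+)", text, re.M)}


def expected_ikev2_policy(ike):
    """Translate the first strongSwan ike= proposal into ASA ikev2 policy terms."""
    enc, integ, dh = ike.split(",")[0].split("-")
    return {"encryption": ENC[enc], "integrity": IKE_INTEG[integ],
            "prf": IKE_INTEG[integ],   # strongSwan uses the integrity algorithm as PRF unless told otherwise
            "group": DH_GROUP[dh]}


def expected_ipsec_proposal(esp):
    """Translate the first strongSwan esp= proposal into ASA ipsec-proposal terms."""
    enc, integ = esp.split(",")[0].split("-")
    return {"encryption": ENC[enc], "integrity": ESP_INTEG[integ]}


def asa_block(text, header):
    """Return the indented sub-commands under the first line starting with `header`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(header):
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() in ("", "!") or not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            return body
    return []


def asa_settings(block_lines, strip_prefix=""):
    """Pick the encryption/integrity/prf/group values out of an ASA crypto block."""
    settings = {}
    for line in block_lines:
        if line.startswith(strip_prefix):
            line = line[len(strip_prefix):]
        key, _, value = line.partition(" ")
        if key in ("encryption", "integrity", "prf", "group"):
            settings[key] = value.strip()
    return settings


def mismatches(strongswan_conf, asa_conf):
    """Return {'ike': {...}, 'esp': {...}} of (wanted, found) pairs that differ; empty means consistent."""
    props = proposals_from_ipsec_conf(strongswan_conf)
    checks = (
        ("ike", expected_ikev2_policy(props["ike"]),
         asa_settings(asa_block(asa_conf, "crypto ikev2 policy"))),
        ("esp", expected_ipsec_proposal(props["esp"]),
         asa_settings(asa_block(asa_conf, "crypto ipsec ikev2 ipsec-proposal"), "protocol esp ")),
    )
    out = {}
    for name, want, have in checks:
        diff = {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}
        if diff:
            out[name] = diff
    return out


# Constructed sample input: the conn block and ASA crypto lines from this page.
STRONGSWAN_CONF = """\
conn headofficeasa
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    right=172.16.10.1
    rightsubnet=10.10.0.0/16
    ike=aes256-sha256-ecp384
    esp=aes256-sha256
"""

ASA_CONF = """\
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 43200
!
"""

if __name__ == "__main__":
    print(mismatches(STRONGSWAN_CONF, ASA_CONF) or "proposals consistent")
```

Only the algorithms are compared: IKEv2 lifetimes do not have to agree between peers (each side simply rekeys when its own timer expires), so the 1440m ikelifetime on the RPi and the 43200 seconds on the ASA are not a mismatch.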
References
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
NAT and Remote Access VPN