
How to create split vpn server on CentOS 7 linux
In this article we show you how to create a split VPN server on CentOS 7 Linux.
In a split VPN, the client only needs to reach one or more remote subnets, so we do not “send all traffic through the VPN”.
Here is our environment:
OS: CentOS 7 linux on VMware
Firewall: firewalld
SELinux: enforcing
VPN server IP address: 192.168.147.131
VPN server internal address: 10.0.0.130
VPN client IP address: 192.168.147.129
Isolated host: 10.10.0.129
1- Install prerequisites
Refer to this article to install the L2TP and IPsec packages and configure them: How to install IPSEC IKEv2 vpn server on CentOS 7 linux
When you reach step 4 in that article, continue as follows.
2- Create Configuration
Put the following content in /etc/ipsec.d/ike.conf:
# vim /etc/ipsec.d/ike.conf
conn ike
    left=192.168.147.131
    leftcert=192.168.147.131
    [email protected]
    leftsendcert=always
    leftsubnet=10.10.0.0/16
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=10.10.20.1-10.10.20.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="8.8.8.8,4.2.2.4"
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    IKEv2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
Note: remember to replace left=192.168.147.131 with your own IP address.
Note: mind the spaces (indentation) in the above configuration.
In the above configuration we set leftsubnet; this is the subnet our client will have access to.
The easiest way to make sure the client can reach that remote subnet is to take the client address pool (rightaddresspool) out of the same subnet.
Here we want to reach 10.10.0.0/16 as the remote subnet, so we set 10.10.20.1-10.10.20.254 as our address pool.
We also have to enable proxy ARP on the server's internal interface for the 10.10.0.0/16 subnet, so that the server answers ARP requests for the pool addresses on behalf of the clients.
If you want to know more about proxy ARP, see https://en.wikipedia.org/wiki/Proxy_ARP
So put the line below in /etc/sysctl.conf:
# eth1 is the internal interface with a 10.10.X.Y/16 IP address
net.ipv4.conf.eth1.proxy_arp=1
Note: remember to replace eth1 with your own INTERNAL interface.
Then apply it now (the entry in /etc/sysctl.conf keeps it across reboots) by issuing:
# sysctl -p
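As an added check (not part of the original article), the following Python parses a Libreswan conn section like the one above and verifies the two things the split tunnel depends on: that leftsubnet names a real remote subnet rather than 0.0.0.0/0, and that rightaddresspool sits inside it so the proxy ARP entry covers the clients. It also flags the sha1/modp1024 fallback proposals in the ike= line, which you can drop once all your clients support the stronger ones; SAMPLE_CONF is a constructed copy of just the keys the checks need.

```python
import ipaddress

# Constructed sample carrying the keys of the page's conn that the checks below look at.
SAMPLE_CONF = """\
conn ike
    left=192.168.147.131
    leftsubnet=10.10.0.0/16
    rightaddresspool=10.10.20.1-10.10.20.254
    IKEv2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
"""
WEAK_TOKENS = ("modp1024", "sha1", "3des", "md5")  # fallbacks worth dropping when clients allow

def parse_conn(text, name="ike"):
    """Return the key=value options of one conn section (Libreswan ipsec.conf syntax)."""
    opts, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            in_conn = line.split(None, 1)[1] == name
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def pool_inside_subnet(pool, subnet):
    """True when the whole 'first-last' pool lies inside subnet, which proxy ARP relies on."""
    lo, hi = (ipaddress.ip_address(a) for a in pool.split("-"))
    net = ipaddress.ip_network(subnet, strict=False)
    return lo <= hi and lo in net and hi in net

def check_split_vpn(text, name="ike"):
    """Return findings for a split-tunnel conn; an empty list means the checks passed."""
    o = parse_conn(text, name)
    findings = []
    subnet = o.get("leftsubnet", "")
    if not subnet or subnet == "0.0.0.0/0":
        findings.append("leftsubnet must name the remote subnet; 0.0.0.0/0 means full tunnel")
    elif not pool_inside_subnet(o.get("rightaddresspool", "0.0.0.0-0.0.0.0"), subnet):
        findings.append("rightaddresspool lies outside leftsubnet; proxy ARP will not cover clients")
    if o.get("IKEv2", "").lower() != "insist":
        findings.append("IKEv2=insist is missing, so an IKEv1 fallback would be accepted")
    for proposal in o.get("ike", "").split(","):
        if any(token in proposal for token in WEAK_TOKENS):
            findings.append("weak IKE proposal offered: " + proposal)
    return findings
```

Run check_split_vpn on the text of your own ike.conf; for the sample above it returns only the two weak-proposal findings, and moving the pool outside 10.10.0.0/16 adds the proxy ARP finding.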
3- Start IPsec Service
Now we start the ipsec service and check that it has started properly:
# systemctl enable ipsec
# systemctl start ipsec
# systemctl status ipsec
4- Configure firewall
Here we use the firewalld service. We need to allow IPsec, forward traffic from the VPN client pool to the internet-facing interface, and NAT it:
# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
# firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
# firewall-cmd --permanent --add-port=500/udp
# firewall-cmd --permanent --add-port=4500/udp
# firewall-cmd --permanent --add-service="ipsec"
# firewall-cmd --reload
If you use CSF, create a file named /etc/csf/csfpre.sh and put these lines in it:
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 10.10.20.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.10.20.0/24 -o eno16777728 -j MASQUERADE
Then reload CSF.
If you use plain iptables, just run the above commands and then save the rules with iptables-save.
Note: remember to replace eno16777728 with your own external (internet-facing) interface name.
5- Configure SELinux
We prefer to keep SELinux enabled, so to allow bringing up the VPN interfaces we run the following command:
# setsebool -P daemons_use_tty 1
If you have disabled SELinux, simply skip the above command.