I've gone a similar route for my VPN needs, though instead of using a script I configured StrongSwan directly. I skipped the whole L2TP thing since the only things I care about routing are IP packets and IPSec does that just fine. I tried OpenVPN for a bit, but the iOS app felt like it was mainly an ad for Private Internet Access and turned me off of it.
My VPN needs are, roughly:
- Remote access to my home network from my phone/laptop/tablet. This is mainly to check on my security cameras, but being able to access my NAS and everything else is a nice bonus. I can even turn my Philips Hue lights on and off via my VPN connection.
- Remote access to VMs running on a rented machine at Joe's Data Center. Basically the same scenario as above, but with different stuff on the other side of the tunnel.
- Seamless integration of my home network with the remote one. This is where things get fun. Basically, custom routes on my router tell it to send packets destined for the remote subnets to the VPN server, plus some custom dnsmasq configuration routes DNS requests for remote machines to the appropriate server.
Honestly, the only thing that bugs me about my setup is that I can't figure out what the secret sauce is to get Windows 10's native VPN client to connect to my servers. I'm pretty sure that my certificates are missing something that Win10 needs in order to use them, but I haven't figured out what it is yet. Fortunately, this isn't something I need right now, but it would be nice to get it working.
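A concrete version of the split-routing setup described in that comment (static routes for the remote subnets, dnsmasq forwarding only the remote zone), written as an added example rather than the commenter's own configuration; the VPN gateway address, remote subnets, DNS zone and remote resolver are assumed values:

```shell
#!/bin/sh
# Added example, not the commenter's config. All addresses and names below
# are constructed for illustration.
VPN_GW="192.168.1.2"                     # LAN address of the StrongSwan box the router forwards to
REMOTE_NETS="10.20.0.0/16 10.30.0.0/24"  # subnets that are only reachable through the tunnel
REMOTE_ZONE="dc.example"                 # DNS names of remote machines live under this zone
REMOTE_DNS="10.20.0.53"                  # resolver on the far side, reached through the tunnel

# dnsmasq lines: forward the remote zone and the reverse zones of the remote
# subnets to the far-side resolver. Everything else keeps using the normal
# upstream servers, so only remote names cross the tunnel.
gen_dnsmasq_conf() {
    printf 'server=/%s/%s\n' "$REMOTE_ZONE" "$REMOTE_DNS"
    for net in $REMOTE_NETS; do
        printf 'rev-server=%s,%s\n' "$net" "$REMOTE_DNS"
    done
}

# Route commands for a Linux router: send each remote subnet to the VPN host,
# which has the IPsec policies to encapsulate them.
gen_route_cmds() {
    for net in $REMOTE_NETS; do
        printf 'ip route replace %s via %s\n' "$net" "$VPN_GW"
    done
}

# Apply both pieces (needs root on the router).
apply_split_routing() {
    gen_dnsmasq_conf > /etc/dnsmasq.d/remote-site.conf
    gen_route_cmds | sh
}

# Check that each remote subnet really leaves via the VPN host; returns 1 and
# names the first subnet that would take the default route instead.
check_routes() {
    for net in $REMOTE_NETS; do
        first_host="${net%/*}"
        ip route get "$first_host" | grep -q "via $VPN_GW " || {
            echo "route for $net does not go via $VPN_GW" >&2
            return 1
        }
    done
}
```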
Same here. I'm looking at eventually replacing my router with an OpenBSD box and having it handle the VPN stuff.
My servers are primarily FreeBSD, but I wouldn't recommend doing IPSec on it. FreeBSD 10 doesn't enable IPSEC by default, so you have to recompile the kernel to use it. FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T (NAT Traversal, basically IPSec encapsulated in UDP), so you need to recompile to use it since many clients end up being behind NAT at some point.
My ideal setup would see OpenBSD gateways in front of my FreeBSD servers, but in some cases that isn't possible. I'll probably end up creating small OpenBSD VMs on the FreeBSD hosts to do the VPN work.
> FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T
FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.
I wanted to create an OpenBSD VM (on bhyve) too, but there is some weird issue with OpenBSD 6.1 and bhyve passing through some funky CPU flags it shouldn't be that causes OpenBSD to panic. Apparently passing -w to bhyve works, but I haven't tried it yet.
> FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.
Sweet!! I guess I'll hold off on upgrading my boxes until 11.1 lands.
> I wanted to create an OpenBSD VM (on bhyve) too, but there is some weird issue with OpenBSD 6.1 and bhyve passing through some funky CPU flags it shouldn't be that causes OpenBSD to panic. Apparently passing -w to bhyve works, but I haven't tried it yet.