
I created a Digital Ocean instance running Ubuntu 18.04. After that, I set up a VPN service that uses the L2TP protocol on this instance by following this repository. The script uses Libreswan as the IPsec server and xl2tpd as the L2TP provider. I tried to connect from my macOS machine and it works.

After that, I created a firewall for my machine. I block all inbound connections and only allow port 22. Here is the output of the `ufw status verbose` command:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

So it seems everything works perfectly. I expect that I cannot connect to my VPN any more (because L2TP works on UDP port 500). But I can still connect to my VPN service successfully.

Please tell me which part I have configured wrong.

Trần Kim Dự
  • FYI, the output of `ufw status verbose` shows that outgoing connections are allowed. Also, try running the following command to see all active incoming and outgoing connections and which ports are being used for them: netstat -an | grep ESTAB – mti2935 Sep 02 '19 at 19:59
  • @mti2935 My apologies. My mistake. I meant block all incoming connections. I have edited the question. I tried your command and see that all requests are from the Digital Ocean instance's port 22 to my computer. – Trần Kim Dự Sep 02 '19 at 20:04
  • It looks weird. I guess it should show port 500. The reason I know I have connected successfully is: 1) the macOS status says it is connected. 2) My ISP blocks some websites, but every time I connect to the VPN, I can reach those websites. – Trần Kim Dự Sep 02 '19 at 20:07
  • I assume you mean that all connections are from your desktop computer to port 22 on your server. Port 22 is normally used for SSH. Is it possible that your VPN is connecting through an SSH tunnel? – mti2935 Sep 02 '19 at 20:08
  • The log shows port 22 because I am connecting to the DO machine through SSH. My VPN uses the L2TP protocol. L2TP runs on IPsec. So I don't think it runs through an SSH tunnel. Please correct me if I am wrong. – Trần Kim Dự Sep 02 '19 at 20:10
  • Can you run the same command (above) on the client that you are connecting from? Which port does it show the connection terminating on at the DO server? – mti2935 Sep 02 '19 at 20:12
  • I am trying to clear the netstat history first, because it will show all my history (I have used my machine without the VPN). – Trần Kim Dự Sep 02 '19 at 20:18
  • But when I grep for the DO instance's IP, I see that all ESTABLISHED connections are through SSH. Only one line shows that I connect to port 1701 (the other L2TP port), but it is not ESTABLISHED yet. I also used an online tool to check and see that my public IP is my DO instance's IP address. – Trần Kim Dự Sep 02 '19 at 20:20
  • I think if you run the command on your client machine (with | grep ESTAB) it will only show you currently established connections. I want to see if we can find the connection it's using for the VPN, and if so, what port it's connecting to on the DO server. Based on everything you're saying, I have a feeling it's either connecting somewhere other than where you think it is, or it's tunneling the connection through SSH. – mti2935 Sep 02 '19 at 20:33
  • It is really strange. L2TP does not use SSL either :( I just guess maybe some problem related to IPv4 and IPv6. – Trần Kim Dự Sep 02 '19 at 20:45
  • I understand why the `netstat` command does not work: L2TP works on the UDP protocol, and `netstat` only checks the TCP protocol. – Trần Kim Dự Sep 03 '19 at 12:55
  • You're probably right that we're not seeing UDP connections with the netstat command that we're using. By any chance, did you enable UFW *after* you started the VPN server? If so, the problem may be that UFW is not blocking services that were already listening before you enabled UFW. – mti2935 Sep 03 '19 at 18:09

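Two checks a practitioner would run on the server at this point, as an added example that is not part of the question, the comments, or the VPN setup repository the asker followed. First, list the UDP listeners: `netstat -an | grep ESTAB` can never show them, because a UDP socket is reported as UNCONN, not ESTABLISHED. Second, read the raw `INPUT` chain rather than `ufw status`: ufw is only a front end for iptables, and any ACCEPT rule inserted ahead of the `ufw-*` chain jumps (for IKE on 500/udp, NAT-T on 4500/udp, L2TP on 1701/udp, or ESP) is matched before ufw's "deny (incoming)" default is ever consulted, and `ufw status` does not list such rules. The `iptables -S INPUT` and `ss -Hlun` listings in the block are constructed samples, not output from the asker's droplet; on a real host feed the functions `sudo iptables -S INPUT` and `ss -Hlun` instead.

```shell
#!/bin/sh
# Added example (not from the question or the VPN setup repository):
# two checks for a Libreswan + xl2tpd host that ufw does not seem to block.
# Real usage on the server:
#   vpn_rules_before_ufw "$(sudo iptables -S INPUT)"
#   udp_listen_ports "$(ss -Hlun)"

# Constructed sample of `iptables -S INPUT`: three ACCEPT rules for the
# IPsec/L2TP ports sit ahead of the ufw-* chain jumps, so ufw's
# "deny (incoming)" default never sees that traffic.
SAMPLE_INPUT_BYPASSED='-P INPUT DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Constructed sample where ufw's chains come first, i.e. the state that
# `ufw status verbose` describes.
SAMPLE_INPUT_CLEAN='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Constructed sample of `ss -Hlun` (listening UDP sockets, header suppressed).
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1701 0.0.0.0:*
UNCONN 0 0 [::]:500 [::]:*
UNCONN 0 0 [::]:4500 [::]:*'

# Print every INPUT rule that ACCEPTs IKE (500/udp), NAT-T (4500/udp),
# L2TP (1701/udp) or ESP and appears before the first jump into a ufw-*
# chain. Anything printed is matched before ufw evaluates the packet.
vpn_rules_before_ufw() {
    printf '%s\n' "$1" | awk '
        /-j ufw-/ { seen_ufw = 1 }
        !seen_ufw && /-j ACCEPT/ && (/--dport (500|4500|1701)( |$)/ || /-p (esp|50)( |$)/) { print }
    '
}

# Number of such rules; 0 means ufw is the first thing that sees the traffic.
count_vpn_rules_before_ufw() {
    vpn_rules_before_ufw "$1" | wc -l | tr -d ' '
}

# Distinct local UDP ports from `ss -Hlun` output, one per line, ascending.
# Field 4 is "addr:port"; strip everything up to the last colon.
udp_listen_ports() {
    printf '%s\n' "$1" | awk '{ sub(/.*:/, "", $4); print $4 }' | sort -un
}

# Stand-alone run over the constructed samples.
echo "INPUT rules accepting VPN traffic before ufw (bypassed sample):"
vpn_rules_before_ufw "$SAMPLE_INPUT_BYPASSED"
echo "count (bypassed sample): $(count_vpn_rules_before_ufw "$SAMPLE_INPUT_BYPASSED")"
echo "count (clean sample):    $(count_vpn_rules_before_ufw "$SAMPLE_INPUT_CLEAN")"
echo "listening UDP ports:"
udp_listen_ports "$SAMPLE_SS"
```

If `vpn_rules_before_ufw` prints anything on the real server, the firewall is not in the state `ufw status` suggests: those rules were added outside ufw (by hand or by a setup script) and win on ordering. Rules created with `ufw allow` and `ufw deny` land in the `ufw-user-input` chain, reached from `ufw-before-input`, so they only apply to traffic that nothing earlier in `INPUT` has already accepted. Note also that iptables evaluates every packet as it arrives regardless of when the listening socket was opened, so enabling ufw after the VPN daemons were started does not by itself exempt them.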