Hardening EdgeRouter Lite – Part 4


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date Title Description
03/13/16 My Home Router – EdgeRouter Lite Quick introduction to EdgeRouter Lite
04/09/16 Ubiquiti’s EdgeOS CLI Introduction EdgeOS CLI Primer
05/01/16 How to configure EdgeRouter Lite via CLI – Part 1 EdgeOS configuration guide for CLI junkies
05/01/16 How to configure EdgeRouter Lite via CLI – Part 2 EdgeOS configuration guide for CLI junkies
12/03/16 Hardening EdgeRouter Lite – Part 1 Basic management hardening
12/04/16 Hardening EdgeRouter Lite – Part 2 EdgeOS with two-factor authentication
12/05/16 Hardening EdgeRouter Lite – Part 3 Management ACL

Introduction

In my How to configure EdgeRouter Lite via CLI – Part 2 post, there is an L2TP via IPsec section. The commands shown in that blog post works great. However, there are security concerns with that configuration. The remote-access VPN configuration uses pre-shared secret for machine authentication and user authentication with no two-factor authentication (2FA). In this post, I will demonstrate how to harden remote-access VPN connectivity on EdgeRouter Lite.

User Authentication with 2FA

As mentioned in my how-to configure guide, I prefer L2TP over IPsec, so this post will only cover that. The configuration demonstrated here requires a RADIUS server, such as FreeRADIUS. Check my blog post about it if you want to create your own. If you chose the local Google Authenticator route, there might be a way to tie that with user authentication. That is, however, out of the scope of this post.

The EdgeOS has two L2TP modes for user authentication, local and RADIUS. In my how-to guide, it showed the use of the local account which is separate from device management. As previously discussed, username and password are no longer considered secure today. That said, we’re going to add another factor of authentication to the account.

EdgeOS Commands

The first command is to change user authentication mode to RADIUS.

set vpn l2tp remote-access authentication mode radius

The second command is to point the device to the RADIUS server and enter the key you want to use.

set vpn l2tp remote-access authentication radius-server 192.168.250.250 key supersecretkey

The last command is to change the default protocol from MS-CHAPv2 to PAP. Unfortunately, Google Authenticator will only work with PAP, as far as I know.

set vpn l2tp remote-access authentication require pap

Don’t forget to commit and save the configuration. Issue the commit;save command.

FreeRADIUS Configuration

In my FreeRADIUS blog post, there were only a few lines that needed to be changed or added to the config files. Aside from those modifications the files were left in the default state. That’s okay for the most part. However, when we try to access VPN, it takes a bit longer than using the local account. In this section, we’re going to make some optimizations to speed up the process of authentication.

I am a FreeRADIUS newbie, so I do not know what all of these lines mean, but I commented them out to speed up the process of authentication. I just looked at the debug using sudo freeradius -X command and tried to interpret what it was saying. The lines that included noop, I figured they are not needed for my environment, so I commented them out. Every time I made the change, I tested my VPN to make sure I was able to log in still. If you are currently using or going to use this FreeRADIUS instance for other purposes, then be careful of what you comment out because it may break. Remember, I only use this for remote access VPN and device authentication.

Edit the /etc/freeradius/sites-enabled/default file.

$ sudo vi /etc/freeradius/sites-enabled/default

Find the following and comment them out.

authorize {
#      chap
#      mschap
#      suffix
#      eap {
#              ok = return
#      }
#      expiration
#      logintime
#      pap

authenticate {
#      Auth-Type PAP {
#              pap
#      }
#      Auth-Type CHAP {
#              chap
#      }
#      Auth-Type MS-CHAP {
#              mschap
#      }
#      digest
#      eap

preacct {
#      suffix
#      files

accounting {
#      exec

post-auth {
#      exec

Next step is to edit the client.conf file. From what I can tell, this is kind of like an ACL. If you do not add the router’s source IP address, then FreeRADIUS will ignore the traffic from the router. Once you open the file using VI or your favorite text editor, look for the client localhost { line and add the lines listed below.

$ sudo vi /etc/freeradius/clients.conf
client rtr {
        ipaddr = 192.168.1.1
        secret = secretkey
}
client localhost {

Since we made changes to the files, we need to restart the service for it to take effect.

$ sudo service freeradius restart

Verification

Now, go ahead and test your VPN connectivity to see if it works. If everything works, then you can now delete the local account from the configuration. Remember, the format for the password is password+TOTP.

delete vpn l2tp remote-access authentication local-users username unique-username-here password your-unique-password-here

Troubleshooting

When you are troubleshooting FreeRADIUS, it is very helpful to use the freeradius -X command. This helped me figure out some issues that I’ve encountered when setting this up. This command may be different in other Linux distro, though. Just check the documentation for the right command. From what I can tell, all Debian-based Linux distro uses this command.

Before you can issue the debug command, you need to stop FreeRADIUS service first or you will get an error, as shown below.

$ sudo freeradius -X
<-- Output omitted for brevity -->
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[273]: Error binding to port for 0.0.0.0 port 1812
$ sudo service freeradius stop
$ sudo freeradius -X
<-- Output omitted for brevity -->
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

Once you’re done with troubleshooting, make sure to start the service back up with sudo service freeradius start command.

Final Words

The problem with local authentication is that we need to enter user account details within EdgeOS. That said, anyone who has admin-level access on EdgeOS will be able to view the password of the users. Changing the remote access VPN authentication from local to RADIUS is a more secure option. On top of that, we can add another factor of authentication.

For the most part, this is secure enough. In fact, I’ve seen a lot of organizations that use a similar setup. However, some organizations or people want to implement the securest method possible for their remote access VPN. That said, they need to implement certificate-based machine authentication. Heck, they may even combine both 2FA and certificate-based machine authentication for maximum security.

If I ever get the L2TP over IPsec working using certificates, then I will cover it in my next blog post. I know it’s possible, but my client is stuck in IKE Phase 1. The problem is most likely my certificates.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


About Andrew Roderos

As an IT professional, I have a strong passion for technology and a desire to learn more about it. Technologies that I am mostly interested in are computer networking, network security, virtualization, and programming. Outside of the information technology world, I enjoy traveling, reading science fiction books and manga, watching movies, and photography.