@Zemnmez
Last active March 7, 2023 10:12
L2TP / ipsec VPN, Amazon Linux (EC2)
# adapted from http://spottedhyena.co.uk/centos-67-ipsecl2tp-vpn-client-unifi-usg-l2tp-server/
yum -y install epel # enabling EPEL is different on Amazon Linux (e.g. "amazon-linux-extras install epel" on Amazon Linux 2)
sudo yum -y install xl2tpd openswan
systemctl start ipsec.service # on a systemd image ...
service ipsec start           # ... or this on a SysV init image

# 'myserver.com' is just an identifying name; /etc/ipsec.conf includes every file in /etc/ipsec.d/*.conf, so these settings are picked up from there.

vim /etc/ipsec.d/myserver.com.conf # see next...
config setup
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     nat_traversal=yes
     protostack=netkey
conn L2TP-PSK
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
# Replace %local below with your local IP address (a private, behind-NAT IP is okay as well);
# I used the IP from ifconfig and it worked
     left=%local
     leftprotoport=17/1701
# Replace %server with your VPN server's IP
     right=%server
     rightprotoport=17/1701
vim /etc/ipsec.d/myserver.com.secrets # see next...
# there was originally more stuff before the ":"; it didn't work when I had it
: PSK "your_pre_shared_key"
ipsec auto --add L2TP-PSK
vim /etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = %server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
vi /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
logfile /var/log/xl2tpd.log
connect-delay 5000
proxyarp
name your_vpn_username
password your_password
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

# now an important amazon specific step!!
# (from here: https://forums.aws.amazon.com/thread.jspa?messageID=916088)
vim /usr/lib/systemd/system/xl2tpd.service # see next ...

Comment out the line starting with 'ExecStartPre='.

ipsec auto --up L2TP-PSK
echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
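The four client-side files above, rendered from variables instead of editing the %local / %server placeholders by hand, as an added example that is not part of the gist. It assumes an openswan-style /etc/ipsec.conf that includes /etc/ipsec.d/*.conf (as noted above), and the variable names LOCAL_IP, SERVER_IP, PSK, VPN_USER, VPN_PASS and RENDER_TO are this example's own. The one thing it adds beyond the gist: the secrets file and the PPP options file both hold credentials, so they are created with mode 600 under a 077 umask rather than with whatever the default umask happens to give.

```shell
#!/bin/sh
# Added example (not the gist's own code): render the client-side config files
# from variables instead of editing %local / %server by hand, and create the
# two files that hold credentials (the IPsec secrets and the PPP options with
# the password) with mode 600 from the start. Variable names are this
# example's own. Usage: RENDER_TO=/tmp/stage ./render-vpn-config.sh to inspect
# the result, then RENDER_TO=/ as root to install it.
set -u

LOCAL_IP="${LOCAL_IP:-10.0.1.23}"       # constructed sample: the instance's private IP
SERVER_IP="${SERVER_IP:-203.0.113.10}"  # constructed sample: the L2TP/IPsec server
PSK="${PSK:-replace-with-your-psk}"
VPN_USER="${VPN_USER:-your_vpn_username}"
VPN_PASS="${VPN_PASS:-replace-with-your-password}"

# IPsec connection definition: same settings as the gist, placeholders filled in.
render_ipsec_conf() {  # $1 = local IP, $2 = server IP
  cat <<EOF
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=yes
    protostack=netkey
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$1
    leftprotoport=17/1701
    right=$2
    rightprotoport=17/1701
EOF
}

# Pre-shared key for any peer (the leading ':' means "no specific hosts").
render_secrets() { printf ': PSK "%s"\n' "$1"; }

render_xl2tpd_conf() {  # $1 = server IP
  printf '[lac vpn-connection]\nlns = %s\nppp debug = yes\n' "$1"
  printf 'pppoptfile = /etc/ppp/options.l2tpd.client\nlength bit = yes\n'
}

render_ppp_options() {  # $1 = user, $2 = password
  cat <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
logfile /var/log/xl2tpd.log
connect-delay 5000
proxyarp
name $1
password $2
EOF
}

# Write stdin to $1 with mode 600; the umask applies before the file exists,
# so the credentials are never world-readable, not even briefly.
write_private() {
  mkdir -p "$(dirname "$1")"
  ( umask 077; cat > "$1" )
  chmod 600 "$1"
}
write_file() { mkdir -p "$(dirname "$1")"; cat > "$1"; chmod 644 "$1"; }

# Render everything under the directory $1 (use "/" for the live system).
render_all() {
  d="$1"
  render_ipsec_conf "$LOCAL_IP" "$SERVER_IP" | write_file    "$d/etc/ipsec.d/myserver.com.conf"
  render_secrets "$PSK"                      | write_private "$d/etc/ipsec.d/myserver.com.secrets"
  render_xl2tpd_conf "$SERVER_IP"            | write_file    "$d/etc/xl2tpd/xl2tpd.conf"
  render_ppp_options "$VPN_USER" "$VPN_PASS" | write_private "$d/etc/ppp/options.l2tpd.client"
}

# Only write when RENDER_TO is set, so sourcing this file has no side effects.
if [ -n "${RENDER_TO:-}" ]; then render_all "$RENDER_TO"; fi
```

Rendering into a staging directory first lets you diff the result against what is already in /etc before touching the live files; the `pfs=no` and `noauth` lines are carried over unchanged because they are what the gist's server set-up expects, not a recommendation.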

After this you have to fix the route tables. Here is what I did: save this as vpn.sh

#!/bin/bash

# Remote networks that should go through the tunnel
MASK=("192.168.1.0/24" "172.20.100.0/24")

# Bring the tunnel up if there is no ppp0 interface yet
if ! ifconfig | grep -q ppp0; then
    echo "upping vpn"
    sudo ipsec auto --up L2TP-PSK
    sleep 3
    # the redirection has to run as root too, so use tee rather than 'sudo echo'
    echo "c vpn-connection" | sudo tee /var/run/xl2tpd/l2tp-control > /dev/null
fi

echo "route 0 ${MASK[0]}"
# Add the routes once ppp0 exists and nothing is routed over it yet
if ! route | grep -q ppp0; then
    echo "adding routes..."
    sudo route add -net "${MASK[0]}" dev ppp0
    sudo route add -net "${MASK[1]}" dev ppp0
fi
chmod +x vpn.sh
sudo crontab -e
10 * * * * /home/ec2-user/vpn.sh
sudo ./vpn.sh # run this a few times until everything is resolved; cron will also run it automatically
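The same watchdog idea as vpn.sh above, as an added example that is not the gist's script: it is idempotent, uses iproute2 (`ip link`, `ip route`) instead of net-tools, and keeps the decision logic in two functions that read command output from stdin, so they can be checked against captured text without a tunnel. NETS, LOG and WATCHDOG are this example's own names; the networks are the same ones the gist's MASK array lists.

```shell
#!/bin/sh
# Added example, not the gist's vpn.sh: an idempotent watchdog built on
# iproute2 (ifconfig and route are net-tools, which newer images no longer
# ship). ppp_is_up and missing_routes only read text on stdin, so they can be
# exercised offline; only ensure_up and ensure_routes touch the system.
# NETS, LOG and WATCHDOG are this example's own names.
set -u

NETS="192.168.1.0/24 172.20.100.0/24"   # remote networks, as in the gist
LOG="${LOG:-/var/log/vpn-watchdog.log}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# Exit 0 if the `ip -o link` output on stdin lists a ppp0 interface.
ppp_is_up() { grep -Eq '^[0-9]+: ppp0[:@]'; }

# Print, one per line, each network in NETS that has no "<net> dev ppp0"
# entry in the `ip route` output on stdin.
missing_routes() {
  routes="$(cat)"
  for net in $NETS; do
    esc="$(printf '%s' "$net" | sed 's/[.]/\\./g')"   # escape dots for grep -E
    if ! printf '%s\n' "$routes" | grep -Eq "^$esc dev ppp0( |\$)"; then
      printf '%s\n' "$net"
    fi
  done
}

# Bring the tunnel up only when ppp0 is absent (same commands as the gist).
ensure_up() {
  if ip -o link | ppp_is_up; then return 0; fi
  log "ppp0 absent, bringing the tunnel up"
  ipsec auto --up L2TP-PSK
  sleep 3
  echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
}

# Add only the routes that are missing, so repeated runs never error out.
ensure_routes() {
  ip route | missing_routes | while read -r net; do
    log "adding $net via ppp0"
    ip route add "$net" dev ppp0
  done
}

# Only act when WATCHDOG=1 (e.g. from root's crontab), so sourcing is harmless.
if [ "${WATCHDOG:-0}" = 1 ]; then ensure_up && ensure_routes; fi
```

Run it from root's crontab as `10 * * * * WATCHDOG=1 /home/ec2-user/vpn-watchdog.sh`, the same schedule the gist uses; the log file then gives you a record of every reconnect and every route that was re-added, which is what you want to look at when the tunnel keeps dropping.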
aaaristo commented Nov 30, 2021

thanks for the gist

systemctl start xl2tpd.service

seems to be missing
