Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save codingwesley/aa7fe20cbe62575048aef2169d2ff0da to your computer and use it in GitHub Desktop.
Save codingwesley/aa7fe20cbe62575048aef2169d2ff0da to your computer and use it in GitHub Desktop.
Set up L2TP/IPsec VPN on Debian

Set up L2TP/IPsec VPN on Debian

Set up IPsec

Set up networking

cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF

NOTE: On DigitalOcean, also:

cat <<EOF >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF

Reload config:

sysctl -p

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan:

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat <<EOF >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
EOF
cat <<EOF >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF
cat <<EOF >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
chmod 600 /etc/ipsec.secrets

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPSec

NOTE: On Debian jessie, first:

systemctl enable xl2tpd.service
ipsec setup start
ipsec verify

Set up PPP

Install PPP

apt-get install -y xl2tpd

Set up PPP

cat <<EOF >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<EOF >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF
cat <<EOF >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
chmod 600 /etc/ppp/chap-secrets

NOTE: May have to use local DNS servers.

Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

For now:

iptables --table nat --append POSTROUTING --jump MASQUERADE

For later:

cat <<EOF >>/etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
EOF

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment