Skip to content

Instantly share code, notes, and snippets.

@yannispanousis
Last active October 14, 2019 19:30
Show Gist options
  • Save yannispanousis/012f20ee1e977835be8f to your computer and use it in GitHub Desktop.
Save yannispanousis/012f20ee1e977835be8f to your computer and use it in GitHub Desktop.
L2TP Client Setup (Ubuntu 15.10)

L2TP Client Setup for Ubuntu

You'll need:

  • VPN server IP
  • VPN pre-shared key
  • VPN username
  • VPN password

The following instructions are mostly derived from the corresponding ones for ArchLinux in this wiki.

  • Download and install latest Ubuntu openswan .deb package from https://launchpad.net/ubuntu/+source/openswan

  • Install xl2tpd

  • Disable IPv4 redirects

      for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    
  • Run sudo ipsec verify and you should see something along these lines:

      Checking your system to see if IPsec got installed and started correctly:
      Version check and ipsec on-path                             	[OK]
      Linux Openswan U2.6.38/K4.2.0-19-generic (netkey)
      Checking for IPsec support in kernel                        	[OK]
      SAref kernel support                                       	[N/A]
      NETKEY:  Testing XFRM related proc values                  	[OK]
      [OK]
      [OK]
      Hardware RNG detected, testing if used properly             	[FAILED]
      
      Hardware RNG is present but 'rngd' or 'clrngd' is not running.
      No harware random used!
      
      Checking that pluto is running                              	[OK]
      Pluto listening for IKE on udp 500                         	[OK]
      Pluto listening for NAT-T on udp 4500                      	[OK]
      Two or more interfaces found, checking IP forwarding        	[FAILED]
      Checking NAT and MASQUERADEing                              	[OK]
      Checking for 'ip' command                                   	[OK]
      Checking /bin/sh is not /bin/dash                           	[WARNING]
      Checking for 'iptables' command                             	[OK]
      Opportunistic Encryption Support                            	[DISABLED]
    

The above output seems to work on Ubuntu 15.10 and a wireless network setup, along with Docker.

"Two or more interfaces found, checking IP forwarding [FAILED]" might be explained by a local setup that includes Docker network interfaces. Regardless the L2TP connection works.

If "Checking that pluto is running" fails then it probably means ipsec service did not succeed in starting up, which needs to be investigated.

  • Set /etc/ipsec.conf to contain this, adjust wherever there's an 'ACTION REQUIRED' tag:

      config setup
           virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
           nat_traversal=yes
           protostack=netkey
           oe=no
      # ACTION REQUIRED: Replace eth0 with your network interface
           plutoopts="--interface=eth0"
      conn L2TP-PSK
           authby=secret
           pfs=no
           auto=add
           keyingtries=3
           dpddelay=30
           dpdtimeout=120
           dpdaction=clear
           rekey=yes
           ikelifetime=8h
           keylife=1h
           type=transport
      # ACTION REQUIRED: Replace %any below with your local IP address of the interface you specified in the above step
           left=%any
           leftprotoport=17/1701
      # ACTION REQUIRED
           right=<VPN server IP>
           rightprotoport=17/1701
    
  • Set /etc/ipsec.secrets to contain:

      %any <VPN server IP> : PSK "<VPN pre-shared key>"
    
  • Add the connection to ipsec

      ipsec auto --add L2TP-PSK
    
  • Configure xl2tpd by setting the contents of /etc/xl2tpd/xl2tpd.conf to:

      [lac vpn-connection]
      lns = <VPN server IP>
      ppp debug = yes
      pppoptfile = /etc/ppp/options.l2tpd.client
      length bit = yes
    
  • Configure pppd by setting contents of /etc/ppp/options.l2tpd.client to:

      ipcp-accept-local
      ipcp-accept-remote
      refuse-eap
      require-mschap-v2
      noccp
      noauth
      idle 1800
      mtu 1410
      mru 1410
      defaultroute
      usepeerdns
      debug
      lock
      connect-delay 5000
      name <VPN user>
      password <VPN password>
    
  • Create control file for xl2tpd:

      mkdir -p /var/run/xl2tpd
      touch /var/run/xl2tpd/l2tp-control
    
  • Start the connection

      service restart xl2tpd
      ipsec auto --up L2TP-PSK
      echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    
  • Route all traffic via the VPN

      CURRENT_GW=<the current default gateway>
      ip route add <VPN server IP> via $CURRENT_GW dev <your local network interface>
      # Add default route to be via the VPN gateway
      ip route add default via 192.168.42.1
      # Remove original default route
      ip route delete default via $CURRENT_GW
    
  • That's all folks!

Routines after getting a working installation

Open the tunnel

    service ipsec restart
    service xl2tpd restart
    ipsec auto --up L2TP-PSK
    echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    
    CURRENT_GW=<the current default gateway>
    ip route add <VPN server IP> via $CURRENT_GW dev <your local network interface>
    
    # Add default route to be via the VPN gateway
    ip route add default via 192.168.42.1
    
    # Remove original default route
    ip route delete default via $CURRENT_GW

Close the tunnel

    service xl2tpd stop
@morozovsk
Copy link

Selecting previously deselected package openswan.
dpkg: relatively openswan 2.6.38-1_amd64.deb, containing openswan: openswan conflicts with ike-server strongswan-ike ike-server provides and exists and is mounted.
dpkg: error processing file openswan_2.6.38-1_amd64.deb (--install): packages conflict - openswan not installed
When processing the next packet errors occurred: openswan_2.6.38-1_amd64.deb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment