@yannispanousis
Last active October 14, 2019 19:30
L2TP Client Setup (Ubuntu 15.10)

L2TP Client Setup for Ubuntu

You'll need:

  • VPN server IP
  • VPN pre-shared key
  • VPN username
  • VPN password

The following instructions are mostly derived from the corresponding ones for Arch Linux in the Arch Linux wiki.

  • Download and install the latest Ubuntu openswan .deb package from https://launchpad.net/ubuntu/+source/openswan (it conflicts with strongswan, which provides ike-server, so remove strongswan first if it is installed; see the dpkg error quoted in the comment at the end of this page)

  • Install xl2tpd

  • Disable IPv4 ICMP redirects (as root: the redirections below are done by the shell, so a plain sudo in front of the loop is not enough; the setting also does not survive a reboot, so repeat it or set the net.ipv4.conf.*.accept_redirects/send_redirects sysctls in /etc/sysctl.d)

      # run as root, e.g. via sudo sh -c '...'
      for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    
  • Run sudo ipsec verify and you should see something along these lines:

      Checking your system to see if IPsec got installed and started correctly:
      Version check and ipsec on-path                             	[OK]
      Linux Openswan U2.6.38/K4.2.0-19-generic (netkey)
      Checking for IPsec support in kernel                        	[OK]
      SAref kernel support                                       	[N/A]
      NETKEY:  Testing XFRM related proc values                  	[OK]
      [OK]
      [OK]
      Hardware RNG detected, testing if used properly             	[FAILED]
      
      Hardware RNG is present but 'rngd' or 'clrngd' is not running.
      No harware random used!
      
      Checking that pluto is running                              	[OK]
      Pluto listening for IKE on udp 500                         	[OK]
      Pluto listening for NAT-T on udp 4500                      	[OK]
      Two or more interfaces found, checking IP forwarding        	[FAILED]
      Checking NAT and MASQUERADEing                              	[OK]
      Checking for 'ip' command                                   	[OK]
      Checking /bin/sh is not /bin/dash                           	[WARNING]
      Checking for 'iptables' command                             	[OK]
      Opportunistic Encryption Support                            	[DISABLED]
    

The output above was captured on Ubuntu 15.10 on a wireless network with Docker installed.

"Two or more interfaces found, checking IP forwarding [FAILED]" is probably due to the Docker network interfaces; a VPN client does not need IP forwarding, so the L2TP connection works regardless.

If "Checking that pluto is running" fails, the ipsec service did not start. Check its status and the system log (pluto logs through syslog) before going further, since none of the steps below work without pluto; "Pluto listening for IKE on udp 500" and "Pluto listening for NAT-T on udp 4500" are the two lines that must be [OK].

  • Set /etc/ipsec.conf to contain the following, adjusting every line marked 'ACTION REQUIRED' (no ike= or phase2alg= is given, so openswan's default proposals are used):

      config setup
           virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
           nat_traversal=yes
           protostack=netkey
           oe=no
      # ACTION REQUIRED: Replace eth0 with your network interface
           plutoopts="--interface=eth0"
      conn L2TP-PSK
           authby=secret
      # pfs=no disables Perfect Forward Secrecy for the phase 2 SA; it matches most L2TP/IPsec servers, use pfs=yes if yours accepts it
           pfs=no
           auto=add
           keyingtries=3
           dpddelay=30
           dpdtimeout=120
           dpdaction=clear
           rekey=yes
           ikelifetime=8h
           keylife=1h
           type=transport
      # ACTION REQUIRED: Replace %any below with your local IP address of the interface you specified in the above step
           left=%any
           leftprotoport=17/1701
      # ACTION REQUIRED
           right=<VPN server IP>
           rightprotoport=17/1701
    
  • Set /etc/ipsec.secrets (owned by root, mode 0600, since it holds the pre-shared key) to contain:

      %any <VPN server IP> : PSK "<VPN pre-shared key>"
    
  • Add the connection to ipsec

      ipsec auto --add L2TP-PSK
    
  • Configure xl2tpd by setting the contents of /etc/xl2tpd/xl2tpd.conf to:

      [lac vpn-connection]
      lns = <VPN server IP>
      ppp debug = yes
      pppoptfile = /etc/ppp/options.l2tpd.client
      length bit = yes
    
  • Configure pppd by setting the contents of /etc/ppp/options.l2tpd.client to the following (the file holds the VPN password in clear, so make it root-owned with mode 0600):

      ipcp-accept-local
      ipcp-accept-remote
      refuse-eap
      require-mschap-v2
      noccp
      noauth
      idle 1800
      mtu 1410
      mru 1410
      defaultroute
      usepeerdns
      debug
      lock
      connect-delay 5000
      name <VPN user>
      password <VPN password>
    
  • Create the control file for xl2tpd (/var/run is not persistent, so this is needed again after every reboot):

      mkdir -p /var/run/xl2tpd
      touch /var/run/xl2tpd/l2tp-control
    
  • Start the connection, in this order: xl2tpd must be running before the control command is written, and the IPsec SA must be up before L2TP is dialled, otherwise the udp/1701 packets leave the host unencrypted

      service xl2tpd restart
      ipsec auto --up L2TP-PSK
      echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    
  • Route all traffic via the VPN (IPv4 only: if the host also has IPv6 connectivity, that traffic is not touched by these commands)

      # find it with: ip route show default
      CURRENT_GW=<the current default gateway>
      # keep the IKE/ESP and L2TP packets to the server on the physical path, or the tunnel would try to route itself
      ip route add <VPN server IP> via $CURRENT_GW dev <your local network interface>
      # Add default route to be via the VPN gateway: 192.168.42.1 is the PPP peer address in the author's setup, check yours with: ip addr show ppp0
      ip route add default via 192.168.42.1
      # Remove original default route
      ip route delete default via $CURRENT_GW
    
  • That's all folks!

Routines after getting a working installation

Open the tunnel

    service ipsec restart
    service xl2tpd restart
    ipsec auto --up L2TP-PSK
    echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    
    # find it with: ip route show default
    CURRENT_GW=<the current default gateway>
    ip route add <VPN server IP> via $CURRENT_GW dev <your local network interface>
    
    # Add default route to be via the VPN gateway (192.168.42.1 here; check yours with: ip addr show ppp0)
    ip route add default via 192.168.42.1
    
    # Remove original default route
    ip route delete default via $CURRENT_GW

Close the tunnel (this only stops xl2tpd; the route changes made when opening it are not undone, so afterwards delete the default route via the VPN gateway and add the original one back by hand)

    service xl2tpd stop
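The open/close routines above, together with the pluto check described after the ipsec verify output, scripted as one up/down tool. This is an added example and not the gist author's code. It assumes the names used in this gist (ipsec conn L2TP-PSK, xl2tpd lac vpn-connection, the control FIFO under /var/run/xl2tpd), that pppd brings the tunnel up as ppp0, and that VPN_SERVER holds the server address (203.0.113.10 in the file is a documentation placeholder, not a real server). It refuses to dial L2TP until pluto is listening on udp/500 and udp/4500, pins the server behind the physical gateway before swapping the default route, and records the original gateway so that `down` can put the default route back, which a bare `service xl2tpd stop` does not do.

```shell
#!/bin/sh
# l2tp-vpn.sh: open/close the L2TP/IPsec tunnel configured above, with checks.
# Added example, not part of the gist. Assumes the gist's names (conn L2TP-PSK,
# lac vpn-connection, control FIFO path), that pppd creates ppp0, and that
# VPN_SERVER is the server IP (203.0.113.10 is a documentation placeholder).
# Must run as root.
set -eu

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
CONN=L2TP-PSK
LAC=vpn-connection
CTRL=/var/run/xl2tpd/l2tp-control
STATE=/var/run/l2tp-vpn.state    # remembers the original gateway for vpn_down

# Print "<gateway> <interface>" for the first "default via ..." line of
# `ip route show default`; prints nothing when there is no such route.
default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" {
            for (i = 4; i < NF; i++) if ($i == "dev") { print $3, $(i + 1); exit }
        }'
}

# Print the remote (peer) address from `ip -4 addr show ppp0` output, e.g.
# "inet 192.168.42.10 peer 192.168.42.1/32 scope global ppp0" -> 192.168.42.1
ppp_peer() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" {
            for (i = 2; i < NF; i++) if ($i == "peer") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
        }'
}

# Succeed only if `ss -lun` output shows UDP sockets on both 500 (IKE) and
# 4500 (NAT-T): the scripted form of the two "Pluto listening" lines of ipsec verify.
ike_listening() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) { n = split($i, a, ":"); if (n > 1) { if (a[n] == "500") s500 = 1; if (a[n] == "4500") s4500 = 1 } } }
        END { exit !(s500 && s4500) }'
}

vpn_up() {
    route=$(default_route "$(ip route show default)")
    [ -n "$route" ] || { echo "no default route found" >&2; exit 1; }
    gw=${route% *}; dev=${route#* }
    printf '%s %s\n' "$gw" "$dev" > "$STATE"

    mkdir -p "$(dirname "$CTRL")"        # xl2tpd recreates the FIFO itself on start
    service ipsec restart
    service xl2tpd restart
    ike_listening "$(ss -lun)" || { echo "pluto is not listening on udp/500 and udp/4500" >&2; exit 1; }
    [ -p "$CTRL" ] || { echo "$CTRL is not a FIFO, xl2tpd did not start" >&2; exit 1; }

    # Pin the server behind the physical gateway first, so the later default-route
    # swap cannot send the tunnel's own IKE/ESP packets into the tunnel.
    ip route replace "$VPN_SERVER" via "$gw" dev "$dev"
    # IPsec SA before L2TP: without it udp/1701 would leave the host in clear.
    ipsec auto --up "$CONN"
    echo "c $LAC" > "$CTRL"

    peer=""; i=0
    while [ -z "$peer" ] && [ "$i" -lt 30 ]; do        # wait up to 30 s for pppd
        sleep 1; i=$((i + 1))
        peer=$(ppp_peer "$(ip -4 addr show ppp0 2>/dev/null || true)")
    done
    [ -n "$peer" ] || { echo "ppp0 did not come up, see the system log" >&2; exit 1; }

    ip route add default via "$peer" dev ppp0
    ip route del default via "$gw" dev "$dev"
    echo "tunnel up: default route via $peer (ppp0), $VPN_SERVER via $gw ($dev)"
}

vpn_down() {
    read -r gw dev < "$STATE"
    peer=$(ppp_peer "$(ip -4 addr show ppp0 2>/dev/null || true)")
    # Restore the physical default route before tearing the tunnel down.
    [ -z "$peer" ] || ip route del default via "$peer" dev ppp0 || true
    ip route replace default via "$gw" dev "$dev"
    echo "d $LAC" > "$CTRL" || true
    ipsec auto --down "$CONN" || true
    ip route del "$VPN_SERVER" via "$gw" dev "$dev" || true
    service xl2tpd stop
    rm -f "$STATE"
}

case "${1:-}" in
    up)    vpn_up ;;
    down)  vpn_down ;;
    check) ike_listening "$(ss -lun)" && echo "pluto listening on udp/500 and udp/4500" ;;
esac
```

Save it as l2tp-vpn.sh and run `VPN_SERVER=<VPN server IP> sh l2tp-vpn.sh up` as root, then `sh l2tp-vpn.sh down` to close. The script does the route swap itself because pppd's `defaultroute` option in options.l2tpd.client does not replace an existing default route; it only adds one when none is present.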
@morozovsk

Selecting previously deselected package openswan.
dpkg: regarding openswan_2.6.38-1_amd64.deb containing openswan: openswan conflicts with ike-server; strongswan-ike provides ike-server and is present and installed.
dpkg: error processing archive openswan_2.6.38-1_amd64.deb (--install): conflicting packages - not installing openswan
Errors were encountered while processing: openswan_2.6.38-1_amd64.deb