Set up L2TP/IPsec VPN on Debian

Set up IPsec

Set up networking

cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF

NOTE: On DigitalOcean, also:

cat <<EOF >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF

Reload config:

sysctl -p

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan:

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat <<EOF >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
EOF
cat <<EOF >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF
cat <<EOF >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
chmod 600 /etc/ipsec.secrets

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPSec

NOTE: On Debian jessie, first:

systemctl enable ipsec.service

Then, on either system:

ipsec setup start
ipsec verify

Set up PPP

Install PPP

apt-get install -y xl2tpd

Set up PPP

cat <<EOF >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<EOF >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF
cat <<EOF >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
chmod 600 /etc/ppp/chap-secrets

NOTE: May have to use local DNS servers.

Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

To apply the NAT rule now:

iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Replace %SERVERIP% with the external IP of your VPS.

To re-apply it at every boot (the heredoc delimiter is quoted so that $vpn is written to rc.local literally instead of being expanded to an empty string when the file is created):

cat <<'EOF' >>/etc/rc.local
# Disable ICMP redirects on every interface (including ones created later) and restore the VPN NAT rule
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
EOF

Replace %SERVERIP% with the external IP of your VPS.

Restart services

ipsec setup restart
systemctl restart xl2tpd.service
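A small post-setup audit for the files this procedure writes, added here as an example and not part of the gist: it checks that the sysctl hardening lines are present, that the two secrets files are mode 600 and no longer contain the __PRE_SHARED_KEY__/__USERNAME__/__PASSWORD__ placeholders, and that xl2tpd refuses PAP and CHAP and requires authentication. The function names and the demo input are assumptions/constructed; it relies on GNU stat.

```shell
#!/bin/sh
# Post-setup checks for the files written above (added example, not part of
# the gist). Each check takes a path so it can be run against the real
# /etc/sysctl.conf, /etc/ipsec.secrets, /etc/ppp/chap-secrets and
# /etc/xl2tpd/xl2tpd.conf, or against constructed samples. Assumes GNU stat.

# Every hardening key from the sysctl block must be present as an exact line.
check_sysctl_file() {
  f=$1; rc=0
  for kv in net.ipv4.ip_forward=1 \
            net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.conf.default.accept_redirects=0 \
            net.ipv4.conf.all.send_redirects=0 \
            net.ipv4.conf.default.send_redirects=0 \
            net.ipv4.conf.all.rp_filter=0; do
    grep -qxF "$kv" "$f" || { echo "sysctl: missing $kv"; rc=1; }
  done
  return $rc
}

# A secrets file must be mode 600 and must not still carry one of the
# template placeholders (__PRE_SHARED_KEY__, __USERNAME__, __PASSWORD__).
check_secrets_file() {
  f=$1; rc=0
  mode=$(stat -c %a "$f")
  [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; rc=1; }
  if grep -qE '__(PRE_SHARED_KEY|USERNAME|PASSWORD)__' "$f"; then
    echo "$f: template placeholder still present"; rc=1
  fi
  return $rc
}

# xl2tpd must refuse PAP and CHAP (leaving MS-CHAPv2 from the PPP options)
# and must require authentication at all.
check_xl2tpd_conf() {
  f=$1; rc=0
  for opt in 'refuse pap = yes' 'refuse chap = yes' 'require authentication = yes'; do
    grep -qxF "$opt" "$f" || { echo "xl2tpd: missing '$opt'"; rc=1; }
  done
  return $rc
}

# Constructed demo input: a secrets file that still carries the gist's placeholder.
demo=$(mktemp -d)
printf '%%any: PSK "__PRE_SHARED_KEY__"\n' > "$demo/ipsec.secrets"
chmod 600 "$demo/ipsec.secrets"
check_secrets_file "$demo/ipsec.secrets" || echo "demo: finding reported, as expected"
rm -rf "$demo"
```

Point the three functions at the live paths named in the header comment once the placeholders have been replaced; any non-zero return is a finding to fix before exposing the server.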
