VPN: L2TP Server installation and config
Layer Two Tunneling Protocol (L2TP) is one of the trickier VPNs to configure and set up. L2TP itself does no encryption; it is wrapped in IPsec, which is stronger than PPTP's encryption, is built into most desktop and mobile operating systems without third-party software, and so makes L2TP/IPsec a top choice for tunneling through the Internet. We are going to run through the installation and setup of L2TP/IPsec on an Ubuntu Server. Please take the time to look through the L2TP bug reports before updating or installing, since new versions always seem to fix some things and break others.
Side note: I normally use apt-get to install packages; however, I did find a bug in openswan with mismatched versions when using apt-get, and using aptitude seemed to fix the issue.
Let's dive right into the installation and configuration of L2TP on Ubuntu.
We will need an IPsec daemon to provide encryption and authentication:
sudo aptitude install openswan
You will be prompted regarding RSA keys. Since we will be using pre-shared keys (PSK), say no to (or skip) the RSA prompts. Next we will be adjusting /etc/ipsec.conf.
Make a backup of the default ipsec.conf file:
sudo mv /etc/ipsec.conf /etc/ipsec.conf.old
sudo nano /etc/ipsec.conf
Copy and paste the following into /etc/ipsec.conf, replacing [Server IP address] with the server's public address and [Server Gateway] with its default gateway (parameters inside a section must be indented):

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=[Server IP address]
    leftnexthop=[Server Gateway]
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

If the server itself sits inside one of the private ranges listed in virtual_private (say its LAN is 192.168.1.0/24), exclude that subnet with a negated entry such as %v4:!192.168.1.0/24, as openswan recommends, so that a client's private address cannot collide with the server's own LAN.
Now we set the pre-shared key.
Make a backup of the default ipsec.secrets file and open a new one:
sudo mv /etc/ipsec.secrets /etc/ipsec.secrets.old
sudo nano /etc/ipsec.secrets
[Server IP address] %any: PSK "[Your preshared key]"
The pre-shared key is anything you choose, but be sure to remember it, as every client will need it for IPsec authentication. EG: "testkey". Since this one key is shared by all clients, use a long random string in practice rather than a word like "testkey", and keep /etc/ipsec.secrets readable by root only. Switch to root and input the following commands to make sure that IPsec runs properly:
sudo su
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
exit
sudo ipsec verify

(exit leaves the root shell and returns you to your normal user. Disabling ICMP redirects is one of the things ipsec verify checks for; the setting does not survive a reboot, which is why it is repeated in /etc/rc.local at the end.)
It should say that everything is running properly except for Opportunistic Encryption Support, which we disabled with oe=off. Then restart the daemon:
sudo /etc/init.d/ipsec restart
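As an added example (not part of the original post), here is a small POSIX shell helper that generates a random pre-shared key and writes the ipsec.secrets line shown above with root-only permissions, since every client shares this one key. The function names, the 20-character minimum and the optional directory argument (so it can be tried in a scratch directory without root) are my own choices, not anything openswan defines.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a strong pre-shared
# key and write it in the '<server ip> %any: PSK "..."' form used above, with
# permissions that keep it readable by root only.  The directory is a
# parameter (default /etc) so the functions can be exercised without root.

# gen_psk: print 32 random bytes as 64 hex characters, no trailing newline.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# psk_ok PSK: succeed only if the key is at least 20 characters long,
# which rules out short dictionary words such as "testkey".
# (20 is an assumed floor for this example, not an openswan requirement.)
psk_ok() {
    [ "${#1}" -ge 20 ]
}

# write_ipsec_secrets SERVER_IP PSK [DIR]
# Refuses weak keys, then writes DIR/ipsec.secrets (default /etc/ipsec.secrets)
# as a single "%any" PSK line.  The file is created under umask 077 so the key
# is never even briefly world-readable; chmod 600 covers an existing file.
write_ipsec_secrets() {
    server_ip=$1
    psk=$2
    dir=${3:-/etc}
    psk_ok "$psk" || { echo "refusing weak PSK (shorter than 20 chars)" >&2; return 1; }
    # umask inside a subshell so the caller's umask is left untouched
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# secrets_line [DIR]: print the line that was written, for checking by eye.
secrets_line() {
    cat "${1:-/etc}/ipsec.secrets"
}
```

On the real server run `write_ipsec_secrets <server ip> "$(gen_psk)"` as root; the same hex string is what you type into each client's IPsec "shared secret" field.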
Now let’s install and configure L2TP
sudo aptitude install xl2tpd
Make a backup of the default xl2tpd.conf file and open a new one:
sudo mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.old
sudo nano /etc/xl2tpd/xl2tpd.conf
Paste the following into /etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ip range is the pool of internal addresses handed out to clients, and local ip is the server's own address on the tunnel. Now we install and configure PPP:
sudo aptitude install ppp
sudo nano /etc/ppp/options.xl2tpd
Paste the following (don’t worry, the file is supposed to be empty)
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 209.139.209.33
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Now we need to create the user credentials for the VPN login:
sudo nano /etc/ppp/chap-secrets
In this file you will see a header like the one below. Add one line per user with the credentials you choose, and remember them: they are used every time you connect. The server column must match the name given in /etc/ppp/options.xl2tpd (l2tpd, as set above) or be *, otherwise pppd rejects the login even though the IPsec tunnel comes up; the * in the last column lets the client take any address from the pool.

# client      server    secret        IP addresses
[username]    l2tpd     [password]    *
Save the file and restart the service:
sudo /etc/init.d/xl2tpd restart
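Added example, not from the original post: a lint for the PPP side of the setup. pppd authenticates a CHAP client only against chap-secrets lines whose server column equals its own name (the name l2tpd option set above; pppd falls back to the hostname when name is absent) or *, and a mismatch there surfaces as a login failure after the IPsec tunnel is already up. The function names, the permission check and the sample credentials built inside demo_lint are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: check that chap-secrets
# agrees with the pppd "name" option, and that the secrets file is private.

# pppd_name OPTIONS_FILE: print the value of the "name" option, or the
# hostname (pppd's own fallback) when the option is not set.
pppd_name() {
    n=$(awk '$1 == "name" { print $2; exit }' "$1")
    if [ -n "$n" ]; then printf '%s\n' "$n"; else uname -n; fi
}

# lint_chap_secrets CHAP_SECRETS OPTIONS_FILE
# Succeeds when every non-comment entry uses that server name or "*";
# otherwise prints the offending lines and fails.
lint_chap_secrets() {
    want=$(pppd_name "$2")
    awk -v want="$want" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        NF < 3 { bad = 1; print "malformed: " $0; next }
        $2 != want && $2 != "*" {
            bad = 1
            print "server field \"" $2 "\" does not match pppd name \"" want "\": " $0
        }
        END { exit bad }
    ' "$1"
}

# secrets_private FILE: succeed if group and others have no permission bits,
# which is how chap-secrets (and ipsec.secrets) should be kept.
secrets_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# demo_lint: build a constructed options.xl2tpd and chap-secrets in a scratch
# directory and run the checks.  Returns 0 when the good file passes and an
# entry with the wrong server name is caught.  Sample data, not real logins.
demo_lint() {
    d=$(mktemp -d)
    printf 'require-mschap-v2\nname l2tpd\nauth\n' > "$d/options.xl2tpd"
    ( umask 077
      printf '# client  server  secret    IP addresses\n'  > "$d/chap-secrets"
      printf 'alice     l2tpd   "s3cret"  *\n'            >> "$d/chap-secrets"
      printf 'bob       *       "pw2"     *\n'            >> "$d/chap-secrets" )
    lint_chap_secrets "$d/chap-secrets" "$d/options.xl2tpd" || return 1
    secrets_private "$d/chap-secrets" || return 1
    # an entry pointing at some other server name must be flagged
    printf 'carol     vpnsrv  "pw3"     *\n' >> "$d/chap-secrets"
    if lint_chap_secrets "$d/chap-secrets" "$d/options.xl2tpd" >/dev/null; then
        return 1
    fi
    rm -rf "$d"
    return 0
}
```

Run demo_lint to see the checks against the constructed files; on the server, point lint_chap_secrets at /etc/ppp/chap-secrets and /etc/ppp/options.xl2tpd and run secrets_private on both secrets files before blaming the IPsec layer for a failed login.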
If you are using iptables, input the following to masquerade the VPN clients' traffic and enable forwarding:
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
Restricting the rule to the VPN pool (add --source 10.1.2.0/24 before --jump) is safer than masquerading every packet the box forwards.
openswan doesn't appear to start after rebooting, and the iptables and sysctl settings above are not persistent either. Add these lines to /etc/rc.local, above its final exit 0 (rc.local runs as root, so no sudo is needed):
sudo nano /etc/rc.local

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

The three sysctl values can equally be set in /etc/sysctl.conf (net.ipv4.ip_forward = 1, net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.all.send_redirects = 0, plus the matching net.ipv4.conf.default.* entries for interfaces created later).
You should now be able to connect to your new L2TP VPN gateway.