Lifewithtech

VPN: L2TP Server installation and config

Layer Two Tunneling Protocol (L2TP) is one of the trickier VPNs to set up and configure. L2TP/IPsec encryption is stronger than PPTP, it is widely available without third-party software, and it is supported by most mobile devices, which makes it a top choice for tunnelling through the internet. We are going to run through the installation and setup of L2TP on an Ubuntu Server. Please take the time to look through the L2TP bug reports before updating or installing; L2TP always seems to fix and break things in new versions.

Side note: I normally use apt-get to install packages; however, I did find a bug in openswan with mismatched versions when using apt-get, and using aptitude seemed to fix the issue.

Let's dive right into the installation and configuration of L2TP on Ubuntu.

We will need an IPsec daemon to provide encryption and authentication:

sudo aptitude install openswan

You will be prompted regarding RSA keys. Since we will be using preshared keys (PSK), say no to (or skip) the RSA prompts. Next we will adjust /etc/ipsec.conf.

Make a backup of the default ipsec.conf file:

sudo mv /etc/ipsec.conf /etc/ipsec.conf.old

sudo nano /etc/ipsec.conf

Copy and paste the following into /etc/ipsec.conf (replace the bracketed values with your server's public IP address and default gateway; settings inside a section must be indented):

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=[Server IP address]
    leftnexthop=[Server Gateway]
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Now we save the preshared key. Make a backup of the default ipsec.secrets file:

sudo mv /etc/ipsec.secrets /etc/ipsec.secrets.old

sudo nano /etc/ipsec.secrets

Put the following single line in the file, using straight ASCII double quotes around the key (curly quotes pasted from a web page will not work):

[Server IP address] %any: PSK "[Your preshared key]"

The preshared key can be anything you choose, but be sure to remember it, as you will need it for authentication (e.g. "testkey"). Switch to root and input the following commands to make sure that IPsec runs properly:

sudo su
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
su [primary user]
sudo ipsec verify

It should report that everything is running properly except for Opportunistic Encryption Support. Then restart IPsec:

sudo /etc/init.d/ipsec restart

Now let’s install and configure L2TP

sudo aptitude install xl2tpd

sudo mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.old
sudo nano /etc/xl2tpd/xl2tpd.conf

Paste the following:

[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

The ip range is the range of internal IP addresses for VPN clients. The local ip is the internal address of the server itself. Now we acquire and configure PPP:

sudo aptitude install ppp
sudo nano /etc/ppp/options.xl2tpd

Paste the following (don’t worry, the file is supposed to be empty)

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 209.139.209.33
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Now we will need to create user credentials to be used for the VPN login:

sudo nano /etc/ppp/chap-secrets

In this file you will see something similar to this. Give it the credentials you choose and remember them; they will be used every time you access the VPN. The server field must match the name set with "name l2tpd" in /etc/ppp/options.xl2tpd (or be *), otherwise pppd will not find the entry.

# user        server    password    ip
[username]    [server]  [password]  *

Save the file and restart the service:

sudo /etc/init.d/xl2tpd restart

If you are using iptables, input the following as root:

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

openswan doesn't appear to start after rebooting, so add these lines to /etc/rc.local (above the final exit 0):

sudo nano /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

You should now be able to connect to your new L2TP VPN gateway.
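Most of the breakage in this setup comes from the three credential files not agreeing with each other. The checker below is an added example (not from the original post) that lints the text of ipsec.secrets, options.xl2tpd and chap-secrets for the slips covered above: curly quotes around the PSK, a very short key, and a chap-secrets server column that does not match the "name l2tpd" line. The minimum key length and the sample file contents are assumptions.

```python
import re
import shlex

MIN_PSK_LEN = 20  # assumption: a PSK shorter than this is reported as weak
CURLY = "\u201c\u201d"  # the quote characters a copy-pasted PSK line often carries

def psk_findings(secrets_text):
    """Problems with the PSK line of ipsec.secrets ('selectors : PSK "key"', IPv4 selectors)."""
    for line in secrets_text.splitlines():
        m = re.match(r'^\s*\S.*?:\s*PSK\s+(\S.*?)\s*$', line)
        if not m:
            continue
        key = m.group(1)
        if key[0] in CURLY or key[-1] in CURLY:
            return ["ipsec.secrets: PSK wrapped in curly quotes; use straight ASCII quotes"]
        if len(key.strip('"')) < MIN_PSK_LEN:
            return ["ipsec.secrets: PSK shorter than %d characters" % MIN_PSK_LEN]
        return []
    return ["ipsec.secrets: no PSK line found"]

def ppp_name(options_text):
    """The 'name' value from options.xl2tpd, which chap-secrets' server column must match."""
    for line in options_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "name":
            return parts[1]
    return None

def chap_findings(chap_text, server_name):
    """chap-secrets entries whose server column matches neither the ppp name nor '*'."""
    out = []
    for line in chap_text.splitlines():
        fields = shlex.split(line.split("#", 1)[0])  # drop comments, honour quoting
        if len(fields) >= 4 and server_name and fields[1] not in (server_name, "*"):
            out.append("chap-secrets: server %r for user %s does not match name %r"
                       % (fields[1], fields[0], server_name))
    return out

def lint(secrets_text, options_text, chap_text):
    """All findings for the three files; an empty list means they agree."""
    return psk_findings(secrets_text) + chap_findings(chap_text, ppp_name(options_text))

# Constructed sample files reproducing two common slips: curly quotes around the
# PSK and a server column ('vpnhost') that does not match 'name l2tpd'.
SECRETS = '203.0.113.10 %any: PSK \u201ctestkey\u201d\n'
OPTIONS = "require-mschap-v2\nauth\nname l2tpd\n"
CHAP = "# user server password ip\nalice vpnhost s3cret *\nbob l2tpd s3cret *\n"

if __name__ == "__main__":
    for finding in lint(SECRETS, OPTIONS, CHAP):
        print(finding)
```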
