Previously, I publishedHow to Set Up a PPTP VPN Server on Ubuntuan article on how to set up a PPTP VPN server on Ubuntu. However, in some cases, PPTP can be affected and may not work properly. In that scenario, you have another option: using an L2TP/IPSec VPN.

Install Packages
sudo apt-get install xl2tpd openswan ppp
IPSec / Openswan
Open /etc/ipsec.conf and configure as follows:
config setup
nat_traversal=yesvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
# The network addresses included here are allowed to be configured as subnets where remote clients are located. In other words,these address ranges should be the addresses of clients behind your NAT router.
oe=off
protostack=netkeyconn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNATconn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
# Apple iOS does not send delete notifications,
# so we need to identify disconnected clients through dead peer detection
dpddelay=30
dpdtimeout=120
dpdaction=clear
# Set ikelifetime and keylife to match Windows default settings
ikelifetime=8h
keylife=1h
type=transport
# Replace IP with your local IP (generally a private address or behind NAT)
left=x.x.x.x
# For upgraded Windows 2000/XP clients
leftprotoport=17/1701
# To support older clients, set leftprotoport=17/%any
right=%any
rightprotoport=17/%any
# Force all connections through NAT because iOS
forceencaps=yes
Note: in your ipsec.conf, “config setup” and “L2TP-PSK-NAT”, “L2TP-PSK-noNAT” should start at the beginning of the line, while other lines should be indented with 8 spaces.
Open /etc/ipsec.secrets and configure:
x.x.x.x %any: PSK “somegoodpassword”
Replace x.x.x.x with your server IP and set a complex password.
Start IPSEC service:
/etc/init.d/ipsec start
Use the following command to verify ipsec is working:
sudo ipsec verify
There should be no errors:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for ‘ip’ command [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
Create a file named ipsec.vpn in /etc/init.d with the following content:
case “$1” in
start)
echo “Starting my Ipsec VPN”
iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec start
/etc/init.d/xl2tpd start
;;
stop)
echo “Stopping my Ipsec VPN”
iptables –table nat –flush
echo 0 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec stop
/etc/init.d/xl2tpd stop
;;
restart)
echo “Restarting my Ipsec VPN”
iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
;;
*)
echo “Usage: /etc/init.d/ipsec.vpn {start|stop|restart}”
exit 1
;;
esac
This configures firewall forwarding. Remember to change the local IP pool 10.152.2.0/24 to your own.
Then set executable permissions on this file:
sudo chmod 755 ipsec.vpn
Disable the default ipsec service script:
sudo update-rc.d -f ipsec remove
Then enable our custom one:
sudo update-rc.d ipsec.vpn defaults
L2TP
Modify /etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = no[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configuration notes:
- ip range = IP range for clients that can connect to the VPN service
- local ip = VPN server IP, must be outside the client IP range
- refuse pap = reject PAP authentication
- ppp debug = enable during testing
Choose a complex challenge-response authentication string. Although there is no minimum length limit, it should be at least 16 characters and complex enough for security.
Open /etc/xl2tpd/l2tp-secrets and enter your password:
* * exampleforchallengestring
Open /etc/ppp/options.xl2tpd and configure as follows:
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ms-dns Options for setting DNS servers to assign to clients. When clients connect, they will receive these DNS. To add multiple DNS, put one per line.
If you want to push WINS settings to clients, set the following options:
MTU and MRU According to openswan.org, reducing MRU/MTU size is very important. L2TP/IPSec encapsulates several times, which may degrade performance; reducing this size allows the entire packet to be transmitted at once.
proxyarp The connected client IP and Ethernet addresses can be added to the system ARP table. This affects other clients on the local LAN.
name l2tpd Used in the PPP authentication file.
Add Users
Open /etc/ppp/chap-secrets and configure as follows:
user1 l2tpd chooseagoodpassword *
user2 * chooseagoodpassword *
Each line includes the following fields:
- Client = Username
- Server = Name defined in /etc/ppp/options.xl2tpd above
- Password = User password, set a sufficiently complex one
- IP = * means user can connect from any address, otherwise restrict to a specific address
Note: You can add multiple users.
IP Forwarding
Open /etc/sysctl.conf and modify:
net.ipv4.ip_forward=1
Load the new configuration:
sysctl -p
Start VPN
sudo /etc/init.d/ipsec.vpn restart
sudo /etc/init.d/xl2tpd restart
Troubleshooting
If you encounter problems, the following commands can help:
sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
You can use the following command on the server to monitor:
sudo tcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh
Here aaa.bbb.ccc.ddd is your client public IP address.
(This article is compiled from https://help.ubuntu.com.)