How to Configure an L2TP VPN on Ubuntu

       Previously, I publishedHow to Set Up a PPTP VPN Server on Ubuntuan article on how to set up a PPTP VPN server on Ubuntu. However, in some cases, PPTP can be affected and may not work properly. In that scenario, you have another option: using an L2TP/IPSec VPN. 

Install Packages

sudo apt-get install xl2tpd openswan ppp

IPSec / Openswan

Open /etc/ipsec.conf and configure as follows:

config setup       
nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24

# The network addresses included here are allowed to be configured as subnets where remote clients are located. In other words,these address ranges should be the addresses of clients behind your NAT router.

        oe=off
        protostack=netkey

        conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

        conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS does not send delete notifications,
        # so we need to identify disconnected clients through dead peer detection
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to match Windows default settings
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace IP with your local IP (generally a private address or behind NAT)
        left=x.x.x.x
        # For upgraded Windows 2000/XP clients
        leftprotoport=17/1701
        # To support older clients, set leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        # Force all connections through NAT because iOS
        forceencaps=yes

Note: in your ipsec.conf, “config setup” and “L2TP-PSK-NAT”, “L2TP-PSK-noNAT” should start at the beginning of the line, while other lines should be indented with 8 spaces.
Open /etc/ipsec.secrets and configure:

x.x.x.x   %any:  PSK “somegoodpassword”

Replace x.x.x.x with your server IP and set a complex password.
Start IPSEC service: 

/etc/init.d/ipsec start

Use the following command to verify ipsec is working:

sudo ipsec verify

There should be no errors:

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Checking for ‘ip’ command                                       [OK]
Checking for ‘iptables’ command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

 

Create a file named ipsec.vpn in /etc/init.d with the following content:

  case “$1” in

  start)
    echo “Starting my Ipsec VPN”
    iptables  -t nat   -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for each in /proc/sys/net/ipv4/conf/*
    do
      echo 0 > $each/accept_redirects
      echo 0 > $each/send_redirects
    done
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
;;
  stop)
    echo “Stopping my Ipsec VPN”
    iptables –table nat –flush
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
;;
  restart)
    echo “Restarting my Ipsec VPN”
    iptables  -t nat   -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for each in /proc/sys/net/ipv4/conf/*
    do
      echo 0 > $each/accept_redirects
      echo 0 > $each/send_redirects
    done
    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart
;;
  *)
    echo “Usage: /etc/init.d/ipsec.vpn  {start|stop|restart}”
    exit 1
;;
esac

This configures firewall forwarding. Remember to change the local IP pool 10.152.2.0/24 to your own. 

Then set executable permissions on this file:

sudo chmod 755 ipsec.vpn

Disable the default ipsec service script:

sudo update-rc.d -f ipsec remove

Then enable our custom one:

sudo update-rc.d ipsec.vpn defaults

 

L2TP

Modify /etc/xl2tpd/xl2tpd.conf:

[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configuration notes:

  • ip range = IP range for clients that can connect to the VPN service
  • local ip = VPN server IP, must be outside the client IP range
  • refuse pap = reject PAP authentication
  • ppp debug = enable during testing

Choose a complex challenge-response authentication string. Although there is no minimum length limit, it should be at least 16 characters and complex enough for security.

Open /etc/xl2tpd/l2tp-secrets and enter your password:

* * exampleforchallengestring

Open /etc/ppp/options.xl2tpd and configure as follows:

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

ms-dns Options for setting DNS servers to assign to clients. When clients connect, they will receive these DNS. To add multiple DNS, put one per line.

If you want to push WINS settings to clients, set the following options:

MTU and MRU According to openswan.org, reducing MRU/MTU size is very important. L2TP/IPSec encapsulates several times, which may degrade performance; reducing this size allows the entire packet to be transmitted at once. 

proxyarp The connected client IP and Ethernet addresses can be added to the system ARP table. This affects other clients on the local LAN.

name l2tpd Used in the PPP authentication file.

Add Users

Open /etc/ppp/chap-secrets and configure as follows:

user1 l2tpd chooseagoodpassword *

user2 * chooseagoodpassword *

Each line includes the following fields:

  • Client = Username
  • Server = Name defined in /etc/ppp/options.xl2tpd above
  • Password = User password, set a sufficiently complex one
  • IP = * means user can connect from any address, otherwise restrict to a specific address

Note: You can add multiple users.

IP Forwarding

Open /etc/sysctl.conf and modify:

net.ipv4.ip_forward=1

Load the new configuration:

sysctl -p

Start VPN

sudo /etc/init.d/ipsec.vpn restart
sudo /etc/init.d/xl2tpd restart

Troubleshooting

If you encounter problems, the following commands can help:

sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog

You can use the following command on the server to monitor:

sudo tcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh

Here aaa.bbb.ccc.ddd is your client public IP address.

(This article is compiled from https://help.ubuntu.com.)

Leave a Comment

Your email address will not be published.