@mietek
Last active September 30, 2024 18:02

Set up L2TP/IPsec VPN on Debian

Set up IPsec

Set up networking

cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF

NOTE: Replace eth0 with the name of your public interface if it differs. Reverse-path filtering is turned off because strict filtering can drop packets that were decapsulated from IPsec, and ICMP redirects are disabled so the host neither sends nor accepts them; ipsec verify (below) checks both settings.

NOTE: On DigitalOcean, also:

cat <<EOF >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF

Reload config:

sysctl -p

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan (3.12 is the release this guide was written against; check https://download.libreswan.org/ for the current release before building):

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat <<EOF >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
EOF
cat <<EOF >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF
cat <<EOF >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
chmod 600 /etc/ipsec.secrets

NOTE: %any means one PSK for every client, and pfs=no above disables Perfect Forward Secrecy for the phase 2 SA; both are concessions to client compatibility. Generate the PSK randomly (32 bytes or more) rather than choosing a passphrase, and treat it as a group secret: anyone who holds it can impersonate the server to the clients.

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPsec

NOTE: On Debian jessie, first enable the systemd unit that make install put in place (xl2tpd has its own unit, which is enabled in the PPP section below):

systemctl enable ipsec.service

Then start Libreswan and let it check the host:

ipsec setup start
ipsec verify

ipsec verify prints one [OK] or [FAILED] line per check; the rp_filter and ICMP redirect settings from the networking step should show [OK].

Set up PPP

Install xl2tpd (the L2TP daemon; it pulls in pppd):

apt-get install -y xl2tpd

Set up xl2tpd

cat <<EOF >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<EOF >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF
cat <<EOF >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
chmod 600 /etc/ppp/chap-secrets

NOTE: Each chap-secrets line is client, server, secret, allowed IP; * accepts any server name and any address. Add one line per user.

NOTE: May have to use local DNS servers.

NOTE: MS-CHAPv2 on its own is weak (its challenge/response can be brute-forced offline to recover the NT password hash), so it is only as strong as the IPsec layer wrapping it. Anyone who holds the shared PSK can impersonate the server and capture the MS-CHAPv2 exchange, which is another reason to keep the PSK long and random.
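The two secrets files above (ipsec.secrets with its __PRE_SHARED_KEY__ placeholder, and chap-secrets with __USERNAME__ and __PASSWORD__) are the only things standing between an attacker and the VPN, so they should be generated rather than typed. The following script is an added example, not part of the original gist: it draws both the group PSK and one password per user from /dev/urandom, writes both files under umask 077 so they are never readable by other users even briefly, and applies the same chmod 600 the guide uses. ETC_DIR is an assumed knob: empty (the default) writes to /etc as the guide does, and a scratch directory lets you dry-run it.

```shell
#!/bin/sh
# Added example, not part of the original gist: generate the IPsec PSK and the
# per-user PPP passwords and write ipsec.secrets and chap-secrets with the
# permissions the guide uses. ETC_DIR is an assumed knob: empty (default) means
# /etc; point it at a scratch directory to try this without touching a live host.
ETC_DIR="${ETC_DIR:-}"

# 32 bytes from /dev/urandom as 64 hex characters. Hex needs no quoting in either
# file (no spaces, quotes, '#' or '*'), and the group PSK that every client shares
# is what protects the MS-CHAPv2 exchange, so it gets the full 256 bits.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Usage: write_secrets USER [USER...]
# Writes "$ETC_DIR/etc/ipsec.secrets" and "$ETC_DIR/etc/ppp/chap-secrets" inside
# a subshell with umask 077, then prints the generated values once so they can be
# handed to the clients (they are not logged anywhere else).
write_secrets() {
    [ $# -ge 1 ] || { echo "usage: write_secrets USER [USER...]" >&2; return 2; }
    psk="$(gen_secret)"
    secrets="$ETC_DIR/etc/ipsec.secrets"
    chap="$ETC_DIR/etc/ppp/chap-secrets"
    mkdir -p "$ETC_DIR/etc/ppp"
    (
        umask 077
        # Same line the guide writes by hand: one PSK for any peer.
        printf '%%any: PSK "%s"\n' "$psk" > "$secrets"
        : > "$chap"
        for user in "$@"; do
            pw="$(gen_secret)"
            # chap-secrets fields: client, server, secret, allowed IP
            printf '%s * %s *\n' "$user" "$pw" >> "$chap"
            printf 'USER=%s PASSWORD=%s\n' "$user" "$pw"
        done
    )
    chmod 600 "$secrets" "$chap"
    printf 'PSK=%s\n' "$psk"
}

# Returns 0 if FILE is mode 600 (GNU stat, as on Debian), 1 otherwise.
check_mode_600() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Run as: ETC_DIR=/tmp/dryrun sh secrets.sh alice bob   (or as root with no ETC_DIR)
if [ $# -ge 1 ]; then
    write_secrets "$@"
fi
```

Re-running the script replaces both files, so existing users must be passed again; the printed PSK and passwords are the only copy, so hand them to the clients immediately.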

Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

Clients get addresses from 10.1.10.0/24 (the xl2tpd ip range), so NAT only that source rather than masquerading everything the host forwards. To apply immediately:

iptables --table nat --append POSTROUTING --source 10.1.10.0/24 --jump MASQUERADE

To apply on every boot, add the same rule to /etc/rc.local. Debian's default rc.local ends with "exit 0", so the rule has to go before that line rather than be appended after it:

sed -i '/^exit 0$/i iptables --table nat --append POSTROUTING --source 10.1.10.0/24 --jump MASQUERADE' /etc/rc.local

NOTE: This only adds NAT; nothing here filters inbound traffic. In particular xl2tpd listens on UDP 1701 with access control off, so it will accept an unencrypted L2TP session from anyone unless a firewall rule requires UDP 1701 to arrive inside IPsec.
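The NAT rule above is all the original guide configures. The script below is an added example, not part of the gist, of the ruleset a practitioner would want on this host: IKE (UDP 500), NAT-T (UDP 4500) and ESP are admitted in the clear, UDP 1701 is accepted only when the packet was decapsulated from an IPsec SA (iptables' policy match), and forwarding and MASQUERADE are limited to the VPN pool. It assumes the pool 10.1.10.0/24 from xl2tpd.conf, a public interface named eth0, and pppd interfaces named ppp+; all three are overridable assumptions. It generates the rules as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not part of the original gist: generate (and optionally apply)
# a filter and NAT ruleset for the L2TP/IPsec host. Assumptions, all overridable:
# the VPN pool from xl2tpd.conf, a public interface called eth0, ppp+ interfaces.
VPN_POOL="${VPN_POOL:-10.1.10.0/24}"
WAN_IF="${WAN_IF:-eth0}"
PPP_IF="${PPP_IF:-ppp+}"

# Emit one iptables command per line. Nothing is executed here, so the output
# can be reviewed or diffed before it touches a live host. Chain policies are
# left alone on purpose: set INPUT to DROP only once SSH is confirmed reachable.
vpn_rules() {
    cat <<EOF
# Established flows and loopback
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# IKE, NAT-T and ESP are the only VPN traffic allowed in the clear
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
# L2TP (UDP 1701) is accepted only when the packet was decapsulated from an
# IPsec SA; otherwise a peer could speak plaintext L2TP straight to xl2tpd
iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -j DROP
# Forward and NAT only what arrives from the VPN pool over the ppp interfaces
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PPP_IF -s $VPN_POOL -o $WAN_IF -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
EOF
}

# Number of rules that would be installed; useful as a sanity check in scripts.
vpn_rule_count() {
    vpn_rules | grep -c '^iptables '
}

# Apply the generated rules on the live host (needs root). Rules are appended,
# so flush the chains or dedupe first if this is re-run.
vpn_apply() {
    vpn_rules | sh -e
}

# Run as: sh vpn-fw.sh          (print the rules)
#         sh vpn-fw.sh apply    (install them)
case "${1:-}" in
    apply) vpn_apply ;;
    *) vpn_rules ;;
esac
```

The policy match is the security-relevant line: without it, xl2tpd's UDP 1701 listener is reachable from the Internet in the clear, and the IPsec layer that the whole design relies on can simply be skipped. The FORWARD DROP at the end assumes this host forwards nothing but VPN traffic; remove it if it also routes for other networks.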

@rwb196884

Can't get this to work with Mac, Windows, or Android clients. All show the same in the syslog:

...
Aug  6 09:08:59 mini31 xl2tpd[12270]: get_call: allocating new tunnel for host 192.168.0.7, port 60075.
Aug  6 09:08:59 mini31 xl2tpd[12270]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Aug  6 09:08:59 mini31 xl2tpd[12270]: protocol_version_avp: peer is using version 1, revision 0.
Aug  6 09:08:59 mini31 xl2tpd[12270]: framing_caps_avp: supported peer frames: async sync
Aug  6 09:08:59 mini31 xl2tpd[12270]: hostname_avp: peer reports hostname 'macbook'
Aug  6 09:08:59 mini31 xl2tpd[12270]: assigned_tunnel_avp: using peer's tunnel 27
Aug  6 09:08:59 mini31 xl2tpd[12270]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
Aug  6 09:08:59 mini31 xl2tpd[12270]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 27, call is 0.
Aug  6 09:08:59 mini31 xl2tpd[12270]: control_finish: Peer requested tunnel 27 twice, ignoring second one.
Aug  6 09:08:59 mini31 xl2tpd[12270]: build_fdset: closing down tunnel 42061
Aug  6 09:08:59 mini31 xl2tpd[12270]: network_thread: select timeout with max retries: 5 for tunnel: 23913
Aug  6 09:09:03 mini31 xl2tpd[12270]: network_thread: recv packet from 192.168.0.7, size = 68, tunnel = 0, call = 0 ref=0 refhim=0
Aug  6 09:09:03 mini31 xl2tpd[12270]: get_call: allocating new tunnel for host 192.168.0.7, port 60075.
Aug  6 09:09:03 mini31 xl2tpd[12270]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Aug  6 09:09:03 mini31 xl2tpd[12270]: protocol_version_avp: peer is using version 1, revision 0.
Aug  6 09:09:03 mini31 xl2tpd[12270]: framing_caps_avp: supported peer frames: async sync
Aug  6 09:09:03 mini31 xl2tpd[12270]: hostname_avp: peer reports hostname 'macbook'
Aug  6 09:09:03 mini31 xl2tpd[12270]: assigned_tunnel_avp: using peer's tunnel 27
Aug  6 09:09:03 mini31 xl2tpd[12270]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
Aug  6 09:09:03 mini31 xl2tpd[12270]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 27, call is 0.
Aug  6 09:09:03 mini31 xl2tpd[12270]: control_finish: Peer requested tunnel 27 twice, ignoring second one.
Aug  6 09:09:03 mini31 xl2tpd[12270]: build_fdset: closing down tunnel 17913
Aug  6 09:09:04 mini31 charon: 12[NET] received packet: from 192.168.0.7[500] to 192.168.0.31[500] (76 bytes)
Aug  6 09:09:04 mini31 charon: 12[ENC] parsed INFORMATIONAL_V1 request 4192958371 [ HASH D ]
Aug  6 09:09:04 mini31 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 0bbf9603
Aug  6 09:09:04 mini31 charon: 12[IKE] closing CHILD_SA wep-ap{2} with SPIs c84bba15_i (532 bytes) 0bbf9603_o (0 bytes) and TS 192.168.0.31/32[udp/l2f] === 192.168.0.7/32[udp/60075]
Aug  6 09:09:04 mini31 charon: 07[NET] received packet: from 192.168.0.7[500] to 192.168.0.31[500] (92 bytes)
Aug  6 09:09:04 mini31 charon: 07[ENC] parsed INFORMATIONAL_V1 request 2200503579 [ HASH D ]
Aug  6 09:09:04 mini31 charon: 07[IKE] received DELETE for IKE_SA wep-ap[2]
Aug  6 09:09:04 mini31 charon: 07[IKE] deleting IKE_SA wep-ap[2] between 192.168.0.31[192.168.0.31]...192.168.0.7[192.168.0.7]
