xL2TPd on Arch Linux and Ubuntu.

I have rented a VPS for the first time from a provider called MiniVPS and built an L2TP tunnel between my Arch Linux machine and the Ubuntu VPS.
Unfortunately, the available distros were CentOS, Fedora and Ubuntu, and I had to go with Ubuntu since it had the latest kernel among them.
However, I'm not sure whether it is an OpenVZ limitation or not, but there were no l2tp kernel modules available, which I believe improve l2tp
performance.

So far, my experience with MiniVPS is not too good, but not bad either.
Speedtest results on average were as below, and bandwidth differs
a lot from time to time.
I measured the speed while on the l2tp tunnel and also over ssh dynamic port forwarding.

Ping response: 250ms
Download: 1Mbps ~ 15Mbps
Upload: 1Mbps

Other than bandwidth, I am very satisfied. OS reinstallation finishes in less than 10 minutes,
and you can change distributions among Fedora, Ubuntu and CentOS at any time.
A serial console is always available in case of an accident.

Here is a note on how to set up L2TP without IPsec.

0. Networking.

# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# To make it permanent, add the following line to /etc/sysctl.d/40-ip-forward.conf
vim /etc/sysctl.d/40-ip-forward.conf
net.ipv4.ip_forward=1
# If you need to use the internet via the VPS, enable NAPT by running:
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

# You also need to open UDP port 1701 if you are behind a firewall.

1. Install xl2tpd from the repository.

# For Ubuntu
sudo apt-get install xl2tpd
## The installed version was xl2tpd-1.3.6; it was not compiled with kernel support.
# For Arch
pacman -S xl2tpd
## The installed version was xl2tpd-1.3.6-1

2. Server side settings (Ubuntu)
Edit the main configuration of xl2tpd:
vim /etc/xl2tpd/xl2tpd.conf


[global]
access control = yes
auth file = /etc/ppp/chap-secrets
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lns "name of your preference"]
require chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
require pap = no
assign ip = yes
hostname = hostname # Can be any, i just put hostname of the server machine
ip range = 10.0.0.10 - 10.0.0.20 # IP address range for a tunnel
local ip = 10.0.0.1 # IP address for a tunnel interface (ppp0)
challenge = no
lac = 1.2.3.4 # IP address of client (likely to be global address)
require authentication = no
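
The NAT rule in step 0 masquerades every packet that leaves the VPS, and nothing so far limits who may reach UDP 1701, even though the config above already names the one client (lac) and the tunnel's address pool (ip range). As an added example, not from the original post, the script below reads those two values from the server's xl2tpd.conf and turns them into narrower iptables rules: UDP 1701 accepted only from the configured LAC, and MASQUERADE applied only to the tunnel pool on the way out of the WAN interface (the iprange match of iptables). The interface name eth0, the constructed config fragment and the addresses in it are placeholders; by default the commands are only printed, DRY_RUN=0 runs them.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the server's firewall
# rules from the values already in xl2tpd.conf, so that UDP 1701 is open only
# to the configured LAC and MASQUERADE covers only the tunnel's "ip range"
# instead of every packet leaving the box. The outbound interface name (eth0)
# and the addresses in the constructed config are placeholders; DRY_RUN=0
# executes the rules instead of printing them.
DRY_RUN=${DRY_RUN:-1}

# conf_value FILE KEY -> value of the first "KEY = value" line, comment stripped
conf_value() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k {
            v = $2
            sub(/[ \t]*#.*/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }
    ' "$1"
}

# firewall_rules CONF WAN_IFACE -> prints the iptables commands, one per line
firewall_rules() {
    conf=$1; wan=$2
    client=$(conf_value "$conf" lac)
    range=$(conf_value "$conf" "ip range" | tr -d ' ')
    if [ -z "$client" ] || [ -z "$range" ]; then
        echo "lac or ip range not set in $conf" >&2
        return 1
    fi
    # Only the configured LAC may reach the L2TP port.
    echo "iptables -A INPUT -p udp --dport 1701 -s $client -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 1701 -j DROP"
    # NAT only the tunnel address pool, and only on the way out of the WAN interface.
    echo "iptables -t nat -A POSTROUTING -m iprange --src-range $range -o $wan -j MASQUERADE"
}

# apply_rules CONF WAN_IFACE -> print (DRY_RUN=1) or execute each rule
apply_rules() {
    firewall_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else sh -c "$cmd"; fi
    done
}

# Constructed xl2tpd.conf fragment (TEST-NET address, not a real client).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/xl2tpd.conf" <<'EOF'
[global]
access control = yes
[lns default]
ip range = 10.0.0.10 - 10.0.0.20
local ip = 10.0.0.1
lac = 203.0.113.7   # client address, placeholder
EOF
apply_rules "$tmp/xl2tpd.conf" eth0
```

The DROP for UDP 1701 is appended, so it only has an effect if no earlier rule in INPUT already accepts everything; check the chain order with iptables -L INPUT -n before relying on it.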

Edit /etc/ppp/chap-secrets and add a username and password for CHAP authentication.
Make sure to chmod 600 /etc/ppp/chap-secrets


# client server secret IP addresses
username * password *

Create /etc/ppp/options.l2tpd to control pppd


ipcp-accept-local
ipcp-accept-remote
mtu 1410
mru 1410
ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name username # username for chap authentication
proxyarp
lcp-echo-interval 10
lcp-echo-failure 100
connect-delay 5000

3. Client side (Arch Linux)
Edit the main configuration of xl2tpd:
vim /etc/xl2tpd/xl2tpd.conf

[global]
access control = no
auth file = /etc/ppp/chap-secrets
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lac "lns name you specified on the server"]
lns = "LNS IP address (likely to be the global address)"
redial = yes
redial timeout = 5
require chap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
require pap = no
autodial = yes
name = "username for chap authentication"

Edit /etc/ppp/chap-secrets and add a username and password for CHAP authentication.
Make sure to chmod 600 /etc/ppp/chap-secrets


# client server secret IP addresses
username * password *
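
Both chap-secrets files above (server and client) hold the CHAP password in clear text, which is why the post insists on chmod 600 each time. As an added example, not part of the original post, this script checks a chap-secrets file before xl2tpd is started: it refuses a file whose mode is not 0600 and a file that has no entry with a secret for the expected peer name. The sample contents, the user alice and the secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a chap-secrets
# file before starting xl2tpd. A world-readable file leaks the CHAP password,
# and a file without an entry for the peer makes the connection fail late.
# Usernames and secrets below are constructed placeholders.

# file_mode FILE -> octal permission bits (GNU stat, with a BSD fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_chap_secrets FILE USERNAME -> 0 if the file is usable, 1 otherwise
check_chap_secrets() {
    file=$1
    user=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(file_mode "$file")
    if [ "$mode" != "600" ]; then
        echo "$file is mode $mode, expected 600 (chmod 600 $file)" >&2
        return 1
    fi
    # Fields are: client server secret [ip-addresses]; '#' starts a comment.
    if ! awk -v u="$user" '
            /^[[:space:]]*#/ || NF == 0 { next }
            $1 == u && $3 != "" { found = 1 }
            END { exit found ? 0 : 1 }
        ' "$file"; then
        echo "no entry with a secret for \"$user\" in $file" >&2
        return 1
    fi
    return 0
}

# Constructed sample files in a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
good="$tmp/chap-secrets"
printf '# client\tserver\tsecret\tIP addresses\nalice\t*\ts3cret-placeholder\t*\n' > "$good"
chmod 600 "$good"
loose="$tmp/chap-secrets.loose"
cp "$good" "$loose"
chmod 644 "$loose"

check_chap_secrets "$good" alice && echo "ok: $good"
check_chap_secrets "$loose" alice || echo "refused: $loose"
```

Run it against the real file as check_chap_secrets /etc/ppp/chap-secrets "$USERNAME" from whatever starts xl2tpd, and only start the daemon when it returns 0.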

Create /etc/ppp/options.l2tpd to control pppd
vim /etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "username for chap auth"
password "password for chap auth"

4. Start the daemon. Run the command below on both the client and the server, then change the routing to your liking.

sudo xl2tpd -D
# For split tunneling
ip route add "desired destination ip address" via "ppp peer ip address" dev ppp0
# To route all traffic.
sudo ip route add "Global IP address of your server/32" via 192.168.0.1 dev enp0s25
sudo ip route del default via 192.168.0.1 dev enp0s25
sudo ip route add default via 10.0.0.1 dev ppp0
# Do not forget to re-add your default gateway after terminating the session.
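
The "route all traffic" change in step 4 is easy to get wrong in the other direction: once the default route has been moved into ppp0 and the session ends, the old gateway has to be put back by hand. As an added example, not from the original post, the script below parses the gateway and interface out of one line of ip route show default, saves them, emits the three route commands in the order the post gives them (the server pinned to the old gateway first, so that the tunnel's own UDP packets are never routed into the tunnel), and emits the reverse for afterwards. The sample route line, the server address 198.51.100.9 and the peer address 10.0.0.1 are constructed placeholders; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the original post: plan the "route all traffic"
# switch so that the old default gateway is recorded and can be restored after
# the session. The sample `ip route` line and the addresses 198.51.100.9
# (server) and 10.0.0.1 (ppp peer) are constructed placeholders; with DRY_RUN=0
# the commands are executed (as root) instead of printed.
DRY_RUN=${DRY_RUN:-1}

# parse_default_route LINE -> prints "GATEWAY IFACE" taken from one line of
# `ip route show default`, e.g. "default via 192.168.0.1 dev enp0s25 proto dhcp"
parse_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (gw != "" && dev != "") print gw, dev
    }'
}

# plan_full_tunnel SERVER_IP PEER_IP "GATEWAY IFACE" -> the commands, in order
plan_full_tunnel() {
    server=$1; peer=$2; gw=${3% *}; dev=${3#* }
    # Pin the L2TP server itself to the old gateway first, otherwise the
    # tunnel's own UDP packets would be routed into the tunnel.
    echo "ip route add $server/32 via $gw dev $dev"
    echo "ip route del default via $gw dev $dev"
    echo "ip route add default via $peer dev ppp0"
}

# plan_restore SERVER_IP "GATEWAY IFACE" -> undo after xl2tpd has stopped
# (routes on ppp0 disappear with the interface, so only these two remain)
plan_restore() {
    server=$1; gw=${2% *}; dev=${2#* }
    echo "ip route add default via $gw dev $dev"
    echo "ip route del $server/32 via $gw dev $dev"
}

# run_plan: print (DRY_RUN=1) or execute each command read on stdin
run_plan() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else sh -c "$cmd"; fi
    done
}

state=$(mktemp)
trap 'rm -f "$state"' EXIT
# Constructed sample; a real run would use: parse_default_route "$(ip route show default)"
sample='default via 192.168.0.1 dev enp0s25 proto dhcp metric 100'
parse_default_route "$sample" > "$state"
plan_full_tunnel 198.51.100.9 10.0.0.1 "$(cat "$state")" | run_plan
echo "--- after the session ---"
plan_restore 198.51.100.9 "$(cat "$state")" | run_plan
```

Keep the state file somewhere persistent (not mktemp) if the restore is meant to survive a reboot or a second shell; the point of saving the parsed gateway is that the restore does not depend on remembering it.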

5. That's all. This is a pure L2TP tunnel, so there is no encryption involved.
People who need security should consider running L2TP over IPsec, or using OpenVPN.
If you are as paranoid about performance as I am, this is probably one of the best solutions.
