How to setup L2TP VPN server on Raspberry Pi?

Learn to use your Raspberry Pi as an L2TP VPN Server

Posted by Amritpal Singh on October 20, 2017

In this tutorial you will learn how to set up an L2TP (Layer 2 Tunneling Protocol) VPN server on your Raspberry Pi.

Reasons to consider installing an L2TP VPN server rather than a PPTP one:

  1. It is more secure (the L2TP tunnel itself is protected by IPsec)
  2. It is very easy to set up
  3. Most mobile devices support it out of the box, without installing additional software

In addition, running it on a low-cost, low-power Raspberry Pi is much cheaper than buying a VPN router or paying for a monthly subscription.

Tutorial overview

  1. Router configuration
  2. Install openswan (for IPsec), xl2tpd (L2TP) and ppp
  3. Configure

Router configuration

  1. Assign static IP address to your Raspberry Pi
  2. On your router's firewall, open ports 1701 TCP, 4500 UDP and 500 UDP and forward them to the Raspberry Pi's IP address

I have Verizon FIOS; I was able to go into my router configuration at http://192.168.1.1 and make the above changes.

Scenario

My Raspberry Pi's IP address: 192.168.1.19
My router's gateway address: 192.168.1.1

Run commands as super user or root:

sudo passwd
su

Update system and install packages

apt-get update
apt-get install openswan xl2tpd ppp lsof

The openswan installation might ask you some questions; this tutorial works with the default answers, so just press Enter through them.
Once you have successfully installed the above packages, run the commands below one by one.

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

Edit /etc/rc.local

nano /etc/rc.local

Add the following lines to rc.local, above its final exit 0 line, so that the settings are re-applied at every boot:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE

Rename /etc/ipsec.conf to /etc/ipsec.conf.old

mv /etc/ipsec.conf /etc/ipsec.conf.old

Edit /etc/ipsec.conf

nano /etc/ipsec.conf

Replace the contents of the file with:

version 2.0
config setup

        nat_traversal=yes
        protostack=netkey
        virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.25$
        oe=off

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.19
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
        #force all to be nat'ed. because of ios
        forceencaps=yes
# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=192.168.1.19
        leftnexthop=192.168.1.1
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

Edit file /etc/ipsec.secrets

nano /etc/ipsec.secrets

Add the pre-shared key (PSK), replacing TESTSECRET with a long random secret of your own:

192.168.1.19 %any: PSK "TESTSECRET"

Edit file /etc/xl2tpd/xl2tpd.conf

nano /etc/xl2tpd/xl2tpd.conf

Paste the following:

[global]
ipsec saref = yes
listen-addr = 192.168.1.19
[lns default]
ip range = 192.168.1.201-192.168.1.250
local ip = 192.168.1.19
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = linkVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Edit file /etc/ppp/options.xl2tpd

nano /etc/ppp/options.xl2tpd

Paste the following code:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
idle 1800
mtu 1200
mru 1200
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nodefaultroute
connect-delay 5000

Edit /etc/ppp/chap-secrets

nano /etc/ppp/chap-secrets

Paste the following, changing USERNAME and PASSWORD to the credentials you prefer:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
USERNAME    *       PASSWORD        *

Add the service to bootup

update-rc.d -f ipsec remove
update-rc.d ipsec defaults

Now restart services

/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart

If everything went right, you should have a working VPN server right now.
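Before (or after) restarting the services, it is worth checking that the three files edited above agree with each other. The POSIX sh script below is an added example, not part of the original tutorial; the function names are mine, and it assumes the file layouts shown on this page (left= in ipsec.conf, an "ADDR %any: PSK" line in ipsec.secrets, and listen-addr / local ip / ip range in xl2tpd.conf).

```shell
#!/bin/sh
# Added example (not from the original tutorial): consistency checks over the
# three files edited above, run before restarting ipsec and xl2tpd.
# Usage: sh l2tp-check.sh /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf

# First value of KEY in FILE; handles "key=value" (ipsec.conf) and
# "key = value" (xl2tpd.conf). A longer key such as leftprotoport does not match.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Address and secret from the 'ADDR %any: PSK "..."' line of ipsec.secrets.
psk_addr()  { sed -n 's/^\([0-9.]*\)[[:space:]]*%any:[[:space:]]*PSK.*/\1/p' "$1" | head -n 1; }
psk_value() { sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Dotted quad to an integer so addresses can be compared numerically.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True when ADDR lies inside an xl2tpd "first-last" client pool.
in_range() {  # in_range ADDR RANGE
    a=$(ip2int "$1"); lo=$(ip2int "${2%-*}"); hi=$(ip2int "${2#*-}")
    [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# Returns 0 when all checks pass, 1 otherwise, printing one line per problem.
check_l2tp_config() {  # check_l2tp_config IPSEC_CONF IPSEC_SECRETS XL2TPD_CONF
    left=$(conf_value "$1" left)
    listen=$(conf_value "$3" listen-addr)
    local_ip=$(conf_value "$3" "local ip")
    range=$(conf_value "$3" "ip range")
    rc=0
    if [ -z "$left" ] || [ "$left" != "$listen" ] || [ "$left" != "$local_ip" ]; then
        echo "address mismatch: left=$left listen-addr=$listen local ip=$local_ip"; rc=1
    fi
    if [ "$(psk_addr "$2")" != "$left" ]; then
        echo "ipsec.secrets PSK line is not bound to $left"; rc=1
    fi
    case "$(psk_value "$2")" in
        ""|TESTSECRET) echo "PSK is empty or still the tutorial placeholder"; rc=1 ;;
    esac
    if [ -n "$left" ] && [ -n "$range" ] && in_range "$left" "$range"; then
        echo "server address $left lies inside the client pool $range"; rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then check_l2tp_config "$@"; fi
```

A non-zero exit with no output means the files could not be read; otherwise each printed line names one thing to fix before restarting xl2tpd and ipsec.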

References

This tutorial is based on the articles below:

https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_12.04.html
http://www.raspberrypi.org/phpBB3/viewtopic.php?t=31541
http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu
http://www.cryptocracy.com/blog/2012/05/13/ipsec-slash-l2tp-vpn-server-with-ubuntu-precise
http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

