Chapter Three Part Three Section Two: How To Build A L2TP VPN


How to build an L2TP VPN

To build an L2TP/IPSec VPN, follow these six steps:

1. Install OpenSwan

Enter the following command lines one by one:

aptitude install build-essential

aptitude install libgmp3-dev gawk flex bison

wget http://www.openswan.org/download/openswan-2.6.35.tar.gz

tar xzvf openswan-2.6.35.tar.gz

cd openswan-2.6.35

make programs

make install

Remember to press the "Return" key after entering each of the above lines.

By the way, 2.6.35 was the latest version at the time of my test; check the OpenSwan website for a newer version, and if there is one, use it instead.

2. Edit IPSec

Firstly, open the ipsec.conf file with the following command:

vi /etc/ipsec.conf

Delete all the existing contents, and paste the following ones:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.VPS.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Remember to change YOUR.VPS.IP.ADDRESS to your VPS IP address, for example 178.18.17.30, the address used in this tutorial.

Secondly, open the ipsec.secrets file with the following command:

vi /etc/ipsec.secrets

And insert the following content:

YOUR.VPS.IP.ADDRESS %any: PSK "YourSharedSecret"

For example:

178.18.17.30 %any: PSK "123456abcdef"

Thirdly, enter the following command lines one by one:

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

Remember to press the "Return" key after every command line.

Fourthly, restart IPSEC with the following command:

service ipsec restart

3. Install L2TP

Go back to the root directory, and install the L2TP package with the following command line:

aptitude install xl2tpd

After installation, open the configuration file with the following command:

vi /etc/xl2tpd/xl2tpd.conf

Delete all the existing content and paste the following:

[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. Set up xl2tpd

Enter the following command:

vi /etc/ppp/options.xl2tpd

Then insert the following options:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

After that, open the chap-secrets file:

vi /etc/ppp/chap-secrets

And insert the following content:

username l2tpd password *

For example:

freenuts l2tpd 123456 *

Then, restart L2TP:

service xl2tpd restart

5. IP forward

Enter the following command:

vi /etc/sysctl.conf

Press the "Return" key, find the line of "#net.ipv4.ip_forward=1" and uncomment it.

After that, enter the following command:

sysctl -p

Press the "Return" key; if everything is right, the only line printed will be "net.ipv4.ip_forward=1".

After that, enter the following command:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

6. For reboot

Now you can connect to your L2TP/IPSec VPN. However, if you reboot your VPS, the forwarding settings above will be lost. To avoid this, enter the following command:

vi /etc/rc.local

Press the "Return" key and paste the following contents before the "exit 0" line:

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
/etc/init.d/ipsec restart

Save it, then you are done.
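As an added example (not part of the original tutorial), the following sh script checks the files edited above against each other before the services are restarted: the address placeholder must have been replaced, the IP in ipsec.secrets must match left= in ipsec.conf, and the server field in chap-secrets must match the "name" option in options.xl2tpd (a mismatch there is a common reason CHAP authentication fails). The sample files it writes to a temp directory are constructed copies of the tutorial's values, so it can be tried without touching the live server.

```shell
#!/bin/sh
# Added example: consistency checks for the L2TP/IPSec config files.
set -u

# Fail if the tutorial's placeholder was never replaced.
check_placeholder() {            # $1 = path to ipsec.conf
    ! grep -q 'YOUR\.VPS\.IP\.ADDRESS' "$1"
}

# The IP at the start of the PSK line must equal left= in ipsec.conf.
check_psk_ip() {                 # $1 = ipsec.conf, $2 = ipsec.secrets
    left=$(sed -n 's/^[[:space:]]*left=//p' "$1" | head -n 1)
    [ -n "$left" ] && grep -q "^$left[[:space:]]*%any:[[:space:]]*PSK" "$2"
}

# The second field of a chap-secrets entry must equal "name" in options.xl2tpd.
check_chap_server() {            # $1 = options.xl2tpd, $2 = chap-secrets
    srv=$(sed -n 's/^name[[:space:]]\{1,\}//p' "$1" | head -n 1)
    [ -n "$srv" ] &&
    awk -v s="$srv" '$1 !~ /^#/ && $2 == s { ok = 1 } END { exit ok ? 0 : 1 }' "$2"
}

# Run all three checks over one directory holding the four files.
run_all() {                      # $1 = directory
    check_placeholder "$1/ipsec.conf" &&
    check_psk_ip "$1/ipsec.conf" "$1/ipsec.secrets" &&
    check_chap_server "$1/options.xl2tpd" "$1/chap-secrets"
}

# Constructed sample files mirroring the tutorial's example values
# (178.18.17.30 is the tutorial's example address, not a real server).
T=$(mktemp -d)
printf 'conn L2TP-PSK-noNAT\n    left=178.18.17.30\n    right=%%any\n' > "$T/ipsec.conf"
printf '178.18.17.30 %%any: PSK "123456abcdef"\n' > "$T/ipsec.secrets"
printf 'require-mschap-v2\nname l2tpd\n' > "$T/options.xl2tpd"
printf '# client server secret IP\nfreenuts l2tpd 123456 *\n' > "$T/chap-secrets"
# Broken variants: placeholder left in place, server name misspelled.
printf 'conn L2TP-PSK-noNAT\n    left=YOUR.VPS.IP.ADDRESS\n' > "$T/bad.conf"
printf 'freenuts l2tp 123456 *\n' > "$T/bad-chap"

run_all "$T" && echo "config consistency checks passed"
```

Point the functions at /etc/ipsec.conf, /etc/ipsec.secrets, /etc/ppp/options.xl2tpd and /etc/ppp/chap-secrets to check the real files.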
