L2TP VPN Server

In L2TP VPN server setups, all sessions in a tunnel carry PPP.

When configured as an L2TP VPN server, prol2tpd is used to set up L2TP tunnels and sessions in order to receive data from clients. propppd is used to terminate PPP in those sessions.

When L2TP sessions are created and destroyed in L2TP tunnels, prol2tpd uses APIs of propppd to create and destroy PPP instances. If a PPP connection is terminated, perhaps because the PPP peer disconnects or fails to authenticate, prol2tpd closes the corresponding L2TP session automatically.

Required ProL2TP packages

Install prol2tp and proppp packages.

IPSec

ProL2TP can be used with any Linux IPSec components. We recommend strongswan.

The most difficult part of getting L2TP/IPSec VPNs to work is the configuration of IPSec. If you haven’t configured IPSec on Linux before, we suggest that you first set up IPSec to protect a simple UDP connection between two Linux systems. The IPSec setup for L2TP will be very similar, with rules to match UDP port 1701 (L2TP).

Configuration

When ProL2TP is used as an L2TP VPN server, PPP connections are usually authenticated by RADIUS, and IP addresses are assigned from an IP pool managed by RADIUS.

In this example, it is assumed that a RADIUS server already exists and is configured to authenticate PPP users and assign IP addresses. If you don’t already have a RADIUS server, refer to the RADIUS section.

File            Use
prol2tpd.conf   Server prol2tp config file (/etc/prol2tp/prol2tpd.conf)
propppd.conf    Server proppp config file (/etc/prol2tp/propppd.conf)

The referenced sample config files are annotated to explain the parameters used.

propppd.conf

propppd.conf sets PPP options such as allowed auth protocols. The config also calls out the RADIUS server(s) to be used.

prol2tpd.conf

prol2tpd.conf sets options to allow connections from any L2TP VPN peer. Tunnel authentication is handled by IPSec and each VPN user is authenticated by RADIUS.

For more details of all config options available, refer to the propppd.conf man page and prol2tpd.conf man page.

Firewall

The VPN server should be configured with firewall rules to prevent L2TP connections that aren’t using IPSec. prol2tpd listens on UDP port 1701 and doesn’t care whether the packet arrived from the peer encrypted by IPSec or not. When IPSec is used, the Linux kernel takes care of encrypting or decrypting each packet for us. Therefore, if the VPN server should reject L2TP connections that don’t use IPSec, a firewall must be configured to block them.

Any firewall in the path to the VPN client must be configured to allow UDP ports 500 and 4500 (IPSec).

The following rules show one approach, using iptables.

#!/bin/sh
# local interface used for VPN traffic
VPNSRV_IFNAME=eth3
# protected network accessed by VPN clients
VPNSRV_TEST_NET=10.44.0.0/16

# Drop cleartext L2TP first, ahead of the RELATED,ESTABLISHED accept below,
# so an unprotected packet cannot slip through on an existing conntrack entry
iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IKE (500) and NAT-T (4500) for IPSec
iptables -I INPUT 4 -p udp --dport 500 -j ACCEPT
iptables -I INPUT 5 -p udp --dport 4500 -j ACCEPT
# L2TP is accepted only when the kernel decrypted the packet under an IPSec policy
iptables -I INPUT 6 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 7 -p udp --dport 1701 -j DROP
# Forwarding between the VPN clients' ppp interfaces and the protected network
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i "$VPNSRV_IFNAME" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$VPNSRV_IFNAME" -j ACCEPT
# Traffic between VPN clients themselves
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$VPNSRV_TEST_NET" -d "$VPNSRV_TEST_NET" -j ACCEPT
# Uncomment if you wish to disallow traffic between VPN clients themselves
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$VPNSRV_TEST_NET" -d "$VPNSRV_TEST_NET" -j DROP
# Everything else that is forwarded is dropped
iptables -A FORWARD -j DROP
# Uncomment to NAT VPN client traffic leaving via the local interface
# iptables -t nat -I POSTROUTING -s "$VPNSRV_TEST_NET" -o "$VPNSRV_IFNAME" -j MASQUERADE
# Persist the rule set
iptables-save > /etc/iptables.rules
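As an added check (example code written for this page, not part of ProL2TP), the following Python script audits an iptables-save dump such as /etc/iptables.rules for the two properties the rules above depend on: the --pol none DROP precedes the RELATED,ESTABLISHED ACCEPT, and no rule accepts UDP 1701 without --pol ipsec. The sample dumps are constructed inline; a misordered variant shows what the audit reports.

```python
import re

# Constructed sample in iptables-save format mirroring the rules above
# (not a dump from any real host).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
COMMIT
"""

# Constructed misordered variant: the ESTABLISHED accept comes before the
# --pol none DROP, and a later rule accepts UDP 1701 regardless of IPsec.
DROP_NONE = "-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP\n"
EST_ACCEPT = "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
WEAK_RULES = (SAMPLE_RULES.replace(DROP_NONE, "")
              .replace(EST_ACCEPT, EST_ACCEPT + DROP_NONE)
              .replace("-m policy --dir in --pol ipsec -j ACCEPT", "-j ACCEPT"))


def input_rules(dump):
    """Return the INPUT chain rules of an iptables-save dump, in order."""
    return [line for line in dump.splitlines() if line.startswith("-A INPUT ")]


def audit_l2tp_rules(dump):
    """Return a list of findings (empty means the policy holds): cleartext L2TP
    must be dropped before any RELATED,ESTABLISHED accept, and every ACCEPT for
    UDP 1701 must require --pol ipsec."""
    findings = []
    rules = input_rules(dump)
    drop_none_idx = None
    for i, r in enumerate(rules):
        is_l2tp = "-p udp" in r and re.search(r"--dport 1701\b", r)
        if is_l2tp and "--pol none" in r and r.endswith("-j DROP"):
            if drop_none_idx is None:
                drop_none_idx = i
        if is_l2tp and r.endswith("-j ACCEPT") and "--pol ipsec" not in r:
            findings.append("rule %d accepts UDP 1701 without requiring IPsec" % (i + 1))
    if drop_none_idx is None:
        findings.append("no rule drops UDP 1701 with --pol none")
        return findings
    for i, r in enumerate(rules[:drop_none_idx]):
        if "ESTABLISHED" in r and r.endswith("-j ACCEPT"):
            findings.append("rule %d (RELATED,ESTABLISHED accept) precedes the --pol none DROP" % (i + 1))
    return findings
```

Run it against a real dump with `audit_l2tp_rules(open("/etc/iptables.rules").read())`; an empty list means the cleartext-L2TP block is in place and ordered correctly.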

RADIUS

If a RADIUS server is not already available, we recommend installing freeradius, which is available in most Linux distributions.

If your user database is in an LDAP server, a RADIUS server may be configured to proxy auth requests to LDAP. Please refer to freeradius documentation for how to do so.

The config file layout of freeradius is quite complex and differs significantly between freeradius versions 2 and 3. It should be configured with PPP users and passwords, assigning IP addresses from an IP address pool.

FreeRADIUS 2

Config files are located under /etc/freeradius/.

  • Disable RADIUS proxy: edit radiusd.conf and set proxy_requests to no.

  • Set IP addresses in an IP address pool: edit modules/ippool and set range-start / range-stop in the main_pool definition.

  • Enable the IP address pool: edit sites-available/default and uncomment main_pool.

  • Add users: edit users and add entries for each user like the example below.

    DEFAULT Pool-Name := "main_pool"
         Fall-Through = Yes
    u1@example.com Cleartext-Password := "u1_pass"
         Framed-Protocol == PPP

FreeRADIUS 3

Config files are located under /etc/freeradius/3.0/.

  • Disable RADIUS proxy: edit radiusd.conf and set proxy_requests to no.

  • Set IP addresses in an IP address pool: edit mods-available/ippool and set range-start / range-stop in the main_pool definition.

  • Enable the IP address pool: edit sites-available/default and uncomment main_pool.

  • Add users: edit mods-config/files/authorize and add entries for each user like the example below.

    DEFAULT Pool-Name := "main_pool"
         Fall-Through = Yes
    u1@example.com Cleartext-Password := "u1_pass"
         Framed-Protocol == PPP

You are reading the manual of ProL2TP: enterprise class L2TP software for Linux systems
