L2TP VPN using rp-l2tpd


As I wrote in my earlier post, I configured the L2TP tunnel using the xl2tpd and rp-l2tpd applications. But the primary application, xl2tpd, has a lot of bugs and I was frustrated by its problems. Finally I used rp-l2tpd only to build the L2TP VPN server. Thanks to the project administrator of this application; it is an almost bug-free L2TP VPN application and also very easy to configure (especially for my case).

Kernel Requirement of rp-l2tpd

ppp_generic: kernel config -> Network device support -> PPP (point-to-point protocol) support
ppp_synctty: kernel config -> Network device support -> PPP support for sync tty ports
slhc (optional): kernel config -> Network device support -> SLIP (serial line) support -> CSLIP compressed headers
n_hdlc: kernel config -> Character devices -> Non-standard serial port support -> HDLC line discipline support

Use the modprobe command to load the above modules:

modprobe ppp_generic
modprobe ppp_synctty
modprobe n_hdlc

If the modules cannot be loaded on your system, recompile and install your kernel with those modules enabled.

To load those modules at startup, add the above commands to /etc/rc.local, or see this link http://www.centos.org/modules/newbb/viewtopic.php?topic_id=15303&forum=37&post_id=53665 if you are using CentOS.

Prepare the rp-l2tpd Server

To configure the rp-l2tpd VPN server, we need a Linux system with at least two network interfaces. I use the CentOS 5 Linux operating system for my VPN installation. You can also use other Linux flavors, but avoid Fedora Core 8: its pppd has a bug that prevents it from accepting the connection from the client.

L2TP VPN

Activate IP forwarding on the server so that it can pass traffic from one interface to the other (from the ppp tunnel interface to the internal LAN interface). Use the following command to activate IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Downloading & Installing rp-l2tpd

You can download rp-l2tpd from http://sourceforge.net/projects/rp-l2tp/. To install it, follow this simple procedure.

./configure
make
make install

rp-l2tpd Server Configuration

To configure the rp-l2tpd server, you need to change the following files.

/etc/l2tp/l2tp.conf

/etc/ppp/options

/etc/ppp/chap-secrets

l2tp.conf

This file has the configuration of L2TP server parameters.

# Global section (by default, we start in global mode)
global

# Load handlers
load-handler sync-pppd.so
load-handler cmd.so

# Bind address
listen-port 1701

# Configure the sync-pppd handler.  You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd

# Use CHAP for ppp authentication. require-pap would also work, but avoid it.
lns-pppd-opts "require-chap 10.10.10.1: lcp-echo-interval 30 lcp-echo-failure 6"

# Peer section
section peer

# To accept any peer, use 0.0.0.0 with mask 0; otherwise specify the peer's static IP address.
peer 0.0.0.0
mask 0
port 1701
lac-handler sync-pppd
lns-handler sync-pppd
hide-avps yes

# Configure the cmd handler.  You MUST have a "section cmd" line
# even if you don't set any options.
section cmd

I don't know how we can use mschap-v2 in this configuration file; if anyone knows, please reply.

options

The /etc/ppp/options file is used to configure the pppd options.

ipcp-accept-local
ipcp-accept-remote
ms-dns 10.10.10.254
ms-wins 10.10.10.254
noccp
auth
crtscts
idle 1800
mtu 1600
mru 1410
defaultroute
debug
lock
proxyarp
connect-delay 5000

Please look at the man page of pppd for details on this file.

chap-secrets

Put your authentication credentials in the /etc/ppp/chap-secrets file.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"username"      "*"     "password"              "10.10.10.2"

The IP address field is the static IP address assigned to the remote end of the tunnel. You can also assign dynamic IP addresses by using a RADIUS server, the dhcp-pppd plugin, etc. The same chap-secrets file can be used if you are using the mschap protocol in the options file.
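As an added example (not part of the original post or of rp-l2tpd), here is a small shell script that checks a chap-secrets file before l2tpd is started: it refuses a file that other users can read (the secrets are stored in clear text) and flags entries with missing fields, a wildcard client name, or a static tunnel IP that is already assigned to another user. It assumes GNU stat and entries whose four fields contain no embedded whitespace.

```shell
#!/bin/sh
# Sanity checks for /etc/ppp/chap-secrets (added example, not rp-l2tpd code).
# Assumes GNU stat and one entry per line with four whitespace-separated
# fields: client, server, secret, IP address (quotes allowed, no inner spaces).

# The secrets are plain text, so only root may read the file.
check_secrets_perms() {
    f="$1"
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WARN: $f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Parse the entries; exit status 1 if any problem was found.
check_secrets_entries() {
    awk -v q="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            gsub("[\"" q "]", "")                    # strip surrounding quotes
            if (NF < 4) { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad++; next }
            if ($1 == "*") { printf "line %d: wildcard client name matches any user\n", NR; bad++ }
            if ($4 != "*" && ($4 in seen)) {
                printf "line %d: IP %s is already assigned to %s\n", NR, $4, seen[$4]; bad++
            }
            if ($4 != "*") seen[$4] = $1
            n++
        }
        END { printf "%d entries checked, %d problem(s)\n", n, bad; exit (bad > 0) }
    ' "$1"
}

# Usage: sh check-chap-secrets.sh /etc/ppp/chap-secrets
if [ -n "$1" ]; then
    check_secrets_perms "$1" && check_secrets_entries "$1"
fi
```

The client-side file from the section below, where the IP field is "*", passes the same checks because wildcard addresses are not compared for duplicates.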

Running rp-l2tpd

That's all for the server configuration. Now you can start the rp-l2tpd server with the following command.

l2tpd -f -d 65535

"-f" runs l2tpd in the foreground and "-d 65535" enables debug output at the highest level.

rp-l2tpd Client Configuration

The only change in the client configuration is in the l2tp.conf file. For the client, it looks something like this:

# Global section (by default, we start in global mode)
global

# Load handlers
load-handler sync-pppd.so
load-handler cmd.so

# Bind address
listen-port 1701

# Configure the sync-pppd handler.  You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd
lac-pppd-opts "user nameofuser noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30 lcp-echo-failure 6"

# Peer section to connect to the server
section peer

# Replace 51.52.53.54 with your VPN server IP address
peer 51.52.53.54
port 1701
lac-handler sync-pppd
hide-avps no

# Configure the cmd handler.  You MUST have a "section cmd" line
# even if you don't set any options.
section cmd

In the client's options file, use only the following entries.

lock
noauth

The user name used in the l2tp.conf file must be entered in the client's chap-secrets file.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"username"      "*"     "password"              "*"

Running L2TP Client

To run the rp-l2tpd client, first start the l2tpd service.

l2tpd -f -d 65535

Then set up the connection to your L2TP VPN server using the following command.

l2tp-control "start-session 51.52.53.54"

Once the L2TP session is connected, the ifconfig command will show a ppp0 interface.

Stopping L2TP Client

Use the following command to stop the L2TP client session.

l2tp-control stop-session "your-Tunnel-ID your-Session-LAC-ID"

To find your Tunnel-ID and Session-LAC-ID, use the following command.

l2tp-control "dump-sessions"

To stop all connected sessions, use the following command.

l2tp-control "exit"
  1. ParchdoXa
    April 18, 2010 at 5:30 pm | #1

    It is useful to try everything in practice anyway and I like that here it’s always possible to find something new. :)

  2. September 5, 2010 at 2:22 pm | #2

    This post is updated; I found some typos and corrected them. Now anyone can try this. It will work fine. :)

    If you find any problem, please write a comment.
    If you like it, please share it with others.

    Thanks for visiting.

  3. sriram
    October 16, 2010 at 7:36 pm | #3

    dear rahul

    Will rp-l2tp work on a CentOS VPS, or only on a dedicated server?

    sriram

  4. October 16, 2010 at 7:48 pm | #4

    It will work on any CentOS system with at least two Ethernet cards, one for the internal LAN and the other for public WAN connectivity.

    Best regards

    • kingmartindxb
      October 16, 2010 at 8:16 pm | #5

      Dear Rahul

      I mean, will it work on a Virtual Private Server? I have an IP phone but it only supports the standard L2TP protocol (without pre-shared key). Can I use rp-l2tp for this purpose?

      • October 17, 2010 at 12:15 am | #6

        I also used rp-l2tpd for the same purpose. :)
        To connect an IP phone which only supports L2TP without a PSK.
        You can also use this. Your IP phone may be in some other public network behind NAT.
        The IP phone will connect to the L2TP server on its public IP or domain name and get an IP address according to your configuration.
        You must activate ip_forwarding on the L2TP server to forward packets from the external interface to the internal interface.

        Best Regards

  5. sriram
    October 17, 2010 at 12:11 am | #7

    Dear rahul

    How many clients can log in to the server? Are more than 200 clients possible?

    best regards
    sriram

    • October 17, 2010 at 12:24 am | #8

      It depends on your bandwidth and server capability. I think there is no restriction in rp-l2tpd.

  6. sriram
    October 17, 2010 at 1:52 am | #9

    Dear rahul

    Thanks for your help, I appreciate it. Can I get your personal email?

    best regards
    sriram

  7. Thomas
    November 12, 2010 at 2:14 pm | #10

    Hi!

    Do you know if it's possible to have many peer addresses on the client side in l2tp.conf?
    section peer
    peer 51.52.53.54 <<< specifying two or more IP addresses on that line and then running commands like l2tp-control "start-session 1.1.1.1" and l2tp-control "start-session 2.2.2.2"?

    Regards
    Thomas

    • November 12, 2010 at 11:48 pm | #11

      No, it is not possible with that. You can't use multiple entries for the client peer.
      But why do you need multiple peers on the client side?

  8. MorrisGota
    November 19, 2010 at 10:36 am | #12

    I obtained some good points from you and it helped me to solve a problem, thanks.

    - Henry

  9. ololoshkin
    January 8, 2011 at 4:43 am | #13

    good site

  10. makaruku
    February 14, 2011 at 2:23 am | #14

    Hi, great article, it helped me a lot. But I have one question: how can I make this assign dynamic IP addresses to LACs? You have lns-pppd-opts "require-chap 10.10.10.1: lcp-echo-interval 30 lcp-echo-failure 6" and for me with this config it returns an error on the LAC that no IP address was assigned. To make it work I have to insert lns-pppd-opts "require-chap 10.10.10.1:10.10.10.2 lcp-echo-interval 30 lcp-echo-failure 6", so my LNS is 10.10.10.1 and the LAC is 10.10.10.2, but what happens when more LACs appear?

    • February 15, 2011 at 1:21 pm | #15

      Hi,
      Try to allocate the IP address through chap-secrets.

      Best regards
      Rahul Panwar

  11. makaruku
    February 16, 2011 at 12:44 am | #16

    Thanks for the reply, but the chap-secrets solution is not so good... You have written that it's possible to configure this with DHCP; have you tried this? E.g. in xl2tpd you can define an IP pool for LACs and this is great. I think missing this in rp-l2tpd is a big mistake.

    • February 16, 2011 at 6:41 pm | #17

      It can be done using pppoe-server with this, but I didn't try it. pppoe-server will allocate the IP pool for the ppp client and authentication will be handled by pap/chap-secrets.

      Best regards

  12. martin
    February 18, 2011 at 1:05 pm | #18

    Dear rahul

    THIS VPN ALL ARE USING FOR ILLEGAL PURPOSE WHY YOU HELPING TO DO ILLEGAL? I HOPE U R GOOD MAN DON’T HELP FOR ILLEGAL

    • February 18, 2011 at 5:55 pm | #19

      martin :

      Dear rahul

      THIS VPN ALL ARE USING FOR ILLEGAL PURPOSE WHY YOU HELPING TO DO ILLEGAL? I HOPE U R GOOD MAN DON’T HELP FOR ILLEGAL

      Hi Martin,
      I don't know who you are; why are you telling me this?

      I just write here "How to configure rp-l2tpd/xl2tpd"; you can also find so many other websites like this. I don't understand why you are stopping me from SHARING KNOWLEDGE of a LEGAL thing, because VPN is not ILLEGAL.

      If you really think that this is ILLEGAL then stop the companies who are developing & doing paid support for this type of applications.

      Sorry Mr Martin, I am just a supporter of OPEN source/Linux and not doing anything ILLEGAL here.

      Thanks & Regards,
      Rahul Panwar

  13. martin
    February 18, 2011 at 7:21 pm | #20

    Dear Rahul

    I hope you remember one Sriram; did you help him? He installed OpenL2TP himself for me; he is my technician now. I know you don't know much about L2TP, so you skipped his doubts; at that time you said you can't help, L2TP VPN is illegal. Now you are saying it's not illegal; are you not normal?

    • February 18, 2011 at 7:54 pm | #21

      Ok, then talk to him; why are you talking to me?

      Because I didn't help him, I didn't write here "How to configure OpenL2TP" or "How can you use it ILLEGALLY"…..

      Tell me, what do you really want from me????

  14. martin
    February 19, 2011 at 2:46 am | #22

    this is ur words…..

    Hi Sriram,
    Sorry for late response.
    Thanks for your appreciation.
    Nowadays I am very busy with my projects.
    I can't help you on that? It is illegal.
    Sorry for that, but I can't support you for an illegal work.

    • February 19, 2011 at 10:30 am | #23

      :) Does that mean I am doing something illegal………..
      This is your last,,,
      Are you telling your real concern????????? Or should I block your comments?

  15. Dasep Kunto
    March 9, 2011 at 4:28 pm | #24

    I can see that you are putting a lot of effort into your blog. Keep posting the good work. Some really helpful information in there. Bookmarked. Nice to see your site. Thanks! Regards

  16. isabella
    December 12, 2011 at 4:35 pm | #25

    Hi
    I have just downloaded rp-l2tpd.
    ./configure works fine, but make doesn't work; it shows me this error:

    make -C handlers
    make[1]: entrant dans le répertoire « /home/fikri/Bureau/rp-l2tp-0.4/handlers »
    make[1]: Rien à faire pour « all ».
    make[1]: quittant le répertoire « /home/fikri/Bureau/rp-l2tp-0.4/handlers »

    Please help me

  17. muthu
    December 14, 2011 at 6:54 pm | #26

    Hello, I need help. I installed l2tp+ipsec with this automated script:
    http://mirror.zeddicus.com/auto-l2tp/1.2/centos/l2tp.sh
    It was easy and was done within 1 min; I didn't even have to configure the firewall!

    However, it seems to crash randomly. It seems that when it crashes, I cannot log in to the VPN, and I have to manually do a "/etc/init.d/ipsec restart" to fix it. I also cannot find a command to stop or start xl2tpd or xl2tp; I'm not sure which l2tp it is using. Can you help check it out for me?

    I am not a pro here but desperately need help to fix the random "cannot login" problem.

  18. jain
    February 22, 2012 at 8:35 am | #27

    Hi
    This website is very useful. Thanks for helping everybody. I followed your instructions and installed rp-l2tpd; everything succeeded. Clients can successfully connect to the server, but one problem is that the client can't get internet through the server. Please help me. Thanks.
