L2TP Client: OpenWRT

From AAISP Support Site

OpenWRT

I'll give details about doing things without LuCI - if you want to do it through the web UI, it should be obvious from the text config what you need to twiddle.

Tested with the following package versions -

kmod-l2tp - 3.18.10-1
kmod-l2tp-eth - 3.18.10-1
kmod-l2tp-ip - 3.18.10-1
kmod-pppol2tp - 3.18.10-1
ppp-mod-pppol2tp - 2.4.7-5
xl2tpd - 1.3.6-5619e1771048e74b729804e8602f409af0f3faea
luci-proto-ipv6 - git-15.090.50849-576e235-1
luci-proto-ppp - git-15.090.50849-576e235-1

You'll first need to create a static route for ALL the IPs for l2tp.aa.net.uk via your bulk interface (usually wan) in /etc/config/network -

config route
        option interface 'wan'
        option target '90.155.53.19'

And do the same for any other IP addresses that l2tp.aa.net.uk resolves to. Note that IPs may be added with or without warning.
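Because the server's address list can change silently, it is worth re-checking that every IPv4 address of l2tp.aa.net.uk has a pinned route before the tunnel comes up; an address without one would follow whatever default route wins, rather than the bulk WAN. The following is an added example (not from the AAISP page or from OpenWRT) that emits the missing "config route" stanzas for a given list of addresses; the sample config and the address 192.0.2.10 are constructed, and the nslookup output parsing is an assumption about busybox's format:

```shell
#!/bin/sh
# Added example: print "config route" stanzas for L2TP server addresses that
# /etc/config/network does not already pin to the bulk interface.

# Print one static-route stanza in /etc/config/network syntax.
route_stanza() {
    printf "config route\n\toption interface '%s'\n\toption target '%s'\n\n" "$1" "$2"
}

# Given the text of /etc/config/network and a space-separated IPv4 list,
# print the addresses that have no "option target '<ip>'" line yet.
# grep -F keeps the dots literal so 90.155.53.19 cannot match 90x155x53x19.
missing_routes() {
    config_text="$1"; ips="$2"
    for ip in $ips; do
        if ! printf '%s\n' "$config_text" | grep -qF "option target '$ip'"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Emit stanzas (interface $1) for every address in $3 missing from config $2.
generate_missing_routes() {
    iface="$1"; config_text="$2"; ips="$3"
    for ip in $(missing_routes "$config_text" "$ips"); do
        route_stanza "$iface" "$ip"
    done
}

# Live helper for the router (not exercised below): collect the server's A
# records from busybox nslookup. Assumption: each answer is on a line that
# starts with "Address" and ends with a bare dotted-quad.
resolve_ipv4() {
    nslookup "$1" 2>/dev/null |
        awk '/^Address/ && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $NF}'
}

# Constructed sample: the page's existing route plus one newly seen address.
SAMPLE_NETWORK_CONFIG="config interface 'wan'
	option proto 'dhcp'

config route
	option interface 'wan'
	option target '90.155.53.19'
"
SAMPLE_IPS="90.155.53.19 192.0.2.10"

generate_missing_routes wan "$SAMPLE_NETWORK_CONFIG" "$SAMPLE_IPS"
```

On the router, replace the sample with `generate_missing_routes wan "$(cat /etc/config/network)" "$(resolve_ipv4 l2tp.aa.net.uk)"`, append the output to /etc/config/network and run `/etc/init.d/network reload`.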

Then add the tunnel to /etc/config/network - note that even though we enable IPv6 on it, the interface won't get an IPv6 address. Fear not, we can fix that in a minute.

config interface 'aaisp'
        option proto 'l2tp'
        option server 'l2tp.aa.net.uk'
        option username 'yourusername@a'
        option password 'YOURPASSWORD'
        option ipv6 '1'
        option peerdns '0'
        option metric '50'

Next let's configure DHCPv6 over the tunnel interface since PPP IPV6CP doesn't seem to work properly. Again in /etc/config/network - edit to taste if you don't want to gobble up your entire /48. Though this shows as a separate interface in OpenWRT-land, they'll both assign addresses to the same underlying interface, 'l2tp-aaisp'.

config interface 'aaisp6'
        option proto 'dhcpv6'
        option reqprefix '48'
        option peerdns '0'
        option _orig_ifname 'aaisp'
        option _orig_bridge 'false'
        option ifname 'l2tp-aaisp'
        option reqaddress 'force'

Now we have -

  • All IPv4 traffic going out of our bulk WAN interface (metric 0)
  • The L2TP tunnel has its default gateway set, but unused (metric 50)
  • All IPv6 traffic going out of the tunnel (haven't tested what would happen if your bulk interface was also IPv6 capable)
  • DNS unchanged from original setup (I use dnscrypt-proxy and some REDIRECT iptables plumbing to secure DNS query traffic)

Next steps

  • iptables PREROUTING rules to mark traffic that should egress via the tunnel
  • iproute2 magic to route the marked traffic properly
  • a painful sense of irony that we're dodging nasty shaping and filtering on our bulk interface only to do it ourselves
  • a really sweet hat

Prod me (daveio) on IRC if you have trouble, I'll try to assist if I'm around.