L2TP Client: OpenWRT: Difference between revisions
Revision as of 11:23, 8 December 2022
OpenWRT
I'll give details about doing things without LuCI - if you want to do it through the web UI, it should be obvious from the text config what you need to twiddle.
Tested with the following package versions -
kmod-l2tp - 3.18.10-1
kmod-l2tp-eth - 3.18.10-1
kmod-l2tp-ip - 3.18.10-1
kmod-pppol2tp - 3.18.10-1
ppp-mod-pppol2tp - 2.4.7-5
xl2tpd - 1.3.6-5619e1771048e74b729804e8602f409af0f3faea
luci-proto-ipv6 - git-15.090.50849-576e235-1
luci-proto-ppp - git-15.090.50849-576e235-1
You'll first need to create a static route for ALL the IPs for l2tp.aa.net.uk via your bulk interface (usually wan) in /etc/config/network -

    config route
        option interface 'wan'
        option target '90.155.53.19'

And do the same for any other IP addresses that l2tp.aa.net.uk resolves to. Note that IPs may be added with or without warning.
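One way to keep up with that note, as an added example that is not part of the original page: the functions below (hypothetical names) compare a list of addresses against the route targets already in a config file and print the stanzas that are missing. It assumes you supply the resolved IPv4 addresses yourself, one per line on stdin.

```shell
#!/bin/sh
# Added example (not from the original page): list the UCI route stanzas that
# are still missing for the tunnel endpoint. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# existing_targets CONFIG: print the target of every 'config route' section.
existing_targets() {
    awk -v q="'" '
        $1 == "config" { in_route = ($2 == "route") }
        in_route && $1 == "option" && $2 == "target" { gsub(q, "", $3); print $3 }
    ' "$1"
}

# missing_routes IFACE CONFIG: read candidate addresses (one per line) on
# stdin and print a stanza for each valid IPv4 address not yet routed.
# Output goes to stdout for review; nothing is written to CONFIG.
missing_routes() {
    iface=$1
    have=$(existing_targets "$2")
    sort -u | while read -r ip; do
        is_ipv4 "$ip" || continue
        printf '%s\n' "$have" | grep -Fxq "$ip" && continue
        printf "config route\n\toption interface '%s'\n\toption target '%s'\n\n" "$iface" "$ip"
    done
}
```

Call it as `missing_routes wan /etc/config/network` with the addresses your resolver returns for l2tp.aa.net.uk on stdin, and read the output before appending it to the config, since a wrong DNS answer would otherwise become a pinned route.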
Then add the tunnel to /etc/config/network - note that even though we enable it, the interface won't get an IPv6 address. Fear not, we can fix that in a minute.

    config interface 'aaisp'
        option proto 'l2tp'
        option server 'l2tp.aa.net.uk'
        option username 'yourusername@a'
        option password 'YOURPASSWORD'
        option ipv6 '1'
        option peerdns '0'
        option metric '50'

Next let's configure DHCPv6 over the tunnel interface since PPP IPV6CP doesn't seem to work properly. Again in /etc/config/network - edit to taste if you don't want to gobble up your entire /48. Though this shows as a separate interface in OpenWRT-land, they'll both assign addresses to the same underlying interface, 'l2tp-aaisp'.

    config interface 'aaisp6'
        option proto 'dhcpv6'
        option reqprefix '48'
        option peerdns '0'
        option _orig_ifname 'aaisp'
        option _orig_bridge 'false'
        option ifname 'l2tp-aaisp'
        option reqaddress 'force'

Now we have -
- All IPv4 traffic going out of our bulk WAN interface (metric 0)
- The L2TP tunnel has its default gateway set, but unused (metric 50)
- All IPv6 traffic going out of the tunnel (haven't tested what would happen if your bulk interface was also IPv6 capable)
- DNS unchanged from original setup (I use dnscrypt-proxy and some REDIRECT iptables plumbing to secure DNS query traffic)
Next steps
- iptables PREROUTING rules to mark traffic that should egress via the tunnel
- iproute2 magic to route the marked traffic properly
- a painful sense of irony that we're dodging nasty shaping and filtering on our bulk interface only to do it ourselves
- a really sweet hat
Prod me (daveio) on IRC if you have trouble, I'll try to assist if I'm around.