L2TP Client: Debian: Difference between revisions

Latest revision as of 09:23, 18 October 2024

Also see this blog post by a customer using Debian and our L2TP service: https://www.ashbysoft.com/posts/debian-aaisp-l2tp/

Standalone A&A L2TP router on Debian Linux

Introduction

I recently moved libreboot.org hosting to a much faster network than what it had before, but the new ISP doesn't assign static IPv4 or IPv6 subnets on the line, and it has all kinds of restrictions, though speed, uptime and latency are all excellent. I decided therefore to set up a tunnel connection using a&a's L2TP tunnel service. It's just like a regular VPN service, but specifically intended for people like me who need fixed IPs to host servers on. It's really very good, and my old hosting was done via one of their handline (VDSL) connections, but I decided I needed something faster via their L2TP service instead.

I was toying with OpenBSD as a router but decided to shelve that project for a while, and go with something I'm very familiar with - Debian Linux!

You could also just use pfsense but I really just like running a router on Debian on an old ThinkPad for some reason. pfsense is "too much gun", for my purposes. Again, I just like Debian for no reason, for this specific purpose.

Adapt this guide according to your distro. Basically all we want to do is do PPP via L2TP and enable packet forwarding in Linux, so that packets can pass between two interfaces. We will have these interfaces:

WAN port (ethernet) - upstream ISP
tunnel port (l2tp) - connecting via WAN port
LAN port (ethernet) - packets ONLY routed between it and the tunnel, NOT the WAN port directly

In other words, this will be a completely enclosed network. The setup that I'm describing here is for a standalone L2TP service, not the failover setup that a&a also provides on their hardlines.

This guide assumes that you already have some dumb cable router or something like that set up, with DHCP. Your L2TP router will sit behind that, using either a static IP or DHCP, whatever you want, doesn't matter, that's just to get you on the internet so we can set up L2TP and route IPs through that.

This setup also assumes that you have an IPv4 subnet e.g. /29 or /28 from a&a. I happened to have a /28 in my setup, because I was such a sport and a&a decided to give that to me on my L2TP, since I had one on my old VDSL line but later switched to virgin for greater speed, to use A&A L2TP with. Openreach PON fibre isn't available in my area when I made this guide.

Preparation

Interface names

In my case, I had these physical interfaces:

enp14s0 in configured via NAT and/or DHCP to upstream ISP. L2TP shall connect through this
eno0 is for routing IPs from the L2TP, to a switch. this is basically my LAN port

Yours may differ, so adapt accordingly.

Firewall

I will not configure a firewall on this network. I always get an IPv4 subnet from a&a either on hardlines or L2TP, and I run an open network. The router is always hardened to only allow local connections, for security.

No NAT/DHCP either. If local hosts want to firewall themselves, they can.

If I want NAT/DHCP inside such a network, I usually plug in an OpenWRT router and set a static IP on the WAN port for that.

Essentially, I like my main network to be "invisible". Just plug in and set an IP (from the public subnet) and you're good to go. This assumes you have good physical security and/or you trust the people that have access to it.

You should not connect anything insecure directly to this main network. For example, your playstation or proprietary Windows PC or something like that, should be heavily firewalled behind e.g. OpenWRT router.

This type of network is useful to me because I run lots of servers via a&a, so I need great flexibility. This is just a very simple setup that *works*.

Traffic shaping / QoS

You might configure codel or (better) cake which is nice for QoS but that's beyond the scope of this article. See: https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm for some tips.

Debian packages to install

   apt-get install ppp pppoe xl2tpd iproute2 tcpdump net-tools resolvconf

You may also want open-vm-tools, if you're virtualised.

You should install these packages BEFORE doing anything else. Just connect via DHCP or something and install these. You could also grab them from Debian installation media.

Network configuration

In the network configuration below, my normal router was a thinkpad connected to wifi, sharing that over ethernet. It was just a test setup. On that DHCP server on the thinkpad, the subnet was 10.42.0.0/24, but normally you might use e.g. 192.168.0.0/24.

You MUST NOT use DHCP on this connection. You have to set a static IP, so that you can set a custom route, going to 90.155.53.19 *via* what would otherwise be the gateway line; in this case I'd normally set gateway 10.42.0.1 in the example below, but instead i set up /sbin/ip route add 90.155.53.19/32 via 10.42.0.1 dev enp14s0. This makes all traffic on IPv4 route through the L2TP instead of directly through the main upstream, in this case virgin media.

And do the same for any other IP addresses that l2tp.aa.net.uk resolves to. Note that IPs may be added with or without warning.

The fact that I used Virgin Media on this line is irrelevant. You can use L2TP on any ISP. Adapt the config below to your needs, accordingly:

/etc/network/interfaces

source /etc/network/interfaces.d/*

 # The loopback network interface
 auto lo
 iface lo inet loopback

# Linux - ANY NAT ROUTER WITH INTERNETZ
# actually, it don't even have to be nat, but whatever
# You must edit this accordingly.
# Advice: set reserved DHCP allocation
# NOTE: 10 network below is just what i used. AGAIN: ADAPT ACCORDINo0
#
#auto enp14s0
#iface enp14s0 inet dhcp

# NOTE: 10.42.0.116 is my upstream router, not anything l2tp-related.
# you MUST set static IPs and not use DHCP at all, so that you can set
# a custom route. See below

# NOTE: the IPs on eno0 are assigned by a&a for my l2tp service
# you must adapt these for your own line. please note also a&a typically
# offers a /29 for l2tp but they gave me a /28; for a /29, you should
# use netmask 255.255.255.248

 auto enp14s0
 allow-hotplug enp14s0
 iface enp14s0 inet static
       address 10.42.0.116
       netmask 255.255.255.0
       network 10.42.0.0
       # gateway 10.42.0.1 # we will set a custom route instead. see below
       broadcast 10.42.0.255
       up /sbin/ip route add 90.155.53.19/32 via 10.42.0.1 dev enp14s0

 # LAN
 auto eno0
  iface eno0 inet static 
   address 81.187.x.x
   netmask 255.255.255.240 
   dns-nameservers 217.169.20.20 217.169.20.21

 iface eno0 inet6 static 
   address  2001:8b0:x:x::1
   netmask 64 
   dns-nameservers 2001:8b0::2020 2001:8b0::2021

 # NOTE: because above, we are forcing everything to go over L2TP, we will
 # not have DNS until the L2TP is up. this is why the IP address of A&A's
 # L2TP router is used directly!

 # NOTE: no hardline so PPP not configured here. This is handled via xl2tpd

NOTE: We shall re-edit this file later. For now though, our purpose is only to get online.

NOTE: IP address 90.155.53.19 is what l2tp.aa.net.uk resolves to, and it shall be used directly for our purposes, due to absent name resolution during initialisation of this network.

Enabling IP forwarding

To tell our Linux router to actually forward traffic, you must first enable IP forwarding in /etc/sysctl.conf.

/etc/sysctl.conf

Uncomment this line:

   #net.ipv4.ip_forward=1

And this line (NOTE: disables stateless address autoconfiguration)

   #net.ipv6.conf.all.forwarding=1

Now run:

   sysctl -p

This will reload /etc/sysctl.conf - applying our changes.

L2TP

It may seem counter-intuitive above, that we've configured PPP as though we're on a hardline, but this is important for the next step. A&A provides L2TP without authentication, but then you authenticate via PPP routed through L2TP.

Debian kernels should already have the correct modules, but otherwise you must ensure that the CONFIG_PPPOL2TP and CONFIG_L2TP options are enabled in your kernel configuration.

It should be noted that A&A L2TP service is (as of this day) currently without IPSEC or other encryption such as wireguard. This is less than ideal, but you will likely be doing a lot of encrypted things online anyway (lots of websites are https-aware nowadays).

You will not be able to use DNS until the L2TP is up, so we will use A&A's IP address for l2tp.aa.net.uk, which is 90.155.53.19.

/etc/xl2tpd/xl2tpd.conf

Place the following contents:

[lac aaisp]
lns = 90.155.53.19
require authentication = no
pppoptfile = /etc/ppp/options.aaisp

/etc/ppp/options.aaisp

Create this file, and place the following contents:

NOTE: the name and password entries are your A&A login details for L2TP.

+ipv6
ipv6cp-use-ipaddr
name xyz@a.X
password Your_xyz@A.X_password
noauth
ifname ppp-aaisp-l2tp

PPP IF Up/Down scripts

PPPoE and L2TP are managed by pppd, which executes if up/down scripts when interfaces go up or down. We shall manipulate this accordingly:

/etc/ppp/ipv6-up.d/0000-defaultroute

This file sets a default route on IPv6, but it can be (ab)used in general to handle L2TP/PPP going up/down. This file is for when the link goes *up*.

A default route must be set!

We already created this file earlier, and now we shall modify it:

#!/bin/bash
/bin/logger $1 is up
if [ $1 = "ppp-aaisp-l2tp" ]; then
	/bin/logger "AAISP over L2TP circuit is online; adding routes"
	/sbin/ip route add default dev ppp-aaisp-l2tp scope link
	/sbin/ip -6 route add default dev ppp-aaisp-l2tp scope link
#	ip route add default dev ppp-aaisp-l2tp proto static scope link metric 50 # hack, got my IPv6 working on host behind the LAN
fi

Don't forget:

   chmod 755 /etc/ppp/ipv6-up.d/0000-defaultroute

/etc/ppp/ipv6-down.d/0000-defaultroute

The routes must be deleted, when the line goes down:

 #!/bin/bash
 /bin/logger $1 is down
 if [ $1 = "ppp-aaisp-l2tp" ]; then
	/bin/logger "AAISP over L2TP circuit is offline; removing routes"
	/sbin/ip route del default dev ppp-aaisp-l2tp scope link
	/sbin/ip -6 route del default dev ppp-aaisp-l2tp scope link
	# NOTE:
	# can put a loop here, to automatically reconnect xl2tpd
	# via the control file. this, combined with a script on
	# system startup that does the same, should ensure maximum uptime
 fi

Don't forget:

   chmod 755 /etc/ppp/ipv6-down.d/0000-defaultroute

xl2tpd control file

Create the xl2tpd control file:

   mkdir -p /var/run/xl2tpd
   touch /var/run/xl2tpd/l2tp-control

Start the xl2tpd service:

   systemctl start xl2tpd

Tell the daemon to connect to aaisp:

   echo "c aaisp" > /var/run/xl2tpd/l2tp-control

A&A prioritises routing down L2TP, but since this is standalone, you shouldn't need to worry much. However, we shall configure routing next, just to be sure.

NOTE: The above is basically how you turn on or off your L2TP internetz. You can echo 'd aaisp' to the control file to turn it off.

You need to decide whether you want L2TP turning on or off in your router. In some situations, it may not actually be desirable for it to autostart, like if you just want to quickly test a new network but aren't ready for it to go in production yet.

We cover the control file last, because we need everything else covered to already be in place in order for everything to Just Work.

Assuming that the above works, this should create a network interfaced named ppp-aaisp-l2tp, which is PPP via L2TP.

Notes about IP routing

My A&A IPs are: 81.187.y.y 81.187.x.x/28 2001:8b0:x:x::/64

My IPv6 is *working*, but IPv4 isn't.

My desired setup is:

router LAN port is eno0 and has an IPv4 and v6 address, the v4 one is from the assigned /28 as above
router LAN port set with IPv4 address of 81.187.172.129
hosts behind the LAN port, via a switch, can set another IPv4 addresses e.g. 81.187.172.130, using 81.187.172.129 as gateway
NOTE: I don't need DHCP/NAT etc on the main router because /28 IPv4. If I need NAT, I just plug in an openwrt router and set a static IP on its WAN slot, from the /28

IPv4:

root@aimbot:~# ip -4 route
default via 10.42.0.1 dev enp14s0 onlink 
default dev ppp-aaisp-l2tp proto static scope link metric 50 
10.42.0.0/24 dev enp14s0 proto kernel scope link src 10.42.0.116 
81.187.81.187 dev ppp-aaisp-l2tp proto kernel scope link src 81.187.232.11 
81.187.172.128/28 via 81.187.81.187 dev ppp-aaisp-l2tp 
169.254.0.0/16 dev enp14s0 scope link metric 1000

IPv6:

root@aimbot:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2001:8b0:b95:1bb5::/64 dev eno0 proto kernel metric 256 pref medium
fe80::203:97ff:fe05:4000 dev ppp-aaisp-l2tp proto kernel metric 256 pref medium
fe80::c001:e8bf:1803:9f80 dev ppp-aaisp-l2tp proto kernel metric 256 pref medium
fe80::/64 dev eno0 proto kernel metric 256 pref medium
fe80::/64 dev enp14s0 proto kernel metric 256 pref medium
default dev ppp-aaisp-l2tp metric 1024 pref medium

Other configurations

The /tmp, /var/run and /var/lock directories should also be tmpfs. This isn't strictly necessary, but for a high-performance machine it might be desirable, especially for something like this.

Auto-connect

Due to the way xl2tpd works (control files), I concluded that the best way to handle this is with crontab. As root, do:

   crontab -e

In there, insert:

* * * * * echo "c aaisp" > /var/run/xl2tpd/l2tp-control
@reboot echo "c aaisp" > /var/run/xl2tpd/l2tp-control

You might also add something like this, for resolving domain names:

* * * * * echo "nameserver 217.169.20.20" > /etc/resolv.conf

This L2TP routing setup is a bit hacky, and this guide could use some refinement.

The @reboot line is probably redundant, since this will just run every minute anyway. I really wouldn't worry about it.

The last line that says "reboot" will run at boot time, for each and every boot. It will also run again, once every minute. If the L2TP is online, running the command is harmless and will simply exit.

Security

You should configure SSH to accept keys only and (optional) only listen on a local IP address (e.g. 10 network). This is beyond the scope of the article, but it's quite trivial to set up.

or configure for ssh key authentication with no password fallback.

e.g.

   ListenAddress 10.0.0.42

You can find useful logs in /var/log/messages.

Testing

The following commands may be useful later, to debug issues:

ip route
ip -6 route
ping 8.8.8.8
ping6 2001:4860:4860::8888
tcpdump -ni eno0