L2TP Client: OpenWRT

From AAISP Support Site
Revision as of 00:02, 18 August 2018 by Reedy (edit summary: top: clean up)

OpenWRT

I'll give details about doing things without LuCI - if you want to do it through the web UI, it should be obvious from the text config what you need to twiddle.

Tested with the following package versions -

kmod-l2tp - 3.18.10-1
kmod-l2tp-eth - 3.18.10-1
kmod-l2tp-ip - 3.18.10-1
kmod-pppol2tp - 3.18.10-1
ppp-mod-pppol2tp - 2.4.7-5
xl2tpd - 1.3.6-5619e1771048e74b729804e8602f409af0f3faea
luci-proto-ipv6 - git-15.090.50849-576e235-1
luci-proto-ppp - git-15.090.50849-576e235-1

You'll first need to create a static route for l2tp.aa.net.uk via your bulk interface (usually wan) in /etc/config/network. The target is the IP address that l2tp.aa.net.uk resolves to, since a UCI route takes an address rather than a hostname; this pins the tunnel's own traffic to the bulk interface so it can never be routed into the tunnel it carries -

config route
        option interface 'wan'
        option target '90.155.53.19'

Then add the tunnel to /etc/config/network - note that even though we enable IPv6 on it, the interface won't get an IPv6 address. Fear not, we can fix that in a minute.

config interface 'aaisp'
        option proto 'l2tp'
        option server 'l2tp.aa.net.uk'
        option username 'yourusername@a'
        option password 'YOURPASSWORD'
        option ipv6 '1'
        option peerdns '0'
        option metric '50'

Next let's configure DHCPv6 over the tunnel interface since PPP IPV6CP doesn't seem to work properly. Again in /etc/config/network - edit to taste if you don't want to gobble up your entire /48. Though this shows as a separate interface in OpenWRT-land, they'll both assign addresses to the same underlying interface, 'l2tp-aaisp'.

config interface 'aaisp6'
        option proto 'dhcpv6'
        option reqprefix '48'
        option peerdns '0'
        option _orig_ifname 'aaisp'
        option _orig_bridge 'false'
        option ifname 'l2tp-aaisp'
        option reqaddress 'force'

Now we have -

  • All IPv4 traffic going out of our bulk WAN interface (metric 0)
  • The L2TP tunnel has its default gateway set, but unused (metric 50)
  • All IPv6 traffic going out of the tunnel (haven't tested what would happen if your bulk interface was also IPv6 capable)
  • DNS unchanged from original setup (I use dnscrypt-proxy and some REDIRECT iptables plumbing to secure DNS query traffic)
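As an added sanity check (example code, not part of the original page or of OpenWrt itself): a POSIX shell linter that reads a UCI network file and flags the things this setup depends on, namely the static route for 90.155.53.19 via the bulk interface, a tunnel metric above 0, placeholder credentials left in place, and a DHCPv6 section bound to the tunnel's l2tp-<name> device. The sample_config function, the PROBLEM messages and the set of checks are my assumptions; the section names and placeholder values are the page's own.

```shell
#!/bin/sh
# Added example (not from the page): lint the L2TP sections of an OpenWrt /etc/config/network.
# Section names and placeholder values are the page's own; the checks are assumptions.
L2TP_SERVER_IP='90.155.53.19'   # l2tp.aa.net.uk, as given on the page
sample_config() {   # constructed sample input: the page's three sections, placeholders included
    cat <<'EOF'
config route
        option interface 'wan'
        option target '90.155.53.19'

config interface 'aaisp'
        option proto 'l2tp'
        option server 'l2tp.aa.net.uk'
        option username 'yourusername@a'
        option password 'YOURPASSWORD'
        option ipv6 '1'
        option peerdns '0'
        option metric '50'

config interface 'aaisp6'
        option proto 'dhcpv6'
        option reqprefix '48'
        option ifname 'l2tp-aaisp'
        option reqaddress 'force'
EOF
}

# check_l2tp_config FILE: prints one line per problem found; exit status is the problem count.
check_l2tp_config() {
    awk -v srv="$L2TP_SERVER_IP" -v q="'" '
    function unq(s,  c) { c = substr(s, 1, 1); if (c == q || c == "\"") s = substr(s, 2)
        c = substr(s, length(s)); if (c == q || c == "\"") s = substr(s, 1, length(s) - 1); return s }
    function bad(m) { print "PROBLEM: " m; p++ }
    $1 == "config" { n++; type[n] = $2; name[n] = unq($3); next }   # start of a UCI section
    $1 == "option" { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); opt[n, $2] = unq(v) }
    END {
        for (i = 1; i <= n; i++) {
            if (type[i] == "route" && opt[i, "target"] == srv) route = i
            if (type[i] == "interface" && opt[i, "proto"] == "l2tp") l2tp = i
            if (type[i] == "interface" && opt[i, "proto"] == "dhcpv6") dh6 = i
        }
        if (!route) bad("no static route for " srv ": tunnel packets must leave via the bulk (wan) interface")
        if (!l2tp) { bad("no proto l2tp interface"); exit p }
        if (opt[l2tp, "password"] == "YOURPASSWORD" || opt[l2tp, "username"] == "yourusername@a") bad(name[l2tp] ": placeholder credentials still present")
        if (opt[l2tp, "metric"] + 0 == 0) bad(name[l2tp] ": metric 0 would make the tunnel the IPv4 default route")
        if (!dh6) bad("no dhcpv6 interface: the tunnel will get no IPv6 address from IPV6CP")
        else if (opt[dh6, "ifname"] != "l2tp-" name[l2tp]) bad(name[dh6] ": ifname must be l2tp-" name[l2tp] " to share the tunnel device")
        exit p
    }' "$1"
}
```

Run it as `check_l2tp_config /etc/config/network` on the router; a zero exit status means every check passed.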

Next steps

  • iptables PREROUTING rules to mark traffic that should egress via the tunnel
  • iproute2 magic to route the marked traffic properly
  • a painful sense of irony that we're dodging nasty shaping and filtering on our bulk interface only to do it ourselves
  • a really sweet hat

Prod me (daveio) on IRC if you have trouble, I'll try to assist if I'm around.