L2TP Client: Debian: Difference between revisions

L2TP Client: Debian (view source)

Revision as of 21:33, 12 March 2023

278 bytes added , 12 March 2023

m

removed pointless swearing

Drsox

autoreview, editor

94

edits

Revision as of 22:59, 28 November 2022 (view source) Reedy (talk \| contribs) (Formatting) ← Older edit		Revision as of 21:33, 12 March 2023 (view source) Drsox (talk \| contribs) m (removed pointless swearing) Newer edit →
(5 intermediate revisions by 2 users not shown)
===Introduction=== I recently moved [https://libreboot.org/ ]libreboot.org] hosting to a much faster network than what it had before, but the new ISP doesn't assign static IPv4 or IPv6 subnets on the line, and it has all kinds of restrictions, though speed, uptime and latency are all excellent. I decided therefore to set up a tunnel connection using a&a's [https://www.aa.net.uk/broadband/l2tp-service/ L2TP tunnel service]. It's just like a regular VPN service, but specifically intended for people like me who need fixed IPs to host servers on. It's really very good, and my old hosting was done via one of their handline (VDSL) connections, but I decided I needed something faster via their L2TP service instead.▼ ▲I recently moved [https://libreboot.org/ ]libreboot.org hosting to a much faster network than what it had before, but the new ISP doesn't assign static IPv4 or IPv6 subnets on the line, and it has all kinds of restrictions, though speed, uptime and latency are all excellent. I decided therefore to set up a tunnel connection using a&a's [https://www.aa.net.uk/broadband/l2tp-service/ L2TP tunnel service]. It's just like a regular VPN service, but specifically intended for people like me who need fixed IPs to host servers on. It's really very good, and my old hosting was done via one of their handline (VDSL) connections, but I decided I needed something faster via their L2TP service instead. I was toying with OpenBSD as a router but decided to shelve that project for a while, and go with something I'm very familiar with - Debian Linux! Essentially, I like my main network to be "invisible". Just plug in and set an IP (from the public subnet) and you're good to go. This assumes you have good physical security and/or you trust the people that have access to it. You should not connect anything insecure directly to this main network. For example, your playstation or proprietary ~~shitware~~ Windows PC or something like that, should be heavily firewalled behind e.g. OpenWRT router. This type of network is useful to me because I run lots of servers via a&a, so I need great flexibility. This is just a very simple setup that works. ===Debian packages to install=== apt-get install ppp pppoe xl2tpd iproute2 tcpdump net-tools resolvconf ===Network configuration=== In the network configuration below, my normal router was a thinkpad connected to wifi, sharing that over ethernet. It was just a test setup. On that DHCP server on the thinkpad, the subnet was `<tt>10.42.0.0/24`</tt>, but normally you might use e.g. `<tt>192.168.0.0/24`</tt>. You MUST NOT use DHCP on this connection. You have to set a static IP, so that you can set a custom route, going to `<tt>90.155.53.19`</tt> via what would otherwise be the `<tt>gateway`</tt> line; in this case I'd normally set `<tt>gateway 10.42.0.1`</tt> in the example below, but instead i set `<tt>up /sbin/ip route add 90.155.53.19/32 via 10.42.0.1 dev enp14s0`</tt>. This makes all traffic on IPv4 route through the L2TP instead of directly through the main upstream, in this case virgin media. '''And do the same for any other IP addresses that l2tp.aa.net.uk resolves to. Note that IPs may be added with or without warning.''' The fact that I used Virgin Media on this line is irrelevant. You can use L2TP on any ISP. Adapt the config below to your needs, accordingly: ===/etc/network/interfaces=== <syntaxhighlight lang=bash> source /etc/network/interfaces.d/* NOTE: We shall re-edit this file later. For now though, our purpose is only to get online. NOTE: IP address `<tt>90.155.53.19`</tt> is what `<tt>l2tp.aa.net.uk`</tt> resolves to, and it shall be used directly for our purposes, due to absent name resolution during initialisation of this network. ===Enabling IP forwarding=== #net.ipv4.ip_forward=1 And this line (NOTE: disables stateless address autoconfiguration) sysctl -p This will reload `<tt>/etc/sysctl.conf`</tt> - applying our changes. ===L2TP=== It may seem counter-intuitive above, that we've configured PPP as though we're on a hardline, but this is important for the next step. A&A provides L2TP without authentication, but then you authenticate via PPP routed through L2TP. Debian kernels should already have the correct modules, but otherwise you must ensure that the `<tt>CONFIG_PPPOL2TP`</tt> and `<tt>CONFIG_L2TP`</tt> options are enabled in your kernel configuration. It should be noted that A&A L2TP service is (as of this day) currently without IPSEC or other encryption such as wireguard. This is less than ideal, but you will likely be doing a lot of encrypted things online anyway (lots of websites are https-aware nowadays). You will not be able to use DNS until the L2TP is up, so we will use A&A's IP address for `<tt>l2tp.aa.net.uk`</tt>, which is `<tt>90.155.53.19`</tt>. ===/etc/xl2tpd/xl2tpd.conf=== Place the following contents: <syntaxhighlight lang=bash> [lac aaisp] lns = 90.155.53.19 Create this file, and place the following contents: NOTE: the `<tt>name`</tt> and `<tt>password`</tt> entries are your A&A login details for L2TP. <syntaxhighlight lang=bash> +ipv6 ipv6cp-use-ipaddr ===PPP IF Up/Down scripts=== PPPoE and L2TP are managed by `<tt>pppd`</tt>, which executes if up/down scripts when interfaces go up or down. We shall manipulate this accordingly: ===/etc/ppp/ipv6-up.d/0000-defaultroute=== The routes must be deleted, when the line goes down: <syntaxhighlight lang=~~bahs~~bash> #!/bin/bash /bin/logger $1 is down This L2TP routing setup is a bit hacky, and this guide could use some refinement. The `<tt>@reboot`</tt> line is probably redundant, since this will just run every minute anyway. I really wouldn't worry about it. The last line that says "reboot" will run at boot time, for each and every boot. It will also run again, once every minute. If the L2TP is online, running the command is harmless and will simply exit. ListenAddress 10.0.0.42 You can find useful logs in `<tt>/var/log/messages`</tt>. ==Testing==