nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Thu Dec 23, 2010 7:04 pm    Post subject: how to l2tp (strongVPN)
here is a brain dump of how to connect to a usa l2tp server and get yourself a us IP address:
Quote:
echo "net-misc/openswan ~x86">>/etc/portage/package.keywords
emerge -av openswan net-dialup/xl2tpd net-dialup/ppp
you will need to have these details in hand to config the connection:
username, password, l2tp_password,
vpn host address (vpn_host): use ping on the vpn name server you got,
nic - device you use to connect to the internet (eth0)
wan_IP and wan_gw - which are the IP address your ISP provides and the gateway you use;
the last information is seen using the ifconfig and route commands.
nat - in this case the pc is connected straight to the modem, with no router involved, so nat = no
/etc/ipsec.conf:
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

# section parameters must be indented, otherwise Openswan rejects the file
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=no
    protostack=netkey
    oe=no
    plutoopts="--interface=eth0"

# transport-mode SA that only protects UDP/1701 (L2TP) between wan_IP and vpn_host
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=wan_IP
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=vpn_host
    rightprotoport=17/1701
/etc/ipsec.secrets:
Code:
wan_IP vpn_host : PSK "l2tp_password"
/etc/xl2tpd/xl2tpd.conf:
Code:
[lac username]
lns = vpn_host
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client:
Code:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name username
password password
/etc/ppp/options same as /etc/ppp/options.l2tpd.client
now to actually establish the connection do:
Quote:
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
sleep 2
ipsec auto --up L2TP-PSK
sleep 3
echo "c username" > /var/run/xl2tpd/l2tp-control
ip ro add vpn_host via wan_gw
route del -net 0.0.0.0 netmask 0.0.0.0 gw wan_gw
Firewall
I am using arno-firewall-scripts, so in the /etc/arno-iptables-firewall/custom-rules:
Code:
# INPUT sees packets arriving from the VPN server, so the server is the source and
# our WAN address the destination: IKE (udp/500), NAT-T (udp/4500), ESP (50), AH (51)
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 50 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 51 -j ACCEPT
Automate it all
sed -i 's/auto=.*/auto=start/' /etc/ipsec.conf
good link I found later: http://trinityhome.org/Home/index.php?wpid=167&front_id=18
Last edited by nivw on Fri Dec 31, 2010 1:10 pm; edited 6 times in total

nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Sat Dec 25, 2010 12:03 pm
to automate this we need three files:
1. I am using dhcpcd as my dhcp client, so add /lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
2. /etc/init.d/strongVpn
3. /etc/conf.d/strongVpn
/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
Code:
#/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
#use ISP default gateway as a route for l2tp server
#written by niv vaizer
# WAN_DEV and VPN_HOST come from /etc/conf.d/strongVpn; $interface, $if_up,
# $new_routers and $new_ip_address are set by dhcpcd for its hooks
[ -f /etc/conf.d/strongVpn ] && . /etc/conf.d/strongVpn
if [ "$interface" = "$WAN_DEV" ] && [ "$if_up" = "true" ] ; then
    #if [ $if_up -a "$reason" = "BOUND" ] ; then
    # pin a host route to the l2tp server via the new ISP gateway, replacing a stale one
    if [ -n "${new_routers}" ] && ! ip ro | grep -q "^${VPN_HOST} via ${new_routers}" ; then
        line=$(ip ro | grep "^${VPN_HOST} via")
        line=${line%%dev*}
        [ -n "${line}" ] && ip ro del ${line}
        ip ro add "$VPN_HOST" via "$new_routers"
    fi
    # when the ISP-assigned address changed, update left= and the PSK line to match
    if ! grep -q "$new_ip_address" /etc/ipsec.conf ; then
        sed -i "s/left=.*/left=$new_ip_address/" /etc/ipsec.conf
        sed -i "s/^.* :/$new_ip_address $VPN_HOST :/" /etc/ipsec.secrets
        #/usr/bin/rc-config restart ipsec
    fi
    #$old_routers is missing so no ip ro del
    #fi
fi
/etc/init.d/strongVpn
Code:
#!/sbin/runscript
#/etc/init.d/strongVpn:
# written by: niv vaizer
# load l2tp setting and connect to strongVpn
# WAN_DEV, VPN_HOST, USERNAME, IFACE (the ppp device) and PID come from /etc/conf.d/strongVpn
#depend() {
#    use net
#}

start() {
    ebegin "Starting strongVpn"
    WAN_IP=$(ifconfig "$WAN_DEV" | sed -rn '/dr:/{s/.*dr:([0-9.]+) .*/\1/;p}' | head -n1)
    # gateway towards the l2tp server: the pinned host route first, else the default route
    WAN_GW_TEMP=$(ip ro | grep "$VPN_HOST" | sed 's/.*via //;s/ dev.*//')
    [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n | grep "^0.*eth" | awk '{ print $2 }')
    [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n | grep "UGH.*eth" | awk '{ print $2 }')
    [ "$WAN_GW_TEMP" != "" ] && WAN_GW=$WAN_GW_TEMP
    /usr/bin/rc-config start ipsec
    /usr/bin/rc-config start xl2tpd
    sleep 3
    ipsec auto --up L2TP-PSK
    sleep 3
    echo "c $USERNAME" > /var/run/xl2tpd/l2tp-control
    sleep 2
    touch "$PID"
    # point the firewall's external interface at the tunnel and reload it if running
    sed -i "s/^EXT_IF=.*/EXT_IF=${IFACE}/" /etc/arno-iptables-firewall/firewall.conf
    /etc/init.d/arno-iptables-firewall status | grep -q started && /usr/bin/rc-config restart arno-iptables-firewall
    /usr/bin/rc-config restart noip
    # push the vpn resolvers; give up after 20 tries (POSIX arithmetic, no bash "let")
    count=0
    while ! [ -f "/var/lib/run/resolvconf/interfaces/$IFACE" ] ; do
        resolvconf -u -a "$IFACE=" < /etc/resolv.conf.strongvpn
        count=$((count + 1))
        [ "$count" -ge 20 ] && break
        sleep 1
    done
    eend $?
}

stop() {
    ebegin "Stopping strongVpn"
    WAN_IP=$(ifconfig "$WAN_DEV" | sed -rn '/dr:/{s/.*dr:([0-9.]+) .*/\1/;p}')
    WAN_GW=$(ip ro | grep "$VPN_HOST" | sed 's/.*via //;s/ dev.*//')
    echo "d $USERNAME" > /var/run/xl2tpd/l2tp-control
    sleep 3
    ipsec auto --down L2TP-PSK
    sleep 2
    /usr/bin/rc-config stop xl2tpd
    /usr/bin/rc-config stop ipsec
    /sbin/resolvconf -u
    # external interface back to the ISP device
    sed -i "s/^EXT_IF=.*/EXT_IF=${WAN_DEV}/" /etc/arno-iptables-firewall/firewall.conf
    /etc/init.d/arno-iptables-firewall status | grep -q started && /usr/bin/rc-config restart arno-iptables-firewall
    /usr/bin/rc-config restart noip
    rm -f "$PID"
    eend $?
}
Last edited by nivw on Mon Jan 24, 2011 7:06 pm; edited 7 times in total

nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Sun Dec 26, 2010 8:48 pm
new issue: how to prevent eth0 dhcp from adding a default route when the dhcp is refreshed?
Bircoph (Developer; joined 27 Jun 2008; posts 261; location: Moscow)
Posted: Mon Dec 27, 2010 9:06 am
nivw wrote:
    new issue: how to prevent eth0 dhcp from adding a default route when the dhcp is refreshed?
This depends on what dhcp client you are using. For dhcpcd use the -G option:
Code:
dhcpcd_eth0="-G -C resolv.conf -h '' -L"
And I recommend you to use openl2tpd instead of xl2tpd, because the first is a kernel-space solution and the second is user-space. CPU load differs by 10-20 times. For the very same reason I recommend you to use racoon instead of openswan.
Per aspera ad astra!
nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Wed Dec 29, 2010 8:42 am
init script fixed.
open issues:
main issue is how to get my ISP default gateway, using dhcp, but not use it as default route, but rather use:
ip ro add $VPN_HOST via $WAN_GW
other issue is also to migrate to openl2tp as suggested.
I just can't find any guide to setup an l2tp CLIENT in gentoo, many guides for servers
nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Wed Dec 29, 2010 9:33 pm
dhcp issue fixed thanks to Roy Marples
nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Sat Jan 01, 2011 8:20 pm
Roy also suggested to change the strategy and use dhcpcd to set up the ppp0 gw as a default with higher metric, and leave the eth0 default gw. also use openresolv to allow both the ISP and the l2tp dns to coexist.
0. use openrc, dhcpcd newest, and openresolv newest
1. remove the wan net. links: unlink /etc/init.d/net.eth0 ; unlink /etc/init.d/net.ppp0
2. edit /etc/dhcpcd.conf:
allowinterfaces eth0,ppp0
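The routing work in this post and in the earlier question about the eth0 default route rests on two invariants: the l2tp server must stay pinned via the ISP gateway on eth0, and the default route the kernel actually prefers (the one with the lowest metric) must be the tunnel device, otherwise traffic leaves the box unencrypted on eth0 whenever the tunnel route loses. This added check, not from the thread, parses `ip route` output and reports which invariant is broken; the addresses and interface names are constructed samples, and `ip route` is never called, so it runs offline.

```shell
# Constructed sample `ip route` tables (RFC 5737 documentation addresses, not from the thread):
# 192.0.2.1 = ISP gateway on eth0, 198.51.100.7 stands in for vpn_host, 10.64.0.1 = ppp0 peer.
GOOD_ROUTES='default via 10.64.0.1 dev ppp0 metric 10
default via 192.0.2.1 dev eth0 metric 200
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
198.51.100.7 via 192.0.2.1 dev eth0
10.64.0.1 dev ppp0 proto kernel scope link src 10.64.0.2'
# The same host after a DHCP renewal replaced the routes: the pinned host route is gone
# (IKE/ESP/L2TP would be routed into the tunnel itself) and eth0 is the only default.
LEAKY_ROUTES='default via 192.0.2.1 dev eth0 metric 200
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.64.0.1 dev ppp0 proto kernel scope link src 10.64.0.2'

# preferred_default_dev ROUTES: device of the lowest-metric default route (no "metric" word = 0).
preferred_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            m = 0; d = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "metric") m = $(i + 1) + 0
                if ($i == "dev") d = $(i + 1)
            }
            if (best == "" || m < bm) { bm = m; best = d }
        }
        END { print best }'
}

# check_vpn_routes ROUTES VPN_HOST WAN_GW WAN_DEV TUN_DEV
# 0: both invariants hold. 1: VPN_HOST is not pinned via WAN_GW on WAN_DEV (tunnel traffic
# has no path outside the tunnel). 2: the preferred default is not TUN_DEV (clear-text leak).
check_vpn_routes() {
    routes=$1 vpn_host=$2 wan_gw=$3 wan_dev=$4 tun_dev=$5
    if ! printf '%s\n' "$routes" | grep -q "^$vpn_host via $wan_gw dev $wan_dev"; then
        echo "FAIL: $vpn_host not routed via $wan_gw on $wan_dev; fix: ip ro add $vpn_host via $wan_gw"
        return 1
    fi
    dev=$(preferred_default_dev "$routes")
    if [ "$dev" != "$tun_dev" ]; then
        echo "FAIL: preferred default route is on ${dev:-none}, not $tun_dev; traffic bypasses the tunnel"
        return 2
    fi
    echo "OK: $vpn_host pinned via $wan_gw, default route via $tun_dev"
}

check_vpn_routes "$GOOD_ROUTES" 198.51.100.7 192.0.2.1 eth0 ppp0
check_vpn_routes "$LEAKY_ROUTES" 198.51.100.7 192.0.2.1 eth0 ppp0 || :   # expected to report a failure
```

On a live system feed it `"$(ip route)"` instead of the constructed tables, for instance from the dhcpcd hook above, and act on the exit code before trusting the tunnel.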
nivw (Apprentice; joined 09 Nov 2005; posts 261)
Posted: Thu Feb 10, 2011 5:43 pm    Post subject: openresolv fix
I found a bug in ppp that is related to openresolv: https://bugs.gentoo.org/show_bug.cgi?id=353045
this fixes the section:
Code:
let count=0
while ! [ -f /var/lib/run/resolvconf/interfaces/$IFACE ] ; do
    resolvconf -u -a $IFACE= </etc/resolv.conf.strongvpn
    let count++
    [ $count -ge 20 ] && break
    sleep 1
done
and you can remove it