Ubuntu 16.04 builds L2TP VPN Server in three minutes

1. Install openswan

sudo apt-get install openswan

If the error "Package 'openswan' has no installation candidate" appears, run the following commands; if the installation then succeeds, skip directly to step 2.

sudo vi /etc/apt/sources.list.d/lzu.list
# Create a new package source

Paste the following code into the lzu.list file

deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse

Update the package lists

sudo apt-get update

Install openswan

sudo apt-get install openswan
# A dialog appears during installation: select NO and press Enter

2. Install xl2tpd and configure IPSec service

sudo apt-get install xl2tpd

Modify the /etc/ipsec.conf configuration file

sudo vi /etc/ipsec.conf

Paste the following content into the ipsec.conf file

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        oe=off
        protostack=netkey
 
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace with the public IP address of your server
        left=x.x.x.x
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        forceencaps=yes

conn passthrough-for-non-l2tp
        type=passthrough
        left=$IP
        leftnexthop=$GATEWAY
        # Change the following to the IP of your host's Ethernet interface
        right=x.x.x.x
        # Change the following to the gateway address of that IP's subnet, e.g. 199.12.25.1/24
        rightsubnet=x.x.x.1/23
        auto=route

Be sure to change the IP addresses and the gateway wherever the # comments indicate.

Modify the file /etc/ipsec.secrets

sudo vi /etc/ipsec.secrets

Fill in the configuration

*Here x.x.x.x is replaced with the public IP address of your server, and the password inside the quotes is replaced with a password of your own choosing; the client will need it when connecting.

x.x.x.x  %any: PSK "mima1234567890"

After saving, run the following to adjust the network settings so that IPsec works properly

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

Start the IPsec service and check that IPsec is working properly

sudo /etc/init.d/ipsec start
# Use the following command to confirm that ipsec is working properly
sudo ipsec verify
# Note: as long as no line reports FAILED, you are fine

If ipsec verify reports an error, apply the matching fix below

# Error 1: Checking /bin/sh is not /bin/dash   [WARNING]  -> run the following command
sudo dpkg-reconfigure dash
# Follow the prompt and select No


# Error 2: pluto is running [FAILED]
sudo /etc/init.d/ipsec start


# Error 3: NETKEY: Testing XFRM related proc values [FAILED]
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done


# Error 4: Pluto listening for IKE on udp 500 [FAILED]
apt-get install lsof


# Error 5: Hardware RNG detected, testing if used properly            [FAILED]
sudo apt-get install rng-tools

Modify the /etc/xl2tpd/xl2tpd.conf configuration

sudo vi /etc/xl2tpd/xl2tpd.conf

Paste the following

[global]
ipsec saref = yes

[lns default]
ip range = 10.10.20.100-10.10.20.254
local ip = 10.10.20.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Modify the PPP configuration

sudo vi /etc/ppp/options.xl2tpd

Write the following

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1404
mru 1404

Add a user

sudo vi /etc/ppp/chap-secrets

Fill in the username and password the client will use

yonghuming * mima1234567890 *
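The two secrets files edited in this step and the redirect settings disabled above are the parts of this setup most worth double-checking before starting the VPN. The script below is an added example, not part of the original post: it treats the tutorial's placeholder values (x.x.x.x and mima1234567890) as values that must have been replaced, takes file and directory paths as arguments so it can be run against the real files or copies, and adds a file-permission check the tutorial itself does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files
# this tutorial has you edit. Usage with the tutorial's own paths:
#   check_psk_file /etc/ipsec.secrets && check_private /etc/ipsec.secrets
#   check_chap_file /etc/ppp/chap-secrets && check_private /etc/ppp/chap-secrets
#   check_redirects /proc/sys/net/ipv4/conf

# The PSK line in ipsec.secrets: the server IP is no longer the x.x.x.x
# placeholder, and the quoted PSK is neither the tutorial's sample value
# nor shorter than 20 characters.
check_psk_file() {
    line=$(grep -E '^[^#]*:[[:space:]]*PSK' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    ip=$(printf '%s\n' "$line" | awk '{print $1}')
    psk=$(printf '%s\n' "$line" | sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p')
    [ "$ip" != "x.x.x.x" ] && [ "$psk" != "mima1234567890" ] && [ "${#psk}" -ge 20 ]
}

# chap-secrets: at least one user line, every non-comment line has the four
# fields (user server password ip) and none keeps the sample password.
check_chap_file() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        NF != 4 || $3 == "mima1234567890" { bad = 1 }
        END { exit (bad || NR == 0) ? 1 : 0 }'
}

# Both secrets files hold credentials in clear text: group and other
# permission bits must all be unset (mode 600 or stricter).
check_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The redirect settings the tutorial turns off, under a conf directory such
# as /proc/sys/net/ipv4/conf: every accept_redirects and send_redirects
# entry must read 0, otherwise the loop above did not take effect.
check_redirects() {
    for f in "$1"/*/accept_redirects "$1"/*/send_redirects; do
        [ -f "$f" ] || return 1
        [ "$(cat "$f")" = "0" ] || return 1
    done
}
```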

3. Set up forwarding

sudo vi /etc/sysctl.conf
# Find the following line and remove the leading # to uncomment it
net.ipv4.ip_forward=1

Apply the configuration

sysctl -p

Allow the GRE protocol and ports 1723 and 47

sudo iptables -A INPUT -p gre -j ACCEPT 
sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT 
sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT 

Enable NAT forwarding

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
# Note: ens3 is the interface name on this machine and differs between machines; run ifconfig in a terminal to see which interface is connected and what it is called

4. Start the VPN

sudo /etc/init.d/xl2tpd restart 

Origin http://43.154.161.224:23101/article/api/json?id=324393982&siteId=291194637