How to get L2TP working from the Linux command line

Background

This article explains how to get xl2tpd, an L2TP daemon that hands each tunnel to pppd, working on Linux from the command line. This is useful in a server environment where one server needs to connect to another over L2TP. Note that L2TP by itself is only a tunnel: the configuration below carries PPP over plain UDP port 1701 with no encryption or integrity protection, so across an untrusted network it must run inside IPsec (L2TP/IPsec) or be treated as cleartext.

If you’re using a Linux desktop based on Ubuntu, e.g. Linux Mint, you can use the built-in NetworkManager to connect to a VPN. To bring up a VPN connection that is already defined in NetworkManager from the command line, use:

nmcli con up id ConnectionName

Note that NetworkManager may store the VPN password in clear text in the connection profile under /etc/NetworkManager/system-connections/, so that directory must stay readable by root only (its default).

Install the Software

SSH to the server (or work directly on the local machine).

Elevate to superuser:

sudo -i

Install both packages:

apt install -y xl2tpd ppp

or, on RHEL/CentOS (xl2tpd is in the EPEL repository, so enable it first):

yum install xl2tpd ppp

Configuration Files (there are two)

Back up the shipped configuration by renaming it. The sample file documents many options a client does not need, and it is less confusing to start from a minimal file:

mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.backup

Create a fresh new configuration file:

vi /etc/xl2tpd/xl2tpd.conf

The contents of this new file should look like this. myvpn is the name of the LAC section, and the connect command later refers to it. name is the identifier xl2tpd presents to the LNS for the tunnel itself, lns is the server to dial, and the PPP user name and password that the server actually checks go in the pppoptfile:

[lac myvpn]
name = l2tp_user_name
lns = l2tp_server_domain_or_ip
pppoptfile = /etc/ppp/peers/myvpn.xl2tpd
ppp debug = no

Next create the PPP options file referred to by pppoptfile. It holds the password in clear text, so create it as root with permissions 0600 (readable by root only). unit 0 pins the interface name to ppp0, which the troubleshooting steps below rely on; noauth means pppd will not demand that the server authenticate itself to us, while user and password are what we send when the server asks (CHAP in the log excerpts below); persist with maxfail 5 makes pppd redial up to five times before giving up:

vi /etc/ppp/peers/myvpn.xl2tpd

remotename myvpn
user "username"
password "secret"
unit 0
nodeflate
nobsdcomp
noauth
persist
nopcomp
noaccomp
maxfail 5
debug

Starting the service and connecting the VPN

Start the service. Whenever you change credentials or either configuration file, restart it so xl2tpd re-reads them:

systemctl start xl2tpd

Connect:

sh -c 'echo "c myvpn" > /var/run/xl2tpd/l2tp-control'

Checking if the service is running

Here are two methods to see if the service is running:

> netstat -tuln | grep 1701
udp        0      0 0.0.0.0:1701            0.0.0.0:* 

Or

systemctl status xl2tpd

Troubleshooting tips

Run ifconfig or ip addr and look for ppp0 (the unit 0 line in the options file fixes the interface name). No ppp0 means pppd never completed the link, so check the log.

Checking the log file

tail -f /var/log/syslog | grep pppd

How to add a VPN route

route add -host 192.168.8.20 dev ppp0
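The connect step, the ppp0 check and the route step above put together as one script, as an added example that is not from the original article: it refuses to connect while the peers file (which holds the clear-text password) is readable by anyone but its owner, writes the same c myvpn command to the control file, waits for ppp0 to get an address, and then adds the host routes with ip route replace so that re-running it is harmless. The file names and the LAC name are the article's; the ROUTES list, the 20-second timeout and the environment-variable overrides are my assumptions. Disconnecting writes d myvpn, the control command xl2tpd pairs with c.

```shell
#!/bin/sh
# Added example (not part of the original article): wrapper around the
# xl2tpd control file that enforces the peers-file permissions, connects,
# waits for the PPP interface and adds routes. Defaults are the names used
# in the article; the ROUTES list and the timeout are assumptions. Assumes
# Linux with iproute2 and xl2tpd's default control file location.
set -u

PEER_FILE=${PEER_FILE:-/etc/ppp/peers/myvpn.xl2tpd}
CONTROL=${CONTROL:-/var/run/xl2tpd/l2tp-control}
LAC=${LAC:-myvpn}
IFACE=${IFACE:-ppp0}
ROUTES=${ROUTES:-192.168.8.20}   # space-separated hosts/prefixes to send over the link

# The one-line command xl2tpd reads from its control file:
# "c <lac>" connects the named LAC section, "d <lac>" disconnects it.
control_msg() {
    case "$1" in
        connect)    printf 'c %s\n' "$2" ;;
        disconnect) printf 'd %s\n' "$2" ;;
        *) echo "control_msg: unknown action '$1'" >&2; return 1 ;;
    esac
}

# 0 if FILE exists and has no group/other permission bits (e.g. mode 0600).
# The peers file carries the password, so anything looser leaks it.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Poll until IFACE has an IPv4 address or TIMEOUT seconds have passed.
wait_for_iface() {
    n=0
    while [ "$n" -lt "$2" ]; do
        if ip -o -4 addr show dev "$1" 2>/dev/null | grep -q ' inet '; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Host routes over the PPP link; "replace" makes repeated runs idempotent.
add_routes() {
    iface=$1
    shift
    for dst in "$@"; do
        ip route replace "$dst" dev "$iface" || return 1
    done
}

case "${1-}" in
    connect)
        [ -w "$CONTROL" ] || { echo "$CONTROL missing: is xl2tpd running?" >&2; exit 1; }
        secret_file_ok "$PEER_FILE" ||
            { echo "refusing: $PEER_FILE is readable by group/other; chmod 600 it" >&2; exit 1; }
        control_msg connect "$LAC" > "$CONTROL"
        wait_for_iface "$IFACE" 20 ||
            { echo "$IFACE did not come up within 20s; check syslog for pppd" >&2; exit 1; }
        add_routes "$IFACE" $ROUTES   # unquoted on purpose: split on spaces
        ip -4 addr show dev "$IFACE"
        ;;
    disconnect)
        control_msg disconnect "$LAC" > "$CONTROL"
        ;;
    '')
        : ;;   # no action requested; the functions above are just defined
    *)
        echo "usage: $0 connect|disconnect" >&2; exit 2 ;;
esac
```

Run it as root: sh l2tp-up.sh connect, and later sh l2tp-up.sh disconnect. The permission check is deliberate: pppd reads the password from that file, and a group- or world-readable peers file is the usual way VPN credentials leak on a shared server.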

Errors

Unauthorized remote IP address
Feb 10 16:28:53 host01 pppd[1038040]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]

Check for noipdefault

vi /etc/ppp/options

Look for this and uncomment it:

# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
noipdefault

Checking remote username and password

If you also run the remote VPN server, log in there and check that the user name and, where one is pinned, the client IP address in chap-secrets match what the client sends:

cat /etc/ppp/chap-secrets

Just one connection allowed

Your L2TP server might allow only one session per account. Disconnect the existing session first (write d myvpn to the control file, the counterpart of the c myvpn connect command) and try again.

Routing

You might have to add a route for the remote host over the PPP link. The gateway is the peer address pppd assigned on ppp0 (shown by ip addr), 10.0.10.1 in this example:

ip route add 172.168.1.42 via 10.0.10.1 dev ppp0

Route not found

When you do this:

# route add -host 172.168.1.42 dev ppp0

Command ‘route’ not found, but can be installed with:

route belongs to net-tools, which newer distributions no longer install by default. Either install it, or use the ip route form shown above:

apt install net-tools

Password Errors

A wrong user name or password shows up as a CHAP failure in the log:

May 20 05:36:13 hv7 pppd[2090478]: sent [LCP EchoReq id=0x0 magic=0x3541b8c1]
May 20 05:36:13 hv7 pppd[2090478]: rcvd [CHAP Challenge id=0x72 <a0024cc7e81e087501fe613fb8d4755c3d2d60c88610be>, name = "l2tpd"]
May 20 05:36:13 hv7 pppd[2090478]: sent [CHAP Response id=0x72 <eede46c2d4780d64d23c5f8865c3a5ac>, name = "YOUR_USERNAME"]
May 20 05:36:13 hv7 pppd[2090478]: rcvd [LCP EchoRep id=0x0 magic=0x2897188]
May 20 05:36:13 hv7 pppd[2090478]: rcvd [CHAP Failure id=0x72 "Access denied"]
May 20 05:36:13 hv7 pppd[2090478]: CHAP authentication failed: Access denied
May 20 05:36:13 hv7 pppd[2090478]: CHAP authentication failed
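The failure modes in this Errors section as a small triage filter over pppd's syslog lines, an added example rather than anything from the original article. The CHAP and IPCP patterns are the ones quoted on this page; the LCP timeout pattern is not on the page but is pppd's message when no peer ever answers, i.e. when the L2TP tunnel itself never came up. The sample lines in the --demo branch are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example (not from the original article): classify pppd syslog lines
# into the failure modes discussed in the Errors section and print one
# suggested fix per distinct problem. Reads lines on stdin; exits 0 when at
# least one known failure was seen, 1 otherwise. The LCP timeout pattern is
# an addition not quoted on the page.

diagnose_pppd_log() {
    seen=""
    while IFS= read -r line; do
        case "$line" in
            *"CHAP authentication failed"*|*"CHAP Failure"*)
                key=chap
                msg="CHAP failure: wrong user or password; compare the user and password lines in the peers file with the server's chap-secrets" ;;
            *"Unauthorized remote IP address"*)
                key=ipcp
                msg="IPCP rejected our address: enable noipdefault in /etc/ppp/options so the server assigns it" ;;
            *"LCP: timeout sending Config-Requests"*)
                key=lcp
                msg="LCP timeout: no PPP peer answered, so the L2TP tunnel is not up (check lns= and UDP/1701 reachability)" ;;
            *) continue ;;
        esac
        # pppd repeats the same complaint; report each problem once
        case " $seen " in *" $key "*) continue ;; esac
        seen="$seen $key"
        printf '%s\n' "$msg"
    done
    [ -n "$seen" ]
}

if [ "${1-}" = "--demo" ]; then
    # Constructed sample, assembled from the log excerpts quoted in the article.
    printf '%s\n' \
      'May 20 05:36:13 hv7 pppd[2090478]: rcvd [CHAP Failure id=0x72 "Access denied"]' \
      'May 20 05:36:13 hv7 pppd[2090478]: CHAP authentication failed: Access denied' \
      'Feb 10 16:28:53 host01 pppd[1038040]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]' |
    diagnose_pppd_log
elif [ "${1-}" = "-" ]; then
    diagnose_pppd_log            # read the log from stdin
elif [ -n "${1-}" ]; then
    diagnose_pppd_log < "$1"     # read the log from a file
fi
```

Pipe the log through it: grep pppd /var/log/syslog | sh pppd-triage.sh -, or pass a saved log file as the argument. Each problem is reported once even though pppd logs it several times, and the exit status is 0 only when something was recognised, so the script can gate a retry loop.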
