* Home :: Get a random password :: Get a multi-word password :: What is my IP? (v4 | v6)
* My projects

Quick L2TP server on Linux

Tags: howto,vpn,l2tp

Date: 20230126

L2TP is a layer 2 tunneling implementation. In the wild it's often paired with IPSec, for security, but it can be useful even on its own.

Before we start, it's good to note that L2TP provides NO SECURITY. It just channels traffic, so it is still prone to inspection, manipulation, interception and so on.
However.. with most protocols nowadays being encrypted (think HTTPS etc), this is less of a problem than it used to be.

If for whatever reason you need a quick and dirty VPN server, this article is for you!

I'm using Debian in this example, but you can use any distro and just adjust the right paths and so on.

Let's start!

1. Install the required package:

apt -y install xl2tpd

# it will start automatically, so let's stop it for now:

service xl2tpd stop

2. Configure it:

# create a basic config file, modify the IP range to suit your needs

mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.orig

cat << 'EOF' > /etc/xl2tpd/xl2tpd.conf
[global]                                                                ; Global parameters:
[lns default]                                                   ; Our fallthrough LNS definition
ip range =       ; * Allocate from this IP range
local ip =                           ; * Our local IP to use
length bit = yes                                                ; * Use length bit in payload?
require chap = yes                                      ; * Require CHAP auth. by peer
refuse pap = yes                                                ; * Refuse PAP authentication
require authentication = yes                    ; * Require peer to authenticate
ppp debug = yes                                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file

touch /etc/ppp/options.l2tpd.lns

3. Add your users to /etc/ppp/chap-secrets. Here's how mine looks:

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
"User1"      "*"     "Super-Secure-Password-???"             "*"

4. Enable and start the xl2tpd server, you're almost done!

systemctl enable --now xl2tpd

5. The L2TP side of things is done, but you'll still need a few more bits to get it to actually work, in this case NAT so we can reach the internet from the clients via the VPN.
This is optional and depends on your circumstances.

I don't have iptables installed and set up, so let's do that:

apt -y install iptables iptables-persistent
# I assume your WAN interface is eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
systemctl enable netfilter-persistent

# and let's also set up IP forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Now you are done! Try to connect to your new L2TP VPN.
(c)The Nux(tm) ;-)

No CSS, no Javascript, no some HTML.
No ads, no tracking, no cookies.