L2TP VPN on Debian

by xoyohome

						#! /bin/bash

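# <UDF name="PSK" Label="PSK" default="BK201" example="BK201" />
# <UDF name="IPRANGE" Label="IP Range" default="10.10.10" example="10.10.10" />
# <UDF name="USERNAME" Label="Username" />
# <UDF name="PASSWORD" Label="Password" />

# Unattended IPsec/L2TP VPN install (strongSwan + xl2tpd + pppd) for a fresh
# Debian host. The four UDF values above arrive as environment variables; the
# platform default for PSK is only an example value, so a real PSK should be
# entered at deploy time. Runs once as root; every step writes a system file,
# runs apt, or restarts a service.
set -eu

# Print a message to stderr and stop the deployment.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Refuse to continue when a UDF value is missing or empty, instead of
# silently writing an empty PSK, user or password into the secrets files.
: "${PSK:?PSK must be set}"
: "${IPRANGE:?IPRANGE must be set}"
: "${USERNAME:?USERNAME must be set}"
: "${PASSWORD:?PASSWORD must be set}"
# IPRANGE is the first three octets of the client /24 (e.g. 10.10.10). It is
# spliced into xl2tpd.conf and into an iptables -s match, so reject anything else.
[[ "$IPRANGE" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] \
  || die "IPRANGE must be three dotted octets (got '$IPRANGE')"

# Get IP address: first global-scope IPv4 address from iproute2. The former
# `ifconfig | grep 'inet addr:'` pipeline matches nothing on net-tools >= 2.0
# output, and ifconfig is not installed by default on recent Debian images.
IP=$(ip -o -4 addr show scope global | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')
[[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || die "could not determine the host IPv4 address (got '$IP')"

# Install L2TP; noninteractive so a debconf prompt cannot stall the deploy.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y upgrade
apt-get -y install ppp strongswan xl2tpd

# set up options.xl2tpd (quoted delimiter: nothing in this block is expanded)
cat > /etc/ppp/options.xl2tpd <<'END'
name l2tp
auth
require-mschap-v2
ms-dns 8.8.4.4
ms-dns 8.8.8.8
idle 1800
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
lcp-echo-interval 5
lcp-echo-failure 5
END

# set up xl2tpd.conf: the server takes .1, clients get .2-.254 of the /24
cat > /etc/xl2tpd/xl2tpd.conf <<END
[global]
[lns default]
local ip = $IPRANGE.1
ip range = $IPRANGE.2-$IPRANGE.254
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = l2tp
END

# set up ipsec.conf: IKEv1 + PSK connection for L2TP (UDP/1701) from any peer.
# NOTE(review): the plutodebug/plutostart/charonstart/nat_traversal keys are
# strongSwan 4.x settings; confirm they are still honoured by the strongswan
# version the apt run above installs.
cat > /etc/ipsec.conf <<END
config setup
        plutodebug=control
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn l2tp
        leftfirewall=yes
        pfs=no
        rekey=no
        left=$IP
        leftprotoport=17/1701
        rightsubnetwithin=0.0.0.0/0
        right=%any
        rightprotoport=17/%any
        dpdaction=clear
        auto=add

END

# Secrets are written with printf '%s' rather than an unquoted heredoc, so a
# PSK or password containing $, ` or \ is stored literally instead of being
# expanded by the shell, and are created root-only: the previous rm + cat
# recreated them world-readable under the default umask. Values containing
# whitespace or a double quote are not quoted here, as before.
umask 077
printf '%s %%any : PSK "%s"\n' "$IP" "$PSK" > /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets
printf '%s  l2tp  %s  *\n' "$USERNAME" "$PASSWORD" > /etc/ppp/chap-secrets
chmod 600 /etc/ppp/chap-secrets

# set up forwarding and NAT. Only traffic from the VPN client range is SNATed;
# the previous rule had no -s match and rewrote every forwarded packet.
nat_rule=(iptables -t nat -A POSTROUTING -s "$IPRANGE.0/24" -j SNAT --to-source "$IP")
echo 1 > /proc/sys/net/ipv4/ip_forward
"${nat_rule[@]}"

# Persist forwarding and NAT across reboots in the same file the original
# script appended to; printf %q keeps the rule's quoting intact.
# NOTE(review): confirm /etc/init.d/rc.local is still executed at boot on the
# target Debian release.
{
  printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
  printf '%q ' "${nat_rule[@]}"
  printf '\n'
} >> /etc/init.d/rc.local

# restart service: done last so forwarding and NAT are already in place when
# the first client connects.
service ipsec restart
service xl2tpd restart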