Ubuntu VPN L2TP/IPSec

Environment for this script:
Supported systems: CentOS 6+, Debian 7+, Ubuntu 12+
Memory requirement: ≥128 MB


About this script:
The terms used below:
L2TP (Layer 2 Tunneling Protocol)
IPSec (Internet Protocol Security)
IKEv2 (Internet Key Exchange v2)
There are currently three IPsec implementations to choose from: openswan, libreswan and strongswan.
Libreswan started as a fork of openswan, which is why openswan has almost disappeared from the distributions; strongswan is the other option that remains.

The L2TP one-click installation script was updated because, as the Linux distributions kept releasing new versions, the original scripts no longer fit current needs.
This script compiles and installs the latest libreswan to provide IPSec (on CentOS 7 everything is installed with yum), installs xl2tpd with yum or apt-get, and then deploys firewall rules according to how each distribution manages them.

A VPS based on OpenVZ virtualization needs TUN/TAP enabled before it can be used at all; when buying a VPS, ask the provider whether TUN/TAP can be enabled.

An OpenVZ VPS also depends on the host kernel supporting IPSec.
Installing this script on an OpenVZ VPS is not recommended.

How to check whether the TUN module is supported?
Run the command:
cat /dev/net/tun
If it returns: cat: /dev/net/tun: File descriptor in bad state, the module is available.

How to check whether the ppp module is supported?
Run the command:
cat /dev/ppp
If it returns: cat: /dev/ppp: No such device or address, the module is available.
The script also performs these checks during installation and warns you if the system is not suitable.

Installation method:
Log in as root and run the following commands:

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh
chmod +x l2tp.sh
./l2tp.sh

After execution, the following interactive prompts appear.

Please input IP-Range:
(Default Range: 192.168.18):
Enter the local IP range (the private address range from which clients get an address after connecting to the VPS); pressing Enter uses the default value 192.168.18.

Please input Username:
(Default Username: teddysun):
Username is the name of the first (default) user; pressing Enter uses the default value teddysun.

Please input teddysun’s password:
(Default Password: Q4SKhu2EXQ):
Enter the user's password. By default a random 10-character password of uppercase and lowercase letters and digits is generated; you can also specify your own.

Press any key to start…or Press Ctrl+c to cancel
Press any key to continue, or press Ctrl+C to cancel the installation.

After the installation completes, the script runs the ipsec verify command and shows its output.

Export the iptables settings:

sudo sh -c "iptables-save > /etc/network/iptables.up.rules"

Edit the settings:

sudo vi /etc/network/iptables.up.rules

Change the external (public) IP in the SNAT rule to the internal (intranet) IP of the VPS:

-A POSTROUTING -s 192.168.18.0/24 -j SNAT --to-source <Intranet ip>

Apply the rules:

sudo iptables-apply
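A small helper for the SNAT adjustment above, added here as an example (it is not part of the l2tp.sh script): it reports which address the script's SNAT rule currently translates to and rewrites it to the address actually bound on the VPS interface, which is the one the provider's NAT expects on a cloud VPS whose NIC holds only a private address. The interface name eth0 and the addresses in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: fix the --to-source of the L2TP SNAT rule in the exported
# iptables file. On a NAT'd cloud VPS the NIC only holds the private address,
# so SNAT must use that address rather than the public one.

# Constructed sample of the relevant part of /etc/network/iptables.up.rules;
# 203.0.113.10 (documentation range) stands in for a public address.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.18.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# snat_target RULES: print the address the 192.168.18.0/24 SNAT rule maps to
snat_target() {
  printf '%s\n' "$1" | sed -nE \
    's#^-A POSTROUTING -s 192\.168\.18\.0/24 -j SNAT --to-source ([0-9.]+).*#\1#p' \
    | head -n 1
}

# rewrite_snat RULES NEW_IP: same text with that rule's --to-source replaced;
# every other line is passed through unchanged
rewrite_snat() {
  printf '%s\n' "$1" | sed -E \
    "s#^(-A POSTROUTING -s 192\.168\.18\.0/24 -j SNAT --to-source )[0-9.]+#\1$2#"
}

# primary_ipv4 IFACE: first IPv4 address bound on IFACE (eth0 is assumed below)
primary_ipv4() {
  ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Workflow on the VPS (commented out so the block runs anywhere):
#   RULES=/etc/network/iptables.up.rules
#   NEW_IP=$(primary_ipv4 eth0)
#   [ "$(snat_target "$(cat "$RULES")")" = "$NEW_IP" ] && echo "already correct"
#   rewrite_snat "$(cat "$RULES")" "$NEW_IP" > /tmp/rules.new
#   diff "$RULES" /tmp/rules.new          # review: exactly one line should differ
#   sudo cp /tmp/rules.new "$RULES" && sudo iptables-apply

# Demonstration on the constructed sample
echo "current target: $(snat_target "$SAMPLE_RULES")"
rewrite_snat "$SAMPLE_RULES" 10.0.0.5
```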

To manage users, use the following commands:
l2tp -a  add a user
l2tp -d  delete a user
l2tp -m  change the password of an existing user
l2tp -l  list all user names and passwords
l2tp -h  show help

Other notes:

  1. After installation the services are started automatically and enabled at boot.
  2. The script rewrites the iptables or firewalld rules.
  3. The installation log is written to /root/l2tp.log as the script runs; if the installation fails, check this file for the error message.

Useful commands:
ipsec status (View IPSec running status)
ipsec verify (View IPSec check results)
/etc/init.d/ipsec start|stop|restart|status (used under CentOS6)
/etc/init.d/xl2tpd start|stop|restart (used under CentOS6)
systemctl start|stop|restart|status ipsec (used under CentOS7)
systemctl start|stop|restart xl2tpd (used under CentOS7)
service ipsec start|stop|restart|status (used under Debian/Ubuntu)
service xl2tpd start|stop|restart (used under Debian/Ubuntu)

Connection failures

Windows

1. Windows 10: the L2TP connection attempt failed with the error "the security layer encountered a processing error when initializing the negotiation with the remote computer".

Open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

On the "Edit" menu, click "New" -> "DWORD Value"
In the "Name" box, type "AllowL2TPWeakCrypto"
In the "Value data" box, type "1", and then click "OK"
(This value makes the Windows client accept the weak algorithms, MD5 and DES, that it otherwise refuses for L2TP/IPsec.)

Open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

On the "Edit" menu, click "New" -> "DWORD Value"
In the "Name" box, type "ProhibitIpSec"
In the "Value data" box, type "1", and then click "OK"
(With ProhibitIpSec set to 1, Windows no longer creates the automatic IPsec policy for L2TP, so the tunnel runs as plain L2TP without IPsec encryption.)

2. L2TP error 809: Windows 10 reports that L2TP is not allowed through a firewall or other device

Three services need to be running: "Remote Access Auto Connection Manager", "Remote Access Connection Manager" and "Secure Socket Tunneling Protocol Service".

3. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This may not connect the computer…

Run in CMD:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f
(Value 2 tells the Windows IPsec client to use UDP encapsulation, NAT-T, when both the client and the server sit behind NAT; value 1 covers only a server behind NAT.)

4. Delete the WAN Miniport (IP) device, then restart the system.

macOS

Error: the L2TP VPN server is not responding, please try to connect again.

sudo vim /etc/ppp/options
plugin L2TP.ppp
l2tpnoipsec
(Add these two lines to /etc/ppp/options. The l2tpnoipsec option makes the macOS client skip IPsec, so the connection is plain L2TP without encryption.)

References / reprinted from:

https://www.cnblogs.com/wangyang0210/p/14713594.html

https://blog.csdn.net/weixin_33940102/article/details/92636184

https://my.oschina.net/vcship/blog/1621796
