Install L2TP/IPSEC and PPTP Server On Ubuntu(14.04) Server

I have a Linode VPS with 1TB monthly bandwidth limitation for daily Linux and other usage. This Guide will walk you through the process of installing a L2TP VPN Server on Ubuntu Server 14.04.

  1. Install xl2tpd, openswan and ppp:
sudo apt-get --no-install-recommends install xl2tpd openswan ppp pptpd
  1. After all apps installed we need to conifuguration the system and apps to make all services run well as we wish. First, we need to set the firewall and make the kernel forward the ip packet. For l2tp/ipsec:
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

For pptp:

iptables -A FORWARD -p tcp --syn -s -j TCPMSS --set-mss 1356

eth0 is the network interface with public ip. is the ip range vpn we want the client to use when connected. You can use any private network ip address you want. Remember to make this different from your local network ip address.

  1. Second, we will disable accept_redirects and send_redirects to disable the kernel ICP redirects:
    for each in /proc/sys/net/ipv4/conf/*
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
  1. Finally, we will enable the ip packet forwarding and disable the kernel ICP redirects for boot by adding the following lines at the end of /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Note: We can create a customized init script to do the 1st and 2nd steps automatically with the following steps:
1). Create a customized service script /etc/init.d/vpn(You can use any file name here):

# Customized startup script for L2TP/IPSec, PPTP
# Provides:
# Required-Start:    $network $remote_fs $syslog $named
# Required-Stop:     $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Openswan IPsec and pptpd at boot time
# Description:       Customized start script to start ipsec, xl2tpd and pptpd

case "$1" in
    echo "Starting L2TP/Ipsec,PPTP VPN Service"
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
    iptables -A FORWARD -p tcp --syn -s -j TCPMSS --set-mss 1356
    for each in /proc/sys/net/ipv4/conf/*
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
    /etc/init.d/pptpd start

    echo "Stopping L2TP/Ipsec,PPTP VPN Service"
    iptables --table nat --flush
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
    /etc/init.d/pptpd stop
    echo "Restarting L2TP/Ipsec,PPTP VPN Service"
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
    iptables -A FORWARD -p tcp --syn -s -j TCPMSS --set-mss 1356
    for each in /proc/sys/net/ipv4/conf/*
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart    
    /etc/init.d/pptpd restart

    echo "Usage: /etc/init.d/vpn  {start|stop|restart}"
    exit 1

This script will update the firewall settings when you startup the ipsec, xl2tpd and pptpd services. You need add executive permission to this file:

sudo chmod 755 vpn

2). And then replace the default ipsec, xl2tpd and pptpd init script with this customized script:

update-rc.d -f ipsec remove
update-rc.d -f xl2tpd remove
update-rd.d -f pptpd remove
update-rc.d vpn defaults
  1. Now we can configure pptpd, xl2tpd, and p2tpd separately. For pptp, we just need to configure the /etc/pptpd.conf with the getway IP and client IP range:

localip: Server IP, served as the pptp server gateway IP.
remoteip: The IP range server assigned when an client connected, must be an subset of the IP range configured in the iptabs configuration section.

  1. Configure ipsec by editting the /etc/ipsec.conf configuration file. Here is an entire configuration template, just replace the ***.***.***.*** with your server IP.
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    # OE is now off by default. Uncomment and change to on, to enable.
    # which IPsec stack to use. auto will try netkey, then klips then mast
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)

conn L2TP-PSK-noNAT
        #shared secret. Use rsasig for certificates.

        #Disable pfs

        #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

        #Only negotiate a conn. 3 times.


        # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.

        #because we use l2tp as tunnel protocol

        #fill in server IP above


        # Dead Peer Dectection (RFC 3706) keepalives delay
        #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
        # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
  1. Configure the ipsec pre-shared key, the configuration file is /etc/ipsec.secrets:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host which knows
# the public part.  Suitable public keys, for ipsec.conf, DNS, or configuration
# of other implementations, can be extracted conveniently with "ipsec
# showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/
***.***.***.***  %any:   PSK     "some-psk-string"

In the configuration file, ****.***.***.*** is the server public IP and some-psk-string is your customized psk.

  1. Configure xl2tpd, use your favorite editor to edit the /etc/xl2tpd/xl2tpd.conf file by repacing all the content with the following lines:
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range =
local ip =
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
  1. Configure ppp by replacing the content of /etc/ppp/options.xl2tpd with the following lines with your favorite editor:
mtu 1200
mru 1000
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
  1. Add user, all the users are defied in /etc/ppp/chap-secrets. Here is an example configuration:
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
user  *   passwd  *

user = username for the user.
server = the name we define in the ppp.options file for xl2tpd.
passwd = password for the user.
IP Addresses = leave to * for any address or define addresses from were a user can login.

  1. All done, now start and test the service
sudo service vpn restart 

If every thing goes well, you will see the following outputs

Restarting L2TP/Ipsec,PPTP VPN Service
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.15.4-x86_64 ...
Restarting xl2tpd: xl2tpd.
 * Restarting PoPToP Point to Point Tunneling Server pptpd               [ OK ]

Now read this

PAC File and Proxy Auto Switch for Firefox IE11 and Chrome

I’m using my working laptop after work at home currently before my PC DIY finished and new RMBP reveled. At work we need to access internet via internal proxy servers and after work just connect laptop directly to the wireless router to... Continue →