Create L2TP IPSec VPN service with Debian & Raspberry - shenhaoyu/AnyGW GitHub Wiki
This tutorial sets up an L2TP/IPsec VPN service on a Debian server with a Raspberry Pi as the client (iPad and Android clients were also tested). Some performance tuning (the MTU/MSS settings below) was needed to get acceptable 720p video over a cross-country link.
Install necessary packages
# As root: the IKE/IPsec daemon (strongSwan), the L2TP daemon (xl2tpd) and the ufw firewall front end.
apt-get install strongswan xl2tpd ufw
/etc/ipsec.conf
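# Transport-mode IPsec SA protecting L2TP (UDP 1701) between this host and any client.
# Parameter lines must be indented to belong to the conn section (the wiki paste lost the indent).
conn anygw
# Silently tear the SA down when dead-peer detection finds the client gone.
    dpdaction=clear
# Pre-shared-key authentication; the key itself lives in /etc/ipsec.secrets.
    authby=secret
# Load the conn and wait for clients to initiate (this host is the responder).
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
# Only AES is offered. 3des-sha1 was removed: 3DES has a 64-bit block and is
# exposed to Sweet32-style birthday attacks on long-lived SAs, and none of the
# clients listed on this page (Raspberry Pi, iPad, Android) need it.
# No DH group is listed, so strongSwan's version-dependent default applies —
# TODO confirm with `ipsec statusall`; if a client fails in IKE phase 1, append
# the group it proposes explicitly (e.g. -modp1024 for older mobile clients).
    ike=aes256-sha1,aes128-sha1
    esp=aes256-sha1,aes128-sha1
# Transport mode: only the L2TP packets between the two endpoints are protected.
    type=transport
    left=<local ip>
    leftprotoport=17/1701
# Any client address and any client source port (needed for clients behind NAT).
    right=%any
    rightprotoport=17/%any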
/etc/ipsec.secrets
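# PSK for the anygw conn. <local ip> must equal left= in ipsec.conf; %any means every
# client shares this one key. Use a long random value (e.g. `openssl rand -base64 32`),
# never a dictionary word: anyone who knows or guesses the PSK can establish the IPsec
# SA and then attack the CHAP login directly. Keep this file mode 0600, root-owned.
<local ip> %any : PSK "<long random pre-shared key>"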
/etc/xl2tpd/xl2tpd.conf
; Daemon-wide settings.
[global]
; No per-address allow list: any peer that reaches UDP 1701 may start a tunnel.
; The firewall section below never opens 1701 publicly, so only IPsec-protected peers get here.
access control = no
; NOTE(review): SAref tracking is an Openswan/Libreswan (KLIPS) feature; the strongSwan
; installed above does not provide it, so these two lines are probably ignored — confirm in the xl2tpd log.
ipsec saref = yes
saref refinfo = 30
; L2TP Network Server: the side that terminates client tunnels.
[lns default]
; Address pool handed to clients; local ip is the server end of each PPP link.
ip range = 192.168.9.2-192.168.9.100
local ip = 192.168.9.1
; Credentials are checked by pppd against chap-secrets; PAP (cleartext password) is refused.
require chap = yes
refuse pap = yes
require authentication = yes
name = AnyGW
; Verbose pppd logging to syslog; turn off once the setup works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
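# pppd options used by xl2tpd for every L2TP session.
# Local name used as the "server" column when looking up /etc/ppp/chap-secrets.
name xl2tpd
# Accept the addresses the peer proposes for both ends of the link.
ipcp-accept-local
ipcp-accept-remote
# DNS resolver pushed to clients. The former "ms-wins 8.8.8.8" was dropped:
# 8.8.8.8 is a DNS server, not a WINS server, and advertising it makes clients
# send NetBIOS name lookups to a third party. Add ms-wins only if you run WINS.
ms-dns 8.8.8.8
# Require the peer to authenticate (CHAP, per xl2tpd.conf); no compression control protocol.
auth
noccp
crtscts
# Drop sessions that carry no traffic for 30 minutes.
idle 1800
# Leave room for L2TP/IPsec/UDP headers; pairs with the TCP MSS clamp in before.rules.
mtu 1410
mru 1410
nodefaultroute
# Logs PPP negotiation to syslog; disable once the link is stable.
debug
lock
proxyarp
connect-delay 5000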
/etc/ppp/chap-secrets
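# client        server   secret       IP addresses
# The server column is "xl2tpd" (the name set in options.xl2tpd) so this secret is
# valid only for the VPN service, not for every pppd link on the host. The password
# is stored in cleartext: keep this file mode 0600, root-owned.
<username>      xl2tpd   <password>   *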
/etc/ufw/before.rules
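# NAT table rules (keep this section above the *filter section of before.rules)
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade VPN client traffic (192.168.9.0/24) leaving through eth0
-A POSTROUTING -s 192.168.9.0/24 -o eth0 -j MASQUERADE
# Process the NAT table rules
COMMIT
# Mangle MTU for VPN performance: clamp the TCP MSS of VPN client flows so
# segments fit the 1410-byte PPP MTU after L2TP/IPsec encapsulation and avoid
# PMTU black holes. Scoped to the VPN subnet so other forwarded traffic is untouched.
# NOTE(review): ufw forwards nothing by default (DEFAULT_FORWARD_POLICY="DROP" in
# /etc/default/ufw); this page does not cover allowing forwarded traffic — confirm.
*mangle
-A FORWARD -s 192.168.9.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT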
/etc/ufw/sysctl.conf
# Route packets between interfaces so VPN clients reach the Internet through the NAT rule above.
# This file is applied by ufw when it starts, not by `sysctl -p` (which reads /etc/sysctl.conf).
net/ipv4/ip_forward=1
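# Run as root. Enable forwarding immediately; the original "sysctl - p" has a stray
# space and is rejected, and `sysctl -p` would only read /etc/sysctl.conf, not the
# /etc/ufw/sysctl.conf edited above (ufw re-applies that file on every start).
sysctl -w net.ipv4.ip_forward=1
# SSH for administration; restrict it to a management network where possible,
# e.g. `ufw allow from <admin net> to any port 22`.
ufw allow 22
# IKE and NAT-T are UDP only. Do not open 1701/udp (L2TP) publicly: it is
# reached only inside the IPsec SA.
ufw allow 500/udp
ufw allow 4500/udp
# Reload ufw so before.rules and ufw/sysctl.conf take effect
# (if ufw was never enabled on this host, run `ufw enable` instead).
service ufw restart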
TODO: ppp0 -> ppp1