How to install L2TP vpn server on CentOS 7 linux

Linux » Service » How to install L2TP vpn server on CentOS 7 linux

How to install L2TP vpn server on CentOS 7 linux

December 17, 2019September 12, 2020

In today tutorial, we show you how to install L2TP vpn server on CentOS 7 linux.
L2tp is synonym of Layer Two Tunneling Protocol and is an extension of PPTP tunneling protocol for creating VPN tunnels.

Here is our environment:
OS: CentOS 7 linux on VMWare
Firewall: firewalld
SElinux: enforcing
IP address: 192.168.3.128

1- Install L2TP

There is two common packages for linux to support l2tp protocol. one is StrongSwan and another is xl2tpd. here we install xl2tpd and related packages:

# yum install epel-release
# yum install xl2tpd libreswan

2- Configure Kernel parameters

to allow vpn traffic goes through our server, we should enable some kernel features. put the following content in /etc/sysctl.conf:

# vim /etc/sysctl.conf

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0

then make it permanent:

# sysctl -p

3- Configure IPsec

In our configuration, we want to use ipsec to enable l2tp traffic encryption. so open /etc/ipsec.d/l2tp_psk.conf and put the following content in it:

Note: mind about SPACES

# vim /etc/ipsec.d/l2tp_psk.conf

conn L2TP-PSK-NAT
     rightsubnet=vhost:%priv
     also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=no
     ikelifetime=8h
     keylife=1h
     type=transport
     left=192.168.3.128
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/%any

Note: remember to change 192.168.3.128 with your own IP address.
Here we configure l2tp to ask for a pre-shared key (PSK) from clients. we define this key like below:

# vim /etc/ipsec.secrets

192.168.3.128 %any: PSK "123456789"

and do some check on ipsec service:

# ipsec setup start
# ipsec verify

Output:

Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-1062.4.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eno16777728/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/tun0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

Note: red lines in above output are related to Reverse Path Filtering feautre of kernel and no need to be disabled.

Now we start ipsec service:

# systemctl enable ipsec

4- Configure xl2tpd

first, rename /etc/xl2tpd/xl2tpd.conf to a backup file:

# mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.old

then open /etc/xl2tpd/xl2tpd.conf and put these lines in it:

# vim /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 192.168.3.128
ipsec saref = yes
[lns default]
ip range = 192.168.100.128-192.168.100.254
local ip = 192.168.100.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

also make a backup of /etc/ppp/options.xl2tpd:

# mv /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.old

then put the following lines in it:

# vim /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  4.2.2.4
noccp
#noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Now we define our usernames and passwords for clients:

# vim /etc/ppp/chap-secrets

USERNAME test PASSWORD test

finally start xl2tp service:

# systemctl start xl2tpd
# systemctl enable xl2tpd
# systemctl status xl2tpd

5- Configure firewall

Here we use firewalld service. we need to allow ipsec, forward internal l2tpc ip range traffic to internet interface and do NAT:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
# firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
# firewall-cmd --permanent --add-port=1701/udp
# firewall-cmd --permanent --add-port=500/udp 
# firewall-cmd --permanent --add-port=4500/udp 
# firewall-cmd --permanent --add-service="ipsec"
# firewall-cmd --reload

if you use CSF, create a file named /etc/csf/csfpre.sh and put these lines in it:

iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eno16777728 -j MASQUERADE

then open port 1701/udp and reload csf.
if you use iptables, just run above command and then save changes with iptables-save. also open port 1701/udp.

Note: remember to change eno16777728 with your own interface name

6- Configure SElinux

we prefer to keep selinux enabled. so to allow bringing up vpn interfaces, we should run the following command:

# setsebool -P daemons_use_tty 1

if you have disabled selinux, simply skip above command.

15 thoughts on “How to install L2TP vpn server on CentOS 7 linux”

Alejandro says:
July 27, 2020 at 3:54 am
This is good work, thanks a lot. With your step by step I installed on Centos 7 64 bits, but the clients of win 7, no can connect they receive a error 789. Can you help me?
Reply
1. TuxTips says:
  August 3, 2020 at 5:35 am
  Hi.
  see vpn server logs to know about source of issue. you can paste error here for investigation
  Reply
playgta5good says:
August 4, 2020 at 3:01 pm
I can’t connect the internet when i connect my l2tp server.My computer show that ipv4 connection no access rights.And i want to know how to solve it.Thank you a lot!
Reply
1. TuxTips says:
  August 7, 2020 at 10:11 am
  Maybe the problem is related to enabling packet forwarding in sysctl.conf or iptables nat rules. please check instructions in article one by one.
  Reply
Richard says:
September 3, 2020 at 6:56 am
Following this guide I get:
Sep 2 09:01:29 centos pppd[18016]: In file /etc/ppp/options.xl2tpd: unrecognized option ‘crtscts’
Does the posted options.xl2tpd still work for you on CentOS 7 with xl2tpd-1.3.14-1.el7.x86_64 and ppp-2.4.5-34.el7_7.x86_64 ?
Reply
1. TuxTips says:
  September 4, 2020 at 2:28 pm
  yes it does. maybe you have installed new version that i have installed in this article.
  so you can remove “crtscts” and check if everything else works properly.
  also you can search on google for “crtscts” any replacement with new option.
  Reply
Peter says:
September 11, 2020 at 10:54 pm
There is a strong SECURITY issue in this guide:
“pppoptfile = /etc/ppp/options.xl2tpd”
I suggest comment the following line:
#noauth
If not, you can login with dummy user/pass, just knowking the correct secret!
Reply
1. TuxTips says:
  September 12, 2020 at 3:36 pm
  thank you Peter, i updated the article
  Reply
  1. Peter says:
    September 12, 2020 at 11:13 pm
    Thanks to you! Your guide was super and really easy to apply!
    Reply
Kleber says:
October 6, 2020 at 3:07 am
I had a big problem, Job for xl2tpd.service failed because the control process exited with error code.
Reply
Sohaib Khan says:
February 5, 2021 at 5:35 pm
Hi,
I followed your instruction but failed to connect VPN.
I am using cento7 .
please see my logs below and let me know what i need to change in configuration, i am using exact same config as shared in this post.
Feb 5 13:01:12.748310: packet from yy.yy.yy.yy:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Feb 5 13:01:12.748385: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: responding to Main Mode from unknown peer yy.yy.yy.yy on port 500
Feb 5 13:01:12.748423: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: WARNING: connection L2TP-PSK-noNAT PSK length of 9 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Feb 5 13:01:12.748462: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 5 13:01:12.932771: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 5 13:01:13.089721: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: Peer ID is ID_IPV4_ADDR: ‘192.168.109.205’
Feb 5 13:01:13.089920: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Feb 5 13:01:13.089929: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Feb 5 13:01:13.246415: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: the peer proposed: xx.xx.xx.xx/32:17/1701 -> 192.168.109.205/32:17/0
Feb 5 13:01:13.246441: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Feb 5 13:01:13.246654: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #2: responding to Quick Mode proposal {msgid:01000000}
Feb 5 13:01:13.246663: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #2: us: xx.xx.xx.xx:17/1701
Feb 5 13:01:13.246666: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #2: them: yy.yy.yy.yy:17/1701
Feb 5 13:01:13.246873: “L2TP-PSK-noNAT”[1] yy.yy.yy.yy #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x5f4eb182 0x5f4eb182 <0x77eae6b9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.109.205 NATD=yy.yy.yy.yy:52019 DPD=active}
Feb 5 13:01:13.839985: "L2TP-PSK-noNAT"[1] yy.yy.yy.yy #1: received Delete SA(0x5f4eb182) payload: deleting IPSEC State #2
Feb 5 13:01:13.840001: "L2TP-PSK-noNAT"[1] yy.yy.yy.yy #2: deleting other state #2 (STATE_QUICK_R2) and sending notification
Feb 5 13:01:13.840023: "L2TP-PSK-noNAT"[1] yy.yy.yy.yy #2: ESP traffic information: in=375B out=299B
Feb 5 13:01:13.860510: "L2TP-PSK-noNAT" #1: deleting state (STATE_MAIN_R3) and sending notification
Feb 5 13:01:13.860675: "L2TP-PSK-noNAT"[1] yy.yy.yy.yy: deleting connection "L2TP-PSK-noNAT"[1] yy.yy.yy.yy instance with peer yy.yy.yy.yy {isakmp=#0/ipsec=#0}
Feb 5 13:01:13.860686: packet from yy.yy.yy.yy:52019: received and ignored empty informational notification payload
Reply
cheese says:
August 8, 2022 at 10:11 am
I had a big problem, Job for xl2tpd.service failed because the control process exited with error code.
Reply
Faisal says:
May 13, 2023 at 6:37 am
First of All Great Work, secondly there is issue with “/etc/ppp/chap-secrets” format which you provide is incorrect please update it with ” test * test* “
Reply
Marco Trujillo says:
January 11, 2024 at 1:35 am
you have 2 errors, if you want to work on the last updates, please update the article
on chap-secrets file
USERNAME * “PASSWORD” *
add quotes on password and use asterisk for any servername and asterisk for any IP address
Reply
Marco Trujillo says:
January 11, 2024 at 1:35 am
on options.xl2tpd file
change #noauth to auth to authenticate work
Reply