
EdgeMAX EdgeRouter – L2TP IPSec VPN Server

Source: EdgeRouter – L2TP IPsec VPN Server

Applicable to the latest EdgeOS firmware on all EdgeRouter models, using CLI mode. L2TP setup is not configurable through the web interface.

Enter configuration mode

configure

Configure the server authentication settings (replace <secret> and <username> with your own values).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>

Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249

Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 <ip-address>
set vpn l2tp remote-access dns-servers server-2 <ip-address>

Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements, choosing the one that matches how your WAN interface obtains its address:

(A) Your WAN interface receives an address through DHCP

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE

set vpn l2tp remote-access outside-address 0.0.0.0

Define the IPsec interface which will receive L2TP requests from clients.

set vpn ipsec ipsec-interfaces interface eth0

(Optional) Lower the MTU for L2TP traffic.

set vpn l2tp remote-access mtu <mtu-value>

Commit the changes and save the configuration.

commit ; save

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show vpn remote-access
show vpn ipsec sa
show interfaces
show log | match 'xl2tpd|pppd'

DD-WRT PPTP VPN Client Settings

I have two routers. One is an ASUS RT-AC66U, used for all my devices, running the default firmware shipped by ASUS. The other is an ASUS RT-N16 running DD-WRT, configured with a VPN client to pass all traffic to my VPN servers to bypass website blocking from China; I use this router for my PlayStation and other devices that don’t have native VPN support.

First, enable the PPTP client on the DD-WRT router with these settings:

  • Remote Subnet Mask: 255.255.255.0
  • MPPE Encryption: mppe required,no40,no56,stateless
  • Username: Your VPN username
  • Password: Your VPN password

Then add the following as startup commands:

#!/bin/sh
# Wait for the WAN link and the PPTP client to come up before touching routes
sleep 120
# PPTP server address and ISP gateway as stored in NVRAM by DD-WRT
PPTPSERVER=$(/usr/sbin/nvram get pptpd_client_srvip)
PPTPGWY=$(/usr/sbin/nvram get wan_gateway)
# Reach the VPN server itself via the ISP gateway on the WAN port (vlan2)
/sbin/route add -host "$PPTPSERVER" gw "$PPTPGWY" dev vlan2
# Replace the ISP default route with the tunnel (ppp0); with no fallback
# route, traffic stops instead of leaking to the ISP if the tunnel drops
/sbin/route del default
/sbin/route add default dev ppp0
# NAT LAN clients out of the tunnel interface
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

According to this article, the script above terminates all Internet traffic whenever the VPN connection is lost, until the VPN connection can be re-established. If you would rather have the router keep routing traffic over your ISP’s connection when the VPN drops, use the following script instead:

#!/bin/sh
# Wait for the WAN link and the PPTP client to come up before touching routes
sleep 120
# PPTP server address and ISP gateway as stored in NVRAM by DD-WRT
PPTPSERVER=$(/usr/sbin/nvram get pptpd_client_srvip)
PPTPGWY=$(/usr/sbin/nvram get wan_gateway)
# Reach the VPN server itself via the ISP gateway on the WAN port (vlan2)
/sbin/route add -host "$PPTPSERVER" gw "$PPTPGWY" dev vlan2
/sbin/route del default
# Keep a higher-metric ISP default route as a fallback: if ppp0 goes down,
# traffic falls back to the ISP (unencrypted) instead of stopping
/sbin/route add default gw "$PPTPGWY" metric 100
# The tunnel route has the lower metric, so it is preferred while ppp0 is up
/sbin/route add default dev ppp0
# NAT LAN clients out of the tunnel interface
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
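As an added example (not code from the original post), here is a hardened variant that serves both startup scripts above: it polls for ppp0 instead of a blind sleep, validates the NVRAM values before deleting the default route (the scripts above delete it even if nvram returns nothing, leaving the router with no uplink), and takes the fail-closed or fail-open behaviour as a parameter. It assumes ppp0 is the PPTP interface, vlan2 is the WAN interface, and a hypothetical script path of /jffs/vpnroute.sh; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: ppp0 = PPTP tunnel,
# vlan2 = WAN port, script stored as /jffs/vpnroute.sh (hypothetical path).

is_ipv4() {
    # Accept only a dotted quad whose octets are 0-255 (POSIX sh, no regex).
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    return 0
}

run() {
    # With DRY_RUN=1 print the command instead of executing it, so the route
    # plan can be reviewed (or tested) without touching the routing table.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

wait_for_iface() {
    # Poll /proc/net/dev for interface $1 for up to $2 seconds instead of a
    # blind 'sleep 120'; returns 1 on timeout so that no routes are changed.
    i=0
    while [ "$i" -lt "${2:-120}" ]; do
        grep -q "^ *$1:" /proc/net/dev 2>/dev/null && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

plan_vpn_routes() {
    # $1 = failclosed | failopen, $2 = PPTP server IP, $3 = ISP gateway IP.
    # Validate first: never delete the default route on empty/garbage input.
    mode=$1; server=$2; gw=$3
    is_ipv4 "$server" && is_ipv4 "$gw" || return 1
    case "$mode" in failclosed|failopen) ;; *) return 1 ;; esac
    run /sbin/route add -host "$server" gw "$gw" dev vlan2 || return 1
    run /sbin/route del default
    # failopen keeps a higher-metric ISP default, so traffic falls back to the
    # ISP (unencrypted) if ppp0 drops; failclosed leaves no fallback route.
    [ "$mode" = failopen ] && run /sbin/route add default gw "$gw" metric 100
    run /sbin/route add default dev ppp0
    run iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
}

# From the DD-WRT startup commands: sh /jffs/vpnroute.sh start failclosed
if [ "${1:-}" = start ]; then
    wait_for_iface ppp0 120 || exit 1
    plan_vpn_routes "${2:-failclosed}" \
        "$(/usr/sbin/nvram get pptpd_client_srvip)" "$(/usr/sbin/nvram get wan_gateway)"
fi
```

Run it once with DRY_RUN=1 on the router to review the exact route and iptables commands it would issue before enabling it at startup.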

Set a static IP for the secondary router on the primary router’s LAN. Note that you need to point its DNS at providers outside the Great Firewall of China.

Some other steps you can do:

  • Enable remote access to your router, then you can reach it at http://10.0.0.100:8080/ when you’re on your main router’s network.
  • Enable SSH for easier (maybe harder) maintenance in the future.
  • Enable SNMP for easier (maybe harder) maintenance in the future.
  • Backup your current router settings.
  • Change Wi-Fi TX Power
  • Change NTP timezone
  • Enable JFFS2 support

Some useful commands:

  • route – Show the current routing table
  • ps | grep pptp – Show the VPN client process
