How to setup l2tp client

Hey guys,

I am trying to configure my router to connect to a third-party VPN by using L2TP.
I successfully configured the OpenVPN client but the performance is not so great.
(Using the Archer C7 v2 I get max. 12 Mbit with AES-256-CBC.)

The packages xl2tpd and ipsec-tools are installed.
But when I try to set up the network interface I cannot submit a PSK.
What am I doing wrong?

Thanks for your help :)

Just 12 Mbit/s? I know that the QCA9558 SoC in the Archer C7 v2 does not have any crypto-offload and the single-core 720 MHz MIPS32 CPU is weak (not that a dual- or quad-core CPU would do much, as OpenVPN is single-threaded). Can you tell me what "throughput" you are looking for? As I don't think L2TP would help much, unless you go for a weaker cipher.


Sorry, I could not answer at the weekend.

As much as possible. I have a 100Mbit connection which should be enough to get at least 50Mbit and more while using the VPN. (on a decent CPU)

I think l2tp is executed in the kernel which should result in more throughput because openvpn loses performance by switching between user- and kernelspace.
I cannot change the cipher to a lower length (at least 256 bits). The VPN provider selects AES-256-GCM by default which slows the connection to 8Mbit.

Ok, 100MBit/s connection and you are hoping to hit 50MBit/s+ for VPN.

I've run iperf3 over an IPsec connection secured with AES-256-CBC + HMAC-SHA256 on my Archer C7 and I got:

root@archer-c7:~# iperf3 -s # server
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.8.7, port 58822
[  5] local 192.168.8.249 port 5201 connected to 192.168.8.7 port 58824
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  5.36 MBytes  44.8 Mbits/sec                  
[  5]   1.00-2.01   sec  5.46 MBytes  45.5 Mbits/sec                  
[  5]   2.01-3.01   sec  5.38 MBytes  45.3 Mbits/sec                  
[  5]   3.01-4.01   sec  5.64 MBytes  47.2 Mbits/sec                  
[  5]   4.01-5.01   sec  5.55 MBytes  46.5 Mbits/sec                  
[  5]   5.01-6.01   sec  5.64 MBytes  47.2 Mbits/sec                  
[  5]   6.01-7.01   sec  5.55 MBytes  46.5 Mbits/sec                  
[  5]   7.01-8.00   sec  5.55 MBytes  47.2 Mbits/sec                  
[  5]   8.00-9.00   sec  5.55 MBytes  46.5 Mbits/sec                  
[  5]   9.00-10.01  sec  5.63 MBytes  47.2 Mbits/sec                  
[  5]  10.01-10.07  sec   267 KBytes  35.8 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.07  sec  55.6 MBytes  46.3 Mbits/sec                  receiver
-----------------------------------------------------------


root@javelin:~# iperf3 -c desktop-pc.daheim # client
Connecting to host desktop-pc.daheim, port 5201
[  5] local 192.168.8.249 port 54424 connected to 192.168.8.7 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.82 MBytes  32.1 Mbits/sec    0   30.6 KBytes       
[  5]   1.00-2.00   sec  3.90 MBytes  32.7 Mbits/sec    0   30.6 KBytes       
[  5]   2.00-3.00   sec  3.85 MBytes  32.2 Mbits/sec    0   30.6 KBytes       
[  5]   3.00-4.00   sec  3.91 MBytes  32.8 Mbits/sec    0   30.6 KBytes       
[  5]   4.00-5.00   sec  3.83 MBytes  32.1 Mbits/sec    0   30.6 KBytes       
[  5]   5.00-6.00   sec  3.86 MBytes  32.5 Mbits/sec    0   30.6 KBytes       
[  5]   6.00-7.00   sec  3.82 MBytes  32.0 Mbits/sec    0   30.6 KBytes       
[  5]   7.00-8.00   sec  3.88 MBytes  32.6 Mbits/sec    0   30.6 KBytes       
[  5]   8.00-9.00   sec  3.84 MBytes  32.1 Mbits/sec    0   30.6 KBytes       
[  5]   9.00-10.00  sec  3.90 MBytes  32.8 Mbits/sec    0   30.6 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  38.6 MBytes  32.4 Mbits/sec    0             sender
[  5]   0.00-10.00  sec  38.6 MBytes  32.4 Mbits/sec                  receiver

 iperf Done.

Sadly, it doesn't look like 50 MBit/s+ is possible with this router.

"l2tp" is actually just a tunnel protocol, you'll need to deal with IPsec first. See:

Sadly, I haven't seen any LuCI-App in the repository that could help you with setting up the strongswan/racoon daemon. In theory, racoon (ipsec-tools) does have some uci integration.
So you could configure it through /etc/config/racoon without having to deal with a custom config file. However, the OpenWrt wiki states that strongswan is recommended. https://wiki.openwrt.org/doc/howto/vpn.overview#strongswan_recommended

And from what I can glimpse, the tutorials cover mostly the server setup. So you'll need to look elsewhere for an IPsec/L2TP client setup:

https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup

And piece the information together to get a working setup. Once the IPsec transport/tunnel is working, you should be able to just connect with the existing L2TP config.

Do you know if this is also the default AEAD mode for the IPsec/L2TP setting? Because the racoon/setkey utility doesn't have support for AES-GCM (but does support AES-256-CBC + HMAC(SHA256)).
If that's the case, you should look at strongswan directly.

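An added example, not from the thread or from the strongSwan or OpenWrt projects: the reply above says the IPsec layer has to come up before L2TP, which is also why the PSK does not belong on the L2TP interface. This POSIX shell function writes a strongSwan transport-mode connection to `ipsec.conf` and the PSK to `ipsec.secrets`. The function name, the connection name `l2tp-psk`, the host `vpn.example.net`, the use of IKEv1 and the `modp2048` group are assumptions to check against the provider's settings; the AES-256-CBC + HMAC-SHA256 proposal is the one benchmarked above.

```shell
#!/bin/sh
# Added example (hypothetical helper): write the IPsec half of an L2TP/IPsec
# client config for strongSwan. L2TP (xl2tpd) is configured separately and
# only carries traffic once this transport-mode SA is established.
write_l2tp_ipsec() {
    dir=$1
    server=$2
    psk=$3
    [ -n "$dir" ] && [ -n "$server" ] && [ -n "$psk" ] || {
        echo "usage: write_l2tp_ipsec DIR SERVER PSK" >&2; return 2; }
    # The server lands unquoted in ipsec.conf: allow host/IP characters only.
    case $server in
        *[!A-Za-z0-9.:-]*) echo "invalid server name" >&2; return 1 ;;
    esac
    # ipsec.secrets wraps the PSK in double quotes, so a quote or a newline
    # inside the key would corrupt the file.
    case $psk in
        *'"'*|*'
'*) echo "PSK must not contain a double quote or newline" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    cat > "$dir/ipsec.conf" <<EOF
conn l2tp-psk
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=$server
    rightprotoport=17/1701
    # aes256 = AES-256-CBC, sha256 = HMAC-SHA256; "!" disables fallback
    # to weaker proposals. modp2048 is an assumption: match the provider.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=add
EOF
    # The PSK is the only secret here: create the file owner-only and force
    # the mode in case an older, looser copy already existed.
    ( umask 077; printf ': PSK "%s"\n' "$psk" > "$dir/ipsec.secrets" ) || return 1
    chmod 600 "$dir/ipsec.secrets"
}
# Usage (constructed values): write_l2tp_ipsec /tmp/ipsec-test vpn.example.net 'example-psk'
```

Review the generated files before copying them to where the strongSwan build reads its configuration (commonly `/etc/ipsec.conf` and `/etc/ipsec.secrets`).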

I can't connect to NordVPN by L2TP... can you describe how to configure it?
