OpenWrt Forum Archive

Topic: OpenWRT as L2TP VPN client

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a Mac mini at home running Mac OS Sierra 10.12.1 and Server 5.2 configured with an L2TP VPN server.  I can connect to it using my iPhone 6 running iOS 10.1.1 by configuring a L2TP VPN with the server, account, password and secret for my Mac mini, giving me access to other devices on my home LAN and, because the Mac is configured for Internet Connection Sharing, my iPhone can get out onto the Internet with my home broadband IP address.  Essentially it gives me my very own http://strongvpn.com/amer-anywhere.html type service.  So far so good.

I also have a TP-Link WR703N running OpenWRT Chaos Calmer 15.05.01 which I've set up as a wifi-to-ethernet bridge: the wifi side is connected to a wifi network that gives access to the Internet and the ethernet port is connected to my laptop.  This allows my laptop to get internet access through its ethernet port.  Also hunky-dory.

The thing I want to do is get the WR703N to connect to the L2TP VPN on my Mac mini so that my laptop can route through the Mac to devices on my home LAN, and use ICS to get out onto the Internet using my home broadband IP address.

I did some searching and found https://wiki.openwrt.org/doc/howto/connect_by_l2tp which appears to be exactly what I want, but after running

opkg update

and then

opkg install openl2tp-full

I get the error

Unknown package 'openl2tp-full'.

Running

opkg find *l2tp*

doesn't show any near misses, so now I'm a bit stuck, as all my searches for

openwrt l2tp vpn client

find articles about setting up openwrt as a VPN server.

Can someone please point me in the right direction?  Thanks!

(Last edited by kbro on 27 Nov 2016, 23:50)

The article you linked to is extremely outdated.
xl2tpd is the service that provides both the L2TP client and server functions.
It works in cooperation with ppp and the kernel module l2tp_ppp.

opkg list *l2tp*
kmod-l2tp - 4.4.30-1
kmod-l2tp-ip - 4.4.30-1
kmod-pppol2tp - 4.4.30-1
ppp-mod-pppol2tp - 2.4.7-10
xl2tpd - devel-20151125-2

lsmod | grep l2tp
ip6_udp_tunnel          1783  2 wireguard,l2tp_core
l2tp_core              17553  4 l2tp_ppp,l2tp_ip6,l2tp_ip,l2tp_netlink
l2tp_ip                 5548  0 
l2tp_ip6                7321  0 
l2tp_netlink            8473  1 l2tp_ppp
l2tp_ppp               15834  4 
ppp_generic            22320 10 pppoe,ppp_async,l2tp_ppp,pptp,pppox,ppp_mppe
pppox                   1506  3 pppoe,l2tp_ppp,pptp
udp_tunnel              2051  2 wireguard,l2tp_core

Client functions are managed by netifd and LuCI, but not server functions.
To configure a server you have to configure xl2tpd manually.

(Last edited by bolvan on 28 Nov 2016, 09:36)

Thanks for that.  I was wondering whether I'd found some outdated info.  The output of opkg find *l2tp* that I ran yesterday gave me this:

kmod-l2tp - 3.18.23-1 - Kernel modules for L2TP V3 Support
kmod-l2tp-eth - 3.18.23-1 - Kernel modules for L2TP ethernet pseudowire support for L2TPv3
kmod-l2tp-ip - 3.18.23-1 - Kernel modules for L2TP IP encapsulation for L2TPv3
kmod-pppol2tp - 3.18.23-1 - Kernel modules for PPPoL2TP (PPP over L2TP) support
ppp-mod-pppol2tp - 2.4.7-6 - This package contains a PPPoL2TP (PPP over L2TP) plugin for ppp.
xl2tpd - devel-20150930-1 - l2tpd is the open source implementation of the L2TP tunneling protocol (RFC2661).
 It does implement both LAC and LNS role in a L2TP networking architecture. The
 main goal of this protocol is to tunnel PPP frame trough an IP network.

so it looks like I'm a major version behind you - maybe you're on Designated Driver instead of Chaos Calmer?  Unfortunately

root@OpenWrt:~# lsmod | grep l2tp
root@OpenWrt:~#

so I don't have those packages installed.  I tried Googling for an xl2tpd client config howto but couldn't find anything on the OpenWRT site.  The best I found was https://support.aa.net.uk/L2TP_Client:_OpenWRT which somewhat irritatingly begins "if you want to do it through the web UI, it should be obvious...".  Yeah, right.  Is there something that might be a bit more helpful to a mere mortal?  Thanks

I'm on LEDE. But it does not matter. xl2tpd has been in use for many years in OpenWrt. Even Attitude Adjustment has it and it works fine.
I don't think you're a mere mortal because you can ssh :) Configuring an L2TP client in LuCI is very easy. Create a network interface, select L2TP and fill in the required fields.
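As an added example (not from the thread, and not OpenWrt's shipped defaults), this is what that LuCI form ends up writing to /etc/config/network, together with the firewall zone a later post mentions. The server name and PPP credentials are placeholders. Note that there is no field for the "secret" here: on macOS and iOS that field is the IPsec pre-shared key, which belongs to the IPsec layer and not to the L2TP interface, so this stanza on its own only reaches a server that accepts unencrypted L2TP.

```uci
# /etc/config/network (added example; vpn.example.com and the PPP
# credentials are placeholders)
config interface 'vpn'
	option proto 'l2tp'
	option server 'vpn.example.com'
	option username 'pppuser'
	option password 'ppppass'
	option ipv6 '0'
	# leave room for the L2TP/PPP (and later ESP/UDP) overhead
	option mtu '1400'
	# "Use default gateway": send the laptop's internet traffic via the tunnel
	option defaultroute '1'
	# keep the local resolver unless you want the server-supplied DNS
	option peerdns '0'

# /etc/config/firewall
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

Bring it up with `ifup vpn` and watch `logread | grep -E 'xl2tpd|pppd'`: xl2tpd reports whether the tunnel and session came up, and pppd reports the authentication result. On Chaos Calmer the LuCI "Advanced Settings" tab exposes the same defaultroute/peerdns options, so editing the file by hand is optional.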

Okay, maybe not "mere mortal" - perhaps "seasoned geek who knows he's at the bottom of a new learning curve".  So here's what I did so far...

SSH'ed to router and ran:

opkg install kmod-l2tp kmod-l2tp-ip kmod-pppol2tp ppp-mod-pppol2tp xl2tpd

That seemed to get the packages installed okay.  Then used luci to:

Go to Network > Interfaces > Add new interface...
Create Interface with protocol = L2TP.

General setup for interface now asks for server, username and password, Advanced offers Bring up on boot and Use default gateway, both of which look promising.  Under Firewall Settings I created a new zone "vpn".  But it didn't connect.  I'd say this is because I haven't entered the secret, but there's nowhere on the UI to do that.  Maybe I have to hack that into a /etc/.../*.secrets file, but which one?  And given that the UI handles everything else I'm surprised this bit is missing.  Any thoughts?

See the logread output. l2tp and pppd log messages to syslog.
Also note that if you think you need L2TP within your home network then you are doing something wrong.
I can hardly imagine why l2tpd would ever be needed in a single private network.
If you use L2TP over the internet then without an additional IPsec layer the communication is unencrypted.
If your L2TP server is set up to require encryption (on a Mac it should be easy and it's probably on by default) then OpenWrt can't connect without additional manual configuration of strongSwan. And this is not as easy as plaintext.

(Last edited by bolvan on 28 Nov 2016, 12:40)

Ah.  That would explain it.  The Mac mini VPN is L2TP/IPsec, so I'm missing the IPsec bit?  I did say I was at the start of a learning curve.  So I need to install strongswan?  The problem there is that pages like https://wiki.openwrt.org/inbox/strongswan.howto appear to be configuring the router to be a server whereas I want to use it as a client.  opkg find *strongswan* lists a *LOT* of packages, so which do I need?  I did notice

strongswan-mod-uci - 5.3.3-1 - StrongSwan UCI config interface plugin

so hopefully I can use luci to configure my secret once I have the right packages in place.

UCI does not mean LuCI. UCI allows uniform config in /etc/config. LuCI allows editing it in web forms.
IPsec does not necessarily have to be used with L2TP. It runs on its own in tunnel or transport mode and knows nothing about L2TP.
When L2TP is used with IPsec the main layer is IPsec in transport mode.
IPsec encrypts the UDP packets to the VPN server. Usually port 1701.
L2TP works normally over the encrypted UDP. For l2tpd it's transparent. L2TP provides tunneling. L2TP knows nothing about IPsec.
So there are 2 independent configs. One for IPsec, one for l2tpd. You can still use LuCI to configure L2TP but there's no LuCI module for strongSwan. Still, you can use UCI configs for strongSwan.

(Last edited by bolvan on 28 Nov 2016, 13:24)

Okay, got that.  So I need to install and configure StrongSWAN to give me an IPsec layer for L2TP to run on top.  I'm struggling to find a HOWTO telling me what to do - I keep finding stuff about using StrongSWAN on a server, not a client.  I did try opkg install strongswan but all I succeeded in doing was exhausting my install space!  I had to do a Reset to clean everything out, then reinstall the xl2tpd stuff (which leaves me with 184KB, if that's any help).  Any suggestions on where I should look next?  Many thanks.

If you want your OpenWrt to act as a more or less normal Linux system then you need extroot.
That's why it's highly recommended to buy routers with USB or at least 16 MB of flash.
It's possible to incorporate packages into the compressed squashfs during your own compilation or to change an existing image with the imagebuilder. But I guess 184 KB will not be enough even for the compressed package. Leave at least 100 KB on the overlayfs or you may find your router auto-reset to default settings.

I can't suggest working configs because they need testing.
Where I would start:
find tutorials on the net on how to configure IPsec/L2TP on traditional Linux distros. https://wiki.archlinux.org/index.php/Op … ient_setup
understand the logic
understand how UCI translates to the strongSwan config, or skip UCI and use direct configuration in /etc/ipsec.conf
experiment, test, read logs, google for errors
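Added example (not the thread's or the strongSwan project's own files, and not tested against this particular Mac): a transport-mode pre-shared-key client definition for /etc/ipsec.conf and the matching /etc/ipsec.secrets, which is the "direct configuration" route mentioned above. The server name and secret are placeholders, and the proposal lists are an assumption covering the AES/3DES, SHA1 and MODP1024 combinations commonly offered by IKEv1 L2TP/IPsec servers; trim them to what the server actually negotiates.

```ini
# /etc/ipsec.conf (added example; vpn.example.com is a placeholder)
config setup

conn l2tp-psk
	# L2TP/IPsec clients authenticate with IKEv1 and a pre-shared key
	keyexchange=ikev1
	authby=secret
	# transport mode: protect only the UDP/1701 traffic between this
	# router and the server, not a whole subnet
	type=transport
	# assumption: typical IKEv1 L2TP/IPsec proposals ("!" = accept nothing else)
	ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=aes256-sha1,aes128-sha1,3des-sha1!
	left=%defaultroute
	leftprotoport=udp/1701
	right=vpn.example.com
	rightprotoport=udp/1701
	# route: install a trap policy so the first L2TP packet triggers IKE
	# and L2TP is never sent to the server unprotected
	auto=route

# /etc/ipsec.secrets (chmod 600; the secret is a placeholder)
# No selector means this PSK is offered to any peer; put the server's
# address in front of the colon to scope it to that one peer.
: PSK "the-shared-secret"
```

Packages, by their opkg names: strongswan-default is the simplest, or on a small-flash device strongswan-charon and strongswan-ipsec plus the strongswan-mod-kernel-netlink, strongswan-mod-socket-default, strongswan-mod-stroke, strongswan-mod-gmp, strongswan-mod-aes, strongswan-mod-sha1, strongswan-mod-hmac, strongswan-mod-random and strongswan-mod-nonce modules, which is roughly what the proposals above need (check `opkg list strongswan-mod-*` for the exact set on your release). Start it with `/etc/init.d/ipsec start`, then `ifup vpn`, and confirm in logread that charon reports the connection established before looking at xl2tpd or pppd errors. Two caveats a practitioner should keep in mind: the pre-shared key is shared by every client of that server, so anyone who holds it can impersonate the server to you; and the PPP username/password are only protected because they travel inside ESP, which is exactly why the L2TP stanza alone must not be used against an untrusted network.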

Thanks for the advice.  I was only using the WR703N because I had one in my "useful" cupboard, and I thought it would be ideal for this purpose because it's so tiny!

Forgot to mention: IPsec with NAT-T uses UDP port 4500 encapsulation of ESP frames. Without NAT-T raw ESP can't pass NAT.
We have this encapsulation:

IP4/6 - outer
UDP 4500
ESP
UDP 1701
L2TP
PPP
IP4/6 - inner
TCP/UDP/whatever
<payload>

Below ESP, everything is encrypted.

(Last edited by bolvan on 28 Nov 2016, 19:58)
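To make the point of this layer diagram, and of the earlier warning that L2TP without IPsec is unencrypted, concrete, here is an added example (not code from the thread) that builds both stacks and parses them the way a passive observer on the wifi path would, with no keys. Everything in it is constructed: the addresses, tunnel and session IDs, SPI and payload are placeholders, and the ESP "ciphertext" is random bytes of the right length standing in for a real encrypted payload.

```python
"""Added example (not from the forum thread): build the two encapsulation
stacks listed above and parse them as a keyless passive observer would,
to show what the IPsec layer hides. All packets are constructed here."""
import os
import socket
import struct

L2TP_PORT = 1701      # UDP port for L2TP (RFC 2661)
NAT_T_PORT = 4500     # UDP port for NAT-T encapsulated ESP and IKE (RFC 3948)
PPP_IPV4 = 0x0021     # PPP protocol number for IPv4
ACFC = b"\xff\x03"    # HDLC address/control bytes that may precede the PPP protocol


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_datagram(sport, dport, payload):
    """UDP header (checksum left zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l2tp_data_packet(tunnel_id, session_id, ppp_frame):
    """L2TPv2 data message: only the L (length present) bit set, version 2."""
    flags = 0x4000 | 2
    return struct.pack("!HHHH", flags, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame


def build_plain_l2tp(tunnel_id, session_id, inner_src, inner_dst):
    """No IPsec: UDP/1701 -> L2TP -> PPP -> inner IPv4 (carrying a UDP/53 query)."""
    inner = ipv4_packet(inner_src, inner_dst, 17,
                        udp_datagram(40000, 53, b"constructed-dns-query"))
    ppp = ACFC + struct.pack("!H", PPP_IPV4) + inner
    return udp_datagram(L2TP_PORT, L2TP_PORT,
                        l2tp_data_packet(tunnel_id, session_id, ppp))


def build_nat_t_esp(spi, seq, plaintext_len):
    """With IPsec NAT-T: UDP/4500 -> ESP(SPI, sequence) -> opaque payload.
    A real transport-mode SA encrypts and integrity-protects the whole
    UDP/1701 datagram; random bytes of the same length stand in for it here."""
    esp = struct.pack("!II", spi, seq) + os.urandom(plaintext_len)
    return udp_datagram(NAT_T_PORT, NAT_T_PORT, esp)


def observe(datagram):
    """Everything a passive observer can read from one UDP datagram without keys."""
    _, dport, ulen, _ = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:ulen]
    seen = {"udp_dport": dport}
    if dport == NAT_T_PORT:
        spi, seq = struct.unpack("!II", body[:8])
        if spi == 0:                  # four zero bytes = non-ESP marker, i.e. IKE (RFC 3948)
            seen["layer"] = "IKE"
        else:                         # ESP: SPI and sequence are the only readable fields
            seen.update(layer="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
        return seen
    if dport != L2TP_PORT:
        seen["layer"] = "unknown"
        return seen
    flags = struct.unpack("!H", body[:2])[0]
    off = 2
    if flags & 0x4000:                # L bit: 16-bit length field present
        off += 2
    seen["tunnel_id"], seen["session_id"] = struct.unpack("!HH", body[off:off + 4])
    off += 4
    if flags & 0x8000:                # T bit: control message (AVPs), no PPP inside
        seen["layer"] = "L2TP control"
        return seen
    seen["layer"] = "L2TP"
    if flags & 0x0800:                # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:                # O bit: offset size plus padding
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]
    ppp = body[off:]
    if ppp.startswith(ACFC):
        ppp = ppp[2:]
    seen["ppp_protocol"] = struct.unpack("!H", ppp[:2])[0]
    if seen["ppp_protocol"] == PPP_IPV4:   # the inner IP header is fully readable
        ip = ppp[2:]
        seen["inner_proto"] = ip[9]
        seen["inner_src"] = socket.inet_ntoa(ip[12:16])
        seen["inner_dst"] = socket.inet_ntoa(ip[16:20])
        if ip[9] == 17:
            seen["inner_dport"] = struct.unpack("!H", ip[22:24])[0]
    return seen


if __name__ == "__main__":
    plain = build_plain_l2tp(0x1234, 1, "10.0.0.5", "192.168.1.10")
    print("without IPsec:", observe(plain))
    print("with IPsec NAT-T:", observe(build_nat_t_esp(0xC0FFEE, 7, len(plain))))
```

Without IPsec the observer recovers the tunnel and session IDs, the PPP protocol and the inner IP addresses and ports (and, not shown here, the PPP authentication exchange that precedes them); with NAT-T it sees only the SPI and sequence number and an opaque blob whose length is the one thing it still learns.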

The discussion might have continued from here.