Skip to content

Instantly share code, notes, and snippets.

@btc100k

btc100k/setup_l2tp_vpn.sh

Created December 24, 2024 16:44
Show Gist options
  • Save btc100k/8a075e2855298aa359d14b1688aa2f04 to your computer and use it in GitHub Desktop.
Save btc100k/8a075e2855298aa359d14b1688aa2f04 to your computer and use it in GitHub Desktop.
Download ZIP
Here is how to establish a VPN connection from ubuntu/mint (client) to Ubiquiti UDM (server).
Raw
setup_l2tp_vpn.sh
#!/bin/bash
# Much of this script came from:
# https://gist.github.com/danielv99/ae6dbd6d3f5b8fe4241519f5a0733ff3
# but a few hours of trial/error/debugging/chatgpt/grok went into the few changes required to get VPN working with my UDM
# YMMV
# My debugging went as followed:
# In one window, create this script, chmod +x it
# In another window, run `journalctl -u xl2tpd -f` to look for errors.
# if this doesn't just plain work for you,
# the errors from the journalctl will probably help you figure out what changes are needed in the pppoptfile
# best of luck
apt-get -y update && apt-get -y upgrade
apt-get -y install strongswan xl2tpd libstrongswan-standard-plugins libstrongswan-extra-plugins
service strongswan-starter stop
service xl2tpd stop
ipsec stop
VPN_SERVER_IP='<server ip>'
VPN_IPSEC_PSK='<server psk>'
VPN_USER='<vpn username>'
VPN_PASSWORD='<vpn password>'
VPN_IP_SUBNET='<such as 192.168.1.0/24>'
cat > /etc/ipsec.conf <<EOF
config setup
conn %default
rekeymargin=3m
keyingtries=4
keyexchange=ikev1
authby=psk
conn VPN1
left=%defaultroute
right=$VPN_SERVER_IP
ike=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024
esp=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024
auto=add
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=1h
keylife=1h
type=transport
leftprotoport=17/1701
rightid=$VPN_SERVER_IP
rightprotoport=17/1701
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac VPN1]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
# ipcp-accept-local
# ipcp-accept-remote
refuse-eap
# noccp
noauth
idle 1800
mtu 1410
mru 1410
# noipdefault
# defaultroute
replacedefaultroute
usepeerdns
debug
# require-mschap-v2
# connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF
chmod 600 /etc/ppp/options.l2tpd.client
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
$VPN_USER VPN1 $VPN_PASSWORD *
# added via script (create_vpn.txt)
EOF
chmod 600 /etc/ppp/chap-secrets
cat > /etc/ppp/pap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
$VPN_USER VPN1 $VPN_PASSWORD *
# added via script (create_vpn.txt)
EOF
chmod 600 /etc/ppp/pap-secrets
service strongswan-starter restart
service xl2tpd restart
ipsec restart
cat > /usr/local/bin/start-vpn <<EOF
#!/bin/bash
(service strongswan-starter start ;
sleep 2 ;
service xl2tpd start) && (
ipsec up VPN1
echo "c VPN1" > /var/run/xl2tpd/l2tp-control
sleep 5
#ip route add 10.0.0.0/24 dev ppp0
while ! ip link show ppp0 &>/dev/null; do
echo "Waiting for ppp0 ..."
sleep 1
done
ip route add $VPN_IP_SUBNET dev ppp0
)
EOF
chmod +x /usr/local/bin/start-vpn
cat > /usr/local/bin/stop-vpn <<EOF
#!/bin/bash
echo "Removing ppp0 route..."
ip route del $VPN_IP_SUBNET dev ppp0
(echo "d VPN1" > /var/run/xl2tpd/l2tp-control
ipsec down VPN1) && (
service xl2tpd stop ;
service strongswan-starter stop)
EOF
chmod +x /usr/local/bin/stop-vpn
echo "To start VPN type: start-vpn"
echo "To stop VPN type: stop-vpn"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment