Very good article
http://www.crosspeer.com/tutorial_Linux_L2TP_VPN_Client.html
https://github.com/jabas06/l2tp-ipsec-vpn-client
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832
Step 0: Install utilities
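# Step 0: packages and connection parameters.
# Both package commands need root; the original ran `apt-get update` without sudo.
sudo apt-get update
sudo apt-get -y install strongswan xl2tpd net-tools
# Parameters substituted into the heredocs of Steps 1-2 (values are placeholders).
DesVPNsrv="x.x.x.x"   # server address: right= in ipsec.conf, lns= in xl2tpd.conf
AMIip="x.x.x.x"       # not used by Steps 1-4; the monitoring script below sets its own copy
                      # (the original value had a stray trailing '.')
VPNuser="VPN_user"    # PPP login written into options.l2tpd.client
VPNpass="VPNpass"     # PPP password -- a secret; prefer reading it from a root-only file
PSK="xxxxxx"          # IPsec pre-shared key -- a secret; same handling as VPNpass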
Step 1: Configure IPsec
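# Step 1: IPsec (strongSwan) transport-mode SA carrying L2TP (UDP 1701).
# The heredoc is unquoted on purpose so $DesVPNsrv from Step 0 is substituted.
# The file is appended to (>>), so running this twice duplicates the sections.
# Parameter lines are indented: the ipsec.conf grammar tells a section header
# from a parameter by the absence of leading whitespace, and that indentation
# appears to have been lost in the notes.
# NOTE(review): nat_traversal/virtual_private/oe/protostack are Openswan /
# Libreswan "config setup" keywords; strongSwan presumably ignores or warns
# on them -- check the charon log after start.
# Security: modp1024 (1024-bit DH), 3DES and SHA-1 are weak; keep them only
# because the server offers nothing stronger, otherwise prefer a 2048-bit
# group and SHA-2.  In strongSwan 5 pfs= is deprecated and PFS is requested
# by listing a DH group in esp=, so esp=...modp1024 together with pfs=no is
# contradictory -- confirm which the server expects.
# Fixed here: "lso=" -> "also=", "r4ekey=" -> "rekey=" (typos), and the
# duplicated auto= in L2TP-PSK-noNAT (add, then start) reduced to auto=start,
# which is what Step 3 relies on.
vi /etc/ipsec.conf
cat <<EOF >> /etc/ipsec.conf
config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  oe=off
  protostack=netkey
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$DesVPNsrv
  auto=start
EOF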
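# Step 1b: pre-shared key.  ipsec.secrets holds the PSK in clear text, so it
# must be root-only (mode 600).  The entry form is
#   <local-selector> <remote-selector> : PSK "secret"
# the original line put the colon after the local address and had no ':'
# before PSK, which is not the documented form.  %any matches whatever local
# address the client ends up with; $DesVPNsrv and $PSK come from Step 0.
vi /etc/ipsec.secrets
cat <<EOF >> /etc/ipsec.secrets
%any $DesVPNsrv : PSK "$PSK"
EOF
chmod 600 /etc/ipsec.secrets
/etc/init.d/ipsec start
# NOTE(review): "verify" is an Openswan/Libreswan subcommand; the strongSwan
# init script presumably does not implement it -- confirm or drop.
sudo /etc/init.d/ipsec verify
# The conn is named L2TP-PSK-noNAT in ipsec.conf (and in Step 3); the original
# `ipsec up L2TP-PSK` referred to a conn that does not exist.
ipsec up L2TP-PSK-noNAT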
Step 2: Configure L2TP
# Step 2a: xl2tpd LAC section.  The heredoc stays unquoted so $DesVPNsrv
# (Step 0) is substituted; every other line is written literally, including
# the inline ';' comments.  Appends (>>) to the existing file.
vi /etc/xl2tpd/xl2tpd.conf
cat >> /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myVPN]
; set this to the ip address of your vpn server
lns = $DesVPNsrv
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
redial = yes ; Перподключаться при потере соединения
redial timeout = 5 ; Сколько ждать между попытками соединиться
autodial = yes ; Автоматически устанавливать связь при старте сервиса
EOF
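# Step 2b: pppd options for the L2TP link.  The file receives the PPP
# credentials in clear text (name/password below, from Step 0), so it is
# restricted to root after writing.  The heredoc is unquoted so $VPNuser and
# $VPNpass are substituted.
# defaultroute + usepeerdns: all traffic and DNS go through the tunnel once up.
# noauth: do not require the server to authenticate itself to this client.
vi /etc/ppp/options.l2tpd.client
cat <<EOF >> /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
logfile /var/log/xl2tpd.log
idle 1800
mtu 1400
mru 1400
defaultroute
usepeerdns
debug
connect-delay 5000
name $VPNuser
password $VPNpass
EOF
chmod 600 /etc/ppp/options.l2tpd.client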
Step 3: RUN L2TP
# Step 3: bring the tunnel up.  Same command sequence as the notes, with the
# service calls grouped; the repeated restarts and 8-second pauses are kept.
for svc in xl2tpd ipsec; do
  sudo service "$svc" stop
done
sudo mkdir -p /var/run/xl2tpd
sudo touch /var/run/xl2tpd/l2tp-control
for svc in xl2tpd ipsec; do
  sudo service "$svc" restart
done
sudo ipsec update
sudo ipsec reload
for svc in xl2tpd ipsec; do
  sudo service "$svc" status
done
sleep 8
sudo ipsec down L2TP-PSK-noNAT
sudo ipsec up L2TP-PSK-noNAT
sleep 8
sudo service xl2tpd restart
sleep 8
# "c myVPN" on the control file asks xl2tpd to dial the [lac myVPN] section
sudo bash -c 'echo "c myVPN" > /var/run/xl2tpd/l2tp-control'
sleep 8
sudo service xl2tpd restart
sleep 8
Step 4: ADD ROUTE
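# Step 4: host route via the PPP peer.  The original interpolated the grep
# result straight into `ip route add`; when ppp0 is absent or has no peer the
# command silently became `ip route add ... via dev ppp0`.  Resolve the peer
# first and refuse to add the route when it is empty.
ROUTE_DST="192.168.88.250"   # host reached through the tunnel (value from the notes)
ppp_peer=$(ip address show dev ppp0 | grep -Po '(?<=peer )(\b([0-9]{1,3}\.){3}[0-9]{1,3}\b)')
if [[ -z "$ppp_peer" ]]; then
  printf 'ppp0 has no peer address; is the L2TP link up?\n' >&2
else
  ip route add "$ROUTE_DST" via "$ppp_peer" dev ppp0
fi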
------------------------------------------------------------------------------------------------------------------------
OPENVPN:
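# OpenVPN client: package, working directory and credential files.
# The original fused `apt-get install openvpn -y` and `mkdir -p ...` on one
# line, so "mkdir", "-p" and the directory were passed to apt-get as package
# names.
apt-get install openvpn -y
mkdir -p /autostart/openVPN/
cd /autostart/openVPN/ || exit 1
# Both files hold clear-text secrets (key passphrase; user/password), so they
# are created root-only before anything is written into them.  The filename
# typo "OVPNpassphare" is kept because the openvpn and monitoring commands
# elsewhere in these notes reference it.
touch ./OVPNpassphare.txt ./OVPNauth.txt
chmod 600 ./OVPNpassphare.txt ./OVPNauth.txt
# printf, not echo: the passphrase is data and must not be parsed as options
printf '%s\n' "$Passphrase" > ./OVPNpassphare.txt
# NOTE(review): $USERNAME and $PASSWORD are expected from the calling shell;
# some environments pre-set USERNAME -- confirm the values before writing.
cat <<EOF >> ./OVPNauth.txt
$USERNAME
$PASSWORD
EOF
# --askpass supplies the passphrase of the encrypted private key embedded in
# the profile
openvpn --config /autostart/openVPN/CI_ovp_Ar.ovpn --askpass /autostart/openVPN/OVPNpassphare.txt --daemon
# show the resulting client profile (its contents are listed below)
cat /autostart/openVPN/CI_ovp_Ar.ovpn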
# OpenVPN client profile (/autostart/openVPN/CI_ovp_Ar.ovpn) with inline CA,
# certificate and encrypted key.
client
dev tun
# NOTE(review): the server profile at the end of these notes uses "proto udp";
# client and server must agree -- confirm which one is right.
proto tcp
# require the server certificate to carry the TLS server extended key usage,
# so a client certificate cannot be used to impersonate the server
remote-cert-tls server
nobind
# NOTE(review): "cipher" is deprecated in OpenVPN 2.5+ in favour of
# data-ciphers -- confirm the installed version before relying on it
cipher AES-256-CBC
# credentials come from the clear-text file written by the setup commands
auth-user-pass /autostart/openVPN/OVPNauth.txt
persist-key
persist-tun
# verb is set again (to 0) further down; the later value presumably takes
# effect -- keep only one of the two
verb 3
route XXX.XXX.XXX.XXX 255.255.254.0
remote XXX.XXX.XXX.XXX PPPP
# Status log: transferred data etc.
status /var/log/openvpn-status.log
# Client log
log /var/log/openvpn.log
# Log level: 0 records only critical errors; set 9 for debugging if more detail is needed
verb 0
# Number of entries after which a write to the log happens
# (OpenVPN's "mute n" actually caps consecutive messages of one category at n)
mute 20
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
# encrypted private key; the passphrase is supplied via --askpass at start
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
Monitoring:
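#!/bin/bash
# VPN liveness check: ping the L2TP peer; on failure also ping DESTIP, record
# the result, notify via Telegram and re-launch the OpenVPN client.
# Appends timestamped lines to /var/log/siphostcheck.log.
AMIip="XXX.XXX.XXX.XXX"
DESTIP="XXX.XXX.XXX.XXX"
# The bot token and chat id are secrets: load them from a root-only file or
# the environment instead of leaving them in the script (values as in the notes).
TG_BOT_TOKEN="5710478797:-o8"
TG_CHAT_ID="-XXXXXXXXXXXXXXXXXXX"
LOGFILE="/var/log/siphostcheck.log"

# log_line LEVEL MESSAGE -- append " <date> [LEVEL] MESSAGE " to LOGFILE,
# the same line format the original echo calls produced.
log_line() {
  printf ' %s [%s] %s \n' "$(date)" "$1" "$2" >> "$LOGFILE"
}

printf '%s\n' 'Begin ping'
# test the command directly instead of inspecting $? afterwards
if ping -c 2 "$AMIip" > /dev/null; then
  log_line info "OK-OK-OK L2TP ping to $AMIip"
else
  log_line error "NO-NO-NO L2TP ping to $AMIip"
  # second probe: is the destination behind the tunnel reachable at all?
  # (output discarded like the first probe; the original let it through)
  if ping -c 2 "$DESTIP" > /dev/null; then
    log_line info "OK-OK-OK DESTIP ping to $DESTIP"
  else
    log_line error "NO-NO-NO DESTIP ping to $DESTIP"
  fi
  # --data-urlencode so the spaces and '!' in the text are encoded; -f turns
  # a non-2xx reply into a failure that gets logged instead of being ignored
  curl -s -f -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \
    -d "chat_id=${TG_CHAT_ID}" \
    --data-urlencode "text=VPN on PROD server is down! Try reconect " \
    || log_line error "Telegram notification failed"
  # NOTE(review): this starts a new daemon without stopping a stale one; the
  # troubleshooting notes below kill old openvpn processes first -- consider
  # doing the same here.
  openvpn --config /autostart/openVPN/CI_ovp_Ar.ovpn --askpass /autostart/openVPN/OVPNpassphare.txt --daemon
fi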
Troubleshooting:
ip a | grep tun
ps -ef | grep openvpn, and kill the daemons if the tunnel needs to be restarted
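# Manual reconnect sequence: swap the server address in the profile, stop the
# running client, start a fresh one and check reachability.
IPDESTINATION="XXX.XXX.XXX.XXX"
# placeholders on both sides; note an unescaped '.' in a sed pattern matches
# any character, so escape the dots when real addresses are substituted
sed -i "s/XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX/g" /autostart/openVPN/CI_ovp_Ar.ovpn
cat /autostart/openVPN/CI_ovp_Ar.ovpn
ip a | grep tun
ps -ef | grep openvpn
# The original `kill -11` named no PID (so it only printed a usage message),
# and -11 is SIGSEGV; terminate the running client(s) with TERM instead.
pkill -TERM -x openvpn
ping -c 2 "$IPDESTINATION"
ip a | grep tun
openvpn --config /autostart/openVPN/CI_ovp_Ar.ovpn --askpass /autostart/openVPN/OVPNpassphare.txt --daemon
ip a | grep tun
ps -ef | grep openvpn
sleep 10
ping -c 2 "$IPDESTINATION"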
--------------------------------------------------------------------------------------------------------------
For the server (OpenVPN server profile):
# OpenVPN server profile matching the client above.
# bind address of this server (placeholder)
local x.x.x.x
port 21788
# NOTE(review): the client profile above says "proto tcp"; one of the two
# must change so they agree
proto udp
dev tun
# 0 leaves the socket buffer sizes at the OS default
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC digest for the data channel and tls-auth
auth SHA512
# tls-auth with key direction 0 (clients use 1): packets without a valid HMAC
# are dropped before any TLS handshake work is done
tls-auth ta.key 0
topology subnet
server 10.x.x.x 255.255.255.0
#route 10.x.x.x 255.255.255.0
ifconfig-pool-persist ipp.txt
# clients route all traffic and use 1.1.1.1 for DNS through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
# allows several clients to connect with the same certificate CN at once;
# this removes per-client accountability and means one device cannot be
# revoked without affecting the others -- prefer one certificate per client
duplicate-cn
# NOTE(review): "cipher" is deprecated in OpenVPN 2.5+ (data-ciphers) --
# confirm the installed version
cipher AES-256-CBC
# drop root privileges after start-up
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
# 9 is the maximum verbosity: useful while debugging, too noisy and
# disk-hungry for steady state (the client profile above uses 0..3)
verb 9
# reject client certificates listed in the CRL
crl-verify crl.pem