OpenWrt L2TP/IPSEC VPN client for Mikrotik server

Published by razvan on

Required:

  • OpenWRT installed on your router
  • SSH access to the router and SSH skills
  • working L2TP server with IPSEC

Login through SSH to the router and lets install required packages, please ensure you have enough free space. This install step will take some time so you should just wait for it to finish.

# opkg update
# opkg install xl2tpd strongswan-default

Now we will remove content of the following files using command:

# > /etc/ipsec.conf 
# > /etc/ipsec.secrets
# > /etc/xl2tpd/xl2tpd.conf

Add the following config lines to files:

  • /etc/ipsec.conf
config setup
 
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp2048!
  esp=aes128-sha1-modp2048!
 
conn mikrotik
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=MIKROTIK_IP_GOES_HERE
  • /etc/ipsec.secrets
: PSK "xxxxxxxxxxxxxxxxxxxx"
  • /etc/xl2tpd/xl2tpd.conf
[lac mikrotik]
lns = MIKROTIK_HOSTNAME_GOES_HERE
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
  • /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
#noipdefault
defaultroute
usepeerdns
connect-delay 5000
name YOUR_USERNAME
password YOUR_PASSWORD

Now we need to enable ipsec and xl2tp services to run on startup then start them manually right now.

# /etc/init.d/ipsec enable
# /etc/init.d/xl2tpd enable
# /etc/init.d/ipsec restart
# /etc/init.d/xl2tpd restart
# ipsec restart
# ipsec up mikrotik

RIght now IPSEC tunnel should be up and running, but we will need to add static route to the remote net with command:

# ip route add x.x.x.x/x dev ppp0

With this steps done the last one from cli is to start L2TP connection with:

# echo "c mikrotik" > /var/run/xl2tpd/l2tp-control

From web interface we will need to create network interface and fiewall zone:

  • Go to the menu –> Network –> Interfaces
  • Select “Add new interface
  • Type a name (ex. ppp0) ,protocol of the new interface should be Unmanaged and Cover network interface should be ppp0 then press submit button and then save and apply
  • Now go to Network –> Firewall
  • Select “Add” from zones area
  • Add a name, check “Masquerading” checkbox, on Covered networks select ppp0 (name of interface created steps ago) and for Allow forward from source zones select lan

After this are done rerun command from SSH then we are done:

# echo "c mikrotik" > /var/run/xl2tpd/l2tp-control

Categories: Blog

1 Comment

Fer · February 20, 2023 at 10:07 pm

and the post update? 🙁

Reply

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Blog

AWX building custom execution environment

AWX default execution environment is pretty strong but in some cases it is not enough. There days I wanted to run a play which require json_query for filtering out some outputs. All went well during Read more

Blog

ESP32 temperature sensor with Zabbix

One of our clients requested us a solution to monitor temperature in their datacenters with one condition, this should send data to a Zabbix server without cloud or any other integrations directly using a WIFI Read more

Blog

Logstash email alert

Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite “stash.” In out case we are sending logs Read more