AWS - VyOS L2TP Server Config (Double NAT)

aws
vpn
l2tp
access
cloud


Hi guys,

Here is my config (as commands) for getting an L2TP server working on AWS. Note that this only worked on VyOS 1.2.0; the exact same config on 1.1.8 did NOT work. The dummy interface was needed to get around the double NAT.

# Dummy interface carrying the instance's public IP so IPsec can terminate on
# that address (behind AWS NAT the instance itself only sees its private address).
set interfaces dummy dum0 address 'Public_IP_VyOS/32'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ipsec-interfaces interface 'dum0'

# DNAT exclusion: traffic arriving on eth0 from the VPC LAN is left untouched.
set nat destination rule 1 description 'exclude from NAT'
set nat destination rule 1 'exclude'
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 log 'disable'
set nat destination rule 1 source address 'VPC_LAN/24'

# DNAT exclusion: same for anything sourced from 192.168.0.0/16 (covers the L2TP pool).
set nat destination rule 2 description 'exclude from NAT'
set nat destination rule 2 'exclude'
set nat destination rule 2 inbound-interface 'eth0'
set nat destination rule 2 source address '192.168.0.0/16'

# DNAT rule 10 ('antinat'): all remaining inbound eth0 traffic is rewritten to the
# public IP held on dum0. NOTE(review): there is no destination or port match here,
# so this rewrites every non-excluded packet entering eth0 — confirm that is intended.
set nat destination rule 10 description 'ext. to int. antinat'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log 'enable'
set nat destination rule 10 translation address 'Public_IP_VyOS'

# SNAT rule 10: masquerade the L2TP client pool (192.168.200.0/24) when it leaves via eth0.
set nat source rule 10 log 'disable'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.200.0/24'
set nat source rule 10 translation address 'masquerade'

# Accept IPsec peers that are themselves behind NAT, from any network, and enable
# NAT-T (presumably needed because the VyOS instance sits behind AWS NAT — verify).
# NOTE(review): 0.0.0.0/0 is the widest possible setting; narrow it if client
# source ranges are known.
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'

# Local user database for L2TP. Values shown are placeholders; the real password is
# stored in plaintext in the VyOS configuration.
set vpn l2tp remote-access authentication local-users username 'some_user' password 'secret_pass'

# L2TP remote-access settings: local authentication, client pool 192.168.200.1-.255,
# IPsec with a pre-shared secret, 3600 s IKE and SA lifetimes, 1800 s idle timeout,
# DNS/WINS both pointed at one server, and the listener bound to the public IP on dum0.
# NOTE(review): pool stop '.255' is the /24 broadcast address — confirm VyOS skips it.
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.200.1'
set vpn l2tp remote-access client-ip-pool stop '192.168.200.255'
set vpn l2tp remote-access description 'L2TP-VPN'
set vpn l2tp remote-access dns-servers server-1 'DNS_server_IP'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'Some_PSK'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address 'Public_IP_VyOS'
set vpn l2tp remote-access wins-servers server-1 'DNS_server_IP'

You will need the following UDP ports opened in your security group:

UDP 1701
UDP 4500
UDP 500

Also, in Windows 10 I had to configure the VPN adapter to allow the 'MS-CHAP v2' auth protocol.
RADIUS and split tunneling are on the to-do list, if anyone has experience with either, let me know!