Vyos configuration VPN L2TP

Hi everyone, I need help with a new implementation of VyOS (1.4) with routing and VPN. I am trying to implement an L2TP VPN and an internal route to a server using this configuration:

1- Configure IP address on both interfaces

set interfaces ethernet eth0 address <EXTERNAL_IP_ADDRESS>
set interfaces ethernet eth0 description 'External'
set interfaces ethernet eth1 address '192.168.224.1/24'
set interfaces ethernet eth1 description 'VMNet01'
set protocols static route 0.0.0.0/0 next-hop <External_IP_Gateway>

2- Set the ssh service

set service ssh port 22
set service ssh listen-address 0.0.0.0

3- DNS forwarding

set service dns forwarding system
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding listen-address 192.168.224.1
set service dns forwarding allow-from 192.168.224.0/24

5- Configure redirection through the l2tp

set nat source rule 10 description 'Configure L2TP redirection'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address <VPN_IP_POOL>
set nat source rule 10 translation address masquerade

6- Configure L2TP VPN Access

set vpn ipsec interface eth0
set vpn l2tp remote-access outside-address <EXTERNAL_IP_ADDRESS>
set vpn l2tp remote-access client-ip-pool start <VPN_POOL_START>
set vpn l2tp remote-access client-ip-pool stop <VPN_POOL_STOP>
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret Thi$I$my$3cr3t
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user password 'P4$$w0rd'

7- Configure firewall

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 90 action 'accept'

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 destination port '500'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 60 action 'accept'
set firewall name OUTSIDE-LOCAL rule 60 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 60 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 60 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 70 action 'accept'

8- Activate firewall

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

However, I have these problems

1- I need to route internet traffic directly, not through the VyOS.
2- I am unable to reach the internal network on eth1; it has ping, SQL and RDP enabled, but I can't get to it.

What am I missing?
Any help will be appreciated

Regards
Daniel.
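An added example, not part of Daniel's post or of any reply in this thread: the "Configure firewall" section above rewritten without its unconditional accept rules. As posted, rule 90 of OUTSIDE-IN and rules 20 and 70 of OUTSIDE-LOCAL have an accept action and no match criteria, so any packet not already handled by an earlier rule is accepted there and the default-action drop on both rulesets never takes effect; in particular, with SSH listening on 0.0.0.0, rule 20 of OUTSIDE-LOCAL exposes SSH to the whole internet. The rules below keep exactly the services the post opens (ESP, IKE on UDP/500, NAT-T on UDP/4500, L2TP on UDP/1701 only after IPsec decryption) and add an SSH rule restricted to a single source; the placeholder <ADMIN_IP> is an assumption for this example, as is the choice of rule number 80. Command syntax follows the post (VyOS 1.4 `firewall name` style).

```vyos
# Added example (not from the original post): tightened version of the
# OUTSIDE-IN / OUTSIDE-LOCAL rulesets. Remove the posted rulesets first so the
# catch-all rules (OUTSIDE-IN 90, OUTSIDE-LOCAL 20 and 70) do not survive.
delete firewall name OUTSIDE-IN
delete firewall name OUTSIDE-LOCAL

# Transit traffic arriving on eth0: only replies to connections initiated
# from the inside. No trailing accept rule, so default-action 'drop' applies.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# Traffic addressed to the router itself on eth0.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'

# IPsec for the L2TP clients: ESP, IKE (UDP/500) and NAT-T (UDP/4500),
# the same three rules as in the post.
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 destination port '500'
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 50 destination port '4500'

# L2TP (UDP/1701) only when it arrives inside IPsec; a bare UDP/1701 packet
# from the internet falls through to default-action 'drop'.
set firewall name OUTSIDE-LOCAL rule 60 action 'accept'
set firewall name OUTSIDE-LOCAL rule 60 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 60 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 60 ipsec 'match-ipsec'

# SSH from the WAN side only from one management address. <ADMIN_IP> is an
# assumed placeholder; delete this rule if SSH is only needed from eth1.
set firewall name OUTSIDE-LOCAL rule 80 action 'accept'
set firewall name OUTSIDE-LOCAL rule 80 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 80 destination port '22'
set firewall name OUTSIDE-LOCAL rule 80 source address '<ADMIN_IP>'

# Attach the rulesets exactly as in the "Activate firewall" step.
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
commit
```

After `commit`, reconnect a client and check that the tunnel still comes up with `show vpn ipsec sa` and that the rule counters in `show firewall` move on rules 30 to 60 rather than on a catch-all. Note that these two rulesets only govern packets entering on eth0: once a client's L2TP session is up, its traffic towards the eth1 network leaves the PPP (l2tp) interface and is not filtered by OUTSIDE-IN, so tightening them does not by itself explain or fix the VPN-to-LAN problem described in the post.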

Hi @dgchultaeiz ,

Regarding routes - this is determined by the client side.
Try to do it like in this video:
https://www.youtube.com/watch?v=RtFWxQcqa8M

Hi @dgchultaeiz, in your case it would be most suitable to use VPN protocols like WireGuard, OpenVPN or OpenConnect, which can install routes on demand. But as an alternative you can use the trick described by @Nikolay.

Hi @dgchultaeiz,
Regarding access to internal resources, you can try to configure a VPN network on the eth1 interface and configure the gateway.

set interfaces ethernet eth1 address <VPN_IP_GATEWAY>
set vpn l2tp remote-access client-ip-pool start <VPN_POOL_START>
set vpn l2tp remote-access client-ip-pool stop <VPN_POOL_STOP>
set vpn l2tp remote-access gateway-address <VPN_IP_GATEWAY>
  1. Try allowing <VPN_IP_POOL> on OUTSIDE-IN. Maybe traffic from the L2TP client re-enters on the WAN interface after decryption.
  2. L2TP doesn't advertise routes, so you end up with a classful route on the client: /8 for a 10.x client address, /24 for a 192.168.x.x client address. Using 10.x everywhere can be a way out.
     With a Windows client, the PowerShell cmdlet Add-VpnConnectionRoute can alter the VPN entry to include hard-coded route(s).

Everybody, I modified the script, and in the source NAT I removed this code:

set nat source rule 10 description 'Configure L2TP redirection'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address <VPN_IP_POOL>
set nat source rule 10 translation address masquerade

and replaced it with:

set nat source rule 10 description 'Configure L2TP redirection'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address <INTERNAL_IP_RANGE>
set nat source rule 10 translation address masquerade

After that I got connectivity through the L2TP connection to the internal network.

@Nikolay thanks for the video, it was useful. However, I have a problem with that solution: I don't receive a gateway address on the IP address of the L2TP connection.
What am I doing wrong in the implementation?
@16again regarding your point 1, I tried without a firewall, just the NAT rules, and I get the same error. About point number 2, I am using /24 for my L2TP addresses, which is not the same as the internal network: 192.168.224.0/24 for my internal network and 192.168.255.0/24 for my L2TP pool. Am I OK?

Thanks all for the assistance…

Regards

If L2TP gets a class C address (192.168.222.x/24) by default, the VPN client will end up with a 192.168.222.x/24 route over the tunnel, and optionally a route for all traffic (Windows checkbox: "Use default gateway on remote network").