Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: besterl on May 01, 2014, 09:07:42 PM
-
I would like to establish a L2TP tunnel from eth1 and use that tunnel as primary route for all my outbound / inbound traffic.
To explain - My ISP allows me to get single fixed IPs using L2TP VPN tunnels over a normal ADSL connection. This is a nice option for us, as most clients do not need more than a single fixed IP address. Currently I have to do this with a Billion router, which is a pain in the neck to configure and also quite expensive for some clients.
I have tested this L2TP with Windows and I can place a Windows host on this fixed public IP using an L2TP VPN client over the ADSL connection. I do not, however, want to put a Windows box on the internet; I want my SME server to be the one facing the internet, and from there I can port forward to my heart's content.
In standard config setup, there are options for dial-up, fixed IP, PPPOE, DHCP and others for the external interface, but nothing for a VPN connection.
Any ideas would be welcomed.
-
SME server is in theory capable of doing this, but I think there are so many permutations of possible configurations and low demand, so support is unlikely to be included in the SME server software.
There are multiple different types of VPN connection, so someone would need to know more details of your ISP's configuration in order to help you work out a configuration.
-
This is a simple L2TP connection to a fixed IP at the ISP using PAP authentication.
Obviously you supply a username and password as well.
The ISP then supplies your fixed IP allocated to your specific username.
This is becoming popular for the simple reason that it is a cheap way to get a fixed IP, and other router manufacturers like DrayTek etc. are also starting to supply this functionality in their higher-end routers.
I agree that this must be possible in SME. Let us for argument's sake say we create a new adapter called tun1 by establishing the connection and make it the default.
Here is an explanation of someone doing this on a vanilla CentOS 5 box; I am not sure though how the templates used in SME will affect this.
https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
This area interests me particularly....
Routing all traffic through the tunnel
This is a lot more complex, but all your traffic will travel through the tunnel. Start by adding a special route for the actual VPN server through your current gateway:
# ip route add 68.68.32.79 via 192.168.1.1 dev eth0
This will ensure that once the default gateway is changed to the ppp interface that your network stack can still find the VPN server by routing around the tunnel. If you miss this step you will lose connectivity to the Internet and the tunnel will collapse. Now add a default route that routes to the PPP remote end:
# ip route add default via yyy.yyy.yyy.yyy dev eth0
The remote PPP end can be discovered by following the step in the previous section. Now to ensure that ALL traffic is routing through the tunnel, delete the original default route:
# ip route delete default via 192.168.1.1 dev eth0
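The three-step reroute quoted above, written out as a small pppd ip-up style helper. This is an added example and is not part of the original post or of the Arch wiki page it quotes. It assumes the tunnel comes up as a ppp interface (ppp0) and that pppd hands the peer address to the hook as its fifth argument; the L2TP server, PPP peer and gateway addresses are constructed placeholders from the RFC 5737 documentation ranges. The point it enforces is the ordering the quoted text warns about: the host route to the L2TP server is pinned through the old gateway before the old default route is removed, so the tunnel's own packets never lose their path.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Arch wiki): the "route all traffic
# through the tunnel" procedure as a reviewable plan plus an executor.
# All addresses are constructed placeholders; nothing here is tied to a real ISP.

# Dotted-quad check in plain POSIX sh (no regex extensions): four octets, each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# plan_reroute VPN_SERVER PPP_PEER PPP_IF OLD_GW WAN_IF
# Prints the three route changes, one per line, in the only safe order:
#   1. host route to the L2TP server via the existing gateway (keeps the tunnel alive),
#   2. new default route via the PPP peer on the ppp interface,
#   3. only then remove the old default route.
plan_reroute() {
    vpn_server="$1"; ppp_peer="$2"; ppp_if="$3"; old_gw="$4"; wan_if="$5"
    for a in "$vpn_server" "$ppp_peer" "$old_gw"; do
        is_ipv4 "$a" || { echo "plan_reroute: bad IPv4 address: $a" >&2; return 1; }
    done
    printf 'ip route add %s via %s dev %s\n' "$vpn_server" "$old_gw" "$wan_if"
    printf 'ip route add default via %s dev %s\n' "$ppp_peer" "$ppp_if"
    printf 'ip route delete default via %s dev %s\n' "$old_gw" "$wan_if"
}

# apply_reroute takes the same arguments. With DRY_RUN=1 (the default here) it only
# prints the plan; with DRY_RUN=0 it runs each command and stops at the first failure,
# so a failed host route never leads to the old default being deleted.
apply_reroute() {
    plan=$(plan_reroute "$@") || return 1
    echo "$plan" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || exit 1
        fi
    done
}

# Stand-alone demo with placeholder addresses (prints the plan, changes nothing).
# As /etc/ppp/ip-up.local this would become, with VPN_SERVER and OLD_GW from the
# environment and pppd supplying $1 (ppp interface) and $5 (peer address):
#   DRY_RUN=0 apply_reroute "$VPN_SERVER" "$5" "$1" "$OLD_GW" eth0
apply_reroute 203.0.113.10 198.51.100.1 ppp0 192.168.1.1 eth0
```

Reviewing the printed plan before setting DRY_RUN=0 is the whole reason the plan and the execution are separate: on a remote box, getting step 1 wrong is exactly the "lose connectivity and the tunnel collapses" case the quoted text describes.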
-
This is a simple L2TP connection to a fixed IP at the ISP using PAP authentication.
Obviously you supply a username and password as well.
The ISP then supplies your fixed IP allocated to your specific username.
That's not sufficient information at all. That only tells us that PPP is involved somehow, but doesn't say anything about the transport link between your node and the ISP.
I agree that this must be possible in SME.
I would suggest that you start by adding a /service/wan/run.l2tp script, and use manual db configuration setup rather than the console UI.
Here is an explanation of someone doing this on a vanilla CentOS 5 box; I am not sure though how the templates used in SME will affect this.
https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
That's likely to be something different, because you mention PAP authentication, which isn't used for IPsec.
-
I am clearly out of my depth here.....
I will set up a test box and give some feedback on my progress.
All I can confirm is the info below as it was given to me by the ISP.
Thanks for the help so far Charlie...
-
All I can confirm is the info below as it was given to me by the ISP.
There is no "info below".
Perhaps if you could post a link to your ISP's setup documentation people might be able to give you some pointers to what you need to do.
-
Moving to General discussions.
-
Hi
Here is the link to the Setup Manual from the ISP
http://www.sws.co.za/StaticIPManual.pdf
Thanks guys - This will really be of great help if I can get this going...
-
Here is the link to the Setup Manual from the ISP...
That's not quite a technical specification - more like instructions on how to configure particular equipment. But it is enough to say that IPSec is disabled. That will make it easier to set up.
Note also that the lack of IPSec means that it's an unencrypted tunnel setup - so it's a VN, not a VPN.
-
Understood Charlie
The protection I want is on the SME server; the VN is just a means to get a static IP.
It will make mail delivery to SME and site-to-site VPNs so much easier for smaller sites.
Thanks a million once again for the consideration.