0. Установка необходимых пакетов
apt update
apt install strongswan xl2tpd -y
1. Настройка IPsec (StrongSwan)
1.0 Создаем и редактируем файл /etc/ipsec.conf:
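# Write the strongSwan client config (IKEv1 + PSK, transport mode for L2TP).
# strongSwan's ipsec.conf parser treats a line that starts at column 0 as a new
# section header, so every parameter line below MUST be indented — the flat
# version would not parse.
# Replace SERVER_VPN_IP_FIX_THIS with the VPN server address.
# The ike=/esp= proposals have to match what the server offers; 3des/sha1/modp1024
# are legacy-strength, so prefer e.g. aes256-sha256-modp2048 when the server
# supports it.
cat > /etc/ipsec.conf << 'EOF'
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn L2TP-PSK
    keyexchange=ikev1
    left=%defaultroute
    # auto=route installs a trap policy: outgoing UDP/1701 traffic to the server
    # triggers IKE and is held until the SA is up, so L2TP is never sent in the
    # clear. The start script no longer runs "ipsec up", which the previous
    # auto=add (load only, never initiate) would have required.
    auto=route
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=SERVER_VPN_IP_FIX_THIS   # fix this string
EOF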
1.1 Создаем файл с секретом
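# ipsec.secrets holds one PSK line of the form   : PSK "secret"   (the quotes
# are part of the file syntax). The original one-liner had unbalanced quotes
# and a bare "#" inside them, so the shell treated everything from "#fix" on —
# including the redirection — as a comment and the file was never written.
# Replace YOU_PSK_KEY_FIX_ME with the real PSK; prefer reading it from a
# variable or an editor rather than typing it on a command line that lands in
# shell history.
# umask 077 makes the file 0600 from the moment it is created, so the secret is
# never world-readable; the chmod afterwards also covers a pre-existing file.
( umask 077; printf '%s\n' ': PSK "YOU_PSK_KEY_FIX_ME"' > /etc/ipsec.secrets )
chmod 600 /etc/ipsec.secrets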
2. Настройка xl2tpd
Редактируем конфигурационный файл xl2tpd (в нём уже много всего) — добавляем в самый низ:
[lac myVPN]
lns = SERVER_VPN_IP_FIX_THIS #fix this string
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
3. Настройка PPP
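# pppd options for the L2TP session (the file named by "pppoptfile" in the
# xl2tpd config). It holds the VPN password in plaintext, so it is created
# under umask 077 (0600 from the start) and chmod 600 is kept for the case
# where the file already existed with wider permissions.
# Replace USERNAME_VPN_FIX_THIS / PASSWORDUSERUSER_VPN_FIX_THIS with real values.
# "debug" makes pppd log every control packet (including the authentication
# exchange) to /var/log/xl2tpd.log — remove it once the link is stable.
( umask 077; cat > /etc/ppp/options.l2tpd.client << "EOF"
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
logfile /var/log/xl2tpd.log
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name USERNAME_VPN_FIX_THIS
password PASSWORDUSERUSER_VPN_FIX_THIS
EOF
)
chmod 600 /etc/ppp/options.l2tpd.client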
4. Управление l2tp и keepalive.
Скрипт запуска и перезапуска l2tp
(да все можно сделать через network-manager, но иногда надо так)
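# Install the start/stop helper. The heredoc delimiter is quoted so nothing
# inside is expanded at install time.
cat > /usr/local/bin/l2tp-vpn.sh << 'EOF'
#!/bin/bash
# Usage: l2tp-vpn.sh {start|stop}
# Brings the xl2tpd "myVPN" LAC up or down and manages the static route over
# the ppp interface. The manual "ipsec start/up/down" steps were dropped by the
# author (marked deprecated); IPsec is presumably handled by the strongSwan
# service and its policy — confirm the tunnel is actually protected (ipsec
# statusall) before relying on it.
# Exit status: always 0 for start/stop — the monitor unit Requires this one,
# so a non-zero exit here would keep the keepalive from ever starting; problems
# are reported on stderr instead.
set -u

VPN_NAME="myVPN"                               # [lac ...] name in the xl2tpd config
CONTROL_FILE="/var/run/xl2tpd/l2tp-control"    # xl2tpd control file
VPN_ROUTE="192.168.0.0/24"                     # fix_this: network reached through the tunnel
PPP_IF="ppp0"
PPP_WAIT_SECS=20                               # how long "start" waits for the interface

# ppp_is_up: true when the ppp interface exists and reports the UP flag.
ppp_is_up() {
  ip link show "$PPP_IF" 2>/dev/null | grep -q "UP"
}

case "${1:-}" in
  start)
    echo "Starting VPN..."
    mkdir -p /var/run/xl2tpd
    # NOTE(review): xl2tpd normally creates its own control FIFO; pre-creating a
    # regular file here may pre-empt that — confirm it is needed on this system.
    touch "$CONTROL_FILE"
    sleep 2
    systemctl start xl2tpd || echo "WARNING: systemctl start xl2tpd failed" >&2
    sleep 2
    echo "c $VPN_NAME" > "$CONTROL_FILE"
    # Wait for the interface; the original printed "route added" even when it
    # never came up and the "ip route add" had failed.
    up=0
    for ((i = 0; i < PPP_WAIT_SECS; i++)); do
      if ppp_is_up; then
        echo "$PPP_IF is up"
        up=1
        break
      fi
      sleep 1
    done
    if (( up == 0 )); then
      echo "WARNING: $PPP_IF did not come up within ${PPP_WAIT_SECS}s; route not added" >&2
    else
      sleep 2
      # Drop a stale copy of the route (if any) before installing it.
      ip route del "$VPN_ROUTE" dev "$PPP_IF" 2>/dev/null
      if ip route add "$VPN_ROUTE" dev "$PPP_IF"; then
        echo "VPN started and route added"
      else
        echo "WARNING: VPN started but adding route $VPN_ROUTE failed" >&2
      fi
    fi
    ;;
  stop)
    echo "Stopping VPN..."
    ip route del "$VPN_ROUTE" dev "$PPP_IF" 2>/dev/null
    # Only talk to the control file while xl2tpd is running: if it is a FIFO
    # with no reader, the write would block this script forever (and with it
    # the monitor's restart).
    if systemctl is-active --quiet xl2tpd; then
      echo "d $VPN_NAME" > "$CONTROL_FILE" 2>/dev/null
    fi
    sleep 1
    systemctl stop xl2tpd
    echo "VPN stopped"
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
EOF
chmod +x /usr/local/bin/l2tp-vpn.sh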
#keepalive
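# Install the keepalive loop. VPN_ROUTE is set to the same placeholder as in
# l2tp-vpn.sh (the two copies on this page disagreed); if they differ the
# monitor keeps "re-adding" a route the start script never installs.
cat > /usr/local/bin/l2tp-vpn-monitor.sh << 'EOF'
#!/bin/bash
# Watchdog for the tunnel managed by /usr/local/bin/l2tp-vpn.sh: restarts it
# when the ppp interface is down and re-adds the static route when it vanishes.
# Runs forever; intended to be started by systemd. Note that the restart
# bypasses systemd (it calls the script directly), so the l2tp-vpn.service
# state does not reflect these restarts.
set -u

VPN_ROUTE="192.168.0.0/24"   # MUST match VPN_ROUTE in l2tp-vpn.sh (fix_this)
CHECK_INTERVAL=30            # seconds between checks
PPP_IF="ppp0"
VPN_SCRIPT="/usr/local/bin/l2tp-vpn.sh"

# log: timestamped message on stdout (journald keeps it under the unit).
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}

# tunnel_up: the ppp interface exists and reports the UP flag.
tunnel_up() {
  ip link show "$PPP_IF" 2>/dev/null | grep -q "UP"
}

# route_present: the exact prefix is routed via the ppp interface. Uses ip's
# own prefix/device selectors instead of grepping the table, so the dots in
# the CIDR are not treated as regex wildcards.
route_present() {
  [[ -n "$(ip route show "$VPN_ROUTE" dev "$PPP_IF" 2>/dev/null)" ]]
}

while true; do
  if ! tunnel_up; then
    log "ALERT: VPN tunnel is DOWN! Restarting..."
    "$VPN_SCRIPT" stop
    sleep 5
    "$VPN_SCRIPT" start
    log "VPN restart completed"
  elif ! route_present; then
    log "ALERT: Route $VPN_ROUTE is missing! Re-adding..."
    if ip route add "$VPN_ROUTE" dev "$PPP_IF" 2>/dev/null; then
      log "Route re-added"
    else
      log "WARNING: failed to re-add route $VPN_ROUTE"
    fi
  fi
  sleep "$CHECK_INTERVAL"
done
EOF
chmod +x /usr/local/bin/l2tp-vpn-monitor.sh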
5. Файлы systemd для скриптов:
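# keepalive: the watchdog. Requires= the VPN unit, so it only starts when the
# oneshot start succeeded, and Restart=always keeps the loop alive.
cat > /etc/systemd/system/l2tp-vpn-monitor.service << 'EOF'
[Unit]
Description=L2TP VPN Monitor Daemon
After=l2tp-vpn.service
Requires=l2tp-vpn.service

[Service]
Type=simple
ExecStart=/usr/local/bin/l2tp-vpn-monitor.sh
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

# runner: the VPN itself. network.target only means the network stack has
# started; the start script needs an actual route to the server, so order
# after network-online.target as well. NOTE(review): it should also be ordered
# after the strongSwan unit so the IPsec policy exists before xl2tpd sends
# anything (the unit name depends on the distribution package — e.g.
# strongswan-starter.service on Debian/Ubuntu; check systemctl list-units).
cat > /etc/systemd/system/l2tp-vpn.service << 'EOF'
[Unit]
Description=L2TP/IPsec VPN Client
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/l2tp-vpn.sh start
ExecStop=/usr/local/bin/l2tp-vpn.sh stop

[Install]
WantedBy=multi-user.target
EOF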
5. запуск и проверка:
Запуск:
systemctl daemon-reload
# Включаем автозапуск обоих сервисов
systemctl enable l2tp-vpn.service
systemctl enable l2tp-vpn-monitor.service
# Запускаем
systemctl start l2tp-vpn.service
systemctl start l2tp-vpn-monitor.service
Проверка:
# Статус VPN
systemctl status l2tp-vpn
# Статус монитора
systemctl status l2tp-vpn-monitor
# Проверка маршрутов
ip route | grep ppp0
# Логи монитора
journalctl -u l2tp-vpn-monitor -f
P.S. nmcli
0. Создание VPN-подключения через nmcli
# Import from a configuration file
nmcli connection import type l2tp file ~/my-vpn.conf
# Or create the connection from scratch.
# NOTE(review): the PSK given here appears in shell history and in `ps` while
# the command runs, and vpn.data is the profile's plain data section rather
# than NetworkManager's secrets store — consider supplying ipsec-psk through
# vpn.secrets (or the profile file) instead; confirm against the installed
# L2TP plugin.
nmcli connection add type vpn \
vpn-type l2tp \
con-name "MyVPN" \
vpn.data "gateway = vpn.example.com, \
ipsec-enabled = yes, \
ipsec-psk = YOUR_PSK, \
user = YOUR_USERNAME"
# Bring the VPN up:
nmcli connection up "MyVPN"
# Take it down:
nmcli connection down "MyVPN"
# Status (active connections only):
nmcli connection show --active
# List all connections:
nmcli connection show
Пример файла конфига:
work-vpn.conf
--------------
ini
[vpn]
gateway = vpn.company.com
ipsec-enabled = yes
ipsec-psk = MySecretPSK123
ipsec-ike = aes256-sha256-modp2048
ipsec-esp = aes256-sha256
user = myusername
password = MyRealPassword
[ipv4]
never-default = yes
routes = 192.168.0.0/24 10.0.0.1
--------------