Tag Archives: archlinux

l2tp ipsec linux client bash script

Hi

Here is my simple approach to an L2TP/IPsec VPN client driven by a bash script.
The main script I found at https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
and adapted it to my needs.

First we configure strongswan. The connection is in transport mode because IPsec only has to protect the L2TP packets (UDP 1701); the name of the conn block (here yourcompany) is what "ipsec up" expects later. ipsec.secrets holds the pre-shared key in clear text, so keep it readable by root only (chmod 600 /etc/ipsec.secrets):

/etc/ipsec.conf
conn yourcompany
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=2.2.2.2
    rightprotoport=17/1701
    auto=add
/etc/ipsec.secrets
2.2.2.2 : PSK "yourpsk"

Now we configure xl2tpd. The lns address must be the same host as "right" in ipsec.conf, otherwise the L2TP session would leave the IPsec tunnel. The ppp options file carries the username and password in clear text, so it should be root-only as well (chmod 600 /etc/ppp/options.l2tpd.client). Note that pppd does not replace an existing default route even with the defaultroute option, which is why the script below swaps the routes itself.

/etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = 2.2.2.2
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
connect-delay 5000
name yourusername
password yourpassword

Here is my bash script. It has to run as root and expects the strongswan daemon to be running already. The connection names are the ones from the config files above, the old default route is remembered in /run (root-only, unlike /tmp), and only the two known actions are dispatched instead of executing whatever was passed as $1:

#!/bin/bash
# L2TP/IPsec client control script: start|stop. Needs root (changes routes,
# talks to xl2tpd) and a running strongswan daemon (systemctl start strongswan).
set -u

VPN_ADDR=2.2.2.2               # VPN server, as in ipsec.conf and xl2tpd.conf
IPSEC_CONN=yourcompany         # "conn" name from /etc/ipsec.conf
L2TP_CONN=vpn-connection       # "[lac ...]" name from /etc/xl2tpd/xl2tpd.conf
CONTROL=/var/run/xl2tpd/l2tp-control
STATE=/run/l2tp-vpn.state      # old gateway/interface for stop

usage() { echo "Usage: sudo $0 {start|stop}" >&2; exit 1; }

# IPv4 address of an interface, without prefix length
getIP() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# gateway and interface of the current default route
getGateWay()   { ip -4 route show default | awk '{print $3; exit}'; }
getInterface() { ip -4 route show default | awk '{print $5; exit}'; }

# wait up to $2 seconds until interface $1 has an address
waitForPPP() {
    local i
    for ((i = 0; i < $2; i++)); do
        [ -n "$(getIP "$1")" ] && return 0
        sleep 1
    done
    echo "$1 did not come up" >&2
    return 1
}

start() {
    local gw iface
    gw=$(getGateWay); iface=$(getInterface)
    [ -n "$gw" ] || { echo "no default route found" >&2; exit 1; }
    printf '%s %s\n' "$gw" "$iface" > "$STATE"    # remembered for stop

    # host route to the VPN server via the old gateway, before the default moves
    ip route add "$VPN_ADDR" via "$gw" dev "$iface"

    ipsec up "$IPSEC_CONN" || { ip route del "$VPN_ADDR"; exit 1; }
    systemctl start xl2tpd
    sleep 2                                       # wait for the control file
    echo "c $L2TP_CONN" > "$CONTROL"
    waitForPPP ppp0 30 || exit 1

    # ppp0 is point-to-point, so a plain device route is enough; "replace"
    # overwrites the old default instead of failing with "File exists"
    ip route replace default dev ppp0
}

stop() {
    local gw iface
    [ -r "$STATE" ] || { echo "no saved state in $STATE, was start run?" >&2; exit 1; }
    read -r gw iface < "$STATE"

    # tear down in reverse order: PPP/L2TP first, then IPsec
    echo "d $L2TP_CONN" > "$CONTROL"
    systemctl stop xl2tpd
    ipsec down "$IPSEC_CONN"

    ip route del "$VPN_ADDR"
    ip route replace default via "$gw" dev "$iface"
    rm -f "$STATE"
}

[ "$(id -u)" -eq 0 ] || usage
case "${1:-}" in                # dispatch only known actions, never run "$1" itself
    start) start ;;
    stop)  stop ;;
    *)     usage ;;
esac
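Before the first "start" it pays to check that the four files agree with each other: the IPsec peer and the L2TP server must be the same host, the PSK entry must exist for that host, and the two files holding clear-text secrets must not be readable by other users. The checker below is an added example, not part of the original post or of the Arch wiki script; it assumes the file paths used above and demonstrates itself on a constructed copy of the placeholder configuration (2.2.2.2, yourcompany, vpn-connection) in a temporary directory.

```shell
#!/bin/bash
# Pre-flight check for the L2TP/IPsec client files above. Added example, not
# the post's own code. It verifies that ipsec.conf, ipsec.secrets, xl2tpd.conf
# and the ppp options file agree on names and addresses, and that the two files
# holding plaintext secrets are not readable by other users. $1 is an optional
# directory prefix, so a copy of the files can be checked (as the demo below does).

# names of every "conn" block except %default
ipsec_conn_names() {
    awk '/^conn[[:space:]]+/ && $2 != "%default" { print $2 }' "$1"
}

# value of "right=" inside the named conn block (the VPN server address)
ipsec_conn_right() {
    awk -v want="$2" '
        /^conn[[:space:]]+/ { in_conn = ($2 == want); next }
        in_conn && /^[[:space:]]*right[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); sub(/[[:space:]]*(#.*)?$/, ""); print; exit }' "$1"
}

# names of every [lac ...] section in xl2tpd.conf
l2tp_lac_names() {
    sed -n 's/^\[lac[[:space:]][[:space:]]*\(.*\)\][[:space:]]*$/\1/p' "$1"
}

# "lns =" address of the named lac section
l2tp_lns() {
    awk -v want="$2" '
        /^\[/ { in_lac = ($0 == "[lac " want "]"); next }
        in_lac && /^[[:space:]]*lns[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); sub(/[[:space:]]*(;.*)?$/, ""); print; exit }' "$1"
}

# does ipsec.secrets carry a PSK line for this server address?
secrets_have_psk() {
    local addr
    addr=$(printf '%s' "$2" | sed 's/\./\\./g')    # literal dots in the regex
    grep -Eq "^[[:space:]]*$addr[[:space:]]*:[[:space:]]*PSK[[:space:]]" "$1"
}

# fails if group or other have any permission bit on the file
secret_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run every check; prints one line per problem and returns the problem count
check_setup() {
    local prefix=${1:-} problems=0 conn lac server lns f
    local ipsec_conf=$prefix/etc/ipsec.conf secrets=$prefix/etc/ipsec.secrets
    local l2tp_conf=$prefix/etc/xl2tpd/xl2tpd.conf ppp_opts=$prefix/etc/ppp/options.l2tpd.client

    conn=$(ipsec_conn_names "$ipsec_conf" | head -n 1)
    lac=$(l2tp_lac_names "$l2tp_conf" | head -n 1)
    [ -n "$conn" ] || { echo "no conn block in $ipsec_conf"; problems=$((problems + 1)); }
    [ -n "$lac" ]  || { echo "no [lac] section in $l2tp_conf"; problems=$((problems + 1)); }

    server=$(ipsec_conn_right "$ipsec_conf" "$conn")
    lns=$(l2tp_lns "$l2tp_conf" "$lac")
    if [ "$server" != "$lns" ]; then
        echo "ipsec right=$server but xl2tpd lns=$lns: tunnel and L2TP session would go to different hosts"
        problems=$((problems + 1))
    fi
    secrets_have_psk "$secrets" "$server" || { echo "no PSK entry for $server in $secrets"; problems=$((problems + 1)); }

    for f in "$secrets" "$ppp_opts"; do
        secret_file_private "$f" || { echo "$f is readable by group/other, chmod 600 it"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Demo on a constructed copy of the post's placeholder files in a temp dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/etc/xl2tpd" "$demo_dir/etc/ppp"
printf 'conn yourcompany\n    keyexchange=ikev1\n    authby=secret\n    right=2.2.2.2\n' > "$demo_dir/etc/ipsec.conf"
printf '2.2.2.2 : PSK "yourpsk"\n' > "$demo_dir/etc/ipsec.secrets"
printf '[lac vpn-connection]\nlns = 2.2.2.2\n' > "$demo_dir/etc/xl2tpd/xl2tpd.conf"
printf 'name yourusername\npassword yourpassword\n' > "$demo_dir/etc/ppp/options.l2tpd.client"
chmod 600 "$demo_dir/etc/ipsec.secrets" "$demo_dir/etc/ppp/options.l2tpd.client"
check_setup "$demo_dir" && echo "setup consistent"
```

Run it without an argument on the real box to check the live files; a mismatch between right= and lns= is exactly the kind of slip that otherwise only shows up as an L2TP session going out unencrypted or never connecting.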

debian jessie as kvm guest high cpu load

Hi

I was wondering about the high CPU load of my Debian jessie KVM guests. This is what top showed (the VIRT, RES, SHR and %MEM columns were empty in the captured output):

PID USER PR NI S %CPU TIME+    COMMAND
 18 root 20  0 S 11,0 50:10.35 ksoftirqd/2
 28 root 20  0 S 11,0 49:45.90 ksoftirqd/4
 13 root 20  0 S 10,1 51:25.18 ksoftirqd/1
 23 root 20  0 S 10,1 55:42.26 ksoftirqd/3
 33 root 20  0 S  8,3 43:12.53 ksoftirqd/5
  3 root 20  0 S  7,4 43:19.93 ksoftirqd/0

The more load my KVM guests had, the more CPU time went to the kernel's ksoftirqd threads.
I was using 3.16.0-4-amd64.

My host machines were Ubuntu 14.04 and Arch Linux; both showed the same issue.

The simple solution was to install the backports kernel 4.2.0-0.bpo.1-amd64 or to compile a fresh vanilla kernel via make localyesconfig.

It seems to be a Debian kernel bug.
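To tell whether a guest is affected, it helps to have the ksoftirqd share as one number rather than eyeballing top. The helper below is an added example, not from the original post: it sums the %CPU column of every ksoftirqd/N line in batch-mode top output and compares it against a threshold. The sample output is constructed to mirror the table above (decimal comma as in a German locale); the VIRT/RES/SHR/%MEM values in it are made up so that the lines have the 12 columns real top output has.

```shell
#!/bin/bash
# Quantify the ksoftirqd share from "top -b -n 1" output. Added example, not
# from the original post. SAMPLE_TOP is constructed to mirror the table in the
# post (decimal comma, as in a German locale); VIRT/RES/SHR/%MEM values are
# made up so the line layout matches real top output (12 columns, %CPU is $9).
SAMPLE_TOP='  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
   18 root      20   0       0      0      0 S  11,0  0,0  50:10.35 ksoftirqd/2
   28 root      20   0       0      0      0 S  11,0  0,0  49:45.90 ksoftirqd/4
   13 root      20   0       0      0      0 S  10,1  0,0  51:25.18 ksoftirqd/1
   23 root      20   0       0      0      0 S  10,1  0,0  55:42.26 ksoftirqd/3
   33 root      20   0       0      0      0 S   8,3  0,0  43:12.53 ksoftirqd/5
    3 root      20   0       0      0      0 S   7,4  0,0  43:19.93 ksoftirqd/0
 1234 root      20   0  123456   7890   1234 S   1,0  0,1   0:01.00 sshd'

# sum of the %CPU column over every ksoftirqd/N line in top output given as $1
ksoftirqd_cpu_total() {
    printf '%s\n' "$1" | LC_ALL=C awk '
        $NF ~ /^ksoftirqd\// { v = $9; sub(",", ".", v); total += v }
        END { printf "%.1f\n", total + 0 }'
}

# succeeds when the ksoftirqd total in $1 exceeds $2 percent (of one CPU)
ksoftirqd_over_threshold() {
    LC_ALL=C awk -v t="$(ksoftirqd_cpu_total "$1")" -v lim="$2" 'BEGIN { exit !(t > lim) }'
}

# live report for the running system; $1 is the alert threshold, default 25
ksoftirqd_report() {
    local out total lim=${1:-25}
    out=$(top -b -n 1) || return 1
    total=$(ksoftirqd_cpu_total "$out")
    echo "kernel $(uname -r): ksoftirqd threads use ${total}% CPU in total"
    if ksoftirqd_over_threshold "$out" "$lim"; then
        echo "above ${lim}%: softirq processing is eating the guest, compare with a newer kernel"
    fi
}

echo "sample: $(ksoftirqd_cpu_total "$SAMPLE_TOP")% in ksoftirqd"
```

Call ksoftirqd_report on a guest before and after the kernel change; the sample above totals 57.9%, which is well over what an idle or lightly loaded guest should spend in softirq threads.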

Have fun!

systemd iptables firewall script archlinux

Hi

Here is a short howto for running a sysvinit-style firewall script (with start and stop actions) from systemd:

1st, copy your existing iptables script to /root/bin:

mkdir -p /root/bin
cp myfw /root/bin/myfw
chmod 750 /root/bin/myfw

Now let's create the systemd service as follows. A firewall should be in place before any interface is configured, so the unit orders itself before network-pre.target rather than after network.target (use After=network.target only if the script has to resolve hostnames or read interface addresses). Type=oneshot with RemainAfterExit=yes keeps the unit "active" after the script has returned, so ExecStop runs on systemctl stop:

vim /etc/systemd/system/myfw.service
[Unit]
Description=myfw
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/root/bin/myfw start
ExecStop=/root/bin/myfw stop

[Install]
WantedBy=multi-user.target

Enable the script to start at boot:

systemctl enable myfw.service

Start the firewall and check the loaded rules:

systemctl start myfw.service
iptables -S
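The howto refers to an existing iptables script with start and stop actions. The following is an added example of what such a /root/bin/myfw can look like; it is not the author's own script. It assumes IPv4 only and SSH on port 22, emits the rule sets in iptables-save format and loads them atomically with iptables-restore, so there is never a half-built ruleset on the wire. Because the rules come from functions, they can be printed with the show action (or piped into iptables-restore --test) before anything touches the kernel.

```shell
#!/bin/bash
# Example /root/bin/myfw for the unit above: added illustration, not the
# author's own firewall script. Rules are emitted in iptables-save format and
# loaded atomically with iptables-restore. Assumptions: IPv4 only, SSH on
# port 22 (override with SSH_PORT). Without an argument only the functions are
# defined, so the file can be sourced.

SSH_PORT=${SSH_PORT:-22}

# default-deny ruleset loaded by "start"
ruleset_start() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "myfw-drop: "
COMMIT
EOF
}

# open ruleset loaded by "stop": policies back to ACCEPT, chains emptied
ruleset_stop() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# pick the ruleset for an action; non-zero for anything else
ruleset() {
    case "$1" in
        start) ruleset_start ;;
        stop)  ruleset_stop ;;
        *)     return 1 ;;
    esac
}

# number of rules (-A lines) in a ruleset read from stdin
rule_count() { grep -c '^-A ' || true; }

main() {
    case "$1" in
        start|stop)
            ruleset "$1" | iptables-restore || { echo "myfw: iptables-restore failed" >&2; exit 1; } ;;
        show)
            ruleset start ;;     # print what start would load, without touching the kernel
        *)
            echo "Usage: $0 {start|stop|show}" >&2; exit 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The DROP policies are written first in the ruleset, so if the load is interrupted nothing is ever left wide open; the conntrack rule right after them is what keeps an existing SSH session alive across a reload.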

Have fun!