In the last few posts we installed L2TP over IPsec and FreeRADIUS. Today we will show how to use FreeRADIUS to authenticate L2TP login users. Let's go.

Server IP :
VPN IP range : –
VPN Gateway :
Network Interface : enp0s3

Install Radius-Server

# Packages for the RADIUS server and for building the RADIUS client later on this page.
apt-get update
# build toolchain, Perl RADIUS bindings and libgcrypt/openssl (presumably prerequisites for the
# freeradius-client build in the "L2TP Install" section below — confirm against its configure output)
apt-get install build-essential libauthen-radius-perl libauthen-simple-radius-perl libgcrypt11-dev openssl
# FreeRADIUS server plus the MySQL backend module that sql.conf relies on
apt-get install freeradius freeradius-mysql

vim /etc/freeradius/sites-enabled/default

Comment out the "files" entries and uncomment the "sql" entries, as shown in the excerpt below.

authorize {
# files
authenticate {
preacct {
#   files
accounting {
session {
post-auth {
 Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.

vim /etc/freeradius/radiusd.conf

Uncomment this line: `$INCLUDE sql.conf`

These are the database settings; in the MySQL step below we create a user and database matching them.

vim /etc/freeradius/sql.conf

# Database account used by the FreeRADIUS sql module. These are the tutorial's example values;
# whatever you choose here must match the CREATE USER statement in the MySQL section below.
login = "cannon"
password = "cannon123"
radius_db = "radius"

vim /etc/freeradius/clients.conf

Remember this shared secret; the RADIUS client on the L2TP side must be configured with the same value later.

# Shared secret between the RADIUS server and its client (NAS). Example value only: it both
# authenticates the client and protects the User-Password attribute in Access-Requests, so
# use a long random string in a real deployment and keep it out of world-readable files.
secret = 123cannon

Install Mysql

# -y answers the package prompts; the MySQL root password prompt (next paragraph) still appears
apt-get install mysql-server -y

Enter and confirm the MySQL root password when prompted.

After that, create the user and database using the settings from sql.conf above.

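mysql -u root -p
mysql> create database radius;
# 'cannon' / 'cannon123' are the tutorial's example credentials and must match sql.conf above.
mysql> CREATE USER 'cannon'@'localhost' IDENTIFIED BY 'cannon123';
# Grant only on the radius database. The original `ON * . *` made this account a full server
# administrator even though FreeRADIUS never touches anything outside radius, and its password
# sits in plain text in sql.conf.
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'cannon'@'localhost';
mysql> flush privileges;
mysql> exit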

Load the FreeRADIUS schema into the database we just created.

# Create the tables the sql module expects (listed in the "show tables" output below).
# The trailing ';' is harmless to the shell but unnecessary.
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql;
# nas table: RADIUS clients may also be defined here instead of clients.conf
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql;
mysql -u root -p
mysql> use radius;
mysql> show tables;
| Tables_in_radius |
| nas                |
| radacct            |
| radcheck           |
| radgroupcheck      |
| radgroupreply      |
| radpostauth        |
| radreply           |
| radusergroup       |
8 rows in set (0.00 sec)

L2TP Install

# L2TP daemon, PPP, and strongSwan for the IPsec layer that wraps L2TP
apt-get update
apt-get install xl2tpd ppp strongswan

Download the freeradius-client source from GitHub and unpack it into /opt, then build it:

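# Build the RADIUS client library from source. The download itself is not shown on the page:
# fetch the freeradius-client source into /opt first. Prefer a tagged release over an unpinned
# "master" snapshot and check what you downloaded before building and installing it as root.
cd /opt/ || exit 1
mv freeradius-client-master freeradius-client
# guard the cd: without it a failed rename would run configure/make in /opt itself
cd freeradius-client/ || exit 1
# --prefix=/ installs straight under /etc and /sbin, which is presumably why the rest of this
# page refers to /etc/radiusclient/... and /sbin/login.radius — confirm after "make install".
./configure --prefix=/
make && make install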

Add the following lines to the /etc/sysctl.conf file to enable forwarding on the Linux machine.

vim /etc/sysctl.conf

# Route packets between the VPN interface and the uplink; without this clients reach only the server.
net.ipv4.ip_forward = 1
# Disables reverse-path filtering on new interfaces. This is a spoofing guard, so it is worth
# knowing it is being switched off; if it is only needed for the ppp interfaces, scope it to them.
net.ipv4.conf.default.rp_filter = 0
# Refuse source-routed packets and never emit ICMP redirects from a forwarding host.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Run the following command to apply changes.

# reload /etc/sysctl.conf so the settings above take effect without a reboot
sysctl -p

Remember the secret? Put the same value in the RADIUS client's servers file:

vim /etc/radiusclient/servers

localhost 123cannon

vim /etc/radiusclient/radiusclient.conf

auth_order    radius,local
login_tries    4
login_timeout    60
nologin /etc/nologin
issue    /etc/radiusclient/issue
seqfile /var/run/freeradius/
authserver     localhost
acctserver     localhost
servers        /etc/radiusclient/servers
dictionary     /etc/radiusclient/dictionary
login_radius    /sbin/login.radius
mapfile        /etc/radiusclient/port-id-map
radius_timeout    10
radius_retries    3
bindaddr *
login_local    /bin/login


The following IPv6-related entries in the /etc/radiusclient/dictionary file should be commented out for the radius client to run:

#ATTRIBUTE      NAS-IPv6-Address        95      string
#ATTRIBUTE      Framed-Interface-Id     96      string
#ATTRIBUTE      Framed-IPv6-Prefix      97      ipv6prefix
#ATTRIBUTE      Login-IPv6-Host         98      string
#ATTRIBUTE      Framed-IPv6-Route       99      string
#ATTRIBUTE      Framed-IPv6-Pool        100     string
#ATTRIBUTE      Framed-IPv6-Address     168     ipv6addr
#ATTRIBUTE      DNS-Server-IPv6-Address 169     ipv6addr
#ATTRIBUTE      Route-IPv6-Information  170     ipv6prefix

vim /etc/pptpd.conf


vim /etc/ppp/pptpd-options

plugin /usr/lib/pppd/2.4.7/
plugin /usr/lib/pppd/2.4.7/

vim /etc/xl2tpd/xl2tpd.conf

ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range =
local ip =
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

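vim /etc/ipsec.secrets
# File contents (one line). "private" is only the tutorial's example: every L2TP client is
# handed this pre-shared key and it is the only thing protecting the IPsec layer, so generate a
# long random PSK instead (for example with `openssl rand -base64 32`, openssl is installed above).
%any : PSK "private"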

vim /etc/ipsec.conf

conn L2TP-PSK-noNAT

vim /etc/ppp/options.xl2tpd

# PPP options for the L2TP sessions (referenced by pppoptfile in xl2tpd.conf).
logfd 2
logfile /var/log/l2tp.log
asyncmap 0
# drop a session after 30 minutes without traffic
idle 1800
mtu 1200
mru 1200
name l2tpd
# keepalive: probe every 30 s, give up after 4 misses
lcp-echo-interval 30
lcp-echo-failure 4
# The plugin file names are missing from the page (cut off after the directory). These two lines
# are what hand PPP authentication to the RADIUS client configured above, so fill in the pppd
# RADIUS plugins found under /usr/lib/pppd/2.4.7/ on your system.
plugin /usr/lib/pppd/2.4.7/
plugin /usr/lib/pppd/2.4.7/

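# Restart everything in dependency order: database first, then RADIUS, then the tunnel daemons.
service mysql restart

service freeradius restart

service xl2tpd restart

# "retart" on the original page was a typo. Note that pptpd is never installed in this guide
# (xl2tpd and strongswan are), so this line only matters if pptpd is also in use.
service pptpd restart

ipsec restart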


iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -j SNAT --to-source -o enp0s3

Add User

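mysql -u root -p

mysql> use radius;

# Straight quotes: the curly quotes on the original page are a copy/paste artefact and will
# not parse. 'testing' / '123123' are example credentials only. Cleartext-Password is the form
# FreeRADIUS 2.x+ expects for the known-good password (User-Password in radcheck is the legacy
# spelling); a cleartext copy is needed because xl2tpd refuses PAP, so CHAP/MS-CHAP is used.
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testing','Cleartext-Password',':=','123123');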

Connect from a device. For example, on an Android phone go to Settings → Wireless options → VPN → Add a new VPN → VPN type: L2TP/IPSec PSK → enter your server IP and the PSK → enter your account and password → connect.
