Advice on setting up a L2TP VPN on Proxmox.

shymega (New Member), Sep 25, 2024
Hello,

(If this post seems familiar, I originally asked on the mailing list, but I'm posting it here for visibility)

I've got a Proxmox server, and I'm wanting to use an A&A L2TP VPN[0] on the Proxmox host.

I'm unsure how to set this up in `/etc/network/interfaces`, as I primarily use NetworkManager on NixOS.

I was thinking of running pfSense/opnSense in a VM, and then connecting my VMs and LXC containers behind it. The reason I'm using an L2TP VPN is because the hosting company don't offer IPv6 without a block of IPv4 IPs, and I think that's overkill. All I need is one IPv6 block and one IPv4 address.

My desired setup would be:

WAN <==> L2TP VPN <==> Proxmox host <==> Firewall VM
                                         |         |
                                   VMs  <=>       <=> LXC

[0]: https://www.aa.net.uk/broadband/l2tp-service/

Is this possible?

Thank you!
 
My desired setup would be:

WAN <==> L2TP VPN <==> Proxmox host <==> Firewall VM
                                         |         |
                                   VMs  <=>       <=> LXC

It's been a while since I set up L2TP, but I believe you are looking for this (random find, cannot vouch for it, but it looks alright):
https://smekkley.wordpress.com/tag/l2tp-without-ipsec/

You only care for the client side.

EDIT: Your ISP has an entire guide :)
https://support.aa.net.uk/L2TP_Client:_Debian

Debian's package is the same as for Ubuntu. Details on config here:
https://manpages.debian.org/bookworm/xl2tpd/xl2tpd.conf.5.en.html
 
Yeah, I did see the ISP's guide. The thing I'm stuck on is adapting the L2TP connection with `vmbr0`.

I plan to contribute a guide for Proxmox to A&A's wiki as well.

I have to wait for a KVM to be attached to my server if I lose network connection - and with the bridge, that's the part I'm stuck on.

(Also, mods: could we move this post to "Proxmox VE: Networking and Firewall" please? I just realised!)
 
Well, _ideally_, I'd like the Proxmox VE host to be connected to the L2TP tunnel via `eno1`, and all child machines (LXC or VMs) to be connected to the bridge.

Attached is my `/etc/network/interfaces` - it's the `vmbr0` and L2TP part I'm cautious about.
 
Oh, I see. OK.

The L2TP tunnel doesn't provide access to sensitive hosts - it's basically just a way to provide external IPv4/IPv6 addresses, through a tunnel.

The issue currently is that I can't get IPv6 with my host currently. A&A's L2TP tunnel is a workaround for that. So, in terms of security, I suppose using a dedicated firewall VM may be a good idea.
 
Oh, I see. OK.

The L2TP tunnel doesn't provide access to sensitive hosts - it's basically just a way to provide external IPv4/IPv6 addresses, through a tunnel.

The issue currently is that I can't get IPv6 with my host currently. A&A's L2TP tunnel is a workaround for that.

If that's the only issue, why not use a tunnel broker?
E.g. this one is for free for quite a while: https://tunnelbroker.net/

So, in terms of security, I suppose using a dedicated firewall VM may be a good idea.

Because the PVE firewall solution is so buggy, it really would depend a lot on how you bridge the interfaces, IOW I do not want any traffic to even hit the PVE instances from outside, not even if it is eventually meant for a specific guest. The last comments in bug 5859 totally got me:

- they are fixing their own firewall (so it's a problem)
- but let's hush hush not tell anyone (while doing it, as if it was not a problem, currently being worked on)
- and everyone who is running PVE exposed is beyond help (they got listed on Shodan anyways)

Now what would I do? I would get myself an old cheap EdgeRouter ER-X (if your existing networking gear does not support this) and put it in between the internet and the PVE. That box can terminate the 6in4 tunnel for you just fine and also does iptables - and does not have bugs in its firewall implementation.
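As an added illustration of the layout in the diagram above (this is not from the thread, from A&A's guide, or from Proxmox), here is one way to keep the host off the tunnel path: the host keeps its hoster address on `eno1` (the transport xl2tpd uses), terminates the tunnel as `ppp0`, hands everything that arrives through it to the firewall VM on an IP-less tunnel-side bridge, and accepts nothing itself from `ppp0` or either bridge, which is the isolation the last reply is after. Assumed: interface names `eno1`/`vmbr0`/`vmbr1`, a constructed 10.255.255.0/30 link to the firewall VM, `nodefaultroute` in the pppd options so the host's default route stays on `eno1`, and placeholders in `<...>` for the values only you and A&A know.

```conf
# ---- /etc/network/interfaces on the PVE host ----
# eno1: hoster uplink. The host's management address and the UDP/1701 path
# xl2tpd uses to reach the L2TP server live here, and only here.
auto eno1
iface eno1 inet static
        address <HOSTER_IPV4>/<PREFIXLEN>
        gateway <HOSTER_GW>
# vmbr1: tunnel-side bridge, no physical port; its only member is the firewall
# VM's WAN NIC. The /30 is constructed. Traffic that enters from vmbr1 is
# routed out via ppp0 (table 100), never via eno1.
auto vmbr1
iface vmbr1 inet static
        address 10.255.255.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up sysctl -qw net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
        post-up ip rule add iif vmbr1 lookup 100
        post-up ip -6 rule add iif vmbr1 lookup 100

# vmbr0: guest LAN, no physical port and no host address, so neither guests
# nor anything arriving through the tunnel gets a layer-3 path to the host.
auto vmbr0
iface vmbr0 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
# ---- /etc/ppp/ip-up.d/50-tunnel (assumed name; pppd runs it with the ppp interface as $1) ----
#!/bin/sh
[ "$1" = ppp0 ] || exit 0
ip route replace default dev ppp0 table 100
ip -6 route replace default dev ppp0 table 100
# <V6_PREFIX>: block A&A routes down the tunnel; <FW_LL>: firewall VM WAN
# link-local. The firewall VM, not the host, announces the block on vmbr0.
ip -6 route replace <V6_PREFIX> via <FW_LL> dev vmbr1
nft -f - <<'EOF'
table inet tunnel
delete table inet tunnel
table inet tunnel {
  chain pre  { type nat hook prerouting priority -100; iifname "ppp0" dnat ip to 10.255.255.2; }
  chain post { type nat hook postrouting priority 100; oifname "ppp0" masquerade; }
  chain in   { type filter hook input priority 0; policy accept;
               iifname "vmbr1" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
               iifname { "ppp0", "vmbr0", "vmbr1" } drop; }
  chain fwd  { type filter hook forward priority 0; policy drop;
               iifname "ppp0" oifname "vmbr1" accept
               iifname "vmbr1" oifname "ppp0" accept; }
}
EOF
```

The single IPv4 address stays on `ppp0` and is DNATed whole to the firewall VM, while the IPv6 block is routed to it natively; the firewall VM's LAN NIC on `vmbr0` is then the only thing the guests ever talk to.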
 
