# Ideal L2TP server configuration?

## The_Great_Sephiroth

I am ditching PPTP at our main office for L2TP/IPSec. I have two options for setting this up. The server is a PowerEdge 2900 running XenServer 6.2 which will host three Debian 7.8 VMs. One will be the VPN server. The box has two LAN ports. One is connected to our router and functions inside our network for the domain controller (DC is Samba4). The other port goes right to a cable modem and grants VMs direct access to the outside world. Our SIP server (second VM) uses this network. I was debating giving the VPN server access to both. If I do this, I can assign a static IP to the virtual NIC on the external network and a LAN IP to the internal one. Connections could come directly from the WAN into the box on the external interface and be routed to the internal interface.

My other idea was what I've always done. Give it access to just the internal NIC and forward the UDP ports (500 and 4500 IIRC) to the internal LAN IP. Would there be any advantages to one way over the other? I have three unused static IP addresses for the WAN, so if it is better in some way, I do not mind doing it, but it means I have to be VERY strict with an iptables firewall to avoid hacking attempts. If I do it the traditional way it will be behind a Watchguard Firebox router and have a regular iptables firewall.

Thoughts?

----------

## TigerJr

You can try to use network aliases on your router's WAN side and iptables rules to redirect network packets to the LAN area.

Maybe you need an SNAT rule to change the source address, but I didn't clearly understand the whole network topology... If you post a block diagram of what is done and what is needed, that would be half of the answer.

i.e.

```
# Bring up three alias addresses on the WAN-facing interface (one per service)
ifconfig eth0:1 11.11.11.1/24 up
ifconfig eth0:2 11.11.11.2/24 up
ifconfig eth0:3 11.11.11.3/24 up
```

After the aliases are up:

```
# IRC ?
# UDP/4500 (IPsec NAT-T) and UDP/500 (IKE) arriving at the first alias go to the VPN server
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.1 --dport 4500 -j DNAT --to-destination 192.168.0.1:4500
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.1 --dport 500 -j DNAT --to-destination 192.168.0.1:500

# DC ?
# SMB (TCP/445) and NetBIOS session (TCP/139) at the second alias go to the domain controller
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 11.11.11.2 --dport 445 -j DNAT --to-destination 192.168.0.2:445
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 11.11.11.2 --dport 139 -j DNAT --to-destination 192.168.0.2:139

# SIP ?
# SIP signalling (UDP/5060) at the third alias goes to the SIP server
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.3 --dport 5060 -j DNAT --to-destination 192.168.0.3:5060
```

If it helps you...

P.S.

In fact you can use one alias WAN IP for transferring packets to the other servers... But... whatever.
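As an added example, not part of the thread, the rulesets the two designs under discussion call for: the INPUT filter a WAN-facing L2TP/IPsec server needs (the original poster's "VERY strict" firewall), and the UDP 500/4500 port-forward for the server-behind-router design that the DNAT rules above sketch. Interface names and addresses are placeholders passed in by the caller; the functions only print the iptables commands so the ruleset can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are
# placeholders chosen by the caller; nothing here touches the live ruleset,
# the functions print iptables commands for review.

# Design 1: the VPN VM has its own WAN-facing NIC. Only IKE (UDP/500),
# IKE/ESP over NAT-T (UDP/4500) and raw ESP may reach it from the WAN.
# L2TP itself (UDP/1701) is accepted only when the packet arrived inside an
# IPsec SA; plaintext L2TP from the WAN is dropped. The DROP policy is set
# last so the ACCEPT rules are already in place when it takes effect.
vpn_host_rules() {
  wan_if="$1"; lan_if="$2"
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan_if -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan_if -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan_if -p esp -j ACCEPT
iptables -A INPUT -i $wan_if -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $wan_if -p udp --dport 1701 -j DROP
iptables -P INPUT DROP
EOF
}

# Design 2: the VPN VM sits on the LAN behind the router. Because the router
# NATs, clients negotiate NAT-T and the ESP payload travels inside UDP/4500,
# so only UDP/500 and UDP/4500 need forwarding. The FORWARD rules admit
# exactly those new flows to the VPN server's LAN address and nothing else.
router_dnat_rules() {
  wan_if="$1"; wan_ip="$2"; vpn_lan_ip="$3"
  for port in 500 4500; do
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp -d $wan_ip --dport $port -j DNAT --to-destination $vpn_lan_ip:$port"
    echo "iptables -A FORWARD -i $wan_if -p udp -d $vpn_lan_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Example invocation with constructed placeholder values (eth1 = NIC on the
# cable modem, eth0 = LAN NIC, 198.51.100.10 = a spare static WAN address).
vpn_host_rules eth1 eth0
router_dnat_rules eth0 198.51.100.10 192.168.0.1
```

The `policy` match is what keeps UDP/1701 from becoming an unauthenticated L2TP listener on the WAN; without it, any host could start an L2TP negotiation with the server outside IPsec.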

----------

## The_Great_Sephiroth

I know about aliases, but my question was whether it would be better to have the VPN listening on a WAN connection and routing into a LAN connection or simply to listen on the LAN and route to the LAN without a direct WAN connection. I appreciate the input, but this is my dilemma right now.

----------

## TigerJr

If I really understand you...

Listening for VPN on WAN interfaces gives you only iptables rules to manage the connection.

Transferring VPN packets to a LAN VPN server gives you the functionality of route decisions and iptables rules on two sides, but with slight performance degradation. So in that way you need to choose performance vs. functionality. I will choose functionality, because the performance degradation is not huge.

----------

## The_Great_Sephiroth

You're saying that using a single interface increases functionality? I am not sure I follow you here. In the Microsoft world, all of their guides require a public interface and an internal one. Their VPN setup is a nightmare though, and obviously does not apply to GNU/Linux. I was just looking at it because I thought it would be a better setup.

Can you give me a little more detail as to why a single interface increases functionality? I am not opposed to going this route.

----------

## TigerJr

I didn't tell you to use a single interface. I mean that you use an alias IP for the VPN connection and transfer the VPN IP packets into the LAN where the server is located.

----------

