Introduction

Implementing an L2TP/IPsec VPN on RHEL 10 remains a practical option for organizations that need compatibility with a wide range of client platforms (Windows, macOS, Android, iOS, and many Linux distros). Although newer protocols like WireGuard and IKEv2 are gaining traction, L2TP combined with IPsec (L2TP/IPsec) is still widely supported by legacy clients and integrated OS VPN clients. This guide walks through a full, production-oriented deployment on RHEL 10 with emphases on reliability, security, firewall integration, and troubleshooting.

Overview and prerequisites

Before starting, ensure you have:

  • A RHEL 10 server with a public IP address and root or sudo privileges.
  • Access to the RHEL subscription repositories (or the necessary packages available locally).
  • Basic familiarity with systemd, firewalld, and networking concepts such as NAT, routing, and IP forwarding.

Packages used in the examples: strongswan for the IPsec layer and xl2tpd for the L2TP/PPP layer. We will also configure PPP options and firewall rules (firewalld). This deployment uses a PSK for demonstration but includes guidance on upgrading to certificates for better security.

High-level architecture

The stack consists of:

  • IPsec (IKEv1) — provides an authenticated and encrypted channel for the L2TP traffic (ESP for payload protection).
  • L2TP — handles PPP negotiation over the IPsec-protected channel.
  • PPP — assigns virtual IPs, negotiates authentication (PAP/CHAP/MS-CHAPv2), and configures network parameters.
  • Routed or NATted traffic from VPN clients to internal networks or the internet (via MASQUERADE).

Step 1 — Install required packages

Update and install packages with:

sudo dnf update -y
sudo dnf install -y strongswan xl2tpd ppp iptables-services

Note: RHEL 10 may prefer firewalld. iptables-services is optional if you prefer raw iptables rules, but this guide uses firewalld examples as well.

Step 2 — Kernel & sysctl preparation

Enable IP forwarding and adjust kernel parameters for VPN traffic handling. Add or update the following in /etc/sysctl.d/99-sysctl.conf (or another file under /etc/sysctl.d/):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_no_pmtu_disc = 0

Apply changes with: sudo sysctl --system

For PPP and L2TP you may also want to permit non-default MTU/MSS behavior; we will address MSS clamping in the firewall section.

Step 3 — Configure strongSwan (IPsec)

On RHEL 10 strongSwan typically stores configuration in /etc/strongswan/. For a minimal L2TP/IPsec configuration using a PSK, edit /etc/strongswan/ipsec.conf to include a connection that supports IKEv1 transport for L2TP:

conn L2TP-PSK
    auto=add
    keyexchange=ikev1
    # transport mode: L2TP does the tunnelling, IPsec only protects the UDP 1701 flow
    type=transport
    left=%any
    leftid=@server.example.com
    # leftcert applies only to certificate authentication; leave it unset with authby=psk
    # leftcert=(certificate name)
    leftfirewall=yes
    # the server side of the protected flow is always UDP port 1701
    leftprotoport=17/1701
    right=%any
    # clients behind NAT use an arbitrary source port, so do not pin the peer port
    rightprotoport=17/%any
    # no rightsubnet: in transport mode the traffic selectors are the endpoint addresses
    authby=psk
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyingtries=0
    rekey=no

Notes:

  • type=transport is used because L2TP provides the tunneling of PPP; IPsec only secures it.
  • Replace leftid with your server’s identifier (IP or DNS) used by clients.
  • For production, prefer stronger algorithms and consider IKEv2/certificates; the above uses conservative compatibility settings for older clients.

Set the PSK in /etc/strongswan/ipsec.secrets:

@server.example.com : PSK "your-strong-pre-shared-key"

Step 4 — Configure xl2tpd and PPP

Edit /etc/xl2tpd/xl2tpd.conf:

[global]
listen-addr = 0.0.0.0

[lns default]
ip range = 10.10.10.100-10.10.10.200
local ip = 10.10.10.1
require chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Then create /etc/ppp/options.xl2tpd with typical PPP options:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 1.1.1.1
auth
mtu 1400
mru 1400
nodefaultroute
debug

Passwords for users go into /etc/ppp/chap-secrets in the format:

username * password *

The fields are the client name, the server name (* for any), the secret, and the client IP addresses pppd will accept: * accepts whatever xl2tpd hands out from its ip range, or a single address or a subnet such as 10.10.10.0/24 can be given instead (pppd does not understand hyphenated ranges here). Replace username/password as appropriate. For centralized authentication, integrate with RADIUS or LDAP instead of local chap-secrets.

Step 5 — Firewall and NAT

Open necessary ports and enable NAT for VPN client traffic. With firewalld:

sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --permanent --add-port=1701/udp
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Note: The ‘ipsec’ service in firewalld typically opens UDP 500 and UDP 4500 and allows ESP protocol. For strict environments add explicit rules for ESP protocol and AH if needed.

To ensure proper MTU handling and avoid fragmentation issues, add a mangle rule to clamp MSS on the server firewall (using nftables or iptables). Example in iptables syntax:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Persist using your preferred firewall backend.

Step 6 — SELinux considerations

RHEL 10 ships with SELinux enabled by default. strongSwan and xl2tpd generally work with SELinux if installed from distro packages. If you encounter AVC denials, check audit logs:

sudo ausearch -m avc -ts recent

For temporary testing you can switch SELinux to permissive (not recommended for production):

sudo setenforce 0

Better approach: create a local SELinux policy module from the denials or use semanage boolean toggles if available. Always prefer least-privilege fixes.

Step 7 — Start and enable services

Enable and start strongSwan and xl2tpd:

sudo systemctl enable --now strongswan
sudo systemctl enable --now xl2tpd

Verify both are active:

sudo systemctl status strongswan
sudo systemctl status xl2tpd

Step 8 — Client configuration examples

Windows built-in VPN client:

  • Choose “Add VPN connection”.
  • VPN type: “L2TP/IPsec with pre-shared key”.
  • Enter server address, username/password, and PSK.
  • On advanced settings enable MS-CHAPv2 if required.

macOS/iOS: use built-in L2TP profile with server, account, password, and PSK.

Linux: use the NetworkManager-l2tp plugin or the strongSwan + xl2tpd client tools (ipsec up L2TP-PSK; echo "c l2tp-net" > /var/run/xl2tpd/l2tp-control) for manual setups.

Troubleshooting

Common issues and debugging tips:

  • IPsec negotiation fails: Check /var/log/secure and the strongSwan (charon) log output. Raise charon's log level in /etc/strongswan/strongswan.conf to see the full IKE exchange and the proposal or PSK mismatch that aborted it.
  • L2TP fails to create PPP session: Check /var/log/messages and /var/log/ppp for xl2tpd/ppp logs. Confirm PPP options and chap-secrets entries.
  • Clients connect but no internet access: Verify IP forwarding, NAT, and firewall FORWARD rules. Check ip route and iptables FORWARD policy.
  • MTU fragmentation problems: Lower ppp mtu/mru to 1400 and ensure MSS clamping is enabled on the firewall.
  • SELinux denials: Inspect audit logs and create a policy module or use permissive mode temporarily to isolate the denial.
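The checks in the "Verify both are active" step and in the troubleshooting list above can be scripted. The following is an added example (not part of the original guide): each check_* function takes captured command output as its argument so the logic can be exercised offline against constructed samples, and run_checks gathers the live output from sysctl, firewall-cmd, ss and systemctl on the server.

```shell
#!/bin/sh
# Post-deployment sanity check for the L2TP/IPsec stack built above.
# Added example, not part of the original guide. Each check_* function
# takes captured command output as its argument so the logic can be
# exercised offline; run_checks feeds it the live output on the server.

# IP forwarding: argument is the output of `sysctl -n net.ipv4.ip_forward`.
check_forwarding() { [ "$1" = "1" ]; }

# firewalld: argument is the output of `firewall-cmd --list-all`. The zone
# must carry the ipsec service (UDP 500/4500 + ESP), 1701/udp and masquerade.
check_firewall() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*services:.*[[:space:]]ipsec([[:space:]]|$)' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ports:.*[[:space:]]1701/udp([[:space:]]|$)' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*masquerade: yes'
}

# UDP sockets: argument is the output of `ss -lun`. IKE (500), NAT-T (4500)
# and L2TP (1701) must all be bound, otherwise clients stall at that stage.
check_listeners() {
    for port in 500 4500 1701; do
        printf '%s\n' "$1" | grep -Eq "^UNCONN.*:${port}[[:space:]]" || return 1
    done
}

# Units: argument is the output of `systemctl is-active strongswan xl2tpd`,
# one status word per line; every line must read "active".
check_units() {
    [ -n "$1" ] && [ "$(printf '%s\n' "$1" | grep -vc '^active$')" -eq 0 ]
}

# Gather live output and name the step to revisit for each failing check.
run_checks() {
    rc=0
    check_forwarding "$(sysctl -n net.ipv4.ip_forward)" ||
        { echo "FAIL: net.ipv4.ip_forward is not 1 (Step 2)"; rc=1; }
    check_firewall "$(firewall-cmd --list-all)" ||
        { echo "FAIL: firewalld lacks ipsec service, 1701/udp or masquerade (Step 5)"; rc=1; }
    check_listeners "$(ss -lun)" ||
        { echo "FAIL: UDP 500/4500/1701 are not all listening (Steps 3, 4, 7)"; rc=1; }
    check_units "$(systemctl is-active strongswan xl2tpd)" ||
        { echo "FAIL: strongswan or xl2tpd is not active (Step 7)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: forwarding, firewall, listeners and units look correct"
    return "$rc"
}

# Only probe the live system when invoked with --live (safe to source otherwise).
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it as root with `sh l2tp-check.sh --live`; a non-zero exit means at least one FAIL line was printed.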

Security hardening and best practices

While PSK-based L2TP/IPsec is easy to set up, consider these improvements for production-grade security:

  • Use certificates: Replace PSK with IKE certificate authentication. strongSwan supports PKI and makes each endpoint uniquely verifiable.
  • Prefer modern cryptography: Use stronger proposals: AES-GCM for ESP, SHA-256/384 for integrity, and larger DH groups. Test compatibility with client platforms.
  • Limit access and authentication: Integrate with RADIUS/LDAP for centralized credential management and multi-factor authentication where possible.
  • Logging and monitoring: Enable structured logs, forward to centralized logging/ELK, and monitor for unusual connection attempts.
  • Fail2ban / intrusion protections: Protect the IKE and L2TP endpoints from brute-force attacks by monitoring logs and blocking abusive IPs.

Scaling and maintenance considerations

For enterprises planning growth:

  • Plan IP address pools and subnets to avoid conflicts with client networks.
  • Consider load balancers or multiple gateway servers with shared state or RADIUS backends for authentication.
  • Keep kernel and networking packages patched. Test configuration changes in a staging environment before rolling out to production.

Conclusion

Deploying L2TP/IPsec on RHEL 10 is a viable solution for organizations that require broad client compatibility and a proven VPN architecture. By following the steps above—installing strongSwan and xl2tpd, configuring PPP, securing with IPsec, and carefully managing firewall and SELinux—you can provide reliable and secure remote access. For long-term security, transition to certificate-based authentication and modern crypto suites where possible.

For more in-depth guides and managed VPN solutions visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.