L2TP Routers
I have been setting up VPNs on OS X Server for a while, and one thing that I did like about configuring them was how easy it was to add and remove users. A client was after upgrading their server setup, so I decided to use CentOS 6 because of its stability, but the one thing I could not find for it was an easy interface for adding and removing L2TP users. To get around this I decided to get some assistance from the client's internet router, which conveniently was also running CentOS 6. The main server was set up with the users in LDAP, so that various attributes could be added to their accounts. The users were configured through FusionDirectory, a PHP-based LDAP admin front-end, which has a FreeRADIUS plugin that allows certain attributes to be added to or removed from users. The router was then configured with IPsec-Tools, xl2tpd and a RADIUS client, so that it could use the server for authenticating the users. FreeRADIUS was installed on the server and configured to only search for LDAP users who had a FreeRADIUS attribute in their account, which means it only takes two clicks to enable or disable someone's VPN access. This setup has been working well so far, and the best thing about it is that it works with both Macs and PCs. It does not, however, work easily with Windows Vista and above if the ports are forwarded to the server, because of a change that Microsoft has made to these operating systems.
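As an added illustration of the "only users with the FreeRADIUS attribute" rule described above, here is example configuration I wrote for this page (not the author's files) for the FreeRADIUS 2.x ldap module on a CentOS 6 server, the NAS entry for the router, and the pppd options on the xl2tpd router that hand authentication to RADIUS. The hostnames, DNs, certificate path, shared secrets and the objectClass name `radiusprofile` (the class the FusionDirectory FreeRADIUS plugin is assumed to add) are assumptions for the example and need to be checked against your own directory schema.

```conf
# /etc/raddb/modules/ldap  (FreeRADIUS 2.x as shipped with CentOS 6) -- example, not the author's file
ldap {
    server = "ldap.example.internal"                            # assumed hostname
    identity = "cn=radius,ou=services,dc=example,dc=internal"   # assumed read-only bind DN
    password = "CHANGE-ME"                                      # placeholder
    basedn = "ou=people,dc=example,dc=internal"                 # assumed base DN

    # Only accounts carrying the FreeRADIUS object class match at all.
    # An account without it is never found, so it never reaches the
    # password check; removing the attribute in FusionDirectory therefore
    # revokes VPN access immediately, without touching the router.
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=radiusprofile))"

    tls {
        start_tls = yes                         # protect bind credentials and lookups on the wire
        cacertfile = /etc/raddb/certs/ca.pem    # assumed path
        require_cert = "demand"
    }
}

# /etc/raddb/clients.conf -- register the router as a NAS; nothing else may query RADIUS
client vpn-router {
    ipaddr = 192.0.2.1          # documentation address standing in for the router
    secret = "CHANGE-ME-TOO"    # placeholder shared secret, must match the router's radiusclient config
    shortname = vpn-router
}

# Router side: /etc/ppp/options.xl2tpd -- pppd asks RADIUS instead of /etc/ppp/chap-secrets
plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
require-mschap-v2
refuse-pap
refuse-chap
```

The `ldap` module also has to be listed in the `authorize` section of `sites-enabled/default`, where it is commented out by default. Requiring MS-CHAPv2 only works against LDAP if the NT password hash is available to the ldap module (for example through a Samba-style attribute); if the directory only holds a hashed userPassword, PAP inside the IPsec tunnel is the usual fallback.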
The next challenge that came up was the need to have an L2TP service running on a reasonably priced router, rather than getting one that costs hundreds of pounds and has the VPN software already installed on it. The only way that this was going to happen was by using a router that can run OpenWrt. There is no support at the moment for L2TP in the web interface, so I had to do the configuration through the command line over SSH. The initial configuration did not take too long, but it took a while to get the clients to connect, because of the many configuration file settings that there are. I have found that once you get an L2TP configuration to work, it will stay stable and not give any problems. Once I had the configuration working on the first router, I then installed the required packages on the next router, copied the configuration files over, adjusted the configuration for that specific network and checked that the login was working from a remote Windows machine.
Because of how routers are designed, it is not an easy process to make a backup image of the software that has been installed, so the only thing that can be done is to build an image that has the required software already installed. Another important consideration is to choose the right router, because there are some cheaper ones that are stable and some more expensive ones that might have some minor problems.