How the nuts and bolts are connected

In a previous post that I wrote about VyOS, I’ve shown that the L2TP VPN is using as an IP address. In this blog post, I’ll dive into why this is a problem for me and how to change that.

Why is this a problem for me?

Well, I try to divide my subnets logically, at home I use, and anything in the datacentre uses Now I thought to make it handy I’d start using for any remote connection like Site-to-Site VPN, L2TP, or anything else that comes in the future. I started off with using as the subnet for the Site-to-Site VPN to home and this all work till I started an L2TP VPN and then all remote connected ceased to work.

That remote connection stop working has to do with routing. The VyOS router looks in it’s routing table where to forward the packet. There are two routes in there and the winner is selected based on the ‘metric‘ which defines the trustworthiness of that route.

VyOS uses xl2tpd as the software for L2TP VPN clients. So I found that xl2tpd is configured such that it uses the IP-address This means that it’s not possible to use an IP range where that IP address is in. For the Site-to-Site VPN, I was using the IP range Using that IP range breaks the routing of network traffic. And then the VyOS router no longer knows where the network traffic needs to be routed to, so it arrives at the right destination. Because I noticed this behavior I started to use the IP range for the Site-to-Site VPN. But it’s not nice to have a gateway out of the IP range that I use for L2TP VPN clients. This simply is an unwanted configuration and therefore must change!

C:\Users\Bart>tracert -d

Tracing route to over a maximum of 30 hops

  1    51 ms    37 ms    49 ms
  <<< output omitted >>>
  9    50 ms    44 ms    37 ms

Trace complete.

Now, how to fix this?

So I started searching around and the beauty of VyOS is, that it’s still a Linux distribution, Debian. But the search online didn’t give many results. However, I found out that VyOS uses the Linux application ‘xl2tpd’. This is a term that I also found in the VyOS logs and I started digging deeper. Sadly without much result, so I started to dig into VyOS. Many applications on Linux install in /etc/ and xl2tpd is, luckily, no exception.

EU-GW04:/home/vyos# ls -al /etc/xl2tpd/
total 13
drwxr-xr-x 1 root root 4096 Jan  4 13:51 .
drwxr-xr-x 1 root root 4096 Jan  4 13:51 ..
-rw------- 1 root root  109 May 22  2019 l2tp-secrets
-rw-r--r-- 1 root root  306 Jan  4 19:31 xl2tpd.conf

The folder ‘/etc/xl2tpd‘ just contains two files and ‘xl2tpd.conf’ sounds to make sense. I like ‘nano’ a bit more than ‘vi’ and nano works great on VyOS. So I used nano to open the file.

;### VyOS L2TP VPN Begin ###
listen-addr = XX.XX.XX.192

[lns default]
ip range =
local ip =
refuse pap = yes
require authentication = yes
name = VyOSL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### VyOS L2TP VPN End ###

Okay, okay, this looks good. There is a local IP configured here with the value Would it be possible to just change it there? Would it be so simple? Yes, it is. I’ve updated the local IP to which is more logical and restarted xl2tpd. Connected to the VPN and, it works as I want! Awesome!

C:\Users\Bart>tracert -d

Tracing route to over a maximum of 30 hops

  1    72 ms    42 ms    38 ms
  <<< output omitted >>>
  9    89 ms    48 ms    62 ms

Trace complete.

Closing thought

Now the IP use makes more sense. At some point, I might even change the Site-to-Site VPN to use once again. But for now, I’m pretty happy with the current configuration.

Thanks for reading, hopefully, you found it interesting and maybe even learned something new! Want to be informed about a new post? Subscribe! Any questions or just want to leave a remark? Please do, I’m very curious what you think of the content. Enjoy your day!

Leave a Reply

Bart Oevering
Bart vExpert NUC