Wandering Thoughts archives

2019-11-22

Our problem of checking if our L2TP VPN servers are actually working

We operate some VPN servers to let people who are currently outside our wired networks have access to internal networks and internal services (this includes people using our wireless network, for reasons beyond the scope of this entry). For various reasons, we offer both L2TP and OpenVPN (on different servers). Our OpenVPN servers are pretty reliable, but our current L2TP servers have a little problem where sometimes they'll just stop responding to people's attempts to establish L2TP VPNs while otherwise looking perfectly healthy. Fortunately this is infrequent. Unfortunately, it turns out to be surprisingly hard to automatedly monitor an L2TP server to make sure that it's working.

Many protocols make it relatively easy to connect to a server and ask it to do something from a client program, for instance by being text based and running over TLS in straightforward ways. Often people have put together libraries for doing this, such as Python's libraries for IMAP clients and POP3 clients. Sadly, L2TP is a much more complicated protocol, at least as commonly implemented for VPNs. For a start, it is really L2TP/IPsec, L2TP over IPsec, which requires you to set up an IPSec security associate through IKE before you can even begin talking the L2TP protocol itself (well, L2TP/PPP). As far as I could find, no one has written a good client library for even the L2TP and L2TP/PPP portion of this in the way of the Python IMAP and POP3 packages.

Another option would be to run an actual L2TP client and have it try to establish an L2TP connection with our VPN servers. There are two practical problems with this; it seems to be rather complicated to set up (and requires running IPSec daemons), and typical L2TP clients are more oriented towards establishing and managing network connections instead of reporting whether or not things worked. We could probably make all of this work if we tried hard enough, but it would almost certainly be moderately fragile, because we're using all of the software involved for something other than its actual purpose.

All of this has taught me a valuable lesson about how useful it is to have servers and protocols that are easy to probe and check. Mind you, I sort of knew this lesson already from thinking about how we could check that our NFS servers are actually serving NFS (we can't really), but it hadn't quite sunk in in the same way as it has here.

sysadmin/L2TPServerStatusCheckProblem written at 01:33:07; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.