Mikrotik Ubuntu L2TPv3
L2TPv3 Tunnel: Linux to MikroTik
Overview
This guide explains how to set up a static L2TPv3 site-to-site tunnel between a Linux server and a MikroTik router using ql2tpd from the go-l2tp package.
| | Server | Client |
|---|---|---|
| Device | Ubuntu 24.04 | MikroTik RouterOS 7.20+ |
| Public IP | 157.9.2.4 | 85.57.4.221 |
| Tunnel IP | 10.0.0.1/30 | 10.0.0.2/30 |
| Tunnel ID | 100 | 200 |
| Session ID | 1000 | 2000 |
---
Prerequisites
- Ubuntu 24.04 (kernel 6.8+)
- MikroTik RouterOS 7.20 or later
- Root access on both devices
- IP protocol 115 allowed in firewall on both sides
---
Linux Server Setup
1. Install packages
apt install -y linux-modules-extra-$(uname -r) go-l2tp
2. Load kernel modules
modprobe -a l2tp_eth l2tp_ip l2tp_netlink
echo -e "l2tp_eth\nl2tp_ip\nl2tp_netlink" > /etc/modules-load.d/l2tp.conf
3. Create ql2tpd configuration
mkdir -p /etc/ql2tpd
cat > /etc/ql2tpd/ql2tpd.toml << 'EOF'
[tunnel.t1]
version = "l2tpv3"
encap = "ip"
local = "157.9.2.4:0"
peer = "85.57.4.221:0"
tid = 100
ptid = 200
[tunnel.t1.session.s1]
pseudowire = "eth"
sid = 1000
psid = 2000
interface_name = "l2tpeth0"
EOF
4. Create systemd service
cat > /etc/systemd/system/ql2tpd.service << 'EOF'
[Unit]
Description=L2TPv3 Static Tunnel
After=network.target
[Service]
ExecStart=/usr/sbin/ql2tpd -config /etc/ql2tpd/ql2tpd.toml
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now ql2tpd
5. Assign tunnel IP
sleep 2
ip addr add 10.0.0.1/30 dev l2tpeth0
ip link set l2tpeth0 up
6. Persist IP after reboot
cat > /etc/networkd-dispatcher/routable.d/l2tp-ip.sh << 'EOF'
#!/bin/bash
sleep 3
ip addr add 10.0.0.1/30 dev l2tpeth0 2>/dev/null
ip link set l2tpeth0 up 2>/dev/null
EOF
chmod +x /etc/networkd-dispatcher/routable.d/l2tp-ip.sh
---
MikroTik Client Setup
Run the following commands in the MikroTik terminal:
/interface l2tp-ether add name=l2tpv3 connect-to=157.9.2.4 local-address=85.57.4.221 local-tunnel-id=200 remote-tunnel-id=100 local-session-id=2000 remote-session-id=1000 l2tp-proto-version=l2tpv3-ip unmanaged-mode=yes disabled=no
/ip address add address=10.0.0.2/30 interface=l2tpv3
---
Verification
From Linux server:
ping 10.0.0.2 -c 4
From MikroTik:
/ping 10.0.0.1 count=4
---
Cleanup
Linux server:
systemctl stop ql2tpd
systemctl disable ql2tpd
rm /etc/systemd/system/ql2tpd.service
rm -rf /etc/ql2tpd
rm -f /etc/networkd-dispatcher/routable.d/l2tp-ip.sh
rm -f /etc/modules-load.d/l2tp.conf
systemctl daemon-reload
ip link del l2tpeth0 2>/dev/null
modprobe -r l2tp_eth l2tp_ip l2tp_netlink 2>/dev/null
apt remove -y go-l2tp
MikroTik:
/ip address remove [find interface=l2tpv3]
/interface l2tp-ether remove l2tpv3
---
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Module l2tp_eth not found | Missing extra modules | apt install linux-modules-extra-$(uname -r) |
| Interface not created | ql2tpd not running in background | Run with & or use systemd service |
| Link stays DOWN | MikroTik sending control messages | Add unmanaged-mode=yes |
| No packets arriving | Firewall blocking proto 115 | Allow IP protocol 115 on both sides |
| IP lost after reboot | No persistence script | Add networkd-dispatcher script (step 6) |
---
Notes
- ql2tpd is a static (quiescent) L2TPv3 daemon: it does not run the L2TPv3 control protocol. Both peers must have matching tunnel and session IDs configured manually.
- MikroTik l2tp-ether with unmanaged-mode=yes bypasses the control protocol and operates as a pure static data plane, making it compatible with ql2tpd.
- The tunnel carries raw Ethernet frames (pseudowire type: eth), making it suitable for Layer 2 bridging between sites.
- No encryption is applied by default. For production use, consider wrapping the tunnel with IPsec.
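Because the IDs are configured by hand and mirrored between the peers, a mismatch is easy to check for before bringing the tunnel up. The script below is an added example, not part of the original guide, go-l2tp or RouterOS; the helper names toml_get, ros_get and check_pair are hypothetical, and it assumes a single tunnel with one session and IPv4 endpoints, as configured on this page.

```shell
#!/bin/sh
# Added example (not from go-l2tp or MikroTik): cross-check both ends of the static tunnel.
# Assumes one tunnel with one session and IPv4 endpoints, as on this page.

# toml_get TEXT KEY -> first "KEY = value" in the TOML text, quotes and ":port" stripped
toml_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        head -n 1 | tr -d '"' | sed 's/:[0-9]*$//'
}

# ros_get COMMAND KEY -> value of "KEY=value" in a RouterOS command line
ros_get() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_pair TOML COMMAND -> prints every mismatch, returns the number found
check_pair() {
    bad=0
    # linux_key:mikrotik_key pairs that must carry the same value (IDs are mirrored)
    for pair in local:connect-to peer:local-address tid:remote-tunnel-id \
        ptid:local-tunnel-id sid:remote-session-id psid:local-session-id; do
        lk=${pair%%:*}; rk=${pair#*:}
        lv=$(toml_get "$1" "$lk"); rv=$(ros_get "$2" "$rk")
        if [ -z "$lv" ] || [ "$lv" != "$rv" ]; then
            echo "MISMATCH: $lk=$lv (Linux) vs $rk=$rv (MikroTik)"
            bad=$((bad + 1))
        fi
    done
    # ql2tpd runs no control protocol, so RouterOS must be in unmanaged mode
    if [ "$(ros_get "$2" unmanaged-mode)" != "yes" ]; then
        echo "MISMATCH: unmanaged-mode=yes missing on MikroTik"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Sample input: the configuration and command from this page
TOML='[tunnel.t1]
local = "157.9.2.4:0"
peer = "85.57.4.221:0"
tid = 100
ptid = 200
[tunnel.t1.session.s1]
sid = 1000
psid = 2000'
ROS='/interface l2tp-ether add name=l2tpv3 connect-to=157.9.2.4 local-address=85.57.4.221 local-tunnel-id=200 remote-tunnel-id=100 local-session-id=2000 remote-session-id=1000 l2tp-proto-version=l2tpv3-ip unmanaged-mode=yes disabled=no'

check_pair "$TOML" "$ROS" && echo "OK: endpoints and IDs mirror each other"
```

To check a live server, pass the real file contents as the first argument, for example check_pair "$(cat /etc/ql2tpd/ql2tpd.toml)" "$ROS".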
---