Page MenuHomeVyOS Platform

Add support for unencrypted L2TPv2 client connections
Open, Requires assessmentPublicFEATURE REQUEST


Please can you add support for unencrypted L2TPv2 over UDP (RFC2661) clients to VyOS.

Configuration might look something like this:

set interface l2tpv2 l2tp0 server
set interface l2tpv2 l2tp0 default-route force
set interface l2tpv2 l2tp0 mtu 1492
set interface l2tpv2 l2tp0 enable-ipv6
set interface l2tpv2 l2tp0 user-id <Username>
set interface l2tpv2 l2tp0 password <Password>

Or maybe l2tpv2 is an encapsulation type of another type of interface.

Andrews and Arnold (AAISP) offer this as a commercial service for people using 'inferior broadband':

They provide configuration guides:

The Cisco configuration seems the least intuitive.

As originally asked here:


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Event Timeline

njh updated the task description. (Show Details)
njh rescinded a token.
njh awarded a token.

Also very interested in this. Ready and willing to test.

njh set Is it a breaking change? to Unspecified (possibly destroys the router).

Not had a lot of time recently, but I have kind of been waiting for the configuration nodes to be ported to Python, so that this can be written in the new / modern way.

Now that this is mostly done, I suspect that it wouldn't be too hard to implement - copying a different PPP based module as a starting point.

It looks like xl2tpd is available in Debian, so won't need packaging separately:

And it looks like the Kernel modules exist in my VyOS kernel (VyOS 1.3-rolling-202006110117):

vyos@vyos:~$ grep 'L2TP' /boot/config-4.19.125-amd64-vyos 

Have you had any time to look into this more? I am at a point of wanting to migrate off a Mikrotik RouterOS virtualized instance to a piece of hardware and would love to move to VyOS at the same time.

Willing to test anything that might be needed in order to help move this along.

Should I hold out any hope for this to be implemented? Still willing to help test and do whatever I can to get this in.

I have a couple of routed public /29's which do not need encryption, as they are just internet crossing data anyway, and would like to use VyOS as a central router for all my connectivity before splitting out into the network.

Jamie removed a subscriber: Jamie.

Just adding my +1 for this feature, would be very useful.
If I get time in the coming weeks/months I will try and pick up on the analysis where @njh left off.