Why I use a L2TP relay from Andrews & Arnold

James White
7 min read · Aug 30, 2020

When your main ISP falls short, time to tunnel your way out of trouble!

I recently decided to test out the L2TP relay service from Andrews & Arnold. I have never had broadband services with them, but had read and heard great things. They offer an L2TP relay service where you can essentially use their network without having a broadband line with them; instead you connect over your existing broadband provider (in my case Virgin Media) via L2TP (Layer 2 Tunneling Protocol).

Why would you do this? Well, to understand the back story of why I became interested in this offering, you might want to read my rather lengthy article on the problems that specifically affect Virgin Media customers with 6in4 IPv6 tunnels. Right now Virgin Media does not have a native IPv6 deployment, and because of this a small group of customers (including myself) are using 6in4 to fill in the gap. The problem is that IPv6 over 6in4 through providers like Hurricane Electric or tunnelbroker.ch from SecureBit performs horribly on Virgin Media residential and business connections, and it’s not the tunnel providers, it’s 100% a Virgin Media problem. The issue has been brought back into the spotlight more recently thanks to ISPReview.

So this got me thinking: what viable alternatives do I have to avoid slow 6in4 IPv6 speeds? The short answer is tunneling! Here’s where the Andrews & Arnold L2TP relay service resolves a lot of my current issues:

  • Native IPv6 (a static /48 prefix can be delegated)
  • Bonus static IPv4 address (something you don’t typically see on any “Home” type broadband lines)
  • A neutral network, no censorship of content or restrictions on what ports/traffic can go through their relay.
  • All you need is an L2TP client running on a router or compatible device to connect to the service

Of course, there is a cost to this service. After all you are using their network for transit.

Costs:

  • Domestic: £10.00 per month (1 TB)
  • Business: £20.00 per month (2 TB)

On the business lines you can get more IP address blocks allocated, whereas on the domestic lines you get a single static IPv4 address and a /48 IPv6 prefix.

The L2TP service is capped at 100 Mbps. However, I think that’s quite reasonable for the cost. My overall line speed with Virgin Media is currently 100 Mbps, so the speed cap doesn’t really make any difference for me, and because I can’t push more than 15 Mbps download with 6in4 IPv6 currently, anything would be an improvement!

Andrews & Arnold L2TP on OpenWrt 19.07

Because I use OpenWrt, I will be setting up an L2TP client on my router, where I can then do NAT. Andrews & Arnold helpfully provide some specific guidance on configuring an L2TP client on OpenWrt. The documentation is a little out of date: based on the kmod versions it looks like it was written and tested on Chaos Calmer (15.05/15.05.1), which is quite a few releases back for OpenWrt today, but the general premise is the same. You will need to install the L2TP kmods and packages below, then reboot your router to load the kmod packages so you can configure an L2TP network interface.

opkg update
opkg install kmod-l2tp kmod-l2tp-eth kmod-l2tp-ip kmod-pppol2tp ppp-mod-pppol2tp xl2tpd luci-proto-ipv6 luci-proto-ppp

You may already have some of these packages installed, e.g. luci-proto-ipv6.

The main PPP interface can be configured like so. This is for the IPv4 connection; replace the username and password with the credentials for your specific line. IPv6 is handled with another configuration step below.

config interface 'aaisp'
	option proto 'l2tp'
	option server 'l2tp.aa.net.uk'
	option username 'yourusername@a'
	option password 'YOURPASSWORD'
	option metric '50'
	option ipv6 '1'
	option peerdns '0'

IPv6 users: for those who are IPv6 only, or whose provider is using something awful like DS-Lite, you can also connect to their L2TP relay over IPv6 with l2tp6.aa.net.uk.

The IPv6 interface setup in their documentation can be tweaked to use an alias interface instead. As the IPv6 prefix is obtained using DHCPv6, this is a slightly simplified version of configuring the IPv6 interface.

config interface 'aaisp6'
	option proto 'dhcpv6'
	option reqprefix '48'
	option peerdns '0'
	option ifname '@aaisp'
	option reqaddress 'force'

Then make sure the L2TP tunnel connects through your “bulk WAN” with a static route to the tunnel endpoint. This is important if you are multihomed and have multiple internet connections, as it ensures the L2TP connection is established over the right WAN network.

config route
	option interface 'wan'
	option target '90.155.53.19'

You may have to specify a gateway, depending on your WAN connection.

That’s pretty much the network interface configuration you need. OpenWrt uses xl2tpd for the tunnel connection itself. A network interface called l2tp-aaisp will be created, and both IPv4 and IPv6 will be configured on it.

Strange routing issues with fwmark

L2TP or PPP related network interfaces seem to be a bit broken on OpenWrt 19.07, and I’m not entirely sure why. I’m not sure if this is specific to the L2TPv2 PPP setup A&A have, but after configuring the tunnel there seemed to be some strange routing behaviour with the L2TP interface. At first I thought this could have been due to my usage of mwan3, but after some expert debugging help from Aaron Goodman it looks like a general routing problem.

With mwan3 disabled the tunnel would connect fine. With mwan3 enabled the tunnel would regularly disconnect and reconnect, and DHCPv6 was also broken, so IPv6 could not be configured as the RA request was never getting through. From investigating the issue it was determined that L2TP routing blows up as soon as a fwmark is applied to any packets going through the L2TP interface. That’s really bad news, because mwan3 happens to use fwmark and needs it for how it does its routing.

Applying a fwmark with a rule like the one below (appended to the mangle OUTPUT chain) breaks all routing for the L2TP interface, which is very strange.

iptables -t mangle -A OUTPUT -d 90.155.53.19 -p udp --dport 1701 --sport 1701 -j MARK --set-mark 0x1

Aaron’s thoughts on this were

The kernel will try to route these packets out of l2tp-aaisp. This is despite not having any rules that relate to the firewall mark or any additional routes that would cause these packets to be assigned to L2TP interface. You can see this by adding logging rules at the end of the OUTPUT chain and the beginning of the POSTROUTING chain.

kern.warn kernel: [576733.222628] main output start IN= OUT=eth0.2 SRC=<wan ip> DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1
kern.warn kernel: [576733.237060] postroute start IN= OUT=l2tp-aaisp SRC=<wan ip> DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1

So there are clearly some funky issues happening; however, a workaround was found by Aaron. Having the following as the very first rule in the OUTPUT chain of the mangle table prevents the packets being marked by mwan3, and everything is fine.

iptables -t mangle -I OUTPUT -d 90.155.53.19 -p udp --dport 1701 --sport 1701 -j RETURN

This can be added to /etc/firewall.user so it persists across firewall reloads and restarts. That file runs after the firewall has been brought up, so -I (insert) is used rather than -A (append) to make sure it’s always the first rule in the chain.

  • 90.155.53.19: the IPv4 L2TP tunnel endpoint, l2tp.aa.net.uk.
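A helper script covering both the static-route step and the mangle-table workaround above, added here as an example (it is not from the article, OpenWrt or A&A). It checks that the endpoint is routed out of the bulk WAN rather than the tunnel itself, and inserts the bypass rule idempotently so that repeated firewall reloads do not stack duplicate copies. The path /etc/l2tp-bypass.sh, the function names and the sample outputs used in the comments are assumptions.

```shell
#!/bin/sh
# Example helper (not from the article, OpenWrt or A&A). Call it from
# /etc/firewall.user as `sh /etc/l2tp-bypass.sh apply` (assumed path), or run
# `sh /etc/l2tp-bypass.sh check` by hand after the tunnel is up.
IPT="${IPT:-iptables}"
L2TP_PEER="${L2TP_PEER:-90.155.53.19}"   # l2tp.aa.net.uk, from the article
L2TP_IF="${L2TP_IF:-l2tp-aaisp}"         # interface that xl2tpd creates

# Match/target part of the bypass rule, shared by every call below.
bypass_spec() {
    printf '%s' "-d $L2TP_PEER -p udp --dport 1701 --sport 1701 -j RETURN"
}

# Reads `iptables-save -t mangle` output on stdin. Exit 0 if the first rule
# in the mangle OUTPUT chain is the bypass rule, 1 otherwise (or if none).
# iptables-save normalises the rule to "-d <peer>/32 ... --sport --dport".
bypass_is_first() {
    first=$(sed -n '/^\*mangle$/,/^COMMIT$/p' | grep -m1 '^-A OUTPUT ' || true)
    case "$first" in
        *"-d $L2TP_PEER/32 "*"--sport 1701 "*"--dport 1701 -j RETURN") return 0 ;;
    esac
    return 1
}

# Reads `ip route get $L2TP_PEER` output on stdin and prints the egress
# device. Exit 1 if that device is the tunnel itself, which is the loop the
# OUT=l2tp-aaisp log line above shows, or if no device could be parsed.
peer_egress_dev() {
    dev=$(sed -n '1s/.* dev \([^ ]*\).*/\1/p')
    printf '%s\n' "$dev"
    [ -n "$dev" ] && [ "$dev" != "$L2TP_IF" ]
}

# Remove any stale copies (-C tests for an existing match), then put the
# rule at position 1 of mangle OUTPUT so it runs before the mwan3 hook.
ensure_bypass() {
    spec=$(bypass_spec)
    while "$IPT" -t mangle -C OUTPUT $spec 2>/dev/null; do
        "$IPT" -t mangle -D OUTPUT $spec || break
    done
    "$IPT" -t mangle -I OUTPUT 1 $spec
}

case "${1:-}" in
    apply) ensure_bypass ;;
    check) ip route get "$L2TP_PEER" | peer_egress_dev &&
           iptables-save -t mangle | bypass_is_first && echo "bypass in place" ;;
esac
```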

Why use the L2TP tunnel service?

The main benefit of Andrews & Arnold’s L2TP service is that you are routed one or more static public IPv4 addresses and an IPv6 prefix. With a lot of internet providers turning towards CGNAT, DS-Lite and other deployments that don’t provide native dual stack, the L2TP service allows you to have this without having to move to a more expensive business type service or change provider.

Equally, A&A does not apply any censorship on their broadband lines, and this extends to the L2TP relay service as it uses the same network. So unlike the major UK ISPs (Virgin Media, Sky, BT, TalkTalk, EE etc.), A&A does not implement such measures. While you can of course avoid this by using different DNS resolvers and a VPN, this is an added perk, as any traffic through the L2TP tunnel will be pure and unadulterated.

For me IPv6 was my main area of interest in testing this out. The IPv6 speed test speaks for itself. Here are the results of an IPv6 speed test from ipv6-test.com.

Andrews and Arnold IPv6 download speed test (87.4 Mbit/s)

Compare this to the result of Hurricane Electric 6in4 on Virgin Media.

Hurricane Electric 6in4 download speed test (12.8 Mbit/s)

That is a massive 74.6 Mbit/s difference in speed. The performance of my IPv6 is now much closer to native IPv4 from Virgin Media, meaning any IPv6 traffic should be a lot faster! It also means I can replace 6in4 entirely, and I no longer have to stop certain services, i.e. Netflix, from going over IPv6, because 6in4 tunnels are seen as “proxies”.

For me the extra £10.00 is worth it to have native IPv6 that just works! Eventually Virgin Media will deploy IPv6, however it sounds like they’ll be using DS-Lite, so I think having an L2TP connection to another ISP is going to be useful when that happens, as I am very much not a big fan of DS-Lite.

Because I am multihomed, I mainly use my existing Virgin Media connection for IPv4 and now AAISP for IPv6. I also use the static IPv4 address provided by AAISP to NAT existing services that were running on my dynamic IP from Virgin Media, so no more DDNS configuration! Virgin Media IPs are “sticky” and don’t tend to change unless you have a different MAC address or they force a network update that reallocates addresses in the pool, but it’s still nice to know it’s a truly static IP!

Note for readers: This article is in no way endorsed by Andrews and Arnold Ltd (AAISP) or written as paid promotion.

James White

I'm a web developer, but also like writing about technical networking and security related topics, because I'm a massive nerd!