The story of why I use an L2TP relay from Andrews & Arnold

When your main ISP falls short, time to tunnel your way out of trouble!

I recently decided to test out the L2TP relay service from Andrews & Arnold. I have never had broadband services with them, but had read and heard great things. They offer an L2TP relay service, where you can basically use their network without having a broadband line with them. Instead, you connect via your existing broadband provider (in my case Virgin Media) via L2TP (Layer 2 Tunneling Protocol).

Why would you do this? Well, to explain the quick back story why I became interested in this offering, you might need to read my rather lengthy article on the problems that specifically affect Virgin Media customers with 6in4 IPv6 tunnels. Right now Virgin Media does not have a native IPv6 deployment and because of this, a small group of customers (including myself) are using 6in4 to basically fill in this gap. The problem is, IPv6 with 6in4 through providers like Hurricane Electric or tunnelbroker.ch from SecureBit performs horribly on Virgin Media residential and business connections, and it’s not the tunnel providers, it’s 100% a Virgin Media problem. The issue has been brought back into the spotlight again more recently thanks to ISPReview.

So this got me thinking: what viable alternatives do I have to avoid slow 6in4 IPv6 speeds? The short answer is tunneling! Here’s where the Andrews & Arnold L2TP relay service resolves a lot of my current issues:

  • Native IPv6 (a static /48 prefix can be delegated)
  • Bonus static IPv4 address (something you don’t typically see on any “Home” type broadband lines)
  • A neutral network, no censorship of content or restrictions on what ports/traffic can go through their relay.
  • All you need is an L2TP client running on a router or compatible device to connect to the service

Of course, there is a cost to this service. After all you are using their network for transit.

Costs:

  • Domestic: £10.00 per month (1 TB)
  • Business: £20.00 per month (2 TB)

On the business lines you can get more IP address blocks allocated, whereas on the domestic lines you get a single static IPv4 address and a /48 IPv6 prefix.

The L2TP service is capped at 100 Mbps. However that’s quite reasonable I think for the cost. My overall line speed with Virgin Media is currently 100 Mbps, so the speed cap doesn’t really make any difference for me and because I can’t push more than 15 Mbps download with 6in4 IPv6 currently, anything would be an improvement!

Andrews & Arnold L2TP on OpenWrt 19.07

Because I use OpenWrt, I will be setting up an L2TP client on my router where I can then do NAT. Andrews & Arnold helpfully provide some specific guidance on configuring an L2TP client on OpenWrt. The documentation is a little out of date: based on the kmod versions, it looks like it was written and tested on Chaos Calmer (15.05/15.05.1), which is quite a few releases back for OpenWrt today, but the general premise is the same. You will need to install various L2TP kmods and packages as below, then reboot your router to load the kmod packages so you can configure an L2TP network interface.

opkg update
opkg install kmod-l2tp kmod-l2tp-eth kmod-l2tp-ip kmod-pppol2tp ppp-mod-pppol2tp xl2tpd luci-proto-ipv6 luci-proto-ppp

You may already have some of these packages installed, e.g. luci-proto-ipv6.

The main PPP interface can be configured like so. This is for the IPv4 connection. Replace the username and password with your specific line credentials. IPv6 is handled with another configuration step below.

config interface 'aaisp'
    option proto 'l2tp'
    option server 'l2tp.aa.net.uk'
    option username 'yourusername@a'
    option password 'YOURPASSWORD'
    option metric '50'
    option ipv6 '1'
    option peerdns '0'

IPv6 users: For those that may be IPv6 only or where your provider is using something awful like DS-Lite you can also connect to their L2TP relay over IPv6 with l2tp6.aa.net.uk.

The IPv6 interface setup in their documentation can be tweaked to use an alias interface instead. As the IPv6 prefix is obtained using DHCPv6, this is a slightly simplified version of configuring the IPv6 interface.

config interface 'aaisp6'
    option proto 'dhcpv6'
    option reqprefix '48'
    option peerdns '0'
    option ifname '@aaisp'
    option reqaddress 'force'

Then make sure the L2TP tunnel connects through your “bulk WAN” with a static route. This is important if you are multihomed and have multiple internet connections, as it ensures the L2TP connection is established over the right WAN network.

config route
    option interface 'wan'
    option target '90.155.53.19'

You may have to specify a gateway, depending on your WAN connection.

That’s pretty much the network interface configuration you need. OpenWrt uses xl2tpd for the tunnel connection itself. A network interface called l2tp-aaisp will be created that both IPv4 and IPv6 will be configured on.

Strange routing issues with fwmark

L2TP or PPP related network interfaces seem to be a bit broken on OpenWrt 19.07 and I’m not entirely sure why. I’m not sure if this is specific to the L2TPv2 PPP setup A&A have but after configuring the tunnel, there seemed to be some strange routing behaviour occurring with the L2TP interface. At first I thought this could have been due to my usage of mwan3, but after some expert debugging help from Aaron Goodman it looks like a general routing problem.

With mwan3 disabled the tunnel would connect fine, whereas with mwan3 enabled the tunnel would regularly disconnect and reconnect. DHCPv6 was also broken with mwan3 enabled, so IPv6 could not be configured as the RA request was never getting through. From investigating the issue it was determined that L2TP routing blows up as soon as a fwmark is applied to any packets going through the L2TP interface. That’s really bad news, because mwan3 happens to be using fwmark and needs it for how it does its routing.

Applying a fwmark like the example below breaks all routing for the L2TP interface, which is very strange.

iptables -t mangle -A OUTPUT -d 90.155.53.19 -p udp --dport 1701 --sport 1701 -j MARK --set-mark 0x1

Aaron’s thoughts on this were:

The kernel will try to route these packets out of l2tp-aaisp. This is despite not having any rules that relate to the firewall mark or any additional routes that would cause these packets to be assigned to L2TP interface. You can see this by adding logging rules at the end of the OUTPUT chain and the beginning of the POSTROUTING chain.

kern.warn kernel: [576733.222628] main output start IN= OUT=eth0.2 SRC=<wan ip> DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1
kern.warn kernel: [576733.237060] postroute start IN= OUT=l2tp-aaisp SRC=<wan ip> DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1
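
Comparing the two chains by eye gets tedious on a busy router. The shell function below is an added example, not code from the original post: it pairs LOG lines from the OUTPUT and POSTROUTING chains by IP ID and prints only the packets whose OUT interface changed in between. It assumes the two log prefixes shown above; the sample lines are constructed, with 192.0.2.10 standing in for <wan ip>.

```shell
#!/bin/sh
# Pair netfilter LOG lines from two chains by IP ID and report packets whose
# output interface changed between them. The prefixes "main output start" and
# "postroute start" are assumed from the log excerpt; adjust if yours differ.
# Pairing by ID is a heuristic: IDs can repeat on long captures.

find_rerouted() {
    awk '
    # Return the value of KEY=value on the current line, or "" if absent.
    function field(key,    i, n) {
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key)
                return substr($i, n + 1)
        }
        return ""
    }
    /main output start/ {
        id = field("ID")
        if (id != "") { out[id] = field("OUT"); mark[id] = field("MARK") }
        next
    }
    /postroute start/ {
        id = field("ID")
        if (id in out) {
            if (out[id] != field("OUT"))
                printf "ID=%s DST=%s MARK=%s %s -> %s\n", id, field("DST"), mark[id], out[id], field("OUT")
            delete out[id]; delete mark[id]
        }
    }'
}

# Constructed sample: a marked packet that changes interface and an unmarked
# packet that does not (MARK= is only logged when the mark is non-zero).
sample_log() {
    cat <<'EOF'
kern.warn kernel: [100.000001] main output start IN= OUT=eth0.2 SRC=192.0.2.10 DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1
kern.warn kernel: [100.000002] postroute start IN= OUT=l2tp-aaisp SRC=192.0.2.10 DST=90.155.53.19 LEN=920 TOS=0x00 PREC=0x00 TTL=64 ID=42237 PROTO=UDP SPT=1701 DPT=1701 LEN=900 MARK=0x1
kern.warn kernel: [100.000003] main output start IN= OUT=eth0.2 SRC=192.0.2.10 DST=90.155.53.19 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=42238 PROTO=UDP SPT=1701 DPT=1701 LEN=100
kern.warn kernel: [100.000004] postroute start IN= OUT=eth0.2 SRC=192.0.2.10 DST=90.155.53.19 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=42238 PROTO=UDP SPT=1701 DPT=1701 LEN=100
EOF
}

sample_log | find_rerouted
```

On the router, feed it the live kernel log with `logread | find_rerouted`; an empty result after adding the workaround rule means the tunnel's own packets are no longer being re-routed.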

So there’s clearly some funky issues happening, however a workaround was found by Aaron. Having the following as the very first rule in the mangle table within the OUTPUT chain prevents the packets being marked by mwan3 and everything is fine.

iptables -t mangle -I OUTPUT -d 90.155.53.19 -p udp --dport 1701 --sport 1701 -j RETURN

This can be added to /etc/firewall.user so it is persistent with firewall reloading/restarts. It will be added after the firewall has been brought up, so insert is used to make sure it’s always the first rule.

  • 90.155.53.19: IPv4 L2TP tunnel endpoint l2tp.aa.net.uk.

Why use the L2TP tunnel service?

The main benefit of Andrews & Arnold’s L2TP service is the fact that you can be routed one or more static public IPv4 and IPv6 prefixes. With a lot of internet providers turning towards CGNAT, DS-Lite and other deployments that don’t provide native dual stack, the L2TP service allows you to have this without having to move to a more expensive business type service or change provider.

Equally, A&A does not have any censorship on their broadband lines, and this extends to the L2TP relay service as it uses the same network. So unlike the major UK ISPs (Virgin Media, Sky, BT, TalkTalk, EE etc.), A&A does not implement such measures. While you can of course avoid this by using different DNS resolvers and a VPN, this is an added perk, as any traffic through the L2TP tunnel will be pure and unadulterated.

For me IPv6 was my main area of interest in testing this out. The IPv6 speed test speaks for itself. Here are the results of an IPv6 speed test from ipv6-test.com.

Andrews and Arnold IPv6 download speed test (87.4 Mbit/s)

Compare this to the result of Hurricane Electric 6in4 on Virgin Media.

Hurricane Electric 6in4 download speed test (12.8 Mbit/s)

That is a massive 74.6 Mbit/s difference in terms of speed. The performance of my IPv6 is much closer to native IPv4 from Virgin Media, meaning any IPv6 traffic should be a lot faster! It also means being able to replace 6in4 entirely, and I don’t have to avoid certain services going over IPv6, i.e. Netflix, because 6in4 tunnels are seen as “proxies”.

For me the extra £10.00 is worth it to have native IPv6 that just works! Eventually Virgin Media will deploy IPv6, however it sounds like they’ll be using DS-Lite, so I think having a L2TP connection to another ISP is going to be useful when that happens, as I am very much not a big fan of DS-Lite.

Because I am multihomed I mainly use my existing Virgin Media connection for IPv4 and now AAISP for IPv6. I also use the static IPv4 provided from AAISP to NAT existing services that were running on my dynamic IP from Virgin Media, so no more DDNS configuration! While Virgin Media IPs are “sticky” and don’t tend to change unless either you have a different MAC address or they force a network update that reallocates addresses in the pool, it’s still nice to know it’s a truly static IP!

Note for readers: This article is in no way endorsed by Andrews and Arnold Ltd (AAISP) or written as paid promotion.

Translated from: https://medium.com/@jamesmacwhite/the-story-of-why-i-use-a-l2tp-relay-from-andrews-arnold-831b0de42d7b
