L2TP with AAISP on a Server

I recently posted about using stable IP addresses on a desktop managed by NetworkManager.

This post will go into some detail about using the same tunnel, but server-side, and inside a network namespace.

You can then run servers in that namespace and have them reachable from the internet on a real, stable IP address, without giving them access to the rest of your LAN.

Step 0: Sign up for AAISP’s L2TP service

https://www.aa.net.uk/broadband/l2tp-service/

Or follow my previous post. It’s £10/mo, and you get a stable IP address and a /64 network to do with as you please.

Step 1: Create a network namespace

We won’t be using full containerisation. Instead, we’ll just move specific services into the namespace to “publish” them. Be clear about what that does and does not isolate: a network namespace gives those services their own interfaces, addresses, routes and sockets (here, nothing but the tunnel), but they still share the host’s filesystem, users and process table, so harden them as you would any other internet-facing service.

# /etc/systemd/system/netns@.service
[Unit]
Description=Creates the %I network namespace

[Service]
Type=oneshot
RemainAfterExit=yes

ExecStart=/usr/bin/ip netns add %I
ExecStart=/usr/bin/ip netns exec %I ip link set lo up
ExecStop=/usr/bin/ip netns del %I
# systemctl enable --now netns@aaisp
# ls -l /run/netns/aaisp

Step 2: Xl2tpd

# emerge net-dialup/xl2tpd
# /etc/xl2tpd/xl2tpd.conf
[lac aaisp]
lns = l2tp.aaisp.net.uk
autodial = yes
redial = yes
require authentication = no
pppoptfile = /etc/ppp/options.aaisp

# /etc/ppp/options.aaisp
+ipv6
ipv6cp-use-ipaddr
name a123@a
password XXXXXXXXXX
noauth
ifname aaisp0
# /usr/lib/systemd/system/xl2tpd.service
[Unit]
Description=Layer 2 Tunneling Protocol Daemon (L2TP)
After=syslog.target network.target
After=ipsec.service

[Service]
ExecStart=/usr/sbin/xl2tpd -D
KillSignal=SIGINT
SuccessExitStatus=1

[Install]
WantedBy=multi-user.target
# /etc/systemd/system/xl2tpd.service.d/override.conf
[Unit]
BindsTo=netns@aaisp.service
After=netns@aaisp.service

[Service]
EnvironmentFile=/etc/xl2tpd/aaisp.env
ExecStartPost=/usr/bin/sleep 5
ExecStartPost=/usr/bin/ip link set dev aaisp0 netns aaisp
ExecStartPost=/usr/bin/ip netns exec aaisp ip link set aaisp0 up
ExecStartPost=/usr/bin/ip netns exec aaisp ip addr add $LOCAL_ADDR dev aaisp0
ExecStartPost=/usr/bin/ip netns exec aaisp ip addr add $LOCAL_ADDR6 dev aaisp0
ExecStartPost=/usr/bin/ip netns exec aaisp ip route add default dev aaisp0
ExecStartPost=/usr/bin/ip netns exec aaisp ip -6 route add default dev aaisp0
# /etc/xl2tpd/aaisp.env
LOCAL_ADDR=X.X.X.X
LOCAL_ADDR6=2001:8b0:xxxx:xxxx::1/64

The IPv4 address is the fixed address that AAISP assign you. pppd negotiates it during the xl2tpd login, but moving the link into another namespace flushes every address and route on it, so the override adds them back by hand from the env file.

An IPv6 address is negotiated and lost the same way. Any host address from the /64 that AAISP route to you will do as the static replacement; the ::1 above is just a convention.

Three caveats. The sleep 5 is a race: if pppd takes longer than five seconds to bring aaisp0 up, the ip link set step fails, and because a failing ExecStartPost marks the whole service failed, xl2tpd is stopped again (check journalctl -u xl2tpd), so lengthen it or poll for the interface instead. /etc/ppp/options.aaisp holds your AAISP password in clear text, so keep it readable by root only. And nothing in this configuration sets up IPsec; L2TP on its own encrypts nothing, so treat aaisp0 like any other public interface.
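A post-start audit for Step 2 and for the isolation claim made in the introduction, as an added example that is not part of the original post: it checks the addresses in aaisp.env before they go on the link, confirms they are actually present on aaisp0 inside the namespace, and flags any route in the namespace that does not leave via aaisp0, since such a route is exactly what would let a service in there reach the LAN. It assumes the names used above (namespace aaisp, interface aaisp0, /etc/xl2tpd/aaisp.env) and that the ip -n shorthand from iproute2 is available; the checking functions take command output as text, so they can be exercised on captured samples without root.

```python
#!/usr/bin/env python3
"""Post-start audit for the aaisp namespace (added example, not from the post).

Assumptions: the namespace is called "aaisp", the PPP link inside it is
"aaisp0", and /etc/xl2tpd/aaisp.env has the LOCAL_ADDR / LOCAL_ADDR6 layout
shown above. Run as root after `systemctl start xl2tpd`.
"""
import ipaddress
import re
import subprocess
import sys

NS = "aaisp"
DEV = "aaisp0"
ENV_FILE = "/etc/xl2tpd/aaisp.env"


def parse_env(text):
    """Parse a systemd-style KEY=VALUE EnvironmentFile (blank lines and # comments ignored)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


def check_addresses(env, prefix_len=64):
    """Sanity-check the static addresses before they are put on the link.

    LOCAL_ADDR must be one IPv4 host (bare address or /32, which is how
    `ip addr add` treats a bare address); LOCAL_ADDR6 must carry the /64 of
    the delegated prefix and must not be the all-zeros subnet address.
    """
    problems = []
    try:
        v4 = ipaddress.ip_interface(env.get("LOCAL_ADDR", ""))
        if v4.version != 4 or v4.network.prefixlen != 32:
            problems.append("LOCAL_ADDR must be a single IPv4 host address")
    except ValueError:
        problems.append("LOCAL_ADDR is not a valid IPv4 address")
    try:
        v6 = ipaddress.ip_interface(env.get("LOCAL_ADDR6", ""))
        if v6.version != 6:
            problems.append("LOCAL_ADDR6 is not an IPv6 address")
        elif v6.network.prefixlen != prefix_len:
            problems.append(f"LOCAL_ADDR6 must be written with /{prefix_len}")
        elif v6.ip == v6.network.network_address:
            problems.append("LOCAL_ADDR6 is the subnet address; pick a host in the /64")
    except ValueError:
        problems.append("LOCAL_ADDR6 is not a valid IPv6 address/prefix")
    return problems


def check_interface_addrs(addr_text, env):
    """Return the env-file addresses missing from `ip -o addr show dev DEV` output."""
    present = {ipaddress.ip_interface(a) for a in re.findall(r"\binet6?\s+(\S+)", addr_text)}
    wanted = {ipaddress.ip_interface(env["LOCAL_ADDR"]),
              ipaddress.ip_interface(env["LOCAL_ADDR6"])}
    return sorted(str(a) for a in wanted - present)


def check_routes(route_text, dev=DEV):
    """Return routes from `ip route show` output that do not leave via the tunnel.

    Inside the namespace every route should point at aaisp0. A route via any
    other device (a veth, a LAN NIC that was moved in, ...) is a path to
    something the tunnel does not carry, i.e. a hole in the LAN isolation.
    """
    leaks = []
    for line in route_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.search(r"\bdev\s+(\S+)", line)
        if m is None or m.group(1) != dev:
            leaks.append(line)
    return leaks


def ip_in_ns(ns, *args):
    """Run `ip -n NS ...` and return its stdout (needs root and iproute2)."""
    return subprocess.run(["ip", "-n", ns, *args], check=True,
                          capture_output=True, text=True).stdout


def main():
    with open(ENV_FILE) as f:
        env = parse_env(f.read())
    problems = check_addresses(env)
    if not problems:
        missing = check_interface_addrs(ip_in_ns(NS, "-o", "addr", "show", "dev", DEV), env)
        problems += [f"{a} is not configured on {DEV}" for a in missing]
    leaks = check_routes(ip_in_ns(NS, "route", "show")) + check_routes(ip_in_ns(NS, "-6", "route", "show"))
    problems += [f"route does not go via {DEV}: {r}" for r in leaks]
    for p in problems:
        print("FAIL:", p)
    print("OK: namespace looks sane" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root once xl2tpd is up; a non-zero exit means something needs fixing. Adding it as a final ExecStartPost= of xl2tpd.service turns a misconfigured tunnel into a failed unit instead of a silently half-working one.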

Step 3: Add services to the namespace

# /usr/lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx/nginx.pid
RuntimeDirectory=nginx
ExecStart=nginx
ExecReload=kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/nginx.service.d/override.conf
[Unit]
BindsTo = netns@aaisp.service
After = netns@aaisp.service

[Service]
NetworkNamespacePath=/run/netns/aaisp

You can now set up a web server, Let's Encrypt and other services in this namespace as normal. Three things to keep in mind. NetworkNamespacePath= needs systemd 242 or newer. The override only orders nginx after the namespace unit, not after xl2tpd, so nginx may start before the tunnel is up; that is fine while it listens on the wildcard address, but if you bind it to the tunnel address explicitly, add After=xl2tpd.service as well. And unlike ip netns exec, NetworkNamespacePath= does not bind-mount a per-namespace resolv.conf from /etc/netns/aaisp/, so the service reads the host's /etc/resolv.conf; a resolver on your LAN is unreachable from a namespace whose only route is the tunnel, so point the service at a resolver reachable over the tunnel (or run one in the namespace), otherwise the first thing your ACME client does is fail on DNS.