nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Certificate-based connections #54

Closed PROBLEMCHYLD closed 5 years ago

PROBLEMCHYLD commented 7 years ago

It seems like the network-manager-l2tp doesn't accept Certificates from strongswan. I have the ipsec.conf to load certificates, but it is ignored by network-manager-l2tp. Is there a work around or fix for this?

dkosovic commented 7 years ago

The code would need to be modified, if you are familiar with C, it wouldn't be too hard to do quick and dirty modifications to src/nm-l2tp-service.c. But a proper fix would be to add certificate support to the GUI using NMACertChooser introduced with NetworkManager 1.8.0.

There was one volunteer last year that was going to look into implementing certificate support in the master branch of this VPN plugin, but I never heard back from him.

It's probably one of my TODOs, but I don't have any access to a VPN server that is using certificates, so it is a low priority on my part.

PROBLEMCHYLD commented 7 years ago

I'm not a programmer, so I guess I'm S.O.L. Thanks anyways. I'll check in the future to see if the feature has been added.

dkosovic commented 7 years ago

Could you send me your ipsec.conf file and I'll take a look? Obfuscate any IP addresses, hostnames, etc. in the file if you don't want to make them public.

PROBLEMCHYLD commented 7 years ago

Here is the tutorial I used. http://www.remy.org.uk/tech.php?tech=1483049761

dkosovic commented 7 years ago

Based on that tutorial the following diff shows what you'll need to modify in src/nm-l2tp-service.c

diff --git a/src/nm-l2tp-service.c b/src/nm-l2tp-service.c
index ad75287..aec3303 100644
--- a/src/nm-l2tp-service.c
+++ b/src/nm-l2tp-service.c
@@ -737,20 +737,18 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
        write_config_option (fd, "  auto=add\n");
        write_config_option (fd, "  type=transport\n");

-       write_config_option (fd, "  authby=secret\n");
+       write_config_option (fd, "  authby=rsasig\n");
        write_config_option (fd, "  keyingtries=0\n");
        write_config_option (fd, "  left=%%defaultroute\n");
+       write_config_option (fd, "  leftcert=client.crt\n");
+       write_config_option (fd, "  leftid=\"C=UK, OU=VPN, O=MyNET, CN=S4\"\n");
        if (l2tp_port_is_free) {
            write_config_option (fd, "  leftprotoport=udp/l2tp\n");
        }

        write_config_option (fd, "  right=%s\n", priv->saddr);
-       value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
-       if (value) {
-           write_config_option (fd, "  rightid=%s\n", value);
-       } else {
-           write_config_option (fd, "  rightid=%%any\n");
-       }
+       write_config_option (fd, "  rightrsasigkey=%cert\n");
+       write_config_option (fd, "  rightid=\"C=UK, OU=VPN, O=MyNET, CN=S4\"\n");
        write_config_option (fd, "  rightprotoport=udp/l2tp\n");

        if (priv->is_libreswan) {
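Review bot: `write_config_option (fd, "  rightrsasigkey=%cert\n");` passes a bare `%` into what is evidently a printf-style format string (the surrounding lines escape it as `%%defaultroute` and use `%s` for `priv->saddr`), so `%c` would consume a non-existent argument instead of emitting the literal `%cert` that strongSwan expects; it should read `"  rightrsasigkey=%%cert\n"`. The hunk also hard-codes `leftcert`, `leftid` and `rightid` with the tutorial's DN `"C=UK, OU=VPN, O=MyNET, CN=S4"` for both peers and drops the `NM_L2TP_KEY_IPSEC_GATEWAY_ID` lookup, so the Gateway ID configured in the connection is silently ignored; as a quick local hack that is fine, but anyone copying it must substitute their own client and server identities, and a mergeable version would read the certificate path and identities from the VPN settings rather than literals.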

Use the instructions on the following page to build from source code:

Then every time you modify src/nm-l2tp-service.c, issue the following in the parent directory of the network-manager-l2tp source tree:

make
sudo make install
sudo systemctl restart network-manager

tpimont commented 6 years ago

I tried to modify the code, but nothing appears in the GUI to choose certificates. I tried to look at the old source code from https://github.com/seriyps/NetworkManager-l2tp, but there are too many changes in the code to port it. Could you please add this feature? I can test it if you want.

dkosovic commented 6 years ago

The code modification I mentioned above was for manually added certificates to strongswan as described in the tutorial.

The L2TP certificate support you are referring to from the old source code is commit https://github.com/nm-l2tp/network-manager-l2tp/commit/3da37463ad730e3b3bcc3c0c2f107f5f42d58dd9 in the nm-1-0 branch of this repository, and there was a subsequent fix from the author in issue https://github.com/nm-l2tp/network-manager-l2tp/issues/7. As mentioned in issue #7, the code hasn't been updated to work with the master branch, which has changed a fair bit like you mentioned, and I never heard back from the author for updates.

Unlike the first message in this issue which is for machine certificate support (i.e. instead of using a preshared-key), the code you are referring to is for user certificate support (i.e. instead of using username/password credentials).

To be able to use user certificates, the ppp package has to have the EAP-TLS patch for pppd applied to the source code (which has already been done so with most Linux distributions) :

Also note that the GUI changes from the old source code were for KDE Plasma (i.e. KDE's GIT repository) and not the GNOME GUI code in this repository (and its ancestors). If you are using the KDE plasma-nm l2tp package, you might need to upgrade to a newer version if you don't see the user certificate support.

I am working on a new NetworkManager-l2tp 1.8.0 that will need NetworkManager >= 1.8.0 for the certificate support as it is using the NMACertChooser API and GUI introduced with NetworkManager 1.8.0. But it will take a while as I'm on holidays and then in and out of hospital a few times for operations, unless someone else volunteers.

dkosovic commented 5 years ago

I've been dragging my feet waiting for OpenSSL 3.0 to be released, which uses the Apache 2.0 license, which is compatible with the GPL v2 license that NetworkManager uses.

NetworkManager-l2tp code in the master branch now supports user and machine TLS certificates. Although OpenSSL 3.0 hasn't been released yet, the code can be built against OpenSSL 1.1.x. Even if the code was ready for a stable version release now, due to license incompatibility issues, it can not ship as a prebuilt binary package for Linux distros until they ship with OpenSSL 3.0.

The code supports the following certificate and private key file types:

Notes on certificate and private keys:

The following commit and crypto utility files do most of the TLS certificate backend support in the source code:

I ran into some limitations with the NMACertChooser GUI and have some GUI work left to do related to user friendliness in handling certificates and private keys, but it is usable now.

The code isn't thoroughly tested yet as it is fairly fresh, but if you could test it, it would be appreciated.

iamohtep commented 5 years ago

Hi,

thanks for this update. I was able to test this using IPsec Machine Cert (Client Cert) + AD Credentials User/Password Authentication (L2TP). The tunnel was created as 'ppp0' with its corresponding IP, which it received from the server. The plugin somehow throws a permission denied error if the client certificates are located anywhere other than /etc/ipsec.d/{cacerts,certs,private} accordingly.

This shows that the update to the code enables the use of certificates to authenticate with IPsec. I haven't had the time to test L2TP with certs and was only able to do User/Password. However, the connection gets cut off after a few keep-alive packets are sent. In the VPN server logs, it can be seen that the client successfully connected, but there was no traffic proceeding.

The NetworkManager journalctl logs show that the connection is disconnected after a few keep-alive packets:

Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.4908] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.4938] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.4979] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data: VPN Gateway: IP_OF_MY_VPN
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.4989] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data: Tunnel Device: "ppp0"
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.4998] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data: IPv4 configuration:
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5006] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Internal Address: CLIENT_IP_IN_VPN_NETWORK
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5013] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Internal Prefix: 32
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5021] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Internal Point-to-Point Address: IP_OF_MY_VPN
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5029] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Static Route: 0.0.0.0/0   Next Hop: 0.0.0.0
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5037] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Static Route: IP_OF_MY_VPN/32   Next Hop: 0.0.0.0
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5046] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Internal DNS: IP_OF_DNS1
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5054] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   Internal DNS: IP_OF_DNS2
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5061] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data:   DNS Domain: '(none)'
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5070] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: Data: No IPv6 configuration
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5080] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: VPN plugin: state changed: started (4)
Jan 07 16:37:13 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875433.5222] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: VPN connection: (IP Config Get) complete
Jan 07 16:37:15 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:15 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: handle_packet: bad control packet!
Jan 07 16:37:19 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:19 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: handle_packet: bad control packet!
Jan 07 16:37:27 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:27 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: handle_packet: bad control packet!
Jan 07 16:37:29 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875449.1138] connectivity: (wlp4s0) timed out
Jan 07 16:37:35 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:35 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: handle_packet: bad control packet!
Jan 07 16:37:36 myclient.mydomain.lcl charon[26815]: 12[IKE] sending keep alive to IP_OF_MY_VPN[4500]
Jan 07 16:37:59 myclient.mydomain.lcl charon[26815]: 07[IKE] sending keep alive to IP_OF_MY_VPN[4500]
Jan 07 16:38:19 myclient.mydomain.lcl charon[26815]: 08[IKE] sending keep alive to IP_OF_MY_VPN[4500]
Jan 07 16:38:39 myclient.mydomain.lcl charon[26815]: 15[IKE] sending keep alive to IP_OF_MY_VPN[4500]
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: Maximum retries exceeded for tunnel 47773.  Closing.
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: Terminating pppd: sending TERM signal to pid 26861
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: Connection 31359 closed to IP_OF_MY_VPN, port 1701 (Timeout)
Jan 07 16:38:44 myclient.mydomain.lcl pppd[26861]: Terminating on signal 15
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875524.2801] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Jan 07 16:38:44 myclient.mydomain.lcl pppd[26861]: Connect time 1.6 minutes.
Jan 07 16:38:44 myclient.mydomain.lcl pppd[26861]: Sent 973265849 bytes, received 0 bytes.
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 16[KNL] interface ppp0 deactivated
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 06[KNL] CLIENT_IP_IN_VPN_NETWORK disappeared from ppp0
Jan 07 16:38:44 myclient.mydomain.lcl pppd[26861]: Connection terminated.
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 07[KNL] interface ppp0 deleted
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: xl2tpd[26857]: death_handler: Fatal signal 15 received
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875524.3063] vpn-connection[0x55dcfd120760,485d37e0-ffc0-4b49-aa50-a955c7fccdad,"VPN L2TP",30:(ppp0)]: VPN plugin: state changed: stopping (5)
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: Stopping strongSwan IPsec...
Jan 07 16:38:44 myclient.mydomain.lcl NetworkManager[1035]: <info>  [1546875524.3097] devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[DMN] signal of type SIGINT received. Shutting down
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] closing CHILD_SA 485d37e0-ffc0-4b49-aa50-a955c7fccdad{1} with SPIs c3099dd0_i (927 bytes) b464826c_o (8663069745 bytes) and TS 192.168.2.172/32[udp/l2f] === IP_OF_MY_VPN/32[udp/l2f]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] closing CHILD_SA 485d37e0-ffc0-4b49-aa50-a955c7fccdad{1} with SPIs c3099dd0_i (927 bytes) b464826c_o (8663069745 bytes) and TS 192.168.2.172/32[udp/l2f] === IP_OF_MY_VPN/32[udp/l2f]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] sending DELETE for ESP CHILD_SA with SPI c3099dd0
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[ENC] generating INFORMATIONAL_V1 request 2155306331 [ HASH D ]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[NET] sending packet: from 192.168.2.172[4500] to IP_OF_MY_VPN[4500] (92 bytes)
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] deleting IKE_SA 485d37e0-ffc0-4b49-aa50-a955c7fccdad[1] between 192.168.2.172[DC=lcl, DC=mydomain, OU=mydomain - Gruppe, OU=Clients, OU=Linux, CN=myclient]...IP_OF_MY_VPN[IP_OF_MY_VPN]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] deleting IKE_SA 485d37e0-ffc0-4b49-aa50-a955c7fccdad[1] between 192.168.2.172[DC=lcl, DC=mydomain, OU=mydomain - Gruppe, OU=Clients, OU=Linux, CN=myclient]...IP_OF_MY_VPN[IP_OF_MY_VPN]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[IKE] sending DELETE for IKE_SA 485d37e0-ffc0-4b49-aa50-a955c7fccdad[1]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[ENC] generating INFORMATIONAL_V1 request 1048916585 [ HASH D ]
Jan 07 16:38:44 myclient.mydomain.lcl charon[26815]: 00[NET] sending packet: from 192.168.2.172[4500] to IP_OF_MY_VPN[4500] (108 bytes)
Jan 07 16:38:44 myclient.mydomain.lcl ipsec_starter[26814]: child 26815 (charon) has quit (exit code 0)
Jan 07 16:38:44 myclient.mydomain.lcl ipsec_starter[26814]:
Jan 07 16:38:44 myclient.mydomain.lcl ipsec_starter[26814]: charon stopped after 200 ms
Jan 07 16:38:44 myclient.mydomain.lcl ipsec_starter[26814]: ipsec starter stopped
Jan 07 16:38:44 myclient.mydomain.lcl pppd[26861]: Exit.
Jan 07 16:38:44 myclient.mydomain.lcl nm-l2tp-service[26772]: ipsec shut down

Can you give me an idea what is happening and how could I possibly resolve this?

Best Regards,

dkosovic commented 5 years ago

@iamohtep a catastrophic failure of the L2TP connection seems to happen after Received out of order control packet on tunnel ... (got 0, expected 2) error message which then brings down everything.

I've seen a similar but not exactly the same issue which was a result of incompatible Attribute Value Pair (AVP) extensions between xl2tpd and the L2TP server, e.g. the https://github.com/xelerance/xl2tpd/issues/136 issue. I suspect xl2tpd is waiting for an AVP response from the server, but doesn't get one, i.e. got 0 packets, expected 2 packets as indicated in the xl2tpd logs.

There was also a recent L2TP kernel bug for a recent kernel, you might like to try a different kernel. Unfortunately I can't find references to that bug at the moment.

Although you mentioned AD, are you using Windows Server RRAS for the L2TP server or some other L2TP server?

I was working on a version of NetworkManager-l2tp that could also work with rp-l2tp but put that on hold to work on the certificate support and due to a recently introduced bug with rp-l2tp (https://github.com/themiron/rp-l2tp/issues/2). I'll get back to it at some point. I suspect rp-l2tp might work in your case, or at the very least provide some useful logs. Not sure when I'll get back to working on rp-l2tp, but might be in the next couple of weeks.

For the certificate permission issues, the nm-l2tp-service is running with the root user ID, and under some circumstances root doesn't have access to home directories, e.g. NFS home directories, etc. I don't think there is any simple fix, but what you did seems to be a workaround. NetworkManager will eventually get a PKCS#11 hardware token or "soft" token/certificate store like Windows or macOS that will fix the issue, see:

foot3print commented 5 years ago

Hi,

I was able to successfully connect with this setup: deps:

The problem with the Received out of order control packet on tunnel ... (got 0, expected 2) is that after the tunnel is established, there is an entry IP_OF_VPN dev ppp0 proto kernel scope link src IP_OF_CLIENT_IN_VPN metric 50 in the routing table which seems to send the packets through the tunnel (ppp0). In our case, we are using a proxy to connect outside our intranet and the IP of the VPN server is not accessible without the proxy. I ended up deleting the entry with ip route del IP_OF_VPN.
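
As an added example (not code from this thread or from NetworkManager-l2tp), the following Python triage script applies the two diagnoses above to constructed journal and `ip route` lines modelled on the excerpt posted by iamohtep: it counts the xl2tpd out-of-order control packets, reads the pppd byte counters to flag one-way traffic, and checks whether the VPN gateway's host route points into ppp0 as foot3print described. The `IP_OF_VPN`-style placeholders are kept as in the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the journal excerpt in this thread
# (placeholders such as IP_OF_MY_VPN are kept as in the thread).
SAMPLE_JOURNAL = """\
Jan 07 16:37:13 myclient NetworkManager[1035]: <info>  [1546875433.5222] vpn-connection[...,"VPN L2TP",30:(ppp0)]: VPN connection: (IP Config Get) complete
Jan 07 16:37:15 myclient NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:15 myclient NetworkManager[1035]: xl2tpd[26857]: handle_packet: bad control packet!
Jan 07 16:37:19 myclient NetworkManager[1035]: xl2tpd[26857]: check_control: Received out of order control packet on tunnel 31359 (got 0, expected 2)
Jan 07 16:37:36 myclient charon[26815]: 12[IKE] sending keep alive to IP_OF_MY_VPN[4500]
Jan 07 16:38:44 myclient NetworkManager[1035]: xl2tpd[26857]: Maximum retries exceeded for tunnel 47773.  Closing.
Jan 07 16:38:44 myclient NetworkManager[1035]: xl2tpd[26857]: Connection 31359 closed to IP_OF_MY_VPN, port 1701 (Timeout)
Jan 07 16:38:44 myclient pppd[26861]: Sent 973265849 bytes, received 0 bytes.
"""

OUT_OF_ORDER = re.compile(
    r"Received out of order control packet on tunnel (\d+) \(got (\d+), expected (\d+)\)")
CLOSED = re.compile(r"Connection (\d+) closed to ([^,]+), port (\d+) \((\w+)\)")
PPP_COUNTERS = re.compile(r"pppd\[\d+\]: Sent (\d+) bytes, received (\d+) bytes")


def triage_l2tp_log(text: str) -> Dict[str, object]:
    """Summarise an L2TP/IPsec session from journal lines.

    Counts xl2tpd out-of-order control packets, records the tunnel ids and
    the close reason, reads the pppd byte counters and sets 'one_way_traffic'
    when bytes went into ppp0 but none came back, the signature of the
    routing problem described in this thread.
    """
    result: Dict[str, object] = {"out_of_order": 0, "tunnels": set(),
                                 "close_reason": None, "sent": None,
                                 "received": None, "ipsec_keepalives": 0}
    for line in text.splitlines():
        m = OUT_OF_ORDER.search(line)
        if m:
            result["out_of_order"] += 1
            result["tunnels"].add(int(m.group(1)))
            continue
        m = CLOSED.search(line)
        if m:
            result["close_reason"] = m.group(4)
            continue
        m = PPP_COUNTERS.search(line)
        if m:
            result["sent"], result["received"] = int(m.group(1)), int(m.group(2))
            continue
        if "[IKE] sending keep alive" in line:
            result["ipsec_keepalives"] += 1
    result["one_way_traffic"] = bool(result["sent"]) and result["received"] == 0
    return result


# Constructed `ip route show` output containing the offending host route.
SAMPLE_ROUTES = """\
default via 192.168.2.1 dev wlp4s0 proto dhcp metric 600
IP_OF_VPN dev ppp0 proto kernel scope link src IP_OF_CLIENT_IN_VPN metric 50
192.168.2.0/24 dev wlp4s0 proto kernel scope link src 192.168.2.172 metric 600
"""


def gateway_routed_via_tunnel(route_text: str, gateway: str,
                              tunnel_dev: str = "ppp0") -> Optional[str]:
    """Return the route line if the VPN gateway's host route points into the
    tunnel device itself (a /32 beats the default route, so the outer IPsec
    and L2TP packets would be looped into ppp0), else None."""
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == gateway and fields[1:3] == ["dev", tunnel_dev]:
            return line
    return None
```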

panlinux commented 5 years ago

It worked for me as well. I just tried 3dd2b2e162bc37d604e3db25fcf339f516524655 built from source on Ubuntu disco, against an EdgeRouter from Ubiquiti.

I had the certificates in my home directory, but the AppArmor profile in Ubuntu prevents charon from reading files in there, so I moved them to /etc/ipsec.d. Then network-manager complained it couldn't read the /etc/ipsec.d/private directory as my user (that dir is 0700 root:root), so I used a bit of ACLs to allow my user to read my private key. Anyway, details for the distros to sort out.

What exactly are the licensing issues you mentioned? This wasn't linked with openssl before?

dkosovic commented 5 years ago

@panlinux thanks for the feedback. That could be a bit of a headache with the AppArmor charon issues, hopefully the distros won't take too long to sort out the issues.

This repository has NetworkManager GPL v2 licensed code. More details as to why it isn't possible to combine OpenSSL with GPL code, from the NetworkManager mailing list:

It hasn't been linked with OpenSSL before as the stable releases have never had any certificate support (apart from with the KDE plasma-nm L2TP GUI which only has very simple support for PEM user certificates and does no processing of the certificates other than file paths).

But as mentioned, things will change once OpenSSL 3.0 is released with the Apache 2.0 license that is compatible with the GPL v2 license.

Maybe tomorrow I will be releasing a NetworkManager-l2tp 1.2.12 tarball with no certificate support from the nm-1-2 branch of this repository, which is intended for Linux distros. I will also release a NetworkManager-l2tp 1.7.0-dev tarball developer release which includes the certificate support from the master branch of this repository, but will discourage people from including it with Linux distros.

panlinux commented 5 years ago

Could GnuTLS be used instead? Besides the usual "it's just a matter of coding", of course :)

dkosovic commented 5 years ago

strongSwan uses OpenSSL for its certificate support, while Libreswan uses NSS for its.

OpenSSL supports all of the private key and certificate file formats, e.g. although PKCS#8 should now be used for private keys, there is nothing better than OpenSSL to open traditional OpenSSL RSA, DSA and ECDSA private keys in either PEM or DER format, especially if they are password protected.

When Libreswan is used, I use the OpenSSL API to convert certificates and private keys to PKCS#12 data arrays, which are then imported into Libreswan's NSS database using the NSS API.

I started using NSS for the crypto support, but ran into limitations. The GnuTLS version I had on my Linux distro was buggy and segfaulted when I tried using it; a patch needed to be backported to that version, and the GnuTLS API is also limiting.

dkosovic commented 5 years ago

Closing this issue as NetworkManager-l2tp 1.7.0 with user and machine certificate support was released 3 weeks ago:

dkosovic commented 4 years ago

NetworkManager-l2tp 1.8.0 with user and machine certificate support was released a few weeks ago.

Regarding the GPL and OpenSSL licensing incompatibility: some Linux distributions like Fedora consider OpenSSL to be a "System Library" and so exempt from the conflict per the "System Library Exception":

So I've released NetworkManager-l2tp 1.8.0 RPMs for Fedora 31 and EPEL8 (i.e. RHEL8/CentOS8):

Other distros like Debian and Ubuntu have taken the opposite stance that OpenSSL is non-essential and therefore not protected by the GPL "System Library Exception":

As it now looks like OpenSSL 3.0.0 won't be released till 2020, I've created the following Ubuntu PPA which has network-manager-l2tp 1.8.0 packages under the GPLv3 license that were statically linked against libcrypto.a built from a bundled copy of an OpenSSL pre-3.0.0 git snapshot which is using Apache License 2.0 (Note: the GPLv3 license is compatible with Apache License 2.0):