L2TP IPSec VPN for private browsing

Why an L2TP IPSec VPN

I use VPNs all the time these days to access resources that I have restricted on the servers I manage. I also want to be able to watch live TV programs from various countries regardless of where I am; in most cases live TV is only available in the country of origin, so without a VPN or a similar solution it is not possible to watch it from elsewhere using the original websites. I know that there are reasons for these geographical restrictions, but that’s not the point of this article ;). I also own an iPad and an iPhone, so I prefer having a private connection when I am on the move and need to surf the Internet or just check my emails over some network I have no control over. Gmail and many sites I need use SSL, but nevertheless using a VPN gives peace of mind, since you don’t have to worry as much about how much attention has been paid to the security of these services, at least as far as the encryption of the data is concerned. So the VPN I use must also be compatible with these devices, and that’s why I have replaced my long-time favourite OpenVPN with an L2TP IPSec VPN on each of my servers. These VPNs are IMO simpler to set up, secure, and compatible with most operating systems and devices without requiring additional client software to establish the connection. This is a plus, since it means I can also configure VPN access on my iPhone without having to jailbreak it or install third-party apps to be able to use another VPN.

So here’s a simple guide on how to set up an L2TP IPSec VPN on an Ubuntu server and get both a Mac and an iPhone connected. The process should be very similar on other Linux distributions. Hopefully this will help you save some trial and error; I won’t go into the details of each setting or command, as I am myself not too familiar with several of them, so if you just want a “fast-track” how-to, here you are.

To set up an L2TP IPSec VPN, you’ll need to install OpenSwan, which is an IPSec implementation for Linux; IPSec is responsible for the encryption of the packets.


You will be asked “Do you have an existing X509 certificate file that you want to use for Openswan?”. If you, like me, want an L2TP IPSec VPN compatible with iPhones/iPads and other devices, answer No, since these typically do not support certificate-based setups.

Next you’ll need to edit a few configuration files. I’ll paste below the settings I currently use on 5 L2TP IPSec VPN servers and that I know work for sure; you may want to empty those files before pasting the configurations I suggest, just to keep things simpler.

First, edit /etc/ipsec.conf and change/add the following settings:


Obviously, replace the value for the left setting with the actual public IP of the box on which you are installing the L2TP IPSec VPN server.

Next, edit /etc/ipsec.secrets and add the following:


Again, you will have to specify here the public IP of the server and also a shared secret that will be used on clients together with the credentials for each specific client account.

Now create the file /etc/vpn-setup and paste the following in it:


Making sure you make this file executable with:


This is required to redirect all the Internet traffic through the L2TP IPSec VPN gateway; to ensure the commands in the file are executed at startup, edit /etc/rc.local and add /etc/vpn-setup before the exit 0 line. Run /etc/vpn-setup once, manually for now, to apply these settings for the current session, then restart IPSec:


Next, let’s configure some firewall rules to allow the redirection of the web traffic. If you are using iptables, run the following commands to apply the required rules immediately:


Then backup the current configuration to file with:


To ensure these rules are also applied at start up, update /etc/network/interfaces so it looks something like the following:


The important line that you need to add is the one starting with post-up.
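The three steps above (the /etc/vpn-setup hook in rc.local, the kernel forwarding settings it applies, and the post-up line in /etc/network/interfaces) are easy to get subtly wrong: a line added after exit 0 in rc.local never runs, and a missing post-up means the NAT rules vanish at the next reboot. The following is an added check script, not part of the original post. It assumes that /etc/vpn-setup does what such scripts usually do for Openswan (enable IPv4 forwarding and disable ICMP redirects) and that the post-up line calls iptables-restore; both assumptions are mine. The sample rc.local, interfaces file and /proc tree it runs against are constructed inline so it works offline.

```python
"""Offline checks for the forwarding/NAT steps of an L2TP/IPsec gateway.

Added example (not the page's own scripts). Assumptions: /etc/vpn-setup enables
net.ipv4.ip_forward and disables accept/send_redirects, and the post-up line in
/etc/network/interfaces runs iptables-restore.
"""
import os
import re
import tempfile

VPN_SETUP = "/etc/vpn-setup"  # the helper script path used on the page

# Constructed sample: the hook was appended AFTER exit 0, so it never runs.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
exit 0
/etc/vpn-setup
"""

# Constructed sample of /etc/network/interfaces with the post-up line in place.
SAMPLE_INTERFACES = """auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1
    post-up iptables-restore < /etc/iptables.rules
"""


def insert_before_exit(rc_local: str, command: str = VPN_SETUP) -> str:
    """Return rc.local text with `command` placed just before the final 'exit 0'.

    Idempotent: an existing copy (even one wrongly placed after 'exit 0') is
    removed and re-inserted in the right place; applying it twice changes nothing.
    """
    lines = [l for l in rc_local.splitlines() if l.strip() != command]
    for i in range(len(lines) - 1, -1, -1):
        if lines[i].strip() == "exit 0":
            lines.insert(i, command)
            break
    else:  # no exit 0 at all: append the hook and a terminating exit 0
        lines += [command, "exit 0"]
    return "\n".join(lines) + "\n"


def forwarding_status(proc_root: str = "/proc") -> dict:
    """Read the kernel flags /etc/vpn-setup is expected to leave behind.

    `proc_root` defaults to the real /proc; tests point it at a constructed tree.
    """
    def flag(path):
        with open(path) as f:
            return f.read().strip() == "1"

    ip_forward = flag(os.path.join(proc_root, "sys/net/ipv4/ip_forward"))
    conf = os.path.join(proc_root, "sys/net/ipv4/conf")
    redirects_disabled = all(
        not flag(os.path.join(conf, iface, name))
        for iface in os.listdir(conf)
        for name in ("accept_redirects", "send_redirects"))
    return {"ip_forward": ip_forward, "redirects_disabled": redirects_disabled}


def has_post_up_restore(interfaces: str, iface: str = "eth0") -> bool:
    """True if the `iface` stanza carries a post-up line that runs iptables-restore."""
    stanza = re.search(r"^iface\s+%s\b.*?(?=^(?:iface|auto|allow-)|\Z)" % re.escape(iface),
                       interfaces, re.M | re.S)
    if not stanza:
        return False
    return re.search(r"^\s*post-up\s+.*iptables-restore\b", stanza.group(0), re.M) is not None


def write_fake_proc(root: str, ip_forward: bool, redirects: bool,
                    ifaces=("all", "default", "eth0")) -> None:
    """Build a constructed /proc-like tree under `root` for offline testing."""
    conf = os.path.join(root, "sys/net/ipv4/conf")
    os.makedirs(conf, exist_ok=True)
    with open(os.path.join(root, "sys/net/ipv4/ip_forward"), "w") as f:
        f.write("1\n" if ip_forward else "0\n")
    for iface in ifaces:
        os.makedirs(os.path.join(conf, iface), exist_ok=True)
        for name in ("accept_redirects", "send_redirects"):
            with open(os.path.join(conf, iface, name), "w") as f:
                f.write("1\n" if redirects else "0\n")


def demo_forwarding_check():
    """Compare a fresh kernel (no forwarding, redirects on) with the state
    /etc/vpn-setup should leave; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = os.path.join(tmp, "before"), os.path.join(tmp, "after")
        write_fake_proc(before, ip_forward=False, redirects=True)
        write_fake_proc(after, ip_forward=True, redirects=False)
        return forwarding_status(before), forwarding_status(after)


if __name__ == "__main__":
    print(insert_before_exit(SAMPLE_RC_LOCAL))
    print("post-up present:", has_post_up_restore(SAMPLE_INTERFACES))
    print("forwarding before/after:", demo_forwarding_check())
```

On a real server, forwarding_status() with its default proc_root reads the live kernel flags, so it can be run right after /etc/vpn-setup to confirm the script actually took effect before you move on to the firewall rules.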

At this point you should be able to establish an IPSec connection from a client (although we still need to sort out the authentication side), so it’s a good time to test this before going ahead:


If all went well (and there are no problems with the version of the kernel you are using) you should see something like the following:


I can’t remember how to set up an L2TP IPSec VPN client on Windows or Linux desktop, but here’s how to do it on Mac: go to System Preferences -> Network, and create a new connection by clicking on the + button. When you’re asked for the type of the connection you want to create, choose VPN and leave the default type selected, in order to configure an L2TP IPSec VPN connection. Then give your connection whatever name you prefer:


Then enter either the server’s IP or a hostname pointing to it, and in Account name enter whatever username you want to use to establish the connection. Don’t worry if you haven’t configured this yet; the authentication will fail at first, but we need to verify that the IPSec connection can be established correctly before proceeding with the rest of the configuration:


Next, in Authentication Settings you need to enter the password you are going to use with your account and the shared secret specified in /etc/ipsec.secrets:


In Advanced make sure the option Send all traffic over VPN connection is checked if you want to appear as from the location of your server:


Now, still on your Mac, open a terminal and run

then click on Connect in the L2TP IPSec VPN connection’s settings. If everything was fine so far you should see something like this:


Don’t worry about the message “IP connection failed”; that’s because we haven’t configured the authentication on the server yet. The important thing is that the connection itself is fine (i.e. “IPSec connection started”). Now, for the authentication, install xl2tpd with


then edit /etc/xl2tpd/xl2tpd.conf and either change the following settings or just remove everything in there and paste what follows:


Next, edit /etc/ppp/options.xl2tpd and paste the following:


The last bit of configuration is the file /etc/ppp/chap-secrets which contains the credentials for each VPN account:


Finally, restart the various services involved:


You should now be able to successfully establish a connection from your Mac client and your IP address, as seen from the Internet, will be that of your L2TP IPSec VPN server.

Configuring the VPN client on a mobile device should be very simple in most cases; with the iPhone for example, go to Settings -> VPN:


Then add a new VPN configuration:


Then enter the same information you have used on your Mac or any other client.


Ensure that Send All Traffic is turned on, to have a more private connection when you are on the move. Finally, go back to the first screen and turn the VPN on. As I said at the beginning, these instructions have worked for me with several L2TP IPSec VPN servers, but please let me know if they don’t work for you.

About the author

Vito Botta

I am a passionate web developer based in Espoo, Finland. Besides computing, I love boxing and good food!
