The following are instructions for setting up an L2TP/IPsec VPN server on a Raspberry Pi running Raspbian Jessie. This allows you to connect your iPhone or other device using L2TP VPN to your home network, to securely access resources on it. This setup uses a Raspberry Pi sitting behind your normal router.
These instructions are based on an older forum post on the Raspberry Pi forums.
All of the following commands will need to be run as root. Use sudo to become the root user.
$ sudo su -
Configuring a Static IP Address
Since your Raspberry Pi is running a server, it will be important to give it a consistent IP address so that we can forward the necessary ports to it. The IP address you choose depends on your local network setup. My network uses the 192.168.1.XXX range, so I have decided to use 192.168.1.16 for my Raspberry Pi. Here are the full settings for my setup:
IP Address: 192.168.1.16
DNS Server(s): 192.168.1.254
With the release of Raspbian Jessie, the method for configuring IP addresses has changed. Raspbian now uses dhcpcd as the default, so it is no longer recommended that you directly modify /etc/network/interfaces. Instead, we will modify dhcpcd’s configuration.
Edit /etc/dhcpcd.conf and add the following to the end. You will need to modify some of these values based on your setup.
interface eth0
static ip_address=192.168.1.16/24
static routers=192.168.1.254
static domain_name_servers=192.168.1.254
Once you reboot, your Raspberry Pi should now be using the address you have specified.
Installing xl2tpd and openswan
We need to install xl2tpd for our VPN tunnel and openswan for the IPsec layer. L2TP on its own provides no encryption; IPsec is what encrypts and authenticates the tunnel, so both pieces are required.
Warning: openswan is no longer maintained and has been replaced by strongswan. I have not yet tried this with strongswan.
$ apt-get update
$ apt-get install openswan xl2tpd ppp lsof
xl2tpd provides our VPN tunnel into our network.
Replace the contents of /etc/xl2tpd/xl2tpd.conf with the following. You may need to make changes based on your network settings and the static IP address we configured previously. The ip range is the pool of addresses handed to VPN clients; because the PPP options below use proxyarp, those clients appear directly on your LAN, so pick a range that does not overlap with your router's DHCP pool.
[global]
ipsec saref = yes
listen-addr = 192.168.1.16

[lns default]
ip range = 192.168.1.201-192.168.1.250
local ip = 192.168.1.16
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = linkVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Replace your /etc/ppp/options.xl2tpd with the following:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.254
asyncmap 0
auth
crtscts
lock
idle 1800
mtu 1200
mru 1200
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nodefaultroute
connect-delay 5000
IPSec is the encryption layer for your VPN tunnel. We are using the openswan implementation.
Replace your /etc/ipsec.conf with the following. Again, you will need to replace any values depending on your network setup.
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    virtual_private=%v4:192.168.0.0/16,%v4:10.10.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.25.0.0/16
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#       # Left security gateway, subnet behind it, nexthop toward right.
#       left=10.0.0.1
#       leftsubnet=172.16.0.0/24
#       leftnexthop=10.22.33.44
#       # Right security gateway, subnet behind it, nexthop toward left.
#       right=10.12.12.1
#       rightsubnet=192.168.0.0/24
#       rightnexthop=10.101.102.103
#       # To authorize this connection, but not actually start it,
#       # at startup, uncomment this.
#       #auto=add

conn L2TP-PSK-NAT
    # !mwd - disabling this fixed stuff
    #rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.16
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
        #force all to be nat'ed. because of ios
        forceencaps=yes

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=192.168.1.16
        leftnexthop=192.168.1.254
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route
Configuring your Secret Key
The secret key is a pre-shared key (PSK) that all of your users will use; it is what authenticates the IPsec layer, before any username or password is checked. Replace MYSECRET with a long, random string, since anyone who learns the PSK can set up the IPsec side of a connection to your Pi. The file holds the key in cleartext and must stay readable by root only. Edit /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc

192.168.1.16  %any:   PSK "MYSECRET"
Configuring your Users
You can create as many VPN users as you want. These users are separate from any Linux user accounts on your Raspberry Pi. The columns are client (username), server, secret (password) and the IP addresses the client may use; * is a wildcard. Passwords are stored in cleartext in this file, so keep it readable by root only. Edit /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret              IP addresses
username    *         password            *
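The two secrets files above are the whole authentication story for this VPN, so the details matter: a random PSK instead of MYSECRET, passwords that are not trivially guessable, and both files readable by root only. The helper below is an added example, not code from the original post: it generates a PSK, writes ipsec.secrets (overwriting it with just the PSK line; everything else in the stock file is comments), and appends CHAP users while refusing short passwords, duplicates and characters that would break the four-column format. The directory argument exists so you can try it somewhere other than /etc first; the function names and the 12-character password floor are this example's own choices.

```sh
#!/bin/sh
# Added example: provision ipsec.secrets and chap-secrets with a random PSK
# and root-only permissions. Function names and the 12-character minimum
# password length are assumptions of this example, not from the article.

# 32 random bytes, base64-encoded, padding stripped (43 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Mode must be exactly rw------- (0600); both files hold cleartext secrets.
check_secret_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# write_ipsec_secrets DIR SERVER_IP PSK  ->  DIR/ipsec.secrets
# Same "<server> %any: PSK" line as in the article, with a generated secret.
write_ipsec_secrets() {
    dir=$1; server_ip=$2; psk=$3
    f="$dir/ipsec.secrets"
    # umask 077 covers a newly created file; chmod covers an existing one.
    (umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$f")
    chmod 600 "$f"
}

# add_chap_user DIR USER PASSWORD  ->  appends to DIR/chap-secrets
# Rejects empty names, whitespace/quotes (they break the four-column
# format), passwords shorter than 12 characters and duplicate usernames.
add_chap_user() {
    dir=$1; user=$2; pass=$3
    f="$dir/chap-secrets"
    if [ -z "$user" ]; then
        echo "error: empty username" >&2
        return 1
    fi
    case "$user$pass" in
        *[[:space:]]*|*'"'*|*"'"*)
            echo "error: username/password must not contain whitespace or quotes" >&2
            return 1 ;;
    esac
    if [ "${#pass}" -lt 12 ]; then
        echo "error: password for $user is shorter than 12 characters" >&2
        return 1
    fi
    if [ -f "$f" ] && grep -q "^\"$user\"[[:space:]]" "$f"; then
        echo "error: user $user already exists in $f" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        (umask 077; printf '# client\tserver\tsecret\tIP addresses\n' > "$f")
    fi
    printf '"%s"\t*\t"%s"\t*\n' "$user" "$pass" >> "$f"
    chmod 600 "$f"
}

# Usage as root, against the real locations from the article:
#   psk=$(gen_psk); echo "Shared secret to type into the phone: $psk"
#   write_ipsec_secrets /etc 192.168.1.16 "$psk"
#   add_chap_user /etc/ppp alice 'a-long-random-passphrase'
```

Restart the ipsec service after changing ipsec.secrets; pppd reads chap-secrets on each connection, so new CHAP users take effect immediately.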
Modifying iptables and System Services
We need to make some changes to the routing table and system configuration. First we will set some values and add them to our /etc/sysctl.conf which will be loaded each time the system starts up:
$ echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
$ sysctl -p
The iptables rule and the per-interface /proc settings won't survive a reboot (the entries we added to /etc/sysctl.conf do). Add these commands to /etc/rc.local, above the final exit 0 line, to make sure they are executed on start up:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
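Two things about the rc.local rules are worth tightening. The MASQUERADE rule above rewrites every forwarded packet, not just those from VPN clients, and nothing stops a host on your LAN from speaking L2TP to xl2tpd on UDP 1701 without IPsec at all (xl2tpd has no way to tell the difference; only the firewall can). The rule set below is an added example, not part of the original post: it accepts UDP 1701 only for packets that arrived through an IPsec SA (the iptables policy match, -m policy --pol ipsec), drops any other 1701 traffic, and limits MASQUERADE to the xl2tpd ip range on the way out. The rules are emitted from a function so you can review them before applying; the interface name eth0, the 192.168.1.201-250 range, and the dry-run/apply split are this example's assumptions.

```sh
#!/bin/sh
# Added example: firewall rules for the rc.local step. Interface name,
# address range and the dry-run/apply behaviour are this example's choices.
WAN_IF=${WAN_IF:-eth0}                                  # the Pi's only interface
VPN_RANGE=${VPN_RANGE:-192.168.1.201-192.168.1.250}    # xl2tpd "ip range"

# Emit the rules, one per line, in the order they must be installed.
l2tp_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -t nat -A POSTROUTING -m iprange --src-range $VPN_RANGE -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check before applying: the IPsec-only ACCEPT for 1701 has to come
# before the unconditional DROP, otherwise no client can complete L2TP.
rules_ordered() {
    l2tp_rules | awk '
        /--dport 1701 .*--pol ipsec .*ACCEPT/ { acc = NR }
        /--dport 1701 -j DROP/                { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}

# Apply only when running as root with iptables available; otherwise print
# the rules for review and return 2 so a caller can tell nothing was done.
apply_l2tp_rules() {
    rules_ordered || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        l2tp_rules | sh -e
    else
        echo "dry run (not root or no iptables); rules that would be applied:" >&2
        l2tp_rules
        return 2
    fi
}

# In /etc/rc.local (above exit 0), assuming this file is saved as
# /usr/local/sbin/l2tp-rules.sh:
#   . /usr/local/sbin/l2tp-rules.sh && apply_l2tp_rules
```

The policy match is available with the netkey stack used here, and it still matches with forceencaps=yes because the kernel tags the decapsulated packets as having arrived over IPsec. Because only 500 and 4500 are forwarded by the router, the 1701 DROP mostly protects you from the LAN side, which is exactly where a compromised IoT device would sit.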
Finally, let's make sure the ipsec service will be started on boot (the xl2tpd package registers its own init script when it is installed):
$ update-rc.d -f ipsec remove
$ update-rc.d ipsec defaults
At this point, you should restart your Raspberry Pi to make sure all settings have taken effect and everything is configured correctly.
Configuring your Router Port Forwarding
This section depends on your router. Most consumer routers have a web admin interface at either 192.168.1.1 or 192.168.1.254. Once you are logged in, you'll need to find the port forwarding or NAT/Gaming section and forward the following ports to your Raspberry Pi's IP address, which in my case is 192.168.1.16. Please be aware that these ports are UDP, not TCP. Do not forward UDP 1701 (L2TP): the L2TP traffic travels inside the IPsec tunnel on port 4500, and forwarding 1701 would expose xl2tpd to the internet without any encryption.
Port 4500 UDP
Port 500 UDP
Connecting an iPhone
On your iPhone, go to Settings > General > VPN
Choose “Add VPN Configuration”. Select “L2TP” as the Type.
Description: Home VPN
Server: Your public IP address (this is NOT your 192.168.1.16 address. You can get this from your router or from http://whatismyip.com; if your ISP changes your public address, you will need to update this setting)
Account: The username you configured in /etc/ppp/chap-secrets
RSA SecurID: Disabled
Password: The password you configured in /etc/ppp/chap-secrets
Secret: The Shared secret you configured in /etc/ipsec.secrets
Send All Traffic: If enabled, then ALL your internet traffic will be routed through your home network and leaves via your home internet connection (this is what the MASQUERADE rule on the Pi is for). If you disable this, then normal internet traffic won't go through your home network; the VPN will only be used to access devices on your home network.