L2TP (Ubuntu) server setup for iOS clients

For road warriors who want to secure their traffic on untrusted or unprotected networks (“free” WiFi?) while travelling, this is the tool for the job: a VPN you run and trust yourself.

While I did dabble with OpenVPN some time back, L2TP over IPsec is far more widely supported out of the box, especially on the “venerable” iOS devices (iPhone, iPod Touch, iPad), and on Windoze machines, Android, etc., with no extra client software to install.

This post covers what you’ll need to set up an L2TP/IPsec server in Ubuntu for iOS devices to connect to. The server is assumed to be directly reachable from the internet. Some of this is taken from other places and collected here for my own reference. There’s also a great write-up on IPsec over at Steve Friedl’s Unixwiz.net Tech Tips site, for you geeks who actually want to understand a little of what you’re using (high five!).

The L2TP server setup comprises three parts (surprise!): the IPsec daemon (openswan), which authenticates the peer with the pre-shared key and encrypts everything; the L2TP daemon (xl2tpd), which terminates the tunnel; and the PPP daemon, which authenticates the user and hands the client its IP address and DNS servers (not DHCP: PPP’s own IPCP negotiation does this).

Main steps:

  1. install openswan (for IPsec), xl2tpd (L2TP) and ppp
  2. configure
  3. turn on IP forwarding in the (Linux) kernel and add an iptables masquerading rule so client traffic can leave through the server
  4. configure the device itself
  5. take a break, have a pina colada or something
  6. profit!


Step #1: install

sudo apt-get install openswan ppp xl2tpd

Say “No” to creating a certificate when installing openswan; you will be using a pre-shared secret (password) instead. If your Ubuntu release no longer ships openswan, libreswan is its fork and reads the same ipsec.conf format; strongSwan accepts a similar conn syntax but different option names, so these files will not drop straight in.

Step #2: configure
The config files:


/etc/ipsec.conf
(virtual_private lists the private ranges that NAT’d clients may sit behind. If the server’s own interface is on one of these ranges, as in the 192.168.1.x example used below, exclude that subnet with an extra entry such as %v4:!192.168.1.0/24, otherwise openswan will refuse clients whose hotel/home LAN happens to use the same range as your server.)

version 2.0

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf


/etc/ipsec.d/l2tp-psk.conf
(change left & leftnexthop values accordingly)
left is the address of the interface on which client connections arrive (the external interface; the example uses a private 192.168.1.x address, substitute your public one if the server has it directly)
leftnexthop is the default router for that interface

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	type=transport
	left=192.168.1.22
	leftnexthop=192.168.1.1
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	dpddelay=15
	dpdtimeout=30
	dpdaction=clear
	# Untested: OS X clients may need the line below in place of rightprotoport=17/%any
	#rightprotoport=17/0


/etc/xl2tpd/xl2tpd.conf
(change ip range & local ip)
Important: “local ip” value must be outside “ip range”

[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd
(change ms-dns value to point to the relevant DNS resolver for the server)

require-mschap-v2
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


/etc/ppp/chap-secrets
(change and create username & password values as needed)
In the example below, username=test and password=testpass. The second column must match the “name l2tpd” setting in /etc/ppp/options.xl2tpd, or pppd will find no secret for the user.
Important: The IP address (“192.168.1.233”) for each user must be in the “ip range” from the /etc/xl2tpd/xl2tpd.conf setting. Repeat for additional users using different IP addresses within the range. (pppd also accepts “*” in that column to allow any address, but pinning one per user gives each user a stable address you can recognise in logs and firewall rules.)

# Secrets for authentication using CHAP
# client	server	secret			IP addresses

test l2tpd testpass 192.168.1.233


/etc/ipsec.secrets
(change the IP address to your external IP, and the secret “TestSecret” to something long and random. One PSK is shared by every client, and anyone holding it can negotiate IPsec with your server, so treat it like a password: keep both this file and /etc/ppp/chap-secrets readable by root only, chmod 600.)

192.168.1.22 %any: PSK "TestSecret"
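Before restarting anything, it helps to cross-check the files above against each other, since the notes about “local ip”, “ip range”, the pppd name and the chap-secrets addresses are easy to get wrong. The script below is an added example and not part of the original post: it reads the four files (defaulting to the live paths under /etc), applies those checks plus a permission check on the two secrets files, and includes a make_sample_config helper that writes a constructed copy of the post’s sample values so the checker can be tried without root. The function and helper names are this example’s own.

```bash
#!/bin/bash
# Added example (not part of the original post): cross-check the xl2tpd, pppd,
# chap-secrets and ipsec.secrets settings against each other before restarting
# the daemons. make_sample_config writes a constructed copy of the post's
# example values so the checker can be exercised without touching /etc.
set -u

# dotted quad -> integer, so addresses can be compared as a range
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_l2tp_config [xl2tpd.conf] [options.xl2tpd] [chap-secrets] [ipsec.secrets]
# Defaults are the live paths used in the post. Prints one "FAIL: ..." line per
# problem and returns 1; returns 0 when the files agree with each other.
check_l2tp_config() {
    local xl2tpd=${1:-/etc/xl2tpd/xl2tpd.conf}
    local pppopts=${2:-/etc/ppp/options.xl2tpd}
    local chap=${3:-/etc/ppp/chap-secrets}
    local ipsecsec=${4:-/etc/ipsec.secrets}
    local rc=0 range local_ip lo hi li name client server secret addr ai f

    range=$(sed -n 's/^[[:space:]]*ip range[[:space:]]*=[[:space:]]*//p' "$xl2tpd" | head -n 1 | tr -d ' \t\r')
    local_ip=$(sed -n 's/^[[:space:]]*local ip[[:space:]]*=[[:space:]]*//p' "$xl2tpd" | head -n 1 | tr -d ' \t\r')
    if [ -z "$range" ] || [ -z "$local_ip" ]; then
        echo "FAIL: $xl2tpd lacks an 'ip range' or 'local ip' setting"
        return 1
    fi
    lo=$(ip2int "${range%-*}")
    hi=$(ip2int "${range#*-}")
    li=$(ip2int "$local_ip")

    # 1. "local ip" is the server end of every PPP link and must sit outside the pool
    if [ "$li" -ge "$lo" ] && [ "$li" -le "$hi" ]; then
        echo "FAIL: local ip $local_ip lies inside ip range $range"
        rc=1
    fi

    # 2. the server column of each chap-secrets entry must equal pppd's "name",
    #    or pppd finds no secret for the user
    # 3. a fixed per-user address must lie inside "ip range" ("*" allows any)
    name=$(awk '$1 == "name" { print $2; exit }' "$pppopts")
    while read -r client server secret addr; do
        case $client in '' | \#*) continue ;; esac
        if [ "$server" != "$name" ]; then
            echo "FAIL: $client: server column is '$server' but pppd name is '$name'"
            rc=1
        fi
        if [ -n "$addr" ] && [ "$addr" != "*" ]; then
            ai=$(ip2int "$addr")
            if [ "$ai" -lt "$lo" ] || [ "$ai" -gt "$hi" ]; then
                echo "FAIL: $client: address $addr is outside ip range $range"
                rc=1
            fi
        fi
    done < "$chap"

    # 4. both files hold plaintext secrets: group/other permission bits must be clear
    for f in "$chap" "$ipsecsec"; do
        if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $f is readable by group/other (chmod 600 $f)"
            rc=1
        fi
    done

    # 5. advisory only: the post's placeholder PSK should have been replaced
    if grep -q 'PSK "TestSecret"' "$ipsecsec"; then
        echo "WARN: $ipsecsec still carries the sample PSK from the post"
    fi
    return "$rc"
}

# make_sample_config DIR: write a constructed copy of the post's example
# settings under DIR, with the secrets files locked down as they should be
make_sample_config() {
    local d=$1
    mkdir -p "$d"
    printf '%s\n' '[global]' 'ipsec saref = yes' '[lns default]' \
        'ip range = 192.168.1.231-192.168.1.239' 'local ip = 192.168.1.230' \
        'require authentication = yes' 'pppoptfile = /etc/ppp/options.xl2tpd' > "$d/xl2tpd.conf"
    printf '%s\n' 'require-mschap-v2' 'ms-dns 192.168.1.1' 'auth' 'name l2tpd' 'proxyarp' > "$d/options.xl2tpd"
    printf '%s\n' '# client server secret IP addresses' 'test l2tpd testpass 192.168.1.233' > "$d/chap-secrets"
    printf '%s\n' '192.168.1.22 %any: PSK "TestSecret"' > "$d/ipsec.secrets"
    chmod 600 "$d/chap-secrets" "$d/ipsec.secrets"
}

# Demo run against the constructed sample. On the server itself a bare
# `check_l2tp_config` (run as root) checks the real files under /etc.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
if check_l2tp_config "$demo_dir/xl2tpd.conf" "$demo_dir/options.xl2tpd" \
                     "$demo_dir/chap-secrets" "$demo_dir/ipsec.secrets"; then
    echo "sample config is consistent"
fi
rm -rf "$demo_dir"
```

The checks are deliberately the ones the notes above call “Important”: a “local ip” inside the pool, a chap-secrets address outside it, or a server column that does not match the pppd name each produce a FAIL line and a non-zero exit, which makes the script usable as a guard in front of the restart commands.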


Restart the daemons after configuring, and run sudo ipsec verify to let openswan check the kernel and IPsec prerequisites. Remember to open UDP/500 (IKE), UDP/4500 (NAT-T) and UDP/1701 (L2TP) inbound on your firewall too; L2TP itself carries no encryption, so ideally accept 1701 only for packets that arrived through the IPsec tunnel.

sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart

Step #3: configure IP forwarding
Edit the file below and add these lines above the “exit 0” line at the end of the file. Note that the echo into /proc does not survive a reboot on its own (rc.local re-applies it at boot; setting net.ipv4.ip_forward=1 in /etc/sysctl.conf is the cleaner way), and that iptables -A appends a fresh copy of the rule every time the file is run, so run it once rather than repeatedly. The masquerade rule covers the whole 192.168.1.0/24 because the PPP pool is carved out of that LAN range; narrow it to the pool if you prefer.
/etc/rc.local

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

after editing the file, run it once first

sudo /etc/rc.local
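Step #3 as a single script, as an added example that is not part of the original post: it does what the two rc.local lines above do, and additionally accepts UDP/1701 only when the packet was decapsulated from an IPsec SA (iptables’ policy match), permits forwarding for the ppp interfaces, and masquerades only the VPN pool. The interface name eth0 and the pool 192.168.1.224/27 are assumptions derived from the post’s sample values; the APPLY switch and the run helper are this example’s own. It assumes a default-deny INPUT policy, or that the rules are placed ahead of any existing reject rule.

```bash
#!/bin/bash
# Added example, not part of the original post: forwarding and firewall/NAT
# rules for the L2TP/IPsec server as one script. Prints the commands by
# default; APPLY=1 runs them (as root, once at boot, e.g. from /etc/rc.local).
set -eu

WAN_IF=${WAN_IF:-eth0}                 # external interface (assumption from the post's example)
VPN_POOL=${VPN_POOL:-192.168.1.224/27} # assumption: covers local ip .230 and ip range .231-.239

# run CMD...: execute, or just print, depending on APPLY
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

enable_forwarding() {
    # same effect as the post's echo into /proc; net.ipv4.ip_forward=1 in
    # /etc/sysctl.conf makes it survive reboots without rc.local
    run sysctl -w net.ipv4.ip_forward=1
}

l2tp_firewall_rules() {
    # IKE (500) and NAT-T (4500) must be reachable from anywhere
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    # L2TP (1701) only when the packet was decapsulated from an IPsec SA
    # (also true for NAT-T, which is still ESP inside UDP); plaintext L2TP
    # from the internet is dropped, so the PSK really does gate access
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 1701 -j DROP
    # forward client traffic from the pppN interfaces out, and replies back in
    run iptables -A FORWARD -i 'ppp+' -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o 'ppp+' \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # masquerade only the VPN pool, not the whole LAN as in the post's rc.local
    run iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
}

enable_forwarding
l2tp_firewall_rules
```

Run it without arguments first to review the rule list, then with APPLY=1 as root once you are happy; the two 1701 rules are the difference from simply opening the port, and the DROP keeps xl2tpd unreachable from anyone who has not first completed IKE with your PSK.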

Step #4: configure your device
The iOS (iPhone, etc.) settings are below; desktop clients such as Windows take the same values. On an iOS device they live under Settings > General > Network > VPN > Add VPN Configuration… Remember to substitute whatever you set in your own configuration files above (you didn’t use the sample configuration files wholesale… did you?)

L2TP
Description: <as you wish>
Server: <server's external IP address>
Account: test
RSA SecurID: OFF
Password: testpass
Secret: TestSecret
Send All Traffic: ON
Proxy: Off

Step #5: take a break
You’ve survived! Now take a breather 🙂

Step #6: profit!
Turn on the VPN by activating the slider in Settings, and enjoy! 😉

HTH.


14 thoughts on “L2TP (Ubuntu) server setup for iOS clients”

    1. I assume you’re looking for a way to install an SSTP server in Linux? Unfortunately no, I don’t know of a way currently.

      Why would you wish to run that in Linux? 🙂

  1. I followed your guide and everything worked great! However, I tried connecting to my server using Windows 7 and get “Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”

    Any ideas?

  2. Great thanks! Tired from get
    This solution works on all my devices, but the win7 default VPN client failed to get a default gateway, so what can I do to make it work? (Adding a default route via my server every time is not a solution.)
    Thanks!

    1. What’s the error you get when you try to ping? Were you trying to ping the server’s internal VPN IP after the VPN connection had been established?

  3. Hello, friend! Really nice tutorial, I did all the steps, but it just doesn’t connect from iOS.

    First of all, my server is behind my ADSL router, 10.1.1.1, should I open a port on it? In this case, which one?

    My network IP is 10.1.1.x, so in /etc/ipsec.conf should I change something?

    Thank you!
