Setup your Own L2TP/IPsec VPN Server with Raspberry Pi

Rita Zhang

Dec 28, 2016

I have been traveling quite a bit this year and I have always relied on connecting to my home VPN to access stuff from home, which was using my ASUS RT-AC68U router that supports PPTP VPN. I recently upgraded to iOS 10, which no longer supports PPTP VPN. Desperately needing a new VPN solution, I shopped around for a few paid options, but decided to set up my own L2TP/IPsec VPN with Raspberry Pi. In this tutorial, I will show you how you can do this yourself.

Why do you Need a Home VPN Server

VPN is a secure way for you to access your home network from anywhere in the world. It provides convenience and peace of mind when accessing your home server and your smart home devices.

Why use Raspberry Pi

Raspberry Pi is a tiny computer about the size of a credit card. It has low power consumption and is low cost compared to a regular computer.

Let’s Get Started

1. Get the following before you start:

2. Follow these steps to install an operating system on the Raspberry Pi. Make sure to format the SD card as FAT format. exFAT might not work.

3. Once the operating system setup is done, you can start to configure a VPN server. (Reference: https://www.raspberrypi.org/forums/viewtopic.php?t=31541)

4. Find your home router’s gateway address. Usually it is 192.168.1.1.

5. Find your Raspberry Pi’s IP address with one of two options:

  • If your Raspberry Pi is connected to a monitor, open the terminal and type ifconfig.
  • Or view all the connected devices on your router to find the Raspberry Pi.

For the following steps, we will assume the gateway address is 192.168.1.1 and the Raspberry Pi’s address is 192.168.1.231. Adjust these values to match your own network.

6. On your router, set up port forwarding: forward UDP port 500 and UDP port 4500 to your Raspberry Pi device.

[UPDATE] I have created a Docker image and some scripts to automate the following steps. Head over to this follow-up post to run your own L2TP/IPsec VPN Server with Raspberry Pi and Docker.

7. To type commands on the Raspberry Pi, you have one of two options:

  • ssh into the Raspberry Pi to configure the device
  • or if you have a monitor connected to the Raspberry Pi, you can open the terminal on the Raspberry Pi to type the commands

To use ssh, first enable it on the Raspberry Pi, since the latest Raspbian OS has ssh disabled by default. Here are the instructions to enable ssh: https://www.raspberrypi.org/documentation/remote-access/ssh/

$ ssh pi@192.168.1.231  # use your own Raspberry Pi IP address here

8. Let’s use your favorite Raspberry Pi editor to edit the following file. For example, I’m using vi, but you can use nano or something else.

$ sudo vi /etc/dhcpcd.conf

Add the following lines to the end of the file. Make sure you change the IP address and name server to your own.

The above lines set your Raspberry Pi to use a static IP address instead of DHCP. On your router, you might want to reserve a range just for static IP addresses so statically assigned addresses don’t conflict with DHCP leases. Now let’s restart the Raspberry Pi to apply the changes.

$ sudo reboot

8. Change root password and install packages.

$ sudo passwd # this sets the root password (needed for su below)
$ su # changing to the root user
$ apt-get update
$ apt-get install openswan xl2tpd ppp lsof

When prompted ‘Use an X.509 certificate for this host?’, answer ‘No’. If you want to add one later, run ‘dpkg-reconfigure openswan’ to come back to this prompt.

9. Type the following commands:

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

10. Use an editor to edit the following file:

$ vi /etc/rc.local

Add the following code to the file:

11. Use an editor to edit the following file:

$ vi /etc/ipsec.conf

Replace the content with the following. Make sure to replace 192.168.1.231 with your Raspberry Pi’s IP address and 192.168.1.1 with your gateway’s IP address.

12. Edit the following file to setup secrets.

$ vi /etc/ipsec.secrets

Add this line to the end of the file:

192.168.1.231 %any: PSK "XXXXXXX"

The IP address is your Raspberry Pi’s address. “XXXXXXX” is your own L2TP secret. The client will need this secret and their username and password to connect to the VPN server.

13. Edit the following file:

$ vi /etc/xl2tpd/xl2tpd.conf

Replace the content with the following and replace 192.168.1.231 with your Raspberry Pi’s IP address.

14. Edit the following file:

$ vi /etc/ppp/options.xl2tpd

Replace the content with the following and replace 192.168.1.1 with your gateway address.

15. Edit the following file:

$ vi /etc/ppp/chap-secrets

Update the following section with your own username and password. This is the username and password used by clients when they connect to the VPN server.

# Secrets for authentication using CHAP
# client server secret IP addresses
username * PASSWORD *
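Before restarting the services, it is worth checking the three files edited above (sysctl.conf from step 9, ipsec.secrets from step 12, chap-secrets from step 15) for the mistakes that most often break the first connection: a PSK line that is not keyed on the Pi’s address and %any, and the placeholders XXXXXXX / PASSWORD left in place. The following linter is an added example, not code from the original post; the 20-character PSK and 12-character password minimums are this example’s own policy, and the inputs are text you have already read from the files (or constructed copies, as in the comments).

```python
import re
# Placeholders the tutorial uses; they must not survive into a live config.
PLACEHOLDERS = {"XXXXXXX", "PASSWORD"}
# Minimum lengths are this example's own policy, not taken from the post.
MIN_PSK_LEN, MIN_PASSWORD_LEN = 20, 12
# ipsec.secrets PSK line: <left id> <right id>: PSK "<secret>"
PSK_RE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')

def parse_ipsec_secrets(text):
    """Return {(left_id, right_id): psk} for each PSK line in ipsec.secrets."""
    psks = {}
    for line in text.splitlines():
        m = PSK_RE.match(line.strip())
        if m:
            psks[(m.group(1), m.group(2))] = m.group(3)
    return psks

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf text (comments dropped, last assignment wins)."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def lint_vpn_config(pi_ip, sysctl_text, ipsec_secrets_text, chap_secrets_text):
    """Return a list of findings; an empty list means the three files look sane."""
    findings = []
    wanted = {"net.ipv4.ip_forward": "1",
              "net.ipv4.conf.all.accept_redirects": "0",
              "net.ipv4.conf.all.send_redirects": "0"}
    sysctl = parse_sysctl(sysctl_text)
    for key, value in wanted.items():
        if sysctl.get(key) != value:
            findings.append(f"sysctl: {key} should be {value}, found {sysctl.get(key)!r}")
    # The PSK is keyed on this Pi's address and %any (any peer), as in step 12.
    psk = parse_ipsec_secrets(ipsec_secrets_text).get((pi_ip, "%any"))
    if psk is None:
        findings.append(f"ipsec.secrets: no PSK line for '{pi_ip}' and '%any'")
    elif psk in PLACEHOLDERS or len(psk) < MIN_PSK_LEN:
        findings.append("ipsec.secrets: PSK is a placeholder or too short")
    for line in chap_secrets_text.splitlines():  # fields: client server secret ip
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            secret = fields[2].strip('"')
            if secret in PLACEHOLDERS or len(secret) < MIN_PASSWORD_LEN:
                findings.append(f"chap-secrets: password for {fields[0]} is a placeholder or too short")
    return findings
```

Run it on the Pi with the three files read via open(...).read() and your Pi’s address; any finding about the PSK line corresponds to the ‘no preshared key found’ error discussed under Troubleshooting.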

16. Configure VPN server to auto start when the Raspberry Pi boots. From the terminal:

$ update-rc.d -f ipsec remove
$ update-rc.d ipsec defaults

17. Restart the service now. From the terminal:

$ /etc/init.d/xl2tpd restart
$ /etc/init.d/ipsec restart

18. Now use your iPhone to connect to the VPN server.

Voila! Now you have your own VPN server at home no matter where you are in the world.

Troubleshooting

  • When you use your iPhone to connect to the VPN server, you might get the following error message:

The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

and in the /var/log/auth.log, you might see something like this.

These errors might be caused by openswan, which is broken in the latest release for the Raspberry Pi (see https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=73962). You will need to use an older version of openswan.

To install an older version of openswan, from terminal:

$ wget http://snapshot.raspbian.org/201403301125/raspbian/pool/main/o/openswan/openswan_2.6.37-3_armhf.deb
$ sudo dpkg -i openswan_2.6.37-3_armhf.deb

After installation is complete, restart the VPN server and try again with your iPhone. From the terminal:

$ /etc/init.d/xl2tpd restart
$ /etc/init.d/ipsec restart

If the VPN still doesn’t work, run the following to get more information:

$ sudo ipsec verify

Your output should look similar to the following:

  • If you are seeing the following errors in /var/log/auth.log:

Can’t authenticate: no preshared key found for ‘192.168.1.231’ and ‘%any’. Attribute OAKLEY_AUTHENTICATION_METHOD

This usually means the shared secret entered on the client does not match the one in /etc/ipsec.secrets.
