Since my most recent article was about creating an OpenBSD L2TP-IPSec VPN, this article was warranted. This post is simply how to configure an OpenBSD client to connect to a L2TP-IPSec VPN.
The first step is to install xl2tpd, as OpenBSD does not come with an l2tp client installed naively. In order for xl2tpd to function properly, there are a couple of things that must be done. First, ensure that the _xl2tpd user is apart of the “network” group, as this is required for the newly installed package to start pppd. Add the user to the group with
usermod -G network _xl2tpd. Next, a default setting in pppd must be updated; make sure that “auth” in /etc/ppp/options.l2tp instead is “noauth”.
We will need to configure the newly installed service in its configuration file. I have something close to this appended to the bottom of my config.
[global] debug avp = yes debug network = yes debug state = yes debug tunnel = yes port = 1701 [lac l2tp] lns = <remote vpn ip> ppp debug = yes
You will also need to update the /etc/ppp/chap.secrets file to include the passphrase for your user created on the VPN. You will also need to update /etc/ppp/options.l2tp to include the connecting username. For example:
# Secrets for authentication using CHAP # username server password ip addresses client * <password> *
ipcp-accept-local ipcp-accept-remote noccp noauth mtu 1456 mru 1456 debug lock user <username> netmask 255.255.255.255
Now let’s go ahead and start and enable the necessary services to all the L2TP connection:
rcctl enable ipsec isakmpd xl2tpd rcctl set isakmpd flags -K rcctl start isakmpd xlt2pd
Configure ipsec.conf to match the ike, main, quick, and psk settings on the server, with the slight change of connection direction. Example below:
ike dynamic esp transport proto udp from egress to <vpn ip> port l2tp \ main auth group modp1024 \ quick auth group modp1024 \ psk "<my password>"
Now for the tricky part, you will need to enable a static route to the VPN, with a slightly higher priority than your default route. This will ensure that once the tunnel is established, you will still be able to send traffic out the default interface to the VPN server. After that, bring up the ppp0 interface, so that the L2TP tunnel can be bound to it. Finally, load the ipsec.conf, so that the ipsec tunnel will be established.
route add -priority 2 <vpn ip> <client gateway> ifconfig ppp0 up
Now for the moment of truth, let’s load up the ipsec.conf config file:
ipsecctl -f /etc/ipsec.conf
Give it a few seconds, then run the command below to ensure that you see flows to your VPN:
Now, to initiate the connection to the VPN server, echo the following into xl2tpd’s control file as root:
echo c l2tp > /var/run/xl2tpd/l2tp-control
If the connection was successful, your ppp0 interface will show a connection with
We also need to set the routing table a bit so that routing is correct post-connection. This command simply sets the ppp0 network as the default gateway. Note that the priority here is higher than the first route command we used.
route add -priority 7 default 10.0.0.1
Verify that the traffic is indeed being passed out the VPN interface with
mtr 220.127.116.11, or some traceroute command.
Has been tested on OpenBSD 6.5