Connecting to an L2TP-IPSec VPN on OpenBSD

3 min · Dan F.

Since my most recent article was about creating an OpenBSD L2TP-IPSec VPN, this article was warranted. This post simply covers how to configure an OpenBSD client to connect to an L2TP-IPSec VPN.

The first step is to install xl2tpd, as OpenBSD does not ship with an L2TP client natively. In order for xl2tpd to function properly, a couple of things must be done. First, ensure that the _xl2tpd user is a member of the "network" group, as this is required for the newly installed package to start pppd. Add the user to the group with usermod -G network _xl2tpd. Next, a default setting in pppd must be updated: make sure that "auth" in /etc/ppp/options.l2tp is replaced with "noauth".

We will need to configure the newly installed service in its configuration file. I have something close to this appended to the bottom of my config.

/etc/xl2tpd/xl2tpd.conf

[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
port = 1701

[lac l2tp]
lns = <remote vpn ip>
ppp debug = yes

You will also need to update the /etc/ppp/chap.secrets file to include the passphrase for the user you created on the VPN, and update /etc/ppp/options.l2tp to include the connecting username. For example:

/etc/ppp/chap.secrets

# Secrets for authentication using CHAP
# username  server  password    ip addresses
client * <password> *

/etc/ppp/options.l2tp

ipcp-accept-local
ipcp-accept-remote
noccp
noauth
mtu 1456
mru 1456
debug
lock
user <username>
netmask 255.255.255.255

Now let's go ahead and start and enable the services necessary to allow the L2TP connection:

rcctl enable ipsec isakmpd xl2tpd
rcctl set isakmpd flags -K
rcctl start isakmpd xl2tpd

Configure ipsec.conf to match the ike, main, quick, and psk settings on the server, with the only change being the direction of the connection. Example below:

/etc/ipsec.conf

ike dynamic esp transport proto udp from egress to <vpn ip> port l2tp \
    main auth group modp1024 \
    quick auth group modp1024 \
    psk "<my password>"

Now for the tricky part: you will need to add a static route to the VPN server with a higher priority (a lower priority number) than your default route. This ensures that, once the tunnel is established and the default route moves onto it, traffic to the VPN server itself still leaves through your normal interface. After that, bring up the ppp0 interface so that the L2TP tunnel can be bound to it. Finally, load ipsec.conf so that the IPsec tunnel is established.

route add -priority 2 <vpn ip> <client gateway>
ifconfig ppp0 up

Now for the moment of truth, let's load up the ipsec.conf config file:

ipsecctl -f /etc/ipsec.conf

Give it a few seconds, then run the command below to ensure that you see flows to your VPN:

ipsecctl -sa

Now, to initiate the connection to the VPN server, echo the following into xl2tpd's control file as root:

echo c l2tp > /var/run/xl2tpd/l2tp-control

If the connection was successful, your ppp0 interface will show a connection with ifconfig ppp0.

We also need to adjust the routing table so that routing is correct once connected. This command sets the remote end of the ppp0 link (10.0.0.1 in this example) as the default gateway. Note that the priority number here is higher than the one used in the first route command.

route add -priority 7 default 10.0.0.1

Verify that traffic is indeed leaving via the VPN interface with mtr 8.8.8.8 or a traceroute command.
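As an added example (not from the original post), here is the bring-up sequence above wrapped in a small sh script that also automates the "look for flows in ipsecctl -sa" check before signalling xl2tpd; VPN_IP, CLIENT_GW and PPP_PEER are assumed placeholders, and RUN=echo prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not the post's own script. VPN_IP, CLIENT_GW and PPP_PEER
# are assumed placeholders; set RUN=echo to dry-run the privileged commands.
set -eu
VPN_IP="${VPN_IP:-192.0.2.1}"         # <vpn ip>         (constructed)
CLIENT_GW="${CLIENT_GW:-192.168.1.1}" # <client gateway> (constructed)
PPP_PEER="${PPP_PEER:-10.0.0.1}"      # far end of ppp0, as in the post
RUN="${RUN:-}"

# Reads `ipsecctl -sa` output on stdin. Succeeds only when an inbound flow
# from the VPN and an outbound flow to it are both present; a single
# direction means the tunnel is not usable yet.
flows_established() {
    awk -v vpn="$1" '
        $1 == "flow" && $3 == "in"  && index($0, "from " vpn " ") { in_ok = 1 }
        $1 == "flow" && $3 == "out" && index($0, "to " vpn " ")   { out_ok = 1 }
        END { exit !(in_ok && out_ok) }'
}

# Polls for up to $2 seconds instead of the post's "give it a few seconds".
wait_for_flows() {
    tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        ipsecctl -sa | flows_established "$1" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

vpn_up() {
    # Host route to the server via the LAN gateway: IKE and ESP keep leaving
    # the physical interface after the default route moves onto ppp0.
    $RUN route add -priority 2 "$VPN_IP" "$CLIENT_GW"
    $RUN ifconfig ppp0 up
    $RUN ipsecctl -f /etc/ipsec.conf
    [ -n "$RUN" ] || wait_for_flows "$VPN_IP" 10 || {
        echo "no IPsec flows to $VPN_IP; not starting L2TP" >&2; return 1; }
    # Tell xl2tpd to connect the [lac l2tp] section now that UDP/1701 is protected.
    $RUN sh -c "echo c l2tp > /var/run/xl2tpd/l2tp-control"
    $RUN route add -priority 7 default "$PPP_PEER"
}

# Constructed sample of `ipsecctl -sa` output for a self-test; the real
# output also lists SAs under "SAD:", which the check ignores.
SAMPLE_SA='FLOWS:
flow esp in proto udp from 192.0.2.1 port l2tp to 192.168.1.5 port l2tp peer 192.0.2.1 type use
flow esp out proto udp from 192.168.1.5 port l2tp to 192.0.2.1 port l2tp peer 192.0.2.1 type require'
```

Run `printf '%s\n' "$SAMPLE_SA" | flows_established 192.0.2.1` to exercise the check offline, and `RUN=echo vpn_up` to review the exact commands before running them as root.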


Has been tested on OpenBSD 6.5