IPSEC/L2TP VPN on Arch Linux on a Raspberry Pi with OpenSwan

ArchonPi

The Raspberry Pi is a great little small computer, both for tinkering and as a low-power, 24/7 running home server system. I've got multiple Pis, one running as my home VPN gateway. It is running an IPSEC/L2TP VPN server. This is a guide on setting up an IPSEC/L2TP VPN server with Arch Linux on the Raspberry Pi using Openswan as the IPsec server, xl2tpd as the L2TP provider and ppp or local users / PAM for authentication. It has a detailed explanation with every step. We choose the IPSEC/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs.

This tutorial is available for the following platforms:

This tutorial was tested on a Raspberry Pi running Arch Linux ARM, installed via NOOBS. It ran the current, up-to-date Arch Linux ARM; here are the versions used:

  • uname -a: Linux pi2.raymii.nl 3.10.25-1-ARCH #1 PREEMPT Mon Dec 23 16:07:25 MST 2013 armv6l GNU/Linux
  • ipsec --version: Linux Openswan U2.6.39/K3.10.25-1-ARCH (netkey)
  • xl2tpd -v: xl2tpd version: xl2tpd-1.3.1
  • pppd --version: pppd version 2.4.5

IPSec encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. L2TP provides a tunnel to send data. It does not provide encryption and authentication, though; that is why we combine the two.

To work through this tutorial you should have:

  • 1 Raspberry Pi running Arch Linux ARM
  • 1 (or more) clients running an OS that supports IPsec/L2TP VPNs (Ubuntu, Mac OS, Windows, Android).
  • Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall.

I do all the steps as the root user. You should too, but only via sudo -i or su -. Do not allow root to log in via SSH!

Read on for the full tutorial: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_a_Raspberry_Pi_with_Arch_Linux.html

Thanked by 2: vRozenSch00n, k0nsl

Comments

  • @Raymii I always love a good read. Thanks for this great tutorial.

  • howardsl2 Member
    edited January 2014

    @Raymii Nice tutorial! Thanks for sharing. I was planning to document my VPN setup experience in my tech blog but never got around to it.

    I have a suggestion for you: Adding the line forceencaps=yes will enable your VPN to work on ISPs that do not support or block the GRE protocol. Basically it encapsulates everything in UDP. I use Libreswan and my setup is similar to those at this link at GitHub.

    In addition, if you have a dynamic IP at home, I wrote up an IP update script that you may find useful. It is also in my (ad free) tech blog at blog.ls20.com. There are other articles there that you might be interested in.
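An added example, not part of the thread or of any poster's setup: a small Python check that reads an Openswan/Libreswan-style ipsec.conf and lists the conn sections that do not end up with the forceencaps=yes line suggested in the comment above, taking `conn %default` into account. The sample configuration and connection names are constructed, and `also=` includes are not followed.

```python
# Constructed sample in ipsec.conf layout; the connection names are made up.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn %default
    keyingtries=3

# forceencaps is set explicitly here
conn l2tp-psk
    type=transport
    forceencaps=yes

conn site-b
    type=transport
"""


def parse_sections(text):
    """Return {(kind, name): {key: value}} for ipsec.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # "conn NAME" / "config setup"
            parts = line.split()
            name = parts[1] if len(parts) > 1 else ""
            current = sections.setdefault((parts[0], name), {})
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections


def conns_without_forceencaps(text):
    """Names of conn sections whose effective forceencaps is not 'yes'."""
    sections = parse_sections(text)
    defaults = sections.get(("conn", "%default"), {})
    missing = []
    for (kind, name), params in sections.items():
        if kind != "conn" or name == "%default":
            continue
        effective = {**defaults, **params}        # section overrides %default
        if effective.get("forceencaps", "no").lower() != "yes":
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(conns_without_forceencaps(SAMPLE_CONF))
```
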

  • VPN Member

    Excellent tutorial. I almost wasn't going to bother but then I saw the link for your equivalent CentOS one instead.

    Thanks!

  • VPNsh Member, Host Rep

    Nice tutorial :), just need to get myself a Pi now :P

  • @hwdsl2 is freeswan a fork of openswan?

    @Okiedoke I try to have one for both Ubuntu and CentOS, only the latter releases less often...

    I'm also planning a tutorial for Raspbian...

  • howardsl2 Member
    edited January 2014

    @Raymii No, OpenSwan is a fork of the now defunct FreeSwan. And LibreSwan is a fork of OpenSwan by some of its former developers, following some license dispute.

    StrongSwan is another fork of FreeSwan...
