This is the second part of a two part article about setting up your own VPN services. In the first article I talked about how to set up an SSL-based VPN server. While SSL-based VPNs are very useful and require no inherit support from the OS, they’re only as good as the supported clients. If there isn’t a client for your device, you’re out of luck.

Think Linux, Mac, Windows, iOS, Android, Blackberry

This is where an IPSEC VPN is useful. There is built in native support on almost all operating systems including iPad, iPhone, Blackberry, Android, Linux, Mac, and Windows.

Why setup your own VPN?

Well quite frankly I’m a little biased since I love computer security and might be a little paranoid. But to be honest it’s amazing how much having your own VPN can come in handy. No more worries about open WI-FI networks (think coffee shop), filtering of content, or using work’s VPN for personal business. Don’t pay for a VPN service, it’s really not hard to set up your own for free.

Before you begin

As mentioned in the previous article. These instructions are based off an installation to Ubuntu Linux. However, it really is very easy to port these instructions to another distribution of Linux; I promise! If you want help, leave a comment.

One last thing before we dive in. This isn’t exactly “command line kung fu” (sed & awk) but if you’re uncomfortable using the command line, quit now. After all, I assume that if you know what an IPSEC VPN is and you’re reading this to set up your own IPSEC server, you know how to use the command line. You didn’t expect it to be point-and-click did you?

FYI, I have personally tested the following setup and configuration as working flawlessly on: iPad, iPod Touch, Ubuntu Linux, Mac OS X, Windows XP, and Windows 7.

Installing the software

You can start by installing the packaged version of OpenSwan using your package installer (apt-get, yum, rpm, dpkg, etc) but I’d highly recommend, instead, you download the latest release and compile it yourself. The latest version will have the most up-to-date security fixes that may not have made it to the packages yet.

Building from source can be a nightmare if you run into dependency hell so it’s easiest to have the package manager install all of the build dependencies.

nobody@nobody:~/$ sudo apt-get install build-dep openswan

Next, visit the download page for OpenSwan and note the latest release number. At this time, the latest release is 2.6.37. Make sure you replace below with the latest version.

nobody@nobody:~/$ export OS_REL=2.6.37
nobody@nobody:~/$ wget 
> {OS_REL}.tar.gz

Since OpenSwan now uses the Linux kernel’s native IPSEC stack (added in 2.6 and back ported to 2.4), installation is much simpler than it used to be. Just extract, build, and install.

nobody@nobody:~/$ tar xvvzf openswan-${OS_REL}.tar.gz
nobody@nobody:~/$ cd openswan-${OS_REL}
nobody@nobody:~/$ make programs
nobody@nobody:~/$ sudo make install

IPSEC is a point-to-point communication between the VPN client and the VPN server so we need to install the Point-to-Point Protocol (PPP).

nobody@nobody:~/$ sudo apt-get install ppp dnsmasq

Since we’ll be sending PPP frames over the Internet, we need a way to tunnel them over Internet Protocol (IP). The Layer 2 Tunneling Protocol (L2TP) does just this: tunnels PPP frames (and other types of frames) over IP. Essentially, L2TP creates a UDP packet with an L2TP header that wraps the PPP frame. It’s also worth nothing that L2TP is used just as a means of transferring. IPSEC will provide the confidentiality, authentication, and integrity to the packet. Let’s install it.

nobody@nobody:~/$ sudo apt-get install xl2tpd

We’re now finished with the install part. Next up, we need to configure all of the settings. Be prepared, it’s a lot of configuration!

We’ll set up our VPN to use a Pre-Shared Key (PSK) since it’s the easiest to configure on devices and is still sufficiently secure as long as good practices are used to generate the key (long and random).

Configuring IPSEC

First up, we need to configure the actual IPSEC settings of OpenSwan. You do that by editing


. You’ll see terms like ‘right’ and ‘left’. This is referring to which end of the VPN connection. In our case, ‘left’ is the VPN server and ‘right’ is the client connecting.

version 2.0

# basic configuration
config setup
	# Enable this if you're behind a router
	# exclude networks used on server side so they don't conflict with your NAT
	# which IPsec stack to use. netkey is Linux Kernel Impl


conn L2TP-PSK-noNAT
	# we cannot rekey for %any, let client rekey
	# Set ikelifetime and keylife to same defaults windows has
	# l2tp-over-ipsec is transport mode
	# For updated Windows 2000/XP clients,
	# to support old clients as well, use leftprotoport=17/%any
	# The remote user.

and creating a pre-shared key in

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
Configuring L2TP

Next up for configuration is L2TP. You can do that by adding the following to the bottom of

ipsec saref = yes

[lns default]
# The range of ips to assign the client when connecting
ip range =
local ip =
# We're going to us Chap-v2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configuring PPP

You’ll notice we referenced an options.xl2tpd file in the previous configuration file. Let’s set that up by editing



asyncmap 0
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4

Now we need to setup the username and password to authenticate with in /etc/ppp/chap-secrets. This is different than the pre-shared key that you setup previously. Do not make the passwords the same. Note that the ‘server’ parameter needs to match the ‘name’ parameter in the previous configuration file.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username 	l2tpd   strong_pass	        *
Configuring the firewall and system start-up

We’re still not done with configuration, hang in there, this is the last one!

We need to configure iptables to properly forward our packets as well as enable ip forwarding in the Linux kernel, among other Linux kernel settings that are related to the IP stack. If you don’t configure these, OpenSwan will complain and may not work properly. Edit


and add the following

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
/etc/init.d/ipsec restart

exit 0
Last steps

At this point, you’ll need to either restart your server or execute /etc/rc.local if you’d prefer not to restart.

Congratulations, you now have a working IPSEC VPN. If you’re familiar with how to setup a client on your operating system, you should be able to fire one up and connect right away. If not, follow one of the many guides that are available online to figure out your specific configuration. Feel free to comment if you need help.