Set up a L2TP/IPsec VPN server on Ubuntu 11.04 to connect with Apple iOS and OS X clients

01 Jun 2012

Update 24 Jan 2014: I just set up another VPN server, this time using SoftEther. Not only is it much easier to use than Openswan and friends, it also has the ability to create a virtual hub, a simulated group of local IP addresses that can be assigned to VPN clients. This is essential if your server is hidden behind a router. (On the other hand, SoftEther seems to be less mature than Openswan, which might mean it has more vulnerabilities. I am not a security researcher.)

Just for fun, I decided to set up a VPN on an Ubuntu server I have in my house. A VPN will secure otherwise unencrypted Internet traffic when you’re on public Wi-Fi, and it can allow you to bypass internet filters.

I followed Riobard Zhan’s instructions, but there were some changes I made to be compatible with the latest Apple devices and Ubuntu. The changes below were tested with an Ubuntu 12.04 server and iOS 5.1.1 and OS X 10.7.4 clients.

In the file /etc/ipsec.conf, under conn L2TP-PSK-noNAT, you need to enable dead-peer detection (DPD) so that you can connect to the VPN more than once without restarting IPsec and friends:

dpddelay = 15
dpdtimeout = 30
dpdaction = clear

Also, whenever there is something like

echo 1 > /proc/sys/net/ipv4/ip_forward

use this instead:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

because you don’t have permission to write to that file if you’re not logged in as root. Which you should not be doing.

If you are getting this error:

ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use

this guy says it’s harmless.

Thanks for reading! If you’re enjoying my writing, I’d love to send you infrequent notifications for new posts via my newsletter. You’ll receive the full text of each post, plus occasional bonus content.

You can also follow me on Twitter (@kevinchen) or subscribe via RSS.