Set up a L2TP/IPsec VPN server on Ubuntu 11.04 to connect with Apple iOS and OS X clients

01 Jun 2012

Update 24 Jan 2014: I just set up another VPN server, this time using SoftEther. Not only is it much easier to use than Openswan and friends, it also has the ability to create a virtual hub, a simulated group of local IP addresses that can be assigned to VPN clients. This is essential if your server is hidden behind a router. (On the other hand, SoftEther seems to be less mature than Openswan, which might mean it has more vulnerabilities. I am not a security researcher.)

Just for fun, I decided to set up a VPN on an Ubuntu server I have in my house. A VPN will secure otherwise unencrypted Internet traffic when you’re on public Wi-Fi, and it can allow you to bypass internet filters.

I followed Riobard Zhan’s instructions, but made some changes to be compatible with the latest Apple devices and Ubuntu. The changes below were tested with an Ubuntu 12.04 server and iOS 5.1.1 and OS X 10.7.4 clients.

In the file /etc/ipsec.conf, under conn L2TP-PSK-noNAT, you need to enable dead-peer detection (DPD) so that you can connect to the VPN more than once without restarting IPsec and friends:

dpddelay = 15
dpdtimeout = 30
dpdaction = clear

Also, whenever there is something like

echo 1 > /proc/sys/net/ipv4/ip_forward

use this instead:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

because the redirection in the first form is done by your own unprivileged shell, so you don’t have permission to write to that file unless you’re logged in as root, which you should not be doing anyway.
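To verify both of the changes above after editing (DPD parameters present in the conn section, and forwarding actually turned on), here is a small check script. It is an added example, not part of the original post or of Openswan; the parser only understands the simple “name=value” layout used in ipsec.conf, and the file paths are just the defaults the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the two edits
# described above. Assumes the simple "conn NAME" / indented "name = value"
# layout of /etc/ipsec.conf; paths are defaults and can be overridden.

# Print the value of parameter NAME inside section "conn CONN" of FILE.
# Usage: conn_param FILE CONN NAME   (prints nothing if the parameter is absent)
conn_param() {
  awk -v conn="$2" -v name="$3" '
    /^conn[ \t]+/ { insec = ($2 == conn); next }   # enter/leave the wanted conn
    /^[^ \t]/     { insec = 0 }                    # any other top-level line ends it
    insec && $0 ~ "^[ \t]+" name "[ \t]*=" {
      sub("^[ \t]+" name "[ \t]*=[ \t]*", ""); print; exit
    }' "$1"
}

# Return 0 when conn CONN in FILE has all three DPD parameters set, otherwise
# report each missing one on stderr and return 1.
# Usage: check_dpd [FILE] [CONN]
check_dpd() {
  file=${1:-/etc/ipsec.conf}
  conn=${2:-L2TP-PSK-noNAT}
  ok=0
  for p in dpddelay dpdtimeout dpdaction; do
    v=$(conn_param "$file" "$conn" "$p")
    if [ -z "$v" ]; then
      echo "$conn: $p is not set" >&2
      ok=1
    fi
  done
  return $ok
}

# Return 0 when IPv4 forwarding is enabled, reading the same file the post
# writes with "echo 1 | sudo tee ...". Usage: check_ip_forward [FILE]
check_ip_forward() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ "$(cat "$f" 2>/dev/null)" = "1" ]
}
```

Run check_dpd and check_ip_forward with no arguments on the server; a non-zero exit from either means the corresponding step above has not taken effect yet.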

If you are getting this error:

ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use

this guy says it’s harmless.