Since my most recent article was about creating an OpenBSD L2TP/IPsec VPN server, this follow-up was warranted. This post is simply how to configure an OpenBSD client to connect to an L2TP/IPsec VPN.
The first step is to install xl2tpd, as OpenBSD does not ship with an L2TP client natively. For xl2tpd to function properly, a couple of things must be done. First, ensure that the _xl2tpd user is a member of the "network" group, as the newly installed package needs this in order to start pppd. Add the user to the group with usermod -G network _xl2tpd. Next, a default pppd setting must be changed: in /etc/ppp/options.l2tp, replace "auth" with "noauth".
Now the newly installed service needs to be configured in its configuration file. I have something close to this appended to the bottom of my config.
/etc/xl2tpd/xl2tpd.conf
[global]
; verbose logging while bringing the tunnel up; can be dropped once it is stable
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
port = 1701
; the LAC section describes our side of the tunnel; "lns" is the VPN server
[lac l2tp]
lns = <remote vpn ip>
ppp debug = yes
/etc/ppp/chap.secrets
# Secrets for authentication using CHAP
# username server password ip addresses
# the username field must match the "user" option in /etc/ppp/options.l2tp
client * <password> *
/etc/ppp/options.l2tp
# accept whatever local/remote addresses the VPN server hands out
ipcp-accept-local
ipcp-accept-remote
noccp
# noauth: do not require the VPN server to authenticate itself to us
noauth
# leave room for the L2TP/UDP/ESP headers
mtu 1456
mru 1456
debug
lock
# CHAP username; must have a matching line in /etc/ppp/chap.secrets
user <username>
netmask 255.255.255.255
Now let's go ahead and enable and start the services needed to allow the L2TP connection:
# "ipsec" makes /etc/ipsec.conf load at boot; -K disables isakmpd keynote policy checks
rcctl enable ipsec isakmpd xl2tpd
rcctl set isakmpd flags -K
rcctl start isakmpd xl2tpd
/etc/ipsec.conf
# transport-mode ESP around the L2TP (UDP 1701) traffic to the VPN server
ike dynamic esp transport proto udp from egress to <vpn ip> port l2tp \
main group modp1024 \
quick group modp1024 \
psk "<my password>"
# the psk is the IPsec pre-shared key, not the CHAP user password
Now for the tricky part: you will need to add a static route to the VPN server with a slightly higher priority than your default route (on OpenBSD a lower priority number wins). This ensures that once the tunnel is established, traffic to the VPN server itself still leaves through the default interface rather than being pulled into the tunnel. After that, bring up the ppp0 interface, so that the L2TP tunnel can be bound to it. Finally, load ipsec.conf, so that the IPsec tunnel is established.
# host route to the VPN server via the local gateway, preferred over everything else
route add -priority 2 <vpn ip> <client gateway>
ifconfig ppp0 up
# load the IPsec flows and IKE configuration
ipsecctl -f /etc/ipsec.conf
# new default via the VPN side; priority 7 beats the existing static default (8)
route add -priority 7 default 10.0.0.1
This has been tested on OpenBSD 6.5.
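As an added example (not part of the original post), here is a small pre-flight script that checks the client-side files above for the mistakes this setup is most sensitive to: a leftover "auth" in options.l2tp, a chap.secrets username that does not match the pppd "user" option, a missing lns, and _xl2tpd not being in the network group. The function names and the sample files used in testing are my own; the script only reads files and changes nothing.

```shell
#!/bin/sh
# Pre-flight checks for the L2TP/IPsec client files described in the post.
# Added example; paths are parameters so the checks can run against copies.

# pppd must run with "noauth"; a bare "auth" line makes the connection fail.
ppp_options_ok() {
    grep -Eq '^[[:space:]]*noauth([[:space:]]|$)' "$1" &&
        ! grep -Eq '^[[:space:]]*auth([[:space:]]|$)' "$1"
}

# Print the "user" option from options.l2tp (empty if missing).
ppp_user() {
    awk '$1 == "user" { print $2; exit }' "$1"
}

# The first field of a chap.secrets entry must equal that user name,
# otherwise pppd has no secret to offer during CHAP.
chap_secret_ok() {
    u=$(ppp_user "$1")
    [ -n "$u" ] && awk -v u="$u" \
        '$1 !~ /^#/ && $1 == u { found = 1 } END { exit !found }' "$2"
}

# Print the lns address from the [lac ...] section of xl2tpd.conf.
xl2tpd_lns() {
    awk -F= '/^\[lac / { inlac = 1; next }
             /^\[/     { inlac = 0 }
             inlac && $1 ~ /^[[:space:]]*lns[[:space:]]*$/ {
                 gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# _xl2tpd must be listed in the "network" group so it may start pppd.
group_ok() {
    awk -F: '$1 == "network" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] == "_xl2tpd") ok = 1 }
             END { exit !ok }' "$1"
}

# Run every check against the live system paths and report each failure.
preflight() {
    rc=0
    ppp_options_ok /etc/ppp/options.l2tp || { echo "options.l2tp: need noauth, no auth"; rc=1; }
    chap_secret_ok /etc/ppp/options.l2tp /etc/ppp/chap.secrets || { echo "chap.secrets: no entry for pppd user"; rc=1; }
    [ -n "$(xl2tpd_lns /etc/xl2tpd/xl2tpd.conf)" ] || { echo "xl2tpd.conf: lns not set"; rc=1; }
    group_ok /etc/group || { echo "_xl2tpd is not in the network group"; rc=1; }
    return $rc
}
# usage: sh preflight.sh --check   (or source the file and call the functions)
if [ "${1-}" = "--check" ]; then preflight; fi
```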