Since my most recent article was about creating an OpenBSD L2TP-IPSec VPN, this article was warranted. This post is simply how to configure an OpenBSD client to connect to a L2TP-IPSec VPN.
The first step is to install xl2tpd, as OpenBSD does not come with an l2tp client installed naively. In order for xl2tpd to function properly, there are a couple of things that must be done. First, ensure that the _xl2tpd user is apart of the “network” group, as this is required for the newly installed package to start pppd. Add the user to the group with
usermod -G network _xl2tpd. Next, a default setting in pppd must be updated; make sure that “auth” in /etc/ppp/options.l2tp instead is “noauth”.
We will need to configure the newly installed service in its configuration file. I have something close to this appended to the bottom of my config.
[global] debug avp = yes debug network = yes debug state = yes debug tunnel = yes port = 1701 [lac l2tp] lns = <remote vpn ip> ppp debug = yes
# Secrets for authentication using CHAP # username server password ip addresses client * <password> *
ipcp-accept-local ipcp-accept-remote noccp noauth mtu 1456 mru 1456 debug lock user <username> netmask 255.255.255.255
Now let’s go ahead and start and enable the necessary services to all the L2TP connection:
rcctl enable ipsec isakmpd xl2tpd rcctl set isakmpd flags -K rcctl start isakmpd xlt2pd
ike dynamic esp transport proto udp from egress to <vpn ip> port l2tp \ main auth group modp1024 \ quick auth group modp1024 \ psk "<my password>"
Now for the tricky part, you will need to enable a static route to the VPN, with a slightly higher priority than your default route. This will ensure that once the tunnel is established, you will still be able to send traffic out the default interface to the VPN server. After that, bring up the ppp0 interface, so that the L2TP tunnel can be bound to it. Finally, load the ipsec.conf, so that the ipsec tunnel will be established.
route add -priority 2 <vpn ip> <client gateway> ifconfig ppp0 up
route add -priority 7 default 10.0.0.1
Has been tested on OpenBSD 6.5