Tuesday, 4 August 2015

OpenBSD L2TP/IPSEC VPN (Works with Windows Phone 8.1!)

Now I've got  my OpenBSD router at home I thought I'd have a crack at making a VPN work.
I chose a L2TP over IPSEC VPN because I was lazy and didn't want the hassle of creating certificates. Also Windows Phone 8.1 since Update 2 (GDR2) has supported L2TP/IPSEC, and as this is the primary device I'll be using my VPN with it was a sealed deal.

In OpenBSD to use L2TP / IPSEC you can use the native NPPPD (8) as I have done. I'm a big fan of using the out of the box features, afterall OpenBSD is built for security from the ground up, so using a 3rd party L2TP/IPSEC port wasn't an option, I literally didn't even give it a thought.

If you're looking for L2TP/IPSEC for Android, see my other post here:

With NPPPD there are a bunch of files you'll need to configure in order to make it work.

My npppd.conf file looks something like this, note the reference to the npppd-users file, you can configure multiple VPN's here with different users in different files. You'll see I'm using tun instead of pppx

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"

tunnel L2TP protocol l2tp {
        listen on
        listen on ::

ipcp IPCP {

interface tun0 address ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

and list of users in the npppd-users file, add as many users you require, you can set them a static IP here too, check the man page for npppd for additional options:


and ipsec.conf file should look something like this, the first two lines set macros as you can in pf.conf, this helps as I have a dynamic IP, although I still have some issues if the IP changes and need to run pf.conf, possibly also reloading ipsec.conf rules, you may need to change aes to 3des or something else your device requires, same applies to modp2048 and hmac-sha1, check /var/log/messages after trying to connect your device:


ike passive esp transport \
        proto udp from $IF_WAN to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" \
        psk $key

If you've got a working OpenBSD router using pf.conf as your firewall, you'll need to modify this too, adding tun to your skip statement, NAT rule allowing VPN clients LAN and WAN access, and the last two lines allow the VPN traffic in otherwise the VPN's wouldn't establish:

set skip on { lo, enc, tun }      #Added tun here

match out on $IF_WAN from {$IF_LAN:network,} nat-to ($IF_WAN:0) \
scrub (no-df max-mss 1440) #Added the network range for the VPN clients

pass quick proto { esp, ah }
pass in proto udp to $IF_WAN:0 port {isakmp, ipsec-nat-t}

You also need to add in some sysctl.conf options:


and in rc.conf.local


Now once you've configured your VPN, reboot and try connect your device. You will need to set the username, password and passphrase you had earlier in the npppd-users file. If you have any errors check /var/log/messages log file for hints on what's wrong.

With this configuration I'm able to get 15Mb down and up through the VPN on my Lumia 930, my home FTTP (Fibre To the Premise) connection only has 20Mb upload, so all in its not too shabby taking into count the internet is otherwise in use by my family and the VPN overhead. 

PS: My work where I tested it for optimal performance has a 1Gb dedicated fibre line and I'm connected to a Cisco WAP371 AC wireless router no more than 3 metres away, so that wouldn't slow anything down either.

If you have any issues, just ask and I'll do my best to help, don't post any configuration files without altering sensitive data, like passwords, username and the passphrase.

PS: Thanks go to the guys at the BSD Now podcast for linking to my BSD blog articles :) Keep up the good work guys, I am an occasional listener!


  1. Hey there thanks for posting. Have you tried this with the default VPN client on Android 4.X? Do you know what crypto proposals the android would try? Thank you will give it a shot.

  2. Hi Matt,

    I've not yet tried as my Lumia 930 is my daily driver, I do have a Samsung Galaxy S3 with Cyanogen mod on it at home which I can use to see what crypto it wants to use, mod my config and see if it connects and get back to you.

    1. Hello,

      No glory with Android have you any luck? I run into exact same issue as described here.


  3. Hi Matt,

    I've not had time to test it with my Android phone yet. When I do I'll update my post.

  4. Hey Jayton,
    Please, please, please... do testing with Android devices.
    I am smashing my head against the wall cause my Samsung S6 with 5.1.1 keep using strange options on ipsec specifications, like "lifetime 28800", ENCRYPTION_ALGORITHM of AES_CBC.

    1. Hi sorry I've not been able to get Roundy to this yet, my Samsung S3 has been on loan Toa friend waiting to upgrade after he broke his iPhone, I will get round to it soon.

    2. Hi, I've tested it with my Samsung S3, have a look at my blog post on that, its only a few changes from Windows Phone, there is a link under the 2nd paragraph on this post.

  5. I configured the ipsec.conf file and when it is loaded via ipsecctl it returns:

    /etc/ipsec.conf: 32: could not parse host specification

    The line 32 is where $IF_WAN is and I checked and there is no pppoe0 interface in my OpenBSD box.

    Any thoughts? Thanks!

    1. Replace pppoe0 with whatever your WAN interface is.

  6. This is a great article thanks for sharing this informative information. I will visit your blog regularly for some latest post. I will visit your blog regularly for Some latest post. vpn service