Friday, 8 April 2016

OpenBSD L2TP/IPSec VPN for Android

Since posting the L2TP/IPSec VPN configuration for Windows devices I have had a lot of comments asking for me to test this with Android. I wasn't able to follow up on those  requests as I had lent my old Samsung S3 to a friend whose iPhone 5S has been playing up and eventually died while he waited for his new phone, he got an iPhone 6S .. how disappointing ?

Anyway, Once I got the phone back it took me less than 5 minutes to find the correct settings for an Android device - please to bear in mind that if your Android device does not work please check the /var/log/messages file for what was sent by the device and what was expected by the router and make the adjustments in your /etc/ipsec.conf file.

I've decided to make a completely new blog about it so there is no confusion and its just simpler in my mind, I've also just copied and pasted the text and modified the few parts that needed to be for an Android running 4.4.4 (this is an OLD phone and it's running Cyanogen 11).

In OpenBSD to use L2TP / IPSEC you can use the native NPPPD (8) as I have done. I'm a big fan of using the out of the box features, afterall OpenBSD is built for security from the ground up, so using a 3rd party L2TP/IPSEC port wasn't an option, I literally didn't even give it a thought.

With NPPPD there are a bunch of files you'll need to configure in order to make it work.

My npppd.conf file looks something like this, note the reference to the npppd-users file, you can configure multiple VPN's here with different users in different files. You'll see I'm using tun instead of pppx

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"

tunnel L2TP protocol l2tp {
        listen on
        listen on ::

ipcp IPCP {

interface tun0 address ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

and list of users in the npppd-users file, add as many users you require, you can set them a static IP here too, check the man page for npppd for additional options:


and ipsec.conf file should look something like this, the first two lines set macros as you can in pf.conf, this helps as I have a dynamic IP, although I still have some issues if the IP changes and need to run pf.conf, possibly also reloading ipsec.conf rules, you may need to change aes to 3des or something else your device requires, same applies to modp2048 and hmac-sha1, check /var/log/messages after trying to connect your device:


ike passive esp transport \
        proto udp from $IF_WAN to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "3des" \
        psk $key

If you've got a working OpenBSD router using pf.conf as your firewall, you'll need to modify this too, adding tun to your skip statement, NAT rule allowing VPN clients LAN and WAN access, and the last two lines allow the VPN traffic in otherwise the VPN's wouldn't establish:

set skip on { lo, enc, tun }      #Added tun here

match out on $IF_WAN from {$IF_LAN:network,} nat-to ($IF_WAN:0) \
scrub (no-df max-mss 1440) #Added the network range for the VPN clients

pass quick proto { esp, ah }
pass in proto udp to $IF_WAN:0 port {isakmp, ipsec-nat-t}

You also need to add in some sysctl.conf options:


and in rc.conf.local


There are not many changes, you can either reboot the router or reload the firewall, load the modules in sysctl and start the services. If you already have a VPN configuration then restarting the services should be enough.