L2TP + IPsec VPN server on Raspberry Pi (IOS 10 support)
First at all, what is Raspbery Pi?
It is super small computer (credit card size) running on version of Debian linux called Raspbian. It is ideal for home server, and control of your home devices such as cameras, printers,etc… In case your provider gave you the router without VPN support (which is my case) it is the perfect way to make your own VPN server.
As Apple has removed PPTP from IOS 10, L2TP + IPsec is one of the options. Here is my config that works perfectly on my iPhone and iPad. Raspberry Pi runs Raspbian Jessie.
(This setup should be the same on all linux platforms)
1. Forward udp ports 500 and 4500 on your router. You can also put your Pi in DMZ, so all ports will be exposed to internet.
2. Install openswan
apt-get install xl2tpd openswan ppp lsof
Note: Answer NO when asked if an X.509 certificate for this host can be automatically created or imported. This certificate can be created and imported later using:
3. Give your Pi static IP
192.168.0.166 is my Raspberry Pi ip, and 192.168.0.1 is my router. You have to switch those to your ip addresses.
4. Firewall and IP forwarding
Execute those line by line. You have to be root, or you can use sudo.
iptables –table nat –append POSTROUTING –jump MASQUERADE
echo “net.ipv4.ip_forward = 1” | tee -a /etc/sysctl.conf
echo “net.ipv4.conf.all.accept_redirects = 0” | tee -a /etc/sysctl.conf
echo “net.ipv4.conf.all.send_redirects = 0” | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
Add this code to /etc/rc.local
This is whole config. Just replace 192.168.0.166 to your IP and 192.168.0.1 to your router IP
Just put your IP address and your secret here.
Put your IP here and set range that will not conflict with your router dhcp
This one you can just copy.
Set your user and password here.
10. Restart the service
And that is it. Make sure your VPN server starts on boot:
update-rc.d -f ipsec remove
update-rc.d ipsec defaults
Chose MS-Chap v2 when connecting
And put your IPsec secret here
On IOS 10
Windows does not support IPsec NAT-T by default, which is used whenever the server is behind a NAT (as in this case). You have to add a registry key to enable this.
On your Windows Vista, 7 or 8 client machine change or add the following registry item:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\ New DWORD (32-bit) Value:AssumeUDPEncapsulationContextOnSendRule Set the value to 2
This allows the client or server to be behind a NAT firewall.