Setting up L2TP/IPSEC server using PSK on Raspberry Pi…

November 7, 2018
by Muhammad

While reading and searching for which IPSEC app to use for this server on Raspi (that is how I am going to call my Raspberry Pi now), I realised that Openswan may have some issues, and as I had successfully installed Strongswan on my VPS, I stuck with Strongswan.

We will do it in small steps. First Strongswan, then L2TP and then firewall rules.

Strongswan

sudo apt-get install strongswan iptables-persistent

Go to the /etc directory

cd /etc

Copy both ‘ipsec.conf’ and ‘ipsec.secrets’ to keep the default originals

sudo cp ipsec.conf ipsec.conf.original
sudo cp ipsec.secrets ipsec.secrets.original

Empty ‘ipsec.conf’ so you can put in your own config (only ‘tee’ needs sudo, not ‘echo’)

echo '' | sudo tee ipsec.conf

and now edit it with your favourite editor

sudo vim ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn vpnserver
        type=transport
        authby=secret
        pfs=no
        rekey=no
        keyingtries=1
        left=%any
        leftprotoport=udp/l2tp
        leftid=@wildfire
        right=%any
        rightprotoport=udp/%any
        auto=add

include /var/lib/strongswan/ipsec.conf.inc

As we are using a PSK instead of certificates, we will be editing the ipsec.secrets file next. Insert the line below into the file, replacing x.x.x.x with the IP of the server interface that will listen for connections and ‘password’ with a long passphrase (the selector after the IP is ‘%any’, i.e. any peer).

x.x.x.x %any : PSK "password"

L2TP (Xl2tpd)

Now for the L2TP installation.

sudo apt-get install xl2tpd

Make a copy of the config file (it lives in /etc/xl2tpd) to keep

sudo cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.original

Edit /etc/xl2tpd/xl2tpd.conf and add these lines at the end of the file


[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = x.x.x.x - x.x.x.x
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = x.x.x.x
require authentication = yes
pppoptfile = /etc/ppp/options

PPP

We will use PPP for authentication, so install it

sudo apt-get install ppp

Again, make copies of the files we will be changing (the first file is ‘options’, not ‘option’)

sudo cp /etc/ppp/options /etc/ppp/options.original
sudo cp /etc/ppp/chap-secrets /etc/ppp/chap-secrets.original

Now, at the end of the ‘options’ file, enter this code, replacing x.x.x.x with the IP address of the DNS server you want to pass to the VPN clients


noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns x.x.x.x

You will also need to comment out (‘remark’) the following lines in the ‘options’ file, so they look like this


#modem
#lock
#crtscts

At the end of the ‘chap-secrets’ file, add this line, replacing ‘username’ and ‘password’ with what you want for each client. The last field can restrict a client to a certain IP; we leave it as ‘*’ to allow the connection from anywhere.


username   *    password   *

Firewall rules

First of all, make a copy of ‘/etc/sysctl.conf’ to keep and then edit the file. Find the first three lines and uncomment them. The last line may or may not be in your config file: if it is, uncomment it, and if it isn’t, add it.


net.ipv4.ip_forward=1
..
net.ipv4.conf.all.accept_redirects = 0
..
net.ipv4.conf.all.send_redirects = 0
..
net.ipv4.ip_no_pmtu_disc = 1

Now make a copy of ‘/etc/iptables/rules.v4’ and edit that file. Enter the block of rules below, replacing x.x.x.x/x with the subnet you selected for allocating IP addresses to your VPN clients. The last rule only forwards new flows from that subnet when they arrived inside the IPsec tunnel (‘-m policy --pol ipsec --dir in’), so plain unencrypted L2TP packets are not forwarded.


-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -s x.x.x.x/x -m policy --pol ipsec --dir in -j ACCEPT

Now run the command below so the server acts as a NAT device for all VPN clients. Replace x.x.x.x/x with the subnet the VPN clients get their IP addresses from.


sudo iptables -t nat -A POSTROUTING -s x.x.x.x/x -j MASQUERADE
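As an added check (my own script, not part of the original post), the functions below verify the three file edits above before the services are restarted: the sysctl keys are uncommented and set, the PSK line uses ‘%any’ and a secret of at least 20 characters, and rules.v4 contains the ESP/AH/IKE and IPsec-policy rules. The file paths and the 192.0.2.0/24 sample subnet in the demo are constructed.

```shell
#!/bin/bash
# Added check script (not from the original post). Each function takes a
# file path so it can be run against a copy; on the Pi pass the real
# /etc/sysctl.conf, /etc/ipsec.secrets and /etc/iptables/rules.v4.

# 0 when every sysctl key from the post is present, uncommented and set
# to the required value (spaces around '=' are tolerated).
sysctl_ok() {
    f="$1"
    for kv in net.ipv4.ip_forward=1 net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0 net.ipv4.ip_no_pmtu_disc=1; do
        key="${kv%=*}"; val="${kv#*=}"
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$f" || return 1
    done
}

# 0 when ipsec.secrets holds a PSK line of the form  x.x.x.x %any : PSK "..."
# (the selector must be %any, not &any) and the secret is >= 20 characters.
secrets_ok() {
    line=$(grep -E '^[0-9.]+[[:space:]]+%any[[:space:]]*:[[:space:]]*PSK[[:space:]]+"' "$1") || return 1
    psk=${line#*\"}; psk=${psk%\"*}
    [ "${#psk}" -ge 20 ]
}

# 0 when rules.v4 accepts ESP, AH and IKE/NAT-T on INPUT and only forwards
# NEW flows from the VPN subnet that arrived inside an IPsec policy.
rules_ok() {
    f="$1"
    grep -q -- '^-A INPUT -p esp -j ACCEPT' "$f" &&
    grep -q -- '^-A INPUT -p ah -j ACCEPT' "$f" &&
    grep -q -- '^-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT' "$f" &&
    grep -Eq -- '^-A FORWARD -m conntrack --ctstate NEW -s [0-9./]+ -m policy --pol ipsec --dir in -j ACCEPT' "$f"
}

# Demo on constructed sample files (192.0.2.0/24 is a documentation range).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'net.ipv4.ip_forward=1' 'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.conf.all.send_redirects = 0' 'net.ipv4.ip_no_pmtu_disc = 1' > "$d/sysctl.conf"
    printf '%s\n' '192.0.2.10 %any : PSK "correct horse battery staple 2018"' > "$d/ipsec.secrets"
    printf '%s\n' '-A INPUT -p esp -j ACCEPT' '-A INPUT -p ah -j ACCEPT' \
        '-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate NEW -s 192.0.2.0/24 -m policy --pol ipsec --dir in -j ACCEPT' > "$d/rules.v4"
    for chk in sysctl_ok:sysctl.conf secrets_ok:ipsec.secrets rules_ok:rules.v4; do
        if "${chk%%:*}" "$d/${chk#*:}"; then echo "PASS ${chk#*:}"; else echo "FAIL ${chk#*:}"; fi
    done
    rm -rf "$d"
}
demo
```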