OpenBSD Journal
L2TP/IPSec with OpenBSD and npppd
Contributed by jj on Wed May 9 04:15:41 2012 (GMT)
from the its-a-truck-not-a-series-of-tubes dept.

Maxim Bourmistrov writes in to share his L2TP/IPSEC setup using npppd.

An OpenBSD user since 3.2, I deploy OpenBSD on anything that I want to be secure and stable (yes, even -current is STABLE, as long as you know what you are doing).

This guide is split into two sections. The first and major one is server-side configuration. The second is about what should be done on client-side. I use npppd both at home and at the office. My office setup is a bit more complicated than the one described here.

Read on for the story of how one man conquered his corner of the internet.


The server needs to run OpenBSD 5.1-current with /usr/src populated according to the documentation. npppd is in development, so it is a good idea to keep your sources up to date, or else you might miss an important patch.

1. Compile and Install

As npppd is not yet linked to the build, you have to compile it yourself:

cd /usr/src/usr.sbin/npppd && make depend && make && make install

2. Configuration

After that it is good practice to take a look at the HOWTO in the same directory, HOWTO_PIPEX_NPPPD.txt. There is no manual for npppd yet, so more info can only be gathered by reading the source code. [this should change relatively quickly - ed.] The info provided by Yasuoka in the above-mentioned HOWTO covers pretty much all we need for a basic setup; however, I'll write my working home configuration here.

Let's start with pf.conf:

pass quick proto { esp, ah } from any to any
pass in quick on egress proto  udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)

Now the IPSec part; isakmpd should start at boot and load rules from ipsec.conf, so add the following to rc.conf:

Then the ipsec.conf itself. Make sure to replace IP with your own external IP.

ike passive esp transport \
        proto udp from IP to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "password"

Finally, npppd.conf. At home I use RADIUS for authentication for a few reasons. If you plan to use a plain password file, then uncomment the lines after "Local file authentication". Again, the HOWTO mentioned above provides info on how to create this file. My internal network is 192.168.78.x. The is the range where clients connected through the VPN will get their addresses from. will be their gateway to the internal network.

interface_list:                 tun0


# Local file authentication
#auth.local.realm_list:                  local
#auth.local.realm.acctlist:              /etc/npppd/npppd-users.csv
#realm.local.concentrate:                tun0

#RADIUS authentication / accounting
auth.radius.realm_list:                radius
auth.radius.realm.server.secret:       radius_password
auth.radius.realm.acct_server.secret:  radius_password
realm.radius.concentrate:              tun0

lcp.mru:                        1400
lcp.timeout:                    18
auth.method:                    mschapv2
ipcp.assign_fixed:              true
ipcp.assign_userselect:         true

l2tpd.enable:                   true
#l2tpd.listener:                L2TP
l2tpd.ip4_allow:
l2tpd.require_ipsec:            true
l2tpd.accept_dialin:            true
pipex.enabled:                  true

A note about l2tpd.listener: this configuration directive can be used with more advanced setups, for instance when you have a CARP:ed range of IP addresses.

3. Start up

Apply the pf.conf first:

pfctl -f /etc/pf.conf

Then start isakmpd and apply IPSec rules:

/etc/rc.d/isakmpd start
ipsecctl -f /etc/ipsec.conf

Now start npppd:

/usr/sbin/npppd -D

All debugging, in case of misconfiguration or a non-working VPN, is done with isakmpd/npppd running in the foreground and tcpdump listening for relevant packets on the relevant interfaces.
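
A pre-flight check for the three files configured in section 2, as an added example that is not part of the original article or of OpenBSD: it flags a pre-shared key left at "password", an inactive l2tpd.require_ipsec, and any pf pass rule for port 1701 that is not bound to enc0. The function names, the sample files and the address 192.0.2.1 are constructed for the example, and the sample npppd.conf has require_ipsec commented out on purpose to trigger the check.

```sh
#!/bin/sh
# Added example, not the article's code: audit the files edited in step 2.
# Each function prints one finding per problem and nothing when clean.

# Drop comments and blank lines so commented-out directives do not count.
active() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

audit_pf() {      # any pass rule for port 1701 that is not bound to enc0
    active "$1" | grep -E '^pass[[:space:]]' | grep -v 'on enc0' |
        grep -Eq '(^|[^0-9])1701([^0-9]|$)' &&
        echo "pf: port 1701 is passed outside enc0; L2TP without IPsec reaches npppd"
    return 0
}

audit_ipsec() {   # pre-shared key left at the article's placeholder
    active "$1" | grep -Eq 'psk[[:space:]]+"password"' &&
        echo "ipsec: psk is still the placeholder \"password\""
    return 0
}

audit_npppd() {   # the directive must be present, uncommented and true
    active "$1" | grep -Eq '^l2tpd\.require_ipsec:[[:space:]]*true[[:space:]]*$' ||
        echo "npppd: l2tpd.require_ipsec is not set to true"
}

audit() { audit_pf "$1"; audit_ipsec "$2"; audit_npppd "$3"; }

# Constructed sample input based on the article; 192.0.2.1 is a made-up address.
write_samples() { # $1 = directory to write pf.conf, ipsec.conf, npppd.conf into
    cat > "$1/pf.conf" <<'EOF'
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
EOF
    cat > "$1/ipsec.conf" <<'EOF'
ike passive esp transport \
        proto udp from 192.0.2.1 to any port 1701 \
        psk "password"
EOF
    cat > "$1/npppd.conf" <<'EOF'
#l2tpd.require_ipsec: true
l2tpd.accept_dialin: true
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp" &&
    audit "$tmp/pf.conf" "$tmp/ipsec.conf" "$tmp/npppd.conf"
rm -rf "$tmp"
```

To audit a live system, call audit with /etc/pf.conf, /etc/ipsec.conf and the path of your npppd.conf instead of the sample files.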


Both OSX and Win7 offer to route ALL traffic via the VPN tunnel. Usually no one wants this, so one has to disable it and set up routing manually. Until then DNS resolves will not work, e.g. I'll not be able to reach my internal

I use OSX, so I'll cover how to set up routing once the VPN is established. Basically we need a helper script. OSX will run it automatically, but on Win7 it has to be executed with Administrative permissions.

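[root@grey] [/etc/ppp] $ cat /etc/ppp/ip-up
#!/bin/sh
# Placeholder values below: set PATH, the two gateway addresses and the
# two networks for your own sites.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

OFFICE_GW="<office VPN gateway address>"
HOME_GW="<home VPN gateway address>"

# Remote end of ppp0, i.e. the gateway handed out by the L2TP server
GW_FROM_L2TP=`ifconfig ppp0 | grep inet | awk '{print $4}'`

# "=" rather than "==" so the test also works in a plain POSIX sh
if [ "$GW_FROM_L2TP" = "$OFFICE_GW" ]; then
        NET="<office internal network>"
fi
if [ "$GW_FROM_L2TP" = "$HOME_GW" ]; then
        NET="<home internal network>"
fi

# Route only the matched internal network through the tunnel
if [ -n "$NET" ]; then
        route -qn add "$NET" -interface ppp0
fi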

That's it. I'd like to thank all developers working on OpenBSD, making it polished and good looking!

Special thanks to Yasuoka Masahiko (yasuoka@) for his technical review of this submission.

It should be noted, however, that there is a planned change to the npppd() configuration, which will quickly deprecate these instructions. When that time comes, we hope to provide information concerning the migration of your npppd() configurations.



  Re: L2TP/IPSec with OpenBSD and npppd (mod -4/28)
by Anonymous Cowbell (anon) on Fri Apr 27 13:52:05 2012 (GMT)
  "cd /usr/src/usr.sbin/npppd && make depend && make && make install"

This should have 'make obj' in it too.

  Re: L2TP/IPSec with OpenBSD and npppd (mod 7/27)
by sneaker (sneaker) on Fri Apr 27 15:40:27 2012 (GMT)
  Wow, I was just 2 weeks ago having trouble finding info on exactly this setup.


  His name (mod -1/29)
by Tamotsu (tamo) on Fri Apr 27 21:42:38 2012 (GMT)
  typo: s/Masohiko/Masahiko/
according to his site:
      Re: His name (-1/21) by tbert on Mon Apr 30 11:20:00 2012 (GMT)

  Re: L2TP/IPSec with OpenBSD and npppd (mod -1/23)
by 0tto (0tto) on Fri Aug 17 09:34:54 2012 (GMT)
  Thank you very much for this helpful guide. I got it working fine with OSX. Can someone please post some hints on how to configure Win7 clients?

  Re: L2TP/IPSec with OpenBSD and npppd (mod 7/23)
by rdk (rdk) on Mon Aug 19 12:59:50 2013 (GMT)
  This npppd.conf does not work for me in OpenBSD 5.3.
If the syntax of npppd.conf has changed in 5.3 and this article needs to be updated, would be great if somebody did it. I am really looking for working L2TP/IPSec npppd.conf.
Thanks, rdk

  Re: L2TP/IPSec with OpenBSD and npppd (mod 0/14)
by Anonymous Coward on Sat Sep 12 19:48:55 2015 (GMT)
  Port 1701 doesn't need to be open in PF, it should be protected by IPsec anyway, so you don't want to allow connections coming in over the internet, only enc0.

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]