OpenBSD Journal

L2TP for OpenBSD

Contributed by jose on from the commercial-VPNs dept.

Peter Curran writes: "I would like to implement a L2TP tunnel server on my OpenBSD box. Is there any software support out there to do this?



(Comments are closed)

  1. By dengue () on

    If the goal is to have Windows clients tunnel through an OpenBSD machine, why not just use IPSec? What is the problem you're trying to solve?

    1. By Anonymous Coward () on

      Because, contrary to popular assertion, IPSec as currently implemented and deployed does NOT solve the same set of problems as L2TP. L2TP is deployed on TOP of IPSec, and cleans up the ugly pieces that IPSec VPNs tend to forget about.

      First, the L2TP client is nicely integrated into the windows environment, making a VPN connection seem little more than another "dial-up Internet" solution to the end user.

      Second, the NAT issues, which are nicely handled by L2TP (NAT/T is still not here)

      Third, authentication is nicely integrated into an existing infrastructure. (LDAP/RADIUS/NTauth are already deployed at most sites)

      Finally, the L2TP client handles the irksome details of internal DNS, making the client feel like "part of the network"

      I have deployed IPSec VPNs on Windows clients in many configurations. The user headaches are several orders of magnitude greater than the equivalent L2TP solution (unless a remote desktop/terminal server solution is used).

    2. By Peter Curran () on


      Nope this is not my goal. What I am looking for is a no-brainer setup for a windows user to create a secure connection across a wireless network to an Access Point that happens to be running OpenBSD.

      You can actually set this up in a couple of clicks, as the windows wizard takes care of the L2TP setup as well as automatically enabling IPsec transport mode with (by default) an X.509 cert or (if you beat on it) a shared secret.

      The same wizard will also create a setup that automatically checks for either a PPTP tunnel or an L2TP tunnel. PPTP sucks, it is also proprietary. I prefer to stick to recognised standards hence my interest in L2TP.


  2. By paulc () on

    Actually getting IPSEC/L2TP working would be a very useful for remote VPN access from W2K/OSX clients (which have this built in). L2TP also addresses the problem with distributing/managing pre-shared secrets or certificates for users and as there is a secondary password authentication mechanism built into the L2TP/PPP connection.

    There is an open-source L2TP implementation here:

    A port of this was posted to openbsd-ports here:

    I spent a bit of time setting this up a while ago however unfortunately dont have the notes - (from memory) you essentially need the following:

    * IPSEC setup with either pre-shared key or cert (pre-shared key is easiest as this just establishes the tunnel auth - the user is authenticated later using PPP)

    * PF setup to limit enc0 access to the L2TPD server port

    * L2TPD running on lo0

    * PPP setup to authenticate vpn users

    One key problem is that without IPSEC NAT/T this wont work for a client behind a NAT gateway which made it essentially useless for my requirements (and hence I gave up). I believe the OpenBSD IPSEC should support NAT/T in 3.5 and Apple have committed to support this in their client - once this is in place I will probably take another look.

    1. By Peter Curran () on

      Thanks - I was aware of the l2tpd project, but not of the port to OpenBSD.

      As my requirement is really aimed at running this over a wireless LAN to an AP I will not have problems with NAT traversal.

      If I get this working OK then I will, of course, report back to this forum with the details on how I did it.

      Incidentally, I have a very easy to implement solution working using OpenVPN at the moment. Is anybody interested in this?


      1. By Dengue () on

        Yes, submit it as a separate article please. It'll be easier to search for that way.

      2. By Anonymous Coward () on

        I'd love to hear you report back if things work. And personally, I'd really love hear of your OpenVPN solution which I'd be very interested in reading/hearing.

      3. By X () on

        Yes interrested ;)

      4. By yijun () on

        Compare to IPSEC, PP2P/L2TP VPN and OPENVPN, SSLVPN is another rising tech. What's about that?

        1. By Anonymous Coward () on

          encapsulating tcp in tcp is certainly not a good idea, messes up congestion control etc


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]