Create a Raspberry Pi VPN Server using L2TP/IPsec

There’s a number of reason why you’d want to create your own VPN server to access your home or work network from anywhere else in the world. Maybe you want to stream Netflix from abroad, or want to get files off your home NAS. In this tutorial, I will guide you through the steps to turn your Raspberry Pi into a VPN server using L2TP/IPsec.

Jump through the Steps

Step 1 – Clean installation of Raspbian

To begin, I would strongly recommend ensuring your Raspberry Pi is running a clean version of Raspbian OS. Download the latest Raspbian Lite image from the Raspbian Website.

If you’re using MacOS or Microsoft Windows, I strongly recommend using Etcher to provision your MicroSD card (or USB Flash if you’re using a Raspberry Pi 3 onwards – recommended). Download it from the Etcher website.

Once it’s installed, plugin you MicroSD card (or USB Flash) into your computer, select the Raspbian Lite image and ‘burn’ it. The process doesn’t take long. You will see something like this:

Install Raspbian on Raspberry Pi 3

Once you’ve done that, plugin the media into your Raspberry Pi and start it up.

Step 2 – Securing your Raspberry Pi

At this point, you should see the command prompt on your Raspberry Pi. I recommend linking your Raspberry Pi to your network via an Ethernet cable to ensure a reliable connection. You can always SSH into your Raspberry Pi or run the next commands directly from the Raspberry Pi itself.

Assuming all went well, and you can see the Raspberry Pi command line, you’re good to continue with the tutorial. When prompted, login with the username ‘pi’ and password ‘raspberry’.

Next, we need to change the password for the raspberry pi to ensure that it is secure. To do this, run the following command:

sudo raspi-config

You will now see the Raspberry Pi configuration screen. We’re going to make two changes now, one will enable SSH (optional), the other will change the password for the pi user.

Configure Raspberry Pi

Now choose ‘Change User Password’ and when prompted, enter a new memorable password twice.

If you also want to enable SSH, do so by choosing ‘Interfacing options’ and then ‘Enable/Disable SSH’. CHoose ‘Yes’ and hit enter. That’s all we need to do now, so choose finish to complete the process.

Step 3 – Install the VPN server on your Raspberry Pi

Up to this point, we’ve installed Raspbian, secured our Raspberry Pi, now it’s time to install our VPN server software. Setting up a secure VPN is a notoriously fiddly and time consuming process, and quite easy to intoduce vulnerabilities if you don’t know what you’re doing. Lucky for us, Github user hwdsl2 has created a shell script which makes the process straightforward.

Setting up with a randomly generated password

The shell script will generate a username and password for us as part of the setup process. So if you’re happy with using the assigned password (as I did), run the following command:

wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh

Wait for the installation to complete, and boom! You have successfully setup your own VPN server.

Install VPN Server on Raspberry Pi

At the end of the installation process, you will be given your Pre-Shared Key (PSK), your username and password. Make a note of these, you’ll need them in order to connect.

Setting up with your own username and password

Personally, to ensure security, I would allow the script to generate you a password and PSK, but if you would like to define your own username and password, run the following to initially download the script:

wget https://git.io/vpnsetup -O vpnsetup.sh

Next, edit the file:

nano vpnsetup.sh

Scoll down to the following lines, and set your desired settings:

YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''

For your PSK, you can generate one from RandomKeygen. Remember, your PSK is intended to be a non-menorable key and not a string that you remember. Remember to follow the guidelines for escaping special characters in your password. Press CTRL + X to exit, saving when prompted. Now run the script:

sudo sh vpnsetup.sh

There you go. Done.

Step 4 – Configure your Router to allow VPN traffic into your network

Here in the UK, BT are probably the biggest provider of internet, so this next section is based on the router I have, the BT Smart Hub, but you should try and look for these settings in your own router. These are pretty universal, but the locations in the admin may be different.

Log into your router’s administration screen. On a BT Smart Hub, this is http://192.168.1.254 by default and you need to click ‘Advanced settings’ on the BT Smart Hub to login. You will find your default admin password on your Router or the Router’s box.

Step 4.1 – Ensure the Raspberry Pi gets the same IP each time

Ok, so first of all, you will need to ensure your Raspberry Pi is assigned the same IP address each time the IP address pool is refreshed. This may be different on your Router, but on the BT Smart Hub, choose My Network form the Advanced Settings page.

You will see something like this:

Configure BT Home Hub for VPN

In the list, look for your Raspberry Pi. As you can see in the screenshot above, my Raspberry Pi is called ‘rpivpn’. Go ahead and click on the Raspberry Pi in the list of devices.

Configure firewall for VPN

Make a note of the IP address assigned, and choose Yes for the option Always use this IP address. Save and you will be returned back to the list of devices.

Step 4.2 – Open up the Firewall ports to allow VPN traffic to the Raspberry Pi

Next we need to allow the VPN traffic through to the Raspberry Pi from outside your home network. Yet again, I (and most of the UK) have a BT Smart Hub, so this is tailored for this device.

From the Advanced Settings page, choose Firewall. Choose Create a new Firewall Rule. Give your rule a meaningful name, choose your Raspberry Pi and add the external port start and end to 500 and the same for Internal. In the protocol box, choose UDP. Click the Add button.

Now add another rule, start and end 4500 for both External and Internal Start and Finish. Choose UDP again and click Add. Click save.

Firewall ports for L2TP/IPsec VPN

A summary of the ports is below:

IP Type Internal port External port
Your Raspberry Pi IP UDP 500 500
Your Raspberry Pi IP UDP 4500 4500

Step 4.3 – Make a note of your router’s IP address on the WAN (internet)

You will have noticed, there’s lots of talk around IP addresses. So far we have seen the IP address of your Raspberry Pi on your local network. In order to connect to your VPN externally to your home network, we need to know your Router’s IP address on the Internet.

Note, I would imagine that most people are on a dynamic IP address. This means the IP address asigned to our Router changes periodically. If you have a static IP address, this never changes. I will follow up with another tutorial on how to assign a hostname to a dynamic IP address so that we can use something like remote.your-domain.com instead of using the dynamic IP address each time. When the dynamic IP address changes, you need to know what the new one is before you can reconnect to your VPN from the outside-world.

Simply type What’s my IP address into Google to get this:

Find your IP address

Make a note of this – it’s the IP address of your router on the internet, and we’ll need this to log onto your VPN from the outside world. That’s essentially it – we’ve created our VPN server and we’ve opened the Raspberry Pi to the world. All that’s left now is to connect to it.

Step 5 – Connect to your VPN

In order to connect, you should be on a different network to the one that your Raspberry Pi is connected to. To test this, I tethered my laptop to my mobile phone.

Connect from Windows 10

First, click Start, then choose the settings cog on the left hand side of the screen.

In the settings screen, choose Network & Internet.

On the left hand side of the screen, choose VPN and click Add a VPN Connection

Connect to VPN from Windows 10

As shown above, use the following settings:

Setting Value
VPN Provider Windows (built-in)
Connection Name Anything you like
Server Name or Address Your IP from step 4.3
VPN Type L2TP/IPsec with pre-shared key
Pre-shared key The key generated in step 3
User name The username generated in step 3
Password The password generated in step 3

Save and try connecting to your VPN. You should see something like this:

Connect to VPN in Windows 10

Connect from MacOS

Todo

Conclusion

We’ve installed our Raspberry Pi-based VPN server, set it up on our network and connected to it from our clients. The next step is to setup a hostname so that we don’t always need to find the IP address of our home network as most people will be on a Dynamic IP that changes periodically. I’ll cover this in another tutorial.

Any questions, feedback etc, feel free to ask in the comments.

 

Ste

Web Developer living in Manchester, working for Studio Skylab (http://www.studioskylab.com). Views and thoughts are my own.

You may also like...

3 Responses

  1. Martyn says:

    Thanks very much for this – I will give it a go when I get home. Please can you tell me if this setup will let multiple users connect at the same time?

  2. Nico says:

    after following the instructions I have executed the following script: ipsec verify this gave 2 errors:

    pluto listening for ike on udp 500 failed
    Pluto listening for IKE / NAT-T on udp 4500 [DISABLED]

    how can I solve this.
    regards

  3. Pete says:

    I get the following error
    files list file for package ‘mongodb-clients’ is missing final newline

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.