Howto: L2TP VPN with PSK on EC2 Linux AMI to support your Google Chromebook

Chromebooks are great devices. Unfortunately they do not support a wide range of VPN technologies, and PPTP, which we tend to use at Astyran since it is supported by most devices, is not on the list.

No choice then but to modify our standard images to support L2TP over IPsec with PSK (pre-shared key). Chrome OS also supports L2TP over IPsec with certificate-based authentication and OpenVPN, but these are more complicated to set up, especially if you need to support a wide range of devices.

Goal of our set-up

The goal of this procedure is to document a quick and dirty method to set up a single L2TP VPN server with PSK to be used for our Chromebooks. It should work with other clients too.

Note that we will be using a Google DNS server ( and once a client is connected, all traffic is allowed through the VPN, including internet traffic.

The documented method should be fine for a single VPN server in a simple environment. If you have a more complicated setup, please spend some weeks cursing and reading on the intricacies of a VPN set-up using Linux.


First create a (micro) EC2 instance (64-bit). We used the latest available Amazon Linux AMI (v2013.03.1). Log in as ec2-user and enter the following in the shell:

sudo su -
yum update
yum install -y --enablerepo=epel openswan xl2tpd

Note that the enablerepo switch enables the Amazon Extra Packages for Enterprise Linux repository.

Use your favourite editor (e.g. nano) to modify the file /etc/xl2tpd/xl2tpd.conf to read:

ip range
local ip
require chap=yes
name = myVPNServer

You can of course use other IP addresses. The above instructs the VPN to use as a local address, and gives remote clients an IP address between and

Note the name myVPNServer that we will need in the next step.

Edit the file /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client    server  secret  IP addresses
Zaphod myVPNServer Beeblebrox *

This will set the user-id to Zaphod and the password to Beeblebrox.

Next edit /etc/ipsec.conf and add the following:

conn EC2

Now edit/create the file /etc/ipsec.d/ec2.secrets and insert the following:

%any %any : PSK "milliways;2013"

This will set the shared secret (PSK) for the L2TP VPN connection to milliways;2013. Do change this secret and use a much, much longer one: everyone who knows the PSK can bring up an IPsec tunnel to the server, so it should be a long random string, not a word.
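The following script is an added example, not part of the original post: it generates a long random PSK and CHAP password for the two secrets files above (/etc/ipsec.d/ec2.secrets and /etc/ppp/chap-secrets) and writes them root-readable only. It assumes /dev/urandom and a `head` that accepts `-c`, both present on the Amazon Linux AMI; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate and install the two
# secrets the howto asks you to choose (the IPsec PSK and the CHAP password)
# at a length that resists guessing, with root-only file permissions.
# Assumes /dev/urandom and GNU/BSD head (both present on the Amazon Linux AMI).

# Print N random characters from [A-Za-z0-9]; default 48. The character set
# avoids '"' and backslash so the value can be quoted in ipsec.secrets as-is.
gen_secret() {
    n="${1:-48}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$n"
}

# Refuse a PSK shorter than a minimum (default 32 characters). The post's
# sample "milliways;2013" fails this check, as intended.
check_psk_length() {
    s="$1"; min="${2:-32}"
    [ "${#s}" -ge "$min" ]
}

# Write the PSK file the post places in /etc/ipsec.d/ec2.secrets.
# $1 = target file, $2 = PSK. Mode 600: anyone who can read it can join the VPN.
write_psk_file() {
    f="$1"; psk="$2"
    ( umask 077; printf '%%any %%any : PSK "%s"\n' "$psk" > "$f" )
    chmod 600 "$f"
}

# Append one CHAP line (client, server name, password, allowed IPs) to a
# chap-secrets file, in the same format as "Zaphod myVPNServer Beeblebrox *".
write_chap_line() {
    f="$1"; user="$2"; server="$3"; pw="$4"
    ( umask 077; printf '%s %s %s *\n' "$user" "$server" "$pw" >> "$f" )
    chmod 600 "$f"
}

# Wiring it together on the server (run as root; the paths are the post's).
# Uncomment to use:
#   psk=$(gen_secret 48); check_psk_length "$psk" || exit 1
#   write_psk_file /etc/ipsec.d/ec2.secrets "$psk"
#   write_chap_line /etc/ppp/chap-secrets Zaphod myVPNServer "$(gen_secret 32)"
#   echo "PSK: $psk"   # enter this on the Chromebook, then clear your scrollback
```

Run it once, before the `init 6` reboot, so ipsec and xl2tpd start with the new secrets in place.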

Open /etc/sysctl.conf in a text editor and change the following line to read "= 1" (the default is "0"):

net.ipv4.ip_forward = 1

Now execute the following commands (as root):

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

Note that values written under /proc do not survive a reboot. To keep ICMP redirects disabled after the reboot below, also add net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.send_redirects = 0 to /etc/sysctl.conf.

We are nearly there:

sysctl -p
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
chkconfig xl2tpd on
chkconfig ipsec on

If there are no errors, execute:

init 6

Now configure your EC2 security groups for this VPN to allow:

UDP port 1701 (for L2TP)
UDP port 500 (for IKE)
UDP port 4500 (for IPSec over UDP)

That's it! Check here for more information on how to set up your Chromebook for an L2TP VPN with pre-shared key.


Herman Stevens

Just some guy on the internet. Loves technology, diving, travelling, photography and Belgian Trappist beers.