IPsec VPN with RouterOS and Android
I occasionally use WiFi hotspots on my Android phone when I'm either running low on my data plan quota, or when I require more bandwidth. The problem is that most hotspots are insecure, and often use nothing but a basic captive portal for authentication.
Security considerations when using a hotspot
- No encryption between client and hotspot which means that traffic can easily be eavesdropped
- Any authenticated client can easily be spoofed by hijacking their MAC address
- No control over what happens to traffic when it leaves the hotspot router (logging, fingerprinting, packet sniffing, MITM attacks etc.)
One possible solution to these issues is to use a VPN for end-to-end encryption of all traffic leaving your device.
Configuring IPsec/L2TP on RouterOS
RouterOS has builtin support for IPsec/L2TP. The following steps describe a configuration that works with Android devices. This configuration also includes NAT traversal, so it will work for clients behind NAT.
- Enable L2TP server [doc]
/interface l2tp-server server set default-profile=l2tp enabled=yes
- Add an IP address pool for clients [doc]
/ip pool add name=l2tp-pool ranges=192.168.0.10-192.168.0.20
- Set the router IP inside the tunnel by adding a PPP profile [doc]
/ppp profile add local-address=192.168.0.1 name=l2tp remote-address=l2tp-pool
- Add a PPP user [doc]
/ppp secret add name=myusername secret=mypassword profile=l2tp service=l2tp
- Configure IPsec proposal (phase 2) [doc]
/ip ipsec proposal set [ find default=yes ] \ enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
- Configure IPsec peer (phase 1) [doc]
/ip ipsec peer add enc-algorithm=aes-256 exchange-mode=main-l2tp \ generate-policy=yes hash-algorithm=sha1 nat-traversal=yes \ secret=mysharedsecret send-initial-contact=no
- Allow IPsec/L2TP traffic (and NAT traversal) in firewall
/ip firewall filter add chain=input dst-port=4500 protocol=udp /ip firewall filter add chain=input dst-port=1701 protocol=udp /ip firewall filter add chain=input dst-port=500 protocol=udp /ip firewall filter add chain=input protocol=ipsec-esp
If RouterOS is not your thing, Debian has an excellent guide on setting up a similar Android-compatible VPN stack on their wiki.
Configuring Android client
These are steps required to configure the client-side on Android 4.2.2:
- Go to Settings -> Wireless & Networks -> More… -> VPN
- Add a new VPN profile, give it a name and set the type to
- Enter your pre-shared key under
IPSec pre-shared key
- Connect and you should be prompted for your username and password