Skip to content
L2TP/IPSEC VPN with built-in Duo support
Branch: master
Clone or download
ttheune Interface and docs (#18)
* Dynamically set interface name
Add link for windows documentation

* Remove eth0 references from sysctl and add ifaddr to requirements

* Replace whitespace

* More whitespace replacement

* Import ifaddr
Latest commit 295ab31 Nov 12, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
foxpass-radius-agent @ c77f5fb
.gitmodules Use the new radius agent as a sub-module (#4) Oct 13, 2016 Interface and docs (#18) Nov 12, 2018
foxpass_vpn.json added okta mfa (#13) May 29, 2018
gcp_foxpass_vpn.json Added radiusclient with the timeout changed to 30 (#10) Aug 28, 2017
sample_s3_config.json added okta mfa (#13) May 29, 2018

What it does

This repo helps you create an AMI image that offers a simple IPSEC/L2TP VPN server. Username and password will be checked against Foxpass (which in-turn syncs with Google Apps) and optionally against Duo or Okta for two-factor authentication (HIGHLY RECOMMENDED). NOTE: If you use emails for your Duo requests instead of usernames, you must enable username normalization. You can find more info about that setting here. If you use Okta instead, Foxpass requires credentials with at least Group Admin privileges in order to check the 2FA API endpoint with Okta.

Note that you don't have to build it. We have ready-to-go, free-of-charge AMIs on the AWS Marketplace.

How to build it

  • Clone this repo
  • init and update the submodules:
    • git submodule init
    • git submodule update
  • Download and install Hashicorp's Packer (
  • Put your AWS access key and secret key someplace that Packer can find them.
  • set your region and base AMI (currently designed for Ubuntu 16.04 base images) in foxpass_vpn.json
  • run packer build foxpass_vpn.json

for Google Cloud Platform :

  • Get account file JSON if not building on a GCE instance as described here
  • populate config variables via command line or variable file (docs)
  • run packer build gcp_foxpass_vpn.json

How to run it

  • Instantiate an image with the resulting AMI

    • Make sure it has a public IP address
    • Make sure it is in a security group with the following inbound rules:
      • UDP 500
      • UDP 4500
      • TCP 22 to your IP (for SSH management)
    • (optional, see below) for AWS: setup script can pull config from S3. Set role and user-data as described below.
  • When the instance comes up

    ssh ubuntu@<hostname-or-ip>
    sudo /opt/bin/
  • To automatically pull config from S3 (optional)

    • Set EC2 user-data to
     sudo /opt/bin/ s3://bucket-name/path/to/config.json

    This will run the config script on startup, you will not need to run the config script manually.

    • Set EC2 role to a role in IAM that has ListBucket and GetObject permissions (GetObjectVersion, too, if your bucket has versioning enabled) to the above-mentioned bucket and path in S3. (Only required if you choose to automatically pull your config from S3.)
    • Upload the config file with the following format (mfa_type, duo_config, okta_config, and require_groups are optional):
     "dns_primary": "",
     "dns_secondary": "",
     "local_cidr": "",
     "foxpass_api_key": "PUT_YOUR_FOXPASS_API_KEY_HERE",
     "mfa_type": "duo_OR_okta",
     "duo_config": {"api_host": "API_HOST_FROM_DUO", "skey": "SKEY_FROM_DUO", "ikey": "IKEY_FROM_DUO"},
     "okta_config": {"hostname": "OKTA_HOSTNAME", "apikey": "OKTA_APIKEY"},
     "require_groups": ["group_1", "group_2"] <- optionally requires user to be a member of one of the listed groups

How to set up your clients

How to make changes

Pull requests welcome!

  • templates/ are the configuration templates that will be updated by the script.
  • scripts/ include the script and the static configuration files that need to be installed.
  • foxpass-radius-agent/ is a submodule (See here) that contains a radius agent that connects L2TP to Foxpass and Duo authentication APIs.

Thank you

  • Huge thank-you to Travis Theune who was an instrumental collaborator throughout the design, implementation, and testing.
  • Based on the work of Lin Song (Copyright 2014-2016), which was based on the work of Thomas Sarlandie (Copyright 2012)
You can’t perform that action at this time.