This is a project to create a Makefile that'll bootstrap a newly-provisioned Ubuntu 12.x VM in the Joyent Public Cloud (at http://my.joyentcloud.com ) into a working IPSec+L2TP VPN gateway, suitable for connecting your Mac OSX computer, or iPhone/iPad to. (this probably works with windows and other vpn clients, too, though) How to use this: - provision new ubuntu 12.04 image in JPC and log into it - apt-get update - apt-get install git make - git clone https://ryancnelson@bitbucket.org/ryancnelson/jpc-l2tp-ipsec.git - cd jpc-l2tp-ipsec - make (here, it tells you "you need to run 'make updateto386' to update your kernel") - do that: make updateto386 - reboot, then login again in 30 seconds - cd jpc-l2tp-ipsec - make - answer the questions about creating an X.509 certificate with "No" (just hit return, then again for "ok") - set up your Mac to connect an IPsec+L2TP VPN to the IP Address given, with shared secret "letmein", and default username/password "archer/dutchess" see http://ryan.net/misc/skitch/ipsec_L2TP_vpn_mac-20130324-233228.jpg for a screenshot of where to set this up on your Mac (on the Mac, click "Advanced" and check "Send all traffic over VPN connection" unless you want to add your own routes, manually.) -------- What this is doing: 0. Upgrades your Ubuntu Kernel to something newer with /dev/ppp installed (UPDATE: May 2013 -- There exists now a Joyent Ubuntu VM image that's already got a suitable kernel installed. I believe it's "Ubuntu 12.04 v 2.4.2") 1. Sets up IPSec on your VM with a PSK shared-secret. This is "letmein" (you should change this. look in /etc/ipsec.secrets ) 2. Sets up L2TP tunneling and a username/password for that ppp-over-IPsec connection. This is "archer/dutchess". (you should change this. look in /etc/ppp/chap-secrets ) 3. Adds a "SNAT" rule on your Linux VM's iptables setup to allow any packets forwarded over the tunnel to go out to the internet, as if they were sourced from your VM's IP itself. This lets you "surf through your VPN tunnel." One other note for SmartOS users: because this SNAT is a "one-way NAT" (outbound through your VPN tunnel), we never are sourcing TCP packets with anything other than your SmartDataCenter "blessed" public IP. This means that this solution works fine without having to disable any of the "IP anti-spoof" rules, and works for any VM in the Joyent Public Cloud, not just enterprise VLAN customers. That's it... let me know if it's helpful for you. I'm "@ryancnelson" on twitter, and "ryancnelson" on irc.freenode.net in #smartos