Note: You may also connect using the faster IPsec/XAuth mode

follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.

• Platforms
  • Windows
  • OS X (macOS)
  • Android
  • iOS (iPhone/iPad)
  • Chromebook
  • Linux
• Troubleshooting

Windows

Windows 10 and 8.x

1. Right-click on the wireless/network icon in your system tray.
2. Select Open Network and Sharing Center. Or, if using Windows 10 version 1709 or newer, select Open Network & Internet settings, then on the page that opens, click Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter Your VPN Server IP in the Internet address field.
7. Enter anything you like in the Destination name field, and then click Create.
8. Return to Network and Sharing Center. On the left, click Change adapter settings.
9. Right-click on the new VPN entry and choose Properties.
10. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the Type of VPN.
11. Click Allow these protocols. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes.
12. Click the Advanced settings button.
13. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
14. Click OK to close the Advanced settings.
15. Click OK to save the VPN connection details.

Note: A one-time registry change is required before connecting. See details below.

Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace Your VPN Server IP and Your VPN IPsec PSK with your own values, enclosed in single quotes:

# Disable persistent command history
Set-PSReadlineOption –HistorySaveStyle SaveNothing
# Create VPN connection
Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -L2tpPsk 'Your VPN IPsec PSK' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -Force -RememberCredential -PassThru
# Ignore the data encryption warning (data is encrypted in the IPsec tunnel)

Windows 7, Vista and XP

1. Click on the Start Menu and go to the Control Panel.
2. Go to the Network and Internet section.
3. Click Network and Sharing Center.
4. Click Set up a new connection or network.
5. Select Connect to a workplace and click Next.
6. Click Use my Internet connection (VPN).
7. Enter Your VPN Server IP in the Internet address field.
8. Enter anything you like in the Destination name field.
9. Check the Don't connect now; just set it up so I can connect later checkbox.
10. Click Next.
11. Enter Your VPN Username in the User name field.
12. Enter Your VPN Password in the Password field.
13. Check the Remember this password checkbox.
14. Click Create, and then Close.
15. Return to Network and Sharing Center. On the left, click Change adapter settings.
16. Right-click on the new VPN entry and choose Properties.
17. Click the Options tab and uncheck Include Windows logon domain.
18. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the Type of VPN.
19. Click Allow these protocols. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes.
20. Click the Advanced settings button.
21. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
22. Click OK to close the Advanced settings.
23. Click OK to save the VPN connection details.

Note: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).

To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. If prompted, enter Your VPN Username and Password, then click OK. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

OS X

1. Open System Preferences and go to the Network section.
2. Click the + button in the lower-left corner of the window.
3. Select VPN from the Interface drop-down menu.
4. Select L2TP over IPSec from the VPN Type drop-down menu.
5. Enter anything you like for the Service Name.
6. Click Create.
7. Enter Your VPN Server IP for the Server Address.
8. Enter Your VPN Username for the Account Name.
9. Click the Authentication Settings button.
10. In the User Authentication section, select the Password radio button and enter Your VPN Password.
11. In the Machine Authentication section, select the Shared Secret radio button and enter Your VPN IPsec PSK.
12. Click OK.
13. Check the Show VPN status in menu bar checkbox.
14. (Important) Click the Advanced button and make sure the Send all traffic over VPN connection checkbox is checked.
15. Click the TCP/IP tab, and make sure Link-local only is selected in the Configure IPv6 section.
16. Click OK to close the Advanced settings, and then click Apply to save the VPN connection information.

To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

Android

1. Launch the Settings application.
2. Tap "Network & internet". Or, if using Android 7 or earlier, tap More... in the Wireless & networks section.
3. Tap VPN.
4. Tap Add VPN Profile or the + icon at top-right of screen.
5. Enter anything you like in the Name field.
6. Select L2TP/IPSec PSK in the Type drop-down menu.
7. Enter Your VPN Server IP in the Server address field.
8. Leave the L2TP secret field blank.
9. Leave the IPSec identifier field blank.
10. Enter Your VPN IPsec PSK in the IPSec pre-shared key field.
11. Tap Save.
12. Tap the new VPN connection.
13. Enter Your VPN Username in the Username field.
14. Enter Your VPN Password in the Password field.
15. Check the Save account information checkbox.
16. Tap Connect.

Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

iOS

1. Go to Settings -> General -> VPN.
2. Tap Add VPN Configuration....
3. Tap Type. Select L2TP and go back.
4. Tap Description and enter anything you like.
5. Tap Server and enter Your VPN Server IP.
6. Tap Account and enter Your VPN Username.
7. Tap Password and enter Your VPN Password.
8. Tap Secret and enter Your VPN IPsec PSK.
9. Make sure the Send All Traffic switch is ON.
10. Tap Done.
11. Slide the VPN switch ON.

Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

Chromebook

1. If you haven't already, sign in to your Chromebook.
2. Click the status area, where your account picture appears.
3. Click Settings.
4. In the Internet connection section, click Add connection.
5. Click Add OpenVPN / L2TP.
6. Enter Your VPN Server IP for the Server hostname.
7. Enter anything you like for the Service name.
8. Make sure Provider type is L2TP/IPSec + pre-shared key.
9. Enter Your VPN IPsec PSK for the Pre-shared key.
10. Enter Your VPN Username for the Username.
11. Enter Your VPN Password for the Password.
12. Click Connect.

Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

Linux

Ubuntu Linux

Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the nm-l2tp PPA, read more here.

1. Go to Settings -> Network -> VPN. Click the + button.
2. Select Layer 2 Tunneling Protocol (L2TP).
3. Enter anything you like in the Name field.
4. Enter Your VPN Server IP for the Gateway.
5. Enter Your VPN Username for the User name.
6. Right-click the ? in the Password field, select Store the password only for this user.
7. Enter Your VPN Password for the Password.
8. Leave the NT Domain field blank.
9. Click the IPsec Settings... button.
10. Check the Enable IPsec tunnel to L2TP host checkbox.
11. Leave the Gateway ID field blank.
12. Enter Your VPN IPsec PSK for the Pre-shared key.
13. Expand the Advanced section.
14. Enter aes128-sha1-modp2048! for the Phase1 Algorithms.
15. Enter aes128-sha1-modp2048! for the Phase2 Algorithms.
16. Click OK, then click Add to save the VPN connection information.
17. Turn the VPN switch ON.

Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

Fedora and CentOS

Fedora 28 (and newer) and CentOS 7 users can connect using the faster IPsec/XAuth mode.

Other Linux

First check here to see if the network-manager-l2tp and network-manager-l2tp-gnome packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above.

Troubleshooting

• Windows Error 809
• Windows Error 628 or 766
• Windows 10 connecting
• Windows 10 upgrades
• Windows 8/10 DNS leaks
• macOS VPN traffic

Windows Error 809

Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the .reg file below, or run the following from an elevated command prompt. You must reboot your PC when finished.

• For Windows Vista, 7, 8.x and 10 (download .reg file)

  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

• For Windows XP ONLY (download .reg file)

  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.

• For Windows XP, Vista, 7, 8.x and 10 (download .reg file)

  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f

Windows Error 628 or 766

Error 628: The connection was terminated by the remote computer before it could be completed.

Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.

To fix these errors, please follow these steps:

1. Right-click on the wireless/network icon in your system tray.
2. Select Open Network and Sharing Center. Or, if using Windows 10 version 1709 or newer, select Open Network & Internet settings, then on the page that opens, click Network and Sharing Center.
3. On the left, click Change adapter settings. Right-click on the new VPN and choose Properties.
4. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for Type of VPN.
5. Click Allow these protocols. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes.
6. Click the Advanced settings button.
7. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
8. Click OK to close the Advanced settings.
9. Click OK to save the VPN connection details.

Windows 10 connecting

If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps:

1. Right-click on the wireless/network icon in your system tray.
2. Select Open Network & Internet settings, then on the page that opens, click VPN on the left.
3. Select the new VPN entry, then click Connect. If prompted, enter Your VPN Username and Password, then click OK.

Windows 10 upgrades

After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for Windows Error 809 and reboot.

Windows 8/10 DNS leaks

Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC.

In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to disable IPv6 in Windows.

macOS VPN traffic

OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show Your VPN Server IP, read the OS X section above and complete this step: Click the Advanced button and make sure the Send all traffic over VPN connection checkbox is checked. Then re-connect the VPN.

Android 6 and 7

If your Android 6.x or 7.x device cannot connect, try these steps: