L2TP/IPSec PSK VPN server for single Android user

Nate Riffe



Version information

  • 2.1.1 (latest)
  • 1.0.1
  • 1.0.0
released Jan 27th 2014

inkblot/android_ec2_vpn — version 2.1.1 Jan 27th 2014



IPsec is a total pain in the ass, and Android devices are finicky about their VPN servers. Add to that the fact that, with EC2, both the server and the device are NATted, and... well... you have trouble sleeping.


There are lots of fun tutorials and war stories about how to set this up. Here are the ones that guided me:

I probably missed some (in addition, of course, to the Google+ post I can't find any more about incorrect/missing SPD entries when the server is NATted). Many thanks to the Internet.

How to use it


The VPN server is an EC2 instance. Start one up with a security group that has these ports open for inbound traffic:

  • TCP port 22
  • TCP port 500
  • UDP port 500
  • UDP port 4500

Install this module using the command puppet module install inkblot/android_ec2_vpn. This will ensure that all of its dependencies are satisfied.

Using puppet and this module, apply something like this on the server:

# Example values only: replace them with your own username, password and pre-shared key.
class { 'android_ec2_vpn':
    username       => 'guesswho',
    password       => 'qwertyuiop',
    pre_shared_key => 'asdfghjkl;',
}
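One way to produce that class declaration with randomly generated secrets instead of typed ones. This is an added example, not part of the module; the helper names gen_secret and write_vpn_manifest are hypothetical, and it assumes a POSIX shell with /dev/urandom.

```shell
#!/bin/sh
# Added example: helper names (gen_secret, write_vpn_manifest) are hypothetical,
# not part of the android_ec2_vpn module. Assumes /dev/urandom exists.

# gen_secret N: print N random characters from [A-Za-z0-9]. Staying
# alphanumeric means the value needs no escaping inside a single-quoted
# Puppet string and is easy to type on a phone keyboard.
gen_secret() {
    s=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$1")
    # Refuse to hand back a short secret if the random source came up short.
    [ "${#s}" -eq "$1" ] || return 1
    printf '%s' "$s"
}

# write_vpn_manifest FILE USERNAME: write the class declaration with a fresh
# password and pre-shared key into FILE, readable only by its owner.
write_vpn_manifest() {
    manifest=$1
    user=$2
    # Reject anything that could break out of the quoted Puppet string.
    case $user in
        ''|*[!A-Za-z0-9_]*)
            echo "username must match [A-Za-z0-9_]+" >&2
            return 1 ;;
    esac
    pass=$(gen_secret 24) || return 1
    psk=$(gen_secret 32) || return 1
    (
        umask 077   # never create the file group- or world-readable
        cat > "$manifest" <<EOF
class { 'android_ec2_vpn':
    username       => '$user',
    password       => '$pass',
    pre_shared_key => '$psk',
}
EOF
    ) || return 1
    chmod 600 "$manifest"   # tighten a pre-existing file as well
}

# Usage: write_vpn_manifest vpn.pp guesswho && puppet apply vpn.pp
```

The generated file holds the same values you later enter on the Android device, so read them from it once and keep it off shared storage.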


The VPN client is an Android device. Create a new VPN connection:

  • Name it whatever you want
  • Set type to: L2TP/IPSec PSK
  • Set the Server address to the EC2 instance's public IP
  • Leave L2TP secret blank
  • Leave IPSec identifier blank
  • Set the IPSec pre-shared key to the value of the pre_shared_key parameter you used with the puppet class.

When you tell your device to connect, it will prompt for a username and password. Use the username and password parameter values that you used with the puppet class.