

L2TP/IPSec PSK VPN server for single Android user



Version information

  • 2.1.1 (latest)
  • 1.0.1
  • 1.0.0
released Jan 27th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'inkblot-android_ec2_vpn', '2.1.1'

Add this module to your Bolt project:

bolt module add inkblot-android_ec2_vpn

Manually install this module globally with Puppet module tool:

puppet module install inkblot-android_ec2_vpn --version 2.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



inkblot/android_ec2_vpn — version 2.1.1 Jan 27th 2014



IPsec is a total pain in the ass, and Android devices are finicky about their VPN servers. Add to that the fact that with EC2 both the server and the device are NATted, and... well... you have trouble sleeping.


There are lots of fun tutorials and war stories about how to set this up. Here are the ones that guided me:

I probably missed some (in addition, of course, to the Google+ post I can't find any more about incorrect/missing SPD entries when the server is NATted). Many thanks to the Internet.

How to use it


The VPN server is an EC2 instance. Start one up with a security group that has these ports open for inbound traffic:

  • TCP port 22
  • TCP port 500
  • UDP port 500
  • UDP port 4500

Install this module using the command puppet module install inkblot/android_ec2_vpn. This will ensure that all of its dependencies are satisfied.

Using puppet and this module, apply something like this on the server:

class { 'android_ec2_vpn':
    # Placeholder values: substitute your own username, password and pre-shared key
    username       => 'guesswho',
    password       => 'qwertyuiop',
    pre_shared_key => 'asdfghjkl;',
}


The VPN client is an Android device. Create a new VPN connection:

  • Name it whatever you want
  • Set type to: L2TP/IPSec PSK
  • Set the Server address to the EC2 instance's public IP
  • Leave L2TP secret blank
  • Leave IPSec identifier blank
  • Set the IPSec pre-shared key to the value of the pre_shared_key parameter you used with the puppet class.

When you tell your device to connect, it will prompt for a username and password. Use the username and password parameter values that you used with the puppet class.