VPN

We use strongSwan with IKEv2: the server authenticates with a public key and clients authenticate with EAP-MD5 (username/password). EAP-MD5 is no more susceptible to dictionary attacks than EAP-MSCHAPv2 anyway.

N.B. we would use EAP-TTLS, but the strongSwan Android client does not support it.

Usage

Start off by creating an account for yourself by editing:

/var/lib/strongswan/ipsec.secrets.inc

Once done, run:

sudo ipsec rereadsecrets
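
Since EAP-MD5 is open to dictionary attacks, the account entry is best given a randomly generated password. The script below is an added example, not part of the original page; it assumes `ipsec.secrets.inc` uses the standard strongSwan `ipsec.secrets` syntax (`identity : EAP "password"`), and its function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes ipsec.secrets.inc uses
# the standard strongSwan ipsec.secrets syntax:  identity : EAP "password"
# Function names are hypothetical.

# has_eap_entry FILE USER -> exit 0 if FILE already holds an EAP line for USER
has_eap_entry() {
    awk -v u="$2" '$1 == u && $2 == ":" && $3 == "EAP" { found = 1 }
                   END { exit !found }' "$1"
}

# make_eap_secret USER -> prints one secrets line with a random password
make_eap_secret() {
    user=$1
    # Refuse identities that would break the secrets syntax (quotes, spaces, colons).
    case $user in
        ''|*[!A-Za-z0-9@._-]*) echo "invalid username: $user" >&2; return 1 ;;
    esac
    # 24 random alphanumerics (about 142 bits), out of reach of a dictionary attack.
    pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
    printf '%s : EAP "%s"\n' "$user" "$pass"
}

# Usage: sh make_secret.sh bob@wormnet.eu [secrets-file]
if [ $# -gt 0 ]; then
    if [ -n "${2:-}" ] && has_eap_entry "$2" "$1"; then
        echo "$1 already has an EAP entry in $2" >&2
        exit 1
    fi
    make_eap_secret "$1"
fi
```

Append the printed line to `/var/lib/strongswan/ipsec.secrets.inc` as root, then reread the secrets as shown above.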

Assuming you are using strongSwan on Android:

  1. open the app
  2. select 'Add VPN Profile'
  3. set the server name to marmot.wormnet.eu
  4. set the VPN Type to 'IKEv2 EAP (Username/Password)' (*not* with certificate)
  5. set your username to `bob@wormnet.eu`
  6. enter your password
  7. (optionally) uncheck 'Select automatically' under CA certificate and set 'Digital Signature Trust Co. (DST Root CA X3)' as the CA
  8. click on save

You should be able to tap the newly created profile and just connect; all your traffic should flow via marmot now.

Troubleshooting

If you are unable to use the Android strongSwan client, or do not have an IKEv2 client, then you probably need to add an IKEv1 mechanism to the configuration. Do ask (Alex) for help if you cannot be bothered to do this yourself.

For debugging, you may find it helpful to run `tail -F /var/log/daemon.log`.

vpn.txt · Last modified: 2017/03/21 08:44 by alex