1
0
mirror of synced 2024-12-02 01:26:03 +03:00
setup-ipsec-vpn/README.md

168 lines
10 KiB
Markdown
Raw Normal View History

2016-06-29 22:35:28 +03:00
# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn)
2016-04-17 10:20:02 +03:00
*Read this in other languages: [English](README.md), [简体中文](README-zh.md).*
2015-08-19 00:14:42 +03:00
2016-07-11 03:15:12 +03:00
Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest.
2015-08-19 00:14:42 +03:00
2016-05-09 09:39:17 +03:00
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://github.com/xelerance/xl2tpd" target="_blank">xl2tpd</a> as the L2TP provider.
2016-01-08 12:17:50 +03:00
2016-05-29 22:38:31 +03:00
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">**&raquo; Related tutorial: IPsec VPN Server Auto Setup with Libreswan**</a>
2016-03-22 18:48:01 +03:00
2016-05-29 22:38:31 +03:00
#### Table of Contents
2016-05-12 07:39:23 +03:00
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Ubuntu & Debian](#ubuntu--debian)
- [CentOS & RHEL](#centos--rhel)
- [Next Steps](#next-steps)
- [Important Notes](#important-notes)
2016-06-29 22:35:28 +03:00
- [Upgrade Libreswan](#upgrade-libreswan)
2016-05-12 07:39:23 +03:00
- [Bugs & Questions](#bugs--questions)
2016-06-25 04:42:57 +03:00
- [Uninstallation](#uninstallation)
2016-05-20 09:22:55 +03:00
- [See Also](#see-also)
2016-05-12 07:39:23 +03:00
- [Author](#author)
- [License](#license)
2016-04-22 05:35:57 +03:00
## Features
2016-01-09 22:21:30 +03:00
2016-07-11 03:15:12 +03:00
- **New:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is supported
2016-06-29 22:35:28 +03:00
- **New:** A pre-built [Docker image](#see-also) of the VPN server is now available
2016-05-26 22:31:38 +03:00
- Fully automated IPsec VPN server setup, no user input needed
2016-02-11 00:16:41 +03:00
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
2016-01-09 22:21:30 +03:00
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and `sysctl.conf` settings
2016-04-06 10:51:37 +03:00
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
2016-01-08 07:33:42 +03:00
## Requirements
2015-08-19 00:14:42 +03:00
2016-02-18 03:30:30 +03:00
A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> instance, using these AMIs: (See <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">instructions</a>)
2016-04-06 10:51:37 +03:00
- <a href="https://cloud-images.ubuntu.com/locator/" target="_blank">Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank">Debian 8 (Jessie) EC2 Images</a>
2016-05-15 22:18:32 +03:00
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
2016-01-08 07:33:42 +03:00
2016-01-09 22:21:30 +03:00
**-OR-**
2016-01-08 07:33:42 +03:00
2016-07-16 17:25:01 +03:00
A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with <a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">this workaround</a>. OpenVZ VPS is not supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>.
2016-07-20 21:47:21 +03:00
This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode.
2016-01-08 07:33:42 +03:00
2016-02-15 04:57:36 +03:00
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**&raquo; I want to run my own VPN but don't have a server for that**</a>
2016-01-09 22:21:30 +03:00
2016-04-16 01:47:52 +03:00
:warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server!
2015-08-19 00:14:42 +03:00
## Installation
2016-04-24 02:47:03 +03:00
### Ubuntu & Debian
2016-01-19 19:34:52 +03:00
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional, but recommended.
2016-06-29 22:35:28 +03:00
To install the VPN, please choose one of the following options:
2016-06-11 23:38:30 +03:00
**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished):
2016-05-14 08:35:33 +03:00
```bash
2016-05-21 21:57:14 +03:00
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
2016-05-14 08:35:33 +03:00
```
2016-06-11 23:38:30 +03:00
**Option 2:** Edit the script and provide your own VPN credentials:
2016-05-14 08:35:33 +03:00
```bash
2016-05-21 21:57:14 +03:00
wget https://git.io/vpnsetup -O vpnsetup.sh
2016-06-22 10:55:27 +03:00
nano -w vpnsetup.sh
2016-06-11 23:38:30 +03:00
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
2016-04-24 02:47:03 +03:00
sudo sh vpnsetup.sh
```
2016-06-29 22:35:28 +03:00
**Option 3:** Define your VPN credentials as environment variables:
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these characters within values: \ " '
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
```
2016-07-16 17:25:01 +03:00
For installation on DigitalOcean, check out this <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">step-by-step guide</a> by Tony Tran.
2016-06-29 22:35:28 +03:00
**Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
2016-04-24 02:47:03 +03:00
### CentOS & RHEL
2016-01-19 19:34:52 +03:00
First, update your system with `yum update` and reboot. This is optional, but recommended.
2016-06-22 10:55:27 +03:00
Follow the same steps as above, but replace `https://git.io/vpnsetup` with `https://git.io/vpnsetup-centos`.
2016-05-14 08:35:33 +03:00
2016-05-12 07:39:23 +03:00
## Next Steps
2016-06-08 23:56:17 +03:00
Get your computer or device to use the VPN. Please refer to:
2016-05-12 07:39:23 +03:00
2016-06-08 23:56:17 +03:00
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
2016-06-29 22:35:28 +03:00
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
2016-05-16 21:56:48 +03:00
2016-05-12 07:39:23 +03:00
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes
2015-08-19 00:14:42 +03:00
2016-07-11 03:15:12 +03:00
For **Windows users**, this <a href="docs/clients.md#regkey" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router). If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
2016-06-08 23:56:17 +03:00
**Android 6 (Marshmallow) users**: Please see notes in <a href="docs/clients.md#android" target="_blank">Configure IPsec/L2TP VPN Clients</a>.
2016-06-08 04:10:57 +03:00
If you wish to add, edit or remove VPN user accounts, refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>.
2016-06-29 22:35:28 +03:00
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
2016-06-26 22:51:21 +03:00
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/networking#firewalls" target="_blank">GCE</a>), open UDP ports 500 & 4500, and TCP port 22 (for SSH).
2016-07-11 03:15:12 +03:00
To open additional ports on the server, edit the IPTables rules in `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
2016-02-06 22:30:30 +03:00
2016-05-09 09:39:17 +03:00
The scripts will backup existing config files before making changes, with `.old-date-time` suffix.
2016-06-29 22:35:28 +03:00
## Upgrade Libreswan
2016-01-16 19:51:47 +03:00
2016-06-29 22:35:28 +03:00
The additional scripts <a href="extras/vpnupgrade.sh" target="_blank">vpnupgrade.sh</a> and <a href="extras/vpnupgrade_centos.sh" target="_blank">vpnupgrade_centos.sh</a> can be used to upgrade Libreswan (<a href="https://libreswan.org" target="_blank">website</a> | <a href="https://lists.libreswan.org/mailman/listinfo/swan-announce" target="_blank">mailing list</a>). Update the `swan_ver` variable as necessary. Check installed version: `ipsec --version`
2016-01-16 19:51:47 +03:00
## Bugs & Questions
2016-06-11 23:38:30 +03:00
- Got a question? Please first search other people's comments <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">in this Gist</a> and <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">on my blog</a>.
2016-05-21 21:57:14 +03:00
- Ask Libreswan (IPsec) related questions <a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">on the mailing list</a>, or read these articles: <a href="https://libreswan.org/wiki/Main_Page" target="_blank">[1]</a> <a href="https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server" target="_blank">[2]</a> <a href="https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup" target="_blank">[3]</a> <a href="https://help.ubuntu.com/community/L2TPServer" target="_blank">[4]</a> <a href="https://libreswan.org/man/ipsec.conf.5.html" target="_blank">[5]</a>.
2016-06-11 23:38:30 +03:00
- If you found a reproducible bug, open a <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue" target="_blank">GitHub Issue</a> to submit a bug report.
2016-01-16 19:51:47 +03:00
2016-06-25 04:42:57 +03:00
## Uninstallation
2016-06-26 22:51:21 +03:00
Please refer to <a href="docs/uninstall.md" target="_blank">Uninstall the VPN</a>.
2016-05-20 09:22:55 +03:00
## See Also
2016-06-26 22:51:21 +03:00
- <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server" target="_blank">IPsec VPN Server on Docker</a>
2016-07-16 17:25:01 +03:00
- <a href="https://github.com/jlund/streisand" target="_blank">Streisand</a>
- <a href="https://github.com/SoftEtherVPN/SoftEtherVPN" target="_blank">SoftEther VPN</a>
- <a href="https://github.com/breakwa11/shadowsocks-rss" target="_blank">ShadowsocksR</a>
- <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN Install</a>
- <a href="https://github.com/ftao/vpn-deploy-playbook" target="_blank">VPN Deploy Playbook</a>
- <a href="https://github.com/sockeye44/instavpn" target="_blank">Insta VPN</a>
- <a href="https://github.com/quericy/one-key-ikev2-vpn" target="_blank">One Key IKEv2 VPN</a>
2016-05-20 09:22:55 +03:00
2016-05-09 09:39:17 +03:00
## Author
2016-06-08 03:46:10 +03:00
**Lin Song** (linsongui@gmail.com)
2016-05-15 22:18:32 +03:00
- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
- Actively seeking opportunities in areas such as Software or Systems Engineering
- Contact me on LinkedIn: <a href="https://www.linkedin.com/in/linsongui" target="_blank">https://www.linkedin.com/in/linsongui</a>
2016-05-09 09:39:17 +03:00
2016-06-26 22:51:21 +03:00
Thanks to <a href="https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors" target="_blank">all contributors</a> to this project!
2016-05-29 22:38:31 +03:00
2016-04-24 02:47:03 +03:00
## License
2015-08-19 00:14:42 +03:00
2016-01-25 19:46:20 +03:00
Copyright (C) 2014-2016&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png" width="160" height="25" border="0" alt="View my profile on LinkedIn"></a>
2016-04-18 07:33:05 +03:00
Based on <a href="https://github.com/sarfata/voodooprivacy" target="_blank">the work of Thomas Sarlandie</a> (Copyright 2012)
2015-08-19 00:14:42 +03:00
2016-01-08 07:33:42 +03:00
This work is licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0/" target="_blank">Creative Commons Attribution-ShareAlike 3.0 Unported License</a>
2015-08-19 00:14:42 +03:00
Attribution required: please include my name in any derivative and let me know how you have improved it!