Set up your own IPsec VPN server in just a few minutes, with IPsec/L2TP, Cisco IPsec and IKEv2 on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest.
An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.
We will use <ahref="https://libreswan.org/"target="_blank">Libreswan</a> as the IPsec server, and <ahref="https://github.com/xelerance/xl2tpd"target="_blank">xl2tpd</a> as the L2TP provider.
-<ahref="https://wiki.centos.org/Cloud/AWS"target="_blank">CentOS 8</a>[\*\*](#centos-8-note)<ahref="https://wiki.centos.org/Cloud/AWS"target="_blank"> or 7</a>
See <ahref="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup"target="_blank">detailed instructions</a> and <ahref="https://aws.amazon.com/ec2/pricing/"target="_blank">EC2 pricing</a>. Alternatively, you may also deploy rapidly using <ahref="aws/README.md"target="_blank">CloudFormation</a>.
A dedicated server or virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try <ahref="https://github.com/Nyr/openvpn-install"target="_blank">OpenVPN</a>.
This also includes Linux VMs in public clouds, such as <ahref="https://blog.ls20.com/digitalocean"target="_blank">DigitalOcean</a>, <ahref="https://blog.ls20.com/vultr"target="_blank">Vultr</a>, <ahref="https://blog.ls20.com/linode"target="_blank">Linode</a>, <ahref="https://cloud.google.com/compute/"target="_blank">Google Compute Engine</a>, <ahref="https://aws.amazon.com/lightsail/"target="_blank">Amazon Lightsail</a>, <ahref="https://azure.microsoft.com"target="_blank">Microsoft Azure</a>, <ahref="https://www.ibm.com/cloud/virtual-servers"target="_blank">IBM Cloud</a>, <ahref="https://www.ovh.com/world/vps/"target="_blank">OVH</a> and <ahref="https://www.rackspace.com"target="_blank">Rackspace</a>.
<ahref="aws/README.md"target="_blank"><imgsrc="docs/images/aws-deploy-button.png"alt="Deploy to AWS"/></a><ahref="azure/README.md"target="_blank"><imgsrc="docs/images/azure-deploy-button.png"alt="Deploy to Azure"/></a><ahref="http://dovpn.carlfriess.com/"target="_blank"><imgsrc="docs/images/do-install-button.png"alt="Install on DigitalOcean"/></a><ahref="https://cloud.linode.com/stackscripts/37239"target="_blank"><imgsrc="docs/images/linode-deploy-button.png"alt="Deploy to Linode"/></a>
<ahref="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps"target="_blank">**» I want to run my own VPN but don't have a server for that**</a>
Advanced users can set up the VPN server on a $35 <ahref="https://www.raspberrypi.org"target="_blank">Raspberry Pi</a>. See <ahref="https://elasticbyte.net/posts/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/"target="_blank">[1]</a><ahref="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/"target="_blank">[2]</a>.
\* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more <ahref="docs/clients.md#debian-10-kernel"target="_blank">here</a>. If using Debian 10 on EC2, you must first switch to the standard Linux kernel before running the VPN setup script.
**Note:** If unable to download via `wget`, you may also open <ahref="vpnsetup.sh"target="_blank">vpnsetup.sh</a>, <ahref="vpnsetup_centos.sh"target="_blank">vpnsetup_centos.sh</a> or <ahref="vpnsetup_amzn.sh"target="_blank">vpnsetup_amzn.sh</a>, and click the **`Raw`** button on the right. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
**Windows users**: A <ahref="docs/clients.md#windows-error-809"target="_blank">one-time registry change</a> is required if the VPN server or client is behind NAT (e.g. home router).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only <ahref="docs/clients-xauth.md"target="_blank">IPsec/XAuth mode</a>, or <ahref="docs/ikev2-howto.md"target="_blank">set up IKEv2</a>.
If you wish to view or update VPN user accounts, see <ahref="docs/manage-users.md"target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
For servers with an external firewall (e.g. <ahref="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html"target="_blank">EC2</a>/<ahref="https://cloud.google.com/vpc/docs/firewalls"target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN. Aliyun users, see <ahref="https://github.com/hwdsl2/setup-ipsec-vpn/issues/433"target="_blank">#433</a>.
Clients are set to use <ahref="https://developers.google.com/speed/public-dns/"target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, [read below](#use-alternative-dns-servers).
Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package and run `service xl2tpd restart`.
The additional scripts in <ahref="extras/"target="_blank">extras/</a> can be used to upgrade <ahref="https://libreswan.org"target="_blank">Libreswan</a> (<ahref="https://github.com/libreswan/libreswan/blob/master/CHANGES"target="_blank">changelog</a> | <ahref="https://lists.libreswan.org/mailman/listinfo/swan-announce"target="_blank">announce</a>). Edit the `SWAN_VER` variable as necessary. The latest supported version is `4.4`. Check which version is installed: `ipsec --version`.
Clients are set to use <ahref="https://developers.google.com/speed/public-dns/"target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, you may replace `8.8.8.8` and `8.8.4.4` in these files: `/etc/ppp/options.xl2tpd`, `/etc/ipsec.conf` and `/etc/ipsec.d/ikev2.conf` (if exists). Then run `service ipsec restart` and `service xl2tpd restart`.
Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script and the <ahref="docs/ikev2-howto.md#using-helper-scripts"target="_blank">IKEv2 helper script</a>. For example, if you want to use [Cloudflare's DNS service](https://1.1.1.1):
For `IPsec/L2TP` and `IPsec/XAuth ("Cisco IPsec")` modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required.
For `IKEv2` mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when <ahref="docs/ikev2-howto.md"target="_blank">setting up IKEv2</a>. The DNS name must be a fully qualified domain name (FQDN). Example:
Alternatively, you may customize IKEv2 setup options by running the <ahref="docs/ikev2-howto.md#using-helper-scripts"target="_blank">helper script</a> without the `--auto` parameter.
When connecting using `IPsec/L2TP` mode, the VPN server has internal IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. Clients are assigned internal IPs from `192.168.42.10` to `192.168.42.250`. To check which IP is assigned to a client, view the connection status on the VPN client.
When connecting using `IPsec/XAuth ("Cisco IPsec")` or `IKEv2` mode, the VPN server \*does not\* have an internal IP within the VPN subnet `192.168.43.0/24`. Clients are assigned internal IPs from `192.168.43.10` to `192.168.43.250`.
You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic.
Client-to-client traffic is allowed by default. If you want to \*disallow\* client-to-client traffic, run the following commands on the VPN server. Add them to `/etc/rc.local` to persist after reboot.
After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server.
Please note, additional configuration is required if the VPN server has multiple network interfaces (e.g. `eth0` and `eth1`), and you want VPN clients to access the local subnet behind the network interface that is NOT for Internet access. In this scenario, you must run the following commands to add IPTables rules. To persist after reboot, you may add these commands to `/etc/rc.local`.
```bash
# Replace eth1 with the name of the network interface
# on the VPN server that you want VPN clients to access
Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can set up an IKEv2-only VPN, i.e. only IKEv2 connections are accepted by the VPN server, while IKEv1 connections (including the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) are dropped.
To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in this README. Then check Libreswan version using `ipsec --version`, and [update Libreswan](#upgrade-libreswan) if needed. After that, edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled.
If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
- Got a question? Please first search other people's comments <ahref="https://gist.github.com/hwdsl2/9030462#comments"target="_blank">in this Gist</a> and <ahref="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread"target="_blank">on my blog</a>.
- Ask VPN related questions on the <ahref="https://lists.libreswan.org/mailman/listinfo/swan"target="_blank">Libreswan</a> or <ahref="https://lists.strongswan.org/mailman/listinfo/users"target="_blank">strongSwan</a> mailing list, or read these wikis: <ahref="https://libreswan.org/wiki/Main_Page"target="_blank">[1]</a><ahref="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks"target="_blank">[2]</a><ahref="https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation"target="_blank">[3]</a><ahref="https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server"target="_blank">[4]</a><ahref="https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup"target="_blank">[5]</a>.
- If you found a reproducible bug, open a <ahref="https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue"target="_blank">GitHub Issue</a> to submit a bug report.
Copyright (C) 2014-2021 <ahref="https://www.linkedin.com/in/linsongui"target="_blank">Lin Song</a><ahref="https://www.linkedin.com/in/linsongui"target="_blank"><imgsrc="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png"width="160"height="25"border="0"alt="View my profile on LinkedIn"></a>
This work is licensed under the <ahref="http://creativecommons.org/licenses/by-sa/3.0/"target="_blank">Creative Commons Attribution-ShareAlike 3.0 Unported License</a>