# IPsec/L2TP VPN Server Auto Setup Scripts
Scripts for automatic configuration of an IPsec/L2TP VPN server on Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7. All you need to do is providing your own values for `IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD`, and let them handle the rest.
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
#### Link to VPN tutorial with detailed usage instructions
## Table of Contents
- [Author](#author)
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [For Ubuntu and Debian](#for-ubuntu-and-debian)
- [For CentOS and RHEL](#for-centos-and-rhel)
- [Next Steps](#next-steps)
- [Important Notes](#important-notes)
- [Upgrading Libreswan](#upgrading-libreswan)
- [Bugs & Questions](#bugs--questions)
- [Copyright and License](#copyright-and-license)
## Author
- Lin Song - Final year Ph.D. candidate seeking opportunities in Software or Systems Engineering.
View my profile on LinkedIn at www.linkedin.com/in/linsongui.
- Based on the work of Thomas Sarlandie (sarfata/voodooprivacy).
## Features
- Fully automated IPsec/L2TP VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and `sysctl.conf` settings
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
## Requirements
A newly created Amazon EC2 instance, using these AMIs: (See instructions)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates HVM
- CentOS 6 (x86_64) with Updates HVM
**-OR-**
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), with the following OS:
(Note: Starting with a freshly installed system is recommended)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie)
- Debian 7 (Wheezy) » Not recommended. Requires this workaround to work.
- CentOS / Red Hat Enterprise Linux (RHEL) 6 or 7
OpenVZ VPS users should instead try Nyr's OpenVPN script.
**» I want to run my own VPN but don't have a server for that**
:warning: **DO NOT run these scripts on your PC or Mac! They should only be used on a server!**
## Installation
### For Ubuntu and Debian:
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional, but recommended.
```bash
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
nano -w vpnsetup.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
/bin/sh vpnsetup.sh
```
### For CentOS and RHEL:
First, update your system with `yum update` and reboot. This is optional, but recommended.
```bash
yum -y install wget nano
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
/bin/sh vpnsetup_centos.sh
```
If unable to download via `wget`, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl+A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
## Next Steps
Get your computer or device to use the VPN. Search the web for instructions, e.g. google.com/search?q=setup+l2tp+client
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes
For **Windows users**, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Also make sure that `CHAP` is enabled under "Allow these protocols" in the "Security" tab of VPN properties.
**Android 6 (Marshmallow) users**: After install, edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to both `ike=` and `phase2alg=`. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Finally, run `service ipsec restart`.
**iPhone/iPad users**: In iOS settings, choose `L2TP` (instead of `IPSec`) as the VPN type. In case you are unable to connect, edit `ipsec.conf` and replace `rightprotoport=17/%any` with `rightprotoport=17/0`. Then restart `ipsec` service.
If you wish to create multiple VPN users with different credentials, just edit a few lines in the scripts.
Clients are configured to use Google Public DNS when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
For Amazon EC2 instances only: In the security group, open **UDP ports 500 & 4500** and **TCP port 22** (optional, for SSH).
If you configured a custom SSH port (not 22) or wish to allow other services, edit IPTables rules before using the scripts.
The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix.
## Upgrading Libreswan
The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to periodically upgrade Libreswan to the latest version. Check the official website and update the `SWAN_VER` variable as necessary.
## Bugs & Questions
- Have a question? Please first search other people's comments in this Gist and on my blog.
- Ask Libreswan (IPsec) related questions on the mailing list, or read these wikis: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
## Copyright and License
Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!