1
0
mirror of synced 2024-11-25 06:16:07 +03:00
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Go to file
2016-02-08 10:46:06 -06:00
LICENSE.md Update copyright year 2016-01-25 10:38:07 -06:00
README.md Update README.md 2016-02-06 13:30:30 -06:00
vpnsetup_centos.sh Minor improvement to ignore IPv6 errors 2016-02-08 10:46:06 -06:00
vpnsetup.sh Minor improvement to ignore IPv6 errors 2016-02-08 10:46:06 -06:00
vpnupgrade_Libreswan_centos.sh Minor improvements and clean up 2016-01-30 13:12:15 -06:00
vpnupgrade_Libreswan.sh Minor improvements and clean up 2016-01-30 13:12:15 -06:00

IPsec/L2TP VPN Server Auto Setup Scripts

Scripts for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04 & 12.04, Debian 8 and CentOS/RHEL 6 & 7. All you need to do is providing your own values for IPSEC_PSK, VPN_USER and VPN_PASSWORD, and they will handle the rest. These scripts can also be directly used as the Amazon EC2 "user-data" when creating a new instance.

We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.

Features

  • Fully automated IPsec/L2TP VPN server setup, no user input needed
  • Encapsulates all VPN traffic in UDP - does not need the ESP protocol
  • Can be directly used as "user-data" for a new Amazon EC2 instance
  • Automatically determines public IP and private IP of server
  • Includes basic IPTables rules and sysctl.conf settings
  • Tested with Ubuntu 14.04 & 12.04, Debian 8 and CentOS/RHEL 6 & 7

Requirements

A newly created Amazon EC2 instance, using these AMIs: (Follow the link above for instructions)

-OR-

A dedicated server or any KVM- or Xen-based Virtual Private Server (VPS), with these Linux OS:
 (Using the VPN scripts on a freshly installed system is recommended)

  • Ubuntu 14.04 (Trusty) or 12.04 (Precise)
  • Debian 8 (Jessie)
  • Debian 7 (Wheezy) - Not recommended. Requires this workaround to work.
  • CentOS / Red Hat Enterprise Linux (RHEL) 6 or 7

OpenVZ VPS users should instead try Nyr's OpenVPN script.

» I want to run my own VPN but don't have a server for that
DO NOT run these scripts on your PC or Mac! They are meant to be run on a dedicated server or VPS!

Installation

For Ubuntu and Debian:

First, update your system with apt-get update && apt-get dist-upgrade and reboot. This is optional, but recommended.

wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
nano -w vpnsetup.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
/bin/sh vpnsetup.sh

For CentOS and RHEL:

First, update your system with yum update and reboot. This is optional, but recommended.

yum -y install wget nano
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
/bin/sh vpnsetup_centos.sh

If unable to download via wget, you may alternatively open the VPN scripts above and click the Raw button on the right. Press Ctrl+A to select all, Ctrl-C to copy, then paste into your favorite editor.

Next Steps

Get your computer to use the VPN. Search the web for instructions, e.g. https://www.google.com/search?q=setup+l2tp+client

Enjoy your very own VPN! 🎉🚀

Important Notes

For Windows users, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).

Android 6 (Marshmallow) users: After install, edit /etc/ipsec.conf and append ,aes256-sha2_256 to both ike= and phase2alg=. Also add a new line sha2-truncbug=yes. Start lines with two spaces. Finally, run service ipsec restart.

iPhone/iPad users: In iOS settings, choose L2TP (instead of IPSec) for the VPN type. In case you're unable to connect, edit ipsec.conf and replace rightprotoport=17/%any with rightprotoport=17/0. Then restart ipsec service.

If you wish to enable multiple VPN users with different credentials, just edit a few lines in the scripts.

Clients are configured to use Google Public DNS when the VPN is active. To change, set ms-dns in options.xl2tpd.

If using Amazon EC2, open these ports in the server's security group: UDP 500 & 4500, and TCP port 22 (optional, for SSH).

If you configured a custom SSH port or wish to allow other services, edit the IPTables rules in the scripts before using.

The scripts will backup your existing config files before making changes, to the same folder with .old-date-time suffix.

Upgrading Libreswan

You may use vpnupgrade_Libreswan.sh (for Ubuntu/Debian) and vpnupgrade_Libreswan_centos.sh (for CentOS/RHEL) to upgrade Libreswan to a newer version. Check and update the SWAN_VER variable on top of the scripts as necessary.

Bugs & Questions

Copyright (C) 2014-2016 Lin Song   View my profile on LinkedIn
Based on the work of Thomas Sarlandie (Copyright 2012)

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!