9.8 KiB
IPsec/L2TP VPN Server Auto Setup Scripts
Read this in other languages: English, 简体中文.
These scripts will let you set up your own IPsec/L2TP VPN server in no more than a minute on Ubuntu, Debian and CentOS. Just provide your own VPN credentials, and the scripts will handle the rest.
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
Link to my VPN tutorial with detailed instructions
Table of Contents
- Features
- Requirements
- Installation
- Next Steps
- Important Notes
- Manage VPN Users
- Upgrading Libreswan
- Bugs & Questions
- See Also
- Author
- License
Features
- 🎉 NEW: The faster
IPsec/XAuth ("Cisco IPsec")
mode is now supported - Fully automated IPsec/L2TP VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and
sysctl.conf
settings - Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
Requirements
A newly created Amazon EC2 instance, using these AMIs: (See instructions)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates
- CentOS 6 (x86_64) with Updates
-OR-
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used after applying this workaround. OpenVZ VPS users should instead try OpenVPN.
» I want to run my own VPN but don't have a server for that
⚠️ DO NOT run these scripts on your PC or Mac! They should only be used on a server!
Installation
Ubuntu & Debian
First, update your system with apt-get update && apt-get dist-upgrade
and reboot. This is optional, but recommended.
Option 1: Have the script generate random VPN credentials for you (will be displayed on the screen):
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
Option 2: Enter your own VPN credentials, or define them as environment variables:
wget https://git.io/vpnsetup -O vpnsetup.sh
nano -w vpnsetup.sh
[Replace with your own values: VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup.sh
CentOS & RHEL
First, update your system with yum update
and reboot. This is optional, but recommended.
Option 1: Have the script generate random VPN credentials for you (will be displayed on the screen):
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh && sudo sh vpnsetup_centos.sh
Option 2: Enter your own VPN credentials, or define them as environment variables:
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Replace with your own values: VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup_centos.sh
If unable to download via wget
, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the Raw
button. Press Ctrl-A
to select all, Ctrl-C
to copy, then paste into your favorite editor.
Next Steps
Get your computer or device to use the VPN. Please see: Configure IPsec/L2TP VPN Clients.
NEW: The faster IPsec/XAuth ("Cisco IPsec")
mode is now supported: Configure IPsec/XAuth VPN Clients.
Enjoy your very own VPN! ✨🎉🚀✨
Important Notes
For Windows users, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Also, if you see Error 628
, go to the "Security" tab of VPN connection properties, enable CHAP
and disable MS-CHAP v2
.
Android 6 (Marshmallow) users: Please see notes in Configure IPsec/L2TP VPN Clients.
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace 8.8.8.8
and 8.8.4.4
in both options.xl2tpd
and ipsec.conf
with your new servers. Then restart ipsec
and xl2tpd
services.
For servers with a custom SSH port (not 22) or other services, edit the IPTables rules before using.
The scripts will backup existing config files before making changes, with .old-date-time
suffix.
Manage VPN Users
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this section.
First, the IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets
. To change to a new PSK, just edit this file.
<VPN Server IP> %any : PSK "<VPN IPsec PSK>"
For IPsec/L2TP
, VPN users are specified in /etc/ppp/chap-secrets
. The format of this file is:
"<VPN User 1>" l2tpd "<VPN Password 1>" *
"<VPN User 2>" l2tpd "<VPN Password 2>" *
... ...
You can add more users, use one line for each user. DO NOT use the characters \
and "
inside username or password.
For IPsec/XAuth ("Cisco IPsec")
, VPN users are specified in /etc/ipsec.d/passwd
. The format of this file is:
<VPN User 1>:<VPN Password 1 (hashed)>:xauth-psk
<VPN User 2>:<VPN Password 2 (hashed)>:xauth-psk
... ...
Passwords in this file are salted and hashed. This step can be done using e.g. the openssl
utility:
# The output will be <VPN Password 1 (hashed)>
openssl passwd -1 "<VPN Password 1>"
When finished, you must restart services with:
service ipsec restart
service xl2tpd restart
Upgrading Libreswan
The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to upgrade Libreswan. Check the official website and update the swan_ver
variable as necessary.
Bugs & Questions
- Got a question? Please first search other people's comments in this GitHub Gist and on my blog.
- Ask Libreswan (IPsec) related questions on the mailing list, or read these articles: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
See Also
Author
Lin Song
- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
- Actively seeking opportunities in areas such as Software or Systems Engineering
- Contact me on LinkedIn: https://www.linkedin.com/in/linsongui
License
Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!