IPsec/L2TP VPN Server Auto Setup Scripts
Read this in other languages: English, 简体中文.
Scripts for automatic configuration of an IPsec/L2TP VPN server on Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7. All you need to do is provide your own values for `IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD`, and let the scripts handle the rest.
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
Link to my VPN tutorial with detailed instructions
Features
- Fully automated IPsec/L2TP VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and `sysctl.conf` settings
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
Requirements
A newly created Amazon EC2 instance, using these AMIs: (See instructions)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates HVM
- CentOS 6 (x86_64) with Updates HVM
-OR-
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), with freshly installed:
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie)
- Debian 7 (Wheezy) » Not recommended. Requires this workaround to work.
- CentOS / Red Hat Enterprise Linux (RHEL) 6 or 7
OpenVZ VPS users should instead try Nyr's OpenVPN script.
» I want to run my own VPN but don't have a server for that
⚠️ DO NOT run these scripts on your PC or Mac! They should only be used on a server!
Installation
Ubuntu & Debian
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional, but recommended.

```bash
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
nano -w vpnsetup.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
sudo sh vpnsetup.sh
```
CentOS & RHEL
First, update your system with `yum update` and reboot. This is optional, but recommended.

```bash
yum -y install wget nano
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values]
sudo sh vpnsetup_centos.sh
```
If unable to download via `wget`, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the `Raw` button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
Usage
Get your computer or device to use the VPN. Please see: Configure IPsec/L2TP VPN Clients.
Enjoy your very own VPN! ✨🎉🚀✨
Important Notes
For Windows users, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). In case you see `Error 628`, go to the "Security" tab of VPN connection properties, enable `CHAP` and disable `MS-CHAP v2`.
Android 6 (Marshmallow) users: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to both `ike=` and `phase2alg=`. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Finally, run `service ipsec restart`.
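As an added example (not part of the project's scripts), a small POSIX shell helper that applies the Android 6 `ipsec.conf` edit above in place, keeps the two-space indentation, backs the file up with a `.old-date-time` suffix first, and is safe to run twice. The function names and the sample `conn` section are constructed for the demo; assumes GNU or BSD `awk` and a file without the suite already present.

```shell
#!/bin/sh
# Hypothetical helper (not part of the project's scripts) that applies the
# Android 6 workaround above to a Libreswan ipsec.conf: append ,aes256-sha2_256
# to the ike= and phase2alg= lines, then add sha2-truncbug=yes after phase2alg=.
# Runs idempotently and backs the file up with a .old-date-time suffix first.
android6_patch_ipsec_conf() {
  conf="$1"
  [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
  cp -p "$conf" "$conf.old-$(date +%Y-%m-%d-%H%M%S)"
  # Check first so a file that already has sha2-truncbug= is left alone.
  if grep -Eq '^[[:space:]]*sha2-truncbug=' "$conf"; then have=1; else have=0; fi
  tmp="$conf.tmp.$$"
  awk -v have="$have" '
    # Only ike= / phase2alg= lines that do not already carry the suite.
    /^[ \t]*(ike|phase2alg)=/ && $0 !~ /aes256-sha2_256/ {
      c = index($0, "#"); comment = ""        # keep a trailing comment intact
      if (c > 0) { comment = " " substr($0, c); $0 = substr($0, 1, c - 1) }
      sub(/[ \t]*$/, "")
      $0 = $0 ",aes256-sha2_256" comment
    }
    { print }
    /^[ \t]*phase2alg=/ && have == 0 {
      match($0, /^[ \t]*/)                   # reuse the two-space indentation
      print substr($0, 1, RLENGTH) "sha2-truncbug=yes"
      have = 1
    }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample: the relevant lines of a conn section, not a real server file.
android6_demo() {
  f="${TMPDIR:-/tmp}/ipsec.conf.demo.$$"
  printf '%s\n' 'config setup' '  virtual_private=%v4:10.0.0.0/8' '' \
    'conn vpnpsk' '  ike=3des-sha1,aes-sha1' '  phase2alg=3des-sha1,aes-sha1' \
    '  pfs=no' > "$f"
  android6_patch_ipsec_conf "$f" && android6_patch_ipsec_conf "$f"  # 2nd run is a no-op
  cat "$f"
  rm -f "$f" "$f".old-*
}
android6_demo
```

After patching, `service ipsec restart` is still needed for Libreswan to pick up the change, as the note above says.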
iPhone/iPad users: In iOS settings, choose `L2TP` (instead of `IPSec`) as the VPN type.
To enable multiple VPN users with different credentials, just edit a few lines in the scripts.
Clients are configured to use Google Public DNS when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
For servers with a custom SSH port (not 22) or other services, edit the IPTables rules before using.
The scripts will back up existing config files before making changes, with a `.old-date-time` suffix.
Upgrading Libreswan
The additional scripts `vpnupgrade_Libreswan.sh` and `vpnupgrade_Libreswan_centos.sh` can be used to periodically upgrade Libreswan to the latest version. Check the official website and update the `SWAN_VER` variable as necessary.
Bugs & Questions
- Got a question? Please first search other people's comments in this GitHub Gist and on my blog.
- Ask Libreswan (IPsec) related questions on the mailing list, or read these wikis: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
Author
Lin Song
- Final year U.S. PhD candidate seeking opportunities in Software or Systems Engineering.
- View my LinkedIn profile and contact me: www.linkedin.com/in/linsongui
License
Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!