docs | ||
extras | ||
.travis.yml | ||
LICENSE.md | ||
README-zh.md | ||
README.md | ||
vpnsetup_centos.sh | ||
vpnsetup.sh |
IPsec VPN Server Auto Setup Scripts
Read this in other languages: English, 简体中文.
These scripts will let you set up your own IPsec VPN server, with IPsec/L2TP and Cisco IPsec on Ubuntu, Debian & CentOS. All you need to do is provide your own VPN credentials, and the scripts will handle the rest.
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
» Related tutorial: IPsec VPN Server Auto Setup with Libreswan
Table of Contents
- Features
- Requirements
- Installation
- Next Steps
- Important Notes
- Manage VPN Users
- Upgrading Libreswan
- Bugs & Questions
- See Also
- Author
- License
Features
- NEW: The faster
IPsec/XAuth ("Cisco IPsec")
mode is now supported - NEW: A pre-built Docker image of the VPN server is now available
- Fully automated IPsec VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and
sysctl.conf
settings - Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
Requirements
A newly created Amazon EC2 instance, using these AMIs: (See instructions)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates
- CentOS 6 (x86_64) with Updates
-OR-
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used after applying this workaround. OpenVZ VPS users should instead try OpenVPN.
» I want to run my own VPN but don't have a server for that
⚠️ DO NOT run these scripts on your PC or Mac! They should only be used on a server!
Installation
Ubuntu & Debian
First, update your system with apt-get update && apt-get dist-upgrade
and reboot. This is optional, but recommended.
Option 1: Have the script generate random VPN credentials for you (will be displayed on the screen):
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
Option 2: Enter your own VPN credentials, or define them as environment variables:
wget https://git.io/vpnsetup -O vpnsetup.sh
nano -w vpnsetup.sh
[Replace with your own values: VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup.sh
CentOS & RHEL
First, update your system with yum update
and reboot. This is optional, but recommended.
Option 1: Have the script generate random VPN credentials for you (will be displayed on the screen):
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh && sudo sh vpnsetup_centos.sh
Option 2: Enter your own VPN credentials, or define them as environment variables:
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Replace with your own values: VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup_centos.sh
If unable to download via wget
, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the Raw
button. Press Ctrl-A
to select all, Ctrl-C
to copy, then paste into your favorite editor.
Next Steps
Get your computer or device to use the VPN. Please see: Configure IPsec/L2TP VPN Clients.
NEW: The faster "Cisco IPsec"
mode is also supported: Configure IPsec/XAuth VPN Clients.
Enjoy your very own VPN! ✨🎉🚀✨
Important Notes
For Windows users, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Also, if you see Error 628
, go to the "Security" tab of VPN connection properties and make sure only "CHAP" is selected.
Android 6 (Marshmallow) users: Please see notes in Configure IPsec/L2TP VPN Clients.
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace 8.8.8.8
and 8.8.4.4
in both options.xl2tpd
and ipsec.conf
with new ones. Then reboot your server.
For servers with a custom SSH port (not 22) or other services, edit IPTables rules in the script before using.
The scripts will backup existing config files before making changes, with .old-date-time
suffix.
Manage VPN Users
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this section.
First, the IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets
. To change to a new PSK, just edit this file.
<VPN Server IP> %any : PSK "<VPN IPsec PSK>"
For IPsec/L2TP
, VPN users are specified in /etc/ppp/chap-secrets
. The format of this file is:
"<VPN User 1>" l2tpd "<VPN Password 1>" *
"<VPN User 2>" l2tpd "<VPN Password 2>" *
... ...
You can add more users, use one line for each user. DO NOT use these characters within values: \ " '
For IPsec/XAuth ("Cisco IPsec")
, VPN users are specified in /etc/ipsec.d/passwd
. The format of this file is:
<VPN User 1>:<VPN Password 1 (hashed)>:xauth-psk
<VPN User 2>:<VPN Password 2 (hashed)>:xauth-psk
... ...
Passwords in this file are salted and hashed. This step can be done using e.g. the openssl
utility:
# The output will be <VPN Password 1 (hashed)>
openssl passwd -1 "<VPN Password 1>"
When finished making changes, reboot your server.
Upgrading Libreswan
The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to upgrade Libreswan. Check the official website and update the swan_ver
variable as necessary.
Bugs & Questions
- Got a question? Please first search other people's comments in this GitHub Gist and on my blog.
- Ask Libreswan (IPsec) related questions on the mailing list, or read these articles: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
See Also
Author
Lin Song (linsongui@gmail.com)
- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
- Actively seeking opportunities in areas such as Software or Systems Engineering
- Contact me on LinkedIn: https://www.linkedin.com/in/linsongui
Thanks to all contributors of this project!
License
Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!