setup-ipsec-vpn/README.md
2016-05-17 11:26:51 -05:00


IPsec/L2TP VPN Server Auto Setup Scripts

Read this in other languages: English, 简体中文.

With these scripts, you can set up your own IPsec/L2TP VPN server in just a few minutes on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials (or auto-generate them). The scripts will handle the rest.

We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.


Features

  • 🎉 NEW: IPsec/XAUTH is now supported in addition to IPsec/L2TP
  • Fully automated IPsec/L2TP VPN server setup, no user input needed
  • Encapsulates all VPN traffic in UDP - does not need ESP protocol
  • Can be directly used as "user-data" for a new Amazon EC2 instance
  • Automatically determines public IP and private IP of server
  • Includes basic IPTables rules and sysctl.conf settings
  • Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7

Requirements

A newly created Amazon EC2 instance, using these AMIs: (See instructions)

-OR-

A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the OSes listed above. In addition, Debian 7 (Wheezy) can also be used after applying this workaround. OpenVZ VPS users should instead try OpenVPN.

» I want to run my own VPN but don't have a server for that

⚠️ DO NOT run these scripts on your PC or Mac! They should only be used on a server!

Installation

Ubuntu & Debian

First, update your system with apt-get update && apt-get dist-upgrade and reboot. This is optional, but recommended.

Option 1: Have the script generate random VPN credentials for you (will be displayed when done):

wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh

Option 2: Alternatively, enter your own VPN credentials in the script:

wget https://git.io/vpnsetup -O vpnsetup.sh
nano -w vpnsetup.sh
[Replace with your own values: IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup.sh

CentOS & RHEL

First, update your system with yum update and reboot. This is optional, but recommended.

Option 1: Have the script generate random VPN credentials for you (will be displayed when done):

wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh && sudo sh vpnsetup_centos.sh

Option 2: Alternatively, enter your own VPN credentials in the script:

wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Replace with your own values: IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup_centos.sh
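An added example, not part of the setup-ipsec-vpn scripts: a small POSIX shell helper that performs the Option 2 step for either script in a repeatable way instead of editing by hand. It assumes the script assigns the three credentials as single-quoted shell variables on their own lines (IPSEC_PSK='...', VPN_USER='...', VPN_PASSWORD='...'); that layout, and the placeholder values in the constructed sample used to exercise it, are assumptions rather than the script's real contents. Values are restricted to a character set that cannot break the single-quoted assignment or the sed replacement, and the helper fails without touching the file if any of the three assignments is missing.

```shell
#!/bin/sh
# Added example, not part of setup-ipsec-vpn. Fills in IPSEC_PSK, VPN_USER and
# VPN_PASSWORD in a downloaded copy of vpnsetup.sh (or vpnsetup_centos.sh)
# without hand-editing. Assumes the script sets each as a single-quoted shell
# variable on its own line, e.g. IPSEC_PSK='...' (an assumption about its layout).

# gen_secret [LEN]: random alphanumeric string, default 20 characters.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# valid_value STR: accept only characters that are safe inside a single-quoted
# shell assignment and a sed replacement (no quotes, spaces, |, & or \).
valid_value() {
  case "$1" in
    ''|*[!A-Za-z0-9_.@-]*) return 1 ;;
  esac
  return 0
}

# get_var SCRIPT NAME: print the single-quoted value currently assigned to NAME.
get_var() {
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# set_vpn_credentials SCRIPT PSK USER PASSWORD: rewrite the three assignments.
# Fails (and changes nothing) if a value is unsafe or an assignment is missing.
set_vpn_credentials() {
  script="$1"; psk="$2"; user="$3"; pass="$4"
  for v in "$psk" "$user" "$pass"; do
    valid_value "$v" || { echo "credential contains unsafe characters" >&2; return 1; }
  done
  for name in IPSEC_PSK VPN_USER VPN_PASSWORD; do
    grep -q "^$name=" "$script" || { echo "$name= not found in $script" >&2; return 1; }
  done
  # Write to a temp file and rename, so a failed sed never leaves a half-edited script.
  sed -e "s|^IPSEC_PSK=.*|IPSEC_PSK='$psk'|" \
      -e "s|^VPN_USER=.*|VPN_USER='$user'|" \
      -e "s|^VPN_PASSWORD=.*|VPN_PASSWORD='$pass'|" \
      "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Usage on a real download (commented out so the file is safe to source):
#   set_vpn_credentials vpnsetup.sh "$(gen_secret 32)" alice "$(gen_secret 24)"
```

After running the helper, `get_var vpnsetup.sh IPSEC_PSK` shows what will actually be used, which is a cheap check before handing the script to `sudo sh`.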

If unable to download via wget, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the Raw button. Press Ctrl-A to select all, Ctrl-C to copy, then paste into your favorite editor.

Next Steps

Get your computer or device to use the VPN. Please see: Configure IPsec/L2TP VPN Clients.

NEW: IPsec/XAUTH is now supported in addition to IPsec/L2TP. See: Configure IPsec/XAUTH VPN Clients.

Enjoy your very own VPN! 🎉🚀

Important Notes

For Windows users, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). In case you see Error 628, go to the "Security" tab of VPN connection properties, enable CHAP and disable MS-CHAP v2.

Android 6 (Marshmallow) users: Edit /etc/ipsec.conf and append ,aes256-sha2_256 to both ike= and phase2alg=. Then add a new line sha2-truncbug=yes. Indent lines with two spaces. Finally, run service ipsec restart.

To create multiple VPN users with different credentials, just edit a few lines in the scripts.

Clients are set to use Google Public DNS when the VPN is active. To change, edit options.xl2tpd and ipsec.conf.

For servers with a custom SSH port (not 22) or other services, edit the IPTables rules before using.

The scripts will back up existing config files before making changes, using an .old-date-time suffix.
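An added example, not code from the project, covering two of the notes above: backing up a config file with an .old-date-time suffix before touching it, and applying the Android 6 (Marshmallow) change to ipsec.conf in a way that is safe to run more than once. The exact timestamp format the scripts use for their backups is an assumption; the ipsec.conf lines used to exercise the functions are constructed, not the project's defaults; and the final `service ipsec restart` is left to the operator.

```shell
#!/bin/sh
# Added example, not part of setup-ipsec-vpn. Backs up a config file with an
# .old-date-time suffix (timestamp format is an assumption) and applies the
# Android 6 change from the README to an ipsec.conf idempotently.
ALG='aes256-sha2_256'   # algorithm string given in the README

# backup_conf FILE: copy FILE to FILE.old-YYYYMMDD-HHMMSS and print the backup name.
backup_conf() {
  bak="$1.old-$(date +%Y%m%d-%H%M%S)"
  cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# get_conf FILE KEY: print the value of the first "  key=value" line.
get_conf() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# add_android6_fix FILE: append ",$ALG" to ike= and phase2alg= unless already
# listed, and add "  sha2-truncbug=yes" after phase2alg= unless already present.
# Run `service ipsec restart` afterwards (not done here).
add_android6_fix() {
  f="$1"
  if ! grep -q "^[[:space:]]*ike=" "$f" || ! grep -q "^[[:space:]]*phase2alg=" "$f"; then
    echo "ike= or phase2alg= not found in $f" >&2
    return 1
  fi
  have_tb=0
  if grep -q "^[[:space:]]*sha2-truncbug=yes" "$f"; then have_tb=1; fi
  awk -v alg="$ALG" -v have_tb="$have_tb" '
    # Append the algorithm to ike=/phase2alg= lines that do not already list it.
    /^[ \t]*(ike|phase2alg)=/ && index($0, alg) == 0 { $0 = $0 "," alg }
    { print }
    # Insert sha2-truncbug=yes once, right after the phase2alg= line (two-space indent).
    /^[ \t]*phase2alg=/ && !have_tb { print "  sha2-truncbug=yes"; have_tb = 1 }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Usage on a live server (commented out so the file is safe to source):
#   backup_conf /etc/ipsec.conf && add_android6_fix /etc/ipsec.conf
```

Because the edit checks for the algorithm string and the sha2-truncbug line before adding them, re-running it after a Libreswan upgrade or a restored backup does not duplicate entries.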

Upgrading Libreswan

The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to periodically upgrade Libreswan to the latest version. Check the official website and update the SWAN_VER variable as necessary.

Bugs & Questions

Author

Lin Song
  • Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
  • Actively seeking opportunities in areas such as Software or Systems Engineering
  • Contact me on LinkedIn: https://www.linkedin.com/in/linsongui

License

Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!