Note: This is my personal snippets, if you need a complete documentation, please go to hwdsl2/setup-ipsec-vpn GitHub repository, it's really well documented! A pre-built Docker image of the VPN server is also available, go and get it.
NOTICE: You should upgrade Libreswan to the latest version due to IKEv1 informational exchange packets not integrity checked (CVE-2019-10155).
- Default Configurations
- Manage VPN Users and PSK
- Next Steps
- Links and Resources
Since PPTP VPN no longer supported by Apple's built-in VPN client on macOS Sierra and iOS 10 due to many well-known security issues, I have to use other VPN communications protocols to access my internal company networks. And here Lin Song and contributors with their bash scripts become an angel. All I need to do is download and execute the bash script on my servers, and let the script configure the rest IPsec VPN server setup.
In short: this script download, compile and configure Libreswan as the IPsec server, and xl2tpd as the L2TP provider. This script also writes changes to
sysctl.conf to improve performance, mask
firewalld (on CentOS), updating
iptables firewall and configure simple
Fail2Ban rules on sshd daemon.
NOTE: This script are mean to be executed on server(s). DO NOT run auto install scripts on your personal PC or Mac!
A dedicated server or Virtual Private Server (VPS) with one of these OSes:
- Ubuntu 16.04 (Xenial) / 18.04 (Bionic)
- Debian 8 (Jessie) /9 (Stretch)
- CentOS 6/7 (x86_64)
- Red Hat Enterprise Linux (RHEL) 6/7
- Open UDP ports 500 and 4500 (if your machine is running behind external firewall)
Note: OpenVZ VPS is not supported.
First (this is not necessary but recommended), make sure system is up to date with
apt-get update && apt-get dist-upgrade for Debian and Ubuntu or
yum update for RHEL and CentOS.
To install the VPN we have 3 options described here: I'd love to use the first option with 1 line command to configure and generate random VPN credentials (will be displayed when finished) because I love to manage VPN users and PSK manually latter. So :
For Debian and Ubuntu:
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
For RHEL and CentOS:
wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh
After installation script done, VPN login details will be randomly generated, and displayed on the screen.
VPN DNS Client is set to use Google Public DNS. You can replace with your server provider DNS if you want by editing
220.127.116.11 in both
/etc/ipsec.conf, then reboot the server.
When connecting via
IPsec/L2TP, the VPN server has IP
192.168.42.1 within the VPN subnet
The same VPN account can be used by multiple devices. However, to avoid connection issues when connecting multiple devices simultaneously from behind the same NAT (e.g. home router), use IPsec/XAuth mode.
To modify the iptables rules after install, edit
/etc/iptables/rules.v4 (Ubuntu/Debian), or
/etc/sysconfig/iptables (CentOS/RHEL). Then reboot your server.
Manage VPN Users and PSK
You can use this helper scripts to make it easier to manage VPN users. But I love to manage my VPN users manually. Content below describe how to manage IPsec/L2TP and IPsec/XAuth manually.
The IPsec PSK (pre-shared key) is stored in
/etc/ipsec.secrets. All VPN users will share the same IPsec PSK. If PSK changed,
xl2tpd service need to be restarted.
IPsec/L2TP, VPN users are stored in
/etc/ppp/chap-secrets. The format of this file is:
"username1" l2tpd "password1" * "username2" l2tpd "password2" * ... ...
You can add more users, use one line for each user. DO NOT use these special characters within values:
\ " '
IPsec/XAuth ("Cisco IPsec"), VPN users are stored in
/etc/ipsec.d/passwd. The format of this file is:
username1:password1hashed:xauth-psk username2:password2hashed:xauth-psk ... ...
Passwords in this file are salted and hashed. You need to use
openssl command to generate IPsec/XAuth user password:
openssl passwd -1 'your_password'
As I mentioned before, you must restart services if changing the PSK. For add/edit/remove VPN users, this is normally not required.
service ipsec restart service xl2tpd restart
Get your computer and devices to use the VPN service:
- Configure IPsec/L2TP VPN Clients
- Configure IPsec/XAuth ("Cisco IPsec") VPN Clients
- Set Up IKEv2 VPN Server and Clients (Advanced)
Links and Resources