Have you been struggling to set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on CentOS, Ubuntu and Debian Linux flavor?. I’ll show you the easiest way to have your VPN server up and running in minutes, all you need to do is provide your own VPN credentials, and let the scripts handle the rest.
An IPsec VPN works to ensure all network traffic is encrypted to prevent any eavesdropping between you and the VPN server. This is a highly recommended setup especially for guys using unsecured networks to access internet e.g at airports, like coffee shops, hotel rooms e.y.c.
This setup is supported on the following operating systems
- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty)
- Debian 9 (Stretch) or 8 (Jessie)
- CentOS 7 (x86_64)
- CentOS 6 (x86_64)
It is advisable to use a freshly installed server with updates.
Update Ubuntu / Debian
sudo apt update sudo apt upgrade sudo apt dist-upgrade sudo reboot
Update CentOS 7 / CentOS 6
sudo yum install epel-release sudo yum -y update sudo reboot
This will ensure all packages on your Server are up to date.
Setup IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian
We’ll use a script that eases the deployment of IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian Linux distributions. This script has been written by Lin Song.
Setup IPsec VPN server on Ubuntu 18.04 / Ubuntu 16.04 / Debian
You should have updated your system packages before running the deployment script. This is a fully automated IPsec VPN server setup, no user input needed.
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
Setup IPsec VPN server on CentOS 7 / CentOS 6
For a CentOS server, run the following command instead
wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh
Your VPN login details will be randomly generated and displayed on the screen when finished. If you would like to define your own VPN credentials, edit
vpnsetup.sh before execution.
sudo vim vpnsetup.sh
Set your values inside single quotes
YOUR_IPSEC_PSK='' YOUR_USERNAME='' YOUR_PASSWORD=''
************************** WARNING *********************************** The ipsec service is currently disabled. To enable this service issue: systemctl enable ipsec.service ********************************************************************** ../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck ## Creating VPN configuration.. ## Updating sysctl settings.. ## Updating IPTables rules... ## Enabling services on boot... ## Starting services... ================================================ IPsec VPN server is now ready for use! Connect to your new VPN with these details: Server IP: 220.127.116.11 IPsec PSK: EvA6M5wDZw4kbgL8 Username: vpnuser Password: TNotmZ7EmGyRa2CY Write these down. You'll need them to connect! Important notes: https://git.io/vpnnotes Setup VPN clients: https://git.io/vpnclients ================================================
ipsec service to start on boot
sudo systemctl enable ipsec
This deployment Includes
sysctl.conf optimizations for improved performance.
# Added by hwdsl2 VPN script kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296 net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.eth0.send_redirects = 0 net.ipv4.conf.eth0.rp_filter = 0 net.core.wmem_max = 12582912 net.core.rmem_max = 12582912 net.ipv4.tcp_rmem = 10240 87380 12582912 net.ipv4.tcp_wmem = 10240 87380 12582912
All VPN traffic is encapsulated in UDP – does not need ESP protocol.
Manage VPN Users
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read IPSec VPN User management.
The IPsec PSK (pre-shared key) is stored in.
/etc/ipsec.secrets All VPN users share the same IPsec PSK. You can set a new one by changing the line:
%any %any : PSK "your_new_ipsec_pre_shared_key"
For IPsec/L2TP, VPN users are specified in
/etc/ppp/chap-secrets. The format of this file is:
"your_vpn_username_1" l2tpd "your_vpn_password_1" * "your_vpn_username_2" l2tpd "your_vpn_password_2" *
IPsec/XAuth ("Cisco IPsec"), VPN users are specified in
/etc/ipsec.d/passwd. The format of this file is:
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk ... ...
Passwords in this file are salted and hashed. This step can be done using e.g. the
# The output will be your_vpn_password_1_hashed openssl passwd -1 'your_vpn_password_1'
Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required.
sudo service ipsec restart || sudo systemctl restart ipsec sudo service xl2tpd restart || sudo systemctl restart xl2tpd
Connecting your Computer to the VPN
The final step is to connect your computer or device to use the VPN. Refer to the following guides for this.
If you get an error when trying to connect, see Troubleshooting.
You have installed your very own IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian. Enjoy using it.