Have you been struggling to set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on CentOS, Ubuntu and Debian Linux flavor?. I’ll show you the easiest way to have your VPN server up and running in minutes, all you need to do is provide your own VPN credentials, and let the scripts handle the rest.
An IPsec VPN works to ensure all network traffic is encrypted to prevent any eavesdropping between you and the VPN server. This is a highly recommended setup especially for guys using unsecured networks to access internet e.g at airports, like coffee shops, hotel rooms e.y.c.
Setup Environment
This setup is supported on the following operating systems
- Ubuntu 20.04, 18.04 (Bionic), 16.04 (Xenial)
- Debian 11 / Debian 10 / Debian 9 (Stretch)
- CentOS 8 / CentOS 7
- Rocky Linux 8 / AlmaLinux 8
- Red Hat Enterprise Linux (RHEL) 8 or 7
- Amazon Linux 2
It is advisable to use a freshly installed server with updates.
Update Ubuntu / Debian
sudo apt update && sudo apt upgrade -y
[ -f /var/run/reboot-required ] && sudo reboot -fUpdate CentOS / Rocky Linux
sudo yum install epel-release && sudo yum -y update
sudo rebootThis will ensure all packages on your Server are up to date.
Setup IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian
We’ll use a script that eases the deployment of IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian Linux distributions. This script has been written by Lin Song.
Setup IPsec VPN server on Ubuntu / Debian
You should have updated your system packages before running the deployment script. This is a fully automated IPsec VPN server setup, no user input needed.
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
Setup IPsec VPN server on CentOS 8/7 / Rocky Linux 8
For a CentOS server, run the following command instead to download and install with default parameter values.
wget https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/vpnsetup_centos.sh -O vpnsetup.sh
sudo sh vpnsetup.shYour VPN login details will be randomly generated and displayed on the screen when finished.
Install with customized the settings
If you would like to define your own VPN credentials, edit vpnsetup.sh before execution.
vim vpnsetup.shSet your values inside single quotes
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''
The run vpnsetup.sh
sudo vpnsetup.shSample output:
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
## Creating VPN configuration..
## Updating sysctl settings..
## Updating IPTables rules...
## Enabling services on boot...
## Starting services...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 159.88.127.33
IPsec PSK: EvA6M5wDZw4kbgL8
Username: vpnuser
Password: TNotmZ7EmGyRa2CY
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================
Enable ipsec service to start on boot
sudo systemctl enable ipsecThis deployment Includes sysctl.conf optimizations for improved performance.
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
All VPN traffic is encapsulated in UDP – does not need ESP protocol.
How To Manage VPN Users
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read IPSec VPN User management.
The IPsec PSK (pre-shared key) is stored in./etc/ipsec.secrets All VPN users share the same IPsec PSK. You can set a new one by changing the line:
%any %any : PSK "your_new_ipsec_pre_shared_key"For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:
"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
... ...Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:
# The output will be your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required.
sudo service ipsec restart || sudo systemctl restart ipsec
sudo service xl2tpd restart || sudo systemctl restart xl2tpdConnecting your Computer to the VPN
The final step is to connect your computer or device to use the VPN. Refer to the following guides for this.
- Configure IPsec/L2TP VPN Clients
- Configure IPsec/XAuth (“Cisco IPsec”) VPN Clients
- How-To: IKEv2 VPN for Windows 7 and above
If you get an error when trying to connect, see Troubleshooting.
You have installed your very own IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian. Enjoy using it.
