L2TPServer
This configuration has been successfully tested with Android, Windows, and iOS devices.
Instructions
sudo apt-get install xl2tpd openswan ppp
IPSec / Openswan
In the /etc/ipsec.conf file copy:
config setup
        nat_traversal=yes
        # virtual_private contains the networks that are allowed as subnet= for the remote client.
        # In other words, the address ranges that may live behind a NAT router through which a client connects.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace IP address with your local IP (private, behind NAT IP is okay as well)
        left=x.x.x.x
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        # force all to be nat'ed. because of iOS
        forceencaps=yes
Make sure you keep the layout of the ipsec.conf file: the «config setup» and «conn» lines must start at the very left margin, while every other line is indented 8 spaces to the right.
In the «/etc/ipsec.secrets» file copy:
x.x.x.x %any: PSK "somegoodpassword"
Replace x.x.x.x with your Server’s IP
Start the IPSEC service with
Please verify the IPsec service with ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                          [OK]
NETKEY detected, testing for disabled ICMP send_redirects     [OK]
NETKEY detected, testing for disabled ICMP accept_redirects   [OK]
Checking that pluto is running                                [OK]
Pluto listening for IKE on udp 500                            [OK]
Pluto listening for NAT-T on udp 4500                         [OK]
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Opportunistic Encryption Support                              [DISABLED]
Create a file called «ipsec.vpn» in «/etc/init.d/» with the following content:
#!/bin/sh
# /etc/init.d/ipsec.vpn - NAT, forwarding and ICMP-redirect settings for the VPN,
# then start/stop the ipsec and xl2tpd daemons.
# Adjust 10.152.2.0/24 (the client IP pool) and eth0 (the interface facing the internet) to match your setup.

case "$1" in
    start)
        echo "Starting my Ipsec VPN"
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # disable ICMP redirects on every interface (ipsec verify checks for this)
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec start
        /etc/init.d/xl2tpd start
        ;;
    stop)
        echo "Stopping my Ipsec VPN"
        iptables --table nat --flush
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /etc/init.d/ipsec stop
        /etc/init.d/xl2tpd stop
        ;;
    restart)
        echo "Restarting my Ipsec VPN"
        # flush first so the MASQUERADE rule is not appended a second time on every restart
        iptables --table nat --flush
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec restart
        /etc/init.d/xl2tpd restart
        ;;
    *)
        echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
        exit 1
        ;;
esac
This script configures the firewall NAT rule and IP forwarding. If you use a local IP pool other than 10.152.2.0/24, be sure to update it.
Then set the permission to execute:
Disable the ipsec default init script with
And enable the custom one.
#update-rc.d ipsec.vpn defaults
L2TP
In the file /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- ip range = range of IPs to hand out to the connecting clients
- local ip = IP of the VPN server. The value must be outside of «ip range».
- refuse pap = refuse PAP authentication
- ppp debug = yes when testing, no in production
Choose a good challenge-response authentication string. The secret should ideally be 16 characters long, and preferably longer, to ensure sufficient security; there is no minimum length requirement. Put it in the file /etc/xl2tpd/l2tp-secrets:
* * exampleforchallengestring
In the file /etc/ppp/options.xl2tpd copy:
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ms-dns option
Here you set the DNS server(s) for your LAN; they are pushed to the road warrior when he connects. To add several servers, add one ms-dns line per server.
If you need to push WINS settings to the clients, there is a separate option for that.
mtu / mru
The openswan.org documentation advises reducing the MTU/MRU. Because L2TP/IPsec encapsulates packets several times, the added overhead means a smaller MTU/MRU is needed for all packets to pass over links with a reduced MTU.
proxyarp
Adds an entry to this system’s ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
name l2tpd
This name is used as the server field in the PPP authentication file.
Adding Users
In the file /etc/ppp/chap-secrets copy:
user1 l2tpd chooseagoodpassword *
user2 * chooseagoodpassword *
- client = username for the user
- server = the name we defined with «name» in the ppp options file for xl2tpd
- secret = password for the user
- IP address = leave as * for any address, or list the addresses from which a user may log in.
Note: you can add as many users as you like.
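The constraints stated in the xl2tpd, l2tp-secrets and chap-secrets sections above (local ip outside the client pool, a secret of reasonable length, ppp debug switched off for production, chap-secrets readable only by root, server fields matching name l2tpd) can be checked mechanically before the server goes live. The POSIX sh script below is an added example and is not part of the wiki page; it writes constructed sample copies of those files into a temporary directory and runs the checks against them, so it runs offline. On a live server, point the check functions at the real paths under /etc instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity checks for the xl2tpd / PPP
# settings described above. Sample files below are constructed for illustration.

# get_conf_value FILE KEY -> value after "KEY = " (first match, trailing blanks stripped)
get_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n1
}

# ip2int A.B.C.D -> integer, so addresses can be compared as a range
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# "local ip" must not fall inside "ip range" (xl2tpd.conf)
check_local_ip_outside_range() {
    range=$(get_conf_value "$1" "ip range")
    lo=$(ip2int "${range%-*}")
    hi=$(ip2int "${range#*-}")
    me=$(ip2int "$(get_conf_value "$1" "local ip")")
    [ "$me" -lt "$lo" ] || [ "$me" -gt "$hi" ]
}

# the "* * secret" line in l2tp-secrets must carry a secret of at least MIN characters
check_l2tp_secret_length() {
    secret=$(awk '$1 == "*" && $2 == "*" { print $3; exit }' "$1")
    [ "${#secret}" -ge "$2" ]
}

# "ppp debug = no" for production (xl2tpd.conf)
check_ppp_debug_off() {
    [ "$(get_conf_value "$1" "ppp debug")" = "no" ]
}

# chap-secrets holds plaintext passwords: group and other must have no permissions
check_chap_secrets_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# every chap-secrets entry must use the "name" from options.xl2tpd as server, or "*"
check_chap_server_names() {
    srv=$(sed -n 's/^name[[:space:]]*//p' "$2" | head -n1)
    awk -v s="$srv" '$0 !~ /^[[:space:]]*(#|$)/ && $2 != s && $2 != "*" { bad = 1 } END { exit bad }' "$1"
}

# write constructed sample copies of the files into a temp dir and print its path
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/xl2tpd.conf" <<'EOF'
[global]
ipsec saref = no
[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
    printf '* * exampleforchallengestring\n' > "$dir/l2tp-secrets"
    printf 'name l2tpd\nmtu 1200\nmru 1200\n' > "$dir/options.xl2tpd"
    printf 'user1 l2tpd chooseagoodpassword *\nuser2 * chooseagoodpassword *\n' > "$dir/chap-secrets"
    chmod 600 "$dir/chap-secrets"
    echo "$dir"
}

# report CHECK ARGS...: print PASS/FAIL and count failures in $fails
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fails=$((fails + 1)); fi
}

# run_checks DIR: run every check against the files in DIR; exit status = number of failures
run_checks() {
    fails=0
    report check_local_ip_outside_range "$1/xl2tpd.conf"
    report check_l2tp_secret_length "$1/l2tp-secrets" 16
    report check_ppp_debug_off "$1/xl2tpd.conf"
    report check_chap_secrets_private "$1/chap-secrets"
    report check_chap_server_names "$1/chap-secrets" "$1/options.xl2tpd"
    return "$fails"
}

sample=$(make_sample_configs)
run_checks "$sample" && echo "all checks passed" || echo "some checks failed; fix them before going to production"
rm -rf "$sample"
```

With the sample files exactly as the wiki shows them, every check passes except ppp debug, which the page itself says should be turned off in production; the script's exit status is the number of failing checks, so it can be wired into a deployment pipeline.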
Forward
Load the new settings made in /etc/sysctl.conf
Starting the VPN
sudo /etc/init.d/ipsec.vpn restart
sudo /etc/init.d/xl2tpd restart
Connecting the VPN to iOS device
- Go to Settings > General > Network > VPN > Add VPN Configuration > L2TP
- VPN Description > the name you like
- Set VPN server > external ip address of the VPN server (x.x.x.x)
- Account > PPP username
- Set password > somegoodpassword
- Set L2TP Secret > was exampleforchallengestring
- Connect using the PPP username/password (user1 chooseagoodpassword)
Connecting the VPN to an Android device
- Go to Settings > Wireless & networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN >
- VPN Name / Description > the name you like
- Set VPN server > external ip address of the VPN server (x.x.x.x)
- Set IPSec pre-shared key / password > somegoodpassword
- Enable L2TP secret > enable
- Set L2TP Secret > was exampleforchallengestring
- Press back, then connect using the PPP username/password (user1 chooseagoodpassword)
Debug
In case of problems, these are a few commands that can help with debugging.
sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
You can also monitor the results on the Server with
sudo tcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh
aaa.bbb.ccc.ddd is the public IP address of your client.
L2TPServer (last edited by user c-50-136-58-193 2015-11-01 00:21:27)
How to Create Your Own IPsec VPN Server in Linux
There are so many benefits of using a VPN (Virtual Private Network), some of which include keeping you safe on the internet by encrypting your traffic and helping you to access blocked content/sites/web applications from anywhere. Not to mention, VPN also helps you to browse the internet anonymously.
In this article, you will learn how to quickly and automatically set up your own IPsec/L2TP VPN server in CentOS/RHEL, Ubuntu, and Debian Linux distributions.
Prerequisites:
- A fresh CentOS/RHEL or Ubuntu/Debian VPS (Virtual Private Server) from any provider such as Linode.
Setting Up IPsec/L2TP VPN Server in Linux
To set up the VPN server, we will use a wonderful collection of shell scripts created by Lin Song, that installs Libreswan as the IPsec server, and xl2tpd as the L2TP provider. The offering also includes scripts to add or delete VPN users, upgrade the VPN installation and much more.
First, log into your VPS via SSH, then run the appropriate commands for your distribution to set up the VPN server. By default, the script will generate random VPN credentials (pre-shared key, VPN username, and password) for you and display them at the end of the installation.
However, if you want to use your own credentials, first you need to generate a strong password and PSK as shown.
# openssl rand -base64 10
# openssl rand -base64 16
Next, pass the generated values to the installer through the environment variables listed below, as shown in the following command. All values MUST be placed inside ‘single quotes‘ as shown.
- VPN_IPSEC_PSK – Your IPsec pre-shared key.
- VPN_USER – Your VPN username.
- VPN_PASSWORD – Your VPN password.
---------------- On CentOS/RHEL ----------------
# wget https://git.io/vpnsetup-centos -O vpnsetup.sh && VPN_IPSEC_PSK='KvLjedUkNzo5gBH72SqkOA==' VPN_USER='tecmint' VPN_PASSWORD='8DbDiPpGbcr4wQ==' sh vpnsetup.sh

---------------- On Debian and Ubuntu ----------------
# wget https://git.io/vpnsetup -O vpnsetup.sh && VPN_IPSEC_PSK='KvLjedUkNzo5gBH72SqkOA==' VPN_USER='tecmint' VPN_PASSWORD='8DbDiPpGbcr4wQ==' sudo sh vpnsetup.sh
The main packages that will be installed are bind-utils, net-tools, bison, flex, gcc, libcap-ng-devel, libcurl-devel, libselinux-devel, nspr-devel, nss-devel, pam-devel, xl2tpd, iptables-services, systemd-devel, fipscheck-devel, libevent-devel, and fail2ban (to protect SSH), together with their respective dependencies. The script then downloads, compiles and installs Libreswan from source, and enables and starts the necessary services.
Once the installation is complete, the VPN details will be displayed as shown in the following screenshot.
Next, you need to set up a VPN client. For desktops or laptops with a graphical user interface, refer to this guide: How To Setup an L2TP/Ipsec VPN Client on Linux.
To add the VPN connection in a mobile device such as an Android phone, go to Settings –> Network & Internet (or Wireless & Networks –> More) –> Advanced –> VPN. Select the option to add a new VPN. The VPN type should be set to IPSec Xauth PSK, then use the VPN gateway and credentials above.
How to Add or Remove a VPN User in Linux
To create a new VPN user or update an existing VPN user with a new password, download and use the add_vpn_user.sh script using the following wget command.
$ wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh
$ sudo sh add_vpn_user.sh 'username_to_add' 'user_password'
To delete a VPN user, download and use the del_vpn_user.sh script.
$ wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh
$ sudo sh del_vpn_user.sh 'username_to_delete'
How to Upgrade Libreswan Installation in Linux
You can upgrade the Libreswan installation using the vpnupgrade.sh or vpnupgrade_centos.sh script. Make sure to edit the SWAN_VER variable to the version you want to install, within the script.
---------------- On CentOS/RHEL ----------------
# wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh && sh vpnupgrade.sh

---------------- On Debian and Ubuntu ----------------
# wget https://git.io/vpnupgrade -O vpnupgrade.sh && sudo sh vpnupgrade.sh
How to Uninstall the VPN Server in Linux
To uninstall the VPN installation, do the following.
On RHEL/CentOS
Then open the /etc/sysconfig/iptables configuration file and remove the unneeded rules. Next, edit /etc/sysctl.conf and /etc/rc.local and, in both files, remove the lines after the comment # Added by hwdsl2 VPN script.
On Debian/Ubuntu
Next, edit /etc/iptables.rules configuration file and remove any unneeded rules. Additionally, edit /etc/iptables/rules.v4 if it exists.
Then edit the /etc/sysctl.conf and /etc/rc.local files and, in both files, remove the lines after the comment # Added by hwdsl2 VPN script. Do not remove exit 0 if it exists.
Optionally, you can remove certain files and directories that were created during the VPN setup.
# rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
# rm -rf /etc/ipsec.d /etc/xl2tpd
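Removing the lines appended after the marker comment in /etc/sysctl.conf and /etc/rc.local, while keeping a trailing exit 0 in rc.local, is easy to get wrong when editing by hand. The script below is an added example and is not part of this article or of the hwdsl2 project; the sample file contents are constructed for illustration, and the function operates on whatever path it is given, so run it on copies before touching the real files.

```shell
#!/bin/sh
# Added example (not from the article or the hwdsl2 project): drop the marker
# comment and everything after it, but keep an "exit 0" line so rc.local still
# terminates cleanly. Sample file contents are constructed, not taken from the installer.

MARKER='# Added by hwdsl2 VPN script'

# strip_after_marker FILE: rewrite FILE in place; returns 1 if FILE does not exist
strip_after_marker() {
    f=$1
    [ -f "$f" ] || return 1
    tmp=$(mktemp)
    awk -v m="$MARKER" '
        index($0, m) == 1 { cut = 1; next }                       # marker line itself is dropped
        cut && $0 ~ /^[[:space:]]*exit 0[[:space:]]*$/ { print; next }  # keep a trailing exit 0
        cut { next }                                              # everything else after the marker goes
        { print }                                                 # lines before the marker are untouched
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# line_count FILE -> number of lines, for checking the result
line_count() {
    wc -l < "$1" | tr -d ' '
}

# write constructed sample copies of the two files into a temp dir and print its path
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 0
# Added by hwdsl2 VPN script
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
EOF
    cat > "$dir/rc.local" <<'EOF'
#!/bin/sh -e
# Added by hwdsl2 VPN script
iptables-restore < /etc/iptables.rules
exit 0
EOF
    echo "$dir"
}

sample=$(make_samples)
strip_after_marker "$sample/sysctl.conf"
strip_after_marker "$sample/rc.local"
echo "--- sysctl.conf after cleanup ---"; cat "$sample/sysctl.conf"
echo "--- rc.local after cleanup ---";    cat "$sample/rc.local"
rm -rf "$sample"
```

The awk program only treats a line as the marker when it begins with the exact comment text, so an unrelated line that merely mentions the script is left alone, and the original file is replaced atomically from a temporary copy once awk has succeeded.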
To set up a site-to-site IPSec-based VPN with Strongswan, check out our guides:
At this point, your own VPN server is up and running. You can share any queries or give us feedback using the comment form below.