Need help with setup-ipsec-vpn?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

hwdsl2
15.7K Stars 4.3K Forks Other 752 Commits 0 Opened issues

Description

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Services available

!
?

Need anything else?

Contributors list

# 150
Shell
Docker
ipsec
encrypt...
714 commits
# 11,722
vpn-cli...
Shell
l2tp
8 commits
# 13,492
Shell
vpn-cli...
l2tp
Kuberne...
6 commits
# 13,468
google-...
google-...
Google
Go
5 commits
# 19,777
HTML
CSS
Shell
ikev2
3 commits
# 45,512
Shell
ikev2
l2tp
1 commit
# 42,181
Dart
Shell
jvm-lan...
flash
1 commit
# 40,628
Shell
l2tp
.NET
cpluspl...
1 commit
# 45,053
Scala
Shell
playfra...
MongoDB
1 commit
# 1,462
CSS
Shell
PHP
dns-ser...
1 commit

IPsec VPN Server Auto Setup Scripts

Build Status GitHub Stars Docker Stars Docker Pulls

Set up your own IPsec VPN server in just a few minutes, with IPsec/L2TP, Cisco IPsec and IKEv2 on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest.

An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.

We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.

» See also: IPsec VPN Server on Docker

Read this in other languages: English, 简体中文.

Table of Contents

Quick start

First, prepare your Linux server* with a fresh install of one of the following OS.

Use this one-liner to set up an IPsec VPN server:

Ubuntu & Debian
wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh && sudo /opt/src/ikev2.sh --auto
CentOS & RHEL
wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh && sudo /opt/src/ikev2.sh --auto
Amazon Linux 2
wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh && sudo /opt/src/ikev2.sh --auto

Your VPN login details will be randomly generated, and displayed on the screen when finished.

For other installation options and how to set up VPN clients, read the sections below.

* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported.

Features

  • New: The faster
    IPsec/XAuth ("Cisco IPsec")
    and
    IKEv2
    modes are supported
  • New: A pre-built Docker image of the VPN server is now available
  • Fully automated IPsec VPN server setup, no user input needed
  • Encapsulates all VPN traffic in UDP - does not need ESP protocol
  • Can be directly used as "user-data" for a new Amazon EC2 instance
  • Includes
    sysctl.conf
    optimizations for improved performance
  • Tested with Ubuntu, Debian, CentOS/RHEL and Amazon Linux 2

Requirements

A newly created Amazon EC2 instance, from one of these images: - Ubuntu 20.04 (Focal) or 18.04 (Bionic) - Debian 10 (Buster)* or 9 (Stretch) - CentOS 8** or 7 - Red Hat Enterprise Linux (RHEL) 8 or 7 - Amazon Linux 2

See detailed instructions and EC2 pricing. Alternatively, you may also deploy rapidly using CloudFormation.

-OR-

A dedicated server or virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try OpenVPN.

This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace.

Deploy to AWS Deploy to Azure Install on DigitalOcean Deploy to Linode

» I want to run my own VPN but don't have a server for that

Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2].

* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. If using Debian 10 on EC2, you must first switch to the standard Linux kernel before running the VPN setup script.
** Support for CentOS Linux 8 will end on December 31, 2021. Read more here.

:warning: DO NOT run these scripts on your PC or Mac! They should only be used on a server!

Installation

First, update your system with

apt-get update && apt-get dist-upgrade
(Ubuntu/Debian) or
yum update
and reboot. This is optional, but recommended.

To install the VPN, please choose one of the following options:

Option 1: Have the script generate random VPN credentials for you (will be displayed when finished):

Ubuntu & Debian
wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh
CentOS & RHEL
yum -y install wget
wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh
Amazon Linux 2
wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh

After successful installation, it is recommended to set up IKEv2:

sudo bash /opt/src/ikev2.sh --auto

Option 2: Edit the script and provide your own VPN credentials:

Ubuntu & Debian
wget https://git.io/vpnsetup -O vpn.sh
nano -w vpn.sh
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpn.sh
CentOS & RHEL
yum -y install wget nano
wget https://git.io/vpnsetup-centos -O vpn.sh
nano -w vpn.sh
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpn.sh
Amazon Linux 2
wget https://git.io/vpnsetup-amzn -O vpn.sh
nano -w vpn.sh
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpn.sh

Note: A secure IPsec PSK should consist of at least 20 random characters.

After successful installation, it is recommended to set up IKEv2:

sudo bash /opt/src/ikev2.sh --auto

Option 3: Define your VPN credentials as environment variables:

Ubuntu & Debian
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup -O vpn.sh
sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpn.sh
CentOS & RHEL
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
yum -y install wget
wget https://git.io/vpnsetup-centos -O vpn.sh
sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpn.sh
Amazon Linux 2
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup-amzn -O vpn.sh
sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpn.sh

After successful installation, it is recommended to set up IKEv2:

sudo bash /opt/src/ikev2.sh --auto

Note: If unable to download via

wget
, you may also open vpnsetup.sh, vpnsetupcentos.sh or <a href="vpnsetupamzn.sh" target="blank">vpnsetupamzn.sh, and click the
Raw
button on the right. Press
Ctrl-A
to select all,
Ctrl-C
to copy, then paste into your favorite editor.

Next steps

Get your computer or device to use the VPN. Please refer to:

Configure IPsec/L2TP VPN Clients

Configure IPsec/XAuth ("Cisco IPsec") VPN Clients

Guide: How to Set Up and Use IKEv2 VPN

If you get an error when trying to connect, see Troubleshooting.

Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:

Important notes

Read this in other languages: English, 简体中文.

Windows users: A one-time registry change is required if the VPN server or client is behind NAT (e.g. home router).

Android users: If you encounter connection issues, try these steps.

The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode, or set up IKEv2.

If you wish to view or update VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience.

For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see #433.

Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, read below.

Using kernel support could improve IPsec/L2TP performance. It is available on all supported OS. Ubuntu users should install the

linux-modules-extra-$(uname -r)
(or
linux-image-extra
) package and run
service xl2tpd restart
.

The scripts will backup existing config files before making changes, with

.old-date-time
suffix.

Upgrade Libreswan

The additional scripts in extras/ can be used to upgrade Libreswan (changelog | announce). Edit the

SWAN_VER
variable as necessary. The latest supported version is
4.4
. Check which version is installed:
ipsec --version
.
Ubuntu & Debian
wget https://git.io/vpnupgrade -O vpnup.sh &amp;&amp; sudo sh vpnup.sh
CentOS & RHEL
wget https://git.io/vpnupgrade-centos -O vpnup.sh &amp;&amp; sudo sh vpnup.sh
Amazon Linux 2
wget https://git.io/vpnupgrade-amzn -O vpnup.sh &amp;&amp; sudo sh vpnup.sh

Advanced usage

Read this in other languages: English, 简体中文.

Use alternative DNS servers

Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, you may replace

8.8.8.8
and
8.8.4.4
in these files:
/etc/ppp/options.xl2tpd
,
/etc/ipsec.conf
and
/etc/ipsec.d/ikev2.conf
(if exists). Then run
service ipsec restart
and
service xl2tpd restart
.

Advanced users can define

VPN_DNS_SRV1
and optionally
VPN_DNS_SRV2
when running the VPN setup script and the IKEv2 helper script. For example, if you want to use Cloudflare's DNS service:
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash /opt/src/ikev2.sh --auto

DNS name and server IP changes

For

IPsec/L2TP
and
IPsec/XAuth ("Cisco IPsec")
modes, you may use a DNS name (e.g.
vpn.example.com
) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required.

For

IKEv2
mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when setting up IKEv2. The DNS name must be a fully qualified domain name (FQDN). Example:
sudo VPN_DNS_NAME='vpn.example.com' bash /opt/src/ikev2.sh --auto

Alternatively, you may customize IKEv2 setup options by running the helper script without the

--auto
parameter.

Internal VPN IPs and traffic

When connecting using

IPsec/L2TP
mode, the VPN server has internal IP
192.168.42.1
within the VPN subnet
192.168.42.0/24
. Clients are assigned internal IPs from
192.168.42.10
to
192.168.42.250
. To check which IP is assigned to a client, view the connection status on the VPN client.

When connecting using

IPsec/XAuth ("Cisco IPsec")
or
IKEv2
mode, the VPN server does NOT have an internal IP within the VPN subnet
192.168.43.0/24
. Clients are assigned internal IPs from
192.168.43.10
to
192.168.43.250
.

You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic.

For IPsec/L2TP mode ONLY: You may optionally assign static IPs to VPN clients. Click here for details.

Advanced users can optionally assign static internal IPs to VPN clients. This applies to IPsec/L2TP mode ONLY, and is NOT supported for the IKEv2 and IPsec/XAuth ("Cisco IPsec") modes. See example steps below, commands must be run as root.

  1. First, create a new VPN user for each VPN client that you want to assign a static IP to. Refer to Manage VPN Users. Helper scripts are included for convenience.

  2. Edit /etc/xl2tpd/xl2tpd.conf on the VPN server. Replace ip range = 192.168.42.10-192.168.42.250 with e.g. ip range = 192.168.42.100-192.168.42.250. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs.

  3. Edit /etc/ppp/chap-secrets on the VPN server. For example, if the file contains:

    "username1"  l2tpd  "password1"  *
    "username2"  l2tpd  "password2"  *
    "username3"  l2tpd  "password3"  *

    Let's assume that you want to assign static IP 192.168.42.2 to VPN user username2, assign static IP 192.168.42.3 to VPN user username3, while keeping username1 unchanged (auto-assign from the pool). After editing, the file should look like:

    "username1"  l2tpd  "password1"  *
    "username2"  l2tpd  "password2"  192.168.42.2
    "username3"  l2tpd  "password3"  192.168.42.3

    Note: The assigned static IP(s) must be from the subnet 192.168.42.0/24, and must NOT be from the pool of auto-assigned IPs (see ip range above). In addition, 192.168.42.1 is reserved for the VPN server itself. In the example above, you can only assign static IP(s) from the range 192.168.42.2-192.168.42.99.

  4. (Important) Restart the xl2tpd service:

    service xl2tpd restart

Client-to-client traffic is allowed by default. If you want to disallow client-to-client traffic, run the following commands on the VPN server. Add them to

/etc/rc.local
to persist after reboot.
iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP

Access VPN server's subnet

After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is

192.168.0.0/24
, and an Nginx server is running on IP
192.168.0.2
, VPN clients can use IP
192.168.0.2
to access the Nginx server.

Please note, additional configuration is required if the VPN server has multiple network interfaces (e.g.

eth0
and
eth1
), and you want VPN clients to access the local subnet behind the network interface that is NOT for Internet access. In this scenario, you must run the following commands to add IPTables rules. To persist after reboot, you may add these commands to
/etc/rc.local
.
# Replace eth1 with the name of the network interface
# on the VPN server that you want VPN clients to access
netif=eth1
iptables -I FORWARD 2 -i "$netif" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i ppp+ -o "$netif" -j ACCEPT
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s 192.168.43.0/24 -o "$netif" -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE

IKEv2 only VPN

Libreswan 4.2 and newer versions support the

ikev1-policy
config option. Using this option, advanced users can set up an IKEv2-only VPN, i.e. only IKEv2 connections are accepted by the VPN server, while IKEv1 connections (including the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) are dropped.

To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in this README. Then check Libreswan version using

ipsec --version
, and update Libreswan if needed. After that, edit
/etc/ipsec.conf
on the VPN server. Append
ikev1-policy=drop
to the end of the
config setup
section, indented by two spaces. Save the file and run
service ipsec restart
. When finished, you can run
ipsec status
to verify that only the
ikev2-cp
connection is enabled.

Modify IPTables rules

If you want to modify the IPTables rules after install, edit

/etc/iptables.rules
and/or
/etc/iptables/rules.v4
(Ubuntu/Debian), or
/etc/sysconfig/iptables
(CentOS/RHEL). Then reboot your server.

Bugs & Questions

Uninstallation

See Uninstall the VPN.

See also

License

Copyright (C) 2014-2021 Lin Song View my profile on LinkedIn
Based on the work of Thomas Sarlandie (Copyright 2012)

Creative Commons License
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.