IPsec (L2TP, XAuth, IKEv2) VPN Server Auto Setup

A few years ago, I found this gem, which allows us to set up our own IPsec VPN server with L2TP, XAuth and IKEv2 on Ubuntu, Debian, RHEL, and CentOS.

Note: These are my personal snippets. If you need complete documentation, please go to the hwdsl2/setup-ipsec-vpn GitHub repository, it's really well documented! A pre-built Docker image of the VPN server is also available, go and get it.

NOTICE: You should upgrade Libreswan to the latest version because IKEv1 informational exchange packets were not integrity checked (CVE-2019-10155).

Intro

Since PPTP VPN is no longer supported by Apple's built-in VPN client on macOS Sierra and iOS 10 due to its many well-known security issues, I had to use other VPN protocols to access my company's internal networks. Here Lin Song and the contributors to his bash scripts became an angel. All I need to do is download and execute the bash script on my servers and let the script handle the rest of the IPsec VPN server setup.

In short: this script downloads, compiles and configures Libreswan as the IPsec server and xl2tpd as the L2TP provider. It also writes changes to sysctl.conf to improve performance, masks firewalld (on CentOS), updates the iptables firewall rules and configures simple Fail2Ban rules for the sshd daemon.

NOTE: This script is meant to be executed on server(s). DO NOT run auto-install scripts on your personal PC or Mac!

Requirements

A dedicated server or Virtual Private Server (VPS) with one of these OSes:

  • Ubuntu 16.04 (Xenial) / 18.04 (Bionic)
  • Debian 8 (Jessie) / 9 (Stretch)
  • CentOS 6/7 (x86_64)
  • Red Hat Enterprise Linux (RHEL) 6/7
  • Open UDP ports 500 and 4500 (if your machine is running behind an external firewall)

Note: OpenVZ VPS is not supported.

Installation

First (not necessary, but recommended), make sure the system is up to date with apt-get update && apt-get dist-upgrade on Debian and Ubuntu, or yum update on RHEL and CentOS.

There are 3 installation options described here. I prefer the first one, a single command that configures everything and generates random VPN credentials (displayed when finished), because I like to manage VPN users and the PSK manually later. So, for Debian and Ubuntu:

wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh

For RHEL and CentOS:

wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh

When the installation script is done, randomly generated VPN login details are displayed on the screen.

Default Configurations

The VPN client DNS is set to Google Public DNS. You can replace it with your server provider's DNS if you want by editing 8.8.8.8 and 8.8.4.4 in both /etc/ppp/options.xl2tpd and /etc/ipsec.conf, then rebooting the server.

When connecting via IPsec/L2TP, the VPN server has IP 192.168.42.1 within the VPN subnet 192.168.42.0/24.

The same VPN account can be used by multiple devices. However, to avoid connection issues when connecting multiple devices simultaneously from behind the same NAT (e.g. home router), use IPsec/XAuth mode.

To modify the iptables rules after install, edit /etc/iptables.rules and/or /etc/iptables/rules.v4 (Ubuntu/Debian), or /etc/sysconfig/iptables (CentOS/RHEL). Then reboot your server.

Manage VPN Users and PSK

You can use these helper scripts to make managing VPN users easier, but I prefer to manage my VPN users manually. The content below describes how to manage IPsec/L2TP and IPsec/XAuth users manually.

The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. All VPN users share the same IPsec PSK. If the PSK is changed, the ipsec and xl2tpd services need to be restarted.

IPsec/L2TP Users

For IPsec/L2TP, VPN users are stored in /etc/ppp/chap-secrets. The format of this file is:

"username1"  l2tpd  "password1"  *
"username2"  l2tpd  "password2"  *
... ...

You can add more users, one line per user. DO NOT use these special characters within values: \ " '.

IPsec/XAuth Users

For IPsec/XAuth ("Cisco IPsec"), VPN users are stored in /etc/ipsec.d/passwd. The format of this file is:

username1:password1hashed:xauth-psk
username2:password2hashed:xauth-psk
... ...

Passwords in this file are salted and hashed. Use the openssl command to generate the IPsec/XAuth user password hash:

openssl passwd -1 'your_password'

As mentioned before, you must restart the services after changing the PSK. For adding, editing or removing VPN users, this is normally not required.

service ipsec restart
service xl2tpd restart
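The two user files above are small enough to edit by hand, but when adding several users a helper that rejects the forbidden characters and produces the same $1$ (MD5-crypt) hash that openssl passwd -1 prints saves mistakes. The script below is an added example, not code from the original post or from the hwdsl2 project: md5_crypt is my pure-Python reimplementation of the $1$ scheme (you can cross-check its output against openssl passwd -1 -salt SALT PASSWORD), the chap-secrets and ipsec.d/passwd line formats are the ones shown above, and rejecting ':' in XAuth usernames is my own addition because it is that file's field separator. The functions work on lists of lines so the target path is your choice; the demo at the bottom writes into a temporary directory, not into /etc.

```python
"""Helpers for IPsec/L2TP (chap-secrets) and IPsec/XAuth (ipsec.d/passwd) user
entries. Constructed example; md5_crypt reimplements the $1$ scheme so the
hashes match what `openssl passwd -1` prints."""
from __future__ import annotations

import hashlib
import hmac
import os
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Characters the setup script tells you never to put in a username or password.
FORBIDDEN = set('\\"\'')


def md5_crypt(password: str, salt: str | None = None) -> str:
    """Return a $1$<salt>$<hash> string, the format `openssl passwd -1` produces."""
    if salt is None:  # 8 random salt characters from the crypt alphabet
        salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    salt = salt[:8]
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(n, 16)])
    n = len(pw)
    while n:  # the historical bit-by-bit step: a NUL or the first password byte
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 key-stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, count: int) -> str:  # crypt's little-endian base64 variant
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(count))

    out = "".join(
        to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + to64(final[11], 2)
    return f"$1${salt}${out}"


def check_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a $1$ hash from ipsec.d/passwd."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def validate(value: str, extra_forbidden: str = "") -> str:
    """Reject empty values and the characters the setup script forbids."""
    bad = (FORBIDDEN | set(extra_forbidden)) & set(value)
    if not value or bad:
        raise ValueError(f"value {value!r} is empty or contains {sorted(bad)}")
    return value


def upsert_l2tp_user(lines: list[str], username: str, password: str) -> list[str]:
    """Add or replace the chap-secrets line for username; returns the new content."""
    validate(username)
    validate(password)
    entry = f'"{username}"  l2tpd  "{password}"  *'
    kept = [ln for ln in lines if ln.split()[:1] != [f'"{username}"']]
    return kept + [entry]


def upsert_xauth_user(lines: list[str], username: str, password: str,
                      salt: str | None = None) -> list[str]:
    """Add or replace the ipsec.d/passwd line for username with a fresh salted hash."""
    validate(username, ":")  # ':' separates the fields in this file (my assumption)
    validate(password)
    entry = f"{username}:{md5_crypt(password, salt)}:xauth-psk"
    kept = [ln for ln in lines if ln.split(":", 1)[0] != username]
    return kept + [entry]


def write_secret_file(path: Path, lines: list[str]) -> None:
    """Write the entries and keep the file readable by its owner (root) only."""
    path.write_text("\n".join(lines) + "\n")
    path.chmod(0o600)


if __name__ == "__main__":
    import tempfile

    tmp = Path(tempfile.mkdtemp())  # demo target; on a server use the paths from the post
    l2tp = upsert_l2tp_user(['"alice"  l2tpd  "old-pass"  *'], "alice", "new-pass")
    xauth = upsert_xauth_user([], "bob", "bob-pass")
    write_secret_file(tmp / "chap-secrets", l2tp)
    write_secret_file(tmp / "passwd", xauth)
    print((tmp / "chap-secrets").read_text(), (tmp / "passwd").read_text(), sep="")
```

Line order carries no meaning in either file, so the helper simply drops the old entry for that user and appends the new one. As the post says, no service restart is needed after a user change; only a PSK change in /etc/ipsec.secrets requires restarting ipsec and xl2tpd.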

Next Steps

Get your computer and devices to use the VPN service:

Credits