

Setup IPSec VPN Server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian
source link: https://computingforgeeks.com/build-ipsec-vpn-server-with-ipsec-l2tp-and-cisco-ipsec-linux/

Want your own IPsec VPN server, with both IPsec/L2TP and Cisco IPsec (IPsec/XAuth), running on CentOS, Ubuntu or Debian in a few minutes? This guide shows the quickest route: supply your VPN credentials and let a setup script handle the rest.
An IPsec VPN encrypts all traffic between your device and the VPN server, so nobody on the local network can eavesdrop on it. That protection covers the path to the server only; from there your traffic goes out to the internet as usual. It is especially worthwhile on untrusted networks such as airport, coffee-shop and hotel Wi-Fi.
Setup Environment
This setup is supported on the following operating systems:
- Ubuntu 20.04, 18.04 (Bionic), 16.04 (Xenial)
- Debian 11 / Debian 10 / Debian 9 (Stretch)
- CentOS 8 / CentOS 7
- Rocky Linux 8 / AlmaLinux 8
- Red Hat Enterprise Linux (RHEL) 8 or 7
- Amazon Linux 2
It is advisable to use a freshly installed server with updates.
Update Ubuntu / Debian
sudo apt update
sudo apt upgrade
sudo reboot
Update CentOS / Rocky Linux
sudo yum install epel-release
sudo yum -y update
sudo reboot
This will ensure all packages on your Server are up to date.
Setup IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian
We’ll use a script that automates the deployment of an IPsec VPN server with L2TP and Cisco IPsec on Ubuntu, CentOS and Debian. The script is the hwdsl2 setup-ipsec-vpn project, written by Lin Song.
Setup IPsec VPN server on Ubuntu / Debian
Update your system packages before running the deployment script. The setup is fully automated and needs no user input. Keep in mind that the script runs as root and modifies packages, sysctl settings and firewall rules: download it and read it before executing it. The one-liner below downloads and runs it in a single step.
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
Setup IPsec VPN server on CentOS 8/7 / Rocky Linux 8
For a CentOS / Rocky Linux server, run this command instead:
wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh
Your VPN login details will be randomly generated and displayed on the screen when finished.
Customize the settings
If you would like to define your own VPN credentials, edit vpnsetup.sh before execution.
sudo vim vpnsetup.sh
Set your values inside the single quotes:
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''
Then run vpnsetup.sh (the downloaded file is not executable, so pass it to sh):
sudo sh vpnsetup.sh
Sample output:
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
## Creating VPN configuration..
## Updating sysctl settings..
## Updating IPTables rules...
## Enabling services on boot...
## Starting services...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 159.88.127.33
IPsec PSK: EvA6M5wDZw4kbgL8
Username: vpnuser
Password: TNotmZ7EmGyRa2CY
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================
Enable the ipsec service to start on boot:
sudo systemctl enable ipsec
The deployment also writes the following sysctl.conf settings. Besides the buffer-size tuning for performance, it enables IPv4 forwarding (required to route client traffic), disables source routing and ICMP redirects, and relaxes reverse-path filtering (rp_filter = 0), which would otherwise drop packets whose return path differs from the interface they arrived on.
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
All VPN traffic is encapsulated in UDP (IKE on UDP 500, ESP-in-UDP/NAT-T and L2TP on UDP 4500), so your firewall or cloud security group only needs to allow those two UDP ports; the ESP protocol (IP protocol 50) does not need to be permitted.
How To Manage VPN Users
By default, a single user account for VPN login is created. To add, edit or remove users, follow the steps below (taken from the script's IPsec VPN User management guide).
The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets
All VPN users share the same IPsec PSK, so rotate it (and redistribute it to the remaining users) whenever someone who knew it should no longer have access. You can set a new one by changing the line:
%any %any : PSK "your_new_ipsec_pre_shared_key"
For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:
"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *
This file holds the passwords in clear text (CHAP needs them), so keep it readable by root only.
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
... ...
Passwords in this file are salted and hashed. You can generate the hash with the openssl utility:
# The output will be your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'
openssl passwd -1 produces an MD5-based crypt(3) hash (prefix $1$). libreswan checks XAuth passwords through the system crypt(3), so where that supports SHA-512 crypt, openssl passwd -6 (prefix $6$) gives a stronger hash in the same field. Passing the password on the command line exposes it in the process list and shell history; openssl passwd -stdin reads it from standard input instead.
Finally, restart the services if you changed the PSK. After adding, editing or removing VPN users a restart is normally not required.
sudo service ipsec restart || sudo systemctl restart ipsec
sudo service xl2tpd restart || sudo systemctl restart xl2tpd
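The user-management steps above are easy to get slightly wrong by hand (a stray quote in chap-secrets, a user added to one file but not the other, a secrets file left world-readable). The following POSIX shell functions are an added example, not code from the article or from the hwdsl2 project: they add, verify and remove a user in both credential files and rotate the shared PSK in /etc/ipsec.secrets. The file paths are the ones the article names; the CHAP_SECRETS, XAUTH_PASSWD and IPSEC_SECRETS variables, the valid_credential character policy and all function names are assumptions made for this example. The functions do not restart ipsec or xl2tpd; run the restart commands above after rotating the PSK.

```shell
#!/bin/sh
# Added example, not part of the article or the hwdsl2 script. Manages the two
# credential files and the shared PSK described above. File paths default to the
# article's; override the variables to dry-run against scratch copies first.
CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"   # IPsec/L2TP users
XAUTH_PASSWD="${XAUTH_PASSWD:-/etc/ipsec.d/passwd}"     # IPsec/XAuth users
IPSEC_SECRETS="${IPSEC_SECRETS:-/etc/ipsec.secrets}"    # shared PSK

# Hypothetical policy: only characters that can never break either file format
# (no quotes, colons, whitespace or '$', which separates fields of the hash).
valid_credential() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# MD5-crypt hash as in the article ('$1$<salt>$<hash>'); -stdin keeps the
# password out of the process list.
hash_vpn_password() {
  printf '%s\n' "$1" | openssl passwd -1 -stdin
}

vpn_user_exists() {
  grep -q "^\"$1\" l2tpd " "$CHAP_SECRETS" 2>/dev/null ||
    grep -q "^$1:" "$XAUTH_PASSWD" 2>/dev/null
}

# Add one user to both files so the same login works for L2TP and XAuth clients.
add_vpn_user() {
  user=$1 pass=$2
  valid_credential "$user" && valid_credential "$pass" ||
    { echo "add_vpn_user: invalid username or password" >&2; return 1; }
  if vpn_user_exists "$user"; then
    echo "add_vpn_user: user '$user' already exists" >&2; return 1
  fi
  for f in "$CHAP_SECRETS" "$XAUTH_PASSWD"; do   # both files hold secrets
    [ -e "$f" ] || : > "$f"
    chmod 600 "$f"
  done
  printf '"%s" l2tpd "%s" *\n' "$user" "$pass" >> "$CHAP_SECRETS"
  printf '%s:%s:xauth-psk\n' "$user" "$(hash_vpn_password "$pass")" >> "$XAUTH_PASSWD"
}

# Check a password against the stored hash by re-hashing with the stored salt.
verify_xauth_password() {
  stored=$(grep "^$1:" "$XAUTH_PASSWD" 2>/dev/null | head -n 1 | cut -d: -f2)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(printf '%s\n' "$2" | openssl passwd -1 -stdin -salt "$salt")" = "$stored" ]
}

remove_vpn_user() {
  vpn_user_exists "$1" || return 1
  for f in "$CHAP_SECRETS" "$XAUTH_PASSWD"; do
    tmp="$f.tmp.$$"
    grep -v -e "^\"$1\" l2tpd " -e "^$1:" "$f" > "$tmp" || true   # 1 = nothing left
    cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps the file's mode and inode
  done
}

# Replace the shared PSK line (all users share it, so rotate it when a user leaves).
# Pass the new key as $1 or let openssl generate 32 hex characters; the new key is
# printed so it can be distributed. Restart ipsec afterwards, as the article says.
rotate_ipsec_psk() {
  new=${1:-$(openssl rand -hex 16)}
  valid_credential "$new" || return 1
  grep -q '^%any %any : PSK ' "$IPSEC_SECRETS" 2>/dev/null || return 1
  tmp="$IPSEC_SECRETS.tmp.$$"
  sed "s|^%any %any : PSK .*|%any %any : PSK \"$new\"|" "$IPSEC_SECRETS" > "$tmp" &&
    cat "$tmp" > "$IPSEC_SECRETS" && rm -f "$tmp" || return 1
  chmod 600 "$IPSEC_SECRETS"
  printf '%s\n' "$new"
}
```

To try it without touching the live files, point the three variables at copies in a scratch directory, e.g. CHAP_SECRETS=/tmp/vpn/chap-secrets, then call add_vpn_user alice 'S3cretPass' and verify_xauth_password alice 'S3cretPass'. The verify function is also a quick way to confirm that a hash you generated by hand matches the password you intend to hand out.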
Connecting your Computer to the VPN
The final step is to connect your computer or device to the VPN. Follow the client setup guide printed in the script output (https://git.io/vpnclients) for your platform.
If you get an error when trying to connect, see Troubleshooting.
You have installed your very own IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian. Enjoy using it.