Github project hwdsl2/setup-ipsec-vpn provides a simple way to set up a IPSec VPN Server by just using one line of command.
If you will need a VPN to have safe access to Internet or remote network, this might give you a good option to have your VPN in the cloud.
Table of Contents
Introduction
Features
- Fully automated IPsec VPN server setup, no user input needed
- Supports IKEv2 with strong and fast ciphers (e.g. AES-GCM)
- Generates VPN profiles to auto-configure iOS, macOS and Android devices
- Supports Windows, macOS, iOS, Android, Chrome OS and Linux as VPN clients
- Includes helper scripts to manage VPN users and certificates
Libreswan is a free software implementation of the most widely supported and standardized VPN protocol using “IPsec” and the Internet Key Exchange (“IKE”). These standards are produced and maintained by the Internet Engineering Task Force (“IETF”).
One Line Command
wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh
root@ub20-1-test:~# wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh
–2023-08-07 02:12:44– https://get.vpnsetup.net/
Resolving get.vpnsetup.net (get.vpnsetup.net)… 172.64.80.1, 2606:4700:130:436c:6f75:6466:6c61:7265
Connecting to get.vpnsetup.net (get.vpnsetup.net)|172.64.80.1|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 9781 (9.6K) [text/plain]
Saving to: ‘vpn.sh’
vpn.sh 100%[======================================================================================================================>] 9.55K –.-KB/s in 0s
2023-08-07 02:12:44 (52.8 MB/s) – ‘vpn.sh’ saved [9781/9781]
+ wget -t 3 -T 30 -q -O /tmp/vpn.iMFul/vpn.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/vpnsetup_ubuntu.sh
## VPN credentials not set by user. Generating random PSK and password…
## VPN setup in progress… Please be patient.
## Installing packages required for setup…
+ apt-get -yqq update
+ apt-get -yqq install wget dnsutils openssl iptables iproute2 gawk grep sed net-tools
## Trying to auto discover IP of this server…
## Installing packages required for the VPN…
+ apt-get -yqq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools libevent-dev libsystemd-dev uuid-runtime ppp xl2tpd
Extracting templates from packages: 100%
## Installing Fail2Ban to protect SSH…
+ apt-get -yqq install fail2ban
## Downloading helper scripts…
+ ikev2.sh addvpnuser.sh delvpnuser.sh
## Downloading Libreswan…
+ wget -t 3 -T 30 -q -O libreswan-4.11.tar.gz https://github.com/libreswan/libreswan/archive/v4.11.tar.gz
## Compiling and installing Libreswan, please wait…
+ make -j3 -s base
+ make -s install-base
## Creating VPN configuration…
## Updating sysctl settings…
## Updating IPTables rules…
## Enabling services on boot…
## Starting services…
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 140.238.155.149
IPsec PSK: H2r5V65p4b4uHia2sJb
Username: vpnuser
Password: GeWtsqPDC5tfPKY
Write these down. You’ll need them to connect!
VPN client setup: https://vpnsetup.net/clients
================================================
================================================
IKEv2 setup successful. Details for IKEv2 mode:
VPN server address: 140.238.155.149
VPN client name: vpnclient
Client configuration is available at:
/root/vpnclient.p12 (for Windows & Linux)
/root/vpnclient.sswan (for Android)
/root/vpnclient.mobileconfig (for iOS & macOS)
Next steps: Configure IKEv2 clients. See:
https://vpnsetup.net/clients
================================================
root@ub20-1-test:~#
Firewall Ports
Clients
Get your computer or device to use the VPN. Please refer to:
- Configure IKEv2 VPN Clients (recommended)
- Configure IPsec/L2TP VPN Clients (Easiest way to configure)
- Configure IPsec/XAuth (“Cisco IPsec”) VPN Clients (Need Additional Clients installed)
For IPsec/L2TP VPN Windows Clients:
Windows 11
- Right-click on the wireless/network icon in your system tray.
- Select Network and Internet settings, then on the page that opens, click VPN.
- Click the Add VPN button.
- Select Windows (built-in) in the VPN provider drop-down menu.
- Enter anything you like in the Connection name field.
- Enter
Your VPN Server IPin the Server name or address field. - Select L2TP/IPsec with pre-shared key in the VPN type drop-down menu.
- Enter
Your VPN IPsec PSKin the Pre-shared key field. - Enter
Your VPN Usernamein the User name field. - Enter
Your VPN Passwordin the Password field. - Check the Remember my sign-in info checkbox.
- Click Save to save the VPN connection details.
Error message: Windows error 809
Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
Note: The registry change below is only required if you use IPsec/L2TP mode to connect to the VPN. It is NOT required for the IKEv2 and IPsec/XAuth modes.
To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the .reg file below, or run the following from an elevated command prompt. You must reboot your PC when finished.
-
For Windows Vista, 7, 8, 10 and 11 (download .reg file)
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
For IPsec/xAuth (Cisco IPsec) VPN Windows Clients:
- Download and install the free Shrew Soft VPN client. When prompted during install, select Standard Edition.
Note: This VPN client does NOT support Windows 10/11. - Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager
- Click the Add (+) button on toolbar.
- Enter
Your VPN Server IPin the Host Name or IP Address field. - Click the Authentication tab. Select Mutual PSK + XAuth from the Authentication Method drop-down menu.
- Under the Local Identity sub-tab, select IP Address from the Identification Type drop-down menu.
- Click the Credentials sub-tab. Enter
Your VPN IPsec PSKin the Pre Shared Key field. - Click the Phase 1 tab. Select main from the Exchange Type drop-down menu.
- Click the Phase 2 tab. Select sha1 from the HMAC Algorithm drop-down menu.
- Click Save to save the VPN connection details.
- Select the new VPN connection. Click the Connect button on toolbar.
- Enter
Your VPN Usernamein the Username field. - Enter
Your VPN Passwordin the Password field. - Click Connect.
For IKEv2 VPN Windows Clients:
Windows 8, 10 and 11 users can automatically import IKEv2 configuration:
- Securely transfer the generated
.p12file to your computer. - Right-click on ikev2_config_import.cmd and save this helper script to the same folder as the
.p12file. - Right-click on the saved script, select Properties. Click on Unblock at the bottom, then click on OK.
- Right-click on the saved script, select Run as administrator and follow the prompts.
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.
Manager VPN Users
See Manage VPN users.
Upgrade
Upgrade Libreswan
Use this one-liner to update Libreswan on your VPN server.
wget https://get.vpnsetup.net/upg -O vpnup.sh && sudo sh vpnup.sh
Uninstall IPSec VPN
To uninstall IPsec VPN, run the helper script:
Warning: This helper script will remove IPsec VPN from your server. All VPN configuration will be permanently deleted, and Libreswan and xl2tpd will be removed. This cannot be undone!
wget https://get.vpnsetup.net/unst -O unst.sh && sudo bash unst.sh
Videos
