Fully Automated IPsec/L2TP VPN Setup with Libreswan

howardsl2 Member
edited February 2014 in Tutorials

Hello guys, I have created a fully automated ("one-click") IPsec/L2TP VPN install script for Ubuntu 12.04. My script was inspired by and is based on the work of Thomas Sarlandie (original post), that I took time to improve by replacing Openswan with Libreswan, which is more actively developed with recent bug fixes. I also corrected a few errors in his script, added sysctl.conf and basic IPTables rules.

This script is designed for use as Amazon EC2 "user-data" when launching an instance. The fact that it can be run purely from user-data makes it ideal for use on low-priced "spot instances". With minor modifications, the script can also be used on KVM- or XEN-based VPS from other providers.

Main features:

  • Fully automated IPsec/L2TP VPN install with no user interaction required
  • Encapsulates all VPN traffic in UDP - no ESP protocol support is needed
  • Can be directly used as the "user-data" when launching an Amazon EC2 instance
  • Can be used in both EC2 Classic and VPC, with on-demand OR spot instances
  • Automatically obtains public and private IP info from instance metadata
  • Includes a basic IPTables firewall as well as sysctl.conf settings
  • Tested on both Ubuntu 12.04 LTS 32-bit and 64-bit

Link to the script: https://gist.github.com/hwdsl2/9030462
Detailed instructions can also be found at my blog article here.

Instructions for use in Amazon EC2:

  1. Browse to my script at the link above.
  2. Click the < > sign in the top-right corner that says "View Raw". Ctrl-A to select all, Ctrl-C to copy. Then paste into your favorite editor. From there, be sure to replace the three variables IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values.
  3. Launch an Amazon EC2 Ubuntu 12.04 instance (on-demand OR spot). Copy and paste the customized script into the "User data" field under "Advanced Details" in Step 3 (reference).
  4. Proceed to configure other details. When setting up the EC2 security group for your instance, remember to allow inbound UDP ports 500 and 4500 for the VPN, and TCP port 22 for SSH. Other ports are not required.
  5. Wait a few minutes after the instance finishes launching, and your fully configured IPsec/L2TP VPN server will be ready for you!

Instructions for use on other VPS (KVM- or XEN-based):

  1. Make sure to prepare your VPS with a fresh install of Ubuntu 12.04 LTS server.
  2. Save the script as vpnsetup.sh on your VPS. Edit it in your favorite editor. From there, change the first line to #!/bin/bash, replace the three variables as mentioned in "Step 2" above, and change PRIVATE_IP=... and PUBLIC_IP=... to the actual IP addresses of your VPS. In case your VPS is run on its public IP directly with no private IP, just use that public IP for both.
  3. Save and exit the editor. Finally, run bash vpnsetup.sh to install.

Use of the script on OpenVZ VPS is NOT recommended, as kernel support for IPsec may not be available on your host node. In addition, the IPTables rules in the script could give errors due to missing kernel modules.

Feel free to reply with your comments or suggestions.

Disclaimer: Although the script has been tested, there is NO guarantee and use at your own risk!
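As an added example (not part of the original post or of the script itself), a POSIX sh pre-flight check for the five values the instructions above tell you to edit before launching: the three variables from Step 2 and the PRIVATE_IP/PUBLIC_IP from the VPS instructions. MIN_SECRET_LEN and the placeholder patterns it rejects are this example's assumptions, not values from the script.

```shell
#!/bin/sh
# Pre-flight check for the five values the post tells you to edit before the
# script runs: IPSEC_PSK, VPN_USER, VPN_PASSWORD, PRIVATE_IP, PUBLIC_IP.
# MIN_SECRET_LEN and the placeholder patterns are this example's assumptions,
# not values taken from the script.
MIN_SECRET_LEN=16

# is_ipv4 ADDR: returns 0 if ADDR is a dotted quad with every field in 0-255.
is_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac      # digits only
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_strong_secret S: returns 0 if S is long enough and not placeholder-looking.
is_strong_secret() {
  [ ${#1} -ge "$MIN_SECRET_LEN" ] || return 1
  case $1 in
    *your_*|*changeme*|*password*|*secret*) return 1 ;;
  esac
  return 0
}

# check_vpn_vars PSK USER PASSWORD PRIVATE_IP PUBLIC_IP
# Prints one line per problem; the return value is the number of problems (0 = OK).
check_vpn_vars() {
  psk=$1; user=$2; pass=$3; priv=$4; pub=$5; errs=0
  is_strong_secret "$psk"  || { echo "IPSEC_PSK: shorter than $MIN_SECRET_LEN or a placeholder"; errs=$((errs+1)); }
  [ -n "$user" ]           || { echo "VPN_USER: empty"; errs=$((errs+1)); }
  is_strong_secret "$pass" || { echo "VPN_PASSWORD: shorter than $MIN_SECRET_LEN or a placeholder"; errs=$((errs+1)); }
  [ "$psk" != "$pass" ]    || { echo "IPSEC_PSK and VPN_PASSWORD: must not be the same value"; errs=$((errs+1)); }
  is_ipv4 "$priv"          || { echo "PRIVATE_IP: not a valid IPv4 address ('$priv')"; errs=$((errs+1)); }
  is_ipv4 "$pub"           || { echo "PUBLIC_IP: not a valid IPv4 address ('$pub')"; errs=$((errs+1)); }
  return $errs
}

# Usage: sh preflight.sh PSK USER PASSWORD PRIVATE_IP PUBLIC_IP
if [ $# -eq 5 ]; then check_vpn_vars "$@"; fi
```

Because these values travel in EC2 user-data, which anyone with instance metadata access can read, the check only catches weak or unedited inputs; rotating the PSK and password after testing is still on you.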

Comments

  • Thanks for this guide - worked great on a KVM VPS 12.04lts.
    I had to amend 1 line and add 1 line in order to get Windows clients to connect:

    • In /etc/xl2tpd/xl2tpd.conf, change require chap = yes to refuse chap = yes
    • In /etc/ppp/options.xl2tpd, insert require-mschap-v2

    (also, Windows clients likely need a registry change as per this note)
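The two edits from this comment, as an added shell example that is not vbap's or the script's own code: it applies them to copies of xl2tpd.conf and options.xl2tpd so re-running is harmless, and verifies the result. The sample config lines written by demo_mschapv2 are constructed for the example, not taken from the script.

```shell
#!/bin/sh
# Applies the two config edits from the comment above (MS-CHAPv2 instead of
# CHAP for Windows clients). File paths are arguments, so the edits can be
# tried on constructed copies before touching /etc.

# apply_mschapv2 XL2TPD_CONF PPP_OPTIONS  -- safe to run more than once.
apply_mschapv2() {
  conf=$1; opts=$2
  # Edit 1: the directive 'require chap = yes' becomes 'refuse chap = yes'.
  # Written through a temp file rather than 'sed -i' so GNU and BSD sed both work.
  sed 's/^[[:space:]]*require[[:space:]]*chap[[:space:]]*=[[:space:]]*yes[[:space:]]*$/refuse chap = yes/' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  # Edit 2: append 'require-mschap-v2' to the pppd options, but only once.
  grep -qx 'require-mschap-v2' "$opts" || printf 'require-mschap-v2\n' >> "$opts"
}

# verify_mschapv2 XL2TPD_CONF PPP_OPTIONS  -- returns 0 when both edits are in place.
verify_mschapv2() {
  grep -qx 'refuse chap = yes' "$1" &&
    ! grep -q '^[[:space:]]*require[[:space:]]*chap' "$1" &&
    [ "$(grep -cx 'require-mschap-v2' "$2")" -eq 1 ]
}

# demo_mschapv2: writes constructed sample files (illustrative lines, not the
# script's real config) into a temp dir, applies the edits twice to prove they
# are idempotent, and returns verify_mschapv2's status.
demo_mschapv2() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/xl2tpd.conf" <<'EOF'
[lns default]
ip range = 192.0.2.10-192.0.2.250
local ip = 192.0.2.1
require chap = yes
refuse pap = yes
require authentication = yes
EOF
  cat > "$dir/options.xl2tpd" <<'EOF'
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.0.2.53
noccp
auth
EOF
  apply_mschapv2 "$dir/xl2tpd.conf" "$dir/options.xl2tpd"
  apply_mschapv2 "$dir/xl2tpd.conf" "$dir/options.xl2tpd"
  if verify_mschapv2 "$dir/xl2tpd.conf" "$dir/options.xl2tpd"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}
```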

  • howardsl2 Member
    edited February 2014

    To add to my original post: For Windows users, a registry change may be required in order to be able to connect to an IPsec/L2TP VPN behind NAT (e.g. in EC2). Please follow instructions in this article:
    http://support.microsoft.com/kb/885407

    Thanks to vbap for reminding me about this.

    @vbap said:

    Thank you for sharing your experience. By the way, is there a need for another mschapv2 secrets file in your modified configuration?

    I was able to connect OK from Windows 7 with my original config, after making that registry change as you mentioned.

  • No, I did not need a separate mschapv2 secrets file.

    And you're right, by default (at least in Windows 7, haven't tested other versions) a new VPN connection has both CHAP and MSCHAPv2 protocols selected. If you are happy to use CHAP, then my changes above are not needed. I just read that mschapv2 is preferred over CHAP for security reasons - I'm a noob at this so please seek professional advice in your own circumstances :)

  • howardsl2 Member
    edited March 2014

    Just want to make a correction to my previous post regarding IPsec/L2TP VPN behind NAT and Windows users. Someone reminded me yesterday that different registry changes are needed for XP users, and for those running later versions.

    For XP users, see: http://support.microsoft.com/kb/885407
    For Vista, 7, and Server 2008 users, see: http://support.microsoft.com/kb/926179
    Alternatively, see this article for combined instructions (scroll down to end of page).
    https://kb.meraki.com/knowledge_base/troubleshooting-client-vpn

  • howardsl2 Member
    edited April 2014

    Update: The IPsec/L2TP VPN auto setup script mentioned in this thread has been tested and confirmed to work in Ubuntu 14.04 (Trusty Tahr). However, use at your own risk.

    Latest instructions are available at my blog article here.

  • howardsl2 Member
    edited January 2016

    Update: The IPsec/L2TP VPN auto setup scripts have been moved to a GitHub repository:
    https://github.com/hwdsl2/setup-ipsec-vpn

    Currently supported OS include Ubuntu 14.04 & 12.04, Debian 8 and CentOS/RHEL 6 & 7.
    Simple upgrade scripts for Libreswan have also been added to the repo.

  • Cellow Member

    Hello,
    First of all, thanks for your work! After running the script on CentOS, when trying to connect from Windows 7 I get the following error:

    "Error 809: The network connection between your computer and the VPN could not be established because the remote server is not responding."

    Can you help me with this?

    Thanks!

  • SplitIce Member, Host Rep

    Good Work. Getting NAT to work reliably was always an issue for us.

    On the client side perhaps this is useful: https://www.x4b.net/kb/WindowsVPNConnecting

    From the time we used to offer IPSec + L2TP.

  • howardsl2 Member
    edited June 2016

    @Cellow said:

    To resolve Error 809, a one-time registry change is required. Please refer to:
    https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809

    To all: The VPN scripts have been moved to a GitHub repository:
    https://github.com/hwdsl2/setup-ipsec-vpn
