In this guide I will present you with my scripts for setting up an IPsec VPN server, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.
My VPN setup scripts can be used on any dedicated server or KVM/Xen-based virtual private server (VPS). Besides, you may use it directly as Amazon EC2 "user data" upon launching a new instance. This feature makes it ideal for use on lower-priced spot instances.
Amazon EC2 provides scalable compute capacity in the cloud. Users can deploy Xen-based VPS ("instances") for purposes such as web hosting and VPN. New customers receive a one-year "free tier" with many benefits, such as running an on-demand "micro instance" for very low cost.
For a personal VPN server, the EC2
t2.micro instance (1GB RAM) is more than sufficient. Besides on-demand instances, there are "spot instances" which could give you significant cost-savings. Read more in this section.
As a side note, learn how to set up your personal VoIP server to make cheap phone calls to your family and friends.
My VPN Auto Setup Scripts
See below for a link to my VPN scripts and instructions. They are inspired by and based upon the work of Thomas Sarlandie. Libreswan is used in place of Openswan, as the former is more actively developed.
- New: The faster IPsec/XAuth ("Cisco IPsec") mode is supported
- New: A pre-built Docker image of the VPN server is now available
- Fully automated IPsec VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
sysctl.confoptimizations for improved performance
- Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6
Link to VPN scripts: https://github.com/hwdsl2/setup-ipsec-vpn
Instructions for use in Amazon EC2:
- Follow the link above to my GitHub repository.
For Ubuntu/Debian, open
For CentOS/RHEL, open
- (Important) Click the
Rawbutton on the right. Press Ctrl-A to select all, Ctrl-C to copy, then paste into your favorite editor. From there, be sure to replace the variables
YOUR_PASSWORDwith your own values. Copy the customized script to clipboard.
- From the EC2 console, launch an instance from these AMIs:
- At "Step 3: Configure Instance Details", enable the option "Auto-assign Public IP". Then expand "Advanced Details" and paste your customized script into the "User data" text box.
- Proceed to configure other options. When setting up the security group for this instance, open UDP ports 500 and 4500 for the VPN, and TCP port 22 for SSH. Other ports are not required.
- Launch the instance, then wait a few minutes to allow setup to complete. And your fully configured IPsec VPN server is ready for use!
Besides EC2, you may adapt these instructions for other providers supporting "user data", e.g. Google Compute Engine, DigitalOcean and Vultr. For servers with an external firewall, open the ports above for the VPN.
Instructions for use on dedicated servers or KVM/Xen-based VPS:
- Prepare a fresh install of Ubuntu 16.04/14.04, Debian 9/8 or CentOS 7/6.
- Follow instructions from section Installation on GitHub.
OpenVZ VPS is not supported, as kernel support for IPsec may be unavailable. As an alternative, check out Nyr's OpenVPN script.
Next steps: Set up your devices to use the VPN. Enjoy your very own VPN!
⚠ DO NOT run these scripts on your PC or Mac! They should only be used on a server!
Getting a VPS
Want to run your own VPN but don't have a server for that? No problem, check out these reputable providers:
DigitalOcean is the provider that I use.
Note: If you like this article and want to support my site, please consider signing up using my referral links above.
About EC2 Spot Instances
Spot instances are the "best kept open secret" of Amazon EC2. By definition, they are a special type of instance that allows you to bid on unused EC2 capacity, and is typically much cheaper in hourly cost than on-demand instances. However, your spot instances will only run when your "bid price" exceeds the current price, and can be terminated by Amazon at any time whenever your bid price falls below it.
t1.micro instances, the spot price can go as low as ~0.0031/hr, which means the lowest possible cost is ~$2.3/mo per instance excluding other costs such as storage and data transfer. This could be significantly cheaper when compared to an on-demand instance!
Be careful, however, that when a spot instance is turned off it is automatically "terminated". Whenever a spot instance is terminated, all data on its storage is lost. There are some methods to preserve the data, for example, by creating an Amazon Machine Image (AMI) from the running instance.
The "volatile" nature of spot instances means that they can be difficult to set up for VPN. However, it becomes easy with my auto setup scripts. For detailed instructions, please read the previous sections.
Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.