IPsec VPN Server Auto Setup with Libreswan

In this guide I present my scripts for setting up an IPsec VPN server that supports both IPsec/L2TP and Cisco IPsec (IPsec/XAuth) on Ubuntu, Debian and CentOS. Libreswan serves as the IPsec server and xl2tpd as the L2TP daemon.

Introduction

An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels over the Internet. This is especially useful on untrusted networks, e.g. at coffee shops, airports or hotel rooms. Note that the protection covers only the path to the VPN server; from there your traffic continues to its destination as it would from any other host.

Libreswan is an IPsec implementation for Linux. It was forked from Openswan 2.6.38, which in turn was forked from FreeS/WAN 2.04.

My VPN setup scripts can be used on any dedicated server or KVM/Xen-based virtual private server (VPS). They can also be supplied directly as Amazon EC2 "user data" when launching a new instance, which makes them well suited to lower-priced spot instances.

Amazon EC2 provides scalable compute capacity in the cloud. Users can deploy Xen-based VPS ("instances") for purposes such as web hosting and VPN. New customers receive a one-year "free tier" with many benefits, such as running an on-demand "micro instance" for very low cost.

For a personal VPN server, the EC2 t2.micro instance (1GB RAM) is more than sufficient. Besides on-demand instances, there are "spot instances" which can give you significant cost savings. Read more in the section on spot instances below.

As a side note, learn how to set up your personal VoIP server to make cheap phone calls to your family and friends.

My VPN Auto Setup Scripts

See below for a link to my VPN scripts and instructions. They are inspired by and based upon the work of Thomas Sarlandie. Libreswan is used in place of Openswan, as the former is more actively developed.

Main features:

  • New: The faster IPsec/XAuth ("Cisco IPsec") mode is supported
  • New: A pre-built Docker image of the VPN server is now available
  • Fully automated IPsec VPN server setup, no user input needed
  • Encapsulates all VPN traffic in UDP (UDP-encapsulated ESP, as used for NAT traversal), so firewalls only need to pass UDP ports 500 and 4500, not the ESP protocol (IP protocol 50)
  • Can be directly used as "user-data" for a new Amazon EC2 instance
  • Includes sysctl.conf optimizations for improved performance
  • Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6

Link to VPN scripts: https://github.com/hwdsl2/setup-ipsec-vpn

Instructions for use in Amazon EC2:

  1. Follow the link above to my GitHub repository.
    For Ubuntu/Debian, open vpnsetup.sh.
    For CentOS/RHEL, open vpnsetup_centos.sh.
  2. (Important) Click the Raw button on the right. Press Ctrl-A to select all, Ctrl-C to copy, then paste into your favorite editor. There, replace the values of the variables YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD with your own. Choose a long, random pre-shared key and password: the PSK is shared by every user of the server, so a weak one weakens the whole VPN. Copy the customized script to the clipboard.
  3. From the EC2 console, launch an instance from an AMI running one of the tested OS versions listed above:
  4. At "Step 3: Configure Instance Details", enable the option "Auto-assign Public IP". Then expand "Advanced Details" and paste your customized script into the "User data" text box.
  5. Proceed to configure the other options. In the security group for this instance, open UDP ports 500 and 4500 for the VPN and TCP port 22 for SSH; no other inbound ports are needed, because all IPsec traffic is UDP-encapsulated. Where possible, restrict the SSH rule to your own IP address instead of 0.0.0.0/0.
  6. Launch the instance, then wait a few minutes to allow setup to complete. And your fully configured IPsec VPN server is ready for use!
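
Step 2 above is done by hand in an editor. The following POSIX shell script is an added example, not code from the original post or from the hwdsl2 project, that performs the same customization in a repeatable way: it generates random alphanumeric credentials, rewrites the three placeholder lines, refuses to continue if a placeholder is missing (so a changed upstream script is noticed rather than uploaded with empty credentials), and syntax-checks the result before you paste it as user data. It assumes the script defines the variables on lines of the form `YOUR_IPSEC_PSK=''`, `YOUR_USERNAME=''` and `YOUR_PASSWORD=''`. The `make_sample` function writes a constructed stand-in for the top of vpnsetup.sh so the example runs offline; for real use, fetch the script via the Raw button of the repository linked above and pass that file instead.

```sh
#!/bin/sh
# Added example, not from the original post or the hwdsl2 project: produce a
# customized copy of vpnsetup.sh for the EC2 "User data" box without editing
# credentials by hand. Assumes the script has three placeholder lines of the
# form
#   YOUR_IPSEC_PSK=''
#   YOUR_USERNAME=''
#   YOUR_PASSWORD=''
# Any value already on those lines is overwritten.
set -eu

# Random alphanumeric secret of the requested length. Restricting to
# [A-Za-z0-9] keeps the value safe inside the single quotes of the script.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# customize_script SRC DEST PSK USER PASSWORD
# Writes DEST as a copy of SRC with the three variables set. Returns 1 if a
# placeholder is missing, so an upstream change is noticed instead of a
# script with empty credentials being uploaded. Syntax-checks the result.
customize_script() {
    src=$1; dest=$2; psk=$3; user=$4; pass=$5
    for var in YOUR_IPSEC_PSK YOUR_USERNAME YOUR_PASSWORD; do
        grep -q "^$var=" "$src" || { echo "missing $var= in $src" >&2; return 1; }
    done
    sed -e "s|^YOUR_IPSEC_PSK=.*|YOUR_IPSEC_PSK='$psk'|" \
        -e "s|^YOUR_USERNAME=.*|YOUR_USERNAME='$user'|" \
        -e "s|^YOUR_PASSWORD=.*|YOUR_PASSWORD='$pass'|" "$src" >"$dest"
    sh -n "$dest"
}

# extract_var FILE NAME: print the single-quoted value assigned to NAME.
extract_var() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# Constructed stand-in for the top of vpnsetup.sh so the example runs
# offline. For real use, download the script from the repository linked
# above (Raw view of vpnsetup.sh) and pass that file instead.
make_sample() {
    cat >"$1" <<'EOF'
#!/bin/sh
# constructed sample header, not the real vpnsetup.sh
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''
echo "rest of the setup script would follow"
EOF
}

# Offline demonstration: generate credentials, customize the sample and show
# the three resulting lines (these are the values you configure on clients).
demo() {
    dir=$(mktemp -d)
    make_sample "$dir/vpnsetup.sh"
    customize_script "$dir/vpnsetup.sh" "$dir/user-data.sh" \
        "$(gen_secret 32)" vpnuser "$(gen_secret 24)"
    grep '^YOUR_' "$dir/user-data.sh"
    rm -rf "$dir"
}

demo
```

The generated values are printed once; record them, because they are the only copy outside the instance and you will need them to configure your VPN clients.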

Besides EC2, you may adapt these instructions for other providers supporting "user data", e.g. Google Compute Engine, DigitalOcean and Vultr. For servers with an external firewall, open the ports above for the VPN.

Instructions for use on dedicated servers or KVM/Xen-based VPS:

  1. Prepare a fresh install of Ubuntu 16.04/14.04, Debian 9/8 or CentOS 7/6.
  2. Follow instructions from section Installation on GitHub.

OpenVZ VPS is not supported, as kernel support for IPsec may be unavailable. As an alternative, check out Nyr's OpenVPN script.

Next steps: Set up your devices to use the VPN. Enjoy your very own VPN!

DO NOT run these scripts on your PC or Mac! They should only be used on a server!

Getting a VPS

Want to run your own VPN but don't have a server for that? No problem, check out these reputable providers:

DigitalOcean is the provider that I use.

Note: If you like this article and want to support my site, please consider signing up using my referral links above.

About EC2 Spot Instances

Spot instances are the "best kept open secret" of Amazon EC2. They are a special type of instance that lets you bid on unused EC2 capacity, and they are typically much cheaper per hour than on-demand instances. However, a spot instance only runs while your "bid price" exceeds the current spot price, and Amazon terminates it whenever the spot price rises above your bid.

For Linux t1.micro instances, the spot price can go as low as ~$0.0031/hr, which means the lowest possible cost is ~$2.3/mo per instance, excluding other costs such as storage and data transfer. This can be significantly cheaper than an on-demand instance!

Be careful, however: when a spot instance is shut down it is automatically "terminated", and all data on its storage is lost. There are ways to preserve the data, for example by creating an Amazon Machine Image (AMI) from the running instance.

The "volatile" nature of spot instances means that they can be difficult to set up for VPN. However, it becomes easy with my auto setup scripts. For detailed instructions, please read the previous sections.

Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.


Lin Song

Fresh PhD graduate in Electrical and Computer Engineering (ECE). As a hobby, I love computers, Linux and programming.

Disclaimer: All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. All trademarks mentioned herein belong to their respective owners.
The owner of this blog will not be liable for any errors or omissions in this information nor for the availability of it. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.