IPsec VPN Server Auto Setup with Libreswan

In this guide I will present you with my scripts for setting up an IPsec VPN server with IPsec/L2TP, Cisco IPsec and IKEv2 on Ubuntu, Debian and CentOS. We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.


Libreswan Logo

An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.

Libreswan is a free software implementation of IPsec. It had been forked from Openswan 2.6.38, which was forked from FreeS/WAN 2.04.

My VPN setup scripts can be used on any dedicated server or KVM/Xen-based virtual private server (VPS). Besides, you may use it directly as Amazon EC2 "user data" upon launching a new instance. This feature makes it ideal for use on lower-priced spot instances.

Amazon EC2 provides scalable compute capacity in the cloud. Users can deploy Xen-based VPS ("instances") for purposes such as web hosting and VPN. New customers receive a one-year "free tier" with many benefits, such as running an on-demand "micro instance" for very low cost.

For a personal VPN server, the EC2 t2.micro instance (1GB RAM) is more than sufficient. Besides on-demand instances, there are "spot instances" which could give you significant cost-savings. Read more in this section.

My VPN Auto Setup Scripts


  • New: The faster IPsec/XAuth ("Cisco IPsec") and IKEv2 modes are supported
  • New: A pre-built Docker image of the VPN server is now available
  • Fully automated IPsec VPN server setup, no user input needed
  • Encapsulates all VPN traffic in UDP - does not need ESP protocol
  • Can be directly used as "user-data" for a new Amazon EC2 instance
  • Includes sysctl.conf optimizations for improved performance

Link to VPN scripts: https://github.com/hwdsl2/setup-ipsec-vpn

Instructions for use in Amazon EC2:

  1. Follow the link above to the GitHub repository, then open vpnsetup.sh.
  2. (Important) Click the Raw button on the right. Press Ctrl-A to select all, Ctrl-C to copy, then paste into your favorite editor. From there, be sure to replace the variables YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD with your own values. Copy the customized script to clipboard.
  3. From the EC2 console, launch an instance from one of these images:
  4. At "Step 3: Configure Instance Details", enable the option "auto-assign public IP". Then scroll down to section "advanced details" and paste your customized script into the "user data" text box.
  5. Proceed to configure other options. When setting up the security group for this instance, open UDP ports 500 and 4500 for the VPN, open TCP port 22 for SSH. Other ports are not required.
  6. Launch the instance, then wait a few minutes to allow setup to complete. And your fully configured IPsec VPN server is ready for use!

* If using Debian 11 or 10 on EC2, leave the "user data" text box blank. You must first switch to the standard Linux kernel before running the VPN setup script. Read more here.
** Support for CentOS Linux 8 will end on December 31, 2021.

Besides EC2, you may adapt these instructions for other providers supporting "user data", e.g. DigitalOcean, Vultr or Google Compute Engine. If your server provider has an external firewall like EC2/GCE, you must open the ports above for the VPN.

Instructions for use on a dedicated server or virtual private server (VPS):

  1. Prepare your server with a fresh install of Ubuntu, Debian, CentOS/RHEL, Rocky Linux or AlmaLinux.
  2. Follow instructions from section Installation on GitHub.

OpenVZ VPS is not supported, as kernel support for IPsec may be unavailable. As an alternative, try OpenVPN.

Next steps: Read important notes, then set up your devices to use the VPN. Enjoy your very own VPN!

DO NOT run these scripts on your PC or Mac! They should only be used on a server!

Getting a VPS

Want to run your own VPN but don't have a server for that? No problem, check out these reputable providers:

DigitalOcean is the provider that I use.

Note: If you like this article and want to support my site, please consider signing up using my referral links above.

About EC2 Spot Instances

Spot instances are the "best kept open secret" of Amazon EC2. By definition, they are a special type of instance that allows you to bid on unused EC2 capacity, and is typically much cheaper in hourly cost than on-demand instances. However, your spot instances will only run when your "bid price" exceeds the current price, and can be terminated by Amazon at any time whenever your bid price falls below it.

For Linux micro instances, the spot price can go as low as a fraction of a cent per hour, which means the lowest monthly cost could be only a few USD per instance, not including other charges such as storage and data transfer. This could be significantly cheaper when compared to an on-demand instance!

Be careful, however, that when a spot instance is turned off it is automatically "terminated". Whenever a spot instance is terminated, all data on its storage is lost. There are some methods to preserve the data, for example, by creating an Amazon Machine Image (AMI) from the running instance.

The "volatile" nature of spot instances means that they can be difficult to set up for VPN. However, it becomes easy with my auto setup scripts. For detailed instructions, please read the previous sections.

Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.

Next article: Using SSHFS to Share Folders between Your Servers
Previous article: Ghost Blog Auto Setup with Nginx and Naxsi

Return to Lin's Tech Blog Homepage

Lin Song

Hi, I'm Lin, a PhD graduate in Electrical and Computer Engineering. As a hobby, I love computers, Linux and programming.  LinkedIn  GitHub

View or Post

Disclaimer: All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. All trademarks mentioned herein belong to their respective owners.
    The owner of this blog will not be liable for any errors or omissions in this information nor for the availability of it. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

Your name:

Email address:

Website URL:

Please leave a comment:

You agree that this form is for A N T I-S P A M B O T S!
     D O-N O T-S U B M I T !