IPsec VPN Server Auto Setup with Libreswan

In this guide I will present you with my scripts for setting up an IPsec VPN server with IPsec/L2TP, Cisco IPsec and IKEv2 on Ubuntu, Debian and CentOS. We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.

Introduction

Libreswan Logo

An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.

Libreswan is a free software implementation of IPsec. It had been forked from Openswan 2.6.38, which was forked from FreeS/WAN 2.04.

My VPN setup scripts can be used on any dedicated server or KVM/Xen-based virtual private server (VPS). Besides, you may use it directly as Amazon EC2 "user data" upon launching a new instance. This feature makes it ideal for use on lower-priced spot instances.

Amazon EC2 provides scalable compute capacity in the cloud. Users can deploy Xen-based VPS ("instances") for purposes such as web hosting and VPN. New customers receive a one-year "free tier" with many benefits, such as running an on-demand "micro instance" for very low cost.

For a personal VPN server, the EC2 t2.micro instance (1GB RAM) is more than sufficient. Besides on-demand instances, there are "spot instances" which could give you significant cost-savings. Read more in this section.

IPsec VPN Auto Setup Scripts

Features:

  • Fully automated IPsec VPN server setup, no user input needed
  • Supports IKEv2 with strong and fast ciphers (e.g. AES-GCM)
  • Generates VPN profiles to auto-configure iOS, macOS and Android devices
  • Supports Windows, macOS, iOS, Android and Linux as VPN clients
  • Includes helper scripts to manage VPN users and certificates

Link to VPN scripts: https://github.com/hwdsl2/setup-ipsec-vpn

Deploy using user data

Public cloud users can deploy the VPN rapidly using "user data". This is supported on e.g. DigitalOcean, Vultr, Amazon EC2 and Google Cloud. The example below shows how to deploy on Amazon EC2, which you can adapt for other providers. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN.

Deploy using user data on Amazon EC2:

  1. Click here to open vpnsetup.sh in the GitHub repository.
  2. (Important) Click the Raw button on the right. Press Ctrl/Cmd-A to select all, Ctrl/Cmd-C to copy, then paste into your favorite editor. From there, be sure to replace the variables YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD with your own values. Copy the customized script to clipboard.
    Note: A secure IPsec PSK should consist of at least 20 random characters.
  3. From the EC2 console, launch an instance from one of these images:
  4. At "Step 3: Configure Instance Details", enable the option "Auto-assign Public IP". Then scroll down to section "Advanced Details" and paste your customized script into the "User data" text box.
  5. Proceed to configure other options. When setting up the security group for this instance, open UDP ports 500 and 4500 for the VPN, and open TCP port 22 for SSH. Other ports are not required.
  6. Launch the instance, then wait a few minutes to allow setup to complete. And your fully configured IPsec VPN server is ready for use!

* IPsec/L2TP mode may not work for Debian on EC2. Use IKEv2 or IPsec/XAuth mode to connect. Read more here.

Next steps: Set up your devices to use the VPN. To add or export IKEv2 clients, connect to your server using SSH and run sudo ikev2.sh. Enjoy your very own VPN!

Deploy using VPN setup script

Alternatively, you may deploy the VPN on a cloud server, virtual private server (VPS) or dedicated server using the VPN setup script:

  1. Prepare your server with a fresh install of Ubuntu, Debian or CentOS.
  2. Follow instructions from section Installation on GitHub.

OpenVZ VPS is not supported, as kernel support for IPsec may be unavailable. As an alternative, try OpenVPN.

DO NOT run these scripts on your PC or Mac! They should only be used on a server!

Getting a VPS

Want to run your own VPN but don't have a server for that? No problem, check out these reputable providers:

DigitalOcean is a popular cloud computing provider.

About EC2 Spot Instances

Spot instances are the "best kept open secret" of Amazon EC2. By definition, they are a special type of instance that allows you to bid on unused EC2 capacity, and is typically much cheaper in hourly cost than on-demand instances. However, your spot instances will only run when your "bid price" exceeds the current price, and can be terminated by Amazon at any time whenever your bid price falls below it.

For Linux micro instances, the spot price can go as low as a fraction of a cent per hour, which means the lowest monthly cost could be only a few USD per instance, not including other charges such as storage and data transfer. This could be significantly cheaper when compared to an on-demand instance!

Be careful, however, that when a spot instance is turned off it is automatically "terminated". Whenever a spot instance is terminated, all data on its storage is lost. There are some methods to preserve the data, for example, by creating an Amazon Machine Image (AMI) from the running instance.

The "volatile" nature of spot instances means that they can be difficult to set up for VPN. However, it becomes easy with my auto setup scripts. For detailed instructions, please read the previous sections.

Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.


Next article: Using SSHFS to Share Folders between Your Servers
Previous article: Ghost Blog Auto Setup with Nginx and Naxsi

Return to Lin's Tech Blog Homepage



View or Post


Disclaimer: All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. All trademarks mentioned herein belong to their respective owners.
    The owner of this blog will not be liable for any errors or omissions in this information nor for the availability of it. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

Your name:

Email address:

Website URL:

Please leave a comment:

You agree that this form is for A N T I-S P A M B O T S!
     D O-N O T-S U B M I T !