
@hwdsl2 /.MOVED.md
Last active Nov 14, 2018

IPsec VPN Server Auto Setup Script for Ubuntu and Debian

IPsec VPN Server Auto Setup Script for Ubuntu/Debian


This project has moved to a GitHub repository:

https://github.com/hwdsl2/setup-ipsec-vpn


Script for automatic setup of an IPsec VPN server, with both IPsec/L2TP and Cisco IPsec on Ubuntu LTS and Debian. Works on any dedicated server or virtual private server (VPS) except OpenVZ.

It can also be used as Amazon EC2 "user data" with the official Ubuntu LTS or Debian AMIs.

» Related tutorial: IPsec VPN Server Auto Setup with Libreswan

Alternative VPN script for CentOS/RHEL

↓  ↓  ↓ Scroll down for the script ↓  ↓  ↓

License

Copyright (C) 2014-2018 Lin Song View my profile on LinkedIn
Based on the work of Thomas Sarlandie (Copyright 2012)

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!


#!/bin/sh
#
# Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian.
# Works on any dedicated server or virtual private server (VPS) except OpenVZ.
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
#
# The latest version of this script is available at:
# https://github.com/hwdsl2/setup-ipsec-vpn
#
# Copyright (C) 2014-2018 Lin Song <linsongui@gmail.com>
# Based on the work of Thomas Sarlandie (Copyright 2012)
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# =====================================================
# Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''
# Important notes: https://git.io/vpnnotes
# Setup VPN clients: https://git.io/vpnclients
# =====================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%F-%T)"
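# Print "Error: <message>" to stderr and terminate the script with status 1.
# $1 - message text. printf is used rather than echo so that backslashes in
# the message are printed literally under /bin/sh implementations whose
# echo interprets escape sequences.
exiterr() { printf 'Error: %s\n' "$1" >&2; exit 1; }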
# Shared failure path for every 'apt-get install' step in vpnsetup:
# reports the failure via exiterr and exits with status 1.
exiterr2() {
  exiterr "'apt-get install' failed."
}
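# Keep a timestamped copy of a configuration file before it is overwritten.
# $1 - path of the file to back up; the copy is "$1.old-$SYS_DT".
# A missing source file is silently tolerated (best effort, stderr
# discarded); cp's status is still returned for callers that care.
# '--' stops cp from treating a path that begins with '-' as an option.
conf_bk() { /bin/cp -f -- "$1" "$1.old-$SYS_DT" 2>/dev/null; }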
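# Print a progress heading ("## <message>") surrounded by blank lines.
# $1 - heading text. printf keeps backslashes in the text literal under
# /bin/sh variants whose echo would interpret them.
bigecho() { printf '\n## %s\n\n' "$1"; }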
# Return 0 if $1 is a dotted-quad IPv4 address (each octet 0-255, no
# leading zeros), 1 otherwise. Embedded newlines are stripped first so a
# multi-line lookup result is not accepted by accident.
# Sets the global IP_REGEX as a side effect, as the original did.
check_ip() {
  IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
  printf '%s' "$1" \
    | tr -d '\n' \
    | grep -Eq -- "$IP_REGEX"
}
#######################################
# Perform the whole server setup: platform checks, package installation,
# xl2tpd/Libreswan build, configuration files, sysctl, iptables, boot
# persistence and service start. Mutates the system; must run as root.
# Globals:   YOUR_IPSEC_PSK, YOUR_USERNAME, YOUR_PASSWORD (read);
#            VPN_* environment overrides (read); SYS_DT (read)
# Arguments: none are consulted ("$@" is passed through by the caller)
# Outputs:   progress on stdout; at the end the connection details,
#            including the PSK and password, are printed to stdout
# Returns:   does not return on failure -- exits non-zero via exiterr/exit
#######################################
vpnsetup() {
  # --- Platform checks -------------------------------------------------
  # Distribution id from lsb_release, falling back to the os-release files.
  os_type="$(lsb_release -si 2>/dev/null)"
  if [ -z "$os_type" ]; then
    [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")"
    [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")"
  fi
  if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
    exiterr "This script only supports Ubuntu and Debian."
  fi
  # Major version only (everything after the first dot is stripped).
  if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then
    exiterr "Debian 7 is not supported."
  fi
  # Presence of /proc/user_beancounters is used as the OpenVZ indicator.
  if [ -f /proc/user_beancounters ]; then
    exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install"
  fi
  if [ "$(id -u)" != 0 ]; then
    exiterr "Script must be run as root. Try 'sudo sh $0'"
  fi
  # --- Network interface -----------------------------------------------
  # Start from VPN_NET_IFACE (env) or eth0, then look up the default-route
  # interface with net-tools 'route' and, failing that, iproute2.
  NET_IFACE=${VPN_NET_IFACE:-'eth0'}
  def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
  [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
  def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
  if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
    # A wireless default interface (wl*) is taken as a sign that this is a
    # laptop/desktop rather than a server; ARM boards are exempt from the
    # guard.
    if ! uname -m | grep -qi '^arm'; then
      case "$def_iface" in
        wl*)
          exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
          ;;
      esac
    fi
    # NOTE(review): a detected, non-down default interface overrides the
    # VPN_NET_IFACE value assigned above, so the env override only takes
    # effect when no usable default route is found.
    NET_IFACE="$def_iface"
  fi
  net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
  if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
    printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
    if [ -z "$VPN_NET_IFACE" ]; then
      cat 1>&2 <<EOF
Could not detect the default network interface. Re-run this script with:
sudo VPN_NET_IFACE="default_interface_name" sh "$0"
EOF
    fi
    exit 1
  fi
  # --- Credentials -----------------------------------------------------
  # Values edited into the script win over the VPN_* environment variables;
  # when all three are empty, random ones are generated.
  [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
  [ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
  [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
  if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
    bigecho "VPN credentials not set by user. Generating random PSK and password..."
    # Bytes from /dev/urandom filtered (LC_CTYPE=C keeps tr byte-oriented)
    # to an alphanumeric alphabet that omits the easily confused characters
    # I, O, Q, l, 0 and 1 -- 56 symbols, so 20 symbols is roughly 116 bits
    # and 16 symbols roughly 93 bits.
    VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)"
    VPN_USER=vpnuser
    VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
  fi
  if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
    exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
  fi
  # The three values are written unescaped into ipsec.secrets, chap-secrets
  # and the xauth passwd file below, so anything outside printable ASCII,
  # and the backslash/quote characters that would break the quoting in
  # those files, is rejected here.
  if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
    exiterr "VPN credentials must not contain non-ASCII characters."
  fi
  case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
    *[\\\"\']*)
      exiterr "VPN credentials must not contain these special characters: \\ \" '"
      ;;
  esac
  bigecho "VPN setup in progress... Please be patient."
  # --- Package installation --------------------------------------------
  # Create and change to working dir
  mkdir -p /opt/src
  cd /opt/src || exit 1
  # Wait (at most 60 x 3 s) for another apt/dpkg run to release its locks;
  # both fuser and lsof are consulted for lock holders.
  count=0
  APT_LK=/var/lib/apt/lists/lock
  PKG_LK=/var/lib/dpkg/lock
  while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \
    || lsof "$APT_LK" >/dev/null 2>&1 || lsof "$PKG_LK" >/dev/null 2>&1; do
    [ "$count" = "0" ] && bigecho "Waiting for apt to be available..."
    [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock."
    count=$((count+1))
    printf '%s' '.'
    sleep 3
  done
  bigecho "Populating apt-get cache..."
  # Suppress interactive debconf prompts during the unattended installs.
  export DEBIAN_FRONTEND=noninteractive
  apt-get -yq update || exiterr "'apt-get update' failed."
  bigecho "Installing packages required for setup..."
  apt-get -yq install wget dnsutils openssl \
    iptables iproute2 gawk grep sed net-tools || exiterr2
  # --- Public IP discovery ---------------------------------------------
  bigecho "Trying to auto discover IP of this server..."
  cat <<'EOF'
In case the script hangs here for more than a few minutes,
press Ctrl-C to abort. Then edit it and manually enter IP.
EOF
  # In case auto IP discovery fails, enter server's public IP here.
  # Order: VPN_PUBLIC_IP (env), then a DNS query to OpenDNS, then plain-HTTP
  # icanhazip; every candidate is validated with check_ip before use.
  # NOTE(review): neither lookup is authenticated, so an on-path party could
  # answer with a well-formed but wrong address, which would then be used as
  # leftid and shown in the printed connection details. Setting
  # VPN_PUBLIC_IP skips the lookups entirely.
  PUBLIC_IP=${VPN_PUBLIC_IP:-''}
  [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
  check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
  check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
  bigecho "Installing packages required for the VPN..."
  apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
    libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
    libcurl4-nss-dev flex bison gcc make libnss3-tools \
    libevent-dev ppp xl2tpd || exiterr2
  # On 4.14/4.15/4.16 kernels, non-Ubuntu systems additionally get xl2tpd
  # built from the upstream tarball and installed under /usr (PREFIX=/usr),
  # on top of the packaged xl2tpd installed above.
  case "$(uname -r)" in
    4.1[456]*)
      if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then
        L2TP_VER=1.3.12
        l2tp_dir="xl2tpd-$L2TP_VER"
        l2tp_file="$l2tp_dir.tar.gz"
        l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz"
        apt-get -yq install libpcap0.8-dev || exiterr2
        # NOTE(review): the archive is fetched over HTTPS, but no checksum or
        # signature is verified before it is built and installed.
        wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1
        /bin/rm -rf "/opt/src/$l2tp_dir"
        tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file"
        cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install
        cd /opt/src || exit 1
        /bin/rm -rf "/opt/src/$l2tp_dir"
      fi
      ;;
  esac
  bigecho "Installing Fail2Ban to protect SSH..."
  apt-get -yq install fail2ban || exiterr2
  # --- Libreswan build -------------------------------------------------
  bigecho "Compiling and installing Libreswan..."
  SWAN_VER=3.27
  swan_file="libreswan-$SWAN_VER.tar.gz"
  swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
  swan_url2="https://download.libreswan.org/$swan_file"
  # NOTE(review): as with xl2tpd above, the tarball is trusted on the basis
  # of TLS alone -- no hash or signature is checked before building.
  if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
    exit 1
  fi
  /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
  tar xzf "$swan_file" && /bin/rm -f "$swan_file"
  cd "libreswan-$SWAN_VER" || exit 1
  # Build-time options: no -Werror, DNSSEC and DH group 31 disabled.
  cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
  # When Libreswan's own detection script reports systemd as the init
  # system, the systemd development headers are installed before building.
  if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
    apt-get -yq install libsystemd-dev || exiterr2
  fi
  # Parallel build with one job more than the CPU count.
  NPROCS="$(grep -c ^processor /proc/cpuinfo)"
  [ -z "$NPROCS" ] && NPROCS=1
  make "-j$((NPROCS+1))" -s base && make -s install-base
  cd /opt/src || exit 1
  /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
  # The build only counts as successful if the installed binary reports
  # the expected version string.
  if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
    exiterr "Libreswan $SWAN_VER failed to build."
  fi
  # --- Configuration files ---------------------------------------------
  bigecho "Creating VPN configuration..."
  # Address plan: one subnet/pool for L2TP clients, another for XAUTH
  # ("Cisco IPsec") clients; all values can be overridden via VPN_*.
  L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'}
  L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'}
  L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'}
  XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}
  XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
  DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
  DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
  # Create IPsec config
  # Two connections share the 'shared' PSK settings: l2tp-psk (transport
  # mode, UDP 1701) and xauth-psk (IKEv1 only, users from /etc/ipsec.d/passwd
  # via xauthby=file, address pool and DNS pushed by mode-config).
  # NOTE(review): the ike= list keeps aes*-sha1 and modp1024 (DH group 2)
  # entries after the sha2/default-group ones; these are weaker and are
  # presumably retained for older client compatibility -- TODO confirm.
  # NOTE(review): on this page the heredoc body has lost its leading
  # whitespace; ipsec.conf(5) describes parameter lines as indented under
  # their section header, so compare with the upstream repository before
  # reusing this copy verbatim.
  conf_bk "/etc/ipsec.conf"
  cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
protostack=netkey
interfaces=%defaultroute
uniqueids=no
conn shared
left=%defaultroute
leftid=$PUBLIC_IP
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=yes
conn l2tp-psk
auto=add
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
phase2=esp
also=shared
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL
modecfgdns="$DNS_SRV1, $DNS_SRV2"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
ike-frag=yes
ikev2=never
cisco-unity=yes
also=shared
EOF
  # ARM builds drop the aes256-sha2_512 ESP proposal.
  if uname -m | grep -qi '^arm'; then
    sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
  fi
  # Specify IPsec PSK
  # A single PSK shared by every peer (%any %any).
  conf_bk "/etc/ipsec.secrets"
  cat > /etc/ipsec.secrets <<EOF
%any %any : PSK "$VPN_IPSEC_PSK"
EOF
  # Create xl2tpd config
  # CHAP is required and PAP refused; PPP options come from the file below.
  conf_bk "/etc/xl2tpd/xl2tpd.conf"
  cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
port = 1701
[lns default]
ip range = $L2TP_POOL
local ip = $L2TP_LOCAL
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
  # Set xl2tpd options
  # PPP: MS-CHAPv2 required, peer must authenticate, no compression (noccp),
  # DNS servers pushed to clients, MTU/MRU 1280.
  conf_bk "/etc/ppp/options.xl2tpd"
  cat > /etc/ppp/options.xl2tpd <<EOF
+mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns $DNS_SRV1
ms-dns $DNS_SRV2
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
EOF
  # Create VPN credentials
  # chap-secrets columns: client, server, secret, allowed IP ('*' = any).
  conf_bk "/etc/ppp/chap-secrets"
  cat > /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
  conf_bk "/etc/ipsec.d/passwd"
  # NOTE(review): 'openssl passwd -1' produces an MD5-based crypt hash, weak
  # by current standards, and the password is passed as an argument where it
  # is briefly visible in process listings ('openssl passwd -stdin' avoids
  # the latter). Whether this Libreswan version's xauthby=file accepts a
  # stronger crypt format should be checked before changing the hash.
  VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
  cat > /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
  # --- Kernel parameters -----------------------------------------------
  bigecho "Updating sysctl settings..."
  # Idempotent: the block is appended only if its marker is absent.
  if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
    conf_bk "/etc/sysctl.conf"
    # Shared-memory limits sized by word length.
    if [ "$(getconf LONG_BIT)" = "64" ]; then
      SHM_MAX=68719476736
      SHM_ALL=4294967296
    else
      SHM_MAX=4294967295
      SHM_ALL=268435456
    fi
    # Enables IPv4 forwarding, disables source routing and ICMP redirects,
    # and turns reverse-path filtering off (rp_filter=0) globally and on the
    # VPN interface -- presumably because of the asymmetric routing the
    # tunnels introduce; verify before tightening.
    cat >> /etc/sysctl.conf <<EOF
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = $SHM_MAX
kernel.shmall = $SHM_ALL
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$NET_IFACE.send_redirects = 0
net.ipv4.conf.$NET_IFACE.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
EOF
  fi
  # --- Firewall --------------------------------------------------------
  bigecho "Updating IPTables rules..."
  # Check if rules need updating
  # Rules are (re)applied when the marker is missing from the saved rules
  # file or either NAT rule is absent from the live table (-C = check).
  ipt_flag=0
  IPT_FILE="/etc/iptables.rules"
  IPT_FILE2="/etc/iptables/rules.v4"
  if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
    || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
    || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
    ipt_flag=1
  fi
  # Add IPTables rules for VPN
  if [ "$ipt_flag" = "1" ]; then
    # fail2ban is stopped while the rules are edited -- presumably so its
    # dynamically added chains are not captured in the saved ruleset; TODO
    # confirm.
    service fail2ban stop >/dev/null 2>&1
    # Snapshot of the pre-existing ruleset for rollback.
    iptables-save > "$IPT_FILE.old-$SYS_DT"
    # INPUT, inserted at positions 1-6: L2TP (UDP 1701) is only accepted when
    # it arrives inside an IPsec policy -- bare L2TP is dropped both before
    # and after that accept; INVALID is dropped; established flows, IKE (500)
    # and NAT-T (4500) are accepted.
    iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
    iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
    iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
    iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    iptables -I INPUT 6 -p udp --dport 1701 -j DROP
    # FORWARD: tunnel <-> uplink traffic for both client subnets plus
    # client-to-client forwarding; everything else hits the appended DROP.
    iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
    iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
    iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
    iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
    # Uncomment if you wish to disallow traffic between VPN clients themselves
    # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
    # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
    iptables -A FORWARD -j DROP
    # NAT: masquerade both client subnets out of the uplink; XAUTH traffic
    # only when it is not itself IPsec-protected (--pol none).
    iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
    iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
    # Persist to /etc/iptables.rules (with the idempotency marker) and, if
    # the iptables-persistent file already exists, copy it there as well.
    echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
    iptables-save >> "$IPT_FILE"
    if [ -f "$IPT_FILE2" ]; then
      conf_bk "$IPT_FILE2"
      /bin/cp -f "$IPT_FILE" "$IPT_FILE2"
    fi
  fi
  # --- Boot persistence ------------------------------------------------
  bigecho "Enabling services on boot..."
  # Check for iptables-persistent
  # If rules.v4 exists and iptables-/netfilter-persistent is installed, no
  # extra restore hook is needed; otherwise an if-pre-up.d script is
  # installed, plus a systemd unit on netplan systems (presumably because
  # if-pre-up.d hooks are not run there -- TODO confirm).
  IPT_PST="/etc/init.d/iptables-persistent"
  IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables"
  ipt_load=1
  if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
    ipt_load=0
  fi
  if [ "$ipt_load" = "1" ]; then
    mkdir -p /etc/network/if-pre-up.d
    cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF
    chmod +x /etc/network/if-pre-up.d/iptablesload
    if [ -f /usr/sbin/netplan ]; then
      mkdir -p /etc/systemd/system
      cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
[Unit]
Description = Load /etc/iptables.rules
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target
[Service]
Type=oneshot
ExecStart=/etc/network/if-pre-up.d/iptablesload
[Install]
WantedBy=multi-user.target
EOF
      systemctl enable load-iptables-rules 2>/dev/null
    fi
  fi
  # Both SysV and systemd enablement are attempted; failures are ignored.
  for svc in fail2ban ipsec xl2tpd; do
    update-rc.d "$svc" enable >/dev/null 2>&1
    systemctl enable "$svc" 2>/dev/null
  done
  # rc.local fallback: 15 s after boot, restart the VPN daemons and
  # re-enable forwarding. Added once (marker check); an existing 'exit 0' is
  # deleted first so the appended block is reachable.
  if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
    if [ -f /etc/rc.local ]; then
      conf_bk "/etc/rc.local"
      sed --follow-symlinks -i '/^exit 0/d' /etc/rc.local
    else
      echo '#!/bin/sh' > /etc/rc.local
    fi
    cat >> /etc/rc.local <<'EOF'
# Added by hwdsl2 VPN script
(sleep 15
service ipsec restart
service xl2tpd restart
echo 1 > /proc/sys/net/ipv4/ip_forward)&
exit 0
EOF
  fi
  # --- Start -----------------------------------------------------------
  bigecho "Starting services..."
  # Reload sysctl.conf
  sysctl -e -q -p
  # Update file attributes
  chmod +x /etc/rc.local
  # Secret files, including their timestamped backups, become root-only.
  chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
  # Apply new IPTables rules
  iptables-restore < "$IPT_FILE"
  # Restart services
  mkdir -p /run/pluto
  service fail2ban restart 2>/dev/null
  service ipsec restart 2>/dev/null
  service xl2tpd restart 2>/dev/null
  # NOTE(review): the PSK and password are printed to stdout. When the
  # script runs as EC2 user data or under other automation that output is
  # typically captured in logs (e.g. cloud-init output), so treat those logs
  # as sensitive or rotate the credentials afterwards.
  cat <<EOF
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: $PUBLIC_IP
IPsec PSK: $VPN_IPSEC_PSK
Username: $VPN_USER
Password: $VPN_PASSWORD
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================
EOF
}
# Everything lives in vpnsetup() and is only invoked here, after the whole
# file has been parsed, so a truncated copy of the script (e.g. an
# interrupted download piped into sh) cannot run a partial setup.
## Defer setup until we have the complete script
vpnsetup "$@"
exit 0
@letoams


letoams commented Jul 18, 2014

Thanks for sharing this!
It's good advice for a one-person VPN, although I'd be wary of using a hardcoded PSK and user/passwd, and of the overhead of L2TP and PPP.

A method that scales better is to use XAUTH (OSX and iOS call it "Cisco IP sec mode"). You can use a pam module for user/password (a default one using unix user/passwords is installed per default), and use certificates you can revoke (when you lose your phone)

See https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH

There is even support for One Time Passwords (OTP) such as google-authenticator:
https://libreswan.org/wiki/Using_XAUTH_with_One_Time_Passwords_%28OTP%29

@hwdsl2


Owner

hwdsl2 commented Jul 19, 2014

Hello Paul, thanks for the insightful comment and your great work on Libreswan!

@loasjerry


loasjerry commented Aug 7, 2014

Thanks for your awesome script.

However, I got a situation.
Once I installed your script, my apache is not working.

  • apache can start properly
  • apache can restart properly
  • browser can't reach the address, which was reachable before
  • All ports are open at the moment

I wonder if any setting in iptables makes this happen?

Thanks.

@hwdsl2


Owner

hwdsl2 commented Aug 8, 2014

Hi loasjerry, to make Apache reachable you need to open port 80 and/or 443 in IPTables. Here's how:

To open port 80, find this line in my auto setup script: "-A INPUT -p tcp --dport 22 -j ACCEPT", then add an identical line below it, but change the port number on that new line from 22 to 80. You can add another one for port 443 if you use https.

Alternatively, if you have already set up the system: edit the file "/etc/iptables.rules", add the above mentioned line(s), and then use command "iptables-restore < /etc/iptables.rules" to apply the new rules.

If your server is in Amazon EC2, besides making the changes above you would also need to authorize TCP port 80 and/or 443 in the EC2 Security Group for that instance.

@macinux


macinux commented Aug 10, 2014

Thank you for the script. It works fine on my mac. However it is not working on my iOS device. Do you have any idea about this?
Thanks,

@hwdsl2


Owner

hwdsl2 commented Aug 10, 2014

Hi macinux, do you mean that your iOS device cannot connect to the VPN server? Please give more details about your iOS device's VPN configuration and/or any error(s) you encountered.

You can try the config change mentioned in this article:
http://serverfault.com/questions/461996/l2tp-over-ipsec-vpn-openswan-centos-6-unable-to-connect-via-iphone-ios-5-1

Please note that due to a limitation of the IPsec protocol, multiple devices behind the same NAT (e.g. a home router) cannot simultaneously connect to the same IPsec VPN server. If this is the case, try first disconnecting your Mac from the VPN server, then run "service ipsec restart" and "service xl2tpd restart" on the server, and after that, connect your iOS device.

@loasjerry


loasjerry commented Aug 11, 2014

hwdsl2, you are so great.
Thanks. =D

@zengfenfei


zengfenfei commented Aug 20, 2014

Do I need to configure /etc/xl2tpd/l2tp-secrets as mentioned in https://help.ubuntu.com/community/L2TPServer

@hwdsl2


Owner

hwdsl2 commented Aug 20, 2014

@zengfenfei The file /etc/xl2tpd/l2tp-secrets is NOT needed when using my VPN auto setup script.

@edwingit


edwingit commented Sep 18, 2014

Thanks for your script. I am new to l2tp and github
I have two question and hope someone can help me.

  1. How to create another l2tp VPN account?
  2. I cannot use same account connect to l2tp VPN server at the same time. The second session will kick out the first session. Is this caused by my device behind a NAT device(home router)?

Thanks
Edwin

@hwdsl2


Owner

hwdsl2 commented Sep 18, 2014

@edwingit To enable multiple VPN accounts, you only need to edit a few lines in the script:
https://gist.github.com/hwdsl2/123b886f29f4c689f531

Due to a limitation of the IPsec protocol, multiple devices behind the same NAT (e.g. a home router) cannot simultaneously connect to the same IPsec VPN server.

@edwingit


edwingit commented Sep 19, 2014

hwdsl2, thanks for your help and effort.
Great script file!
Edwin

@tigertoo


tigertoo commented Sep 25, 2014

hwdsl2, Great work on the script!!! I have been playing with a L2TP setup for some time but I am having difficulty working out the configuration for a Linux/ubuntu L2TP client for connecting to the L2TP server. Would you have a subsequent script which would configure this? Or know of any information which would help?

Thanks in advance!!

Regards,
Greg.

@hwdsl2


Owner

hwdsl2 commented Sep 26, 2014

@tigertoo Hi Greg, I did a quick web search and found this nice-looking GUI for IPsec/L2TP VPN on Ubuntu. See the first link below. I haven't used it before but maybe you can give it a try. By the way, it seems that adding the PPA is no longer needed and you can directly install "l2tp-ipsec-vpn" from the app manager or using apt-get.

References: [1] [2] [3] [4]

@gengpo


gengpo commented Oct 3, 2014

hwdls2, thank you very much. The script works fine with my macbook and iphone.

@kyelup


kyelup commented Nov 8, 2014

hi my friend,
I'm a new on Ubuntu scripting, appreciate u can help me on this article.
seems i can not access below URL

# Those two variables will be found automatically
PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`

and met below errors
iptables: Applying firewall rules: iptables-restore v1.4.7: option `--port' requires an argument. Error occurred at line: 25. Try `iptables-restore -h' or 'iptables-restore --help' for more information.

can please advise me how to Set "PRIVATE_IP" and "PUBLIC_IP"?
thanks for u help.

@hwdsl2


Owner

hwdsl2 commented Nov 9, 2014

@kyelup Those two lines are only for use on Amazon EC2 instances, where the PRIVATE_IP and PUBLIC_IP will be automatically fetched from instance metadata.

For all other servers not in EC2, before running the script you must replace PRIVATE_IP=... and PUBLIC_IP=... with the actual IP addresses of your server (for example: PRIVATE_IP=10.0.1.1 PUBLIC_IP=123.123.123.123). If your server is running on its public IP directly with no private IP, just use that public IP for both.

Please refer to:
My Blog Post: https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
How to determine public IP of Ubuntu server: http://askubuntu.com/a/145017
(Note: The "ifconfig" command in the linked post should give your server's private IP, if it has one. Otherwise it will show the server's public IP. Look for the "eth0" line in the output.)

@zeusbaba


zeusbaba commented Nov 16, 2014

well done! thnx for your efforts!
i can confirm that this script works like a charm "on Ubuntu 14.04"

@wanliqun


wanliqun commented Nov 18, 2014

Good script, but I met some problem:
Nov 18 08:02:55 linux pluto[29956]: packet from x.x.x.x:13328: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK.

Anyone know how to fix this?

@hwdsl2


Owner

hwdsl2 commented Nov 18, 2014

@wanliqun Please check the following:

  1. The IPsec PSK configured in your VPN Client should match "/etc/ipsec.secrets" on the server.
  2. If your VPN server is not in Amazon EC2, replace PRIVATE_IP and PUBLIC_IP in this script with:
    PRIVATE_IP: Run command "ifconfig" on your VPN server. Locate "inet addr" under "eth0".
    PUBLIC_IP: Run command "wget -qO- http://ipecho.net/plain ; echo" on your server.

After making any necessary changes, restart the ipsec and xl2tpd services.

References: [1] [2] [3] [4]

@wanliqun


wanliqun commented Nov 19, 2014

@hwdsl2 Really appreciate for the instructions, it helps a lot.
Actually I'm using Linode. The control panel told me that my VPS private ip is 192.168.1xx.xx, so I used this private ip in my ipsec/l2tp config files. With 'ifconfig' the 'inet addr' is the same with my public ip, and after changing that, this L2TP configuration works like charm on my Ubuntu 14.10 VPS. I've tried a lot of L2TP tutorials and scripts on the web, but this one is most helpful. Thanks for the good work.

@geekan


geekan commented Dec 15, 2014

Can you connect the vpn server with a windows machine? (win7 / win8)
Mac succeed but windows is not.

@hwdsl2


Owner

hwdsl2 commented Dec 15, 2014

@geekan For Windows users, a registry change is required to allow connections to a VPN server behind NAT (e.g. in EC2). Please refer to the URL below (scroll down to the bottom of page).
https://kb.meraki.com/knowledge_base/troubleshooting-client-vpn

@geekan


geekan commented Jan 4, 2015

@hwdsl2 Thanks, the problem has been solved and this ipsec.reg script may be useful.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000
@gopher-maker


gopher-maker commented Jan 12, 2015

@hwdsl2

Thank you for the stellar work on this script! Just set up my 1st VPN server on Amazon ec2 (Ubuntu 14.04 micro instance). I have a problem though: I am forced to open all UDP ports on the instance to get traffic through on a VPN connection. How do I solve this? I thought that only the following ports need to be open for VPN to work:

ICMP: All
UDP: 500 (IPSec), 4500 (IPSec), 1701 (L2TP control/datapath)
TCP: 80 (http), 443 (https), 22 (ssh), 1723 (PPTP control path) << Some of these are open just so I can access the instance
IP: ESP (50)

And yet the only time I can browse the web when connected to VPN is when I open all UDP ports in my security group for the instance. Thanks in advance!

@hwdsl2


Owner

hwdsl2 commented Jan 12, 2015

@gopher-maker That certainly does not look right to me. For this IPsec/L2TP VPN script to work, the only ports that must be opened are UDP 500 and 4500. ICMP and TCP port 22 (for SSH) are optional (as needed), and other ports are NOT required. Please start over with a new Ubuntu EC2 instance, double check your configuration and try again.

@jejayhe


jejayhe commented Jan 24, 2015

The script process got stuck in the downloading phase."connecting to security.ubuntu.com"
the line above is Ign http://mirrors.linode.com trusy/universe Translation-en US
I don't know why it can't use apt-get update.
I changed to 12.04 and it's OK.
I find it very frustrating, those open-source software. They suck.

@hwdsl2


Owner

hwdsl2 commented Jan 24, 2015

@hejiaju This looks like an issue with IPv6 on Linode [1][2], where IPv6 is enabled on the server but hostnames fail to resolve. If you want to try again, please rebuild the server and before running your customized VPN setup script, follow the steps in [1]. For more information, see [3].

References:
[1] http://linuxaria.com/pills/how-to-convince-apt-get-not-to-use-ipv6
[2] http://forums.whirlpool.net.au/archive/2133158
[3] http://unix.stackexchange.com/a/13263

@Richard-air


Richard-air commented Feb 3, 2015

Dear sir.
I have done exactly what you have said. And reviewed the comments in front of me.
I still can't use iOS to connect to my Ec2 Ubuntu.
I have changed the "rightprotoport=17/%any" with "rightprotoport=17/0".......it doesnt work.

Tks for helping me.

@hwdsl2


Owner

hwdsl2 commented Feb 3, 2015

@Richard-airbus Please check your iOS VPN configuration - you should use the "L2TP" tab to configure, NOT the "IPsec" tab. See screenshot [1]. Don't forget to put your chosen PSK into the "Secret" field.

[1] https://www.softether.org/@api/deki/files/351/=05.jpg

@pfriedland


pfriedland commented Feb 9, 2015

works great! Thanks :)

@Richard-air


Richard-air commented Feb 16, 2015

I've done EXACTLY what you have said......

here's what I have got from /var/log/auth.log:
(removed for privacy)

@hwdsl2


Owner

hwdsl2 commented Feb 16, 2015

@Richard-airbus Your issue looks very similar to [1]. Specifically, in your log file, we see:
"... the peer proposed: ... -> 192.168.1.101/32:17/0"

Please try replacing this line in /etc/ipsec.conf:
"rightprotoport=17/%any" with "rightprotoport=17/0".
Then restart IPsec and xl2tpd: service ipsec restart; service xl2tpd restart

References:
[1] http://serverfault.com/q/461996
[2] https://libreswan.org/wiki/FAQ#Common_error_messages

@AbdulRafay


AbdulRafay commented Feb 17, 2015

tnx alot for your effort can you guide me hw can i edit it so to add the xauth capability, i need to support multiple clients behind same NAT
Regards.

@hwdsl2


Owner

hwdsl2 commented Feb 18, 2015

@AbdulRafay I wish I could help but unfortunately I have very little experience with XAUTH. I suggest that you ask for help on the Libreswan mailing list above, or search for related tutorials on the web. Good luck!

@leeivan


leeivan commented Apr 11, 2015

Thank you very much for sharing this script, but after successfully connecting to the VPN I can't reach the internet through it. Please give me some idea. Thank you

@hwdsl2


Owner

hwdsl2 commented Apr 11, 2015

@leeivan What error(s) did you see? Please double check your PUBLIC_IP and PRIVATE_IP variables and try again.

@leeivan


leeivan commented Apr 11, 2015

thank everything, I did the whole job with these awesome script, but I had several problem as well. Now, I resolved these problems. so, I share these problem and solution to you.
1 I can connect to vpn server, but not to access internet through vpn from mac client.
I check 'Send all traffic over VPN connection' at 'Advanced' of 'Open Network Preference'
2 I got error 809 when I use window 8.1 client to connect, but I did not resolve the problem with this doc(https://kb.meraki.com/knowledge_base/troubleshooting-client-vpn)
Run "regedit", allocate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, and delete ProhibitIpSec key. Restart Windows, and try to connect VPN again.

@hwdsl2


Owner

hwdsl2 commented Apr 11, 2015

@leeivan Thanks for sharing your solutions with us.

@PowerPan


PowerPan commented May 3, 2015

Thanks for this awesome script
But i have the same problem

When I connect to the VPN server I cannot connect to the internet ;( any ideas why?!

@naoziwatele


naoziwatele commented May 11, 2015

Is it possible to limit the VPN to only one device connecting with a given username and password?

@hwdsl2


Owner

hwdsl2 commented May 12, 2015

@PowerPan Please refer to the comments immediately above yours for helpful hints. Good luck!

@naoziwatele I am not 100% sure, but please see references [1] and [2] below.
[1] https://serverfault.com/q/452431
[2] https://libreswan.org/man/ipsec.conf.5.html

@AndrewFarley


AndrewFarley commented May 21, 2015

Slight editing to use on non-AWS server, but works perfectly. I took Paul's advice and switched to Cisco IPSec Mode also. Thanks!

@blue-apparition


blue-apparition commented Jul 14, 2015

Hello. I'm new to VPN, never created any yet. I'm using ike-qtgui package on Debian as a client (I don't use GNOME/KDE, only pure icewm).

I chose "Mutual PSK" as authentication method (and entered the "your_very_secure_key" in the PSK box). But I don't see where do I put the chap credentials:
VPN_USER=your_username
VPN_PASSWORD=your_very_secure_password
(when connecting, it times out on bringing up tunnel)

Can this client be used for your server? It seems it only supports standard IPsec auth methods, not thru ppp/chap.

Can the script be (easily) changed to remove this ppp/chap stuff? (I'm allowing all traffic only from my IP network, so will be safe)

Thanks.

@hwdsl2


Owner

hwdsl2 commented Jul 14, 2015

Hello @abvgdee, the "ike-qtgui" package you mentioned is the Linux version of Shrew Soft VPN Client, which does NOT support IPsec/L2TP [1], even if you remove the PPP/CHAP. You can try the "l2tp-ipsec-vpn" package for Debian [2] or Ubuntu [3] instead, which does support IPsec/L2TP.

[1] http://comments.gmane.org/gmane.network.vpn.shrew.user/2110
[2] https://packages.debian.org/search?keywords=l2tp-ipsec-vpn
[3] http://packages.ubuntu.com/search?keywords=l2tp-ipsec-vpn

@blue-apparition


blue-apparition commented Jul 15, 2015

Thanks for the quick reply.
I upgraded to Jessie, and that GUI is not available anymore.
I tried Windows 7 built-in client - your script works fine.
I'd like console (either command-line or curses) clients. I'll play/look around..
Thanks again, for supporting your work.

@lvlovestory


lvlovestory commented Aug 26, 2015

The Windows 8.1 Pro built-in client (default) cannot connect to the server that I installed with this script. But my iPhone connects in one shot and there is no problem. We need to improve this script code anyway.

@jlund


jlund commented Sep 27, 2015

I used this script as a reference for a major upgrade to Streisand that I just pushed to master. Libreswan has replaced strongSwan, and L2TP/IPsec performance seems to be much, much better. The strongSwan configuration that I had previously developed stopped working during the switch from Debian 7 to Ubuntu 14.04 as the base foundation, and I was very sad.

Finding this script and your blog post was an absolute life saver. It allowed me to quickly see what changes needed to be made to the L2TP/IPsec role, and I'm really excited to be using Libreswan now too. I credited you in the LICENSE file and in the relevant commit message. I wish that I could do even more.

Thank you so much for your help. Keep up the great work!

@sgarbesi


sgarbesi commented Oct 19, 2015

Anyone care to share this script modified to use the passwords of the Unix users currently on the system, or an LDAP server? @hwdsl2

@atylla11


atylla11 commented Nov 9, 2015

I have changed iptables.rules to open other TCP ports, e.g.:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
...
A Java app is running on TCP port 8080. After I start my Java app I can connect to the VPN but can't browse using the VPN IP. Can someone help me?

@sicloudhosting


sicloudhosting commented Nov 12, 2015

FYI: This wiped out all my settings in /etc/rc.local

@hwdsl2


Owner

hwdsl2 commented Nov 12, 2015

@sicloudhosting This script does back up the original /etc/rc.local, which you can find at /etc/rc.local.old-(date-and-time). With that said, it is strongly recommended to use it on a freshly installed Linux OS.

@atylla11 Can you please elaborate on your question about the java app and vpn? I didn't quite understand it. Did you first connect to the VPN and then try to access the Java app?

@sgarbesi Please see Paul's comment about using XAUTH ("Cisco IPsec mode") which supports PAM authentication. Use the Libreswan mailing list (link below) for any question.
https://lists.libreswan.org/mailman/listinfo/swan

@SidBala


SidBala commented Dec 19, 2015

Awesome script!

I am trying to get access to my AWS VPC with this setup. My VPC subnet is at 172.16.0.0/12. What else do I need to configure in order to be able to access hosts on this subnet from my VPN client host (192.168.42.10)?

@hwdsl2


Owner

hwdsl2 commented Dec 19, 2015

@SidBala Open /etc/ipsec.conf in an editor and replace this line leftsubnet=.../32 with leftsubnet=172.16.0.0/12. Save the file and run service ipsec restart.

In addition, make sure that in the security group of your EC2 instances, you have allowed "All Traffic" from the VPC subnet.

Now re-connect the VPN and test access to your VPC.

@Peacesulh


Peacesulh commented Jan 11, 2016

Thanks for your awesome script.
I have two problems (questions )... I hope someone can help me

  1. when I'm trying to type : sudo /etc/init.d/ipsec start
    then these lines appear: failed to start openswan IKE daemon - the following error occurred:
    can not load config '/etc/ipsec.conf': /etc/ipsec.conf:2: syntax error, unexpected KEYWORD, expecting $end [virtual_private]
  2. when I'm trying to type : sudo ipsec verify
    then these lines appear:
    Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan U3.15/K(no kernel code presently loaded) on 3.19.0-25-generic
Checking for IPsec support in kernel [FAILED]

The ipsec service should be started before running 'ipsec verify'

Pluto ipsec.conf syntax [PARSE ERROR]
cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:2: syntax error, unexpected KEYWORD, expecting $end [virtual_private]

Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [FAILED]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:2: syntax error, unexpected KEYWORD, expecting $end [virtual_private]
Opportunistic Encryption [DISABLED]

ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help

Thanks

@hwdsl2


Owner

hwdsl2 commented Jan 11, 2016

@Peacesulh Your /etc/ipsec.conf does not have the correct indentation. Make sure all the parameters inside ipsec.conf except 'conn', 'version' and 'config' are started after a TAB (or two spaces). Please refer to links [1] and [2] below. After editing ipsec.conf you will need to run service ipsec restart (via sudo). Then try ipsec verify again.

[1] https://gist.github.com/hwdsl2/9030462#file-vpnsetup-sh-L113-L149
[2] http://www.golinuxhub.com/2012/10/unexpected-keyword-expecting-end-type.html

@gengpo


gengpo commented Jan 13, 2016

Thank you very much, great job!

@katty7


katty7 commented Jan 15, 2016

Hello dears. I need to configure my client connection via xl2tpd to the VPN server but without success ...
Plz who can help me ?
tnx a lot of

@hwdsl2


Owner

hwdsl2 commented Jan 15, 2016

@katty7 What error(s) did you encounter? Please provide more details.

@Peacesulh


Peacesulh commented Jan 16, 2016

Thank You Very Much Brother @hwdsl2 👍

@Langleson


Langleson commented Jan 20, 2016

I am trying to log on to the VPN in Windows and I get the following error: "Error 628: connection terminated by remote computer before it could be completed"

Any suggestions for troubleshooting?

Edit: I just tested it on my android phone and it works. Still Any suggestions would be great.

@hwdsl2


Owner

hwdsl2 commented Jan 20, 2016

@Langleson Please review the steps in [1] and [2] for configuring IPsec/L2TP VPN on Windows 7. Double check all settings including the VPN username/password and PSK for correctness. In addition, make sure "CHAP" under the "Security" tab is allowed. If still not working, reboot your server and try again. Unfortunately I have not seen "Error 628" before. You could try asking on the Libreswan mailing list [3].

1: https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/4.Windows_L2TP_Client_Setup
2: https://www.hideipvpn.com/setup/howto-windows-7-ipsecl2tp-vpn-setup-tutorial/
3: https://lists.libreswan.org/mailman/listinfo/swan

@Langleson


Langleson commented Jan 21, 2016

@hwdsl2 Thank you so much. It was the CHAP settings. The tutorial I saw for running a VPN in windows didn't show that. You should perhaps link that on the main page. Also, one thing that wasn't immediately obvious to me as a beginner was what an IPSEC_PSK was. I thought this might be the same ssh key I used for the ec2. Also, I wasn't sure if I needed quotation marks around those variables.

@hwdsl2


Owner

hwdsl2 commented Jan 21, 2016

@Langleson You're welcome. And thanks for the suggestions!

@Peacesulh


Peacesulh commented Jan 24, 2016

Brothers, can you help me with this error while trying to log on to the VPN in Windows 8.1: "Error connecting to VPN Connection Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

@Peacesulh


Peacesulh commented Jan 24, 2016

putty

@hwdsl2


Owner

hwdsl2 commented Jan 24, 2016

@Peacesulh Make sure you have made this one-time registry change [1] and rebooted your Windows computer. This registry key is required for VPN connections if the server and/or client is behind NAT (e.g. home router).

[1] https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809

@pl1ght


pl1ght commented Feb 21, 2016

Having issues talking to other hosts inside of my AWS VPC which is a 10.0.0.0/16. I followed your instructions per the previous poster in relation to his 172.x VPC and adding it to the leftsubnet and performed the iptables suggestion. I connect into my VPN just fine, but never can access the hosts on that 10.x network. I can ssh to my VPN server via its 192.168.42.1 gateway once connected, so i know traffic is working, but the 10.0.0.x are not being routed through to my client. Are there any other options i should be looking for?

@hwdsl2


Owner

hwdsl2 commented Feb 21, 2016

@pl1ght I double checked and found that the IPTables change is unnecessary and may cause issues. Please revert the change (i.e. remove ! -d 10.0.0.0/16 in file /etc/iptables.rules), then run iptables-restore < /etc/iptables.rules.

In addition, make sure that in the security group of your EC2 instances, you have allowed "All Traffic" from the VPC subnet.

I have updated my comment above [1] with the corrected information.

[1] https://gist.github.com/hwdsl2/9030462#gistcomment-1653760

@pl1ght


pl1ght commented Feb 22, 2016

@hwdsl2 Appreciate the response, and your work on the scripts are amazing. I am still having the same issue. I haven't gone as far as a tcpdump yet, but I blew away ec2 instance, started fresh, added my 10.0.0.0/16 to the leftsubnet in ipsec.conf/restarted, made no iptables changes this time, and I can again VPN in with no issue, ssh to the VPN instance 192.168.42.1 IP, but i still can't get into that instances 10.0.0.6 ip or any other instances subnet, eg 10.0.0.192. I have allowed all VPC subnet traffic via SG groups to those instances. I feel as I am missing a simple stupid setup/config step here at this point.

@pl1ght


pl1ght commented Feb 22, 2016

@hwdsl2 Nevermind! Added a static route to the ppp0 interface "sudo route add -net 10.0.0.0/16 -interface ppp0". Knew it was stupid. Again, thank you for your help!

@jj777


jj777 commented Mar 5, 2016

What would I need to do if there isn't a private IP range by default on the server?

E.G: There's only one interface, and it's an internet-facing address block. So both PRIVATE_IP and PUBLIC_IP are being set to 103.1.xxx.xxx/32 etc.

root@server:~# dig +short myip.opendns.com @resolver1.opendns.com
103.1.xxx.xxx
root@server:~# wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com
103.1.xxx.xxx
root@server:~# wget -t 3 -T 15 -qO- http://ipecho.net/plai
root@server:~# ip -4 route get 1 | awk '{print $NF;exit}'
103.1.xxx.xxx
root@server:~# ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*'
103.1.xxx.xxx
@hwdsl2


Owner

hwdsl2 commented Mar 5, 2016

@jj777 It is perfectly fine if there isn't a private IP range on the server. Just set both PUBLIC_IP and PRIVATE_IP to the server's public IP address, or comment them out and let the script auto-detect. The VPN should work as expected.

@moayman


moayman commented Apr 4, 2016

After setting up the server on AWS EC2. What is the appropriate way to change the password? Is it by running the script again with the modified password or by some other way?

@hwdsl2


Owner

hwdsl2 commented Apr 4, 2016

@moayman Just run the script again with the new password. Alternatively, you may edit /etc/ipsec.secrets (for PSK) and/or /etc/ppp/chap-secrets (for VPN credentials). When finished, run service ipsec restart and service xl2tpd restart.

@moayman


moayman commented Apr 5, 2016

@hwdsl2 Thanks a lot. That's what I was looking for.

@bdombrow


bdombrow commented Apr 22, 2016

Thank you for the great script. I've got my VPN up and running on an EC2 micro instance. I do have one issue. I'm using the same micro instance as a web and mail server. I'm unable to connect to the web and mail server while connected to the VPN. I can get to anything else, just not back to the server. Is there something I can change to fix that?

I figured it out on my own. I had to tweak the iptables rules to open the ports back up.

@hwdsl2


Owner

hwdsl2 commented Apr 22, 2016

@bdombrow Yes, that is correct. To open additional ports on Ubuntu/Debian, add the appropriate IPTables rules to /etc/iptables.rules and/or /etc/iptables/rules.v4. Then reboot the server.

@coughlinj


coughlinj commented Jun 16, 2016

@hwdsl2 Thank you very much for this script. It's been a great help to me!

Question: After connecting to the VPN and accessing my resources, I noticed that certain routes I'd set up don't work. My remote IP issued by the VPN server was 10.0.102.10. I'd set up routes for traffic in that subnet (10.0.102.0/8), when needed, to go certain places, for various things (going to aws etc). When I investigated, I found that when I had been accessing local resources, it was logging the VPN host's IP (10.0.0.49), and not the one issued to me by the VPN server during logon (10.0.102.10). I'm trying to resolve this issue, but don't seem to be having much luck. Any thoughts on the issue would be greatly appreciated. You can see an example here:

screen shot 2016-06-16 at 2 27 56 pm

Once again, thank you very much for taking the time to not only create this script, but also for taking the time to respond to questions about, and supporting it.

@hwdsl2


Owner

hwdsl2 commented Jun 16, 2016

@coughlinj You're welcome. I understand that you want to make the connection requests originate from the IP issued to the VPN client. Unfortunately this cannot be done unless the server(s) you're trying to access are all connected to the same VPN.

@logs777


logs777 commented Jun 26, 2016

Hello! Thank you for great solution!
I have one little problem: my Android 4, iOS 9 and Win 10 devices connect to the VPS via IPsec/L2TP PSK without any errors, but Android 6 with the latest updates (Nexus device) doesn't connect; in the ipsec log I see the following error:

Jun 26 11:12:03 server-12 pluto[23436]: "l2tp-psk"[11] external-ip-here #46: the peer proposed: vps-ip-here/32:17/1701 -> 192.168.1.5/32:17/0
Jun 26 11:12:03 server-12 pluto[23436]: "l2tp-psk"[11] external-ip-here #52: no acceptable Proposal in IPsec SA
Jun 26 11:12:03 server-12 pluto[23436]: "l2tp-psk"[11] external-ip-here #52: sending encrypted notification NO_PROPOSAL_CHOSEN to external-ip-here:1024
Jun 26 11:12:03 server-12 pluto[23436]: "l2tp-psk"[11] external-ip-here #52: deleting state #52 (STATE_QUICK_R0)
@hwdsl2


Owner

hwdsl2 commented Jun 26, 2016

@logs777 Hello there! Android 6 (Marshmallow) users should modify /etc/ipsec.conf. Please see details at https://git.io/vpnclients

@mmocz


mmocz commented Aug 9, 2016

Hi. Thanks for a great script! I recently encountered an issue and I have tried everything I thought of, but I'm unable to solve it.

I complete the installation and everything works fine with the first predefined user. But then if I edit the chap-secrets file I'm unable to log in with any user. I have checked and tried everything - file permissions, file content, restarted both services, rebooted - and nothing.

If I edit your script before the installation with the users I need everything then works fine. But if I edit the chap-secrets file later, nothing works. Do you have any idea, what could i be doing wrong? Thanks a lot!

@hwdsl2


Owner

hwdsl2 commented Aug 9, 2016

@mmocz Please open an issue on GitHub. Comment notifications do not work in GitHub Gists.

@toornet


toornet commented Dec 18, 2016

Hi, Thanks for the script... Install and the server worked..
I tried with a Linux client; it makes the connection successfully and I can use web browsing through the VPN.
Everything good, In this way all the website works, example (speedtest.net, github.com ... etc etc)...

I use a Mikrotik server (www.mikrotik.com), and configured it this way: (https://support.hidemyass.com/hc/en-us/articles/204558497-Mikrotik-Client-Setup) (L2TP Setup). It works, but I have the problem that some pages do not open, for example speedtest.net, github.com, among others; Chrome prints "ERR_TIMED_OUT". YouTube and Facebook work fine.

I ping the domain and get a reply, but it does not open the page.

What could be the problem?
something is missing? :(

Thanks!.

@jkyc


jkyc commented Jan 2, 2017

nub here.
when i run sudo sh ./vpnsetup.sh
all i get is
Error: Network interface 'eth0' is not available.

If running on server, try this workaround:
vpn_iface="$(route etc...

Any ideas what i'm doing wrong? I have a ubuntu workstation that I am trying to install this on for home use/testing.. not a cloud instance..

Thank you!

@hwdsl2


Owner

hwdsl2 commented Jan 2, 2017

@jkyc Hello! Your server (or workstation) does not have an active 'eth0' network interface. Please follow the workaround and run the two commands mentioned in the output. After install, you may also need to forward UDP ports 500 and 4500 on your router (if any) to the workstation's private IP. Then connect to the VPN using your home public IP.

@minhpfiev51


minhpfiev51 commented Jan 9, 2017

Hello! I followed your instructions and installed successfully. My VPN ubuntu server is behind a Router modem. I made a VMWARE bridge between VPN ubuntu server and a Windows 7 VM (in the same PC). Both VMs can ping successfully to each other. But Windows 7 VM cannot connect to VPN ubuntu server. The error code is 789
image
I also cannot connect to the VPN Ubuntu server remotely from another Windows 10 VM on the internet (even after creating port forwarding for 500, 4500, 1701 on the router modem).
image

Maybe my Router modem doesn't work properly, but as I cannot connect from the same VMWARE bridge (like in the same LAN segment) so it means the setup for server seems not correct. Or is there any problem with VMWARE ? Could you please give me some suggestions to solve this problem. Thank you so much.

@hwdsl2


Owner

hwdsl2 commented Jan 9, 2017

@minhpfiev51 Hello! The reason that you cannot connect to the VPN server using its private IP, is because the VPN server setup script was designed to work with connections to the public IP only. In order for VPN clients to connect via the private IP, edit the following files:

  1. In /etc/ipsec.conf, change this line: " leftid=YOUR_PUBLIC_IP" to your private IP. e.g. " leftid=192.168.1.80"
  2. In /etc/ipsec.secrets, replace your public IP with your private IP. e.g. "192.168.1.80 %any : PSK ..."
  3. Restart IPsec service: "service ipsec restart".
  4. Try again connecting using the private IP of the VPN server.

After your experiment, if you wish to connect using the server's public IP, revert the changes above and restart IPsec service. Remember to forward UDP ports 500 and 4500 on your Router to your VPN server. Other ports are not required.

See also: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues

@minhpfiev51


minhpfiev51 commented Jan 9, 2017

@hwdsl2: Thank you! I followed your suggestion to use private IP address but the Windows 7 VM still can't connect to VPN server. I think that maybe there is a problem with VMWARE regarding forwarding VPN packet.
I also want to note that I don't meet any problem with PPTP VPN in this case

@manili


manili commented Jan 28, 2017

Thanks a lot for the script.
After I installed the VPN server for a while and connected to it without any problem, now both my macOS and iOS cannot connect to the server via my current ISP (first my iOS refuses to connect and after some days macOS got the same issue). However if I use mobile internet (3G) to connect to the VPN server it has no problem. Is there anything like banning my ISP ip addresses range or something ?
The macOS error is : The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
Thanks a lot.

@hwdsl2


Owner

hwdsl2 commented Jan 28, 2017

@manili Hello! From what you mentioned, it looks like your ISP may have blocked access to your VPN server. Unfortunately there is no easy solution for this. You can try: 1. Reboot the server and VPN clients, or 2. Set up another server with a different IP. Good luck!

@manili


manili commented Jan 29, 2017

@hwdsl2 Hello
Thanks for the reply. So why first the iOS got blocked and after some DAYS macOS faces the same issue? they are both in the same LAN and use the router to connect to the internet. Even I tried to connect to VPN server with my iOS in some place else (which uses the same ISP) without any problem. Is there anything else you think could cause the issue?
Thanks a lot.
P.S : I can ssh to my server without any problems.

@hwdsl2


Owner

hwdsl2 commented Jan 29, 2017

@manili First, please note that you cannot connect multiple devices simultaneously from behind the same NAT (e.g. home router), due to an IPsec/L2TP limitation.

You can troubleshoot the VPN connection by watching the logs on the server:

tail -F /var/log/auth.log | grep pluto

Run this command, then try connecting. If the connection is not blocked, you should see logs displayed on the screen.

@manili


manili commented Jan 29, 2017

@hwdsl2 Thanks a lot for your help. This is the result of your command ( after I tried to connect with my iPhone) :

[MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: unknown clock_gettime() error: -1
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: responding to Main Mode from unknown peer [MY IP 1]
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: unknown clock_gettime() error: -1
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: unknown clock_gettime() error: -1
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: unknown clock_gettime() error: -1
Jan 29 03:00:24 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: | ISAKMP Notification Payload
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[16] [MY IP 1] #12: switched from "l2tp-psk"[16] [MY IP 1] to "l2tp-psk"
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 1] #12: deleting connection "l2tp-psk"[16] [MY IP 1] instance with peer [MY IP 1] {isakmp=#0/ipsec=#0}
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 1] #12: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 1] #12: new NAT mapping for #12, was [MY IP 1]:500, now [MY IP 2]:4500
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: unknown clock_gettime() error: -1
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jan 29 03:00:25 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: unknown clock_gettime() error: -1
Jan 29 03:00:28 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jan 29 03:00:30 [MY SERVER NAME] pluto[8644]: unknown clock_gettime() error: -1
Jan 29 03:00:31 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jan 29 03:00:34 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Jan 29 03:00:44 [MY SERVER NAME] pluto[8644]: unknown clock_gettime() error: -1
Jan 29 03:00:47 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Jan 29 03:00:50 [MY SERVER NAME] pluto[8644]: unknown clock_gettime() error: -1
Jan 29 03:00:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: unknown clock_gettime() error: -1
Jan 29 03:00:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: unknown clock_gettime() error: -1
Jan 29 03:01:04 [MY SERVER NAME] pluto[8644]: unknown clock_gettime() error: -1
Jan 29 03:02:07  pluto[8644]: last message repeated 9 times
Jan 29 03:02:55  pluto[8644]: last message repeated 5 times
Jan 29 03:02:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: DPD: No response from peer - declaring peer dead
Jan 29 03:02:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2] #12: IKEv1 DPD action: Clearing Connection l2tp-psk[17] CK_INSTANCE
Jan 29 03:02:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk" #12: deleting state (STATE_MAIN_R3)
Jan 29 03:02:55 [MY SERVER NAME] pluto[8644]: "l2tp-psk"[17] [MY IP 2]: deleting connection "l2tp-psk"[17] [MY IP 2] instance with peer [MY IP 2] {isakmp=#0/ipsec=#0}
Jan 29 03:03:06 [MY SERVER NAME] pluto[8644]: unknown clock_gettime() error: -1
@hwdsl2


Owner

hwdsl2 commented Jan 29, 2017

@manili From your logs, yes it does appear that the VPN connection is being blocked.

@submerged15


submerged15 commented Feb 3, 2017

Thank you for your awesome script!
Is there an easy way to change the IP of the VPN server and the subnet? I would like to change these to a Class A range.

@hwdsl2


Owner

hwdsl2 commented Feb 3, 2017

@submerged15 Yes, it is possible. For example, if you want to change the IPsec/L2TP subnet to 10.98.0.0/16, and change the IPsec/XAuth subnet to 10.99.0.0/16, make the following changes in the VPN setup script before using, or run it again after editing:

Replace this line:

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23

with:

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.98.0.0/16,%v4:!10.99.0.0/16

Replace this line:

  rightaddresspool=192.168.43.10-192.168.43.250

with:

  rightaddresspool=10.99.0.10-10.99.254.254

Replace these lines:

ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1

with:

ip range = 10.98.0.10-10.98.254.254
local ip = 10.98.0.1

Replace ALL 192.168.42.0/24 with 10.98.0.0/16.
Replace ALL 192.168.43.0/24 with 10.99.0.0/16.

The above is just an example, but you get the idea. I would not recommend using the entire 10.0.0.0/8, because if the VPN client has a local network that is contained within or overlaps with one of the VPN networks you specified, that client will NOT be able to connect.

@submerged15


submerged15 commented Feb 3, 2017

Thank you very much for your fast help!
Another much simpler question: some clients of the VPN need a static address. How can I achieve this? Do they need a separate address range?

hwdsl2 commented Feb 3, 2017

@submerged15 Unfortunately I am not aware of any method to assign a static address to VPN clients.

submerged15 commented Feb 3, 2017

Ok, what about this? https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
PPP server configuration -> /etc/ppp/chap-secrets

hwdsl2 commented Feb 3, 2017

@submerged15 Yes you can try the static IP instructions under "PPP server configuration" on that page. I have not tested it though. Be careful and make sure that:

  1. The static IPs should not be taken from the pool, as mentioned in the article. For example, you can reduce the pool first (e.g. ip range = 10.98.0.10-10.98.99.254), and then assign the remaining part of that subnet individually as static addresses.
  2. The static IPs you assign must be from the subnet you specified (e.g. 10.98.0.0/16 from the comment above). This is to make sure that the IPTables rules continue to work for these clients with assigned static IPs.
submerged15 commented Feb 4, 2017

@submerged15 Yes you can try the static IP instructions under "PPP server configuration" on that page. I have not tested it though. Be careful and make sure that:

The static IPs should not be taken from the pool, as mentioned in the article. For example, you can reduce the pool first (e.g. ip range = 10.98.0.10-10.98.99.254), and then assign the remaining part of that subnet individually as static addresses.
The static IPs you assign must be from the subnet you specified (e.g. 10.98.0.0/16 from the comment above). This is to make sure that the IPTables rules continue to work for these clients with assigned static IPs.

It worked without any problems!
Is it 'state of the art' to use the same IPsec PSK for every VPN client? To add a new, different IPsec PSK, do I just add a new line to /etc/ipsec.secrets?
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md

ghost commented Feb 4, 2017

Thanks a lot for the script. I'm a very beginner and need some help..
I need bidirectional communication between the VPN server and the client. The client (connection established, 192.168.42.10 assigned) can ping the VPN server with "ping 192.168.42.1", but the server cannot reach the client from the pool with "ping 192.168.42.10". Why is the client not reachable? Is the routing table not configured correctly?
Thank you for any help!

hwdsl2 commented Feb 4, 2017

@submerged15 Glad to hear it is working. Regarding your question, you may only specify one IPsec PSK per server. That PSK is shared among all VPN clients. You may edit the PSK in /etc/ipsec.secrets, but not by adding more lines.

hwdsl2 commented Feb 4, 2017

@schui17 Hello! The behavior you described is normal. Many operating systems block inbound ICMP echo requests (ping) for security reasons. For example, Windows and Android both block them. These packets are allowed by the VPN server, but blocked at your VPN client.

submerged15 commented Feb 7, 2017

Why is OpenVZ not supported at the moment?

hwdsl2 commented Feb 7, 2017

@submerged15 OpenVZ VPS uses a shared kernel which lacks the IPsec support required for the VPN. Please use a KVM/Xen VPS instead.

submerged15 commented Feb 8, 2017

Is there no workaround for this, other than using a different VPS?

hwdsl2 commented Feb 8, 2017

@submerged15 Unfortunately there is not. However, you may try OpenVPN or Shadowsocks [1] if using OpenVZ.

[1] https://github.com/hwdsl2/setup-ipsec-vpn#see-also

NoelSaldanha commented Feb 9, 2017

Hey there!
Great script. I was wondering if you could help me resolve something though.
What I want is to create a VPN where my connected clients are in the same logical network as my EC2 instances, therefore being able to use each others private IPs for connectivity.
I've been trying to work my way around it based on your previous answers but I just wasn't able to.
My subnet which contains all my EC2 instances (Asterisk server) that I want to access through my client is 10.0.1.0/24.
Also I wasn't able to access the L2TP, but because I want multiple hosts from a single NAT, I'll use IPSec, which connects just fine. However it doesn't connect to the Internet.

Thank you in advance!

hwdsl2 commented Feb 9, 2017

@NoelSaldanha Hello! For your use case, you can simply use the script as is. After connecting, you should be able to visit your subnet 10.0.1.0/24, and all traffic would appear to originate from the VPN server's private IP.

The (very) important part is to double check your security group for all instances and ensure that traffic is allowed from each other. For example, if all instances share the same security group, you must add a rule to allow traffic from that group itself.

Based on the information provided, I do not know why your IPsec doesn't connect to the Internet. For further questions, try the Libreswan mailing list [1], where many VPN experts could help. Good luck!

[1] https://lists.libreswan.org/mailman/listinfo/swan

NoelSaldanha commented Feb 10, 2017

My EC2 instances can ping each other, however neither my VPN Server (nor the Asterisk server) can ping 192.168.43.10, which was the private IP assigned to my device. Also, my device cannot ping the VPN server's private IP nor public IP. In my subnet routing I only have 10.0.0.0 to local (I have more than a subnet, but the VPN Server and the Asterisk server are in the same subnet) and 0.0.0.0 to IGW. The security groups seem fine, and I tried allowing all inbound traffic just for testing and it didn't work still.
Apologies for being a bother but I've tried a lot of things and I think if I can make this work it's with your help. Thanks in advance!

spartametje commented Mar 18, 2017

Hello, thanks for the script. I install the VPN server on my Rasperry Pi 3B+. I am able to connect to it from my Chromebook and also from my Windows 10 computer after 'REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f'.

Unfortunately, when I try to connect from my Windows Mobile 10 phone, I receive VPN error 809. Is it possible to connect from Windows Mobile 10 phone?

hwdsl2 commented Mar 18, 2017

@spartametje Windows Mobile phones are known to have problems connecting to an IPsec/L2TP VPN. You may want to instead try setting up the IKEv2 mode [1]. Note that this is for advanced users only.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md

ORARiccardo commented Mar 25, 2017

Hi @hwdsl2, I'm running a VPS with Ubuntu 16.04 and used the auto setup script, but when I run ipsec verify, I get these issues:

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.20 (netkey) on 4.4.38-std-1
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help

But I opened both udp 500 and udp 4500. How can I fix this?

hwdsl2 commented Mar 25, 2017

@ORARiccardo Hello! It seems you are using Scaleway. Their "standard" kernel does not work with IPsec. To fix, login to the Scaleway control panel, go to "settings" for your server, and change to the "latest" kernel (e.g. 4.8.x). Then reboot the server. Your VPN should work after that - try connecting with your VPN client. For more details, please read [1].

[1] hwdsl2/setup-ipsec-vpn#102

ORARiccardo commented Mar 27, 2017

change to the "latest" kernel (e.g. 4.8.x). Then reboot the server. Your VPN should work after that - try connecting with your VPN client.

Indeed! Problem solved! Thanks @hwdsl2 !

UlifiPond commented Apr 11, 2017

Hello, I don't know what happened here. I tried to open UDP 500 and 4500 but received "firewalld is not running" and "Failed to start firewalld.service: Unit is masked", and then when I try to connect the IPsec VPN from my Windows 10 client I receive a modem error. Please help me with this; I have been stuck on it for a whole week.

hwdsl2 commented Apr 11, 2017

@UlifiPond Unless you use a server that has an external firewall, such as Amazon EC2, the script already opens UDP ports 500 and 4500 for you. During setup it uses IPTables instead of firewalld, and masks firewalld in CentOS 7. You can confirm that these ports are open using command sudo iptables -nL.

For any connection error, please follow all troubleshooting steps in [1]. Good luck!

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting

rrothermund commented Apr 12, 2017

Connecting with a Nexus 6P and also a Chromebook. Neither will connect. The logs show the following:

Apr 11 22:09:17 server pluto[2408]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #30: ESP IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA2_512] refused
Apr 11 22:09:17 server pluto[2408]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #30: no acceptable Proposal in IPsec SA

Any idea what causes this?

Edit: Found this in the Android issue tracker.

Update: in the next minor release, on devices that receive it:

  1. SHA384 and SHA512 will be advertised and used if the device kernel was compiled with CONFIG_CRYPTO_SHA512. If the kernel does not support it, it will not be advertised. Bear in mind that the kernel differs from device to device and only the device manufacturer can enable the option if it's not already enabled.
  2. Nexus and Pixel kernels have CONFIG_CRYPTO_SHA512 enabled and will use them if negotiated.
  3. The SHA256 proposal is listed after SHA1, so VPN servers that pick the first acceptable proposal sent by the peer will use (working) SHA1 instead of (possibly non-interoperable) SHA256.

This appears to be referring to the Android 7.1.2 maintenance release that arrived in early April; it looks like the changes they proposed were merged into that update. Now, how do I fix this?

hwdsl2 commented Apr 12, 2017

@rrothermund Thanks for the report. Please edit /etc/ipsec.conf, and replace the ike= and phase2alg= lines with:

  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512

Note that the above lines should be indented by two spaces. When finished, run:

service ipsec restart

Please let us know if this fixes the problem for you.

rrothermund commented Apr 12, 2017

@hwdsl2 That change fixed the 6P issue and it can now connect, but my Chromebook is still unable to connect.

hwdsl2 commented Apr 12, 2017

@rrothermund Glad to hear it is working. Not sure about the Chromebook. Any error in the logs?

rrothermund commented Apr 12, 2017

@hwdsl2 This is the only thing that looks suspicious in the log. Tried a tcpdump -i on port 500 on the router and I see the isakmp packet come through.

Apr 12 13:35:00 server pluto[1306]: seccomp security not supported
Apr 12 13:35:01 server pluto[1306]: connection l2tp-psk must specify host IP address for our side
Apr 12 13:35:01 server pluto[1306]: attempt to load incomplete connection
Apr 12 13:35:01 server pluto[1306]: connection xauth-psk must specify host IP address for our side
Apr 12 13:35:01 server pluto[1306]: attempt to load incomplete connection
Apr 12 13:35:01 server pluto[1306]: listening for IKE messages
Apr 12 13:35:01 server pluto[1306]: adding interface lo/lo 127.0.0.1:500
Apr 12 13:35:01 server pluto[1306]: adding interface lo/lo 127.0.0.1:4500
Apr 12 13:35:01 server pluto[1306]: adding interface lo/lo ::1:500
Apr 12 13:35:01 server pluto[1306]: | setup callback for interface lo:500 fd 17
Apr 12 13:35:01 server pluto[1306]: | setup callback for interface lo:4500 fd 16
Apr 12 13:35:01 server pluto[1306]: | setup callback for interface lo:500 fd 15
Apr 12 13:35:01 server pluto[1306]: loading secrets from "/etc/ipsec.secrets"
hwdsl2 commented Apr 12, 2017

@rrothermund That log looks fine. Unfortunately I am not sure about the Chromebook issue.

rrothermund commented Apr 13, 2017

@hwdsl2 Now when the chromebook tries to connect I am seeing a proposal of OAKLEY_AES_CBC (256), OAKLEY_SHA2_384, OAKLEY GROUP MODP1024.

Then a connection refusal. Anything that needs to be changed to the IKE= and phase2alg= lines you mentioned above?

hwdsl2 commented Apr 13, 2017

@rrothermund Try the following ike=/phase2alg= pairs, in this order. Let us know which pair(s) work for both your Chromebook and Android:

  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024
  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes-sha2_512
  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_384,aes256-sha2_512
  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes-sha2_384,aes-sha2_512
  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_384,aes256-sha2_384;modp1024,aes256-sha2_512
  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes-sha2_384,aes-sha2_512
rrothermund commented Apr 13, 2017

@hwdsl2 Tried to connect again with the chromebook at 12:33pm as shown in the logs below. I am really confused on what is going on here, looks like the server keeps restarting when the chromebook attempts to connect? Using pastebin due to length of log file: paste

hwdsl2 commented Apr 13, 2017

@rrothermund Please report the possible Libreswan bug to https://github.com/libreswan/libreswan/issues

danijeljw commented Apr 17, 2017

Is there a way to see the logs of what a user is accessing via the VPN service?

hwdsl2 commented Apr 17, 2017

@danijeljw No, that is beyond the scope of the VPN setup scripts.

UlifiPond commented Apr 17, 2017

I have tried to build one on Ubuntu 14.04 with a Vultr VPS, but unfortunately I got the same problem as with CentOS: both report a modem error. I checked on my Windows machine and I am sure I have done everything I could. When I check the firewall, 500 and 4500 are open. What is happening?

larry0619 commented May 2, 2017

Hi, I have set up the VPN and successfully connected the Windows client to it, but I couldn't get my Android phone connected. Could you please have a look at the log? Thanks.

May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: responding to Main Mode from unknown peer X.X.X.X
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: STATE_MAIN_R1: sent MR1, expecting MI2
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: STATE_MAIN_R2: sent MR2, expecting MI3
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: Main mode peer ID is ID_IPV4_ADDR: '100.83.68.75'
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[11] X.X.X.X #17: switched from "l2tp-psk"[11] X.X.X.X to "l2tp-psk"
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: deleting connection "l2tp-psk"[11] X.X.X.X instance with peer X.X.X.X {isakmp=#0/ipsec=#0}
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: new NAT mapping for #17, was X.X.X.X:1525, now X.X.X.X:4500
May  2 07:14:11 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
May  2 07:14:12 instance-2 pluto[3418]: | ISAKMP Notification Payload
May  2 07:14:12 instance-2 pluto[3418]: |   00 00 00 1c  00 00 00 01  01 10 60 02
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: received and ignored informational message
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: the peer proposed: Y.Y.Y.Y/32:17/1701 -> 100.83.68.75/32:17/0
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18: responding to Quick Mode proposal {msgid:05d81498}
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18:     us: 10.140.0.2[Y.Y.Y.Y]:17/1701
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18:   them: X.X.X.X[100.83.68.75]:17/0
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0b0b7260 <0xb38c8723 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=X.X.X.X:4500 DPD=active}
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May  2 07:14:12 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #18: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0b0b7260 <0xb38c8723 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=X.X.X.X:4500 DPD=active}
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: DPD: No response from peer - declaring peer dead
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X #17: IKEv1 DPD action: Clearing Connection l2tp-psk[12] CK_INSTANCE
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk" #18: deleting state (STATE_QUICK_R2)
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk" #18: ESP traffic information: in=0B out=0B
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk" #17: deleting state (STATE_MAIN_R3)
May  2 07:17:13 instance-2 pluto[3418]: "l2tp-psk"[12] X.X.X.X: deleting connection "l2tp-psk"[12] X.X.X.X instance with peer X.X.X.X {isakmp=#0/ipsec=#0}
hwdsl2 commented May 2, 2017

@larry0619 Please try the following:

  1. Enable "Backward Compatible Mode" [1] in your Android VPN settings. If this option does not exist, try (2).
  2. Edit /etc/ipsec.conf and change sha2-truncbug=yes to sha2-truncbug=no. Save the file and run service ipsec restart.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-7

larry0619 commented May 3, 2017

@hwdsl2
Thank you very much, I set to sha2-truncbug=no
it is working now.

nslensun commented May 10, 2017

Hi hwdsl2,
I am currently using Alicloud ECS. It has its own network called VPC. The instance is assigned to a private IP like 172.36.xx.xx as eth0. There is no eth1, which makes it an issue when deploying L2TP/IPSec service. It does have a public IP (47.xx.xx.xx). The connection between clients and the server is via NAT or something I think. When client accesses to its public IP, it will then map(or should I call it forward?) to the private IP. Both PPTP and Shadowsocks work fine. However, L2TP/IPSec never works. The strange thing is that, with your script, I could establish connection via Xauth PSK but have no Internet access (got virtual IP 192.43.0.x). And I couldn't establish connection via L2TP/IPSec. I tried other scripts (L2TP/IPSec) and none of them work. I also tried install it manually, but even if I manually configure the conf file step by step(use private IP for xl2tp, ipsec, etc conf files) and get them installed, it's still not working.
I did some research (I have very limited knowledge of networking). Someone says it's related to the encryption used by IPsec: something like the packet including the IP is encrypted, and when the VPC network does the forwarding, the IP data in the UDP packet is modified, which causes the verification to fail. I have no idea whether it's true or not.
Do you have any idea what causes this issue? Thanks to your script anyway. When I almost gave up, it gives me hope when I found the connection via Xauth could be established. Really appreciate it if you could help me.

hwdsl2 commented May 10, 2017

@nslensun Hello! To solve your issue, please try the following steps (in this order):

  1. Set up the VPN server using the latest version of VPN scripts at https://github.com/hwdsl2/setup-ipsec-vpn. Then, on the VPN server, run "iptables -D FORWARD -j DROP" [1]. Finally, try connecting your VPN client(s).
  2. If (1) does not work, edit /etc/ipsec.conf and replace sha2-truncbug=yes with sha2-truncbug=no. Save the file and run service ipsec restart [2]. Then try connecting your VPN client(s).

[1] hwdsl2/setup-ipsec-vpn#137 (comment)
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-7

nslensun commented May 11, 2017

@hwdsl2
Thanks for your time!
After modifying ipsec.conf, the connection via XAuth is now working fine (step 1 + 2).
L2TP/IPSec connection still could not be established for some reason. It looks like the issue is not related to IPSec now as IPSec Xauth is working. For PPTP, as long as iptables is configured correctly (set to VPC private IP 172.xx.xx.xx instead of public IP 47.xx.xx.xx), the connection will be ok.

Wayne5788 commented May 15, 2017

Hi hwdsl2,

First thanks for your script, it's work fine on my server :).
But I have a question: I need to add new users on my VPN server. Do I then need a new PSK for each user in /etc/ipsec.secrets?

Thanks,

hwdsl2 commented May 16, 2017

@Wayne5788 Hello! All VPN users would share the same IPsec PSK. There is no need to modify /etc/ipsec.secrets. To add new users, you may follow the instructions at:
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md

anqi777 commented May 19, 2017

thanks for vpn
I have a question: I added an account and password as you say, ran service ipsec restart and service xl2tpd restart at the end, but it didn't work. My iPhone displays "User authentication failed". Did I miss something?

hwdsl2 commented May 20, 2017

@anqi777 Hello! Please follow closely the instructions in [1] to add users for both IPsec/L2TP and Cisco IPsec. Make sure that your VPN credentials do not contain any of these characters: \ " ' Also, do not put <> around values.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md

Wayne5788 commented Jun 7, 2017

Hi hwdsl2,

Is your VPN multi-user? Only one of us has access to the VPN and the others don't. How can I fix the problem and allow multiple connections?

hwdsl2 commented Jun 7, 2017

@Wayne5788 The same VPN account can be used by multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode.

For more information, see: https://github.com/hwdsl2/setup-ipsec-vpn#important-notes

Wayne5788 commented Jun 7, 2017

Thanks for your quick answer!

Bad news for me: we need a VPN with multiple users (with L2TP), with an account for each user :(

jurapple commented Jun 20, 2017

Anyone using this with CSF (Config Server Firewall)? The VPN itself is running fine but I can't reach the VPN server running at .1 as the rules in iptables.rules added by the script are not honored by CSF as it's only using the iptables binary, not the rules file.

Kirkenjerk commented Jun 28, 2017

Hey there, thanks for the guide, I have the VPN up and running and it works great! My only question is: How do I use a domain name, vpn.domainname.com for example, in place of the public IP address?

I am assigned a dynamic IP by my ISP and am running the VPN server from my home. I have a domain name and set it up with cloudflare. Additionally, I have a DDNS script that updates Cloudflare with my current IP address should it ever change.

I would like to do this with this VPN script but am not sure how to make the "Server IP: $PUBLIC_IP" use the domain name of vpn.domainname.com instead of an IP address. This way its using the most current DNS entry from cloudflare instead of my public IP, which changes.

hwdsl2 commented Jun 28, 2017

@Kirkenjerk After setting up your VPN server, edit /etc/ipsec.conf and replace leftid=... with leftid=vpn.domainname.com. Then run "sudo service ipsec restart". Also make sure that you set this subdomain to "grey cloud" instead of "orange cloud" in Cloudflare.

Kirkenjerk commented Jun 28, 2017

Thank you so much for the fast response. It is working amazingly now. I appreciate it!

fiber-optics commented Jul 23, 2017

hi, thank you so much for the script, but i have a question.
I have one interface (eth0) but several IPs (2-3) on it. How do I change the destination IP from the main eth0 address to eth0:0 or eth0:1?

simplejw commented Aug 24, 2017

Hi @hwdsl2
I have a question: how can more than one user connect to the VPN? Right now only one PC in my office can connect to the VPN at the same time.
The others get error 789...

hwdsl2 commented Aug 28, 2017

@simplejw As mentioned in the "important notes" [1], due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode.

[1] https://github.com/hwdsl2/setup-ipsec-vpn#important-notes

alxmcc commented Sep 2, 2017

client iPhone 6s (iOS 11)
server: RPI3

/var/log/auth.log:

Sep  2 00:53:08 raspberrypi pluto[697]: packet from iPhone.ip:500: initial Main Mode message received on 192.168.1.164:500 but no connection has been authorized with policy PSK+XAUTH+IKEV1_ALLOW
Sep  2 00:53:12 raspberrypi pluto[697]: packet from iPhone.ip:500: initial Main Mode message received on 192.168.1.164:500 but no connection has been authorized with policy PSK+XAUTH+IKEV1_ALLOW
Sep  2 00:53:15 raspberrypi pluto[697]: packet from iPhone.ip:500: initial Main Mode message received on 192.168.1.164:500 but no connection has been authorized with policy PSK+XAUTH+IKEV1_ALLOW
Sep  2 00:53:18 raspberrypi pluto[697]: packet from iPhone.ip:500: initial Main Mode message received on 192.168.1.164:500 but no connection has been authorized with policy PSK+XAUTH+IKEV1_ALLOW
hwdsl2 commented Sep 5, 2017

@alxmcc Try the following fix for the VPN on Raspberry Pi 3 w/ Debian Stretch (9.x). Edit /etc/ipsec.conf and replace the line left=%defaultroute with left=YOUR_IP, where YOUR_IP is your Raspberry Pi’s INTERNAL IP address (e.g. 192.168.0.100). Keep the line indented by two spaces. Save the file and run sudo service ipsec restart; sudo service xl2tpd restart. Finally, try connecting the VPN.

cho0o0 commented Sep 12, 2017

Hi, I tried to install it into a GCP compute engine vm instance (CentOS 6 image). I used this command: wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh. I got no error during the installation but failed to connect to the server via my android device (I followed this guide). I also checked the log by using tail -F /var/log/secure | grep pluto, however, due to my limited knowledge on VPN, I'm not able to find out where the problem was.
Here's the log:

Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: responding to Main Mode from unknown peer xxx.xxx.43.248
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.216.98'
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: new NAT mapping for #5, was xxx.xxx.43.248:500, now xxx.xxx.43.248:4500
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: | ISAKMP Notification Payload
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Sep 12 03:02:31 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: received and ignored informational message
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #5: the peer proposed: xxx.xxx.2.201/32:17/1701 -> xxx.xxx.216.98/32:17/0
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: responding to Quick Mode proposal {msgid:7ec210de}
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6:     us: 10.152.0.2[xxx.xxx.2.201]:17/1701
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6:   them: xxx.xxx.43.248[xxx.xxx.216.98]:17/0
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: keeping refhim=0 during rekey
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 12 03:02:32 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x03f8745f <0x7a97659b xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=xxx.xxx.43.248:4500 DPD=active}
Sep 12 03:02:33 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 12 03:02:33 ipsec-vpn1 pluto[10690]: "l2tp-psk"[4] xxx.xxx.43.248 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03f8745f <0x7a97659b xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=xxx.xxx.43.248:4500 DPD=active}
@hwdsl2


hwdsl2 commented Sep 13, 2017

@cho0o0 The log you provided above looks fine: the IPsec SA is established (STATE_QUICK_R2), so the failure is presumably in the L2TP/PPP stage that follows — the xl2tpd and pppd messages in the system log would show it. Try the troubleshooting steps in [1].

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-7

@folis


folis commented Sep 20, 2017

Hi! I have an issue. I can connect successfully with IPsec/L2TP and everything works fine. However, when I connect with XAuth, my internet access disappears. My best guess is that something is wrong with iptables. Can you take a look?

# Modified by hwdsl2 VPN script
# Generated by iptables-save v1.6.0 on Sun Sep 17 16:46:41 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# IPsec/L2TP clients (192.168.42.0/24): masquerade everything they send out via eth0.
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
# XAuth / Cisco IPsec clients (192.168.43.0/24): masquerade only packets that are
# NOT covered by an outbound IPsec policy (--pol none), so anything that is about
# to be re-encapsulated into an IPsec SA keeps its original source address.
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# L2TP (UDP 1701) must only be reachable inside the IPsec tunnel: drop L2TP that
# arrived without any IPsec policy before anything else is evaluated.
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IKE (500) and IKE/ESP NAT-Traversal (4500).
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
# Accept L2TP that was decapsulated from an IPsec SA; drop any other UDP 1701.
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
# NOTE(review): the INPUT chain policy is ACCEPT and no catch-all INPUT DROP
# follows, so every other service listening on this host stays reachable;
# these rules only protect the VPN ports themselves.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# eth0 -> L2TP clients (ppp+): reply traffic only; NEW connections toward
# clients are not accepted from eth0.
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
# Client-to-client traffic inside the L2TP pool.
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
# Same reply-only / outbound pair for the XAuth range, matched by address
# rather than by a ppp interface.
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
# Everything else that would be forwarded is dropped.
-A FORWARD -j DROP
COMMIT

Thanks!

@hwdsl2


hwdsl2 commented Sep 21, 2017

@folis Your IPTables rules in the comment above look fine.

@komanshidaruma


komanshidaruma commented Sep 28, 2017

I have a router with a PPTP VPN function.
My iPhone was updated to iOS 10, so I can no longer use the PPTP VPN because iOS 10 does not support PPTP.
I need to replace PPTP with IPsec.
I have a Linux server, so I set up an IPsec VPN using this script.
My iPhone connects to my LAN successfully, but my Windows PC behind the router cannot reach my iPhone.
With the PPTP VPN, my PC could reach my iPhone while it was connected to the VPN.
How can I fix this?

*** additional comment ***

I added NEW to the iptables rule as shown below, which fixed the problem (note that this also lets any host reachable on that interface initiate connections to the VPN clients, so it is only reasonable when the interface faces a trusted LAN):

  • before
    # Script default: on FORWARD, eth-side -> ppp+ traffic is only let through when
    # it belongs to a connection a VPN client already opened (reply traffic).
    iptables -I FORWARD 2 -i "$NET_IFACE" -o 'ppp+' -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • after
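    # Goal: let LAN hosts initiate connections to VPN clients. Do NOT simply add
    # NEW to the reply rule -- an unscoped NEW,RELATED,ESTABLISHED match on
    # $NET_IFACE lets *any* host that can reach that interface (the whole
    # internet, on a VPS) open connections to every VPN client.
    # Keep the original reply-only rule unchanged ...
    iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # ... and allow NEW connections only from the trusted LAN subnet.
    # 192.168.1.0/24 is this user's LAN (the PC is 192.168.1.2); adjust to match yours.
    iptables -I FORWARD 3 -i "$NET_IFACE" -s 192.168.1.0/24 -o ppp+ -m conntrack --ctstate NEW -j ACCEPT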
@hwdsl2


hwdsl2 commented Sep 29, 2017

@komanshidaruma You do NOT need to change the IPTables rules like the above. When connecting via IPsec/L2TP, VPN clients can communicate using their assigned internal IPs (192.168.42.10-192.168.42.250). To find out which internal IP is assigned, view the connection details.

@komanshidaruma


komanshidaruma commented Sep 29, 2017

@hwdsl2 Thank you for your reply. From the VPN client I can reach the internet using the internal IP (e.g. 192.168.42.10), but I cannot connect from my PC (outside the VPN) to that internal address.

*example
can connect: iPhone (192.168.42.10) -> PC (192.168.1.2)
cannot connect: PC (192.168.1.2) -> iPhone (192.168.42.10)

@ovidiupruteanu


ovidiupruteanu commented Oct 1, 2017

Awesome script, thank you.

I had issues accessing devices on my network and here is how I fixed it. I'm not sure if this is the correct solution but it works for me and it may help someone else.

Problem

I was able to access devices on my local network only when all traffic was routed through the VPN:

  • Mac and iOS: "Send all traffic over VPN connection"
  • Windows: "Use default gateway on remote network"

However I did not want my internet traffic to go through this connection, I just wanted to access the devices on my network

Resolution

I put the VPN in the same subnet as my local network. I did this by replacing:

# Script defaults for the IPsec/L2TP address range: the subnet, the server's
# own address inside it and the pool handed to clients. Each value can be
# overridden through the matching VPN_L2TP_* environment variable.
L2TP_NET="${VPN_L2TP_NET:-192.168.42.0/24}"
L2TP_LOCAL="${VPN_L2TP_LOCAL:-192.168.42.1}"
L2TP_POOL="${VPN_L2TP_POOL:-192.168.42.10-192.168.42.250}"

with

# Override: place the VPN inside the home LAN subnet (192.168.1.0/24) so LAN
# hosts and VPN clients share one address range.
# NOTE(review): L2TP_LOCAL and every address in L2TP_POOL must be reserved on
# the router (kept outside its DHCP range), otherwise the same address can be
# handed to a LAN host as well. Whether LAN hosts can actually reach the ppp
# clients also depends on pppd/proxy-ARP settings not shown here -- confirm.
L2TP_NET="${VPN_L2TP_NET:-192.168.1.0/24}"
L2TP_LOCAL="${VPN_L2TP_LOCAL:-192.168.1.201}"
L2TP_POOL="${VPN_L2TP_POOL:-192.168.1.202-192.168.1.220}"

Now all the VPN clients and all devices in my home network can communicate with each other.

@arashsadr


arashsadr commented Oct 20, 2017

Hi and thanks.
I have 2 questions to ask:

  1. How can I limit concurrent VPN connections to one per user, i.e. each VPN user (configured in /etc/ipsec.d/passwd) has at most one session at a time?
  2. How can I disable the idle timeout, or keep the VPN session alive until the user disconnects, on iOS? I mostly connect from my phone, but after a few minutes of inactivity the VPN session is disconnected.
@hwdsl2


hwdsl2 commented Oct 22, 2017

@arashsadr Hello! To answer your questions:

  1. I am not aware of any method to limit each VPN user's concurrent VPN connections. Try asking on the Libreswan mailing list [1].
  2. iPhones/iPads auto-disconnect from Wi-Fi soon after the screen turns off, and the VPN disconnects as a result of Wi-Fi disconnection. According to Apple, this behavior is by design and there is no workaround. As an alternative, try OpenVPN [2]. It supports auto-reconnect after the network is available again.

[1] https://lists.libreswan.org/mailman/listinfo/swan
[2] https://github.com/Nyr/openvpn-install

@komanshidaruma


komanshidaruma commented Oct 26, 2017

This script also works on Ubuntu 16.04 32-bit, but after setup iSCSI no longer works.
The problem does not occur on the 64-bit version.

I think this problem comes from the kernel settings.

virtualbox_test1_25_10_2017_00_27_42

virtualbox_test1_26_10_2017_12_12_23

@Eric2i


Eric2i commented Dec 15, 2017

This really solved my problem, thanks a lot!

@thegitty


thegitty commented Dec 24, 2017

Hi,

I want to run this server at home on a Raspberry Pi. To reach it from, e.g., a library network where only ports 80 and 443 are open, what do I have to configure (port forwarding of UDP 500 and 4500 on my router), and is this possible at all?

Thanks for your help.

@pfloosy


pfloosy commented Jan 18, 2018

Hi,
I have installed your script on a freshly installed Ubuntu 14.04. Everything seems fine and I receive my login details at the end of the installation. Ports 500, 4500 and 1701 (for testing) are all forwarded through the router. When I run `sudo netstat -ntlp | grep LISTEN` I only see ssh listening (note: `-t` lists TCP sockets only; IKE uses UDP, so `sudo netstat -nulp` or `ss -ulnp` is what would show pluto on 500/4500).
Windows nor IOS are able to connect.
ipsec verify shows me this informations:
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]

If I test my open ports with an online port-check tool I can see that 22 is open, but 500 and 4500 are reported as not open (note: most such tools only probe TCP, so they cannot confirm UDP 500/4500). But I am sure the router is set up correctly, since 22 works.
I guess the problem is, that the ubuntu server is not listening to 500, 4500. So ipsec not running/listening? Restarting ipsec is working but doesn't change anything.

By the way... I also opend the ports on the ubuntu server with ufw

Thanks,
Peter

@ehsanrasta


ehsanrasta commented Jan 22, 2018

Hi,
I have installed your script on centos and it works fine.
I want to assign each user a specific, fixed IP address.
Is this possible?
Thanks

@inder1989


inder1989 commented Feb 6, 2018

Hi,

Thanks for the script!
I want to know whether IKEv2 with username and password can be used with the strongSwan client.

Thanks

@qythker


qythker commented Mar 30, 2018

不好意思 英文不好
按照你的方法配置好服务器后,修改注册表,重启,能够给连接得上vpn了,也能上网,但是却无法翻墙了是为什么?gg 那些网站都无法访问
vpn服务器是 ubunt16.04 x64,客户端是win10的
vpn服务器是阿里云香港的服务器,服务器里面还架设了ssr服务,经过测试 ,能够正常访问gg,不知道为什么用你的vpn无法访问gg等国外网站

额 又可以了,莫名其妙的

@vladlosk


vladlosk commented Mar 31, 2018

Hi @hwdsl2 ,

I found out that the IPsec/L2TP VPN connection does not work when I use LTE (my provider is T-Mobile), but it works on my home or work Wi-Fi. I tried to find the root cause and came to the conclusion that it is probably related to IPv6. The problem affects only iOS devices; on Android everything is fine.

I didn't find resolution of this. Do you have any ideas about how to fix it?

Also, I did not understand how I can generate trusted certificates so that iOS devices can use IKEv2.

@ptocadoa


ptocadoa commented Apr 16, 2018

After applying the changes suggested for Android 6/7, this is the log when I try to connect.

I get as far as STATE_QUICK_R2: IPsec SA established transport mode, then nothing. Note the teardown a minute later reports `ESP traffic information: in=0B out=2KB`: if those counters are accurate the server never received any ESP from the client, which points at the encapsulated UDP 4500 packets not reaching it (the server is itself behind NAT, 192.168.1.6) rather than at authentication; a tcpdump on UDP 4500 would confirm. (Side note: the IKE SA was negotiated with group=MODP1024, a 1024-bit DH group that is considered weak today; that is unrelated to this failure.)

Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: responding to Main Mode from unknown peer ipv4job.x.y.z on port 44004
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: Peer ID is ID_IPV4_ADDR: '192.168.193.155'
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Apr 13 14:28:21 raspberry pluto[2046]: | ISAKMP Notification Payload
Apr 13 14:28:21 raspberry pluto[2046]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Apr 13 14:28:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: received and ignored informational message
Apr 13 14:28:22 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: the peer proposed: ipv4home.x.y.z/32:17/1701 -> 192.168.193.155/32:17/0
Apr 13 14:28:22 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: responding to Quick Mode proposal {msgid:126a88d1}
Apr 13 14:28:22 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: us: 192.168.1.6<192.168.1.6>[ipv4home.x.y.z]:17/1701
Apr 13 14:28:22 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: them: ipv4job.x.y.z:17/0
Apr 13 14:28:22 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0b90f543 <0xada5fb02 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=ipv4job.x.y.z:6428 DPD=active}
Apr 13 14:28:23 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0b90f543 <0xada5fb02 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=ipv4job.x.y.z:6428 DPD=active}

Apr 13 14:29:20 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #9: received Delete SA(0x0b90f543) payload: deleting IPSEC State #10
Apr 13 14:29:20 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: deleting other state #10 (STATE_QUICK_R2) and sending notification
Apr 13 14:29:20 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z #10: ESP traffic information: in=0B out=2KB
Apr 13 14:29:21 raspberry pluto[2046]: "l2tp-psk" #9: deleting state (STATE_MAIN_R3) and sending notification
Apr 13 14:29:21 raspberry pluto[2046]: "l2tp-psk"[3] ipv4job.x.y.z: deleting connection "l2tp-psk"[3] ipv4job.x.y.z instance with peer ipv4job.x.y.z {isakmp=#0/ipsec=#0}
Apr 13 14:29:21 raspberry pluto[2046]: packet from ipv4job.x.y.z:6428: received and ignored empty informational notification payload

@ptocadoa
