Comments

Latest Posts

One Command To Install IPSec VPN Server - Libreswan (IPSec VPN ServerAuto Secutity Script)

Github project  hwdsl2/setup-ipsec-vpn provides a simple way to set up a IPSec VPN Server by just using one line of command. 

If you will need a VPN to have safe access to Internet or remote network, this might give you a good option to have your VPN in the cloud. 



Introduction


Github project hwdsl2/setup-ipsec-vpn uses Libreswan as the IPsec server, and xl2tpd as the L2TP provider.

Here are some nice features listing in its Github project page:

Features

  • Fully automated IPsec VPN server setup, no user input needed
  • Supports IKEv2 with strong and fast ciphers (e.g. AES-GCM)
  • Generates VPN profiles to auto-configure iOS, macOS and Android devices
  • Supports Windows, macOS, iOS, Android, Chrome OS and Linux as VPN clients
  • Includes helper scripts to manage VPN users and certificates

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol using "IPsec" and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").



One Line Command



wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh


Outputs:

root@ub20-1-test:~# wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh
--2023-08-07 02:12:44--  https://get.vpnsetup.net/
Resolving get.vpnsetup.net (get.vpnsetup.net)... 172.64.80.1, 2606:4700:130:436c:6f75:6466:6c61:7265
Connecting to get.vpnsetup.net (get.vpnsetup.net)|172.64.80.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9781 (9.6K) [text/plain]
Saving to: ‘vpn.sh’
vpn.sh                                               100%[======================================================================================================================>]   9.55K  --.-KB/s    in 0s
2023-08-07 02:12:44 (52.8 MB/s) - ‘vpn.sh’ saved [9781/9781]
+ wget -t 3 -T 30 -q -O /tmp/vpn.iMFul/vpn.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/vpnsetup_ubuntu.sh
## VPN credentials not set by user. Generating random PSK and password...
## VPN setup in progress... Please be patient.
## Installing packages required for setup...
+ apt-get -yqq update
+ apt-get -yqq install wget dnsutils openssl iptables iproute2 gawk grep sed net-tools
## Trying to auto discover IP of this server...
## Installing packages required for the VPN...
+ apt-get -yqq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools libevent-dev libsystemd-dev uuid-runtime ppp xl2tpd
Extracting templates from packages: 100%
## Installing Fail2Ban to protect SSH...
+ apt-get -yqq install fail2ban
## Downloading helper scripts...
+ ikev2.sh addvpnuser.sh delvpnuser.sh
## Downloading Libreswan...
+ wget -t 3 -T 30 -q -O libreswan-4.11.tar.gz https://github.com/libreswan/libreswan/archive/v4.11.tar.gz
## Compiling and installing Libreswan, please wait...
+ make -j3 -s base
+ make -s install-base
## Creating VPN configuration...
## Updating sysctl settings...
## Updating IPTables rules...
## Enabling services on boot...
## Starting services...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 140.238.155.149
IPsec PSK: H2r5V65p4b4uHia2sJb
Username: vpnuser
Password: GeWtsqPDC5tfPKY
Write these down. You'll need them to connect!
VPN client setup: https://vpnsetup.net/clients
================================================
================================================
IKEv2 setup successful. Details for IKEv2 mode:
VPN server address: 140.238.155.149
VPN client name: vpnclient
Client configuration is available at:
/root/vpnclient.p12 (for Windows & Linux)
/root/vpnclient.sswan (for Android)
/root/vpnclient.mobileconfig (for iOS & macOS)
Next steps: Configure IKEv2 clients. See:
https://vpnsetup.net/clients
================================================
root@ub20-1-test:~#



You may optionally install WireGuard and/or OpenVPN on the same server. If your server runs CentOS Stream, Rocky Linux or AlmaLinux, first install OpenVPN/WireGuard, then install the IPsec VPN.


Firewall Ports


Open UDP ports 500 and 4500 for the VPN


Clients



Get your computer or device to use the VPN. Please refer to:


For IPsec/L2TP VPN Windows Clients:

If you are using Windows as client and using IPsec/L2TP as protocol, here are some common steps for creating a tunnel with Windows built-in VPN configuration

Windows 11

  1. Right-click on the wireless/network icon in your system tray.
  2. Select Network and Internet settings, then on the page that opens, click VPN.
  3. Click the Add VPN button.
  4. Select Windows (built-in) in the VPN provider drop-down menu.
  5. Enter anything you like in the Connection name field.
  6. Enter Your VPN Server IP in the Server name or address field.
  7. Select L2TP/IPsec with pre-shared key in the VPN type drop-down menu.
  8. Enter Your VPN IPsec PSK in the Pre-shared key field.
  9. Enter Your VPN Username in the User name field.
  10. Enter Your VPN Password in the Password field.
  11. Check the Remember my sign-in info checkbox.
  12. Click Save to save the VPN connection details.


Notes: If you are using IPsec/L2TP Windows client, also there is nat device in the middle of traffic, you have to make one registry change. Reboot is required for taking this change into effect. 

Error message: Windows error 809

Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

Note: The registry change below is only required if you use IPsec/L2TP mode to connect to the VPN. It is NOT required for the IKEv2 and IPsec/XAuth modes.

To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the .reg file below, or run the following from an elevated command promptYou must reboot your PC when finished.

  • For Windows Vista, 7, 8, 10 and 11 (download .reg file)

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f


For IPsec/xAuth (Cisco IPsec) VPN Windows Clients:

You will need additional software for this connection. 
  1. Download and install the free Shrew Soft VPN client. When prompted during install, select Standard Edition.
    Note: This VPN client does NOT support Windows 10/11.
  2. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager
  3. Click the Add (+) button on toolbar.
  4. Enter Your VPN Server IP in the Host Name or IP Address field.
  5. Click the Authentication tab. Select Mutual PSK + XAuth from the Authentication Method drop-down menu.
  6. Under the Local Identity sub-tab, select IP Address from the Identification Type drop-down menu.
  7. Click the Credentials sub-tab. Enter Your VPN IPsec PSK in the Pre Shared Key field.
  8. Click the Phase 1 tab. Select main from the Exchange Type drop-down menu.
  9. Click the Phase 2 tab. Select sha1 from the HMAC Algorithm drop-down menu.
  10. Click Save to save the VPN connection details.
  11. Select the new VPN connection. Click the Connect button on toolbar.
  12. Enter Your VPN Username in the Username field.
  13. Enter Your VPN Password in the Password field.
  14. Click Connect.

For IKEv2 VPN Windows Clients:

Windows 8, 10 and 11 users can automatically import IKEv2 configuration:

  1. Securely transfer the generated .p12 file to your computer.
  2. Right-click on ikev2_config_import.cmd and save this helper script to the same folder as the .p12 file.
  3. Right-click on the saved script, select Properties. Click on Unblock at the bottom, then click on OK.
  4. Right-click on the saved script, select Run as administrator and follow the prompts.

To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".



Manager VPN Users





Upgrade

Upgrade Libreswan

Use this one-liner to update Libreswan on your VPN server.

wget https://get.vpnsetup.net/upg -O vpnup.sh && sudo sh vpnup.sh

Uninstall IPSec VPN


To uninstall IPsec VPN, run the helper script:

Warning: This helper script will remove IPsec VPN from your server. All VPN configuration will be permanently deleted, and Libreswan and xl2tpd will be removed. This cannot be undone!

wget https://get.vpnsetup.net/unst -O unst.sh && sudo bash unst.sh

Videos

 






No comments