After setting up your own VPN server, follow these steps to configure your devices. In case you are unable to connect, first, check to make sure the VPN credentials were entered correctly.
Commands must be run as root
on your VPN client.
To set up the VPN client, first install the following packages:
# For Ubuntu & Debian
apt-get update
apt-get -y install strongswan xl2tpd
# For RHEL/CentOS
yum -y install epel-release
yum --enablerepo=epel -y install strongswan xl2tpd
yum -y install strongswan xl2tpd
Create VPN variables (replace with actual values):
VPN_SERVER_IP=your_vpn_server_ip
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password
Configure strongSwan:
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
conn myvpn
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
right=$VPN_SERVER_IP
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
Configure xl2tpd:
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF
chmod 600 /etc/ppp/options.l2tpd.client
The VPN client setup is now complete. Follow the steps below to connect.
Note: You must repeat all steps below every time you try to connect to the VPN.
Create xl2tpd control file:
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
Restart services:
service strongswan restart
service xl2tpd restart
Start the IPsec connection:
# Ubuntu & Debian
ipsec up myvpn
# CentOS/RHEL & Fedora
strongswan up myvpn
Start the L2TP connection:
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
Run ifconfig
and check the output. You should now see a new interface ppp0
.
Check your existing default route:
ip route
Find this line in the output: default via X.X.X.X ...
. Write down this gateway IP for use in the two commands below.
Exclude your VPN server’s IP from the new default route (replace with actual value):
route add YOUR_VPN_SERVER_IP gw X.X.X.X
If your VPN client is a remote server, you must also exclude your Local PC’s public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
Add a new default route to start routing traffic via the VPN server:
route add default dev ppp0
The VPN connection is now complete. Verify that your traffic is being routed properly:
wget -qO- http://ipv4.icanhazip.com; echo
The above command should return Your VPN Server IP
.
To stop routing traffic via the VPN server:
route del default dev ppp0
To disconnect:
# Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
# CentOS/RHEL & Fedora
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
Is there a way for me to specify which IP should the client use? I have observed that I can specify the IP to be use by the machine on my Mac, was hoping I can also specify this when connecting via a centOS box.
Hello, please help.
root@frontlogistics-dev /var/log # ipsec up vpn
initiating Main Mode IKE_SA vpn[1] to 92.242.39.89
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (180 bytes)
received packet: from 92.242.39.89[500] to 185.40.30.244[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (372 bytes)
received packet: from 92.242.39.89[500] to 185.40.30.244[500] (364 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (108 bytes)
received packet: from 92.242.39.89[4500] to 185.40.30.244[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir ‘192.168.2.254’ does not match to ‘92.242.39.89’
deleting IKE_SA vpn[1] between 185.40.30.244[185.40.30.244]…92.242.39.89[%any]
sending DELETE for IKE_SA vpn[1]
generating INFORMATIONAL_V1 request 3765921865 [ HASH D ]
sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (92 bytes)
establishing connection ‘vpn’ failed