After setting up your own VPN server, follow these steps to configure your devices. In case you are unable to connect, first, check to make sure the VPN credentials were entered correctly.
Commands must be run as root on your VPN client.
To set up the VPN client, first install the following packages:
|
1 2 3 4 5 6 7 8 9 |
# For Ubuntu & Debian apt-get update apt-get -y install strongswan xl2tpd # For RHEL/CentOS yum -y install epel-release yum --enablerepo=epel -y install strongswan xl2tpd yum -y install strongswan xl2tpd |
Create VPN variables (replace with actual values):
|
1 2 3 4 |
VPN_SERVER_IP=your_vpn_server_ip VPN_IPSEC_PSK=your_ipsec_pre_shared_key VPN_USER=your_vpn_username VPN_PASSWORD=your_vpn_password |
Configure strongSwan:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
cat > /etc/ipsec.conf <<EOF # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. # Sample VPN connections conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev1 authby=secret ike=aes128-sha1-modp2048! esp=aes128-sha1-modp2048! conn myvpn keyexchange=ikev1 left=%defaultroute auto=add authby=secret type=transport leftprotoport=17/1701 rightprotoport=17/1701 right=$VPN_SERVER_IP EOF cat > /etc/ipsec.secrets <<EOF : PSK "$VPN_IPSEC_PSK" EOF chmod 600 /etc/ipsec.secrets # For CentOS/RHEL & Fedora ONLY mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets |
Configure xl2tpd:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
cat > /etc/xl2tpd/xl2tpd.conf <<EOF [lac myvpn] lns = $VPN_SERVER_IP ppp debug = yes pppoptfile = /etc/ppp/options.l2tpd.client length bit = yes EOF cat > /etc/ppp/options.l2tpd.client <<EOF ipcp-accept-local ipcp-accept-remote refuse-eap require-chap noccp noauth mtu 1280 mru 1280 noipdefault defaultroute usepeerdns connect-delay 5000 name $VPN_USER password $VPN_PASSWORD EOF chmod 600 /etc/ppp/options.l2tpd.client |
The VPN client setup is now complete. Follow the steps below to connect.
Note: You must repeat all steps below every time you try to connect to the VPN.
Create xl2tpd control file:
|
1 2 |
mkdir -p /var/run/xl2tpd touch /var/run/xl2tpd/l2tp-control |
Restart services:
|
1 2 |
service strongswan restart service xl2tpd restart |
Start the IPsec connection:
|
1 2 3 4 5 |
# Ubuntu & Debian ipsec up myvpn # CentOS/RHEL & Fedora strongswan up myvpn |
Start the L2TP connection:
|
1 |
echo "c myvpn" > /var/run/xl2tpd/l2tp-control |
Run ifconfig and check the output. You should now see a new interface ppp0.
Check your existing default route:
|
1 |
ip route |
Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.
Exclude your VPN server’s IP from the new default route (replace with actual value):
|
1 |
route add YOUR_VPN_SERVER_IP gw X.X.X.X |
If your VPN client is a remote server, you must also exclude your Local PC’s public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
|
1 |
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X |
Add a new default route to start routing traffic via the VPN server:
|
1 |
route add default dev ppp0 |
The VPN connection is now complete. Verify that your traffic is being routed properly:
|
1 |
wget -qO- http://ipv4.icanhazip.com; echo |
The above command should return Your VPN Server IP.
To stop routing traffic via the VPN server:
|
1 |
route del default dev ppp0 |
To disconnect:
|
1 2 3 4 5 6 7 |
# Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn # CentOS/RHEL & Fedora echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn |
Is there a way for me to specify which IP should the client use? I have observed that I can specify the IP to be use by the machine on my Mac, was hoping I can also specify this when connecting via a centOS box.
Hello, please help.
root@frontlogistics-dev /var/log # ipsec up vpn
initiating Main Mode IKE_SA vpn[1] to 92.242.39.89
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (180 bytes)
received packet: from 92.242.39.89[500] to 185.40.30.244[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (372 bytes)
received packet: from 92.242.39.89[500] to 185.40.30.244[500] (364 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (108 bytes)
received packet: from 92.242.39.89[4500] to 185.40.30.244[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir ‘192.168.2.254’ does not match to ‘92.242.39.89’
deleting IKE_SA vpn[1] between 185.40.30.244[185.40.30.244]…92.242.39.89[%any]
sending DELETE for IKE_SA vpn[1]
generating INFORMATIONAL_V1 request 3765921865 [ HASH D ]
sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (92 bytes)
establishing connection ‘vpn’ failed