How to Create Your Own IPsec VPN Server in Linux

There are so many benefits of using a VPN (Virtual Private Network), some of which include keeping you safe on the internet by encrypting your traffic and helping you to access blocked content/sites/web applications from anywhere. Not to mention, VPN also helps you to browse the internet anonymously.

In this article, you will learn how to quickly and automatically set up your own IPsec/L2TP VPN server in CentOS/RHEL, Ubuntu, and Debian Linux distributions.

Prerequisites:

  1. A fresh CentOS/RHEL or Ubuntu/Debian VPS (Virtual Private Server) from any provider such as Linode.

Setting Up IPsec/L2TP VPN Server in Linux

To set up the VPN server, we will use a wonderful collection of shell scripts created by Lin Song, that installs Libreswan as the IPsec server, and xl2tpd as the L2TP provider. The offering also includes scripts to add or delete VPN users, upgrade the VPN installation and much more.

First, log into your VPS via SSH, then run the appropriate commands for your distribution to set up the VPN server. By default, the script will generate random VPN credentials (pre-shared key, VPN username, and password) for you and display them at the end of the installation.

However, if you want to use your own credentials, first you need to generate a strong password and PSK as shown.

# openssl rand -base64 10
# openssl rand -base64 16
Create VPN Credentials
Create VPN Credentials

Next, set these generated values as described in the following command all values MUST be placed inside ‘single quotes‘ as shown.

  • VPN_IPSEC_PSK – Your IPsec pre-shared key.
  • VPN_USER – Your VPN username.
  • VPN_PASSWORD – Your VPN password.
---------------- On CentOS/RHEL ---------------- 
# wget https://git.io/vpnsetup-centos -O vpnsetup.sh && VPN_IPSEC_PSK='KvLjedUkNzo5gBH72SqkOA==' VPN_USER='tecmint' VPN_PASSWORD='8DbDiPpGbcr4wQ==' sh vpnsetup.sh

---------------- On Debian and Ubuntu ----------------
# wget https://git.io/vpnsetup -O vpnsetup.sh && VPN_IPSEC_PSK='KvLjedUkNzo5gBH72SqkOA==' VPN_USER='tecmint' VPN_PASSWORD='8DbDiPpGbcr4wQ==' sudo sh vpnsetup.sh

The main packages that will be installed are bind-utils, net-tools, bison, flex, gcc, libcap-ng-devel, libcurl-devel, libselinux-devel, nspr-devel, nss-devel, pam-devel, xl2tpd, iptables-services, systemd-devel, fipscheck-devel, libevent-devel, and fail2ban(to protect SSH), and their respective dependencies. Then it downloads, compiles and installs Libreswan from source, enables and starts the necessary services.

Once the installation is complete, the VPN details will be displayed as shown in the following screenshot.

Setup Your Own IPsec VPN Linux Server
Setup Your Own IPsec VPN Linux Server

Next, you need to set up a VPN client, for desktops or laptops with a graphical user interface, refer to this guide: How To Setup an L2TP/Ipsec VPN Client on Linux.

To add the VPN connection in a mobile device such as an Android phone, go to Settings –> Network & Internet (or Wireless & Networks –> More) –> Advanced –> VPN. Select the option to add a new VPN. The VPN type should be set to IPSec Xauth PSK, then use the VPN gateway and credentials above.

How to Add or Remove a VPN User in Linux

To create a new VPN user or update an existing VPN user with a new password, download and use the add_vpn_user.sh script using the following wget command.

$ wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh
$ sudo sh add_vpn_user.sh 'username_to_add' 'user_password'

To delete a VPN user, download and use the del_vpn_user.sh script.

$ wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh
$ sudo sh del_vpn_user.sh 'username_to_delete'

How to Upgrade Libreswan Installation in Linux

You can upgrade the Libreswan installation using the vpnupgrade.sh or vpnupgrade_centos.sh script. Make sure to edit the SWAN_VER variable to the version you want to install, within the script.

---------------- On CentOS/RHEL ---------------- 
# wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh && sh vpnupgrade.sh

---------------- On Debian and Ubuntu ----------------
# wget https://git.io/vpnupgrade -O vpnupgrade.sh && sudo sh  vpnupgrade.sh

How to Uninstall the VPN Server in Linux

To uninstall the VPN installation, do the following.

On RHEL/CentOS

# yum remove xl2tpd

Then open /etc/sysconfig/iptables configuration file and remove the unneeded rules and edit /etc/sysctl.conf and /etc/rc.local file, and remove the lines after the comment # Added by hwdsl2 VPN script, in both files.

On Debian/Ubuntu

$ sudo apt-get purge xl2tpd

Next, edit /etc/iptables.rules configuration file and remove any unneeded rules. Additionally, edit /etc/iptables/rules.v4 if it exists.

Then edit /etc/sysctl.conf and /etc/rc.local files, remove the lines after the comment # Added by hwdsl2 VPN script, in both files. Do not remove exit 0 if it exists.

Optionally, you can remove certain files and directories that were created during the VPN set up.

# rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto 
# rm -rf /etc/ipsec.d /etc/xl2tpd

To set up a site-to-site IPSec-based VPN with Strongswan, check out our guides:

  1. How to Setup IPSec-based VPN with Strongswan on Debian and Ubuntu
  2. How to Setup IPSec-based VPN with Strongswan on CentOS/RHEL 8

Reference: https://github.com/hwdsl2/setup-ipsec-vpn

At this point, your own VPN server is up and running. You can share any queries or give us feedback using the comment form below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

25 Comments

Leave a Reply
  1. Would this option allow us to support more than 1 connection at a time? Is there any other solution that would allow us to connect to two separate instances hidden behind a VPN simultaneously?

    Reply
  2. Hi, why only allows 1 connection? when i try to connect a second or third device it just not connect.

    Thanks for your awesome work!

    Reply
  3. I tried this tutorial so many times on a Ubuntu server 16 VM on Azure but it does not work. The VPN does not work on any device.

    Can someone help, please?

    Reply
  4. Is it recommended to do this on an isolated server? After running I noticed it masks firewalld which broke some things, in particular Docker, though I was able to connect before reverting. I see hwdsl2 also has a docker image which I will probably try instead. Thanks for the article.

    Reply
  5. Hi, How can I put a limit to each account I make, in which for every one account there will be only one user who can use it at a time.

    Reply
  6. I created a VPN server but I was not able to connect it to my router because in LT2P protocol in my router I can’t find a place to inter PSKEY, is there any guide for to create an LT2P server without IPsec?

    Reply
  7. For what it’s worth, on an RHEL instance at least, the all-in-one command DOES NOT correctly set the variables for VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD.

    When you run the script, you get the following output:

    # VPN credentials not set by the user. Generating random PSK and password
    

    ..and eventually randomized settings at the end.

    Reply
  8. Hi,

    Your post above impressed me so much. I successfully built my VPN server.

    And, how to list the current dial-in VPN users?

    Good days,

    Reply
    • @betsy

      Isn’t it nicer to run a VPN service that you fully have control over? Actually, this setup is fully automated, simply download and run the installation script, and after a few minutes, your VPN server will be up and running. But thanks for sharing your thoughts with us.

      Reply
  9. As for me, AlgoVPN is much more simple, secure, powerful and you can easily deploy it on any server and use wireGuard client.

    Reply
  10. “There are so many benefits of using a VPN (Virtual Private Network), some of which include keeping you safe on the internet by encrypting your traffic and helping you to access blocked content/sites/web applications from anywhere. Not to mention, VPN also helps you to browse the internet anonymously.”

    The benefits only exist if the VPN server and the VPN clients are in different physical locations. Everything in the same location (ie home), grants no advantage. However, a VPN server at home will allow mobile equipment, like smartphones or portable computers, to access the internet at distance, at locations that otherwise would be insecure.

    Reply
    • @Martins

      Of course, the VPN server and client have to be in different locations, that is why we mentioned as a prerequisite: “A fresh CentOS/RHEL or Ubuntu/Debian VPS (Virtual Private Server) from any provider such as Linode.” Thanks for sharing your thoughts with us.

      Reply
  11. I want to learn about Linux because I think this will help me find a way of blocking Simcard in my country. VPN is going to down in my country by blocking the data if you exceed 1gb/day when you are using a VPN.

    Reply
  12. Hi! Very useful article. Thanks!

    I think: what about intensive traffic or how many users connected (on a standard VPS like Linode u$s30/mo plan?

    Reply
  13. If I were going through the trouble of setting up my own VPN, it would be much better to avoid this out modded technology and choose something simple and much more likely to be secure like WireGuard.

    Reply
  14. I have to tell my problem here and is not related to the post above. I run in the latest version of Mint and I was somehow introduced to UKUU. After updating the kernel to the latest version, I lost the wifi driver am6d can’t work further on it. Please help.

    Reply
    • @1501

      Use UKUU to remove the mainline kernel. I believe it provides this option. If the source where you learned it from didn’t explain this, then we have to create a detailed guide about using UKUU. Thanks.

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.