> ## Documentation Index
> Fetch the complete documentation index at: https://docs.edisglobal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# L2TP/IPsec and IKEv2 VPN

> Build an L2TP/IPsec and IKEv2 VPN server on Ubuntu 22.04 with the hw5ds2/setup-ipsec-vpn scripts for flexible, encrypted connections on an EDIS VPS.

## Setting up L2TP/IPsec and IKEv2 VPN server on Ubuntu 22.04

## Introduction

This guide provides detailed instructions for setting up a VPN server on Ubuntu 22.04 that supports both L2TP/IPsec and IKEv2 protocols. Using the [hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn) scripts, you can quickly deploy a secure VPN server. This setup allows clients to connect securely using either L2TP/IPsec or IKEv2, providing flexibility and strong encryption for your VPN connections.

## Prerequisites

* **VPS Server:**

  * An <a href="https://www.edisglobal.com" target="_blank">EDIS Global VPS</a> running Ubuntu 22.04.

  * Root or sudo access.

* **Client Machine:**

  * A computer running Ubuntu or any Linux distribution compatible with L2TP/IPsec and IKEv2.

  * Root or sudo access.

## Overview

We will perform the following high-level steps:

1. **On the VPS Server:**

   * Update system packages.

   * Install necessary dependencies.

   * Run the VPN setup script to configure L2TP/IPsec and IKEv2 VPN server.

   * Manage VPN users (add or remove).

2. **On the Client Machine:**

   * Install VPN client software.

   * Configure and establish a VPN connection using L2TP/IPsec or IKEv2.

***

## Steps on the VPS Server

### 1. Update and upgrade system packages

Ensure your server is up to date.

```bash theme={"system"}
sudo apt update && sudo apt upgrade -y
```

**Explanation:** Updates the package lists and upgrades installed packages to their latest versions, ensuring your system is secure and up to date.

### 2. Install required packages

Install `curl` and `wget`, which are necessary for downloading scripts and files.

```bash theme={"system"}
sudo apt install curl wget -y
```

### 3. Download and run the VPN setup script

Use the setup script from [hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn) to configure the VPN server.

```bash theme={"system"}
wget https://get.vpnsetup.net -O vpn.sh
```

Run the VPN setup script with custom DNS servers (optional).

```bash theme={"system"}
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh
```

**Explanation:**

* `VPN_DNS_SRV1` and `VPN_DNS_SRV2` set the DNS servers for VPN clients.

* The script will prompt you to enter VPN credentials (IPsec PSK, username, password). If not, it will generate them automatically.

**Script Output Example:**

```plaintext theme={"system"}
===============================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: x.x.x.x
IPsec PSK: Your_IPsec_PSK
Username: vpnuser
Password: Your_VPN_Password

Write these down. You'll need them to connect!

VPN client setup: https://vpnsetup.net/clients

===============================================

===============================================

IKEv2 setup successful. Details for IKEv2 mode:

VPN server address: x.x.x.x
VPN client name: vpnclient

Client configuration is available at:
/root/vpnclient.p12 (for Windows & Linux)
/root/vpnclient.sswan (for Android)
/root/vpnclient.mobileconfig (for iOS & macOS)

Next steps: Configure IKEv2 clients. See:
https://vpnsetup.net/clients

===============================================
```

**Note:** Replace `x.x.x.x` with your server's public IP address. The script outputs important VPN credentials—keep them secure.

### 4. Managing VPN users

### Adding a new VPN user

Download the user management script and add a new user.

```bash theme={"system"}
sudo wget https://get.vpnsetup.net/adduser -O /opt/src/addvpnuser.sh
sudo chmod +x /opt/src/addvpnuser.sh
sudo ln -s /opt/src/addvpnuser.sh /usr/bin/addvpnuser.sh

sudo addvpnuser.sh 'newusername' 'newpassword'
```

**Explanation:**

* The script `addvpnuser.sh` allows you to add new VPN users with specified usernames and passwords.

* Replace `'newusername'` and `'newpassword'` with the desired credentials.

### Removing a VPN user

Download the user removal script and remove an existing user.

```bash theme={"system"}
sudo wget https://get.vpnsetup.net/deluser -O /opt/src/delvpnuser.sh
sudo chmod +x /opt/src/delvpnuser.sh
sudo ln -s /opt/src/delvpnuser.sh /usr/bin/delvpnuser.sh

sudo delvpnuser.sh 'username_to_remove'
```

**Explanation:**

* The script `delvpnuser.sh` allows you to remove VPN users by specifying their username.

* Replace `'username_to_remove'` with the username you wish to delete.

***

## Steps on the Client Machine

### Option 1: connect using L2TP/IPsec

### 1. Install L2TP VPN client

Install the Network Manager L2TP plugin.

```bash theme={"system"}
sudo apt install network-manager-l2tp-gnome -y
```

**Explanation:** Installs the necessary packages to enable L2TP/IPsec VPN connections via the GNOME Network Manager.

### 2. Configure the VPN connection

Follow these steps to set up the VPN connection:

1. **Access VPN Settings:**

   * Go to **Settings** > **Network** > **VPN**.

   * Click the **+** button to add a new VPN connection.

2. **Select VPN Type:**

   * Choose **Layer 2 Tunneling Protocol (L2TP)**.

3. **General Configuration:**

   * **Name:** Enter a name for your VPN connection (e.g., `My L2TP VPN`).

   * **Gateway:** Enter your VPN server's IP address (`Your VPN Server IP`).

   * **User name:** Enter your VPN username (`Your VPN Username`).

   * **Password:** Click the **icon** next to the password field and select **Store the password only for this user**. Then enter your VPN password (`Your VPN Password`).

   * **NT Domain:** Leave this field blank.

4. **Configure IPsec Settings:**

   * Click on **IPsec Settings...**.

   * **Enable IPsec tunnel to L2TP host:** Check this box.

   * **Pre-shared key:** Enter your IPsec PSK (`Your VPN IPsec PSK`).

   * **Advanced Settings:**

     * Expand the **Advanced** section.

     * **Phase1 Algorithms:** Enter `aes128-sha1-modp2048`.

     * **Phase2 Algorithms:** Enter `aes128-sha1`.

5. **Save and Connect:**

   * Click **OK** to close the IPsec settings.

   * Click **Add** to save the VPN connection.

   * In the VPN settings, toggle the **VPN** switch to **ON** to connect.

**Explanation:**

* **Phase1 and Phase2 Algorithms:** These settings ensure compatibility with the VPN server configuration.

### 3. Verify the VPN connection

After connecting, verify your IP address to confirm that the VPN is working.

```bash theme={"system"}
curl ifconfig.me
```

**Explanation:** This command displays your public IP address, which should now be the VPN server's IP if the connection is successful.

### Option 2: connect using IKEv2

### 1. Install StrongSwan network manager plugin

```bash theme={"system"}
sudo apt install network-manager-strongswan -y
```

**Explanation:** Installs the StrongSwan plugin, enabling IKEv2 VPN connections via the Network Manager.

### 2. Obtain VPN client configuration files

You need the following files from your VPN server:

* `vpnclient.p12`: Contains the client certificate and private key.

* `vpnclient.mobileconfig`: Configuration profile for macOS/iOS (not needed for Linux).

* `vpnclient.sswan`: StrongSwan configuration file (optional).

**Securely copy these files to your client machine:**

```bash theme={"system"}
scp root@Your_VPN_Server_IP:/root/vpnclient.p12 ~/
```

**Explanation:** Replace `Your_VPN_Server_IP` with your VPN server's IP address.

### 3. Extract certificates and private key

Create a directory to store the certificates and extract them from the `.p12` file.

```bash theme={"system"}
mkdir ~/ikev2-vpn
cd ~/ikev2-vpn

openssl pkcs12 -in ~/vpnclient.p12 -cacerts -nokeys -out ca.cer
openssl pkcs12 -in ~/vpnclient.p12 -clcerts -nokeys -out client.cer
openssl pkcs12 -in ~/vpnclient.p12 -nocerts -nodes -out client.key

rm ~/vpnclient.p12
```

**Explanation:**

* `ca.cer`: The CA certificate.

* `client.cer`: Your client certificate.

* `client.key`: Your private key.

**Note:** If prompted for a password during extraction, simply press **Enter**.

### 4. Secure the Certificate and Key Files

It's important to protect these sensitive files.

```bash theme={"system"}
sudo chown root:root ca.cer client.cer client.key
sudo chmod 600 ca.cer client.cer client.key
```

**Explanation:** Changes ownership to root and restricts permissions to prevent unauthorized access.

### 5. Install network manager plugins (if not already installed)

Depending on your Linux distribution, install the necessary packages:

```bash theme={"system"}
# Ubuntu and Debian
sudo apt update
sudo apt install network-manager-strongswan -y

# Arch Linux
sudo pacman -Syu  # Update package lists
sudo pacman -S networkmanager-strongswan

# Fedora
sudo dnf install NetworkManager-strongswan-gnome

# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome
```

### 6. Configure the VPN connection

Follow these steps to set up the IKEv2 VPN connection:

1. **Access VPN Settings:**

   * Go to **Settings** > **Network** > **VPN**.

   * Click the **+** button to add a new VPN connection.

2. **Select VPN Type:**

   * Choose **IPsec/IKEv2 (strongSwan)**.

3. **General Configuration:**

   * **Name:** Enter a name for your VPN connection (e.g., `My IKEv2 VPN`).

4. **Gateway Configuration:**

   * **Address:** Enter your VPN server's IP address or domain name (`Your VPN Server IP`).

   * **Certificate:** Select the `ca.cer` file you extracted earlier.

5. **Client Authentication:**

   * **Authentication:** Choose **Certificate (/private key)**.

   * **Certificate (file):** Select the `client.cer` file.

   * **Private key:** Select the `client.key` file.

6. **Options Configuration:**

   * **Request an inner IP address:** Check this box.

7. **Cipher Proposals (Algorithms):**

   * **Enable custom proposals:** Check this box.

   * **IKE:** Leave this field blank.

   * **ESP:** Enter `aes128gcm16`.

8. **Save and Connect:**

   * Click **Add** to save the VPN connection.

   * In the VPN settings, toggle the **VPN** switch to **ON** to connect.

**Explanation:**

* **Certificates and Keys:** The client certificate and private key authenticate your device to the VPN server.

* **Cipher Proposals:** Setting custom proposals ensures that the encryption algorithms match those expected by the VPN server.

### 7. Verify the VPN connection

Check your public IP address to confirm that you are connected through the VPN.

```bash theme={"system"}
curl ifconfig.me
```

***

## Troubleshooting

* **Failed to Establish VPN Connection:**

  * Ensure that your server's firewall allows necessary VPN ports (e.g., UDP ports 500 and 4500 for IPsec).

  * Verify that VPN services are running on the server.

* **Authentication Errors:**

  * Double-check the VPN credentials (IPsec PSK, username, password).

  * Ensure that the certificates and keys are correctly installed and permissions are properly set.

* **DNS Issues:**

  * If you cannot resolve domain names after connecting, specify DNS servers in your VPN client settings or update the VPN server configuration to push DNS settings to clients.

* **StrongSwan Configuration Errors:**

  * Check logs for errors: `/var/log/syslog` or use `journalctl -xe`.

  * Ensure that the IKEv2 configuration matches between the client and server.

***

## Conclusion

By following this guide, you've successfully set up a VPN server on Ubuntu 22.04 that supports both L2TP/IPsec and IKEv2 protocols. This configuration enhances your network security by encrypting your internet traffic and providing flexible connection options for various clients.

***

## References

* [hwdsl2/setup-ipsec-vpn GitHub Repository](https://github.com/hwdsl2/setup-ipsec-vpn)

* [Managing VPN Users](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md)

* [Linux VPN Clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux)

* [IKEv2 VPN Setup](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#linux)

***

**Note:** Always ensure your use of VPNs complies with local laws and regulations. Keep your VPN credentials and certificates secure to prevent unauthorized access.
