L2TP/IPsec and IKEv2 VPN
This guide provides step-by-step instructions for setting up a VPN server on Ubuntu 22.04 that supports both L2TP/IPsec and IKEv2. It uses the hwdsl2/setup-ipsec-vpn scripts, which install and configure Libreswan (IPsec) and xl2tpd (L2TP) for you, so a working server takes only a few commands. Clients can then connect with either L2TP/IPsec (pre-shared key plus username and password) or IKEv2 (client certificate), which gives you flexibility and strong encryption for your VPN connections.
- VPS Server:
  - A server running Ubuntu 22.04 with a public IP address.
  - Root or sudo access.
- Client Machine:
  - A computer running Ubuntu or another Linux distribution whose NetworkManager offers the L2TP and strongSwan VPN plugins.
  - Root or sudo access.
We will perform the following high-level steps:
- On the VPS Server:
  - Update system packages.
  - Install necessary dependencies.
  - Run the VPN setup script to configure the L2TP/IPsec and IKEv2 VPN server.
  - Manage VPN users (add or remove).
- On the Client Machine:
  - Install VPN client software.
  - Configure and establish a VPN connection using L2TP/IPsec or IKEv2.
Ensure your server is up to date.
Explanation: Updates the package lists and upgrades installed packages to their latest versions, ensuring your system is secure and up to date.
Install curl and wget, which are necessary for downloading scripts and files.
Use the setup script from hwdsl2/setup-ipsec-vpn to configure the VPN server.
Run the VPN setup script with custom DNS servers (optional).
Explanation:
- VPN_DNS_SRV1 and VPN_DNS_SRV2 set the DNS servers for VPN clients.
- The script takes the VPN credentials (IPsec PSK, username, password) from the environment variables VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD if you set them; otherwise it generates random values and prints them at the end of the run. It does not prompt for them.
Script Output Example:
Note: Replace x.x.x.x with your server's public IP address. The script prints the VPN credentials at the end of the run; anyone holding the PSK plus a username and password can connect, so store them securely. They are also written on the server (the PSK to /etc/ipsec.secrets, L2TP users to /etc/ppp/chap-secrets), so keep those files readable by root only.
Download the user management script and add a new user.
Explanation:
- The script addvpnuser.sh allows you to add new VPN users with specified usernames and passwords.
- Replace 'newusername' and 'newpassword' with the desired credentials.
Download the user removal script and remove an existing user.
Explanation:
- The script delvpnuser.sh allows you to remove VPN users by specifying their username.
- Replace 'username_to_remove' with the username you wish to delete.
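The server-side steps above (update the system, install curl and wget, run the setup script with optional DNS servers, then add or remove users) as one script. This is an added example, not code from this page or from hwdsl2/setup-ipsec-vpn; it only downloads and runs the project's published scripts, saving the user scripts under the names this guide uses. Assumptions to verify against the project README before use: the download URLs (https://get.vpnsetup.net for vpn.sh, and the /user and /deluser short links for the user scripts), the VPN_DNS_SRV1, VPN_DNS_SRV2, VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD variable names, and the setup script's rule that credentials must not be empty, contain backslash or quote characters, or contain non-ASCII bytes.

```sh
#!/bin/sh
# vpn-server.sh: added example wrapping the server-side steps of this guide.
# Not part of the page or of hwdsl2/setup-ipsec-vpn; it fetches and runs the
# project's own scripts. Run on the VPS as root:
#   sudo sh vpn-server.sh deploy                       # random credentials
#   sudo sh vpn-server.sh deploy 1.1.1.1 1.0.0.1       # custom DNS for clients
#   sudo VPN_USER=alice VPN_PASSWORD='S3cret-pw' VPN_IPSEC_PSK='Long-PSK' \
#        sh vpn-server.sh deploy
#   sudo sh vpn-server.sh adduser bob 'B0b-pw'
#   sudo sh vpn-server.sh deluser bob
# Assumptions (verify in the project README): the URLs below and the VPN_*
# variable names are the ones the project documents.
set -eu

VPN_SH_URL="https://get.vpnsetup.net"
ADD_USER_URL="https://get.vpnsetup.net/user"
DEL_USER_URL="https://get.vpnsetup.net/deluser"

# The setup script refuses credentials that are empty, contain \ " ' or contain
# non-ASCII bytes; apply the same rule locally before anything touches the VPS.
check_cred() {
  [ -n "$1" ] || return 1
  case "$1" in *[\\\"\']*) return 1 ;; esac
  printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
  return 0
}

# Only dotted-quad IPv4 with octets 0-255 is accepted for VPN_DNS_SRV1/2.
check_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for oct in "$@"; do [ "$oct" -le 255 ] || return 1; done
  return 0
}

need_root() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; exit 1; }
}

deploy() {
  need_root
  # Unset credential variables are fine (the script generates values);
  # set ones must pass the same validation the script applies.
  for v in "${VPN_IPSEC_PSK-}" "${VPN_USER-}" "${VPN_PASSWORD-}"; do
    [ -z "$v" ] || check_cred "$v" || { echo "invalid VPN credential" >&2; exit 1; }
  done
  apt-get update && apt-get upgrade -y          # step 1: bring the system up to date
  apt-get install -y curl wget                  # step 2: download tools
  wget -q "$VPN_SH_URL" -O vpn.sh               # step 3: fetch the setup script
  if [ $# -eq 2 ]; then
    check_ipv4 "$1" && check_ipv4 "$2" || { echo "DNS servers must be IPv4" >&2; exit 1; }
    # Exported VPN_* credentials are inherited by vpn.sh; the DNS servers are
    # passed the same way. Generated credentials are printed at the end of the
    # run and stored in /etc/ipsec.secrets and /etc/ppp/chap-secrets.
    VPN_DNS_SRV1="$1" VPN_DNS_SRV2="$2" sh vpn.sh
  elif [ $# -eq 0 ]; then
    sh vpn.sh
  else
    echo "usage: deploy [DNS1 DNS2]" >&2; exit 1
  fi
}

adduser_vpn() {
  need_root
  check_cred "$1" && check_cred "$2" || { echo "invalid username or password" >&2; exit 1; }
  wget -q "$ADD_USER_URL" -O addvpnuser.sh
  sh addvpnuser.sh "$1" "$2"
}

deluser_vpn() {
  need_root
  check_cred "$1" || { echo "invalid username" >&2; exit 1; }
  wget -q "$DEL_USER_URL" -O delvpnuser.sh
  sh delvpnuser.sh "$1"
}

case "${1:-}" in
  deploy)  shift; deploy "$@" ;;
  adduser) adduser_vpn "$2" "$3" ;;
  deluser) deluser_vpn "$2" ;;
  *) : ;;   # no subcommand: only define the functions
esac
```

Validation happens before apt or the download run, so a bad PSK is caught on your terminal rather than by the setup script half-way through a run.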
Install the Network Manager L2TP plugin.
Explanation: Installs the necessary packages to enable L2TP/IPsec VPN connections via the GNOME Network Manager.
Follow these steps to set up the VPN connection:
- Access VPN Settings:
- Go to Settings > Network > VPN.
- Click the + button to add a new VPN connection.
- Select VPN Type:
- Choose Layer 2 Tunneling Protocol (L2TP).
- General Configuration:
- Name: Enter a name for your VPN connection (e.g., My L2TP VPN).
- Gateway: Enter your VPN server's IP address (Your VPN Server IP).
- User name: Enter your VPN username (Your VPN Username).
- Password: Click the icon next to the password field and select Store the password only for this user. Then enter your VPN password (Your VPN Password).
- NT Domain: Leave this field blank.
- Configure IPsec Settings:
- Click on IPsec Settings....
- Enable IPsec tunnel to L2TP host: Check this box.
- Pre-shared key: Enter your IPsec PSK (Your VPN IPsec PSK).
- Advanced Settings:
- Expand the Advanced section.
- Phase1 Algorithms: Enter aes128-sha1-modp2048.
- Phase2 Algorithms: Enter aes128-sha1.
- Save and Connect:
- Click OK to close the IPsec settings.
- Click Add to save the VPN connection.
- In the VPN settings, toggle the VPN switch to ON to connect.
Explanation:
- Phase1 and Phase2 Algorithms: the client must offer an IKE (Phase 1) and ESP (Phase 2) proposal that the server accepts; these values match what the hwdsl2 server configuration negotiates for L2TP/IPsec.
- Pre-shared key: the PSK is the same for every L2TP/IPsec user of this server, so treat it as a server-wide secret. Where the client supports it, prefer IKEv2, which authenticates each client with its own certificate.
After connecting, verify your IP address to confirm that the VPN is working.
Explanation: This command displays your public IP address, which should now be the VPN server's IP if the connection is successful.
Explanation: Installs the StrongSwan plugin, enabling IKEv2 VPN connections via the Network Manager.
You need the following files from your VPN server:
- vpnclient.p12: Contains the client certificate and private key.
- vpnclient.mobileconfig: Configuration profile for macOS/iOS (not needed for Linux).
- vpnclient.sswan: Profile for the strongSwan Android app (not needed for Linux).
Securely copy these files to your client machine:
Explanation: Replace Your_VPN_Server_IP with your VPN server's IP address.
Create a directory to store the certificates and extract them from the .p12 file.
Explanation:
- ca.cer: The CA certificate.
- client.cer: Your client certificate.
- client.key: Your private key.
Note: If prompted for a password during extraction, enter the .p12 password shown in the server script's output; if the bundle was exported without one, simply press Enter.
It's important to protect these sensitive files.
Explanation: Changes ownership to root and restricts permissions so that the private key is readable only by its owner; any local account that could read client.key could impersonate this client to the VPN server.
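The copy, extract and lock-down steps above as one script, plus a sanity check the guide does not include: that client.key really belongs to client.cer and that client.cer chains to ca.cer. This is an added example, not code from this page or from hwdsl2/setup-ipsec-vpn. It assumes openssl and scp are installed on the client and that the server script left vpnclient.p12 in the home directory of the account you log in with (the hypothetical argument root@<server-ip> below stands for that account and host).

```sh
#!/bin/sh
# ikev2-client.sh: added example (not from this page or from hwdsl2).
#   sh ikev2-client.sh fetch root@<server-ip> [p12-password]
#   sh ikev2-client.sh extract ./vpnclient.p12 ~/vpn-certs [p12-password]
# Assumes: openssl and scp on the client; vpnclient.p12 in the remote
# account's home directory.
set -eu

# Split a PKCS#12 bundle into the PEM files the NetworkManager strongSwan
# plugin expects. The password goes through -passin so nothing prompts;
# pass "" for a bundle exported without a password.
extract_p12() {
  p12=$1; out=$2; pass=${3:-}
  mkdir -p "$out"
  (
    umask 077   # every new file starts owner-only; the certs are widened below
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.cer"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$out/client.cer"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/client.key"
  )
  chmod 644 "$out/ca.cer" "$out/client.cer"
  chmod 600 "$out/client.key"
  # NetworkManager runs as root; root ownership keeps other local accounts
  # from swapping the files. Only possible when run with sudo.
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$out/ca.cer" "$out/client.cer" "$out/client.key"
  fi
}

# True when the public key inside the certificate equals the one derived
# from the private key (works for RSA and EC keys alike).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

verify_bundle() {
  key_matches_cert "$1/client.key" "$1/client.cer" ||
    { echo "client.key does not belong to client.cer" >&2; return 1; }
  openssl verify -CAfile "$1/ca.cer" "$1/client.cer" >/dev/null ||
    { echo "client.cer is not signed by ca.cer" >&2; return 1; }
  echo "certificate bundle OK in $1"
}

case "${1:-}" in
  fetch)
    # scp rides on SSH, so the private key inside the bundle never crosses
    # the network in clear.
    scp "$2:vpnclient.p12" ./vpnclient.p12
    extract_p12 ./vpnclient.p12 "$HOME/vpn-certs" "${3:-}"
    verify_bundle "$HOME/vpn-certs" ;;
  extract)
    extract_p12 "$2" "$3" "${4:-}"
    verify_bundle "$3" ;;
  *) : ;;   # no subcommand: only define the functions
esac
```

The umask is set inside a subshell so the key file is never world-readable, not even for the instant between creation and chmod; with a default umask of 022 the plain three-command sequence leaves that window open.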
Depending on your Linux distribution, install the necessary packages:
Follow these steps to set up the IKEv2 VPN connection:
- Access VPN Settings:
- Go to Settings > Network > VPN.
- Click the + button to add a new VPN connection.
- Select VPN Type:
- Choose IPsec/IKEv2 (strongSwan).
- General Configuration:
- Name: Enter a name for your VPN connection (e.g., My IKEv2 VPN).
- Gateway Configuration:
- Address: Enter your VPN server's IP address or domain name (Your VPN Server IP).
- Certificate: Select the ca.cer file you extracted earlier.
- Client Authentication:
- Authentication: Choose Certificate (/private key).
- Certificate (file): Select the client.cer file.
- Private key: Select the client.key file.
- Options Configuration:
- Request an inner IP address: Check this box.
- Cipher Proposals (Algorithms):
- Enable custom proposals: Check this box.
- IKE: Leave this field blank.
- ESP: Enter aes128gcm16.
- Save and Connect:
- Click Add to save the VPN connection.
- In the VPN settings, toggle the VPN switch to ON to connect.
Explanation:
- Certificates and Keys: The client certificate and private key authenticate your device to the VPN server.
- Cipher Proposals: Setting custom proposals ensures that the encryption algorithms match those expected by the VPN server.
Check your public IP address to confirm that you are connected through the VPN.
- Failed to Establish VPN Connection:
- Ensure that the server's firewall allows the VPN ports (UDP 500 for IKE and UDP 4500 for NAT traversal). On a cloud VPS this includes the provider's security group or network firewall, not only the host's iptables rules. UDP 1701 (L2TP) does not need to be reachable from outside: it is carried inside the IPsec tunnel.
- Verify that the VPN services are running on the server: with the hwdsl2 setup these are the ipsec (Libreswan) and xl2tpd services.
- Authentication Errors:
- Double-check the VPN credentials (IPsec PSK, username, password).
- Ensure that the certificates and keys are correctly installed and permissions are properly set.
- DNS Issues:
- If you cannot resolve domain names after connecting, specify DNS servers in your VPN client settings or update the VPN server configuration to push DNS settings to clients.
- StrongSwan Configuration Errors:
- Check the logs for errors. On the client, the strongSwan plugin logs through NetworkManager: use journalctl -u NetworkManager, /var/log/syslog, or journalctl -xe for the most recent messages. On the server, Libreswan (pluto) logs to /var/log/auth.log and xl2tpd to /var/log/syslog.
- Ensure that the IKEv2 settings on the client match the server: the CA and client certificate must come from the vpnclient.p12 this server exported, the Address must match the IP or domain name the server certificate was issued for, and the ESP proposal (aes128gcm16) must be one the server accepts.
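A server-side check script for the troubleshooting points above, as an added example that is not part of this page or of hwdsl2/setup-ipsec-vpn. It assumes the hwdsl2 layout (Libreswan as the ipsec systemd unit, xl2tpd for L2TP) and that ss, systemctl and journalctl exist on the server. The socket check is written to read ss output from standard input, so it can be fed a captured sample as well as the live listing.

```sh
#!/bin/sh
# vpn-check.sh: added example (not from this page or from hwdsl2).
# Run on the VPS as root:  sudo sh vpn-check.sh run
# Assumes the hwdsl2 layout: "ipsec" (Libreswan) and "xl2tpd" units.
set -eu

# Read `ss -lun` output on stdin; succeed if some UDP socket listens on
# port $1. Any column ending in ":<port>" counts, so 0.0.0.0:500,
# [::]:500 and *:500 all match; the header line (NR == 1) is skipped.
udp_listening() {
  awk -v p="$1" '
    NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
    END    { exit found ? 0 : 1 }'
}

unit_active() {
  systemctl is-active --quiet "$1"
}

run_checks() {
  rc=0
  for unit in ipsec xl2tpd; do
    if unit_active "$unit"; then echo "ok    $unit active"
    else echo "FAIL  $unit not active (systemctl status $unit)"; rc=1; fi
  done
  sockets=$(ss -lun)
  # 500/4500 (IKE, NAT-T) must listen here and be reachable from the
  # Internet, so also check the host firewall and any cloud security group.
  # 1701 (L2TP) only has to listen locally: clients reach it inside the
  # IPsec tunnel, and the setup script's iptables rules drop it from outside.
  for port in 500 4500 1701; do
    if printf '%s\n' "$sockets" | udp_listening "$port"; then echo "ok    udp/$port listening"
    else echo "FAIL  udp/$port has no listener"; rc=1; fi
  done
  # Where to look when a client cannot connect: pluto (Libreswan) and xl2tpd
  # both log to the journal; on Ubuntu pluto also writes to /var/log/auth.log.
  echo "--- last 20 IPsec/L2TP log lines ---"
  journalctl -u ipsec -u xl2tpd -n 20 --no-pager || true
  return $rc
}

if [ "${1:-}" = run ]; then run_checks; fi
```

The script exits non-zero when any unit or listener is missing, so it can be run from cron or a monitoring agent after the server is deployed.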
By following this guide, you have set up a VPN server on Ubuntu 22.04 that supports both L2TP/IPsec and IKEv2. This configuration encrypts traffic between your clients and the server and gives clients a choice of connection method, with IKEv2 and per-client certificates as the stronger option where it is supported.
Note: Always ensure your use of VPNs complies with local laws and regulations. Keep your VPN credentials and certificates secure to prevent unauthorized access.