To build an L2TP/IPSec VPN, follow these 6 steps:
1. Install OpenSwan
Enter the following command lines one by one:
aptitude install build-essential
aptitude install libgmp3-dev gawk flex bison
wget http://www.openswan.org/download/openswan-2.6.35.tar.gz
tar xzvf openswan-2.6.35.tar.gz
cd openswan-2.6.35
make programs
make install
Remember to press the "Return" key when entering any one of the above lines.
By the way, 2.6.35 was the latest version at the time of my test; you can check the OpenSwan website to see if there is a newer version, and if so, use it instead.
2. Edit IPSec
Firstly, open the ipsec.conf file with the following command:
vi /etc/ipsec.conf
Delete all the existing contents, and paste the following ones:
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.VPS.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Remember to change YOUR.VPS.IP.ADDRESS to your VPS IP address, such as 178.18.17.30 for this tutorial.
Secondly, open the ipsec.secrets file with the following code:
vi /etc/ipsec.secrets
And insert the following content:
YOUR.VPS.IP.ADDRESS %any: PSK "YourSharedSecret"
For example:
178.18.17.30 %any: PSK "123456abcdef"
Thirdly, enter the following command lines one by one:
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
Remember to press the "Return" key after every command line.
Fourthly, restart IPSEC with the following command:
service ipsec restart
3. Install L2TP
Go back to the root directory, and install the L2TP package with the following command line:
aptitude install xl2tpd
After installation, open the conf file with the following code:
vi /etc/xl2tpd/xl2tpd.conf
Delete all the existing content and paste the following one:
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
4. Set up xl2tpd
Enter the following command:
vi /etc/ppp/options.xl2tpd
Then insert the following codes:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
After that, open the chap-secrets file:
vi /etc/ppp/chap-secrets
And insert the following content (one line per user: client name, server name, password, allowed client IP):
username l2tpd password *
For example:
freenuts l2tpd 123456 *
Then, restart L2TP:
service xl2tpd restart
5. IP forward
Enter the following command:
vi /etc/sysctl.conf
Press the "Return" key, find the line "#net.ipv4.ip_forward=1" and uncomment it.
After that, enter the following command:
sysctl -p
Press the "Return" key; if everything is right, the only output will be "net.ipv4.ip_forward=1".
After that, enter the following command:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
6. For reboot
Now you can connect to your L2TP/IPSec VPN, but if you reboot your VPS the forwarding and redirect settings will be lost. To avoid this, enter the following command:
vi /etc/rc.local
Press the "Return" key and paste the following contents before the "exit 0" line:
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
/etc/init.d/ipsec restart
Save it, then you are done.
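As an added check that is not part of the original tutorial, the following shell script verifies the settings from steps 2, 5 and 6 after a reboot: ICMP redirects disabled on every interface, the ip_forward line really uncommented, the MASQUERADE rule present in an iptables-save dump, and ipsec.secrets no longer holding the placeholder address or the example secret. Every path is a parameter (defaulting to the real system location) so the functions can be run against the live host or against constructed fixture files.

```shell
#!/bin/sh
# Post-setup sanity checks for the L2TP/IPSec server described above.
# Each function takes the file or directory to inspect as an argument,
# defaulting to the real system path, so the same code runs against
# the live host or against test fixtures created under a temp dir.

# Apply the tutorial's loop: disable ICMP redirects on every interface.
disable_redirects() {
    d="${1:-/proc/sys/net/ipv4/conf}"
    for each in "$d"/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# Verify accept_redirects and send_redirects are 0 on every interface.
check_redirects_disabled() {
    d="${1:-/proc/sys/net/ipv4/conf}"
    for each in "$d"/*; do
        for knob in accept_redirects send_redirects; do
            [ "$(cat "$each/$knob")" = "0" ] || return 1
        done
    done
    return 0
}

# sysctl.conf must carry an uncommented net.ipv4.ip_forward=1 line
# (a line still starting with '#' does not count).
check_ip_forward_conf() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}"
}

# The NAT rule for the 10.1.1.0/24 client pool must appear in an
# `iptables-save -t nat` dump saved to the file given as $1.
check_masquerade_rule() {
    grep -Fqx -e '-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE' "$1"
}

# ipsec.secrets must not still hold the placeholder address or the
# example secret shown in this tutorial.
check_secrets_customised() {
    ! grep -Eq 'YOUR\.VPS\.IP\.ADDRESS|"123456abcdef"' "${1:-/etc/ipsec.secrets}"
}
```

Run each check without arguments on the server (as root) after the reboot; a non-zero exit status from any function means the corresponding step in the tutorial did not survive.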