How To Set Up A L2TP/IPSec VPN In A VPS


As mentioned before, PPTP VPN may not work on Mac OS X, at least on mine, so I have to use an L2TP/IPSec (L2TP over IPSec) VPN instead.

This post shows how to set up an L2TP/IPSec VPN in a VPS; all you need is a Xen VPS and a computer. As in the PPTP tutorial, the following steps use the Terminal application on a Mac. On Linux the steps are nearly the same, and on Windows you need to install PuTTY first.

By the way, make sure you are using Ubuntu 11.04, since lower versions (at least Ubuntu 10.04 LTS Lucid 64-bit) may not work. Here we go:


I. Connect to your VPS

Run your Terminal, and enter the following command:

ssh root@xxx.xxx.xxx.xxx

Just replace "xxx.xxx.xxx.xxx" with your VPS’ IP, such as "178.18.17.30".

Then you will see the following message:

Are you sure you want to continue connecting (yes/no)?

Enter "yes" and press the "Return" key, then, enter your password and press the "Return" key.

P.S.:

If you’ve rebuilt your VPS, you may meet the following error:

Host key verification failed.

In that case, enter the following command at first:

ssh-keygen -R xxx.xxx.xxx.xxx

Remember to replace "xxx.xxx.xxx.xxx" with your VPS’ IP address.

II. Install OpenSwan

Although you can enter the command "aptitude install openswan" to install OpenSwan directly, it did not work during my tests on two different VPS, so you had better get OpenSwan from its official website and install it yourself.

1. Enter the following command:

aptitude install build-essential

Press the "Return" key, then enter "y" and press the "Return" key again.

2. Enter the following command:

aptitude install libgmp3-dev gawk flex bison

Press the "Return" key, then enter "y" and press the "Return" key again.

3. Enter the following command:

wget http://www.openswan.org/download/openswan-2.6.35.tar.gz

Press the "Return" key.

4. Enter the following command:

tar xzvf openswan-2.6.35.tar.gz

Press the "Return" key.

5. Enter the following command:

cd openswan-2.6.35

Press the "Return" key.

6. Enter the following command:

make programs

Press the "Return" key.

7. Enter the following command:

make install

Press the "Return" key.

P.S.:

a. 2.6.35 is the latest version now; check the OpenSwan website later for a newer version and, if there is one, use it instead of this one.

b. When it says "Enter" something, you can always copy and paste it.

III. Edit IPSec

OpenSwan provides the IPSec layer, and IPSec in turn protects the L2TP tunnel.

1. Enter the following command:

vi /etc/ipsec.conf

Press the "Return" key, enter "dG" to delete all the existing contents, press the "i" key, then copy and paste the following:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.VPS.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Remember to change YOUR.VPS.IP.ADDRESS to your VPS' IP address, such as 178.18.17.30 for this post. To do so, press the "ESC" key to quit the insert mode, move the cursor to the "Y" letter, press the "i" key, enter your IP address, then press the "ESC" key, and move the cursor over the "YOUR.VPS.IP.ADDRESS" characters to delete them one by one with the "x" key. Alternatively, edit the contents in Notepad or Stickies first and paste them into your Terminal, so that no editing is needed afterwards.

After that, enter ":wq", then press the "Return" key to save.

P.S.:

You need to press the "i" key before you insert anything, and press the "ESC" key to quit the insert mode afterwards; otherwise the pasted text will not end up in the file as intended.

2. Enter the following command:

vi /etc/ipsec.secrets

Press the "Return" key, and press the "i" key, then enter the following content:

YOUR.VPS.IP.ADDRESS %any: PSK "YourSharedSecret"

For example:

178.18.17.30 %any: PSK "123456abcdef"

(Tip: press the Tab key to make a space between each value.)

Then press the "ESC" key, enter ":wq", and press the "Return" key to save.
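Steps 1 and 2 above (ipsec.conf and ipsec.secrets) can also be generated by a script instead of being hand-edited in vi, which avoids the stray-character and quoting mistakes the post warns about. The following is an added example, not code from the original post or from the OpenSwan project. It assumes the target directory is passed as the second argument (so it can be tried against a scratch directory before /etc), and it draws the pre-shared key from /dev/urandom rather than using a guessable value like 123456abcdef; the secrets file is written with mode 600 because anyone who can read it can impersonate the VPN server.

```shell
#!/bin/sh
# Added example (not the post's own code): render ipsec.conf and
# ipsec.secrets from the settings in the post with the VPS address
# substituted. Usage: install_ipsec_config VPS_IP TARGET_DIR

# Returns 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints a random 32-byte pre-shared key as 64 hex characters.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Prints the ipsec.conf from the post, with left= set to the VPS address.
render_ipsec_conf() {
    vps_ip=$1
    cat <<EOF
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$vps_ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
}

# Writes both files into $2 (e.g. /etc) and prints the generated PSK so it
# can be entered on the client. Refuses a malformed address up front.
install_ipsec_config() {
    vps_ip=$1
    etc_dir=$2
    valid_ipv4 "$vps_ip" || { echo "bad IPv4 address: $vps_ip" >&2; return 1; }
    psk=$(gen_psk)
    render_ipsec_conf "$vps_ip" > "$etc_dir/ipsec.conf"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$vps_ip" "$psk" > "$etc_dir/ipsec.secrets" )
    chmod 600 "$etc_dir/ipsec.secrets"
    echo "$psk"
}
```

Run it as root with `install_ipsec_config 178.18.17.30 /etc`, note the printed key for the client's "Shared Secret" field, then continue with step 3 and `service ipsec restart` as in the post.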

3. Enter the following commands one by one:

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

Remember to press the "Return" key after every command.

4. Enter the following command:

service ipsec restart

And then press the "Return" key.

P.S.:

Enter "ipsec verify" and press the "Return" key; if everything is right, you will see results like the following image:

[Image: the output of "ipsec verify" with the checks passing]

If not, double check the above steps, especially the "ipsec.conf" settings.

IV. Install L2TP

L2TP runs on top of IPSec and carries the actual VPN traffic.

1. Enter the following command:

cd ..

Press the "Return" key to go back to the parent directory (root's home directory).

2. Enter the following command:

aptitude install xl2tpd

Press the "Return" key, enter "y" and press the "Return" key again.

3. Enter the following command:

vi /etc/xl2tpd/xl2tpd.conf

And enter "dG" to delete all the existing contents, then press the "i" key, and paste the following contents:

[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Then press the "ESC" key, enter ":wq", and press the "Return" key to save.

V. Set up xl2tpd

This assumes your VPS already has PPP support; if not, enter "aptitude install ppp" before the following steps:

1. Enter the following command:

vi /etc/ppp/options.xl2tpd

Press the "Return" key, and press the "i" key, then paste the following codes:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Then press the "ESC" key, enter ":wq", and press the "Return" key to save it.

P.S.:

You can also replace 8.8.8.8 and 8.8.4.4 with 208.67.222.222 and 208.67.220.220.

2. Enter the following command:

vi /etc/ppp/chap-secrets

Press the "Return" key, then press the "i" key and enter the following contents:

username l2tpd password *

For example:

freenuts l2tpd 123456 *

Again, remember to use the "Tab" key for a space, then press the "ESC" key, enter ":wq" and press the "Return" key to save it.
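Adding an account to chap-secrets can be done with a script that checks the fields and the file permissions, which a hand edit in vi does not. The following is an added example, not code from the original post: the file path is a parameter (so it can be tried against a scratch file before /etc/ppp/chap-secrets), the server name l2tpd comes from the "name l2tpd" option above, and the generated hex password stands in for the "123456" example.

```shell
#!/bin/sh
# Added example (not the post's own code): add a VPN account to a
# pppd chap-secrets file. Usage: add_chap_user FILE USERNAME [PASSWORD]

# Rejects empty fields and fields containing whitespace or quotes, which
# would change how pppd splits the line into its four columns.
sane_field() {
    case "$1" in
        '') return 1 ;;
        *[[:space:]]*|*\"*|*\'*) return 1 ;;
    esac
    return 0
}

# Prints a random 16-byte password as 32 hex characters.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Appends "user<TAB>l2tpd<TAB>password<TAB>*", refusing duplicate usernames,
# and keeps the file readable only by root. Prints the password used.
add_chap_user() {
    file=$1; user=$2; pass=${3:-$(gen_password)}
    sane_field "$user" || { echo "bad username" >&2; return 1; }
    sane_field "$pass" || { echo "bad password" >&2; return 1; }
    if [ -f "$file" ] && grep -q -- "^$user[[:space:]]" "$file"; then
        echo "user $user already exists" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf '%s\tl2tpd\t%s\t*\n' "$user" "$pass" >> "$file" )
    chmod 600 "$file"
    echo "$pass"
}

# Lists the configured usernames (first column), skipping comment lines.
list_chap_users() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 3 { print $1 }'
}
```

For example, `add_chap_user /etc/ppp/chap-secrets freenuts` prints the generated password to hand to the user; pppd picks the file up on the next connection, so no restart of xl2tpd is needed for new accounts.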

3. Enter the following command:

service xl2tpd restart

Press the "Return" key.

VI. IP forward

This step lets your VPN reach the whole internet:

1. Enter the following command:

vi /etc/sysctl.conf

Press the "Return" key, find the line "#net.ipv4.ip_forward=1" and remove the "#" by pressing "x", then press "ESC" and enter ":wq" to save it.

2. Enter the following command:

sysctl -p

Press the "Return" key; if everything is right, the only output will be "net.ipv4.ip_forward=1".

3. Enter the following command:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

Now you can connect to your L2TP/IPSec VPN and use it to access any blocked sites. However, if you reboot your VPS, the forwarding settings will be gone; to avoid this, enter the following command:

vi /etc/rc.local

Press the "Return" key and paste the following contents before the "exit 0" line:

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
/etc/init.d/ipsec restart

Save it, then you are done.
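The rc.local block above appends the MASQUERADE rule every time it runs, so running it a second time (or from both rc.local and a shell) stacks duplicate rules. The script below is an added example, not the post's own code, that makes each step idempotent and prints the resulting state so the boot script can be checked. It assumes the post's 10.1.1.0/24 subnet and eth0 interface as defaults, and a PROC_ROOT variable (an assumption introduced here for testing) that lets the /proc writes be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example (not the post's own code): a reboot-safe replacement for
# the rc.local block. Run as: sh rc-vpn.sh run

VPN_SUBNET=${VPN_SUBNET:-10.1.1.0/24}   # the post's PPP address range
WAN_IF=${WAN_IF:-eth0}                  # outbound interface from the post
PROC_ROOT=${PROC_ROOT:-}                # prefix for /proc, empty on a real host

# Disables ICMP redirect acceptance and sending on every interface, as
# the post's loop does; writing 0 twice is harmless.
disable_redirects() {
    for each in "$PROC_ROOT"/proc/sys/net/ipv4/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# Turns IP forwarding on only if it is not already on.
enable_forwarding() {
    f="$PROC_ROOT"/proc/sys/net/ipv4/ip_forward
    [ "$(cat "$f")" = "1" ] || echo 1 > "$f"
}

# Adds the MASQUERADE rule only when "iptables -C" reports it absent,
# so repeated runs never accumulate duplicate NAT rules.
ensure_masquerade() {
    if iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null; then
        return 0
    fi
    iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE
}

# Prints the kernel state as name=value lines for a quick audit.
report_state() {
    echo "ip_forward=$(cat "$PROC_ROOT"/proc/sys/net/ipv4/ip_forward)"
    for each in "$PROC_ROOT"/proc/sys/net/ipv4/conf/*; do
        echo "$(basename "$each").accept_redirects=$(cat "$each/accept_redirects")"
    done
}

main() {
    disable_redirects
    enable_forwarding
    ensure_masquerade
    report_state
    /etc/init.d/ipsec restart
}

# Only act when invoked with "run", so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it somewhere like /usr/local/sbin/rc-vpn.sh and call `sh /usr/local/sbin/rc-vpn.sh run` from /etc/rc.local before the "exit 0" line. If your iptables is too old to support `-C`, replace that check with `iptables-save -t nat | grep -q -- "-s $VPN_SUBNET .* -j MASQUERADE"`.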

Bonus:

The following is an L2TP/IPSec VPN account created in a 2Host VPS according to the above tutorial:

Server Address: 178.18.17.30
Account Name: freenuts
Password: 123456
Shared Secret: 123456abcdef

The above VPN will be free and available for a month; check out this post for how to use it on your computer and mobile phone.
