Environments supported by this script:
Supported systems: CentOS6+, Debian7+, Ubuntu12+
Memory requirement: ≥128M
Updated on: September 12, 2016
About this script:
Terminology is explained below
L2TP (Layer 2 Tunneling Protocol)
IPSec (Internet Protocol Security)
IKEv2 (Internet Key Exchange v2)
At present, there are generally three ways to implement IPsec: openswan, libreswan, and strongswan.
libreswan is a fork of openswan, so openswan has basically disappeared from current distributions. Of course, some also use strongswan.
The reason for updating the one-click L2TP installation script is that as Linux distributions continue to evolve, the original script no longer meets current needs.
This script implements IPSec by compiling and installing the latest version of libreswan (on CentOS7, everything is installed via yum), installs xl2tpd via yum or apt-get, and then deploys firewall rules according to the usage differences among distributions.
Before you begin:
This tutorial involves SSH operations. If you are not familiar with them, you should read this article first: Detailed beginner's guide to using the Linux SSH connection tool Putty
VPS instances based on OpenVZ virtualization technology need TUN/TAP enabled in order to work properly. Before purchasing a VPS, please check with the provider whether TUN/TAP can be enabled.
Correction: A VPS virtualized with OpenVZ must have kernel support for IPSec. In other words, if the host server’s kernel does not support it, there is no solution other than switching to another VPS.
Therefore, installing this script on an OpenVZ VPS is generally not recommended. If the script detects that the VPS uses the OpenVZ architecture, it will display a warning.
How do you check whether the TUN module is supported?
Check the PPP/TUN environment
First, check whether pptpd can be installed on the VPS and whether TUN and PPP are enabled.
- cat /dev/net/tun
The returned result must be:
- cat: /dev/net/tun: File descriptor in bad state
Run:
- cat /dev/ppp
The return must be:
- cat: /dev/ppp: No such device or address
If the returned content does not match the results shown above, please contact your VPS provider to change the network permissions.
Of course, the script will also perform a check during installation, and if the environment is not suitable for installation, the script will provide a prompt.
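An added pre-flight check, not part of teddysun's script, that repeats the two device tests above and recognises the expected messages; anything else, including "No such file or directory" for a node that is absent on an OpenVZ VPS without TUN/TAP, is reported as unusable. The file name and the `run` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of teddysun's l2tp.sh: a pre-flight check that
# repeats the two device tests above and classifies their output.
# Assumption: the expected messages are exactly the ones quoted in this
# article; any other text (or a clean read) means the device is not usable.

# classify_dev_output DEVICE MESSAGE -> 0 when MESSAGE is the expected
# error for DEVICE, 1 otherwise. Pure string logic, so it is testable offline.
classify_dev_output() {
    case "$1" in
        /dev/net/tun)
            case "$2" in *"File descriptor in bad state"*) return 0 ;; esac ;;
        /dev/ppp)
            case "$2" in *"No such device or address"*) return 0 ;; esac ;;
    esac
    return 1
}

# probe_dev DEVICE: run `cat DEVICE` as the article does, keep only stderr,
# and report. A missing node (OpenVZ without TUN/TAP) yields
# "No such file or directory", which is correctly reported as unusable.
probe_dev() {
    # cat fails immediately on a working node; bound it anyway in case a
    # misconfigured device is readable and would block.
    if command -v timeout >/dev/null 2>&1; then
        out=$(timeout 2 cat "$1" 2>&1 >/dev/null)
    else
        out=$(cat "$1" 2>&1 >/dev/null)
    fi
    if classify_dev_output "$1" "$out"; then
        echo "$1: ok"
        return 0
    fi
    echo "$1: NOT usable (${out:-readable, no error})"
    return 1
}

# preflight: both devices must pass, as the install script also requires.
preflight() {
    rc=0
    probe_dev /dev/net/tun || rc=1
    probe_dev /dev/ppp || rc=1
    return $rc
}

# Run the check only when invoked as: sh l2tp-preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```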
Usage:
After logging in as the root user, run the following commands:
- wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh
- chmod +x l2tp.sh
- ./l2tp.sh
After execution, the following interactive interface will appear
- Please input IP-Range:
- (Default Range: 192.168.18): #Enter the local IP range here (the local IP address assigned to your computer after it connects to the VPS). Press Enter directly to use the default value 192.168.18
- Please input PSK:
- (Default PSK: teddysun.com): #PSK means pre-shared key, which is the key that will be required when connecting later. Press Enter directly to use the default value teddysun.com
- Please input Username:
- (Default Username: teddysun): #Username is the name of the first default user. Press Enter directly to use the default value teddysun
- Please input teddysun's password:
- (Default Password: Q4SKhu2EXQ): #Enter the user password. By default, a random 10-character password containing uppercase and lowercase letters and digits is generated, but you can also specify your own password.
- ServerIP:your_server_main_IP #Displays the primary IP of your VPS (if your VPS has multiple IPs, only one is shown)
- Server Local IP:192.168.18.1 #Displays the local IP of your VPS (the default is fine)
- Client Remote IP Range:192.168.18.2-192.168.18.254 #Displays the IP range
- PSK:teddysun.com #Displays the PSK
- Press any key to start...or Press Ctrl+c to cancel #Press any key to continue. To cancel the installation, press Ctrl+c.
After the installation is complete, the script will run the ipsec verify command and display the following prompt:
- If there are no [FAILED] above, then you can connect to your L2TP VPN Server with the default Username/Password is below:
- ServerIP:your_server_IP
- PSK:your PSK
- Username:your usename
- Password:your password
- If you want to add users, please modify
- /etc/ppp/chap-secrets and add it.
- Welcome to visit https://teddysun.com/448.html
- Enjoy it!
If you want to add users, you can manage them with the following commands:
- l2tp -a Add a user
- l2tp -d Delete a user
- l2tp -l List all users
- l2tp -m Change a user's password
- l2tp -h Show help information
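As an added example, not teddysun's own `l2tp -a`/`-d`/`-l` implementation, these POSIX shell helpers perform the /etc/ppp/chap-secrets edit that the script's final message asks for. They assume pppd's four-field line format ("client server secret ip") and that the script configured the L2TP server name as "l2tpd"; both the path and the server name are overridable variables so the functions can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not teddysun's own l2tp -a/-d/-l implementation: helpers for
# /etc/ppp/chap-secrets, the file the script's final message tells you to edit.
# Assumptions: pppd's "client server secret ip" line format, and that the
# script configured the L2TP server name as "l2tpd". Both the path and the
# server name can be overridden so the functions can run on a scratch copy.
CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"
PPP_SERVER="${PPP_SERVER:-l2tpd}"

# user_exists NAME -> 0 if NAME already has an entry (comment lines ignored).
user_exists() {
    awk -v u="$1" '$1 !~ /^#/ && $1 == u { f=1 } END { exit !f }' \
        "$CHAP_SECRETS" 2>/dev/null
}

# add_user NAME PASSWORD: reject empty or whitespace-containing fields and
# duplicate names, then append. "*" lets pppd hand out any pool address.
add_user() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: add_user NAME PASSWORD" >&2; return 1
    fi
    case "$1$2" in *[[:space:]]*)
        echo "name and password must not contain whitespace" >&2; return 1 ;;
    esac
    if user_exists "$1"; then
        echo "user $1 already exists" >&2; return 1
    fi
    printf '%s\t%s\t%s\t*\n' "$1" "$PPP_SERVER" "$2" >> "$CHAP_SECRETS"
    # The file stores secrets in plaintext: keep it readable by root only.
    chmod 600 "$CHAP_SECRETS"
}

# del_user NAME: rewrite the file without NAME's line(s), preserving mode 600.
del_user() {
    user_exists "$1" || { echo "user $1 not found" >&2; return 1; }
    tmp="$CHAP_SECRETS.tmp.$$"
    awk -v u="$1" '!($1 !~ /^#/ && $1 == u)' "$CHAP_SECRETS" > "$tmp" &&
        chmod 600 "$tmp" && mv "$tmp" "$CHAP_SECRETS"
}

# list_users: print usernames only; never echo the secrets column.
list_users() {
    awk '$1 !~ /^#/ && NF >= 3 { print $1 }' "$CHAP_SECRETS"
}
```

Changes to chap-secrets take effect for new connections; existing sessions are not affected.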
Other notes:
- After installation is complete, the script will automatically start the process and enable it to start on boot.
- The script will modify the iptables or firewalld rules.
- During script installation, the installation log is written in real time to the /root/l2tp.log file. If the installation fails, you can use this file to find error messages.
Commands:
- ipsec status (check IPSec running status)
- ipsec verify (check IPSec verification results)
- /etc/init.d/ipsec start|stop|restart|status (for use on CentOS6)
- /etc/init.d/xl2tpd start|stop|restart|status (for use on CentOS6)
- systemctl start|stop|restart|status ipsec (for use on CentOS7)
- systemctl start|stop|restart|status xl2tpd (for use on CentOS7)
- service ipsec start|stop|restart|status (Debian/Ubuntu only)
- service xl2tpd start|stop|restart (Debian/Ubuntu only)
Update Log
Update on April 18, 2016
Current test results on Debian 7 show that compiling libreswan fails because the versions of libnss3 and libnspr4 are too old. A temporary solution is to use dpkg to install the deb packages for libnss3_3.17.2 and libnspr4_4.10.7, then try again.
Reference link: https://libreswan.org/wiki/3.14_on_Debian_Wheezy
Update on April 19, 2016
Fixed the issue on Debian 7 where compiling libreswan failed because the versions of libnss3 and libnspr4 were too old.
Update on April 22, 2016
Fixed the issue on Ubuntu 16.04 where commands such as ipsec verify could not be used because the python command was missing by default.
Update on April 25, 2016
When installing under the Vultr Debian 7 system template, the package libcurl4-nss-dev may produce dependency errors, as follows:
- The following packages have unmet dependencies:
- libcurl4-nss-dev : Depends: libldap2-dev but it is not going to be installed
- Depends: librtmp-dev but it is not going to be installed
And libldap2-dev and librtmp-dev in turn depend on several other packages. In short, the final dependency relationships are as follows:
- libldap2-dev : Depends: libldap-2.4-2 (= 2.4.31-2+deb7u1) but 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1 is to be installed
- librtmp-dev : Depends: libgnutls-dev but it is not going to be installed
- libgnutls-dev : Depends: libp11-kit-dev (>= 0.4) but it is not going to be installed
- libp11-kit-dev : Depends: libp11-kit0 (= 0.12-3) but 0.20.7-1~bpo70+1 is to be installed
So the solution is to first uninstall the bottom-level dependency package libp11-kit0, and then install libcurl4-nss-dev.
- apt-get -y remove libp11-kit0
- apt-get -y --no-install-recommends install libcurl4-nss-dev
Then just run the script to install it.
Update on June 10, 2016
After the script finishes installing, several new commands are available for managing users:
- l2tp -a Add a user
- l2tp -d Delete a user
- l2tp -l List all users
- l2tp -h Display help information
Update on August 05, 2016
Upgraded libreswan to version 3.18.
Update on September 12, 2016
Fixed the libevent2 dependency issue on CentOS 6;
Added a -m option to modify the password of an existing user.
Other VPN tutorials:
- One-click PPTPD VPN installation script for all CentOS versions
- Centos/Debian one-click PPTP/L2TP script tutorial
- CentOS/Debian/Ubuntu one-click IPSEC/IKEV2 VPN script
This article is reprinted from TeddySun: https://teddysun.com/448.html