Applicable environment for this script:
Supported systems: CentOS6+, Debian7+, Ubuntu12+
Memory requirement: ≥128M
Updated on: September 12, 2016
One-click L2TP/IPSec installation script for all CentOS/Debian/Ubuntu systems
About this script:
Terminology is explained below
L2TP (Layer 2 Tunneling Protocol)
IPSec (Internet Protocol Security)
IKEv2 (Internet Key Exchange v2)
On Linux there are currently three common IPsec implementations:
openswan, libreswan, and strongswan.
libreswan is a fork of openswan, and openswan has largely disappeared
from current distributions; some setups use strongswan instead.
The one-click L2TP installation script was updated because, as the Linux
distributions evolved, the original script no longer worked on current releases.
This script implements IPsec by compiling and installing the latest libreswan (on CentOS 7
everything is installed via yum), installs xl2tpd with yum or apt-get,
and then adds firewall rules in whichever way the distribution expects.
Before you begin:
This tutorial involves SSH operations. If you are not familiar with them, you need to read this article first: Detailed beginner's guide to using the Linux SSH connection tool Putty
A VPS based on OpenVZ virtualization needs TUN/TAP enabled in order to work.
Before buying a VPS, ask the provider whether TUN/TAP can be enabled.
Correction: an OpenVZ VPS also needs IPsec support in the host node's kernel.
In other words, if the host kernel does not support it, there is nothing you can do except move to another
VPS.
Installing this script on an OpenVZ-based VPS is therefore
generally not recommended. If the script detects that the VPS runs on OpenVZ,
it prints a warning.
How can you check whether the TUN module is supported?
Check the PPP/TUN environment
First, check whether TUN and PPP are enabled on the VPS.
- cat /dev/net/tun
It must return:
- cat: /dev/net/tun: File descriptor in bad state
Then run:
- cat /dev/ppp
It must return:
- cat: /dev/ppp: No such device or address
These error messages are the expected results: they show that the device nodes exist and that the kernel answers them. If the output differs from the results shown above, contact your VPS provider to enable the devices.
The script also performs this check during installation, and tells you if the VPS is not suitable.
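The same check, scripted so it can run from a provisioning script instead of being read off the terminal. This is an added example and is not part of teddysun's l2tp.sh; the device paths default to /dev/net/tun and /dev/ppp but are parameters, and the "denied" category for EPERM/EACCES is an assumption about what a locked-down container returns.

```shell
#!/bin/sh
# Added example (not part of l2tp.sh): classify the TUN and PPP device nodes
# the way the manual check above does.
#
# Reading a usable TUN node fails with "File descriptor in bad state" (EBADFD)
# and reading a usable PPP node fails with "No such device or address" (ENXIO);
# those error strings are the *success* signals. A missing node, a permission
# error, or a read that succeeds means the kernel or container does not
# provide the device.

# classify_dev PATH EXPECTED_ERROR_TEXT -> prints one of: ok missing denied unexpected
classify_dev() {
    dev="$1"
    want="$2"
    [ -e "$dev" ] || { echo missing; return 0; }
    # A regular file or directory at this path is not a device node at all.
    [ -c "$dev" ] || { echo unexpected; return 0; }
    # Capture cat's stderr and drop its stdout. On a working node the read
    # fails immediately, so this does not block. "|| true" keeps the check
    # alive under set -e, because the read is expected to fail.
    msg=$(cat "$dev" 2>&1 >/dev/null) || true
    case "$msg" in
        *"$want"*)                                          echo ok ;;
        *"Permission denied"*|*"Operation not permitted"*)  echo denied ;;
        *)                                                  echo unexpected ;;
    esac
}

# check_vpn_devices [TUN_PATH] [PPP_PATH]
# Prints one line per device and returns 0 only if both are usable.
check_vpn_devices() {
    tun_dev="${1:-/dev/net/tun}"
    ppp_dev="${2:-/dev/ppp}"
    rc=0
    tun=$(classify_dev "$tun_dev" "File descriptor in bad state")
    ppp=$(classify_dev "$ppp_dev" "No such device or address")
    echo "TUN ($tun_dev): $tun"
    echo "PPP ($ppp_dev): $ppp"
    [ "$tun" = ok ] || rc=1
    [ "$ppp" = ok ] || rc=1
    if [ "$rc" -ne 0 ]; then
        echo "TUN/PPP not usable: ask the provider to enable them or switch VPS." >&2
    fi
    return "$rc"
}

# Command-line use: sh check_vpn_devices.sh [TUN_PATH] [PPP_PATH]
# (hypothetical file name; with no arguments the defaults are checked)
if [ "$#" -gt 0 ]; then
    check_vpn_devices "$@"
fi
```

Run it as root before running l2tp.sh; a non-zero exit means the same thing as the article's "contact your VPS provider".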
Usage:
After logging in as the root user, run the following commands:
- wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh
- chmod +x l2tp.sh
- ./l2tp.sh
After execution, the following interactive prompts appear:
- Please input IP-Range:
- (Default Range: 192.168.18):
- # Enter the local IP range (the private address range assigned to clients after they connect to the VPS). Pressing Enter directly uses the default value 192.168.18.
- Please input PSK:
- (Default PSK: teddysun.com):
- # PSK means pre-shared key, the secret that every client must supply when connecting. Pressing Enter directly uses the default value teddysun.com. Do not keep this default on a real server: it is printed in this article and in the script, so anyone can use it. Choose a long random value of your own.
- Please input Username:
- (Default Username: teddysun):
- # Username is the name of the first user account. Pressing Enter directly uses the default value teddysun.
- Please input teddysun's password:
- (Default Password: Q4SKhu2EXQ):
- # Enter the user's password. By default a random 10-character password of uppercase and lowercase letters and digits is generated; you can also specify your own.
- ServerIP:your_server_main_IP
- # Displays the main IP of your VPS (if the VPS has multiple IPs, only one is shown)
- Server Local IP:192.168.18.1
- # Displays the local IP of your VPS (the default is fine)
- Client Remote IP Range:192.168.18.2-192.168.18.254
- # Displays the client IP range
- PSK:teddysun.com
- # Displays the PSK
- Press any key to start...or Press Ctrl+c to cancel
- # Press any key to continue. To cancel the installation, press Ctrl+c.
After the installation completes, the script runs the ipsec verify command and prints the following:
- If there are no [FAILED] above, then you can connect to your L2TP VPN Server with the default Username/Password is below:
- ServerIP:your_server_IP
- PSK:your PSK
- Username:your username
- Password:your password
- If you want to add users, please modify /etc/ppp/chap-secrets and add it.
- Welcome to visit https://teddysun.com/448.html
- Enjoy it!
If you want to add users, you can manage them with the following commands:
- l2tp -a Add a user
- l2tp -d Delete a user
- l2tp -l List all users
- l2tp -m Change a user's password
- l2tp -h Display help information
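Both the script's closing message and the l2tp -a/-d/-l/-m commands above work on the same file, /etc/ppp/chap-secrets. The following is an added example of managing that file directly; it is not the project's l2tp command. It assumes the pppd chap-secrets line format (client, server, secret, IP), that pppd is started with the server name l2tpd (the `name` option in the xl2tpd pppd options; adjust PPP_NAME if yours differs), and it takes the file path from SECRETS so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example (not the l2tp command installed by the script): manage L2TP
# users in the pppd chap-secrets file.
#
# chap-secrets line format (pppd):   client   server   secret   IP-addresses
#   client  - the VPN username (quoted if it contains special characters)
#   server  - the name pppd is started with (its `name` option); "*" = any
#   secret  - the password, stored in clear text, so the file must be 0600
#   IP      - "*" lets the client take any address from the pool
#
# SECRETS and PPP_NAME are parameters. The real file is /etc/ppp/chap-secrets;
# the server name l2tpd is an assumption and must match the pppd `name` option.
SECRETS="${SECRETS:-/etc/ppp/chap-secrets}"
PPP_NAME="${PPP_NAME:-l2tpd}"

# gen_password -> 10 characters from [A-Za-z0-9], like the script's default
gen_password() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 10
    echo
}

# list_users -> one username per line (comments and blank lines skipped)
list_users() {
    [ -f "$SECRETS" ] || return 0
    awk '$1 !~ /^#/ && NF >= 3 { n = $1; gsub(/"/, "", n); print n }' "$SECRETS"
}

# user_exists NAME -> exit 0 if NAME has an entry
user_exists() {
    [ -f "$SECRETS" ] || return 1
    awk -v u="$1" '$1 !~ /^#/ && NF >= 3 { n = $1; gsub(/"/, "", n); if (n == u) f = 1 }
                   END { exit !f }' "$SECRETS"
}

# add_user NAME [PASSWORD] -> appends an entry and prints the password used
add_user() {
    name="$1"
    pass="${2:-$(gen_password)}"
    case "$name" in ""|*[!A-Za-z0-9._-]*)
        echo "add_user: invalid username '$name'" >&2; return 2 ;;
    esac
    case "$pass" in ""|*'"'*|*[[:space:]]*)
        echo "add_user: password must be non-empty with no quotes or whitespace" >&2; return 2 ;;
    esac
    if user_exists "$name"; then
        echo "add_user: user '$name' already exists" >&2; return 1
    fi
    if [ ! -f "$SECRETS" ]; then
        : > "$SECRETS"
        chmod 600 "$SECRETS"
    fi
    printf '"%s" %s "%s" *\n' "$name" "$PPP_NAME" "$pass" >> "$SECRETS"
    echo "$pass"
}

# del_user NAME -> rewrites the file without NAME's entry (atomic replace)
del_user() {
    user_exists "$1" || { echo "del_user: no such user '$1'" >&2; return 1; }
    tmp=$(mktemp "$SECRETS.XXXXXX") || return 1
    awk -v u="$1" '$1 !~ /^#/ { n = $1; gsub(/"/, "", n); if (n == u) next } { print }' \
        "$SECRETS" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$SECRETS"
}

# mod_password NAME [PASSWORD] -> replaces the entry and prints the new password
mod_password() {
    del_user "$1" && add_user "$1" "$2"
}

# Command-line use (hypothetical file name l2tp-users.sh):
#   sh l2tp-users.sh add NAME [PASS] | del NAME | list | mod NAME [PASS]
if [ "$#" -gt 0 ]; then
    case "$1" in
        add)  add_user "$2" "$3" ;;
        del)  del_user "$2" ;;
        list) list_users ;;
        mod)  mod_password "$2" "$3" ;;
        *)    echo "usage: $0 add NAME [PASS] | del NAME | list | mod NAME [PASS]" >&2; exit 2 ;;
    esac
fi
```

pppd reads chap-secrets when each connection authenticates, so changes take effect for the next login without restarting xl2tpd. Because the secrets are in clear text, keep the file owned by root with mode 0600, which is why the functions replace it atomically and re-apply that mode rather than editing it in place.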
Other notes:
- After installation is complete, the script starts the services and enables them to start on boot.
- The script modifies the iptables or firewalld rules.
- During installation, the log is written in real time to /root/l2tp.log. If the installation fails, look there for error messages.
Commands:
- ipsec status (check the IPsec running status)
- ipsec verify (check the IPsec verification results)
- /etc/init.d/ipsec start|stop|restart|status (CentOS 6)
- /etc/init.d/xl2tpd start|stop|restart|status (CentOS 6)
- systemctl start|stop|restart|status ipsec (CentOS 7)
- systemctl start|stop|restart|status xl2tpd (CentOS 7)
- service ipsec start|stop|restart|status (Debian/Ubuntu only)
- service xl2tpd start|stop|restart (Debian/Ubuntu only)
Update Log
Update on April 18, 2016
Current test results on Debian 7 show that compiling libreswan fails because the versions of libnss3 and libnspr4
are too low. The temporary solution is to install the deb packages for libnss3_3.17.2 and libnspr4_4.10.7 with dpkg and then try again.
Reference link: https://libreswan.org/wiki/3.14_on_Debian_Wheezy
Update on April 19, 2016
Fixed the issue on Debian 7 where compiling libreswan failed because the versions of libnss3 and libnspr4
were too low.
Update on April 22, 2016
Fixed the issue on Ubuntu 16.04 where commands such as ipsec
verify could not be used because the python command was missing by default.
Update on April 25, 2016
When installing under the Vultr Debian 7 system template, the package libcurl4-nss-dev
may encounter dependency errors, as follows:
- The following packages have unmet dependencies:
- libcurl4-nss-dev : Depends: libldap2-dev but it is not going to be installed
- Depends: librtmp-dev but it is not going to be installed
And libldap2-dev and librtmp-dev
in turn depend on several other packages. In short, the final dependency chain is as follows:
- libldap2-dev : Depends: libldap-2.4-2 (= 2.4.31-2+deb7u1) but 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1 is to be installed
- librtmp-dev : Depends: libgnutls-dev but it is not going to be installed
- libgnutls-dev : Depends: libp11-kit-dev (>= 0.4) but it is not going to be installed
- libp11-kit-dev : Depends: libp11-kit0 (= 0.12-3) but 0.20.7-1~bpo70+1 is to be installed
So the solution is to first remove the lowest-level package in the chain, libp11-kit0,
and then install libcurl4-nss-dev:
- apt-get -y remove libp11-kit0
- apt-get -y --no-install-recommends install libcurl4-nss-dev
Then run the script to install as usual.
Update on June 10, 2016
After the installation is complete, the script adds several new commands for managing users
- l2tp –a Add a user
- l2tp –d Delete a user
- l2tp –l List all users
- l2tp –h Display help information
Update on August 05, 2016
Upgraded libreswan to version 3.18.
Update on September 12, 2016
Fixed the libevent2 dependency issue on CentOS 6;
Added a -m option to modify the password of an existing user.