One-Click Script to Set Up an L2TP/IPsec VPN Server

Environments supported by this script:

Supported systems: CentOS6+, Debian7+, Ubuntu12+

Memory requirement: ≥128M

Updated on: September 12, 2016

About this script:

Terminology is explained below

L2TP (Layer 2 Tunneling Protocol)

IPSec (Internet Protocol Security)

IKEv2 (Internet Key Exchange v2)

At present there are three widely used IPsec implementations on Linux: openswan, libreswan, and strongswan.

libreswan is a fork of openswan, so openswan has basically disappeared from current distributions. Of course, some also use strongswan.

The reason for updating the one-click L2TP installation script is that as Linux distributions continue to evolve, the original script no longer meets current needs.

This script implements IPSec by compiling and installing the latest version of libreswan (on CentOS7, everything is installed via yum), installs xl2tpd via yum or apt-get, and then deploys firewall rules according to the usage differences among distributions.

Before you begin:

This tutorial involves SSH operations. If you are not familiar with them, you should read this article first: Detailed beginner's guide to using the Linux SSH connection tool Putty

VPS instances based on OpenVZ virtualization technology need TUN/TAP enabled in order to work properly. Before purchasing a VPS, please check with the provider whether TUN/TAP can be enabled.

Correction: A VPS virtualized with OpenVZ must have kernel support for IPSec. In other words, if the host server’s kernel does not support it, there is no solution other than switching to another VPS.

Therefore, installing this script on an OpenVZ VPS is generally not recommended. If the script detects that the VPS uses the OpenVZ architecture, it will display a warning.

How do you check whether the TUN module is supported?

Check the PPP/TUN environment

First, check whether the TUN and PPP device nodes are available on the VPS.

  cat /dev/net/tun

The returned result must be:

  cat: /dev/net/tun: File descriptor in bad state

This particular error is the good outcome: it means the device node exists and the kernel driver answered the open. "No such file or directory" means TUN is not available.

Run:

  cat /dev/ppp

The return must be:

  cat: /dev/ppp: No such device or address

Again, this error is the expected result. If either command returns something else (typically "No such file or directory" on an OpenVZ container), please contact your VPS provider to enable TUN/PPP.

Of course, the script will also perform a check during installation, and if the environment is not suitable for installation, the script will provide a prompt.
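The two checks above, turned into a script that classifies the result instead of relying on eyeballing the error text. This is an added example, not code from the original page or from teddysun's script; the OpenVZ detection (/proc/vz present but /proc/bc absent inside a container) is an assumption based on a common heuristic, not something the page states.

```shell
#!/bin/sh
# Added example: probe /dev/net/tun and /dev/ppp the way the text describes
# and classify cat's diagnostic. Not part of the original page or l2tp.sh.

# Map cat's diagnostic for a device node to a verdict.
# "File descriptor in bad state" (/dev/net/tun) and "No such device or
# address" (/dev/ppp) are the expected, good results: the node exists and
# the kernel driver answered. "No such file or directory" means the node
# is absent, which is what an OpenVZ container without TUN/PPP shows.
classify_dev_msg() {
    case "$1" in
        *"File descriptor in bad state"*|*"No such device or address"*)
            echo available ;;
        *"No such file or directory"*|*"No such device"*)
            echo missing ;;
        *"Permission denied"*)
            echo denied ;;
        *)
            echo unknown ;;
    esac
}

# Run cat against a device and classify what it says. stdin comes from
# /dev/null and both streams are captured, so nothing is left hanging.
probe_dev() {
    classify_dev_msg "$(cat "$1" 2>&1 </dev/null)"
}

# Exit status 0 only if both devices answer. The OpenVZ test is a
# heuristic (assumption): containers see /proc/vz but not /proc/bc.
check_vpn_env() {
    tun=$(probe_dev /dev/net/tun)
    ppp=$(probe_dev /dev/ppp)
    echo "TUN: $tun"
    echo "PPP: $ppp"
    if [ -d /proc/vz ] && [ ! -d /proc/bc ]; then
        echo "WARNING: OpenVZ container detected; IPsec needs support in the host kernel"
    fi
    [ "$tun" = available ] && [ "$ppp" = available ]
}

# Usage: sh check_env.sh check
case "${1:-}" in check) check_vpn_env ;; esac
```

Run it before buying time on the script: a "missing" verdict for either device is the case the text says has no fix other than changing VPS.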

Usage:

After logging in as the root user, run the following commands:

  wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh
  chmod +x l2tp.sh
  ./l2tp.sh

Note that --no-check-certificate disables TLS certificate verification for the download. Because the script is then executed as root, it is safer to leave verification on (update the ca-certificates package if the download fails on an old system) and to read through l2tp.sh before running it.

After execution, the following interactive interface will appear:

  Please input IPRange:
  (Default Range: 192.168.18):
  # Enter the local IP range here (the private address range assigned to your computer after it connects to the VPS). Press Enter to use the default value 192.168.18.

  Please input PSK:
  (Default PSK: teddysun.com):
  # PSK means pre-shared key, the key every client must present when connecting. Press Enter to use the default value teddysun.com. The default is published on this page, so anyone can use it; choose your own long random PSK for a server reachable from the Internet.

  Please input Username:
  (Default Username: teddysun):
  # Username is the first default user. Press Enter to use the default value teddysun.

  Please input teddysun's password:
  (Default Password: Q4SKhu2EXQ):
  # Enter the user password. By default a random 10-character password containing uppercase and lowercase letters and digits is generated, but you can also specify your own.

  ServerIP:your_server_main_IP
  # Displays the primary IP of your VPS (if your VPS has multiple IPs, only one is shown)

  Server Local IP:192.168.18.1
  # Displays the local IP of your VPS (the default is fine)

  Client Remote IP Range:192.168.18.2-192.168.18.254
  # Displays the IP range

  PSK:teddysun.com
  # Displays the PSK

  Press any key to start...or Press Ctrl+c to cancel
  # Press any key to continue. If you want to cancel the installation, press Ctrl+c.
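The download and the prompts above, done with the supply-chain and secret hygiene a practitioner would want: TLS verification stays on, the script is hashed and compared with a digest obtained separately before anything is executed as root, and the PSK and password are generated randomly instead of taking the defaults. This is an added example, not part of the original page or of l2tp.sh. It assumes sha256sum or shasum and wget or curl are installed, and the digest in the usage comment is a placeholder, not a known hash of l2tp.sh; the script on the page only takes the PSK and password interactively, so the generated values are pasted at the prompts.

```shell
#!/bin/sh
# Added example (not from the page or teddysun's script): verified fetch of
# the installer plus random secrets for the PSK and password prompts.

sha256_of() {
    # coreutils sha256sum on Linux; shasum where it is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when the file's digest equals the expected one.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# $1 random characters drawn from [A-Za-z0-9] using /dev/urandom.
rand_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Download $1 to $3 with certificate checking left on, then verify it
# against digest $2. A mismatch deletes the file so it cannot be run.
fetch_installer() {
    url=$1
    expected=$2
    out=$3
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$out" "$url" || return 1
    else
        curl -fsSL -o "$out" "$url" || return 1
    fi
    if ! verify_sha256 "$out" "$expected"; then
        echo "digest mismatch for $out, refusing to run it" >&2
        rm -f "$out"
        return 1
    fi
    chmod 0700 "$out"
}

# Usage (the all-zero digest is a placeholder; replace it with the hash of
# the copy of l2tp.sh you reviewed):
#   fetch_installer https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh \
#       0000000000000000000000000000000000000000000000000000000000000000 ./l2tp.sh && ./l2tp.sh
# Values to paste at the prompts:
#   rand_secret 32; echo    # PSK
#   rand_secret 20; echo    # password of the first user
```

Pinning a digest only helps if it was obtained through a different path than the download itself, for example by reading the script in a browser session and hashing what was reviewed; otherwise it merely confirms that the same bytes arrived twice.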

After the installation is complete, the script will run the ipsec verify command and display the following prompt:

  If there are no [FAILED] above, then you can connect to your
  L2TP VPN Server with the default Username/Password is below:

  ServerIP:your_server_IP
  PSK:your PSK
  Username:your username
  Password:your password

  If you want to add users, please modify
  /etc/ppp/chap-secrets and add it.
  Welcome to visit https://teddysun.com/448.html
  Enjoy it!

If you want to add users, you can manage them with the following commands:

  l2tp -a    Add a user
  l2tp -d    Delete a user
  l2tp -l    List all users
  l2tp -m    Change a user's password
  l2tp -h    Show help information
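The user commands above and the /etc/ppp/chap-secrets edit the installer mentions, shown as a small user manager over the chap-secrets file. This is an added example, not the l2tp helper the script installs. The server name l2tpd in the second column is an assumption and must match the name option in the ppp options file xl2tpd uses; the file path comes from $SECRETS, so the functions can be tried on a temporary file before touching the real one.

```shell
#!/bin/sh
# Added example, not the script's l2tp command: manage users in pppd's
# chap-secrets file. Line format: client  server  secret  IP-addresses.
# SERVER=l2tpd is an assumption; it must equal the "name" option in the
# ppp options file used by xl2tpd on your server.
SECRETS=${SECRETS:-/etc/ppp/chap-secrets}
SERVER=${SERVER:-l2tpd}

user_exists() {
    awk -v u="$1" '$1 !~ /^#/ && $1 == u { found = 1 } END { exit !found }' "$SECRETS" 2>/dev/null
}

list_users() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1 }' "$SECRETS"
}

add_user() {
    # Whitespace or '#' in a name or password would corrupt the file.
    case "$1" in ""|*[[:space:]#]*) echo "invalid username" >&2; return 1 ;; esac
    case "$2" in ""|*[[:space:]#]*) echo "invalid password" >&2; return 1 ;; esac
    if user_exists "$1"; then echo "user $1 already exists" >&2; return 1; fi
    # The file holds cleartext passwords: create it root-only if missing.
    if [ ! -e "$SECRETS" ]; then : > "$SECRETS" && chmod 600 "$SECRETS"; fi
    printf '%s\t%s\t%s\t*\n' "$1" "$SERVER" "$2" >> "$SECRETS"
}

del_user() {
    user_exists "$1" || { echo "no such user $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Rewrite through cat so the 0600 mode of the original file is kept.
    awk -v u="$1" '!($1 !~ /^#/ && $1 == u)' "$SECRETS" > "$tmp" && cat "$tmp" > "$SECRETS"
    rm -f "$tmp"
}

set_password() {
    del_user "$1" && add_user "$1" "$2"
}

# pppd reads chap-secrets on each authentication, so no restart is needed.
# Usage: sh l2tp-users.sh add alice 'pass' | del alice | list | passwd alice 'new'
case "${1:-}" in
    add)    add_user "$2" "$3" ;;
    del)    del_user "$2" ;;
    list)   list_users ;;
    passwd) set_password "$2" "$3" ;;
esac
```

Whatever tool edits this file, keep it mode 600 and owned by root: every password in it is stored in cleartext, which is inherent to CHAP.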

Other notes:

  1. After installation is complete, the script will automatically start the process and enable it to start on boot.
  2. The script will modify the iptables or firewalld rules.
  3. During script installation, the installation log will be written in real time to the /root/l2tp.log file. If the installation fails, you can use this file to find error messages.
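The firewall note above says the script modifies iptables or firewalld, but not which rules. Below is an added example of an iptables rule set for an L2TP/IPsec server; it is not the rule set l2tp.sh writes (the page does not show that). It assumes iptables rather than firewalld, the script's default client range 192.168.18.0/24, and a public interface name supplied as the second argument. It adds one hardening step the text does not mention: UDP 1701 (L2TP) is accepted only when the packet arrived inside an IPsec SA, so a client cannot negotiate unencrypted L2TP with the server.

```shell
#!/bin/sh
# Added example, not the rules written by l2tp.sh: iptables rules for an
# L2TP/IPsec server. $1 = client range (CIDR), $2 = public interface.
# IKE on UDP 500, NAT-T on UDP 4500, L2TP on UDP 1701 only inside IPsec.
l2tp_rules() {
cat <<EOF
-A INPUT -i $2 -p udp --dport 500 -j ACCEPT
-A INPUT -i $2 -p udp --dport 4500 -j ACCEPT
-A INPUT -i $2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -i $2 -p udp --dport 1701 -j DROP
-A FORWARD -s $1 -j ACCEPT
-A FORWARD -d $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
EOF
}

# Enable forwarding and append the rules in order: the DROP for bare 1701
# must come after the policy-matched ACCEPT. Word-splitting of $line is
# intended, each line is one iptables argument list.
apply_l2tp_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    l2tp_rules "$1" "$2" | while read -r line; do
        iptables $line || exit 1
    done
}

# Usage: sh l2tp-fw.sh show [range] [iface]   prints the rules
#        sh l2tp-fw.sh apply [range] [iface]  applies them (root)
case "${1:-}" in
    show)  l2tp_rules "${2:-192.168.18.0/24}" "${3:-eth0}" ;;
    apply) apply_l2tp_rules "${2:-192.168.18.0/24}" "${3:-eth0}" ;;
esac
```

The rules are appended, so on a host with an existing policy they take effect only if no earlier rule already drops the traffic; compare with iptables -S INPUT and iptables -t nat -S after applying. Rules added this way do not survive a reboot unless saved with the distribution's iptables persistence mechanism.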

Commands:

  ipsec status    (check IPSec running status)
  ipsec verify    (check IPSec verification results)
  /etc/init.d/ipsec start|stop|restart|status    (for use on CentOS 6)
  /etc/init.d/xl2tpd start|stop|restart|status    (for use on CentOS 6)
  systemctl start|stop|restart|status ipsec    (for use on CentOS 7)
  systemctl start|stop|restart|status xl2tpd    (for use on CentOS 7)
  service ipsec start|stop|restart|status    (Debian/Ubuntu only)
  service xl2tpd start|stop|restart    (Debian/Ubuntu only)

Update Log

Update on April 18, 2016

Current test results on Debian 7 show that compiling libreswan fails because the versions of libnss3 and libnspr4 are too old. A temporary solution is to use dpkg to install the deb packages for libnss3_3.17.2 and libnspr4_4.10.7, then try again.

Reference link: https://libreswan.org/wiki/3.14_on_Debian_Wheezy

Update on April 19, 2016

Fixed the issue on Debian 7 where compiling libreswan failed because the versions of libnss3 and libnspr4 were too old.

Update on April 22, 2016

Fixed the issue on Ubuntu 16.04 where commands such as ipsec verify could not be used because the python command was missing by default.

Update on April 25, 2016

When installing under the Vultr Debian 7 system template, the package libcurl4-nss-dev may produce dependency errors, as follows:

  The following packages have unmet dependencies:
   libcurl4-nss-dev : Depends: libldap2-dev but it is not going to be installed
                      Depends: librtmp-dev but it is not going to be installed

And libldap2-dev and librtmp-dev in turn depend on several other packages. In short, the final dependency relationships are as follows:

  libldap2-dev : Depends: libldap-2.4-2 (= 2.4.31-2+deb7u1) but 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1 is to be installed
  librtmp-dev : Depends: libgnutls-dev but it is not going to be installed
  libgnutls-dev : Depends: libp11-kit-dev (>= 0.4) but it is not going to be installed
  libp11-kit-dev : Depends: libp11-kit0 (= 0.12-3) but 0.20.7-1~bpo70+1 is to be installed

So the solution is to first uninstall the bottom-level dependency package libp11-kit0, and then install libcurl4-nss-dev:

  apt-get -y remove libp11-kit0
  apt-get -y --no-install-recommends install libcurl4-nss-dev

Then just run the script to install it.

Update on June 10, 2016

After the script finishes installing, several new commands have been added for managing users

  l2tp -a    Add a user
  l2tp -d    Delete a user
  l2tp -l    List all users
  l2tp -h    Display help information

Update on August 05, 2016

Upgraded libreswan to version 3.18.

Update on September 12, 2016

Fixed the libevent2 dependency issue on CentOS 6;

Added a -m option to modify the password of an existing user.



This article is reprinted from TeddySun: https://teddysun.com/448.html
