Red Green Repeat Adventures of a Spec Driven Junkie

Setting up VPN the Easy Way

I wanted to get a L2TP VPN set up quickly and found a way to get a Linux server going with minimal effort.

Normally, setting up a VPN server correctly would take time and testing.

The Unicorn in Captivity

I have found a way to create a VPN in minutes using a script that automates the complex server configuration.

In this article, I go over how to use that script, add users to the VPN server, and how to configure the iOS client using the credentials.

Why?

There are reasons for using a VPN server. If you do not know why you would want to use one, you probably do not need one.

If you do know why you want a VPN server, then this article will provide an easy way to set up a VPN server.

Requirements

To follow along, ensure:

  • An Internet-connected Linux server. I am using Ubuntu 18.04 Bionic Beaver at home; a server at a cloud provider would be perfect.
  • The server must be reachable from the Internet with UDP ports 500 and 4500 open. IPsec uses these ports for key exchange and NAT traversal.

Getting Started

When you can log into the server, from the command line of the server, run:

$ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh

This script will install and configure the system as an L2TP/IPsec VPN server. You can ignore most of the on-screen output…

BUT the important item is at the end of the process, where the script prints the VPN server credentials:

Server IP: 127.0.0.78
IPsec PSK: KmY8ZYXATMFifBCdBgTK
Username: vpnuser
Password: nFGybHvNF5e7wHBd

The script generates these credentials and the VPN client requires them.

The only item whose name does not match the VPN client fields is the IPsec PSK, which VPN clients usually call the “shared secret”. Enter every other item into the VPN client as is.

For example, this is how to enter the above information on the iOS VPN configuration page.

iOS VPN client entry

Adding Another User

Having every user of the VPN share the same account is dangerous, so here is how to create another user.

  • Edit two files: the chap-secrets file and the IPsec passwd file. The entry format for each is slightly different.

  • After editing each file, restart the VPN service.

Adding user to chap-secrets

The chap-secrets file has user information in the following format:

# User entry format
"<username>" l2tpd "<password_in_plaintext>" <IP addresses>

So, to add a new user named “andrew” with the password “supersecretpassword”, the entry in the chap-secrets file would be:

# entry for user andrew
"andrew" l2tpd "supersecretpassword" *

Adding user to ipsec.d/passwd

The IPsec user file has the following format:

<username>:<hashed password>:xauth-psk

To create a hashed password, use the openssl program (the option is -1, the digit one, which selects the MD5-based crypt scheme):

$ openssl passwd -1 "password"
$1$Gyv4uver$S3SVtjP8wjzf5OvPEFUp30

Note that the output is different each time, even for the same password, because openssl picks a fresh random salt (the part between the second and third $). Any of these outputs is valid.

The password hashed into the /etc/ipsec.d/passwd file must be the same password as in the user's chap-secrets entry.

Example

So, to add the “andrew” user from above to the /etc/ipsec.d/passwd file, the process is:

First, create a hashed password:

$ openssl passwd -1 "supersecretpassword"
$1$RfR4vvQd$Dmp7PuVbcXWbSLkQx2BIa/

Copy the hash and add this entry to the /etc/ipsec.d/passwd file:

andrew:$1$RfR4vvQd$Dmp7PuVbcXWbSLkQx2BIa/:xauth-psk

Restart VPN service

For these changes to take effect, restart the service:

$ service xl2tpd restart
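Because the two files are edited by hand and the hash in /etc/ipsec.d/passwd looks different on every run of openssl, a typo in one file is easy to miss until a user cannot connect. The script below is an added example, not code from this post or from the setup-ipsec-vpn project: it parses both file layouts shown above (the quoted "user" l2tpd "password" form of chap-secrets and the user:hash:xauth-psk form of ipsec.d/passwd) and reports, per user, whether the plaintext in chap-secrets actually verifies against the hash in ipsec.d/passwd. It assumes the hashes are in the MD5-crypt ($1$salt$digest) scheme that openssl passwd -1 emits, and reimplements that scheme in md5crypt() so the check runs without calling openssl. The sample file contents and salts at the bottom are constructed for the demonstration.

```python
"""Cross-check L2TP/IPsec users in chap-secrets against ipsec.d/passwd.

Added example, not code from the post or the setup-ipsec-vpn project. Assumes
the two file layouts shown in the post and the MD5-crypt scheme ($1$salt$digest)
that `openssl passwd -1` emits; md5crypt() reimplements that scheme."""
import hashlib
import hmac
import shlex

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    out = ""                             # crypt(3) base-64, low 6 bits first
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """MD5-crypt ($1$) as produced by `openssl passwd -1`."""
    pw, salt = password.encode(), salt[:8]   # at most 8 salt characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                              # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                    # stretching rounds
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    digest = ""                              # permute bytes, then encode
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        digest += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    digest += _to64(final[11], 2)
    return f"$1${salt}${digest}"


def verify_md5crypt(password, hashed):
    """True if `hashed` ($1$salt$digest) was derived from `password`."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), hashed)


def parse_chap_secrets(text):
    """username -> plaintext password; fields may be quoted, # starts a comment."""
    users = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            users[fields[0]] = fields[2]
    return users


def parse_ipsec_passwd(text):
    """username -> hash from user:hash:xauth-psk lines."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and not parts[0].startswith("#"):
            users[parts[0]] = parts[1]
    return users


def check_consistency(chap_text, passwd_text):
    """Per user: "ok", "mismatch", or which file the user is missing from."""
    chap, psk = parse_chap_secrets(chap_text), parse_ipsec_passwd(passwd_text)
    report = {}
    for user in sorted(set(chap) | set(psk)):
        if user not in psk:
            report[user] = "missing from ipsec.d/passwd"
        elif user not in chap:
            report[user] = "missing from chap-secrets"
        else:
            report[user] = "ok" if verify_md5crypt(chap[user], psk[user]) else "mismatch"
    return report


# Constructed sample files (salts chosen here, not from the post): andrew is
# consistent, bob's password was mistyped in one file, carol is in one file only.
SAMPLE_CHAP = '''# client  server  secret  IP addresses
"andrew" l2tpd "supersecretpassword" *
"bob" l2tpd "bobs-password" *
"carol" l2tpd "carols-password" *
'''
SAMPLE_PASSWD = (
    f"andrew:{md5crypt('supersecretpassword', 'Zq8sPx1L')}:xauth-psk\n"
    f"bob:{md5crypt('bobs-pasword', 'Tk3mWn7a')}:xauth-psk\n"
)

if __name__ == "__main__":
    for user, status in check_consistency(SAMPLE_CHAP, SAMPLE_PASSWD).items():
        print(f"{user}: {status}")
```

On a real server you would read /etc/ppp/chap-secrets and /etc/ipsec.d/passwd into the two text arguments and run the check after every edit and before restarting the service; a "mismatch" means the two files disagree on that user's password, which is exactly the error the manual two-file procedure invites.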

Client connect

To have the “andrew” user connect to the VPN server, fill out the VPN client form as:

Client Entry form filled

After entering the details, hit Connect and voilà!

Conclusion

Setting up an L2TP VPN server was trivial using the script provided by https://github.com/hwdsl2/setup-ipsec-vpn.

Adding users to the VPN server is not straightforward: it requires modifying two different files, each in its own format.

Configuring clients to use the VPN server is easy: just fill in the fields with the credentials.

Thanks to spz.io’s article, which helped a great deal in learning about setting up an L2TP VPN server and adding user entries.