L2TP/IPsec VPN Server Setup
Complete guide to setting up an L2TP/IPsec VPN server with strong authentication and encryption
🚀 Quick Installation
Use our automated script for the fastest setup:
Terminal
wget https://git.io/vpnsetup -O vpnsetup.sh
sudo sh vpnsetup.sh
The script configures L2TP/IPsec with secure defaults. Read the downloaded script before running it as root, and if the short link no longer resolves, fetch the script from the project's own repository instead. For manual setup, continue reading below.
1 System Preparation
Update System & Install Dependencies
Terminal
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan libcharon-extra-plugins libstrongswan-extra-plugins xl2tpd ppp -y
`libcharon-extra-plugins` provides the eap-mschapv2 plugin the IKEv2 connection below relies on, and `ppp` (not the `ppp-dev` headers) is the daemon xl2tpd hands each session to.
Enable IP Forwarding
Terminal
sudo tee /etc/sysctl.d/99-vpn.conf >/dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sudo sysctl --system
A dedicated file under /etc/sysctl.d, rather than lines appended to /etc/sysctl.conf, keeps the settings from being duplicated if the commands are run twice. Forwarding is what lets the server route client traffic; disabling ICMP redirects stops the kernel from advertising routes to VPN clients.
2 Configure StrongSwan (IPsec)
IPsec Configuration
Create the main IPsec configuration file. Parameters inside a section must be indented or strongSwan rejects the file, and `YOUR_SERVER_IP` is the public address clients dial. The `ikev2-vpn` connection is optional and only works once a server certificate and key exist under /etc/ipsec.d/certs and /etc/ipsec.d/private (issuing them is not covered here); remove it if you only need L2TP/IPsec.
/etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

# Optional: native IKEv2 clients, server authenticated by certificate, users by EAP-MSCHAPv2
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # must match a subjectAltName in server-cert.pem
    leftid=@YOUR_SERVER_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

# L2TP/IPsec: IKEv1 with a pre-shared key, transport mode protecting UDP/1701
conn L2TP-PSK
    keyexchange=ikev1
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR_SERVER_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
IPsec Secrets
Configure the pre-shared key and user credentials. Generate the PSK rather than choosing it (for example with `openssl rand -base64 32`); every L2TP client shares it, so rotate it whenever a user leaves. The `: RSA` line names the server key in /etc/ipsec.d/private and belongs with the optional IKEv2 connection.
/etc/ipsec.secrets
# PSK for L2TP (shared by all L2TP/IPsec clients)
YOUR_SERVER_IP %any : PSK "YOUR_STRONG_PSK_HERE"
# User credentials for IKEv2 EAP-MSCHAPv2
username1 : EAP "password1"
username2 : EAP "password2"
# RSA private key for the server certificate (only needed for conn ikev2-vpn)
: RSA server-key.pem
The file holds cleartext secrets; keep it root-owned with mode 600 (`sudo chmod 600 /etc/ipsec.secrets`), and run `sudo ipsec rereadsecrets` after editing it while strongSwan is running.
3 Configure xl2tpd (L2TP)
xl2tpd Configuration
The `name` value is the server name pppd looks up in chap-secrets, so it must be identical in both files. The `ip range` is the address pool for L2TP clients and must not overlap the IKEv2 pool (10.10.10.0/24).
/etc/xl2tpd/xl2tpd.conf
[global]
port = 1701
[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
PPP Options
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
# Only accept MS-CHAPv2; PAP sends the password in the clear inside the L2TP session
require-mschap-v2
refuse-pap
crtscts
idle 1800
mtu 1280
mru 1280
lock
connect-delay 5000
# Detect dead peers: an LCP echo every 30 s, give up after 4 missed replies
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/xl2tpd.log
4 User Authentication
CHAP Secrets
Configure user credentials for L2TP authentication. The second column must equal `name = l2tpd` from xl2tpd.conf, and the file is cleartext, so keep it root-owned with mode 600 (`sudo chmod 600 /etc/ppp/chap-secrets`). pppd re-reads it on every authentication, so no restart is needed after adding a user.
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
username1 l2tpd password1 *
username2 l2tpd password2 *
5 Firewall Configuration
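Adding a user means touching both secret files with the same credentials and leaving them at mode 600. The helper below is an added example written for this guide (it is not part of the page's script or of strongSwan/xl2tpd); it assumes the file layouts shown above and `name = l2tpd` in xl2tpd.conf, takes the file paths as parameters so it can be exercised against scratch copies, and generates the password itself so nobody picks a weak one. The server address in demo() is a constructed placeholder.

```python
"""Provision one VPN account in both secret files used by this setup."""
import os
import re
import secrets
import stat
import tempfile

L2TP_SERVER_NAME = "l2tpd"   # must equal `name = ...` in /etc/xl2tpd/xl2tpd.conf
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")
PASSWORD_BYTES = 18          # token_urlsafe(18) -> 24 characters, 144 bits of entropy


def generate_password():
    """Random password containing no quotes or whitespace, safe for both files."""
    return secrets.token_urlsafe(PASSWORD_BYTES)


def existing_users(path, kind):
    """Usernames already present. kind is "chap" (chap-secrets) or "eap" (ipsec.secrets).

    For ipsec.secrets only `user : EAP "pw"` lines count, so the PSK and RSA
    lines of the file shown in the guide are ignored.
    """
    users = set()
    if not os.path.exists(path):
        return users
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            tokens = raw.strip().split()
            if not tokens or tokens[0].startswith("#"):
                continue
            if kind == "chap" and len(tokens) >= 3:
                users.add(tokens[0].strip('"'))
            elif kind == "eap" and len(tokens) >= 4 and tokens[1:3] == [":", "EAP"]:
                users.add(tokens[0].strip('"'))
    return users


def _append_0600(path, line):
    """Append a line, creating the file with mode 0600 and forcing 0600 afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def add_vpn_user(username, chap_path, ipsec_path, password=None):
    """Add the account to both files and return the password to hand to the user."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid username {username!r}")
    if username in existing_users(chap_path, "chap") or username in existing_users(ipsec_path, "eap"):
        raise ValueError(f"user {username!r} already exists")
    password = generate_password() if password is None else password
    if not password or '"' in password or any(ch.isspace() for ch in password):
        raise ValueError("password must be non-empty and contain no quotes or whitespace")
    # chap-secrets: client server secret IP; pppd accepts a double-quoted secret.
    _append_0600(chap_path, f'{username} {L2TP_SERVER_NAME} "{password}" *')
    # ipsec.secrets: same credentials for the IKEv2 EAP-MSCHAPv2 connection.
    _append_0600(ipsec_path, f'{username} : EAP "{password}"')
    return password


def demo():
    """Run the provisioning flow in a scratch directory and report the outcomes."""
    workdir = tempfile.mkdtemp(prefix="vpn-secrets-")
    chap = os.path.join(workdir, "chap-secrets")
    ipsec = os.path.join(workdir, "ipsec.secrets")
    # Constructed starting content mirroring the ipsec.secrets shown in the guide.
    with open(ipsec, "w", encoding="utf-8") as fh:
        fh.write('203.0.113.10 %any : PSK "YOUR_STRONG_PSK_HERE"\n: RSA server-key.pem\n')
    password = add_vpn_user("alice", chap, ipsec)
    outcome = {
        "password_length": len(password),
        "chap_users": sorted(existing_users(chap, "chap")),
        "eap_users": sorted(existing_users(ipsec, "eap")),
        "chap_mode": stat.S_IMODE(os.stat(chap).st_mode),
        "ipsec_mode": stat.S_IMODE(os.stat(ipsec).st_mode),
        "duplicate_rejected": False,
        "bad_name_rejected": False,
    }
    try:
        add_vpn_user("alice", chap, ipsec)          # same user twice
    except ValueError:
        outcome["duplicate_rejected"] = True
    try:
        add_vpn_user("bob smith", chap, ipsec)      # whitespace in the name
    except ValueError:
        outcome["bad_name_rejected"] = True
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as root against the real paths (`add_vpn_user(name, "/etc/ppp/chap-secrets", "/etc/ipsec.secrets")`) and follow up with `sudo ipsec rereadsecrets`; pppd needs nothing, since it reads chap-secrets on every authentication. Note that the ipsec.secrets file in demo() starts out world-readable and ends up at 0600, which is the fix the troubleshooting section asks for.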
Configure UFW
Terminal
sudo ufw allow 22/tcp
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw allow 1701/udp
sudo ufw --force enable
UDP 1701 has to be open because decrypted L2TP packets traverse the INPUT chain again after ESP decapsulation, but on its own that rule also accepts L2TP that never went through IPsec, exposing the PPP authentication exchange to anyone on the internet. Refuse such packets with an iptables policy match evaluated ahead of UFW's allow rule: add `-A ufw-before-input -p udp --dport 1701 -m policy --dir in --pol none -j DROP` to the `*filter` section of /etc/ufw/before.rules, directly after the chain declarations (before the conntrack ESTABLISHED rule), then run `sudo ufw reload`. Packets that were decapsulated from an IPsec SA carry a policy and are not matched by `--pol none`.
NAT Rules
UFW drops forwarded packets by default, so set `DEFAULT_FORWARD_POLICY="ACCEPT"` in /etc/default/ufw. Put the masquerade rules where UFW loads them at boot instead of relying on iptables-persistent (which is not installed above and would compete with UFW for the ruleset): add this block at the top of /etc/ufw/before.rules, above the `*filter` line, replacing eth0 with the interface that holds the default route (`ip route show default`).
/etc/ufw/before.rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
Terminal
sudo ufw reload
6 Start Services
Terminal
sudo systemctl enable --now strongswan-starter xl2tpd
sudo systemctl status strongswan-starter xl2tpd
sudo ipsec statusall
On older releases (Ubuntu 18.04, for example) the ipsec.conf-driven unit is named `strongswan` rather than `strongswan-starter`; `systemctl list-units 'strongswan*'` shows which one you have. `ipsec statusall` must list both connections as loaded before any client tries to connect.
📱 Client Configuration
Windows/macOS/iOS
- Server: YOUR_SERVER_IP
- Type: L2TP/IPsec
- Pre-shared Key: YOUR_PSK
- Username/Password: As configured, with MS-CHAP v2 selected as the authentication method
Android
- VPN Type: L2TP/IPsec PSK
- Server Address: YOUR_SERVER_IP
- IPsec Pre-shared Key: YOUR_PSK
- Username/Password: As configured
Windows clients behind NAT fail with error 809 until the DWORD `AssumeUDPEncapsulationContextOnSendRule` is set to 2 under `HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent` and the machine is rebooted. Android 12 and later no longer ship the built-in L2TP/IPsec client; those devices need the IKEv2 connection instead.
🔧 Troubleshooting
Connection Issues
- Check that both services are running: sudo systemctl status strongswan-starter xl2tpd
- Verify the firewall allows UDP 500, 4500 and 1701, and that forwarding and NAT are in place (`sudo ufw status verbose`, `sudo iptables -t nat -S POSTROUTING`)
- Watch the logs while a client connects: sudo journalctl -u strongswan-starter -f and sudo tail -f /var/log/xl2tpd.log
- `sudo ipsec statusall` shows whether IKE completed; if the SA is established but L2TP never starts, the fault is after IPsec (xl2tpd, pppd or the 1701 rule), not in the PSK
Authentication Problems
- Verify the PSK matches on server and client (run `sudo ipsec rereadsecrets` after editing ipsec.secrets)
- Check the username/password in chap-secrets, and that its second column equals the `name` in xl2tpd.conf
- Ensure /etc/ipsec.secrets and /etc/ppp/chap-secrets are owned by root with mode 600