By ShanS
Hi everyone, I’m having a hard time finding a complete guide on how to set up an IPsec/L2TP VPN on Ubuntu with shared-key authentication, meaning I don’t want to use a certificate for authentication but a preshared key, username and password. The reason I don’t want to use a certificate is that I’m going to set this up for our workgroup, and passing certificates around is just not comfortable.
Here’s a basic guide on how to set up an IPsec/L2TP VPN using a preshared key, username and password for authentication. We’ll use a combination of xl2tpd for L2TP, strongSwan for IPsec, and pppd for user authentication.
Before starting, make sure your system is up-to-date.
```bash
sudo apt-get update
sudo apt-get upgrade
```
Install required software.
Install xl2tpd, strongSwan and ppp:
```bash
sudo apt-get install strongswan xl2tpd ppp lsof
```
Configure IPsec.
Open /etc/ipsec.conf with a text editor and add the following configuration:
```
config setup
    uniqueids=never

conn %default
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
    dpdaction=clear

conn l2tp-psk
    # L2TP/IPsec runs in IPsec transport mode; without this line strongSwan
    # defaults to tunnel mode and standard L2TP clients will fail to connect
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
```
In the ipsec.secrets file add your shared key:
```bash
sudo nano /etc/ipsec.secrets
```
Add the following line (replace YOUR_SHARED_KEY with your actual shared key):
```
: PSK "YOUR_SHARED_KEY"
```
Configure xl2tpd.
Open /etc/xl2tpd/xl2tpd.conf with a text editor and add the following configuration:
```
[global]
port = 1701

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
Configure pppd for user authentication.
Open /etc/ppp/options.xl2tpd with a text editor and add the following configuration:
```
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
```
In the chap-secrets file (/etc/ppp/chap-secrets) add your users in the following format (replace username and password with actual values):
```
# client   server   secret     IP addresses
username   *        password   *
```
Configure firewall and forwarding rules.
You will need to adjust your firewall and forwarding rules to allow VPN traffic. Here’s a sample setup for UFW:
```bash
sudo nano /etc/ufw/before.rules
```
Add the following rules at the top of the file:
```
# START L2TP/IPsec RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from VPN clients out through eth0 (change to the interface you discovered!)
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# END L2TP/IPsec RULES
```
Then open the IKE and NAT-T ports (UDP only; L2TP itself travels inside the IPsec tunnel):
```bash
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
```
Restart services.
Finally, restart the services to apply the changes:
```bash
sudo service strongswan restart
sudo service xl2tpd restart
```
This configuration assumes your local network for VPN users is 192.168.1.0/24. Please adjust the IP addresses according to your actual needs.
Remember to test your VPN with multiple network configurations and clients to make sure it works properly.
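As an added example (not part of the answer above, and not a strongSwan or xl2tpd tool), here is a POSIX shell audit of the credential files this setup creates: it checks that ipsec.secrets and chap-secrets are mode 600, that the PSK is long enough to resist guessing, that MS-CHAPv2 is required, and that no chap-secrets entry has an empty password. It assumes GNU stat and the paths used above; the 20-character PSK minimum and the script name are this check's own choices.

```sh
#!/bin/sh
# Post-install audit for the L2TP/IPsec PSK setup above (added example; GNU stat assumed).
# Checks credential-file permissions, PSK length, MS-CHAPv2 enforcement and empty CHAP secrets.

# psk_length FILE -> length of the quoted PSK on the ': PSK "..."' line (0 if absent)
psk_length() {
    psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    printf '%s' "$psk" | wc -c | tr -d ' '
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, with a BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# chap_weak_entries FILE -> number of active chap-secrets lines whose secret field is ""
chap_weak_entries() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $3 == "\"\"" { n++ } END { print n + 0 }' "$1"
}

# vpn_psk_audit [ETC_DIR] -> prints one line per finding; return value is the number of
# failed checks (0 = all good). ETC_DIR defaults to /etc. The 20-character PSK minimum
# is this script's own threshold, not something strongSwan enforces.
vpn_psk_audit() {
    etc=${1:-/etc}
    fails=0
    for f in "$etc/ipsec.secrets" "$etc/ppp/chap-secrets"; do
        mode=$(file_mode "$f")
        [ "$mode" = "600" ] || { echo "FAIL: $f is mode $mode, expected 600"; fails=$((fails + 1)); }
    done
    len=$(psk_length "$etc/ipsec.secrets")
    [ "$len" -ge 20 ] || { echo "FAIL: PSK is only $len chars; use a long random key"; fails=$((fails + 1)); }
    grep -q '^require-mschap-v2' "$etc/ppp/options.xl2tpd" \
        || { echo "FAIL: options.xl2tpd does not require MS-CHAPv2"; fails=$((fails + 1)); }
    weak=$(chap_weak_entries "$etc/ppp/chap-secrets")
    [ "$weak" -eq 0 ] || { echo "FAIL: $weak chap-secrets entries have an empty password"; fails=$((fails + 1)); }
    echo "checks failed: $fails"
    return "$fails"
}

# Usage: sudo sh vpn-psk-audit.sh --check [ETC_DIR]   (script name is a constructed placeholder)
case "${1:-}" in
    --check) vpn_psk_audit "${2:-/etc}" ;;
esac
```

Run it as root after the restart step so it can read the secrets files; a non-zero exit status means at least one check failed.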