VPN Setup
VPN Setup
Making a VPN Server
Credits to OnlyCS for the original Kajig and awsame for the
Prerequisites
To make a VPN server, you will need:
- A VPS running Ubuntu 20.04 (DigitalOcean Recommended)
- A chromebook for testing
- Forwarded Ports
- 22
- 500
- 4500
- 53
- Basic Knowledge of Linux
- downloading files online with
wget - modifying files on terminal
- ssh/sftp
- installing packages with
apt - basic knowledge of commands like
ls,cd, etc
- downloading files online with
Installing and Configuring
Make sure ports 500 and 4500 are enabled and run sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
Next, make sure to backup /etc/ipsec.conf and then open it in vim or nano
Replace the contents of the file with
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
authby=secret
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=YOUR_SERVER_IP_HERE
leftsubnet=0.0.0.0/0
leftauth=psk
right=%any
rightid=%any
rightsourceip=10.10.10.0/24
rightdns=YOUR_SERVER_IP_HERE
rightauth=psk
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
backup /etc/ipsec.secrets and replace its contents with:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: PSK "SOME_PASSWORD1!"
Firewall & IP Routing
run these four commands:
sudo ufw allow OpenSSH
sudo ufw allow 500,4500/udp
sudo ufw allow 5
sudo ufw enable
Then run ip route show default. You should get default via [your_server_ip] dev [device] proto static
Keep note of the text where I have left device. This could be something like eth0 or wlan0
Edit /etc/ufw/before.rules
Above *filter, insert (replacing DEVICE_HERE with your device name):
*nat
-A POSTROUTING -s 10.10.10.0/24 -o DEVICE_HERE -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o DEVICE_HERE -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o DEVICE_HERE -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
Below the *filter section (below :ufw-not-local - [0:0]):
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
In /etc/ufw/sysctl.conf, bottom of the file
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1
Restart ufw with:
sudo ufw disable
sudo ufw enable
Finally, start the vpn server
sudo systemctl enable strongswan-starter
sudo systemctl start strongswan-starter
DNS Server with Pi-Hole
First, Install Pi-Hole:
curl -sSL https://install.pi-hole.net | bash
Make 1.1.1.1 (Cloudflare's DNS) the upstream and enable the Web UI/Admin Panel
In your Browser, go to the server IP. Port 80 should be open.
Open the filter list: This is where we block URLs Click the Regex Filter button
There are many regex filters, and they can be found here. Make sure to convert these to Regex to use them, as they are in Adguard format. Here is an example of some links in Regex format:
(\.|^)goguardian\.com$
(\.|^)securly\.com$
In the Admin Panel, go to Settings > DNS > Interface Settings Select permit all origins Scroll to bottom and hit save
Troubleshooting
If you're having trouble go to discord.gg/unblock and look for the making your own vpn server kajig for assistance.
A common error that occurs is that your VPN will connect but you will have no internet connection. In this case, try: sudo iptables -I FORWARD 1 -j ACCEPT
Connecting with a Chromebook
Go to chrome://flags and enable the ikev2 VPN flag
Then open network settings and add a network connection
Click built in vpn
Click provider then ipsec (ikev2)
Click Authentication Type > Pre-Shared Key
Click server hostname, then put the IP address
Click the Pre-Shared Key and put the value you added in for the password in ipsec.secrets
In local identity put your name or anything else
And in remote identity put the server and click Connect.