hwdsl2 / setup-ipsec-vpn
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

License: Other

Shell 100.00%
cisco-ipsec docker encryption ikev2 ipsec l2tp libreswan linux network raspberry-pi security vpn vpn-client vpn-server

setup-ipsec-vpn's Issues

CentOS 7: ss and web services unusable after reboot

I'm using CentOS 7; after installing the VPN, neither ss nor the web service can be reached.
No firewall is enabled on the system.

systemctl status iptables

● iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
[root@localhost ~]# systemctl start iptables
Failed to start iptables.service: Unit iptables.service failed to load: No such file or directory.

systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)

Looking at the install script's source, there is a /etc/sysconfig/iptables rule file present.
Next I looked at

vi /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure

Normally this should only apply to ssh, shouldn't it?
I'm puzzled by this problem; could you help me explain it?

Can't connect VPN after server stop/reboot

Hi,
I use EC2 as a VPN server and have configured it with this script smoothly, but I've noticed that after the instance has been stopped I can no longer connect to the VPN. Are there any special commands that could make the settings permanent?

Connection with Fedora 24

Is it possible to connect Fedora with the VPN?
I can't find anywhere how I can connect with Linux.

Blacklisting hosts on the VPN server

Is there a way to block hosts from being accessed via the VPN? I know it can be done by changing the DNS but it's a very heavy fix.

I am trying to add "Adblock" functionality to this VPN for my iPhone.

Dnsmasq and /etc/hosts file

I have followed this guide successfully and have a working VPN connection. Now with this server setup on Digital Ocean, I've uploaded a /etc/hosts file to help filter a lot of unwanted domains. When using the server itself, it filters the domains. However, when I use my client to connect to the server, the domains are still accessible on the client.

Is there a way block domains via the /etc/hosts file, or something similar, on the client as well when connected to the server? Do I need to setup Dnsmasq, Squid, or something else to accomplish this?

Let me know if you need any clarification. I don't know if I asked the question in the right way.

Docker support

It might be great if docker is supported.
Will you consider to port it? Thanks.

Can't access to ssh or web server after installing the vpn

Hello,

I have a problem: after installing this script, the ssh server is unreachable ("Operation timed out"), but I can ping the server and connect to it with the VPN.

Other services like the web server or ftp are unreachable too.

What can I do?

I'm running Debian 8.

Random disconnects from vpn

As I browse on my iPad (have had this issue before on other devices) the vpn just disconnects randomly. I was wondering if this may be related to the session time and if so, how can I increase the length of a single session time. Thanks.

Installed the latest version, Cisco IPsec can't connect

I'm using Android 6 and Mac OS 10.11; I've already configured the Cisco IPsec settings but still can't connect.
The error message on the Mac is "user authentication failed".
Plain L2TP works fine for me, though.

L2TP and shadowsocks coexistence

I saw the earlier issue, #30.
I ran into the same problem; the relevant information is attached below. Port 3388 is the ss port I use, confirmed working before L2TP was installed. I hope we can solve this problem together.

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 560 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
18 1115 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
12 608 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- eth+ ppp+ 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- ppp+ eth+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ ppp+ 192.168.42.0/24 192.168.42.0/24
0 0 ACCEPT all -- eth+ * 0.0.0.0/0 192.168.43.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * eth+ 192.168.43.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 674 bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 61.51.18.101 0.0.0.0/0 reject-with icmp-port-unreachable
10 560 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 44 packets, 2232 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 178 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2 packets, 178 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth+ 192.168.42.0/24 0.0.0.0/0 to:XX.XX.XX.XX
0 0 SNAT all -- * eth+ 192.168.43.0/24 0.0.0.0/0 policy match dir out pol none to:XX.XX.XX.XX

$ sudo netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 978/sshd
tcp 0 0 XX.XX.XX.XX:3388 0.0.0.0:* LISTEN 1583/python
tcp 0 332 XX.XX.XX.XX:22 211.162.33.131:28595 ESTABLISHED 1702/sshd: ubuntu [
tcp6 0 0 :::22 :::* LISTEN 978/sshd
udp 0 0 127.0.0.1:4500 0.0.0.0:* 7749/pluto
udp 0 0 XX.XX.XX.XX:4500 0.0.0.0:* 7749/pluto
udp 0 0 127.0.0.1:500 0.0.0.0:* 7749/pluto
udp 0 0 XX.XX.XX.XX:500 0.0.0.0:* 7749/pluto
udp 0 0 0.0.0.0:68 0.0.0.0:* 651/dhclient
udp 0 0 0.0.0.0:63124 0.0.0.0:* 651/dhclient
udp 0 0 0.0.0.0:1701 0.0.0.0:* 7767/xl2tpd
udp 0 0 XX.XX.XX.XX:3388 0.0.0.0:* 1583/python
udp6 0 0 :::61828 :::* 651/dhclient
udp6 0 0 ::1:500 :::* 7749/pluto

Use these settings with shadowsocks-libev

Hello,

I've been using this VPN, and it works fine.

However, I would like to build shadowsocks-libev on the same VPS,

and it doesn't work for me; I think there is an iptables settings problem.

Therefore, how could I adjust iptables so that it would work for shadowsocks-server?

FYI:

local port: 1080
server port: 8898

Is it possible to enable IKEv2?

OS: Ubuntu 14.04

If yes, how can I do this?

I tried:(in /etc/ipsec.conf)

conn xauth-psk
  #ikev2=never
  keyexchange=ikev2

but get; (/var/log/syslog/):

Jun 24 01:21:33 unix xl2tpd[29837]: death_handler: Fatal signal 15 received
Jun 24 01:21:34 unix xl2tpd[30198]: setsockopt recvref[30]: Protocol not available
Jun 24 01:21:34 unix xl2tpd[30198]: This binary does not support kernel L2TP.
Jun 24 01:21:34 unix xl2tpd[30199]: xl2tpd version xl2tpd-1.3.6 started on unix PID:30199

Permission denied on Ubuntu 16.04.1 LTS trying to connect

When I run the authentication command
sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX <user> <pass>" > /var/run/xl2tpd/l2tp-control
(replacing the connection name, username, and password), I get the following output:
-bash: /var/run/xl2tpd/l2tp-control: Permission denied

I've verified that I've edited the config files as instructed and have restarted the two services, and that the credentials are valid on a Windows machine.

vpn and shadowsocks coexistence

After running this script to install the VPN, shadowsocks no longer works and receives no connections.
Can these two services be run at the same time?

Dies building Libreswan, Curl issues?

    a - interfaces.o
    Note: Writing ipsec_version.5
    Note: Writing ipsec_trap_count.5
    Note: Writing ipsec_trap_sendcount.5
    In file included from /usr/include/curl/curl.h:35:0,
                     from /opt/src/libreswan-3.17/programs/pluto/fetch.c:27:
    /usr/include/curl/curlrules.h:142:3: error: size of array ‘__curl_rule_01__’ is negative
       __curl_rule_01__
       ^
    make[3]: *** [fetch.o] Error 1
    make[2]: *** [local-base] Error 2
    make[1]: *** [all] Error 2
    make: *** [all] Error 2

    Libreswan 3.17 failed to build. Aborting.

Windows users cannot use it

Hello,
I have successfully installed it on my server, and iOS users can use this VPN. However, when I am using it on Windows, it cannot get through the Chinese Great Firewall. For example, the browser can open 'baidu.com' but 'google.com' cannot be opened.

VPN Host IP Logged When Connecting to Other Resources on LAN

@hwdsl2
I tried the suggestion you made in the gist comments about changing the conn l2tp-psk's leftsubnet from leftsubnet=.../32 with leftsubnet=10.0.0.0/8, restarting the service, and re-connecting, but no luck. If you have other suggestions, I'd love to try them. If not, just let me know and I'll close out the issue. I'm guessing I'll probably have to handle this through some outbound NAT with firewalld.

Thanks again for your help!

ip6tables error

ip6tables-restore v1.4.7: ip6tables-restore: unable to initialize table 'filter'

Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

prcpucfg.h: No such file or directory

Hi,

I'm on ubuntu 12.04 and I'm getting this error. Any idea?

In file included from /opt/src/libreswan-3.17/lib/libswan/alg_info.c:34:0:
/opt/src/libreswan-3.17/include/constants.h:107:45: fatal error: prcpucfg.h: No such file or directory
compilation terminated.
make[3]: *** [alg_info.o] Error 1
make[3]: Leaving directory `/opt/src/libreswan-3.17/OBJ.linux.x86_64/lib/libswan'
make[2]: *** [local-base] Error 2
make[2]: Leaving directory `/opt/src/libreswan-3.17/lib/libswan'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/opt/src/libreswan-3.17/lib'
make: *** [all] Error 2

How to configure Firewalld instead of the iptables in rc.local

@hwdsl2 thanks for your work!
I want to use firewalld instead of iptables. In your script, you use iptables and add it in rc.local. I deleted it! Now I can connect to the VPN server but I cannot surf the Internet. I have already opened the needed ports (500, 4500). I suspect that a NAT setup is missing. I use 'firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source $my_server_ip' ... it seems right after reloading firewalld, but it does not work!!
After a long search and reading the firewalld man page, I still cannot find a way. Could you do me a favour? Thank you!

MacBook access error

On iPhone the VPN works well, but the MacBook can't use it.
I can log in with the MacBook, but the network doesn't work well; I can't reach Google through the VPN from China.

No internet access!

Hello, @hwdsl2
I just installed the VPN service on my VPS (CentOS 6) successfully with your script.
But after I connected to the vpn server, there's no internet access.
Could you help? Thx!

Not connected using Windows client

Hi, I want to thank you for making this super easy VPN server installation for Linux. However, I followed these instructions to set it up in my DigitalOcean droplet using CentOS 6.7, but couldn't connect to it from my Windows client. The installation runs fine; after a fresh install on a new droplet I followed the instructions as written and found no problem.

Then I tried to connect using my Windows 7 with the same credentials I entered in the install script. I have tried to connect using Windows and Android with the same configuration (L2TP/IPsec with PSK) but to no avail. The Windows error says the remote server didn't respond (error 809). I don't know where to look or what to do to trace the problem, because your magic script does all this stuff automatically, hehe. Do you have any suggestions?

Thank you.

Accessing servers on the LAN

Very nice container here... good job.

I got it up and running and connected to it easily. Now that I'm connected (with an IP of 192.168.42.10), how can I communicate with machines on my LAN (192.168.56.x, using a 255.255.255.0 subnet)?

Thanks

Can't connect on Android 6.0

After editing "ipsec.conf" and appending ",aes256-sha2_256" to "ike=" and "phase2alg=" and adding "sha2-truncbug=yes" under section "conn shared", I still can't connect to the server.

Unable to connect after adding new users to chap-secrets

Hi, thanks for a great script! I lately encountered an issue which I tried to solve, but with no success.

I finish the installation and everything works fine with the first predefined user. But then if I edit the chap-secrets file, I'm unable to log in with any user. I have checked and tried everything: file permissions, file content for proper formatting, restarted both services, rebooted, and nothing.

If I edit your script before the installation with the users I need, everything then works fine. But if I edit the chap-secrets file later, nothing works. Do you have any idea what I could be doing wrong? Thanks a lot!

Windows 10 can't

iOS can connect.
The registry entry is confirmed installed, and the computer was restarted several times.
But the following problem still appears.


I can't connect to my VPN server

I pasted auth.log, but I can't figure out the reason. Please help me. I tried to connect with IPsec/XAuth on a Mac computer.

Aug  4 06:00:29  pluto[12425]: last message repeated 12 times
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: 1DES is not encryption
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: 1DES is not encryption
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: no acceptable Oakley Transform
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: sending notification NO_PROPOSAL_CHOSEN to 11.22.33.44:500
Aug  4 06:00:29 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #44: deleting state (STATE_MAIN_R0)
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: responding to Main Mode from unknown peer 11.22.33.44
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Aug  4 06:00:32  pluto[12425]: last message repeated 12 times
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: 1DES is not encryption
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: 1DES is not encryption
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: no acceptable Oakley Transform
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: sending notification NO_PROPOSAL_CHOSEN to 11.22.33.44:500
Aug  4 06:00:32 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #45: deleting state (STATE_MAIN_R0)
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: responding to Main Mode from unknown peer 11.22.33.44
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Aug  4 06:00:36  pluto[12425]: last message repeated 12 times
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: 1DES is not encryption
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: 1DES is not encryption
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: no acceptable Oakley Transform
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: sending notification NO_PROPOSAL_CHOSEN to 11.22.33.44:500
Aug  4 06:00:36 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #46: deleting state (STATE_MAIN_R0)
Aug  4 06:00:56 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #4: deleting state (STATE_MAIN_R1)
Aug  4 06:05:54 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #47: responding to Main Mode from unknown peer 11.22.33.44
Aug  4 06:05:54 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #47: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP2048] refused
Aug  4 06:05:54 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #47: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  4 06:05:54 guest pluto[12425]: "l2tp-psk"[1] 11.22.33.44 #47: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  4 06:05:54 guest pluto[12425]: packet from 11.22.33.44:500: phase 1 message is part of an unknown exchange

Only 1 connection allowed?

Scratch this, it's not working because Android needed some extra configs: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android

Hi

I've installed and used your script to install the VPN software, however it's not working as intended.

The problem is as follows:

When I connect my iPhone to the VPN server via L2TP, the iPhone is connected to the internet via 4G.
When I connect my mate's Android to the VPN server via IPsec XAuth PSK, the Android is connected to the internet via WiFi.

The iPhone connects immediately and when browsing the web, it works perfectly.
The Android however connects immediately as well, but browsing the web does not work at all. It spins for about 30 seconds and then disconnects from the VPN server.

You can see my network interfaces below:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr MAC
          inet addr:IP  Bcast:IP  Mask:255.255.255.255
          inet6 addr: IP/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86415 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40585 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:94054796 (89.6 MiB)  TX bytes:11651368 (11.1 MiB)

ip_vti0   Link encap:IPIP Tunnel  HWaddr   
          NOARP  MTU:1332  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.42.1  P-t-P:192.168.42.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:101162 (98.7 KiB)  TX bytes:232809 (227.3 KiB)

The "problem" with my setup is that eth0's assigned IP is the public IP.
So your script detects the public and private IP as the same.

Is that what causes the problems to connect and do you have any suggestions?

Pinging: @hwdsl2

Hope you can help out.

xauth: multiple clients behind nat

I find myself stuck on a NAT issue. When there are multiple clients behind the same NAT, only the last connected one can connect to the Internet.

Failed to check for empty public IP and/or private IP

A bug was introduced in a previous commit 21629ae on Jan 14, 2016. It removed checks for empty public/private IP strings, in favor of checking against the correct IP regular expression. However, the grep command used in the IP regex checks had an error (the "-v" switch was used instead of negating the exit code). As a result, undefined or empty IP variables would pass the check, which is incorrect.

This bug has been fixed in commit b610351 on Jan 21, 2016. GitHub users @bjzhush and @Geoferry please update your forks to the latest version. Thanks!
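The grep -v mistake described in this report, as an added shell example that is not the project's own code: the buggy check and the corrected check side by side, run over a few constructed inputs. The regex and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from setup-ipsec-vpn. It reproduces the "grep -v"
# mistake described above and shows the corrected form next to it.
# The regex and function names are assumptions for this illustration.

# Dotted-quad IPv4 matcher (each octet 0-255), extended regex for grep -E.
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'

# Buggy check: "grep -v" succeeds only when it finds a NON-matching line.
# An empty string feeds grep no line at all, so -v finds nothing, exits 1,
# and the empty value is wrongly accepted. Returns 0 = accepted.
check_ip_buggy() {
  if printf '%s' "$1" | grep -vEq "$IP_REGEX"; then
    return 1   # a non-matching line exists: reject
  fi
  return 0     # reached for valid IPs AND for empty/undefined values (bug)
}

# Fixed check: require a positive match and let the caller negate the exit
# code ("if ! check_ip_fixed ..."). No input line means no match, so empty
# and undefined values are rejected. Returns 0 = accepted.
check_ip_fixed() {
  printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
}

# Walk a few constructed inputs through both checks and show the difference.
for ip in "" "203.0.113.5" "abc" "256.1.1.1"; do
  if check_ip_buggy "$ip"; then b=accept; else b=reject; fi
  if check_ip_fixed "$ip"; then f=accept; else f=reject; fi
  printf 'input=%-14s buggy=%-7s fixed=%s\n' "\"$ip\"" "$b" "$f"
done
```

Only the empty input separates the two checks: the buggy version accepts it, the fixed version rejects it.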

Compilation failure

I tried the script, but at some point I get this compilation failure

/libreswan-3.16/include -I/opt/src/libreswan-3.16/lib/libcrypto -I/opt/src/libreswan-3.16/linux/include      -DNETKEY_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPFKEY  -DUSE_TWOFISH -DUSE_SERPENT -DKLIPS -DPFKEY    -DUSE_AES -DUSE_3DES -DUSE_SHA2 -DUSE_SHA1 -DUSE_MD5 -DUSE_CAMELLIA   -DXAUTH_HAVE_PAM -DLIBCURL    -DHAVE_LIBCAP_NG -DHAVE_NM -I/usr/include/nss -I/usr/include/nspr     \
        -MMD -MF ./crypt_dbg.d \
        -o ./crypt_dbg.o \
        -c /opt/src/libreswan-3.16/programs/pluto/crypt_dbg.c
/opt/src/libreswan-3.16/programs/pluto/crypt_dbg.c: In function ‘symkey_bytes’:
/opt/src/libreswan-3.16/programs/pluto/crypt_dbg.c:102:2: error: implicit declaration of function ‘PK11_Decrypt’ [-Werror=implicit-function-declaration]
/opt/src/libreswan-3.16/programs/pluto/crypt_dbg.c:102:2: error: nested extern declaration of ‘PK11_Decrypt’ [-Werror=nested-externs]
cc1: all warnings being treated as errors
make[3]: *** [crypt_dbg.o] Error 1
make[3]: Leaving directory `/opt/src/libreswan-3.16/OBJ.linux.x86_64/programs/pluto'
make[2]: *** [local-base] Error 2
make[2]: Leaving directory `/opt/src/libreswan-3.16/programs/pluto'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/opt/src/libreswan-3.16/programs'
make: *** [all] Error 2
Sorry, Libreswan 3.16 failed to build. Aborting.
# uname -a
Linux Debian-78-wheezy-64-minimal 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux

If you need further information please ask. Any hints how to solve this?

Possible to connect multiple VPN clients to each other through the server?

Hi,
I used your script and tutorial to install the VPN server on my public VPS. I'd like to use it to connect to my home server (where I also installed the VPN client according to your tutorial) from other clients.

The issue is that each client creates a separate pppX interface on the server with 255.255.255.255 netmask so server can ping them and they can ping the server, but the clients cannot see each other.

Is there anything I can do to fix this issue, is there a different mode supported by IPSec used to connect the clients to each other?
