Set up VPN on macOS with AWS

PPTP VPN is no longer supported in iOS 10 and macOS Sierra because of security concerns [1]. The alternative protocols are L2TP over IPsec,
IKEv2 and Cisco IPsec. This forces me to update my previous post, Set up VPN on OS X with AWS.

1. Set up VPN on the server-side, AWS

Step 1: Connect to EC2 instance through SSH

$ ssh -i wp_sparkandshine.pem ubuntu@52.68.57.153

Step 2: Download the IPsec VPN Server Auto Setup Scripts [2]

ubuntu@ip-xx-xx-xx-xx:~$ wget https://git.io/vpnsetup -O vpnsetup.sh

Step 3 (Optional): Configure the following fields in vpnsetup.sh

YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''

Step 4: Run the shell script

sudo sh vpnsetup.sh

Done.

2. Set up VPN on the user-side, macOS

Follow the instructions in Configure IPsec/L2TP VPN Clients [3] to set up the IPsec/L2TP VPN client.

Enjoy it :-)

3. Manage VPN Users

Excerpt from Manage VPN Users [4]:

(1) IPsec PSK

The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK.

%any  %any  : PSK "your_ipsec_pre_shared_key"

(2) IPsec/L2TP

For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:

"your_vpn_username_1"  l2tpd  "your_vpn_password_1"  *
"your_vpn_username_2"  l2tpd  "your_vpn_password_2"  *
... ...

(3) Cisco IPsec

For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:

your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
... ...

Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:

# The output will be your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'

(4) Restart service

sudo service ipsec restart
sudo service xl2tpd restart
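The three credential files above each have their own line format, and a typo in any of them silently locks a user out or, worse, leaves a malformed line that another client could match. The following script is an added example, not part of this post or of the VPN setup scripts project: it formats the /etc/ipsec.secrets, /etc/ppp/chap-secrets and /etc/ipsec.d/passwd lines exactly as shown in sections (1) to (3), refuses duplicate or oddly named users, hashes the XAuth password with the same openssl passwd -1 the excerpt uses (read from stdin so the password does not appear in the process list), and restarts the two services from section (4). The file paths default to the real locations but can be overridden through CHAP_SECRETS and XAUTH_PASSWD so the functions can be exercised against scratch files first; those variable names and the function names are this example's own.

```shell
#!/bin/sh
# Added example: manage IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") VPN users
# in the file formats the post describes. Not taken from the VPN setup project.
set -eu

# Real locations by default; override to test against scratch files.
CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"
XAUTH_PASSWD="${XAUTH_PASSWD:-/etc/ipsec.d/passwd}"

# /etc/ipsec.secrets line: %any  %any  : PSK "key"
# Every user shares this key, so it should be long and random
# (e.g. generated with: openssl rand -base64 24).
psk_secrets_line() {
    printf '%%any  %%any  : PSK "%s"\n' "$1"
}

# /etc/ppp/chap-secrets line: "user"  l2tpd  "password"  *
chap_secret_line() {
    printf '"%s"  l2tpd  "%s"  *\n' "$1" "$2"
}

# /etc/ipsec.d/passwd line: user:hashed_password:xauth-psk
xauth_passwd_line() {
    printf '%s:%s:xauth-psk\n' "$1" "$2"
}

# Salted MD5-crypt hash, as in the excerpt (openssl passwd -1). The password is
# fed on stdin instead of argv so it is not visible in `ps` output.
hash_password() {
    printf '%s\n' "$1" | openssl passwd -1 -stdin
}

# Only allow usernames that cannot break either file format (no quotes,
# colons, spaces or shell metacharacters).
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Duplicate checks: first field of /etc/ipsec.d/passwd, quoted first field
# of /etc/ppp/chap-secrets.
xauth_user_exists() {
    [ -f "$XAUTH_PASSWD" ] && cut -d: -f1 "$XAUTH_PASSWD" | grep -qxF "$1"
}
chap_user_exists() {
    [ -f "$CHAP_SECRETS" ] && grep -qF "\"$1\"  l2tpd" "$CHAP_SECRETS"
}

# Append one user to both files and keep them readable by root only.
add_vpn_user() {
    user="$1"
    pass="$2"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    if xauth_user_exists "$user" || chap_user_exists "$user"; then
        echo "user already exists: $user" >&2
        return 1
    fi
    hashed="$(hash_password "$pass")"
    chap_secret_line "$user" "$pass" >> "$CHAP_SECRETS"
    xauth_passwd_line "$user" "$hashed" >> "$XAUTH_PASSWD"
    chmod 600 "$CHAP_SECRETS" "$XAUTH_PASSWD"
}

# Section (4): reload the daemons so the new credentials take effect.
restart_vpn_services() {
    sudo service ipsec restart
    sudo service xl2tpd restart
}

# Usage: sh manage_vpn_user.sh add <username> <password>
if [ $# -eq 3 ] && [ "$1" = "add" ]; then
    add_vpn_user "$2" "$3" && restart_vpn_services
fi
```

Run it as root on the server after the setup script has created the files; point CHAP_SECRETS and XAUTH_PASSWD at temporary files first if you want to see the lines it would write without touching the live configuration.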

References:
[1] Prepare for removal of PPTP VPN before you upgrade to iOS 10 and macOS Sierra
[2] GitHub: IPsec VPN Server Auto Setup Scripts
[3] GitHub: Configure IPsec/L2TP VPN Clients
[4] GitHub: Manage VPN Users
