IPsec VPN Server

Posted: Sun Aug 13, 2017 4:10 pm
by Carnot
DietPi has an OpenVPN server, but it doesn't support Windows, Android or iPhone without a client.
IPsec VPN is the most supported server. Will you put it into DietPi?


Re: IPsec VPN Server

Posted: Sun Sep 09, 2018 5:05 pm
by carlevans459
Try Ivacy, it supports Windows, Linux, Mac and Android. Read the detailed analysis here:

Re: IPsec VPN Server

Posted: Tue Nov 13, 2018 8:49 am
by WarHawk
When OpenVPN creates the .ovpn file...all the included information and keys are included

The hard part is getting that info out into a "network" config in Windows...I think there is a batch file to pull info like that out ... onfigFiles ... n-windows/

Here is the script ...

Re: IPsec VPN Server

Posted: Thu Nov 15, 2018 2:07 pm
by MichaIng
Did you try WireGuard? Seems to be a promising new approach and the next software I am aiming to implement:

Re: IPsec VPN Server

Posted: Fri Mar 29, 2019 5:54 pm
by cdlenfert
I found this thread after using the IPsec VPN server script from the GitHub link the OP shared on a previous Pi (before I came across DietPi).

The script works great on Raspbian Stretch, but fails on DietPi in the Fail2Ban setup. I remembered seeing Fail2Ban as an option for installation via dietpi-software so I thought I'd give that a try. Fail2Ban also fails to install when I use the dietpi-software scripts to install it. Maybe this is because I previously broke something trying to use the setup-ipsec-vpn script?

I'd definitely like to get a similar VPN server running on my DietPi box (Pi 3b) because of the OP's stated reasons. Basically natively supported (no client app) on Mac and iOS devices. I don't fully grasp WireGuard and how that works, and if the end result is the same user experience (because the setup certainly seems more challenging to me).

Anyway, thanks in advance for any nudges in the right direction. If I can get the setup-ipsec-vpn script to work, I'd be totally happy with that, but not sure why I can't get fail2ban installed.

Re: IPsec VPN Server

Posted: Mon May 27, 2019 2:19 am
by MichaIng
Could you paste which exact step failed when installing fail2ban?
apt install fail2ban

Re: IPsec VPN Server

Posted: Mon May 27, 2019 3:46 am
by cdlenfert
Thank you for the response. I have since installed the VPN on another device on my network running Debian, however I think the issue on my DietPi (Raspberry Pi 3b) could have been resolved with the same fix I ended up doing on my other device. Here is an issue I hijacked on the iPSEC VPN script repo - ... -478674824

The fix was:
run this before running the install script:

touch /var/log/auth.log
Just having that auth.log file in place prior to running the script made the installation successful.

Re: IPsec VPN Server

Posted: Mon May 27, 2019 4:02 am
by MichaIng
Ah indeed that was an issue a while ago. However our installer meanwhile includes this step as well.

Re: IPsec VPN Server

Posted: Mon May 27, 2019 11:47 am
by dandymon
Nah, I'm afraid this bug persists as of 10 minutes ago, though I did the fix and it all seems to work fine.

Great work on the scripting - I've wasted HOURS googling and trying to get a simple native solution like this to work on a Pi - and this was an absolute doddle to install. Don't like OpenVPN, do like IPSec.

Also thanks for the fix - it's simple!


Re: IPsec VPN Server

Posted: Mon May 27, 2019 3:55 pm
by MichaIng
Ah yeah our solution is different now:
- We pre-create the /etc/fail2ban/jail.conf to not use /var/log/auth.log for login fail detection but systemd-journald (journalctl), which is always present thus does not depend on rsyslog.
- The install only failed because the default jail.conf shipped by the packages has auth.log detection pre-configured thus requires this file.

So the question now is why this does not work in your case. I just tested on a VM and it works as expected. Did you install the APT package manually prior to the dietpi-software install, or when following the IPsec setup guide? Because we do not override an existing jail.conf, but expect that if this already exists, then it's most likely customised and should have worked before.
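
An added check for the condition discussed in the posts above (not code from DietPi or from the VPN setup script): it lists enabled jails in a fail2ban config that read a log file which does not exist, skipping jails whose backend is systemd. The function name and the sample configs are constructed for illustration, and only literal `logpath` values are handled.

```shell
#!/bin/sh
# Added example: report enabled fail2ban jails that read a log file which is missing.
# Handles literal logpath values only (assumption); no %(...)s interpolation.

# missing_logpaths FILE: print "<jail> <logpath>" for each such jail.
missing_logpaths() {
    awk '
        function flush(   b) {
            b = (backend != "") ? backend : def_backend
            # backend = systemd reads the journal, so logpath is irrelevant there
            if (jail != "DEFAULT" && enabled == "true" && b != "systemd" && logpath != "")
                print jail, logpath
        }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^\[/ {                                     # new [section]
            flush()
            jail = substr($0, 2, index($0, "]") - 2)
            enabled = backend = logpath = ""
            next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "backend" && jail == "DEFAULT") def_backend = val
            else if (key == "backend") backend = val
            else if (key == "logpath") logpath = val
            else if (key == "enabled") enabled = val
        }
        END { flush() }
    ' "$1" | while read -r jail path; do
        [ -e "$path" ] || printf '%s %s\n' "$jail" "$path"
    done
}

demo() {
    d=$(mktemp -d)
    # Constructed sample configs, not DietPi's or the package's actual files
    printf '[sshd]\nenabled = true\nlogpath = %s/auth.log\n' "$d" > "$d/file.conf"
    printf '[DEFAULT]\nbackend = systemd\n[sshd]\nenabled = true\nlogpath = %s/auth.log\n' \
        "$d" > "$d/journal.conf"
    missing_logpaths "$d/file.conf"     # sshd reported: auth.log does not exist
    missing_logpaths "$d/journal.conf"  # nothing: journald backend needs no file
    touch "$d/auth.log"                 # the workaround posted above
    missing_logpaths "$d/file.conf"     # nothing: the file is now present
    rm -rf "$d"
}
demo
```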