The 2 AM Incident and the Linux VPN Challenge
The clock struck 2 AM. My phone buzzed incessantly: ‘The backup server at the datacenter can’t push data, the VPN is down!’ Managing the network for a 50-person office and a small datacenter cluster, this was a routine occurrence for me. The backup server was running Ubuntu Server, headless. Meanwhile, the VPN configuration files sent by the partner came in all sorts of formats.
Setting up a VPN on Linux isn’t as simple as clicking a mouse like on Windows. You have to work directly with routes, interfaces, and annoying checksum errors. To save you from sleepless nights, I’ve compiled how to handle the three most common VPN types: OpenVPN, WireGuard, and IPsec, right from the terminal.
Which ‘Weapon’ Should You Choose for Your System?
Each protocol has its own pros and cons. Choosing the right tool helps the system run stably and saves significant CPU resources.
- WireGuard: Modern and extremely fast. The source code is only about 4,000 lines, whereas OpenVPN exceeds 100,000. If you have the choice, prioritize WireGuard.
- OpenVPN: Flexible and robust. It can run on TCP port 443 to masquerade as HTTPS, helping it bypass the strictest firewalls. The downside is high latency and heavy resource consumption.
- IPsec (StrongSwan): The standard for Enterprise devices like Cisco and Juniper. IPsec configuration is quite complex, but it is mandatory when connecting to large corporate systems.
Real-world Performance Comparison
| Criteria | WireGuard | OpenVPN | IPsec (IKEv2) |
|---|---|---|---|
| Throughput | ~95% network speed | ~60-70% network speed | ~85-90% network speed |
| Complexity | Low | Medium | Very High |
| Kernel Integration | Yes (since v5.6) | No (User space) | Yes |
1. WireGuard: Speed and Simplicity
WireGuard treats the VPN interface like a physical network card. Once configured, it just works, with very few minor issues during operation.
Quick Installation
sudo apt update && sudo apt install wireguard -y
Client Setup
Copy the wg0.conf file from the server to the /etc/wireguard/ directory. A standard file usually looks like this:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = 1.2.3.4:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Activating the Connection
Use the wg-quick tool to initialize the interface:
sudo wg-quick up wg0
Check with the command sudo wg show. If the latest handshake line for the peer shows a time within the last 1-2 minutes, the tunnel is up; if the line is missing, no handshake has completed and the keys, endpoint or firewall are the first things to re-check.
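The handshake check above can be scripted. The following is an added example, not part of the original post: it reads the machine-readable output of wg show wg0 latest-handshakes (one "peer-public-key TAB unix-epoch" line per peer, 0 if that peer never handshaked) and flags peers whose last handshake is older than two minutes. The peer keys and timestamps embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): turn the "latest handshake"
# check into a script. `wg show <iface> latest-handshakes` prints one
# "<peer-public-key><TAB><unix-epoch>" line per peer, with 0 when that
# peer has never completed a handshake.

# handshake_fresh LAST_EPOCH NOW_EPOCH [MAX_AGE_SECONDS]
# Exit 0 if the last handshake is within MAX_AGE (default 120 s), else 1.
handshake_fresh() {
  last=$1; now=$2; max_age=${3:-120}
  [ "$last" -gt 0 ] 2>/dev/null || return 1      # 0 or junk = never handshaked
  [ $(( now - last )) -le "$max_age" ]
}

# check_peers IFACE NOW_EPOCH HANDSHAKE_TEXT
# Prints one status line per peer; exit status = number of stale peers.
check_peers() {
  iface=$1; now=$2; text=$3; stale=0
  tab=$(printf '\t')
  while IFS=$tab read -r key last; do
    [ -n "$key" ] || continue
    if handshake_fresh "$last" "$now"; then
      echo "$iface peer $key: OK, handshake $(( now - last ))s ago"
    else
      echo "$iface peer $key: STALE (latest-handshakes=$last)"
      stale=$(( stale + 1 ))
    fi
  done <<EOF
$text
EOF
  return "$stale"
}

# Constructed sample standing in for `sudo wg show wg0 latest-handshakes`:
# peer A handshaked 40 s before SAMPLE_NOW, peer B never did.
SAMPLE_NOW=1700000000
SAMPLE_HANDSHAKES=$(printf 'PEER_A_PUBKEY=\t1699999960\nPEER_B_PUBKEY=\t0')

if [ "${1:-}" = "--live" ]; then
  # Real check on this host; wg show needs root.
  check_peers wg0 "$(date +%s)" "$(sudo wg show wg0 latest-handshakes)"
else
  check_peers wg0 "$SAMPLE_NOW" "$SAMPLE_HANDSHAKES" ||
    echo "$? peer(s) without a recent handshake"
fi
```

Run it with --live on the VPN client to check the real wg0 interface; without arguments it runs against the constructed sample.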
2. OpenVPN: The Firewall-Bypassing Solution
Many datacenters block all unusual ports, leaving only 80 and 443 open. In these cases, OpenVPN running on TCP port 443 becomes the only lifeline to maintain connectivity.
Installation
sudo apt install openvpn -y
Running OpenVPN as a Service
To ensure the VPN starts automatically with the system, follow these steps:
- Rename the configuration file:
sudo cp client.ovpn /etc/openvpn/client.conf
- Open the /etc/default/openvpn file, find the AUTOSTART="all" line and uncomment it (remove the leading #).
- Start the service:
sudo systemctl enable --now openvpn@client
Note on Routing: If you are connected but cannot ping internal IPs, check the routing table with the ip route command. You might need to add a route manually: sudo ip route add 192.168.1.0/24 dev tun0.
3. IPsec/StrongSwan: Working with Enterprise Devices
Connecting to Cisco or Fortinet routers often requires IPsec. This is the hardest part because a single incorrect encryption parameter will cause the connection to fail.
Installing StrongSwan
sudo apt install strongswan libcharon-extra-plugins -y
IKEv2 Configuration
Edit the /etc/ipsec.conf file. Below is a sample configuration for a connection using EAP (Username/Password):
conn my-vpn
keyexchange=ikev2
dpdaction=clear
eap_identity=business_user
leftauth=eap-mschapv2
left=%defaultroute
leftsourceip=%config
right=vpn.company.com
rightauth=pubkey
rightsubnet=0.0.0.0/0
auto=add
Declare the password in the /etc/ipsec.secrets file: business_user : EAP "your_password".
Troubleshooting: Why is the VPN Connected but there’s no Internet?
This is a common scenario: the VPN status is Connected but you cannot access any websites. Check these three factors:
1. Stuck DNS
Try pinging 8.8.8.8. If the ping is successful but you cannot reach google.com, your DNS is failing. Install the resolvconf package or manually add nameserver 8.8.8.8 to /etc/resolv.conf.
2. Maximum Transmission Unit (MTU)
VPN packets are usually larger than normal because they carry additional encapsulation and encryption headers. If the tunnel MTU is too large, the encapsulated packets exceed the path MTU and intermediate routers drop them. Try reducing the MTU to 1300 to fix this:
sudo ifconfig wg0 mtu 1300
# Or add "mssfix 1300" to the OpenVPN config file
3. IP Forwarding
If you are using this Linux machine as a gateway for other devices, you must enable forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Conclusion
Mastering VPNs on Linux means understanding how data flows through interfaces. WireGuard is always my top priority due to its stability. OpenVPN is an excellent fallback, while IPsec helps you communicate with legacy systems. When troubleshooting, stay calm and check in this order: Interface -> Routing -> DNS -> MTU. Good luck with your configuration!

