Hotel Wi-Fi. Airport lounge. A client's guest network. You're SSH-ing into production or checking email and every packet is naked on someone else's LAN. Commercial VPNs help, but you're trusting a company you've never met — and routing Canadian business traffic through a random exit node in Frankfurt isn't always what you want.
setup-ipsec-vpn by hwdsl2 is the boring, reliable answer. ~28k GitHub stars, a one-line bash installer, and your own IPsec VPN server on a Linux VPS in minutes — IKEv2, IPsec/L2TP, and Cisco IPsec (XAuth). Libreswan under the hood. Works on the phone in your pocket without installing a niche client app.
What it actually does
This isn't a VPN app — it's automation for building a VPN server on Ubuntu, Debian, CentOS/RHEL, Alpine, Raspberry Pi, and most cloud VPS images. Run the script on a server; connect from Windows, macOS, iOS, Android, Chrome OS, or Linux using built-in VPN support.
IKEv2 (recommended). Modern ciphers (AES-GCM), certificate-based auth, MOBIKE for mobile handoffs. The script generates client profiles — .mobileconfig for Apple devices, .p12 for Windows and Linux. Import and connect. No proprietary client required.
IPsec/L2TP. The classic combo — Libreswan for IPsec, xl2tpd for L2TP. Built into older Windows and Android VPN settings. Handy when IKEv2 isn't an option, though Windows behind NAT needs a one-time registry tweak documented in their guides.
Cisco IPsec (XAuth). "Cisco-compatible" mode for clients that speak IPsec with extended authentication — another fallback for picky corporate laptops.
Management scripts. Add VPN users, rotate the pre-shared key, upgrade Libreswan, uninstall cleanly. Random credentials on first install, or set your own via environment variables before running the script.
Why self-host a VPN?
You pick the exit country. Spin the server on a Canadian VPS and your encrypted tunnel terminates in Montreal or Toronto — not wherever NordVPN felt like routing you today. Useful for accessing geo-restricted Canadian services while abroad, or just knowing where your traffic lands.
Your keys, your logs. No third-party VPN provider logging policy to parse. No wondering whether "no logs" means what you think. The server is yours; you decide retention and access.
Remote access to your stack. Same VPS can reach your homelab over a private network, or the VPN server is the gateway into services you don't want on the public internet — Proxmox, internal dashboards, admin panels behind the tunnel.
Works where WireGuard doesn't. hwdsl2 also publishes WireGuard and OpenVPN installers. IPsec/IKEv2 shines when you need native OS VPN support on iPhones and corporate Windows boxes without installing another app. Pick the protocol that fits the device fleet.
Quick install
On a fresh Linux VPS (not your laptop — the README warns about this explicitly):
wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh
The credentials are printed when the script finishes. Open UDP ports 500 and 4500 in your cloud firewall; those are the only ports IPsec needs.
Custom DNS for clients (instead of default Google Public DNS):
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh
Docker image available at hwdsl2/docker-ipsec-vpn-server if you prefer containers. IKEv2 setup and client guides live at vpnsetup.net.
What running it takes
A small VPS handles personal use fine: 1 GB RAM, one CPU, minimal disk. The VPN process itself is light; you're paying for bandwidth and a stable IP. A static IP or a DNS name (vpn.yourdomain.ca) lets client configs survive server rebuilds.
Security basics: use a strong PSK if you're on L2TP (20+ random characters), keep the OS patched, update Libreswan with wget https://get.vpnsetup.net/upg -O vpnup.sh && sudo sh vpnup.sh, and don't reuse the VPN password elsewhere. IKEv2 certificate management is handled by the included ikev2.sh helper.
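A small pre-flight and post-install helper for the two points above (the PSK strength floor and the UDP 500/4500 firewall rule), added here as an example and not part of setup-ipsec-vpn: it generates and sanity-checks a PSK, and parses ss -lun output to confirm both IPsec ports are bound. It assumes POSIX sh with /dev/urandom and awk; VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD are the script's own documented variables, not names from this page.

```shell
#!/bin/sh
# Added example, not part of setup-ipsec-vpn: pre-install PSK hygiene plus a
# post-install check that the IPsec UDP ports are bound. Assumes POSIX sh,
# /dev/urandom and awk; `ss -lun` output is what you feed check_ipsec_ports.

# Generate a random alphanumeric pre-shared key (default 24 chars, above the
# 20-character floor recommended above). Loops because tr discards most bytes.
gen_psk() {
    len="${1:-24}"
    psk=""
    while [ "${#psk}" -lt "$len" ]; do
        psk="${psk}$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$psk" | cut -c1-"$len"
}

# Return 0 only if the PSK is 20+ chars and free of whitespace or quoting
# characters that would break the env-var invocation of vpn.sh.
check_psk() {
    [ "${#1}" -ge 20 ] || return 1
    case "$1" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# Take `ss -lun` output as $1; print "ok" when UDP 500 and 4500 are both
# bound (IPv4 or IPv6), otherwise "missing: <ports>" to point firewall or
# service troubleshooting. Matches the port suffix of the Local Address:Port column.
check_ipsec_ports() {
    missing=""
    for port in 500 4500; do
        printf '%s\n' "$1" | awk -v p="$port" \
            '$1=="UNCONN"{n=split($4,a,":"); if (a[n]==p) f=1} END{exit !f}' \
            || missing="${missing}${missing:+ }${port}"
    done
    if [ -z "$missing" ]; then printf 'ok\n'; else printf 'missing: %s\n' "$missing"; fi
}

# Constructed sample listings (not captured from a real host).
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:500       0.0.0.0:*
UNCONN 0      0            0.0.0.0:4500      0.0.0.0:*
UNCONN 0      0               [::]:500          [::]:*'
SAMPLE_SS_MISSING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:500       0.0.0.0:*'

# Usage on the VPN host (VPN_IPSEC_PSK etc. are the script's documented vars):
#   PSK=$(gen_psk 24) && check_psk "$PSK" && \
#     sudo VPN_IPSEC_PSK="$PSK" VPN_USER=alice VPN_PASSWORD="$(gen_psk 20)" sh vpn.sh
#   check_ipsec_ports "$(ss -lun)"
```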
One IPsec/L2TP limitation: multiple devices behind the same home NAT can't all use L2TP mode simultaneously. Use IKEv2 or XAuth for that scenario — documented in the README.
Who it's for (and who should skip it)
Good fit: freelancers who need Canadian egress on untrusted Wi-Fi, small teams wanting VPN into a self-hosted stack without per-seat SaaS fees, homelabbers who want native mobile VPN without Tailscale's coordination server (though hwdsl2 also has a Headscale installer if you want that path).
Maybe skip it: you need mesh networking between twenty devices with zero config — Tailscale or WireGuard mesh fits better. If you want someone else to operate the infrastructure entirely, a commercial VPN is less ops. This is a script you run on a server you maintain.
Hosting the VPN in Canada
The whole point is controlling where your tunnel lands. We put VPN exit nodes on Canadian VPS and dedicated servers — low-latency Montreal/Toronto routing, static IPs, and firewall help opening the right UDP ports.
Tell us how many users and devices — we'll size a box that won't choke when the whole team connects from the cottage on LTE.