TITIK TEMU .MY.ID


How to Setup IKEv2 VPN Server with Radius Authentication and Let’s Encrypt on Ubuntu 18.04

Introduction

Five years ago, VPNs were reserved for the power users and I.T. departments of large companies.

Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming services like Netflix are geo-restricting content.

Having the ability to set up your own virtual private network server is a skill that can save you a lot of headaches and also some dollars.

IKEv2 is one of the more modern tunneling protocols. It offers strong encryption and a distinctive feature called VPN On Demand, which lets devices stay connected to the VPN even when they change networks.

VPN On Demand is ideal for mobile devices, allowing them to keep the VPN connection alive when switching between Wi-Fi networks, or between Wi-Fi and mobile data.

Because we’re using Let’s Encrypt, the client does not need to download and install a certificate on their machine. This makes the IKEv2 connection ready to use without installing anything on the client.

Step 0 — Update the machine

If the Ubuntu machine is a new one, make sure to update it first:

$ apt-get update

Step 1 — Install StrongSwan

apt-get install -y language-pack-en strongswan libstrongswan-standard-plugins strongswan-libcharon libcharon-standard-plugins libcharon-extra-plugins moreutils iptables-persistent

Step 2 — Generate the Certificate

We’re going to need Let’s Encrypt to generate the certificate used by the IKEV2 connection.

First, let’s install certbot:

apt-get install certbot

Set the key size and the hooks. The pre/post hooks open and close TCP port 80 for the HTTP challenge, and the renew hook fires when the certificate is renewed so that strongSwan picks up the new files. Let’s Encrypt certificates have a 90-day validity.

mkdir -p /etc/letsencrypt
echo 'rsa-key-size = 4096
pre-hook = /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
post-hook = /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini

Generate the certificate and get it ready for strongSwan. Note: the hostname must already resolve to this machine, otherwise the Let’s Encrypt challenge will fail.

certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email your@email.com -d your.domain.com
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/cert.pem /etc/ipsec.d/certs/cert.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/chain.pem /etc/ipsec.d/cacerts/chain.pem

Allow charon to read the Let’s Encrypt archive under AppArmor and reload the profile:

echo "/etc/letsencrypt/archive/YOUR.DOMAIN.COM/* r, " >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload

Step 3 — Setup Iptables

We’re going to use iptables-persistent to save the routing rules.

apt-get install iptables-persistent -y

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -P FORWARD ACCEPT
# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# masquerade VPN traffic over eth0 etc.
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT  # exempt IPsec traffic from masquerading
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

Save the rules:

iptables-save > /etc/iptables/rules.v4

Step 4a — IKEV2 with Radius Auth

Enable forwarding:

echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf
sysctl -p

Point ipsec.secrets at the Let’s Encrypt private key:

echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"
" > /etc/ipsec.secrets

Write the connection definition. Authentication is delegated to the Radius server via eap-radius:

echo "config setup
  strictcrlpolicy=yes
  uniqueids=never

conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@YOUR.DOMAIN.COM
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  # this uses radius authentication
  rightauth=eap-radius
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never
" > /etc/ipsec.conf

Set the Radius server in strongswan.conf:

vim /etc/strongswan.conf

Paste this and replace the placeholders with your Radius server address and shared secret:

charon {
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
    eap-radius {
      accounting = yes
      servers {
        server-a {
          address = YOUR_RADIUS_SERVER_IP
          secret = RADIUS_SECRET!
          auth_port = 1812 # default
          acct_port = 1813 # default
        }
      }
    }
  }
}
include strongswan.d/*.conf

Step 4b — IKEV2 with file stored users

Enable forwarding:

echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf
sysctl -p

Add the user and password to the ipsec.secrets file, one EAP line per user. This step is not necessary when using Radius.

echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"
VPNUSERNAME : EAP \"VPNPASSWORD\"
" > /etc/ipsec.secrets

Write the connection definition. The only difference from the Radius variant is rightauth=eap-mschapv2, which checks the credentials against /etc/ipsec.secrets:

echo "config setup
  strictcrlpolicy=yes
  uniqueids=never

conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@YOUR.DOMAIN.COM
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  # users are stored in /etc/ipsec.secrets
  rightauth=eap-mschapv2
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never
" > /etc/ipsec.conf

For file-stored users there’s no need to edit the strongswan.conf file; the default one works just fine. I’ve added it below as an example.

vim /etc/strongswan.conf

charon {
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}
include strongswan.d/*.conf

Step 5 — Start The VPN Server

The IKEv2 server is ready to be used. Restart ipsec:

ipsec restart

Stopping strongSwan IPsec…

Starting strongSwan 5.6.2 IPsec [starter]…
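Before opening the server to clients, it is worth verifying a few things the steps above depend on: that the nat POSTROUTING exemption from Step 3 actually precedes the MASQUERADE rule (the first matching rule in the chain wins), that /etc/ipsec.secrets, which holds the key reference and, in Step 4b, clear-text EAP passwords, is not readable by other local users, and that the Let’s Encrypt certificate from Step 2 is not about to expire (which would mean the renew hook is not working). The script below is an added example and not part of the original article. It assumes the file layout used in this guide, takes every path as an argument so it can be run against the live files or copies, and the input built in demo() is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): post-install sanity checks
# for the IKEv2 server set up above. Live paths would be
# /etc/iptables/rules.v4, /etc/ipsec.secrets and /etc/ipsec.d/certs/cert.pem;
# they are passed as arguments so the checks also work on copies.

# 1. In the nat POSTROUTING chain the IPsec exemption
#    (-m policy --pol ipsec ... -j ACCEPT) must come before MASQUERADE,
#    because iptables stops at the first matching rule. Returns 0 if so.
check_nat_order() {
    rules="$1"
    accept_line=$(grep -n -- '-A POSTROUTING .*--pol ipsec.*-j ACCEPT' "$rules" | head -n 1 | cut -d: -f1)
    masq_line=$(grep -n -- '-A POSTROUTING .*-j MASQUERADE' "$rules" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$masq_line" ] && [ "$accept_line" -lt "$masq_line" ]
}

# 2. ipsec.secrets must be readable by root only (mode 0600 or 0400):
#    with Step 4b it contains the VPN users' passwords in clear text.
check_secrets_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Let's Encrypt certificates are valid for 90 days. Returns non-zero if the
#    certificate charon serves to clients expires within $2 days, i.e. the
#    renew hook from Step 2 has not replaced it in time.
check_cert_not_expiring() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print PASS/FAIL for one check without aborting the remaining ones.
report() {
    name="$1"; shift
    if "$@"; then echo "PASS: $name"; else echo "FAIL: $name"; fi
}

# Demonstration on constructed input in a temporary directory; no live
# files are touched. The rules fragment mirrors what Step 3 produces.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '*nat' \
        '-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT' \
        '-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE' \
        'COMMIT' > "$d/rules.v4"
    printf '%s\n' 'vpn.example.invalid : RSA "privkey.pem"' > "$d/ipsec.secrets"
    chmod 600 "$d/ipsec.secrets"
    report "nat POSTROUTING: IPsec exemption precedes MASQUERADE" check_nat_order "$d/rules.v4"
    report "ipsec.secrets is not readable by other users" check_secrets_mode "$d/ipsec.secrets"
    # On a real server: report "certificate valid for 14+ days" check_cert_not_expiring /etc/ipsec.d/certs/cert.pem 14
    rm -rf "$d"
}

demo
```

On the live server, run the three checks against /etc/iptables/rules.v4 (or the output of `iptables-save`), /etc/ipsec.secrets and /etc/ipsec.d/certs/cert.pem; the certificate check with a threshold of 14 days makes a useful cron job, since certbot normally renews well before the 90-day validity runs out.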

Step 6 — Connect to VPN server

The server is ready to accept connections. Creating a VPN connection on the client is straightforward, and there are plenty of guides on the web to help you go from here.
