VPN is an acronym for Virtual Private Network. It is commonly used to protect users on untrusted networks: all traffic is encrypted and carried over a secured connection to a remote network, which keeps the data private while surfing over public networks and also allows geographical restrictions to be bypassed.
There are several VPN solutions on the market today. StrongSwan is an open-source, modern, IPsec-based VPN solution. This multi-platform solution fully supports both versions of the Internet Key Exchange protocol, IKEv1 and IKEv2, to establish security associations (SAs) between two hosts. The connection between the client and the server is thereby encrypted, and a secure gateway is provided to other resources available on the server and its network.
Key features of StrongSwan include:
- Fully tested support of IPv6 IPsec tunnel and transport connections
- Powerful IPsec policies based on wildcards or intermediate CAs
- Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
- XAUTH server and client functionality on top of IKEv1 Main Mode authentication
- Runs on Linux 2.6, 3.x, 4.x and 5.x kernels, Android, FreeBSD, OS X, iOS and Windows
- Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
- Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
- Modular plugins for crypto algorithms and relational database interfaces
- Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) or protected by a TPM 2.0
- Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
- Smooth Linux desktop integration via the strongSwan NetworkManager applet
- Virtual IP address pool managed by IKE daemon or SQL database
- NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
StrongSwan works in a peer-to-peer model as a keying daemon that uses Internet Key Exchange Version 2 to establish security associations. The diagram below illustrates the architecture.
In this guide, we will learn how to install StrongSwan VPN Server on Rocky / AlmaLinux 8|9.
Step 1: Enable Kernel IP Forwarding
We will begin by enabling Kernel IP Forwarding on Rocky / AlmaLinux 8|9. This is done by editing the /etc/sysctl.conf file:
sudo vim /etc/sysctl.conf
Add the below lines to the file:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Save the file and reload the parameters.
$ sudo sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Step 2: Install StrongSwan VPN Server
The StrongSwan VPN packages are provided in the EPEL repositories. To be able to install them, enable the EPEL repo on your Rocky / AlmaLinux 8|9 system using the command:
sudo dnf install epel-release
Once enabled, install the StrongSwan VPN Server with the command:
sudo dnf install strongswan libreswan
Dependency Tree:
....
Transaction Summary
================================================================================
Install 5 Packages
Total download size: 4.5 M
Installed size: 8.7 M
Is this ok [y/N]: y
Once complete, verify the installation.
$ strongswan version
Linux strongSwan U5.9.8/K5.14.0-70.13.1.el9_0.x86_64
University of Applied Sciences Rapperswil, Switzerland
Step 3: Configure StrongSwan VPN Server
Once installed, there are several configurations one can make to the StrongSwan VPN Server. Normally, the configurations are located at /etc/strongswan/.
Verify this as shown:
$ ls /etc/strongswan/
ipsec.conf ipsec.d ipsec.secrets strongswan.conf strongswan.d swanctl
For this guide, we will use the classic ipsec.conf-based StrongSwan configuration, so we need to make adjustments to:
- /etc/strongswan/ipsec.conf: the configuration file for the strongSwan IPsec subsystem.
- /etc/strongswan/ipsec.secrets: this is the secrets file.
a. Generate Self-signed certificates
The StrongSwan VPN server reads all the certificates in /etc/strongswan/ipsec.d/certs. Begin by creating a working PKI directory that only your user can access:
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
Install the required packages:
sudo yum install haveged tpm2-abrmd -y
Start and enable the service:
sudo systemctl enable --now haveged
Create a private key for the certificate authority (CA):
strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
Create the self-signed root CA certificate from that key:
strongswan pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
--type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
Create a private key for the VPN server:
strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
Now generate the server certificate, signed by the CA:
strongswan pki --pub --in ~/pki/private/server-key.pem --type rsa \
| strongswan pki --issue --lifetime 1825 \
--cacert ~/pki/cacerts/ca-cert.pem \
--cakey ~/pki/private/ca-key.pem \
--dn "CN=vpn.geeksforgeeks.org" --san vpn.geeksforgeeks.org --san 192.168.205.12 --san @192.168.205.12 \
--flag serverAuth --flag ikeIntermediate --outform pem \
> ~/pki/certs/server-cert.pem
The additional --san arguments bind the certificate to the domain name and IP address that clients use to reach the gateway, so the gateway identity can be verified against it. Once generated, copy the certificates to the required directories:
sudo cp -r ~/pki/* /etc/strongswan/ipsec.d/
Now set the below permissions for the certs:
sudo chmod -R 775 /etc/strongswan/ipsec.d/
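Before relying on the files just copied into /etc/strongswan/ipsec.d, it is worth verifying what was generated. The shell script below is an added check, not part of this guide or of strongSwan: it confirms that the server certificate chains to the CA, carries the SAN that clients match the gateway identity against, belongs to the named private key, and that the key file is not readable by other accounts (the recursive chmod 775 above leaves the files under ipsec.d/private group- and world-readable). It uses openssl instead of strongswan pki so it runs on any workstation, and builds a constructed throwaway CA and gateway certificate (vpn.example.test and 192.0.2.10 are example values) in a temporary directory that mirrors the ~/pki layout.

```shell
#!/bin/sh
# Added check (not from the guide): validate a strongSwan gateway certificate and
# its private key. make_demo_pki builds a constructed throwaway CA + server cert
# with the same cacerts/ certs/ private/ layout as the guide's ~/pki directory.

# check_server_cert CA_CERT SERVER_CERT SERVER_KEY EXPECTED_SAN
# Exit status: 0 ok, 1 chain broken, 2 SAN missing, 3 key/cert mismatch,
# 4 private key readable by group or others.
check_server_cert() {
    ca="$1"; cert="$2"; key="$3"; san="$4"
    # 1. The server cert must chain to the CA that clients will trust (leftcacert).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert does not verify against $ca" >&2; return 1; }
    # 2. Clients compare the gateway identity (rightid) against the SAN list.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "$san" \
        || { echo "san: $san not present in $cert" >&2; return 2; }
    # 3. leftcert must belong to the key named in ipsec.secrets: compare public keys.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
        || { echo "key: $key does not match $cert" >&2; return 3; }
    # 4. A recursive chmod 775 leaves the key readable by every local account; insist on 600/400.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "perm: $key is mode $mode, expected 600" >&2; return 4 ;;
    esac
    return 0
}

# make_demo_pki DIR: constructed throwaway CA and gateway cert for the check above.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir/cacerts" "$dir/certs" "$dir/private" && chmod 700 "$dir/private"
    # Minimal openssl config so the root gets CA:TRUE regardless of the system defaults.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/ca.cnf"
    # Root CA (the guide's `strongswan pki --self --ca` step)
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=VPN root CA" -keyout "$dir/private/ca-key.pem" \
        -out "$dir/cacerts/ca-cert.pem" >/dev/null 2>&1
    # Gateway key + CSR, then issue it with the SANs and flags the guide passes to --issue
    # (1.3.6.1.5.5.8.2.2 is the ikeIntermediate extended key usage OID).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" -keyout "$dir/private/server-key.pem" \
        -out "$dir/server.csr" >/dev/null 2>&1
    printf '%s\n' 'subjectAltName = DNS:vpn.example.test, IP:192.0.2.10' \
        'extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 1825 -CA "$dir/cacerts/ca-cert.pem" \
        -CAkey "$dir/private/ca-key.pem" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/certs/server-cert.pem" >/dev/null 2>&1
    chmod 600 "$dir"/private/*.pem
}

# Stand-alone demo: build the throwaway PKI and run the check on it.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_server_cert "$demo_dir/cacerts/ca-cert.pem" "$demo_dir/certs/server-cert.pem" \
    "$demo_dir/private/server-key.pem" vpn.example.test && echo "gateway cert OK"
rm -rf "$demo_dir"
```

To use it on the real files, call check_server_cert with /etc/strongswan/ipsec.d/cacerts/ca-cert.pem, certs/server-cert.pem, private/server-key.pem and the hostname you put in --san; a non-zero exit tells you which of the four checks failed.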
b. Configure Security Gateways
To configure the security gateways on StrongSwan, you need to edit the /etc/strongswan/ipsec.conf.
Create a backup conf file.
sudo cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
Now open the file for editing:
sudo vim /etc/strongswan/ipsec.conf
In the opened file, make the below adjustments.
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel # defines the type of connection, tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.geeksforgeeks.org # if using an IP address, define it without the @ sign
    leftcert=server-cert.pem # reads the VPN server cert in /etc/strongswan/ipsec.d/certs
    leftsendcert=always
    leftsubnet=192.168.205.0/24
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.205.0/24
    rightdns=192.168.205.1,8.8.8.8 # DNS servers to be assigned to clients
    rightsendcert=never
    eap_identity=%identity # defines the identity the client uses to reply to an EAP Identity request
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
In the above file:
- config setup: defines the general IPsec configuration information which applies to all connections.
- charondebug: specifies how much Charon debugging output should be logged.
- uniqueids: defines whether a particular participant ID should be kept unique.
- conn ikev2-vpn: defines the set connection name.
- keyexchange: defines the version of the IKE protocol to use.
- left: defines the IP address of the left participant’s public-network interface.
- leftid: Specifies the domain name or IP address of the server.
- leftcert: Specifies the name of the server certificate.
- leftsubnet: defines the private subnet behind the left participant.
- right: declares the IP address of the right participant’s public-network interface.
- rightsubnet: defines the private subnet behind the right participant.
- rightsourceip: the pool of virtual IP addresses handed out to connecting clients.
- rightdns: DNS to be assigned to clients.
To find more definitions for all other parameters, read the ipsec.conf man page:
man ipsec.conf
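The ike= and esp= lines above accept, among others, the modp1024 group and SHA-1 integrity, and the trailing ! makes the list strict, so whatever is listed is exactly what a peer may negotiate. As an added example, not part of this guide or of strongSwan, the script below audits the proposal lists in an ipsec.conf and prints a trimmed version. Which components count as weak is the script's own policy (WEAK_PATTERN), and it runs against a constructed sample fragment with the shape of the conn block above rather than the full lines.

```shell
#!/bin/sh
# Added example (not from the guide): audit the ike= and esp= proposal lists in an
# ipsec.conf and print a trimmed list. The sample file is constructed for the demo.

# Components treated as weak here: MODP groups below 2048 bits, SHA-1/MD5 integrity,
# DES/3DES, and null encryption. Adjust to your own policy.
WEAK_PATTERN='modp768|modp1024|modp1536|sha1|md5|des|3des|null'

# list_proposals FILE KEY -> one proposal per line from a "KEY=p1,p2,...!" line
list_proposals() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tr -d '!' | tr ',' '\n'
}

# is_weak PROPOSAL -> exit 0 if any dash-separated component matches WEAK_PATTERN
is_weak() {
    printf '%s\n' "$1" | tr '-' '\n' | grep -Eqx "$WEAK_PATTERN"
}

# weak_count FILE KEY -> prints the number of weak proposals; lists them on stderr
weak_count() {
    n=0
    for p in $(list_proposals "$1" "$2"); do
        if is_weak "$p"; then
            echo "$2: weak proposal $p" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# strong_line FILE KEY -> "KEY=<surviving proposals>!" (the '!' keeps strict mode)
strong_line() {
    keep=""
    for p in $(list_proposals "$1" "$2"); do
        is_weak "$p" && continue
        keep="${keep:+$keep,}$p"
    done
    printf '%s=%s!\n' "$2" "$keep"
}

# write_sample_conf FILE -> constructed ipsec.conf fragment used by the demo
write_sample_conf() {
    printf '%s\n' \
        'conn ikev2-vpn' \
        '    keyexchange=ikev2' \
        '    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp2048,aes128-sha256-modp1024,aes256-sha1-modp1024!' \
        '    esp=aes128gcm16-ecp256,aes128-sha256-ecp256,aes128-sha1-modp2048,aes256-sha1!' \
        > "$1"
}

# Stand-alone demo
sample=$(mktemp)
write_sample_conf "$sample"
echo "weak ike proposals: $(weak_count "$sample" ike)"
echo "weak esp proposals: $(weak_count "$sample" esp)"
strong_line "$sample" ike
strong_line "$sample" esp
rm -f "$sample"
```

Run weak_count and strong_line against /etc/strongswan/ipsec.conf to see which of the guide's proposals would be dropped; the printed line can be pasted back into the conn section as the new ike= or esp= value.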
c. Configure PSK for Peer-to-Peer Authentication
We have already configured the strongSwan VPN server to accept client connections. Next, we need to configure the client-server authentication credentials: point the server at its RSA private key and provide the EAP user credentials.
Generate the character string for your password with the command:
$ head -c 24 /dev/urandom | base64
7yyoC32RpKeSRDhdEI9Z+XXaL8aTS7V0
Once generated, add it to the file below:
sudo vim /etc/strongswan/ipsec.secrets
Add the below lines to the file, replacing your-secure-password with the string generated above:
: RSA "server-key.pem"
vpnsecure : EAP "your-secure-password"
Save the file and start the service:
sudo strongswan start
Check the status of the service:
$ sudo strongswan statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 5.14.0-70.13.1.el9_0.x86_64, x86_64):
uptime: 33 seconds, since Jan 27 10:47:42 2023
malloc: sbrk 1892352, mmap 0, used 1204176, free 688176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
192.168.205.0/24: 254/0/0
Listening IP addresses:
192.168.205.12
Connections:
ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ikev2-vpn: local: [vpn.geeksforgeeks.org] uses public key authentication
ikev2-vpn: cert: "CN=vpn.geeksforgeeks.org"
ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 192.168.205.0/24 === dynamic TUNNEL, dpdaction=none
Security Associations (0 up, 0 connecting):
none
From the above output, we currently have no associations with our server. Allow the required ports and services through the firewall.
sudo firewall-cmd --add-port=500/udp --permanent
sudo firewall-cmd --add-port=4500/udp --permanent
sudo firewall-cmd --permanent --add-service="ipsec"
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload
Step 4: Install and Configure StrongSwan VPN Client
To configure a StrongSwan VPN client, install the strongSwan client packages:
##On Debian/Ubuntu
sudo apt update && sudo apt-get install strongswan libcharon-extra-plugins -y
##On RHEL/Rocky/Alma Linux
sudo dnf install epel-release && sudo dnf install strongswan -y
Copy the ca cert from your StrongSwan server.
##For Example
sudo scp <ssh-user>@192.168.205.12:/etc/strongswan/ipsec.d/cacerts/ca-cert.pem ~/
Now copy the cert to the IPsec directory.
##On Debian/Ubuntu
sudo mv ~/ca-cert.pem /etc/ipsec.d/cacerts/
##On RHEL/Rocky/Alma Linux
sudo mv ~/ca-cert.pem /etc/strongswan/ipsec.d/cacerts/
On RHEL-based clients, set SELinux to permissive mode so the certs can be accessed (setenforce 0 lasts only until the next reboot).
sudo setenforce 0
Create the authentication on the client:
##On Debian/Ubuntu
sudo vim /etc/ipsec.secrets
##On RHEL/Rocky/AlmaLinux
sudo vim /etc/strongswan/ipsec.secrets
Add the below lines to the file, replacing values where required.
vpnsecure : EAP "your-secure-password"
Also, create the IPsec config on the client:
##On Debian/Ubuntu
sudo vim /etc/ipsec.conf
##On RHEL/Rocky/Alma Linux
sudo vim /etc/strongswan/ipsec.conf
Add the below lines to the config.
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn ikev2-vpn
    right=vpn.geeksforgeeks.org
    rightid=@vpn.geeksforgeeks.org # This should match the `leftid` value on your server's configuration
    rightsubnet=192.168.205.0/24
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    leftcacert=ca-cert.pem
    eap_identity=%identity
    auto=start
Now restart the service:
##On Debian/Ubuntu
sudo systemctl restart strongswan-starter
##On RHEL/Rocky/Alma Linux
sudo systemctl restart strongswan
Now check the status of the service:
$ systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-01-27 12:56:13 EAT; 2min 28s ago
Main PID: 162058 (starter)
Tasks: 18 (limit: 4629)
Memory: 4.3M
CPU: 32ms
CGroup: /system.slice/strongswan-starter.service
├─162058 /usr/lib/ipsec/starter --daemon charon --nofork
└─162062 /usr/lib/ipsec/charon
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] installing new virtual IP 192.168.205.1
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c906aacf_i c421b22b_o and TS 192.168.205.1/32 === 192.168.205.0/24
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c906aacf_i c421b22b_o and TS 192.168.205.1/32 === 192.168.205.0/24
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] peer supports MOBIKE
Now on the StrongSwan server, you can check the status:
sudo strongswan status
Sample Output:
That is it: you have created a VPN tunnel between two devices. You can use this connection to encrypt traffic and provide a secure gateway to other resources available on the server and its network. I hope this guide was helpful.
See more on this page:
- Deploy WireGuard and IPsec VPN Server using Ansible
- Bypass Any Website Region Restrictions using Ivacy VPN
- How to set up VPN on any VPS