This setup is for remote users to connect into an office/home LAN using a VPN (ipsec). This is based on (but not the same as) the strongSwan documentation and this guide: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
I used strongSwan 5.5.1.
apt-get install -y strongswan strongswan-pki
Replace the variables below with appropriate values for your organisation. Then copy and paste line by line.
COUNTRY_CODE=XX
ORGANISATION=XXXXX
SERVER_NAME=vpn.example.com
IP_ADDRESS=<public ip of the vpn server>
pushd /etc/ipsec.d/
Create self-signed certificate authority (CA):
ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswan.der
chmod 600 private/strongswan.der
ipsec pki --self --ca --lifetime 3650 --in private/strongswan.der --type rsa --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$ORGANISATION Root CA" --outform der > cacerts/strongswan.der
openssl x509 -inform DER -in cacerts/strongswan.der -out cacerts/strongswan.pem -outform PEM
ipsec pki --print --in cacerts/strongswan.der
Create host key:
ipsec pki --gen --type rsa --size 4096 --outform der > private/host-vpn.der
chmod 600 private/host-vpn.der
ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$SERVER_NAME" --san=$SERVER_NAME --san $IP_ADDRESS --san @$IP_ADDRESS --flag serverAuth --flag ikeIntermediate --outform der > certs/host-vpn.der
ipsec pki --print --in certs/host-vpn.der
mkdir -p p12
popd
Note: if you want to use "Remote ID" to let clients choose between connection profiles, then you need to add them as SANs above, as strongSwan will only let you use leftids that are named in your host cert.
Edit /etc/ipsec.secrets to add the host-vpn.der private key we generated for the host above (see the example file in this Gist).
Copy the example ipsec.conf attached to this Gist into /etc/ipsec.conf. Replace <VPN SERVER ID> with the value of $SERVER_NAME above. Replace <INTERNAL SUBNET> with the subnet you want to provide access to in your LAN. If you want to route all internet traffic, use 0.0.0.0/0, otherwise enter something like 192.168.1.0/24. Note that you might have trouble if LAN subnet conflicts with subnets the mobile device might otherwise be on. Replace <LAN DNS SERVERS> with the appropriate DNS servers for your LAN.
Documentation of what the configuration in the conn section means: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
keyexchange=ikev2We use the modern key exchange protocol. This works on all of the platforms we want to support.ike=...A list of cipher suites as recommended by the guide linked aboveesp=...dittodpdaction=clearWhen the Dead Peer Detection detects a dead peer it closes the ipsec connectiondpddelay=60sHow often to send the Dead Peer Detection check if the connection is idle. Don't make this too long as some clients close the connection themselves if it is idle for much longer than this.left=%anyWe don't need to know what our IP address. Just use one of our IP addresses at runtime, depending upon how the client connected.leftid=...This is the "Remote ID" string that macOS and iOS clients use. I suggest using your server's fully-qualified domain name, as above.leftsubnet=...As above.leftcert=host-vpn.derThe certificate representing the server that we created above.leftsendcert=alwaysSee https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX which notes that we should agressively send our certificate so the user doesn't need to install it.right=%anyOur mobile users could have any IP addressrightauth=eap-tlsThis activates user authentication on the client. More below.rightsourceip=%dhcpUse our network's DHCP server to issue an IP address. You can also just give a subnet here, or an IP address range, e.g.10.1.1.50-10.1.1.70rightdns=...DNS servers to give to the mobile user. Probably the same DNS servers you use on your LAN.eap_identity=%identityFor Windows 10 to work.auto=addWhen strongSwan starts up it should add this connection to its list of connections available to use when a mobile user connects.
If we issue remote clients IPs using our LAN's DHCP server, and the DHCP server is on the same server as the VPN, then we need a little extra configuration. Edit the /etc/strongswan.d/charon/dhcp.conf file, consulting the example attached to this Gist. Replace <LAN BROADCAST ADDRESS> with the broadcast address of your LAN.
Documentation: https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
Install the /etc/sysctl.d/99-strongswan.conf file listed below, and make sure it's loaded:
sysctl -p
If your VPN server is not public on the internet, you'll need to setup port forwarding on your internet-facing router.
The following ports must be forwarded to your VPN server:
- UDP 500
- UDP 4500 (for nat traversal)
I use Shorewall to control the iptables firewall on my VPN server. Basically you just need to open UDP 500 and 4500. Here's how to do it using Shorewall.
Add the following line to /etc/shorewall/tunnels:
ipsecnat net 0.0.0.0/0
Add the following line to /etc/shorewall/zones, assuming that your network zone is named net (if not, substitute):
vpn:net ipsec mode=tunnel mss=1024
Add the following line to /etc/shorewall/hosts, assuming that the interface your VPN is connected to is eth0 (if not, substitute):
vpn eth0:0.0.0.0/0
Then either configure the vpn zone using rules or an entry in /etc/shorewall/policy.
Then restart Shorewall:
shorewall safe-restart
To startup strongSwan:
ipsec start
To stop it:
ipsec stop
To reload the configuration from /etc/ipsec.conf when you've made changes, but without interfering with any existing connected users:
ipsec reload
To restart strongSwan when you've made configuration changes, or want to bump connected users:
ipsec restart
To get the status of established strongSwan connections:
ipsec status
To get more details of strongSwan's status:
ipsec statusall
We use certificates to authenticate users. This works on macOS 10.12, iOS 10 and Windows 10. So next you need to create user certificates so that you can connect to the VPN.
Set the variables first. The username should be a string that is okay as a filename, and doesn't contain any spaces. Like a username. The user id is usually an email address.
Note that we store the user files in the same directories as the CA and host ones. So don't use strongswan as a username, or host-vpn, or you'll overwrite your previous files!
NAME=John Doe
USERNAME=jdoe
USERID=jdoe@example.com
COUNTRY_CODE=XX
ORGANISATION=XXXXX
Then run these commands. You will be prompted for a password on the final openssl command. This password protects the .p12 file that contains the private key and certificate for the user. I suggest making up a random password for each .p12 file.
pushd /etc/ipsec.d
ipsec pki --gen --type rsa --size 2048 --outform der > private/$USERNAME.der
chmod 600 private/$USERNAME.der
ipsec pki --pub --in private/$USERNAME.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$USERID" --san "$USERID" --outform der > certs/$USERNAME.der
openssl rsa -inform DER -in private/$USERNAME.der -out private/$USERNAME.pem -outform PEM
openssl x509 -inform DER -in certs/$USERNAME.der -out certs/$USERNAME.pem -outform PEM
openssl pkcs12 -export -inkey private/$USERNAME.pem -in certs/$USERNAME.pem -name "$NAME's VPN Certificate" -certfile cacerts/strongswan.pem -caname "$ORGANISATION Root CA" -out p12/$USERNAME.p12
popd
The /etc/ipsec.d/p12/$USERNAME.p12 file contains the user's private key and certificate. It is a binary file. You need to send this file to the user, and send the password (entered above) separately.
Send the .p12 file for the user and the /etc/ipsec.d/cacerts/strongswan.pem file.
On macOS, double-click the .p12 file, and enter the password, to add the user's certificate and private key to the keychain using Keychain Access.app. In Keychain Access.app you should see the certificate in the My Certificates list of the login keychain, with the user id from above as its name.
Double-click the .pem file to add our CA certificate to the keychain using Keychain Access.app. Find the CA certificate in the Certificates list of the login keychain, named with your organisation name followed by "Root CA". Double-click to open it. Expand the Trust section, and choose "Always Trust".
- Open the Network system preferences pane.
- Click the + button to add a new connection.
- Interface: VPN
- VPN Type: IKEv2
- Service Name: A name of your choice
- Click "Create", then fill in the details for the connection:
- Server Address: the fully-qualified domain name (or IP) of your VPN server
- Remote ID: the same as the Server Address, unless you've done something different with your
leftid - Local ID: the user id, and name on your user certificate, probably the email address
- Click "Authentication Settings…"
- Choose "Certificate" from the dropdown for authentication settings
- Click "Select…" and choose the certificate matching the Local ID you entered above.
- Click "OK" to close the Authentication Settings sheet.
- Click "Connect" to connect your VPN.
One way to get the .p12 file and CA cert (/etc/ipsec.d/cacerts/strongswan.pem) onto an iOS device is to put them on a web server and browse to them. Another is to use the Apple Configurator application.
The web server approach is pretty easy. Browse to each file and follow the prompts to add them to your profiles.
- Open the Settings app
- Open the VPN settings
- Tap "Add VPN Configuration…"
- Type: IKEv2
- Description: Anything here
- Server: the fully-qualified domain name (or IP) of your VPN server
- Remote ID: the same as the Server Address, unless you've done something different with your
leftid - Local ID: the user id, and name on your user certificate, probably the email address
- User Authentication: Certificate
- Certificate: choose the certificate matching the Local ID you entered above.
- Done
You can now connect to the VPN from your iOS device.
Send the .p12 file for the user and the /etc/ipsec.d/cacerts/strongswan.der file, but rename strongswan.der to strongswan.cer. That will make it easier to use on Windows.
-
On Windows 10, double-click the
.p12file to open the Certificate Import Wizard. -
Choose "Current User" and click "Next".
-
Check the file path, and click "Next" again.
-
Enter the password for the
.p12file that you used above. The default import options are fine (just "Include all extended properties" is ticked) -
Choose "Automatically select the certificate store..." and click Next (it will choose the Personal certificate store, which is good).
-
Click Finish.
-
Open the "Manage computer certificates" control panel (use the search from the Windows menu)
-
Right-click on "Trusted Root Certification Authorities" in the tree, and choose All Tasks > Import…
-
The Store Location will be "Local Machine". If not you need to exit out of the app and make sure you are in the computer certificates control panel, not the user certificates. Click Next.
-
Browse for
strongswan.cer. Click Next. (If the file is namedstrongswan.der, then you'll need to change the file type dropdown to All Files) -
The certificate store option will be the specific store, "Trusted Root Certification Authoritities". Click Next.
-
Click Finish.
-
Open the "Change virtual private networks (VPN)" control panel.
-
Click the "Add a VPN connection" button
-
VPN provider: Windows (built-in)
-
Connection name: A name of your choice
-
Server name or address: the fully-qualified domain name (or IP) of your VPN server
-
VPN type: IKEv2
-
Type of sign-in info: Certificate
-
User name and Password can stay blank
-
Click "Save"
Then click on the VPN connection you just created and connect.
If you want to route your entire internet connection over the VPN, you need to get to the advanced settings on the IPv4 and enable "Use default gateway on remote network".
- Open the "Network and Sharing Center"
- Click "Change adapter settings" (left)
- Right-click on your VPN and choose Properties
- Click the "Networking" tab.
- Click "Internet Protocol Version 4 (TCP/IPv4)", then click "Properties"
- Tick on "Use default gateway on remote network"
- OK out of all of those screens.