IKEv2 VPN server with strongSwan and Let’s Encrypt


A VPN helps to secure your Internet connection. There are many cases when you want your network traffic to be encrypted to prevent your sensitive data from being stolen, e.g., on public Wi-Fi networks. Numerous VPN protocols exist; the most popular are PPTP, L2TP/IPsec, OpenVPN and IKEv2. In this guide I will explain how to set up an IKEv2 VPN server with strongSwan and a Let’s Encrypt certificate, with automatic renewal configured.

IKEv2 stands for Internet Key Exchange protocol version 2. The protocol works natively on macOS, iOS and Windows. Several IKEv2 implementations exist for Android, BlackBerry and Linux. The key strength of this protocol is its resistance to network changes, so the VPN connection will remain established after you change the network, e.g., from cellular to Wi-Fi.

Prerequisites

For this tutorial you need a VPS with Linux (DigitalOcean provides machines starting at $5/month) and a domain. This guide covers the following software versions:

  • Ubuntu 16.04 LTS
  • strongSwan 5.3.5
  • Certbot 0.26.1

Installing strongSwan

strongSwan is an open source IPsec implementation with full support for the IKEv2 protocol. Let’s install it:

Installing Certbot and obtaining Let’s Encrypt certificate

You can generate your own certificate if you don’t have a domain. The only drawback is that you will need to install your root certificate on every client that will use your VPN server. This case is not covered in this guide.

If you have a domain, you can buy a certificate or use a free one provided by the Let’s Encrypt certificate authority (CA). Let’s Encrypt issues certificates that are valid for 90 days. After the certificate expires, you will have to renew it. Fortunately, the process of obtaining and renewing the certificate can be automated with the Certbot utility.

The Certbot packages in Ubuntu are old, so we will add the PPA and install a newer version of the utility:

Next we will obtain the certificate. Replace yourdomain with your domain name:

Your certificate and private key will be stored in /etc/letsencrypt/live/yourdomain.

Certbot will handle the automatic certificate renewal process for you. Let’s create symbolic links to the files so you will not have to copy them manually to make them available to strongSwan after every renewal:

To restart strongSwan after a successful certificate renewal, edit the file /lib/systemd/system/certbot.service and change this line to:

Reload the systemd daemon for the changes to take effect:
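The commands for the installation and certificate steps above are missing from the page as it was captured. The script below is an added example, not the author's own commands: it installs strongSwan and Certbot, obtains the certificate with Certbot's standalone authenticator, links the Let's Encrypt files into /etc/ipsec.d, and restarts strongSwan after a renewal. It assumes Ubuntu 16.04 with the ppa:certbot/certbot archive, that TCP 80/443 are free while Certbot runs, and that the eap-mschapv2 plugin lives in libcharon-extra-plugins. DOMAIN and ROOT are hypothetical knobs; ROOT only exists so the link step can be exercised against a scratch directory. The renewal hook is installed as a systemd drop-in rather than by editing the packaged unit as the post does; both achieve the same restart.

```shell
#!/bin/sh
# Added example (not the original post's commands). Assumes Ubuntu 16.04 and
# the ppa:certbot/certbot archive. DOMAIN and ROOT are hypothetical settings:
# ROOT prefixes /etc so the link step can be tested in a scratch directory.
set -eu

DOMAIN="${DOMAIN:-yourdomain}"
ROOT="${ROOT:-}"                      # empty on a real server

# 1. strongSwan plus the plugin package that carries eap-mschapv2, then
#    Certbot from the PPA because the Ubuntu 16.04 package is dated.
install_packages() {
    apt-get update
    apt-get install -y strongswan libcharon-extra-plugins software-properties-common
    add-apt-repository -y ppa:certbot/certbot
    apt-get update
    apt-get install -y certbot
}

# 2. Obtain the certificate with Certbot's built-in web server; nothing else
#    may be listening on TCP 80/443 while this runs.
obtain_certificate() {
    certbot certonly --standalone --non-interactive --agree-tos \
        --email "admin@$DOMAIN" -d "$DOMAIN"
}

# 3. Link the Let's Encrypt files into the directories strongSwan reads.
#    The "live" paths are stable symlinks that Certbot repoints on renewal,
#    so these links never need to be recreated.
link_certificate() {
    live="$ROOT/etc/letsencrypt/live/$DOMAIN"
    mkdir -p "$ROOT/etc/ipsec.d/certs" "$ROOT/etc/ipsec.d/private" "$ROOT/etc/ipsec.d/cacerts"
    ln -sf "$live/cert.pem"    "$ROOT/etc/ipsec.d/certs/cert.pem"
    ln -sf "$live/privkey.pem" "$ROOT/etc/ipsec.d/private/privkey.pem"
    ln -sf "$live/chain.pem"   "$ROOT/etc/ipsec.d/cacerts/chain.pem"
}

# 4. Restart strongSwan after every successful renewal. A drop-in overrides
#    ExecStart without touching the packaged unit file; --deploy-hook fires
#    only when a certificate was actually renewed.
certbot_override_unit() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/certbot -q renew --deploy-hook "systemctl restart strongswan"
EOF
}

install_renewal_hook() {
    mkdir -p "$ROOT/etc/systemd/system/certbot.service.d"
    certbot_override_unit > "$ROOT/etc/systemd/system/certbot.service.d/override.conf"
    systemctl daemon-reload
}

main() {
    install_packages
    obtain_certificate
    link_certificate
    install_renewal_hook
}

# Only act when explicitly asked, so the file can be sourced or tested safely.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `DOMAIN=vpn.example.org sh setup-certs.sh run` on the server. Because the links point at the `live` directory rather than at a dated archive file, a renewal only requires the daemon restart the hook performs, never new links.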

Configuring strongSwan

Next we need to edit /etc/ipsec.conf:

For the configuration parameters explanation refer to General Connection Parameters.

Configuring authentication

Now we have to add users so that they can connect to our VPN server. Edit the /etc/ipsec.secrets file and replace username and password with the client’s user name and password:

You can add more users by inserting additional lines. For the changes to take effect you don’t have to reload the daemon. Just run:
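The ipsec.conf and ipsec.secrets contents referred to in the two sections above are not present on the captured page. The following is an added example of both files, written as a small shell script so the domain, address pool and user list can be substituted; it is not the author's configuration. It assumes the certificate files were linked as cert.pem, privkey.pem and chain.pem under /etc/ipsec.d, that clients authenticate with EAP-MSCHAPv2 (user name and password), and that 10.10.10.0/24 and the DNS servers are placeholders you replace. ROOT is a hypothetical prefix used only for testing.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Assumes the Let's Encrypt
# files are linked under /etc/ipsec.d as cert.pem / privkey.pem / chain.pem
# and that clients use EAP-MSCHAPv2. POOL and DNS are placeholder values.
set -eu

DOMAIN="${DOMAIN:-yourdomain}"
POOL="${POOL:-10.10.10.0/24}"
DNS="${DNS:-1.1.1.1,8.8.8.8}"
ROOT="${ROOT:-}"                       # prefix for /etc, used only for testing

# /etc/ipsec.conf: one connection that accepts any client, authenticates the
# server with the Let's Encrypt certificate and the client with EAP-MSCHAPv2.
ipsec_conf() {
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=never

conn ikev2-vpn
    auto=add
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    # modp1024 is listed only because stock Windows clients propose DH group 2;
    # remove it if no Windows client needs the default proposal.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@$DOMAIN
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$POOL
    rightdns=$DNS
    rightsendcert=never
    eap_identity=%identity
EOF
}

# /etc/ipsec.secrets: the server's private key plus one EAP line per user.
# Usage: ipsec_secrets USER PASSWORD [USER PASSWORD ...]
ipsec_secrets() {
    echo "$DOMAIN : RSA privkey.pem"
    while [ $# -ge 2 ]; do
        # Quote the password so characters like # or : survive parsing.
        echo "$1 : EAP \"$2\""
        shift 2
    done
}

# Write both files and make the daemon pick them up without a restart:
# rereadsecrets for ipsec.secrets, reload for the conn definition.
apply_config() {
    ipsec_conf > "$ROOT/etc/ipsec.conf"
    ipsec_secrets "$@" > "$ROOT/etc/ipsec.secrets"
    chmod 600 "$ROOT/etc/ipsec.secrets"   # holds clear-text passwords
    ipsec rereadsecrets
    ipsec reload
}

if [ "${1:-}" = "run" ]; then
    shift
    apply_config "$@"
fi
```

Usage: `DOMAIN=vpn.example.org sh ipsec-config.sh run alice 'p#ss:w0rd' bob 'another'`. The `-m policy` firewall rules later in the guide key on the same pool as `rightsourceip`, so keep the two in sync.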

Disabling AppArmor profile

The AppArmor profiles for strongSwan cause permission problems. As a result, when the daemon tries to read the certificate or private key you will get a Permission denied error. You can check whether AppArmor is running:

If you see the profiles /etc/apparmor.d/usr.lib.ipsec.charon or /etc/apparmor.d/usr.lib.ipsec.stroke, you should remove them:

Restarting and checking strongSwan status

After we have successfully configured strongSwan, we can restart the service and check that it’s up and running:

If something went wrong you can check the logs with:
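As an added example covering the AppArmor check and the restart step above (not commands from the post): the first function reads `aa-status` output and reports which of the two strongSwan profiles are loaded, so the same check runs on live output or on text you captured earlier; the second disables a profile reversibly (unload it and park a symlink in /etc/apparmor.d/disable) instead of deleting the file, which keeps the package manager happy. The sample `aa-status` text in the usage note is constructed. Assumed: the profile names from the post and the `strongswan` systemd unit name on Ubuntu 16.04.

```shell
#!/bin/sh
# Added example, not from the post. Assumes the AppArmor profile names given in
# the post and the systemd unit name "strongswan" used on Ubuntu 16.04.
set -eu

# Read aa-status output on stdin and print the strongSwan profile names it
# lists (either in the profile list or with a pid in the process list).
loaded_strongswan_profiles() {
    grep -E '^ +/usr/lib/ipsec/(charon|stroke)' | sed 's/^ *//; s/ .*//' | sort -u
}

# Map a profile name such as /usr/lib/ipsec/charon to its file under
# /etc/apparmor.d (AppArmor names files by replacing "/" with ".").
profile_file() {
    printf '/etc/apparmor.d/%s\n' "$(echo "$1" | sed 's|^/||; s|/|.|g')"
}

# Disable a profile reversibly: unload it from the kernel and link it into
# /etc/apparmor.d/disable so it is not reloaded on boot. The post deletes the
# profile files outright; this keeps them on disk for the package manager.
disable_profile() {
    f="$(profile_file "$1")"
    [ -f "$f" ] || return 0
    apparmor_parser -R "$f"
    mkdir -p /etc/apparmor.d/disable
    ln -sf "$f" /etc/apparmor.d/disable/
}

# Restart strongSwan and show both the unit status and the IKE daemon's view.
# If something is wrong, journalctl -u strongswan -e (or /var/log/syslog on
# 16.04) carries the charon log lines.
restart_and_check() {
    systemctl restart strongswan
    systemctl status strongswan --no-pager
    ipsec statusall
}

if [ "${1:-}" = "run" ]; then
    for p in $(aa-status 2>/dev/null | loaded_strongswan_profiles); do
        echo "disabling AppArmor profile $p"
        disable_profile "$p"
    done
    restart_and_check
fi
```

Usage: `sh apparmor-check.sh run` on the server. To see the check alone, pipe captured output into it: `aa-status | sh -c '. ./apparmor-check.sh; loaded_strongswan_profiles'`. A constructed sample such as

    apparmor module is loaded.
    3 profiles are loaded.
       /sbin/dhclient
       /usr/lib/ipsec/charon
       /usr/lib/ipsec/stroke

yields the two ipsec profile names and nothing else.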

Configuring iptables

Next we need to configure iptables properly: close all ports we don’t need and set up masquerading so that all client traffic is routed through the VPN server.

First we clear all iptables rules:

We need to open ports TCP 22 (SSH), TCP 80 and 443 (Certbot), and UDP 500 and 4500 (IPsec):

Enable Encapsulating Security Payload (ESP) forwarding and traffic masquerading:

We should also clamp the TCP maximum segment size to prevent problems with some VPN clients:

Finally we will drop other packets:

These iptables rules will be lost after a restart, so to make them persistent:
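The iptables commands for the steps above did not survive on the captured page. Below is an added example of the complete rule set in the order the post describes (flush, open the listed ports, ESP forwarding and masquerading, MSS clamping, drop the rest, persist); it is not the author's own rule list. Assumptions: the public interface is eth0, the client pool 10.10.10.0/24 matches `rightsourceip` in ipsec.conf, SSH stays on TCP 22, and `iptables-persistent` is used to save the rules. `DRY_RUN` is a hypothetical switch that prints the rules instead of applying them, which is what the test exercises.

```shell
#!/bin/sh
# Added example, not the post's rules. Assumes the public interface is eth0
# and the pool matches rightsourceip in ipsec.conf. DRY_RUN=1 prints the rules
# instead of applying them.
set -eu

IFACE="${IFACE:-eth0}"
POOL="${POOL:-10.10.10.0/24}"
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

configure_firewall() {
    # 0. Open the policies before flushing so a re-run never drops the
    #    administrator's own SSH session while the chains are empty.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT

    # 1. Start from a clean slate in every table.
    for t in filter nat mangle; do ipt -t "$t" -F; ipt -t "$t" -X; done

    # 2. Loopback and replies to connections the server itself initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Only the services this host offers: SSH, HTTP/HTTPS for Certbot's
    #    standalone authenticator, IKE (500) and NAT-T (4500).
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -p udp --dport 4500 -j ACCEPT

    # 4. Forward only traffic that arrived through or leaves through an IPsec
    #    SA, so a plaintext packet spoofing a pool address is not forwarded.
    ipt -A FORWARD -m policy --pol ipsec --dir in --proto esp -s "$POOL" -j ACCEPT
    ipt -A FORWARD -m policy --pol ipsec --dir out --proto esp -d "$POOL" -j ACCEPT

    # 5. Masquerade client traffic behind the server's public address, except
    #    packets that go back out inside the tunnel.
    ipt -t nat -A POSTROUTING -s "$POOL" -o "$IFACE" -m policy --pol ipsec --dir out -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$POOL" -o "$IFACE" -j MASQUERADE

    # 6. Clamp TCP MSS so a segment plus ESP/UDP overhead fits a 1500-byte path;
    #    avoids stalls with clients whose Path MTU discovery is blocked.
    ipt -t mangle -A FORWARD -m policy --pol ipsec --dir in -s "$POOL" -o "$IFACE" \
        -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
        -j TCPMSS --set-mss 1360

    # 7. Everything not accepted above is dropped; outbound stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Persist across reboots with the iptables-persistent package.
persist_rules() {
    DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
    netfilter-persistent save
}

if [ "${1:-}" = "run" ]; then
    configure_firewall
    persist_rules
fi
```

Preview with `DRY_RUN=1 sh firewall.sh run`, then apply with `sh firewall.sh run`. Setting the DROP policies last, after the SSH accept rule exists, is what keeps a remote session alive through the change.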

Configuring IPv4 forwarding

Add or change the following parameters in /etc/sysctl.conf to enable IPv4 forwarding, disable sending and receiving ICMP redirects, and disable Path MTU discovery, to prevent man-in-the-middle attacks:

Finally reboot the system:
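The sysctl parameters named above are shown here as an added example that is not the post's own file. The helper sets each `key = value` idempotently: a line that already exists (including the commented-out `#net.ipv4.ip_forward=1` that Ubuntu ships) is rewritten in place rather than duplicated, so the script can be run again after a package upgrade. `SYSCTL_CONF` is a hypothetical override so the editing can be exercised on a scratch copy; on the server it defaults to /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not the post's sysctl.conf. SYSCTL_CONF is a hypothetical
# override so the edit can be tested on a scratch file.
set -eu

SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Set "key = value" in a sysctl.conf-style file: replace an existing assignment
# (commented or not) in place, otherwise append. Running it twice leaves one line.
set_sysctl() {
    key="$1"; value="$2"
    if grep -Eq "^[# ]*$key[[:space:]]*=" "$SYSCTL_CONF"; then
        sed -i -E "s|^[# ]*$key[[:space:]]*=.*|$key = $value|" "$SYSCTL_CONF"
    else
        printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
    fi
}

configure_forwarding() {
    set_sysctl net.ipv4.ip_forward 1                 # route between clients and the Internet
    set_sysctl net.ipv4.conf.all.accept_redirects 0  # ignore ICMP redirects
    set_sysctl net.ipv4.conf.all.send_redirects 0    # never send them
    set_sysctl net.ipv4.ip_no_pmtu_disc 1            # disable Path MTU discovery
}

# sysctl -p applies the file immediately; the reboot in the post works as well.
if [ "${1:-}" = "run" ]; then
    configure_forwarding
    sysctl -p "$SYSCTL_CONF"
fi
```

Usage: `sh sysctl-vpn.sh run`. Because Path MTU discovery is disabled here, the MSS clamping rule from the iptables section is what keeps large TCP transfers through the tunnel from stalling.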

Configuring VPN client connection

macOS 10.12 and iOS 11

Setting up the connection in macOS and iOS is simple using my Python script generate-mobileconfig.zip. To generate an Apple configuration profile, execute the script with the following arguments:

The resulting file will appear in the same directory. Just import it on macOS or iOS and the VPN connection will be established automatically. You can disable the on-demand connection and trigger it manually.

Windows 8.1

Setting up the connection in Windows 8.1 is pretty straightforward. Just create a new VPN connection, then enter your hostname, user name and password.

Android

Download the strongSwan VPN Client from Google Play.
