Self-host your very own strongSwan IKEv2/IPsec state-of-the-art VPN server for iOS and macOS

Sun Knudsen
Mar 24, 2019 · 15 min read

If you configured strongSwan using a tutorial, chances are you are using weak cryptography. I was. Here’s how you can check before upgrading your setup.

Know your way around VPNs, skip to the how-to.

Prologue

If you are conscious about internet privacy, chances are you are concerned about how public Wi-Fi networks are vulnerable to spoofing and man-in-the-middle attacks. How your internet service provider (or ISP) is probably logging your every move online. How some DNS providers are logging which apps you use and your browsing habits. Put simply, how many companies are working very hard at (and succeeding to) track you online.

Many recommend using Tor or a virtual private network (or VPN) to reduce how much of what you do online is shared with these companies and, guess what, they are absolutely right. That being said, using a VPN by itself is not a silver bullet and this story explains (in perhaps too much detail) why.

DISCLAIMER #1: if you use a VPN to be anonymous. You aren’t! VPNs are not anonymity tools. Tor is a much better alternative but, even using Tor, your identity may be leaked.

DISCLAIMER #2: if you use a VPN to pirate apps, movies or music that you can afford and care about privacy, don’t. The internet is messed up in part because of how companies are forced to monetize through advertising and data mining which is why we are so heavily tracked in the first place. Nation-state policies is another reason, but that’s for another story.

In this story, I will bring you along in my quest to privacy and explain why I recommend always using a VPN (even at home). Why using a VPN by itself doesn’t solve all privacy problems. Why using third-party VPN providers might not be our best shot at privacy. Finally, I will explain why I recommend strongSwan and how you can self-host your very own VPN server using state-of-the-art cryptography: 256 bit AES-GCM with a 128 bit ICV, SHA2_384 PRF and Diffie Hellman with a 3072 bit modulus.

Always use a VPN (even at home)

Take my word for it, connecting to free Wi-Fi is tempting. That being said, connecting to free Wi-Fi (even when secured by WPA2) compromises your privacy and security. I will put together a video shortly to illustrate why but, for the time being, close your eyes (metaphorically) and picture all these bytes of data flowing between the access point (or Wi-Fi router) and your computer. Each and every one of them is easy to intercept using Wireshark. In a perfect world, all the bytes sent and received by your computer would be encrypted using TLS, but they aren’t. Then again, even if they were, what if someone could stand in the middle and hack these bytes. This is called a man-in-the-middle attack. Beware of “Your connection is not secure” errors. If you get one, close the window immediately! You might be victim of one.

Now, at home, you can trust the network right? Wrong. Your ISP is probably logging your every move online. Short story, I recommend always using a VPN, even at home.

A VPN by itself doesn’t solve all privacy problems

Say you are an avid VPN user. You are probably guessing that your privacy is covered. Unfortunately it isn’t and here’s why. VPNs are only effective when they are well configured and connected. In order to connect, your computer needs access to the internet. See how conflicting this is? How can you be protected online using a VPN when to be protected online by a VPN you need to be online in the first place. WOW. Well, on iOS you simply can’t and that’s why the tracking device that is your smart phone (at so many levels, story to come) can never be considered “safe” from a privacy perspective. Now on macOS, thankfully, there is a lot we can do and this is the subject of another story. Put simply, as soon as your Mac (or iPhone) connects to the internet (before the device has time to connect to a VPN), it immediately sends a ton of data to the internet potentially leaking your identity and, at times, making you vulnerable to attacks.

Avoid third-party VPN providers

Although some third-party VPN providers are presumably well-intentioned, not all have your privacy at heart. Many are focused on turning a quick profit. They advertise great crypto but do not enforce it letting weak clients connect (convenience over privacy). Here’s one of my stories that challenges “trust”.

strongSwan

When I first considered self-hosting my own VPN server, I had a few requirements in mind. I was looking for an open source solution, I didn’t want to install third-party iOS or macOS clients and I wanted strong crypto. I initially followed this tutorial and, before I knew it, I was self-hosting my very own VPN server! Blessed, I went on with my life until I discovered I was using weak broken crypto (3DES, SHA-1 and MODP1024). God Damn It!

The problem, as I later found out, wasn’t with strongSwan. I had followed a poorly written tutorial (which has been updated since, but still isn’t that good). See, if you care about privacy and security, you have to RTFM and that’s what I have been doing for the past week. Yes, a full week. I spent over 60 hours doing research. My girlfriend is quite mad at strongSwan right now and can’t blame her. The good news is that I am going to break it down for you so you can spend time with your loved ones, not reading the ******* manual.

Credits: I would like to thank Tobias (one of strongSwan’s core team members) who was instrumental in writing the following how-to. His patience (I was quite a newbie at this), generosity and dedication towards the strongSwan community is remarkable.

This is a good time to take a break and make yourself a double-shot espresso.

How to self-host your very own strongSwan IKEv2/IPsec state-of-the-art VPN server

This how-to is designed for people who know their way around Linux and command line. If you don’t, there are tons of tutorials on YouTube that can help you get up to speed.

The following steps refer to DigitalOcean as our virtual private server (or VPS) provider. Feel free to choose another provider as long as the Debian Stretch operating system (or OS) is supported.

For ultimate privacy, consider choosing a provider that is headquartered in a country that doesn’t participate in the Fourteen Eyes surveillance program.

At the time of this writing, Switzerland is a good option.

If you choose DigitalOcean, please use my referral link.

Step 1: Sign up at https://www.digitalocean.com/

Step 2: Choose a hostname for your server

For the following steps, I will be using server as the hostname but it can be what ever you like.

Step 3: Create a SSH key pair for server

When asked for a file in which to save the key, type server and press the Enter key.

When asked for a passphrase, enter a passphrase you will remember (there is no way to recover it otherwise).

Step 4: Add SSH key to your DigitalOcean account

This is done here. Click “Add SSH Key”. Then, paste the output of cat server.pub in the “SSH key content” input. Name is server.

Step 5: Create a Debian Droplet (choose the datacenter region closest to you).

Step 6: Log in using SSH

Replace 159.203.26.109 with the IP of your Droplet.

Step 7: Create admin user

When asked for a password, paste the output of openssl rand -base64 24. For all other fields, press the Enter key. Then, enter y.

Step 8: Copy root’s authorized_keys file over to vpn-server-admin.

Step 9: Grand sudo privileges to vpn-server-admin

Security tip #1: It is bad practice to allow root to log in via SSH or allow password log-ins as they are vulnerable to brute-force attacks.

Some of the following commands are going to use Vim as text editor. Let’s adjust some Vim settings first by creating a .vimrc config file (not a big fan of visual mode among other things).

Create a new file using the command vi ~/.vimrc, paste the following code block into the window, save and exit.

Vim is a strange app. Once you enter Vim, you first have to press i to enter insert more. Then, you can paste the following code block. Then press Esc to exit insert mode. Then press Shift+z+z to save and exit.

Using command export EDITOR=vim; visudo, add the line vpn-server-admin ALL=(ALL) NOPASSWD:ALL under the line root ALL=(ALL:ALL) ALL and save file.

Step 10: Log out

Step 11: Log in as vpn-server-admin (don’t forget to replace 159.203.26.109 with the IP of your Droplet)

Step 12: Create a .vimrc file for vpn-server-admin (using the same code block found in step 9)

Step 13: Update SSH config to prevent root log-ins and restart SSH daemon

Replace line PermitRootLogin yes with PermitRootLogin no and make sure PasswordAuthentication is set to no.

Step 14: Set timezone (the following command is for Montreal time)

Step 15: Configure and enable iptables and make rules persistent

Security tip #2: By default, iptables (which is a firewall btw) allows all traffic in and out from the server which makes the server vulnerable to attacks. You can check if iptables is enforcing rules by using command sudo iptables -L.

The output bellow shows no rules are enforced.

Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

First, let’s install iptables-persistent. When asked if you wish to save current IPv4 or IPv6 rules, answer Yes.

Then, run the following commands to only allow SSH, DNS and HTTP(S) traffic. DNS and HTTP(S) is required by apt-get, which will later be use to download and install packages.

Make sure the rules are enforced by using the command sudo iptables -L.

The output bellow shows that the above rules are now enforced.

I recommend logging out using command exit and logging-in again to make sure the above rules didn’t lock you out. If somehow you got locked out, use the DigitalOcean dashboard to power cycle your Droplet and start over.

Finally, make rules persistent using the following command.

By default, DigitalOcean does not enable IPv6, but, to be extra safe, we will drop all IPv6 packets using the following commands.

Step 16: Switch DNS nameservers over to privacy first 1.1.1.1

Replace the content of /etc/resolv.conf with the following code block using command sudo vi /etc/resolv.conf.

You now have a secure server. Good job!

Step 17: Install strongSwan

If you are shown a “old runlevel management superseded” warning, answer Ok.

Step 18: Configure strongSwan

Backup /etc/ipsec.conf using command sudo cp /etc/ipsec.conf /etc/ipsec.conf.backup.

Replace the content of /etc/ipsec.conf with the following code block using command sudo vi /etc/ipsec.conf. vpn-server.crt will be created in a few moments.

If you wish to better understand these settings, have a look here. Highlights are uniqueids=never which allows multiple connections using the same credentials (say your iPhone and Mac), keyexchange=ikev2 which enables IKEv2 (vs v1), ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! which only allows state-of-the-art crypto and rightauth=eap-tls which enables EAP-TLS (or certificate-based) authentication (significantly harder to brute-force).

conn ikev2
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-sha384-modp3072!
esp=aes256gcm16-sha384-modp3072!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=my-vpn.com
leftcert=vpn-server.crt
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-tls
rightdns=1.1.1.1,1.0.0.1
rightsourceip=10.0.2.0/24
rightsendcert=never
eap_identity=%identity

Backup /etc/ipsec.secrets using command sudo cp /etc/ipsec.secrets /etc/ipsec.secrets.backup.

Replace the content of /etc/ipsec.secrets with the following code block using command sudo vi /etc/ipsec.secrets.

Backup /etc/strongswan.conf using command sudo cp /etc/strongswan.conf /etc/strongswan.conf.backup.

Replace the content of /etc/strongswan.conf with the following code block using command sudo vi /etc/strongswan.conf.

Step 19: Create certificate authority (or CA), server and client private keys and certificates (this is done on your Mac vs the server)

Security tip #3: It is recommended to create the certificate authority private key on a computer that isn’t connected to the internet. Anyone with access to ca.key can sign certificates that grant access to your VPN server.

The following commands will create a certificate-authority folder on your desktop, create a CA private key (ca.key) and use it to create a CA root certificate (ca.crt) used to sign server and client certificates. Then, vpn-server and vpn-client private keys and certificates will be created. Some of these commands are interactive so they should be used one at a time (copy/pasting them all at once will not work). When asked for an export password, paste the output of openssl rand -base64 24, then store that password in your password manager (we will need it later).

The common name (or CN) of the CA root certificate (ca.crt) and the server certificate (vpn-server.crt) should be fully qualified domain names (or FQDNs) and the common name of the client certificate (vpn-client.crt), an email registered under the servers’ FQDN.

Want to learn more about public-key cryptography, watch this video.

Here’s the content of openssl.cnf(you will need this in a moment).

Documentation for the ca, server and client blocks is found here.

Now, the commands:

Step 20: Copy/paste the content of ca.crt, vpn-server.key and vpn-server.crt to server and make private keys root-only.

On your Mac: cat ca.crt

On the server: sudo vi /etc/ipsec.d/cacerts/ca.crt

On your Mac: cat vpn-server.key

On the server: sudo vi /etc/ipsec.d/private/vpn-server.key

On your Mac: cat vpn-server.crt

On the server: sudo vi /etc/ipsec.d/certs/vpn-server.crt

Step 21: Start strongSwan

Step 22: Forward client traffic (required to send iOS and macOS traffic through the VPN) and disable IPv6.

Uncomment line net.ipv4.ip_forward=1 using command sudo vi /etc/sysctl.conf.

Append lines from the following code block to /etc/sysctl.conf using command sudo vi /etc/sysctl.conf.

Reload config using command sudo sysctl -p.

Step 23: Update iptables rules to allow VPN traffic and reboot server

Step 24: Create VPN profile for macOS and iOS

For this step, we will be using Apple Configurator 2, a free app designed by Apple to manage macOS and iOS profiles. This is where part of the magic of this how-to resides (took me for ever to figure this out). macOS and iOS does not offer state-of-the-art crypto by default when setting up VPNs using the user interface. In order to pull that off, we need profiles.

Open Apple Configurator 2, then click File, then New Profile.

In General, fill out Name and Identifier.

In Certificates, click Configure and select ca.crt. Then click + and select vpn-client.p12. The password is the one from step 18.

In VPN, click Configure and enter the settings from the following screenshot. The Child SA Params are the same as IKE SA Params. There is currently a bug in the app that prevents us from selecting the Integrity Algorithm SHA2–384 when the Encryption Algorithm is set to AES-256-GSM. To circumvent this bug, select the Integrity Algorithm first, then the Encryption Algorithm.

Finally, click File, then Save, and save file as My VPN.mobileconfig.

Step 25: Add VPN profile to macOS

This step is super simple, simply double-click My VPN.mobileconfig and follow instructions.

Step 26: Add VPN profile to iOS

This step uses Apple Configurator 2 to add the VPN profile to your iPhone (much safer than sending it to yourself via email or hosting it).

Unlock your iPhone and connect it to your Mac (using a lightning to USB cable) and open Apple Configurator 2.

In All Devices, double-click on your iPhone, then Add, and finally Profiles.

Select My VPN.mobileconfig and follow instructions on your iPhone.

Step 27: Connect to your very own strongSwan IKEv2/IPsec state-of-the-art VPN server for iOS and macOS and enjoy more privacy!

If you run into issues, please submit your questions on Server Fault using hashtag strongswan.

That’s it for today. If you enjoyed this story, please clap and share and don’t forget to follow me to know when others are published. Also, check out my YouTube channel.

Sun Knudsen

Written by

Privacy and security researcher, founder of Lickstats https://sunknudsen.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade