How to Setup IKEv2 VPN Server with Radius Authentication and Let’s Encrypt on Ubuntu 18.04
Introduction
Five years ago, VPNs were reserved for the power users and I.T. departments of large companies.
Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming services like Netflix are geo-restricting content.
Having the ability to set up your own virtual private network server is a skill that can save you a lot of headaches and also some dollars.
IKEv2 is one of the latest tunneling protocols. It has strong encryption and a unique feature called VPN On Demand, which lets devices stay connected to the VPN even when they change networks.
VPN On Demand is ideal for mobile devices, allowing them to keep the VPN connection alive when switching between Wi-Fi networks or between Wi-Fi and mobile data.
Because we’re using Let’s Encrypt, the client does not need to download and install a certificate on their machine: the server certificate chains to a CA the device already trusts. This makes IKEv2 ready to be used without installing anything on the client.
Programs & Tech Required
To set up the VPN server, we’re going to need StrongSwan, Let’s Encrypt and a FreeRADIUS server for authentication.
The RADIUS authentication isn’t necessary and can be replaced by users stored in ipsec.secrets (see Step 4b). Setting up the RADIUS server is out of the scope of this guide. To learn about FreeRADIUS you can check our FreeRADIUS Tutorial and our daloRADIUS GUI Panel Tutorial.
Before we get started, make sure that your machine’s hostname resolves to the machine’s IP address. You can do that with Cloudflare DNS, for example.
Step 0 — Update the machine
If the Ubuntu machine is a new one, make sure to update the package lists first:
apt-get update
Step 1 — Install StrongSwan
apt-get install -y language-pack-en strongswan libstrongswan-standard-plugins strongswan-libcharon libcharon-standard-plugins libcharon-extra-plugins moreutils iptables-persistent
Step 2 — Generate the Certificate
We’re going to need Let’s Encrypt to generate the certificate used by the IKEV2 connection.
First, let’s install certbot.
apt-get install certbot
Set the key size and the renewal hook. The renewal hook fires when we renew the certificate and makes strongSwan reload the new certificate and key. Let’s Encrypt certificates have a 90-day validity. The pre- and post-hooks open TCP port 80 only for the duration of the HTTP challenge.
mkdir -p /etc/letsencrypt
echo 'rsa-key-size = 4096
pre-hook = /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
post-hook = /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini
Generate the certificate and get it ready for StrongSwan. Note: the hostname must already resolve to this machine, otherwise the Let’s Encrypt HTTP challenge fails.
certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email your@email.com -d your.domain.com
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/cert.pem /etc/ipsec.d/certs/cert.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/chain.pem /etc/ipsec.d/cacerts/chain.pem
echo "/etc/letsencrypt/archive/YOUR.DOMAIN.COM/* r, " >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload
Step 3 — Setup Iptables
We’re going to use iptables-persistent to save the routing rules.
apt-get install iptables-persistent -y
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
# IKE and NAT-T
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -P FORWARD ACCEPT
# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# exempt IPsec traffic from masquerading (must come before the MASQUERADE rule)
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
# masquerade VPN traffic over eth0 etc.
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
Save the rules
iptables-save > /etc/iptables/rules.v4
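As an added check (my own script, not part of the original guide), the following reads an iptables-save dump such as the rules.v4 file just written and verifies what the VPN relies on: UDP 500 and 4500 are accepted, and in the nat table the IPsec policy exemption is listed before MASQUERADE, since POSTROUTING rules are matched in order. It assumes the guide’s interface name eth0 and client subnet 10.10.10.0/24; the sample dumps are constructed.

```shell
#!/bin/sh
# Added check for the rules saved above (not from the original guide): reads an
# iptables-save dump such as /etc/iptables/rules.v4 and verifies what the VPN relies on.

# check_ipsec_rules FILE: returns 0 when the expected rules are present and in order.
check_ipsec_rules() {
    rc=0
    for port in 500 4500; do   # IKE and NAT-T
        if ! awk -v p="$port" '/^-A INPUT / && /-p udp/ && $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ { f = 1 }
                               END { exit f ? 0 : 1 }' "$1"; then
            echo "missing INPUT accept for udp/$port"; rc=1
        fi
    done
    # POSTROUTING is evaluated top to bottom: the IPsec policy exemption must precede
    # MASQUERADE, otherwise traffic bound for another tunnel is NATed before it is encrypted.
    exempt=$(awk '/^-A POSTROUTING / && /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ { print NR; exit }' "$1")
    masq=$(awk '/^-A POSTROUTING / && /-j MASQUERADE/ { print NR; exit }' "$1")
    if [ -z "$exempt" ] || [ -z "$masq" ]; then
        echo "nat POSTROUTING: IPsec exemption or MASQUERADE rule missing"; rc=1
    elif [ "$exempt" -gt "$masq" ]; then
        echo "nat POSTROUTING: MASQUERADE (line $masq) precedes the IPsec exemption (line $exempt)"; rc=1
    fi
    return $rc
}

# Constructed dump in iptables-save syntax, matching the guide's rules (eth0, 10.10.10.0/24).
sample_good_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
EOF
}

# Same dump with the two POSTROUTING rules swapped: the ordering mistake the check must catch.
sample_bad_rules() {
    sample_good_rules | awk '/--pol ipsec/ { held = $0; next } /-j MASQUERADE/ { print; print held; next } { print }'
}
```

Run it as `check_ipsec_rules /etc/iptables/rules.v4`. Because the guide leaves the INPUT policy at ACCEPT, the two UDP rules do not restrict anything by themselves; the check still confirms they are present so that tightening the policy later does not cut off IKE.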
Step 4a — IKEV2 with Radius Auth
Enable forwarding
echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf
sysctl -p
echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"" > /etc/ipsec.secrets
echo "config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
    esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@YOUR.DOMAIN.COM
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # this uses radius authentication
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
" > /etc/ipsec.conf
Set the radius server in strongswan.conf
vim /etc/strongswan.conf
Paste this and replace with your radius credentials:
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = YOUR_RADIUS_SERVER_IP
                    secret = RADIUS_SECRET!
                    auth_port = 1812 # default
                    acct_port = 1813 # default
                }
            }
        }
    }
}
include strongswan.d/*.conf
Step 4b — IKEV2 with file stored users
Enable forwarding
echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf
sysctl -p
Add the user and password in the ipsec.secrets file. This step is not necessary when using Radius.
echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"
VPNUSERNAME : EAP \"VPNPASSWORD\"
" > /etc/ipsec.secrets
echo "config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
    esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@YOUR.DOMAIN.COM
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # users are stored in /etc/ipsec.secrets
    rightauth=eap-mschapv2
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
" > /etc/ipsec.conf
For file stored users, there’s no need to edit the strongswan.conf file. The original works just fine. I’ve added it below as an example.
vim /etc/strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
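As an added check covering the /etc/ipsec.conf written in both Step 4a and Step 4b (my own script, not from the guide), the following lints the file before strongSwan is started: it catches the flattened-file error reported in the comments, confirms the road-warrior settings, and warns about the 1024-bit DH group in the first ike proposal. It assumes the file layout shown above; the sample configuration is constructed from the guide’s values.

```shell
#!/bin/sh
# Added checker for the /etc/ipsec.conf from steps 4a and 4b (not from the original guide).
# strongSwan's ipsec.conf parser expects section headers ("config setup", "conn NAME") at
# column 0 and every parameter indented; a file that lost its line breaks fails with
# "syntax error, unexpected STRING [strictcrlpolicy]". This catches that before ipsec starts.

# lint_ipsec_conf FILE: returns 0 when FILE is structurally sound and sets the options the
# road-warrior connection relies on, 1 otherwise. Findings and warnings are printed per line.
lint_ipsec_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                                   # comment or blank line
        /^(config|conn|ca)[ \t]+[^ \t]+[ \t]*$/ { section = $2; next }
        /^[^ \t]/ { printf "line %d: unindented text outside a section header\n", NR; bad = 1; next }
        section == "" { printf "line %d: parameter before any section\n", NR; bad = 1; next }
        !/^[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { printf "line %d: expected key=value\n", NR; bad = 1; next }
        {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "keyexchange") ke = val
            if (key == "rightauth") ra = val
            # 1024-bit DH is weak by current standards: warn, but leave the decision to the admin.
            if (key == "ike" && val ~ /modp1024/) printf "line %d: ike proposal includes modp1024 (1024-bit DH); prefer ecp384 or modp2048+\n", NR
        }
        END {
            if (ke != "ikev2") { print "keyexchange=ikev2 not set"; bad = 1 }
            if (ra != "eap-radius" && ra != "eap-mschapv2") { print "rightauth must be eap-radius or eap-mschapv2"; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed minimal configuration in the shape the guide writes (step 4b variant).
sample_conf() {
    cat <<'EOF'
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    keyexchange=ikev2
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
    left=%any
    leftid=@YOUR.DOMAIN.COM
    leftcert=cert.pem
    # users are stored in /etc/ipsec.secrets
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=10.10.10.0/24
EOF
}
```

Run it as `lint_ipsec_conf /etc/ipsec.conf`; the modp1024 line is a warning only, because the guide keeps that proposal in its ike= list for client compatibility.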
Step 5 — Start The VPN Server
The IKEv2 server is ready to be used. Start (or restart) ipsec:
ipsec restart
Step 6 — Connect to VPN server
The server is ready to accept connections. Creating a VPN connection on the client is pretty easy and there are tons of guides on the web to help you go from here.
Conclusion
Setting up a VPN server is pretty easy when you know what you’re doing.
A $9.99 virtual private server lets you be in control of your own VPN server. Order now and take control of your privacy.
Thanks for the detailed instructions. As a newbie, when I execute the following command, it shows a syntax error: see picture
Hello.
The error is caused by the HTML encoding. Replace &amp;&amp; with &&.
Hello, thank you for your instructions. I get the following error while starting ipsec:
root@vp:~# ipsec restart
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.6.2 IPsec [starter]...
/etc/ipsec.conf:2: syntax error, unexpected STRING [strictcrlpolicy]
invalid config file '/etc/ipsec.conf'
unable to start strongSwan -- fatal errors in config
I double-checked the ipsec.conf; "strictcrlpolicy" is "yes" as you mentioned.