Five years ago, VPNs were reserved for the power users and I.T. departments of large companies.

Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming services like Netflix are geo-restricting content.

Having the ability to set up your own virtual private network server is a skill that can save you a lot of headaches and also some dollars.

IKEV2 is one of the latest and high tech tunneling protocols. It has strong encryption and an unique feature called VPN-ON-Demand. It allows for devices to remain connected to the VPN even when changing networks.

VPN-On-Demand is ideal for mobile devices, allowing them to keep the vpn connection alive when switching between wifi networks or wifi and mobile data.

Because we’re using Let’s Encrypt, there’s no need for the client to download and install the certificate on his machine.  This makes IKEV2 ready to be used without having to download anything on the machine.

Programs & Tech Required

To setup the vpn server, we’re going to need StrongSwan, Let’s Encrypt and a FreeRadius Server for authentication.

The radius authentication isn’t necessary and can be replaced by a secret. Setting up the radius server is out of the scope of this guide. To learn about FreeRADIUS you can check our FreeRADIUS Tutorial and our dalorRADIUS GUI Panel Tutorial.

Pre-Installed FreeRADIUS Servers

Automatic FreeRADIUS 3 + daloRADIUS Set Up

Instantly deploy machines with FreeRADIUS + MySQL + daloRADIUS GUI Panel already set up, receive the credentials and take over from there! You also get our custom WHMCS Module to help you manage it from our dashboard.

Pick one of our FreeRADIUS KVM plans

P.S. We're available for hire, if you need help. Click here to contact us.

Before we get started, make sure that your machine’s hostname resolves to the machine’s ip. You can do that by using cloudflare dns.

Step 0 — Update the machine

If the Ubuntu machine is a new one, make sure to update it

Step 1 — Install StrongSwan

Step 2 — Generate the Certificate

We’re going to need Let’s Encrypt to generate the certificate used by the IKEV2 connection.

First, let’s install cerbot.

Set the key size and the renewal hook. The renewal hook will fire when we renew the certificate after it expires. The Let’s Encrypt Certs have a 90 days validity.

Generate the certificate and get it ready for strongswan. Note: hostname must resolve to this machine already, to enable Let’s Encrypt certificate setup.

Step 3 — Setup Iptables

We’re going to use iptables-persistent to save the routing rules.

Save the rules

Step 4a — IKEV2 with Radius Auth

Enable forwarding

Set the radius server in strongswan.conf

Paste this and replace with your radius credentials:

Step 4b — IKEV2 with file stored users

Enable forwarding

Add the user and password in the ipsec.secrets file. This step is not necessary when using Radius.

For file stored users, there’s no need to edit the strongswan.conf file. The original works just fine. I’ve added it below as an example.

Step 5 — Start The VPN Server

The IKEV2 server is ready to be used. Start ipsec

ipsec restart
Stopping strongSwan IPsec…
Starting strongSwan 5.6.2 IPsec [starter]…

Step 6 — Connect to VPN server

The server is ready to accept connections. Creating a vpn connetion is pretty easy and there are tons of guides on the web.

VPNBaron has a step by step tutorial on connecting a from Windows computer.

Just replace the their domain with the hostname of your server. You can check out how to connect to IKEv2 from Windows here.


Setting up a vpn server is pretty easy when you know what you’re doing.

A $6.99 virtual private server let’s you be in control of your own VPN server. Order now and take control of your privacy.

Leave a Comment


Enter your email below to get 20% OFF on any of our Linux VPS plans and receive weekly deals on our services!