Five years ago, VPNs were reserved for the power users and I.T. departments of large companies.<\/p>\n
Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming services like Netflix are geo-restricting content.<\/p>\n
Having the ability to set up your own virtual private network server is a skill that can save you a lot of headaches and also some dollars.<\/p>\n
IKEV2 is one of the latest and high tech tunneling protocols. It has strong encryption and an unique feature called VPN-ON-Demand. It allows for devices to remain connected to the VPN even when changing networks.<\/p>\n
VPN-On-Demand is ideal for mobile devices, allowing them to keep the vpn connection alive when switching between wifi networks or wifi and mobile data.<\/p>\n
Because we’re using Let’s Encrypt, there’s no need for the client to download and install the certificate on his machine.\u00a0 This makes IKEV2 ready to be used without having to download anything on the machine.<\/p>\n\n
To setup the vpn server, we’re going to need StrongSwan<\/strong>, Let’s Encrypt<\/strong> and a FreeRadius\u00a0Server<\/strong> for authentication.<\/p>\n The radius authentication isn’t necessary and can be replaced by a secret. Setting up the radius server is out of the scope of this guide. To learn about FreeRADIUS you can check our FreeRADIUS Tutorial<\/a> and our dalorRADIUS GUI Panel Tutorial<\/a>.<\/p>\n Pre-Installed FreeRADIUS Servers<\/p>\r\n Automatic FreeRADIUS 3 + daloRADIUS Set Up<\/span><\/p>\r\n\r\n<\/div>\r\n Instantly deploy machines with FreeRADIUS + MySQL + daloRADIUS GUI Panel already set up, receive the credentials and take over from there! You also get our custom WHMCS Module to help you manage it from our dashboard.<\/p>\r\n\r\n<\/div>\r\n Pick one of our FreeRADIUS KVM plans<\/p>\r\n\r\n<\/div>\r\n P.S. We're available for hire, if you need help. Click here to contact us<\/a>.<\/p>\r\n<\/div>\n Before we get started, make sure that your machine’s hostname resolves to the machine’s ip. You can do that by using cloudflare dns.<\/p>\n If the Ubuntu machine is a new one, make sure to update it<\/p>\n We’re going to need Let’s Encrypt to generate the certificate used by the IKEV2 connection.<\/p>\n First, let’s install cerbot.<\/p>\n Set the key size and the renewal hook. The renewal hook will fire when we renew the certificate after it expires. The Let’s Encrypt Certs have a 90 days validity.<\/p>\n Generate the certificate and get it ready for strongswan.\u00a0Note: hostname must resolve to this machine already, to enable Let’s Encrypt certificate setup.<\/p>\n We’re going to use iptables-persistent to save the routing rules.<\/p>\n Save the rules<\/p>\n Enable forwarding<\/p>\n Set the radius server in strongswan.conf<\/p>\n Paste this and replace with your radius credentials:<\/p>\n Enable forwarding<\/p>\n Add the user and password in the ipsec.secrets file. This step is not necessary when using Radius.<\/p>\n For file stored users, there’s no need to edit the strongswan.conf file. The original works just fine. I’ve added it below as an example.<\/p>\n The IKEV2 server is ready to be used. Start ipsec<\/p>\n The server is ready to accept connections. Creating a vpn connection is pretty easy and there are tons of guides on the web to help you go from here.<\/p>\n Setting up a vpn server is pretty easy when you know what you’re doing.<\/p>\n A $9.99 virtual private server<\/a> let’s you be in control of your own VPN server. Order now and take control of your privacy.<\/p>\n","protected":false},"excerpt":{"rendered":" Introduction Five years ago, VPNs were reserved for the power users and I.T. departments of large companies. Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming […]<\/p>\n","protected":false},"author":2,"featured_media":848,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[87,18],"tags":[53,55],"class_list":["post-827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-radius","category-vpn-proxies","tag-freeradius","tag-radius"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"featured_image_urls_v2":{"full":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan.png",1024,512,false],"thumbnail":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan-150x150.png",150,150,true],"medium":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan-300x150.png",300,150,true],"medium_large":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan-768x384.png",768,384,true],"large":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan.png",1024,512,false],"1536x1536":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan.png",1024,512,false],"2048x2048":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan.png",1024,512,false],"pk-small":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan-80x80.png",80,80,true],"pk-thumbnail":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2018\/11\/IKEv2-Ubuntu-strongSwan-300x225.png",300,225,true]},"post_excerpt_stackable_v2":" Introduction Five years ago, VPNs were reserved for the power users and I.T. departments of large companies. Today, VPN services are growing in popularity by each passing day. The need for privacy and internet freedom has never been greater at a time when DMCA notices are flying left and right, ISPs throttle connections and streaming services like Netflix are geo-restricting content. Having the ability to set up your own virtual private network server is a skill that can save you a lot of headaches and also some dollars. IKEV2 is one of the latest and high tech tunneling protocols. It…<\/p>\n","category_list_v2":"Radius<\/a>, VPN \/ Proxies<\/a>","author_info_v2":{"name":"Renfield","url":"https:\/\/draculaservers.com\/tutorials\/author\/george\/"},"comments_num_v2":"3 comments","yoast_head":"\n
\r\nStep 0 \u2014 Update the machine<\/h3>\n
$ apt-get\u00a0update<\/code><\/pre>\nStep 1 \u2014 Install StrongSwan<\/h3>\n
apt-get install -y language-pack-en strongswan libstrongswan-standard-plugins strongswan-libcharon libcharon-standard-plugins libcharon-extra-plugins moreutils iptables-persistent<\/pre>\n
Step 2 \u2014 Generate the Certificate<\/h3>\n
apt-get install certbot\r\n<\/pre>\n
mkdir -p \/etc\/letsencrypt\r\n\r\necho 'rsa-key-size = 4096\r\npre-hook = \/sbin\/iptables -I INPUT -p tcp --dport 80 -j ACCEPT\r\npost-hook = \/sbin\/iptables -D INPUT -p tcp --dport 80 -j ACCEPT\r\nrenew-hook = \/usr\/sbin\/ipsec reload && \/usr\/sbin\/ipsec secrets\r\n' > \/etc\/letsencrypt\/cli.ini<\/pre>\n
certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email your@email.com -d your.domain.com\r\n<\/pre>\n
ln -f -s \/etc\/letsencrypt\/live\/YOUR.DOMAIN.COM\/cert.pem \/etc\/ipsec.d\/certs\/cert.pem\r\nln -f -s \/etc\/letsencrypt\/live\/YOUR.DOMAIN.COM\/privkey.pem \/etc\/ipsec.d\/private\/privkey.pem\r\nln -f -s \/etc\/letsencrypt\/live\/YOUR.DOMAIN.COM\/chain.pem \/etc\/ipsec.d\/cacerts\/chain.pem<\/pre>\n
echo \"\/etc\/letsencrypt\/archive\/YOUR.DOMAIN.COM\/* r,\r\n\" >> \/etc\/apparmor.d\/local\/usr.lib.ipsec.charon<\/pre>\n
aa-status --enabled && invoke-rc.d apparmor reload<\/pre>\n
Step 3 \u2014 Setup Iptables<\/h3>\n
apt-get install iptables-persistent -y<\/pre>\n
iptables -P INPUT ACCEPT\r\niptables -P FORWARD ACCEPT\r\niptables -P OUTPUT ACCEPT\r\n\r\niptables -F\r\niptables -t nat -F\r\niptables -t mangle -F\r\n\r\n\r\niptables -A INPUT -p udp --dport 500 -j ACCEPT\r\niptables -A INPUT -p udp --dport 4500 -j ACCEPT\r\n\r\n# forward VPN traffic anywhere\r\niptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0\/24 -j ACCEPT\r\niptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0\/24 -j ACCEPT\r\n\r\niptables -P FORWARD ACCEPT\r\n\r\n# reduce MTU\/MSS values for dumb VPN clients\r\niptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0\/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360\r\n\r\n# masquerade VPN traffic over eth0 etc.\r\niptables -t nat -A POSTROUTING -s 10.10.10.0\/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT # exempt IPsec traffic from masquerading\r\niptables -t nat -A POSTROUTING -s 10.10.10.0\/24 -o eth0 -j MASQUERADE\r\n<\/pre>\n
iptables-save > \/etc\/iptables\/rules.v4<\/pre>\n
Step 4a \u2014 IKEV2 with Radius Auth<\/h3>\n
echo '\r\n# vpnforward\r\nnet.ipv4.ip_forward = 1\r\nnet.ipv4.ip_no_pmtu_disc = 1\r\nnet.ipv4.conf.all.rp_filter = 1\r\nnet.ipv4.conf.all.accept_redirects = 0\r\nnet.ipv4.conf.all.send_redirects = 0\r\nnet.ipv6.conf.all.disable_ipv6 = 1\r\n' >> \/etc\/sysctl.conf<\/pre>\n
sysctl -p<\/pre>\n
echo \"YOUR.DOIMAN.COM : RSA \\\"privkey.pem\\\"\r\n\" > \/etc\/ipsec.secrets<\/pre>\n
echo \"config setup\r\n strictcrlpolicy=yes\r\n uniqueids=never\r\nconn roadwarrior\r\n auto=add\r\n compress=no\r\n type=tunnel\r\n keyexchange=ikev2\r\n fragmentation=yes\r\n forceencaps=yes\r\n\r\n ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384\r\n esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384\r\n\r\n dpdaction=clear\r\n dpddelay=180s\r\n rekey=no\r\n left=%any\r\n leftid=@YOUR.DOMAIN.COM\r\n leftcert=cert.pem\r\n leftsendcert=always\r\n leftsubnet=0.0.0.0\/0\r\n right=%any\r\n rightid=%any\r\n rightauth=eap-radius # this uses radius authentication \r\n eap_identity=%any\r\n rightdns=8.8.8.8,8.8.4.4\r\n rightsourceip=10.10.10.0\/24\r\n rightsendcert=never\r\n\r\n\" > \/etc\/ipsec.conf<\/pre>\n
vim \/etc\/strongswan.conf<\/pre>\n
charon {\r\n load_modular = yes\r\n plugins {\r\n include strongswan.d\/charon\/*.conf\r\n eap-radius {\r\n accounting = yes\r\n servers {\r\n server-a {\r\n address = YOUR_RADIUS_SERVER_IP\r\n secret = RADIUS_SECRET!\r\n auth_port = 1812 # default\r\n acct_port = 1813 # default\r\n\r\n }\r\n }\r\n }\r\n }\r\n include strongswan.d\/*.conf\r\n }\r\n\r\n<\/pre>\nStep 4b \u2014 IKEV2 with file stored users<\/h3>\n
echo '\r\n# vpnforward\r\nnet.ipv4.ip_forward = 1\r\nnet.ipv4.ip_no_pmtu_disc = 1\r\nnet.ipv4.conf.all.rp_filter = 1\r\nnet.ipv4.conf.all.accept_redirects = 0\r\nnet.ipv4.conf.all.send_redirects = 0\r\nnet.ipv6.conf.all.disable_ipv6 = 1\r\n' >> \/etc\/sysctl.conf<\/pre>\n
sysctl -p<\/pre>\n
echo \"YOUR.DOMAIN.COM : RSA \\\"privkey.pem\\\"\r\nVPNUSERNAME : EAP \\\"\"VPNPASSWORD\"\\\"\r\n\" > \/etc\/ipsec.secrets\r\n\r\n<\/pre>\n
echo \"config setup\r\n strictcrlpolicy=yes\r\n uniqueids=never\r\nconn roadwarrior\r\n auto=add\r\n compress=no\r\n type=tunnel\r\n keyexchange=ikev2\r\n fragmentation=yes\r\n forceencaps=yes\r\n\r\n ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384\r\n esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384\r\n\r\n dpdaction=clear\r\n dpddelay=180s\r\n rekey=no\r\n left=%any\r\n leftid=@YOUR.DOMAIN.COM\r\n leftcert=cert.pem\r\n leftsendcert=always\r\n leftsubnet=0.0.0.0\/0\r\n right=%any\r\n rightid=%any\r\n rightauth=eap-mschapv2 # users are stored in \/etc\/ipsec.secrets\r\n eap_identity=%any\r\n rightdns=8.8.8.8,8.8.4.4\r\n rightsourceip=10.10.10.0\/24\r\n rightsendcert=never\r\n\r\n\" > \/etc\/ipsec.conf<\/pre>\n
vim \/etc\/strongswan.conf<\/pre>\n
charon {\r\n load_modular = yes\r\n plugins {\r\n include strongswan.d\/charon\/*.conf\r\n }\r\n include strongswan.d\/*.conf\r\n }\r\n\r\n<\/pre>\nStep 5 \u2014 Start The VPN Server<\/h3>\n
Step 6 \u2014 Connect to VPN server<\/h3>\n
Conclusion<\/h3>\n