Are you looking for a tutorial on how to install StrongSwan VPN server on Rocky Linux 9? Then this guide is for you.
StrongSwan is an open-source IPsec-based VPN solution launched in 2005. It implements the IKEv2 key exchange protocol and is well known for its modularity and portability. You can learn more about it in the official strongSwan documentation.
In this tutorial, we’ll show you the step-by-step process to install and set up the StrongSwan VPN server on your Rocky Linux machine. Let’s get started!
How to Install StrongSwan VPN Server on Rocky Linux 9
First things first, we have to go through each step and see how you can install and configure your StrongSwan VPN server.
Install StrongSwan VPN Server
We’ll kick things off by installing the StrongSwan VPN. But before doing that, you must enable the Extra Packages for Enterprise Linux (EPEL) repo. To do that, use this command:
$ sudo dnf install epel-release
Now that the EPEL repo is enabled, the StrongSwan package is available. Install it with this command (only the strongswan package is needed; libreswan is a separate IKE daemon that would compete with it for the IKE ports):
$ sudo dnf install strongswan
Check if the installation was successful with this command:
$ strongswan version
The output shows us the installed version, which means StrongSwan was installed successfully.
Enable Kernel IP Forwarding
By enabling IP forwarding, you allow your machine to receive packets and forward that traffic on to other hosts, so the machine acts similarly to a router.
To do this, we need to edit the /etc/sysctl.conf file. Open it in your preferred text editor. We will use nano for this:
$ sudo nano /etc/sysctl.conf
Then add the following lines to the file:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Save the file with “Ctrl + O” and exit using “Ctrl + X”. Now load the new sysctl settings from the file with this command:
$ sudo sysctl -p
Configure StrongSwan VPN Server
Now that the installation is done, let’s set up the server so that it is usable.
Generate Self-signed certificates
Let’s start by generating the required certificates. Make some directories to organize everything. We will create a PKI (Public Key Infrastructure) directory and make some subdirectories under it. Do these with this command:
$ mkdir -p ~/pki/{cacerts,certs,private}
Also, restrict the permissions on the new directory so that only your user can access it:
$ chmod 700 ~/pki
Next, install haveged (an entropy daemon that helps with key generation) and tpm2-abrmd (the TPM2 access broker and resource manager). Install them with this command:
$ sudo dnf install haveged tpm2-abrmd
After installing, start and enable the haveged service by running this command:
$ sudo systemctl enable --now haveged
When that is done, generate the private key for your certificate authority (CA) using this command:
$ strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
Next, create the self-signed root CA certificate from that key. Do that with this command:
$ strongswan pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
--type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
Then create a private key for your VPN server using this:
$ strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
After that, generate the server certificate and have the CA sign it with this command:
$ strongswan pki --pub --in ~/pki/private/server-key.pem --type rsa \
| strongswan pki --issue --lifetime 1825 \
--cacert ~/pki/cacerts/ca-cert.pem \
--cakey ~/pki/private/ca-key.pem \
--dn "CN=vpn.mysite.com" --san vpn.mysite.com --san <IP Address> --san @<IP Address> \
--flag serverAuth --flag ikeIntermediate --outform pem \
> ~/pki/certs/server-cert.pem
Remember to replace vpn.mysite.com with your own domain and <IP Address> with your server’s IP address (without the angle brackets). Now copy the certificates and keys to the StrongSwan configuration directory:
$ sudo cp -r ~/pki/* /etc/strongswan/ipsec.d/
Tighten the permissions so that the private keys are readable by root only:
$ sudo chmod -R go-rwx /etc/strongswan/ipsec.d/private/
Configure Security Gateways
To configure the security gateways, edit the /etc/strongswan/ipsec.conf file in a text editor. Make a backup copy first, just to be safe:
$ sudo cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.main
Now open the file in a text editor and make the following changes (parameters inside a section must be indented):
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel # defines the type of connection, tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.mysite.com # if using IP, define it without the @ sign
    leftcert=server-cert.pem # reads the VPN server cert in /etc/strongswan/ipsec.d/certs
    leftsendcert=always
    leftsubnet=<IP Address subnet>
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=<IP Address subnet>
    rightdns=<IP Address>,8.8.8.8 # DNS to be assigned to clients
    rightsendcert=never
    eap_identity=%identity # defines the identity the client uses to reply to an EAP Identity request.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
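The ike= and esp= lists above are long and include proposals with SHA-1 integrity and 1024/1536-bit MODP groups, which are what a reviewer would want to strip before exposing the gateway to the internet. The following script is an added example, not code from the page or from the strongSwan project: it parses an ipsec.conf into sections, splits each ike=/esp= value into proposals, flags weak components and prints a reduced strict list. The embedded sample config is constructed from the page’s own, with the placeholders filled using the example domain vpn.mysite.com and private-range addresses, and with shortened proposal lists so the output stays readable; the weak-algorithm sets are the editor’s choice, not a strongSwan default.

```python
from typing import Dict, List, Tuple

# Constructed sample: the tutorial's ipsec.conf with placeholders filled in
# and shortened ike=/esp= lists (the real lists are much longer).
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=no

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    left=%any
    leftid=@vpn.mysite.com   # identity presented to clients
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp2048,aes128-sha256-modp1024!
    esp=aes128gcm16-ecp256,aes128-sha1-modp1024,aes256-sha384,aes256-sha1!
"""

# Algorithm tokens the editor considers unfit for a new IKEv2 deployment.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_INTEG = {"md5", "sha1"}


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, but leave '#' alone inside double quotes."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        out.append(ch)
    return "".join(out).rstrip()


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf into {'config setup': {...}, 'conn <name>': {...}}.
    Section headers start in column 0; parameters must be indented."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "conn ikev2-vpn"
            kind, _, name = line.strip().partition(" ")
            if kind not in ("config", "conn", "ca"):
                raise ValueError(f"unexpected section header: {line!r}")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {line!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def split_proposals(value: str) -> Tuple[List[str], bool]:
    """Split an ike=/esp= value into proposals; a trailing '!' makes the list strict."""
    strict = value.endswith("!")
    return [p for p in value.rstrip("!").split(",") if p], strict


def weak_components(proposal: str) -> List[str]:
    """Weak tokens in one proposal such as 'aes128-sha1-modp1024'."""
    return [tok for tok in proposal.split("-") if tok in WEAK_DH or tok in WEAK_INTEG]


def audit_connection(conn: Dict[str, str]) -> Dict[str, object]:
    """Report weak proposals and related settings; suggest a stripped-down strict list."""
    findings: List[str] = []
    hardened: Dict[str, str] = {}
    for key in ("ike", "esp"):
        if key not in conn:
            findings.append(f"{key}: no explicit proposal list, daemon defaults apply")
            continue
        proposals, strict = split_proposals(conn[key])
        if not strict:
            findings.append(f"{key}: list is not strict (no trailing '!')")
        kept = []
        for proposal in proposals:
            weak = weak_components(proposal)
            if weak:
                findings.append(f"{key}: {proposal} uses {'/'.join(weak)}")
            else:
                kept.append(proposal)
        hardened[key] = ",".join(kept) + "!"
    if conn.get("rightauth") == "eap-mschapv2" and conn.get("leftsendcert") != "always":
        findings.append("leftsendcert=always is needed so EAP clients can validate the server certificate")
    return {"findings": findings, "hardened": hardened}


if __name__ == "__main__":
    for name, params in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        if name.startswith("conn "):
            report = audit_connection(params)
            print(name)
            for finding in report["findings"]:
                print("  -", finding)
            for key, value in report["hardened"].items():
                print(f"  suggested {key}={value}")
```

Run it against your real file with `parse_ipsec_conf(open("/etc/strongswan/ipsec.conf").read())`; the suggested lists keep only the ECP and MODP-2048+ proposals with SHA-2 or AES-GCM, which is what clients on current operating systems negotiate anyway.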
Configure Secrets for Client Authentication
In this step, you need to configure the credentials for client-server authentication. Start by generating a password with this command:
$ head -c 24 /dev/urandom | base64
Add this password to /etc/strongswan/ipsec.secrets. The first line below tells StrongSwan which private key belongs to the server certificate; the second defines an EAP user named vpnsecure. Replace "your-secure-password" with the password you just generated:
: RSA "server-key.pem"
vpnsecure : EAP "your-secure-password"
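As an added example, not code from the page or the strongSwan project, the script below generates the EAP secret in code (the same construction as the command above: 24 random bytes, base64-encoded), renders the two ipsec.secrets lines, writes the file with mode 0600 and parses the entries back so that a leftover placeholder or a short secret is caught before the daemon loads it. The user name vpnsecure and the scratch directory are assumptions; on a real server the file is /etc/strongswan/ipsec.secrets.

```python
import base64
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

PLACEHOLDER = "your-secure-password"  # the tutorial's placeholder, which must never stay in the file

# One ipsec.secrets entry: optional selectors, a colon, the secret type, a quoted value.
_ENTRY_RE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*(?P<kind>RSA|EAP|PSK)\s+"(?P<secret>[^"]*)"\s*$')


def generate_eap_secret(nbytes: int = 24) -> str:
    """Same as `head -c 24 /dev/urandom | base64`: 24 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def render_secrets(server_key: str, eap_users: Dict[str, str]) -> str:
    """Build the file body: the server key line first, then one EAP line per user."""
    lines = [f': RSA "{server_key}"']
    for user, password in eap_users.items():
        if '"' in user or '"' in password:
            raise ValueError("double quotes cannot be used in identities or secrets here")
        lines.append(f'{user} : EAP "{password}"')
    return "\n".join(lines) + "\n"


def parse_secrets(text: str) -> List[Dict[str, str]]:
    """Parse the entries back; raises on any line the pattern does not recognise."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _ENTRY_RE.match(raw)
        if not match:
            raise ValueError(f"line {lineno}: not a recognised ipsec.secrets entry")
        entries.append({"ids": match["ids"].strip(), "kind": match["kind"], "secret": match["secret"]})
    return entries


def weak_entries(entries: List[Dict[str, str]], min_len: int = 16) -> List[str]:
    """Identities whose EAP/PSK secret is the placeholder or shorter than min_len."""
    return [e["ids"] or "<any>" for e in entries
            if e["kind"] in ("EAP", "PSK") and (e["secret"] == PLACEHOLDER or len(e["secret"]) < min_len)]


def write_secrets(path: Path, content: str) -> int:
    """Create the file with mode 0600 so only its owner (root on a real server) can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # also tighten an existing file that had a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)


def write_to_scratch(content: str) -> int:
    """Write into a temporary directory (assumed here instead of /etc/strongswan); return the mode."""
    return write_secrets(Path(tempfile.mkdtemp()) / "ipsec.secrets", content)


if __name__ == "__main__":
    body = render_secrets("server-key.pem", {"vpnsecure": generate_eap_secret()})
    print(body, end="")
    print("weak entries:", weak_entries(parse_secrets(body)))
    print("mode:", oct(write_to_scratch(body)))
```

Point write_secrets at /etc/strongswan/ipsec.secrets when running as root; the parse step is cheap enough to run as a pre-start check so a malformed or placeholder entry fails loudly instead of silently rejecting every client.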
Once done, start StrongSwan with this command:
$ sudo strongswan start
Change your firewall settings so that the required ports can be used. Use these commands:
$ sudo firewall-cmd --add-port=500/udp --permanent
$ sudo firewall-cmd --add-port=4500/udp --permanent
$ sudo firewall-cmd --permanent --add-service="ipsec"
$ sudo firewall-cmd --permanent --add-masquerade
$ sudo firewall-cmd --reload
Configure StrongSwan VPN Client
For the last step, set up the client. On the client machine, copy the CA certificate from the server with this command (replace <user> and <IP Address> with your server’s SSH user and address):
$ sudo scp <user>@<IP Address>:/etc/strongswan/ipsec.d/cacerts/ca-cert.pem ~/
Then move it into the client’s /etc/strongswan/ipsec.d/cacerts/ directory using this command:
$ sudo mv ~/ca-cert.pem /etc/strongswan/ipsec.d/cacerts/
Set SELinux to permissive mode (this takes effect immediately and lasts until the next reboot) by running this command:
$ sudo setenforce 0
Restart StrongSwan and check the service status with these commands:
$ sudo systemctl restart strongswan-starter
$ systemctl status strongswan-starter
Lastly, check StrongSwan status using this command:
$ sudo strongswan status
If everything goes well, you should see a connection established between the two devices.
Final Thoughts
This guide shows you how to install StrongSwan VPN server on Rocky Linux 9. It’s a very technical guide where you must pay attention to each command. A single mistake can heavily mess up your process. So, we recommend you follow every step we mentioned in this tutorial so you may set up your server in no time.
If this guide helped you, please share it.