How to Install StrongSwan VPN Server on Rocky Linux 9

Are you looking for a tutorial on how to install StrongSwan VPN server on Rocky Linux 9? Then this guide is for you.

StrongSwan is an Open-source IPsec-based VPN solution launched in 2005. It implements the IKEv2 key exchange protocol. It’s well known for its modularity and portability. You can learn more about them in their official documentation here.

In this tutorial, we’ll show you the step-by-step process to install and set up the StrongSwan VPN server on your Rocky Linux machine. Let’s get started!

How to Install StrongSwan VPN Server on Rocky Linux 9

First things first, we have to go through each step and see how you can install and configure your StrongSwan VPN server.

Install StrongSwan VPN Server

We’ll kick things off by installing the StrongSwan VPN. But before doing that, you must enable the Extra Packages for Enterprise Linux (EPEL) repo. To do that, use this command:

$ sudo dnf install epel-release

Now since the StrongSwan package is in the EPEL repo, you may start installing it. You can install the VPN server using this command:

$ sudo dnf install strongswan libreswan

Check if the installation was successful with this command:

$ strongswan version

The output shows us the installed version, which means StrongSwan was installed successfully.

Enable Kernel IP Forwarding

By enabling IP forwarding, you allow your machine to receive packets and automatically forward that traffic. This will make your machine act similar to a router.

To do this, we need to edit the /etc/sysctl.conf file. Open the file in your preferred text editor. We will use nano for this. To open the file in nano, use this command:

$ sudo nano /etc/sysctl.conf

Then add the following lines to the file:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save the file with “Ctrl + O” and exit using “Ctrl + X”. Now load new sysctl settings from the file with this command:

$ sudo sysctl -p

Configure StrongSwan VPN Server

Now that the installation is done, let’s configure the server so it can actually be used.

Generate Self-signed certificates

Let’s start by generating the required certificates. Make some directories to organize everything. We will create a PKI (Public Key Infrastructure) directory and make some subdirectories under it. Do these with this command:

$ mkdir -p ~/pki/{cacerts,certs,private}

Also, change the read or write permission of the new directory with this command:

$ chmod 700 ~/pki

Next, we need two more packages: haveged (an entropy daemon that helps with random number generation) and tpm2-abrmd (the TPM2 access broker and resource manager). Install them with this command:

$ sudo yum install haveged tpm2-abrmd

After installing, start and enable the haveged service by running this command:

$ sudo systemctl enable --now haveged

When that is done, generate the private key for the VPN’s certificate authority using this command:

$ strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem

You also need to create a root certificate authority. Do that with this command:

$ strongswan pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem

Then create a private key for your VPN server using this:

$ strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem

After that, generate the certificate using this command:

$ strongswan pki --pub --in ~/pki/private/server-key.pem --type rsa \
| strongswan pki --issue --lifetime 1825 \
        --cacert ~/pki/cacerts/ca-cert.pem \
        --cakey ~/pki/private/ca-key.pem \
        --dn "CN=vpn.mysite.com" --san vpn.mysite.com --san <IP Address> --san @<IP Address> \
        --flag serverAuth --flag ikeIntermediate --outform pem \
    >  ~/pki/certs/server-cert.pem

Remember to replace ‘vpn.mysite.com’ with your own domain and <IP address> with your IP address (do this without the angle brackets). Now you can copy the certificate to the correct directory with this:

$ sudo cp -r ~/pki/* /etc/strongswan/ipsec.d/

Change the permissions on the certificate directory by running this command:

$ sudo chmod -R 775 /etc/strongswan/ipsec.d/

Note that 775 makes the private directory (which now holds ca-key.pem and server-key.pem) readable by every user on the system; the only reader that needs access is the charon daemon, which runs as root.

Configure Security Gateways

To configure the security gateways, edit the /etc/strongswan/ipsec.conf file in a text editor. You can make a copy just to be safe. To do that, use this command:

$ sudo cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.main

Now open the file in a text editor and make the following changes:

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel  # defines the type of connection, tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.mysite.com  # if using IP, define it without the @ sign
    leftcert=server-cert.pem  # reads the VPN server cert in /etc/strongswan/ipsec.d/certs
    leftsendcert=always
    leftsubnet=<IP Address subnet>
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=<IP Address subnet>
    rightdns=<IP Address>,8.8.8.8  # DNS to be assigned to clients
    rightsendcert=never
    eap_identity=%identity  # defines the identity the client uses to reply to an EAP Identity request.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
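The ike= and esp= lists above are long, and a few of the proposals they accept (sha1 integrity, modp1024 groups) are ones a defender would rather not offer. The following is an added example, not part of the original tutorial: a small parser for the ipsec.conf format used here plus an audit that flags weak proposals and lists that lack the trailing "!" (without it, strongSwan appends its default proposal to the configured list). The sample configuration embedded in it is a constructed, shortened copy of the conn above.

```python
import re

# Constructed sample: a trimmed version of this tutorial's conn section.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no
conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    rightauth=eap-mschapv2
    leftid=@vpn.mysite.com   # server identity
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256-sha1-modp1024,aes128-sha1!
"""

# Algorithm and DH-group tokens a defender would not want in an IKEv2 proposal.
WEAK_TOKENS = {"sha1", "md5", "modp768", "modp1024", "modp1536", "3des"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn <name>' or 'config setup': {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def weak_proposals(proposal_list):
    """Return the proposals in an ike=/esp= value that contain a weak token."""
    proposals = proposal_list.rstrip("!").split(",")
    return [p for p in proposals if set(p.split("-")) & WEAK_TOKENS]


def audit_conn(sections, conn_name):
    """Report weak proposals and non-strict lists for one conn section."""
    conn = sections[f"conn {conn_name}"]
    findings = []
    for key in ("ike", "esp"):
        value = conn.get(key, "")
        if value and not value.endswith("!"):
            findings.append(f"{key}: list not strict (missing trailing '!')")
        for weak in weak_proposals(value):
            findings.append(f"{key}: weak proposal {weak}")
    return findings
```

Running audit_conn over the full config from this page would list every sha1 and modp1024 proposal in both lines; removing those entries leaves only the AES-GCM/SHA-2 proposals with 2048-bit or elliptic-curve groups.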

Configure PSK for Peer-to-Peer Authentication

In this step, you need to configure the credentials for client-server authentication. Start by generating a password with this command:

$ head -c 24 /dev/urandom | base64

Add the following lines to /etc/strongswan/ipsec.secrets, replacing your-secure-password with the password you just generated (vpnsecure is the username the client will authenticate with):

: RSA "server-key.pem"
vpnsecure : EAP "your-secure-password"

Once done, start StrongSwan with this command:

$ sudo strongswan start

Change your firewall settings so that the required ports can be used. Use these commands:

$ sudo firewall-cmd --add-port=500/udp --permanent

$ sudo firewall-cmd --add-port=4500/udp --permanent

$ sudo firewall-cmd --permanent --add-service="ipsec"

$ sudo firewall-cmd --permanent --add-masquerade

$ sudo firewall-cmd --reload

Configure StrongSwan VPN Client

For the last step, a little configuration is needed on the client machine. First, copy the CA certificate from the server with this command:

$ sudo scp <user>@<IP Address>:/etc/strongswan/ipsec.d/cacerts/ca-cert.pem ~/

Then copy it to the /etc/strongswan/ipsec.d/cacerts/ directory using this command:

$ sudo mv ~/ca-cert.pem /etc/strongswan/ipsec.d/cacerts/

Set SELinux to permissive mode by running this command:

$ sudo setenforce 0

Note that setenforce 0 only lasts until the next reboot and disables SELinux enforcement for the whole system, not just for StrongSwan.

Restart StrongSwan and check the service status with these commands:

$ sudo systemctl restart strongswan-starter
$ systemctl status strongswan-starter

Lastly, check StrongSwan status using this command:

$ sudo strongswan status

If everything goes well, you should see a connection established between the two devices.

Final Thoughts

This guide shows you how to install the StrongSwan VPN server on Rocky Linux 9. It is a very technical guide where you must pay attention to each command, since a single mistake can break the setup. Follow every step in the order given and you should have your server running in no time.

If this guide helped you, please share it.