How to Set Up an IKEv2 VPN Server with FreeRADIUS and Let’s Encrypt on Ubuntu 22.04

Introduction

Internet Key Exchange v2, or IKEv2, is a protocol that negotiates a direct IPsec tunnel between the server and the client. In IKEv2 VPN implementations, IPsec provides the encryption for the network traffic. IKEv2 is natively supported on some platforms (such as iOS, macOS, Android and Windows 10/11) with no additional applications necessary, and it copes well with clients that change networks or drop off briefly.

In this tutorial, you’ll set up an IKEv2 VPN server using strongSwan on an Ubuntu 22.04 server, with client authentication handed off to a FreeRADIUS server over EAP-RADIUS and a server certificate issued by Let’s Encrypt.

STEP 1)

Make sure the package index is up to date.

sudo apt-get update

STEP 2)

Now install the software required using the command below.

sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins iptables-persistent

STEP 3)

Next, create the certificate IKEv2 will present to clients. First, install certbot.

sudo apt-get install certbot

STEP 4)

Now set the key size and the certbot hooks. The pre- and post-hooks open and close TCP port 80 around each certbot run so the standalone HTTP challenge can be answered, and the renew hook runs after certbot has renewed the certificate so that strongSwan reloads its configuration and secrets. Let’s Encrypt certificates are valid for a maximum of 90 days, so this hook is what keeps the VPN’s certificate current without manual intervention.

mkdir -p /etc/letsencrypt

echo 'rsa-key-size = 4096
pre-hook = /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
post-hook = /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets' > /etc/letsencrypt/cli.ini

STEP 5)

Generate the certificate to use with the connection. Note: the hostname must resolve to this machine, and TCP port 80 must be reachable from the internet, because certbot’s standalone mode answers the Let’s Encrypt HTTP challenge itself.

certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email [email protected] -d YOUR.DOMAIN.COM

ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/cert.pem /etc/ipsec.d/certs/cert.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/chain.pem /etc/ipsec.d/cacerts/chain.pem

echo "/etc/letsencrypt/archive/YOUR.DOMAIN.COM/* r, " >> /etc/apparmor.d/local/usr.lib.ipsec.charon

aa-status --enabled && invoke-rc.d apparmor reload
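The symlinks above are what charon actually loads, so a dangling link (for example after a renewal that changed the archive path) or a certificate whose names do not match the identity you configure later will only show up as a failed connection. The following checks are an added example, not part of the original guide: they verify that each link in /etc/ipsec.d resolves to a readable file, that the certificate is not about to expire, and that the hostname you will use as the server identity is present as a DNS subjectAltName. It assumes the guide’s symlink layout, an openssl new enough to support `x509 -ext` (1.1.1 or later, which Ubuntu 22.04 ships), and that `IPSEC_DIR` can be pointed at a scratch directory for testing.

```shell
#!/bin/sh
# Added example (not from the original guide): post-setup checks for the
# Let's Encrypt certificate that charon loads through the /etc/ipsec.d symlinks.
# Assumptions: the symlink layout from Step 5; openssl >= 1.1.1 for the SAN
# check; IPSEC_DIR may be overridden to run the checks against a scratch copy.

IPSEC_DIR=${IPSEC_DIR:-/etc/ipsec.d}

# check_ipsec_links [DIR] -> verify certs/cert.pem, private/privkey.pem and
# cacerts/chain.pem are symlinks resolving to readable regular files.
# Prints one status line per link; returns 1 if any link is missing or broken.
check_ipsec_links() {
    _dir=${1:-$IPSEC_DIR}
    _rc=0
    for _rel in certs/cert.pem private/privkey.pem cacerts/chain.pem; do
        _link=$_dir/$_rel
        if [ ! -L "$_link" ]; then
            printf 'MISSING %s (not a symlink)\n' "$_link"; _rc=1
        elif [ ! -r "$_link" ] || [ ! -f "$_link" ]; then
            # dangling or unreadable target: charon will fail to load it
            printf 'BROKEN  %s -> %s\n' "$_link" "$(readlink "$_link")"; _rc=1
        else
            printf 'OK      %s -> %s\n' "$_link" "$(readlink "$_link")"
        fi
    done
    return $_rc
}

# cert_expires_within CERT_PEM SECONDS -> exit 0 if the certificate's notAfter
# lies within SECONDS from now ("openssl -checkend" returns 0 when it does NOT).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_has_dns_san CERT_PEM NAME -> exit 0 if NAME is a DNS subjectAltName.
# The server identity (leftid= in ipsec.conf) must match one of these names,
# otherwise clients reject the server certificate.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | tr -d ' \t' | grep -qxF -- "DNS:$2"
}

# vpn_cert_report [DIR] [NAME] -> run all checks; warn when fewer than 14 days
# of validity remain (renewal should have happened long before that).
vpn_cert_report() {
    _dir=${1:-$IPSEC_DIR}; _name=$2
    check_ipsec_links "$_dir" || return 1
    _cert=$_dir/certs/cert.pem
    if cert_expires_within "$_cert" $((14 * 86400)); then
        echo "WARN    $_cert expires within 14 days; check 'certbot renew' and the renew-hook" >&2
    fi
    if [ -n "$_name" ] && ! cert_has_dns_san "$_cert" "$_name"; then
        echo "ERROR   $_cert has no DNS SAN for $_name; leftid= will not match" >&2
        return 1
    fi
}

# Usage: sh check_vpn_cert.sh YOUR.DOMAIN.COM
if [ $# -gt 0 ]; then
    vpn_cert_report "$IPSEC_DIR" "$1"
fi
```

Run it after every renewal (or from the renew hook) with the hostname you put in `leftid=`; a non-zero exit means charon would not be able to present a valid identity to clients.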

STEP 6)

You may need to set up your firewall. To do so with iptables, use the rules below; they assume the public interface is eth0 and that the VPN client pool is 10.10.10.0/24, which must match the rightsourceip setting in Step 8. Note that these rules set the default INPUT and FORWARD policies to ACCEPT, so the explicit UDP 500/4500 rules only become restrictive if you later switch those policies to DROP. The TCPMSS rule clamps the MSS of client TCP sessions so packets fit inside the ESP-in-UDP tunnel without fragmentation.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -P FORWARD ACCEPT
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
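The ruleset above hardcodes eth0 (Ubuntu 22.04 hosts often use names such as ens3 or enp1s0) and leaves the INPUT chain wide open. As an added example that is not part of the original guide, the script below emits the same rules with the egress interface and the client subnet as parameters, detects the interface from the default route, and uses a default-deny INPUT and FORWARD policy while still allowing loopback, established traffic, SSH and the IKE/NAT-T ports. It assumes IPv4 only, a single egress interface, SSH on the port you pass (22 by default), and the iptables-persistent package from Step 2 for `netfilter-persistent save`; the interface and subnet defaults are the guide’s values.

```shell
#!/bin/sh
# Added example (not from the original guide): emit the IKEv2 firewall rules
# with the VPN client subnet and the egress interface as parameters, using a
# default-deny INPUT/FORWARD policy instead of the guide's default ACCEPT.
# Assumptions: IPv4 only, a single egress interface, SSH on the given port,
# iptables-persistent installed (for netfilter-persistent save).

# egress_iface -> print the interface that carries the default route
# (eth0 on the guide's host; empty if no default route is present)
egress_iface() {
    ip -4 route show default 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# emit_vpn_rules IFACE VPN_SUBNET [SSH_PORT] -> print the iptables commands.
# Rules are appended before the policies are switched to DROP so an existing
# SSH session is never caught between the two steps.
emit_vpn_rules() {
    _if=$1; _net=$2; _ssh=${3:-22}
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $_ssh -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -m policy --pol ipsec --dir in --proto esp -s $_net -j ACCEPT
iptables -A FORWARD -m policy --pol ipsec --dir out --proto esp -d $_net -j ACCEPT
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -s $_net -o $_if -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s $_net -o $_if -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s $_net -o $_if -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# apply_vpn_rules IFACE VPN_SUBNET [SSH_PORT] -> apply the rules (stop at the
# first failing command) and persist them across reboots.
apply_vpn_rules() {
    emit_vpn_rules "$@" | sh -e && netfilter-persistent save
}

# Usage: sh vpn_firewall.sh            -> print the rules for review
#        sh vpn_firewall.sh apply [IFACE] [VPN_SUBNET] [SSH_PORT]
_detected=$(egress_iface)
if [ "${1-}" = "apply" ]; then
    shift
    apply_vpn_rules "${1:-${_detected:-eth0}}" "${2:-10.10.10.0/24}" "${3:-22}"
elif [ $# -eq 0 ]; then
    emit_vpn_rules "${_detected:-eth0}" 10.10.10.0/24 22
fi
```

Review the printed rules before running `apply`, and make sure the SSH port is right, since the DROP policy will lock you out otherwise. The certbot pre-hook from Step 4 keeps working with this policy because it inserts its port 80 rule at the top of INPUT (`-I`) and the post-hook removes it again.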

STEP 7)

Enable IP forwarding, disable PMTU discovery and ICMP redirects, enable reverse-path filtering and turn off IPv6 (the configuration below is IPv4 only).

echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf

Apply the new settings now (they are also loaded from /etc/sysctl.conf at boot).

sysctl -p

STEP 8)

Set up the secrets file and the IKEv2 connection definition for strongSwan. leftid must be the hostname on the Let’s Encrypt certificate (its subjectAltName), otherwise clients will reject the server identity. Note that the ike= and esp= lists keep aes256-sha1-modp1024 and aes256-sha1 for compatibility with older clients; SHA-1 and the 1024-bit MODP group are considered weak, so remove them once all your clients support the stronger proposals that follow them.

echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"
" > /etc/ipsec.secrets
echo "config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes

  ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384

  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  # must match a name in the certificate (subjectAltName)
  leftid=YOUR.DOMAIN.COM
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  # clients authenticate with EAP, relayed to the RADIUS server configured in Step 9
  rightauth=eap-radius
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never

" > /etc/ipsec.conf
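Because the proposal lists in ipsec.conf are easy to leave untouched for years, it helps to have a repeatable check. The script below is an added example, not part of the original guide: it scans an ipsec.conf for ike= and esp= lines, reports every proposal that contains an algorithm or DH group from a small deny list (SHA-1, MD5, 3DES, NULL and MODP groups of 1536 bits or less; that list is this example’s own choice), and prints a filtered list you can paste back. It assumes the key=value layout shown above, including strongSwan’s optional trailing `!` on a strict proposal list.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the ike= / esp= proposal
# lists in an ipsec.conf and print a hardened list with weak entries removed.
# Assumptions: the key=value syntax from Step 8; the "weak" set below is this
# example's own choice (SHA-1, MD5, 3DES, NULL, MODP groups <= 1536 bits).

# proposal_is_weak PROPOSAL -> exit 0 if any component of an
# "enc-integ-dh" proposal is on the weak list. A trailing "!" (strongSwan's
# strict-proposal marker) is ignored for the purpose of the check.
proposal_is_weak() {
    _p=${1%!}
    case "-$_p-" in
        *-sha1-*|*-md5-*|*-3des-*|*-null-*|*-modp768-*|*-modp1024-*|*-modp1536-*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# filter_proposals LIST -> print the comma-separated LIST without weak proposals
filter_proposals() {
    _old_ifs=$IFS; IFS=','; set -- $1; IFS=$_old_ifs
    _out=""
    for _p in "$@"; do
        proposal_is_weak "$_p" || _out="${_out:+$_out,}$_p"
    done
    printf '%s\n' "$_out"
}

# audit_ipsec_conf FILE -> print "weak <key> <proposal>" for every weak entry
# found on ike= or esp= lines (comment lines and inline comments are ignored);
# returns 1 if anything was reported, 0 if the file is clean.
audit_ipsec_conf() {
    _file=$1
    _found=0
    for _kv in $(awk -F= '/^[ \t]*(ike|esp)[ \t]*=/ {
            k = $1; gsub(/[ \t]/, "", k)
            v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
            print k "=" v
        }' "$_file"); do
        _key=${_kv%%=*}; _val=${_kv#*=}
        _old_ifs=$IFS; IFS=','; set -- $_val; IFS=$_old_ifs
        for _p in "$@"; do
            if proposal_is_weak "$_p"; then
                printf 'weak %s %s\n' "$_key" "$_p"
                _found=1
            fi
        done
    done
    return $_found
}

# Usage: sh audit_proposals.sh [/etc/ipsec.conf]
_target=${1:-/etc/ipsec.conf}
if [ -r "$_target" ]; then
    if audit_ipsec_conf "$_target"; then
        echo "no weak proposals in $_target"
    else
        echo "remove the proposals listed above from ike=/esp= in $_target" >&2
    fi
fi
```

On the configuration from this step the audit flags `ike aes256-sha1-modp1024` and `esp aes256-sha1`; `filter_proposals` on the ike= list yields `aes256gcm16-sha256-ecp521,aes256-sha256-ecp384`. Windows clients negotiate aes256-sha1-modp1024 by default unless the VPN connection is configured with stronger IPsec settings, which is the usual reason such an entry survives; keep it only while you still have clients that need it.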

STEP 9)

Open /etc/strongswan.conf and replace its contents with the block below, filling in your RADIUS server’s IP address and shared secret. The trailing include strongswan.d/*.conf line belongs at the top level, outside the charon block, as in the stock file. Because this file now holds the RADIUS shared secret, keep it readable by root only.

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = YOUR_RADIUS_SERVER_IP
                    secret = RADIUS_SECRET!
                    # 1812 and 1813 are the RADIUS defaults
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
}
include strongswan.d/*.conf

STEP 10)

Now restart strongSwan so it loads the new configuration, secrets and certificate.

ipsec restart

Your IKEv2 VPN server is now ready to connect to. We will update this guide shortly with setup guides for connecting from the various client platforms.
