IPSEC VPN with CentOS 7
This is a guide on setting up an IPsec VPN server on CentOS 7, using StrongSwan as the IPsec server and for authentication. Every step comes with a detailed explanation. We choose the IPsec protocol stack because of recent vulnerabilities found in pptpd VPNs and because it is supported by default on all recent operating systems.

Why a VPN?

More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details more easily than you may think. A self-hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self-hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to live or travel to.

This tutorial is available for the following platforms:

This tutorial was written and tested on a Digital Ocean VPS. If you like this tutorial and want to support my website, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212. You will get $10 of free credit, which equals two months of a $5 VPS for free.

IPsec encrypts and authenticates your IP packets, so no one can read or forge data passing between your clients and your server. It also provides the tunnel through which that data is sent to the server.

To work through this tutorial you should have:

  • 1 CentOS 7 server with at least 1 public IP address and root access
  • 1 (or more) clients running an OS that supports IPsec IKEv2 VPNs (Ubuntu, Mac OS, Windows 7+, Android 4+).
  • Ports 4500/UDP, 500/UDP, 51/UDP and 50/UDP opened in the firewall.
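The prerequisite list above treats 50 and 51 as UDP ports; ESP and AH are IP protocol numbers 50 and 51, not ports, and (as bertan points out in the comments) CentOS 7's firewalld ships an "ipsec" service that opens 500/udp, 4500/udp and the ESP and AH protocols in one go. The script below is an added example, not code from the tutorial or from StrongSwan: it encodes the four requirements, checks a service definition against them with plain grep (so the check runs without firewalld), and shows the firewall-cmd calls that apply the shipped service on a real CentOS 7 host. The service XML in the block is a constructed sample of the shape firewalld uses, not read from disk; the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Assumes firewalld is the
# active firewall on the CentOS 7 server and that its shipped "ipsec" service
# covers the items listed below.

# What an IKEv2/IPsec server needs reachable from the internet:
#   500/udp      IKE
#   4500/udp     IKE and ESP-in-UDP when a NAT sits between client and server
#   protocol 50  ESP, the encrypted payload (an IP protocol, not a port)
#   protocol 51  AH
REQUIRED_UDP_PORTS="500 4500"
REQUIRED_PROTOCOLS="esp ah"

# Constructed sample of a firewalld service definition that gets it right
# (same shape as /usr/lib/firewalld/services/ipsec.xml; not read from disk).
GOOD_SERVICE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec</short>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <protocol value="ah"/>
  <protocol value="esp"/>
</service>'

# Constructed sample of the mistake in the prerequisite list: ESP/AH opened
# as UDP ports 50 and 51 instead of as IP protocols. IKE will still negotiate
# on 500/4500, but ESP packets to a host without NAT get dropped.
WRONG_SERVICE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec (wrong)</short>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="50"/>
  <port protocol="udp" port="51"/>
</service>'

# check_ipsec_service XML
# Prints "ok" when the service XML covers every required port and protocol,
# otherwise prints the first missing item and returns 1.
check_ipsec_service() {
    xml="$1"
    for p in $REQUIRED_UDP_PORTS; do
        printf '%s\n' "$xml" | grep -q "<port protocol=\"udp\" port=\"$p\"/>" \
            || { echo "missing udp/$p"; return 1; }
    done
    for proto in $REQUIRED_PROTOCOLS; do
        printf '%s\n' "$xml" | grep -q "<protocol value=\"$proto\"/>" \
            || { echo "missing protocol $proto"; return 1; }
    done
    echo ok
}

# apply_ipsec_firewall
# Enables firewalld's shipped ipsec service permanently and reloads; only
# meaningful on the CentOS 7 host itself, so it refuses to run elsewhere.
apply_ipsec_firewall() {
    command -v firewall-cmd >/dev/null 2>&1 \
        || { echo "firewall-cmd not found; run this on the CentOS 7 server"; return 1; }
    firewall-cmd --permanent --add-service=ipsec
    firewall-cmd --reload
    firewall-cmd --list-services
}

check_ipsec_service "$GOOD_SERVICE"        # ok
check_ipsec_service "$WRONG_SERVICE" || :  # missing protocol esp
```

Run `apply_ipsec_firewall` on the server after the check passes; `firewall-cmd --list-services` should then include `ipsec`. If you prefer explicit rules over the service, the equivalent is `--add-port=500/udp --add-port=4500/udp --add-protocol=esp --add-protocol=ah`, which is the same set the check function enforces.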

I do all the steps as the root user. You should do so too, but only via `sudo -i` or `su -`.

No L2TP?

The previous tutorials all used L2TP to set up the VPN tunnel and used IPsec only for the encryption. With the IKEv2 protocol, and with recent operating systems (like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2, we can now use IPsec to set up the tunnel as well, where before we used L2TP to do that.

This VPN will therefore not work out of the box on older operating systems. See my other tutorials with L2TP on how to do that.

Overview

The tutorial consists of the following steps:

  • Install packages
  • Generate certificates
  • Configure IPSEC
  • Configure Firewall

Android and Windows client configuration is covered at the end of the tutorial.

Install EPEL 7:

StrongSwan packages are available in the EPEL. The CentOS/RHEL repos only ship Libreswan, which is not what we'll use in this tutorial. You can read more about the EPEL here: https://fedoraproject.org/wiki/EPEL, and the packages can be found here: http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/repoview/epel-release.html

Install and enable the EPEL using Yum:

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Install Strongswan

After the EPEL is enabled we can install StrongSwan. StrongSwan is a descendant of FreeS/WAN, just like Openswan or Libreswan. StrongSwan however has a very active community and is actively developed, whereas the others are less so. You can read more about StrongSwan on Wikipedia or on their website.

yum install strongswan

Read on over at Raymii.org: https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html

Comments

  • bertan (Member), edited December 2014

    Hi, Remy, it's a good tutorial and I'm happy to give you a link, but I don't think your firewall will work. It has to be protocol 50, not port 50. Actually, there is a prebuilt service named "ipsec" on the CentOS 7 firewall that does most of the work for you. See my page http://members.shaw.ca/bertan

  • VPNsh (Member, Host Rep)

    Great to see tutorials for CentOS 7 :)

  • @bertan said:
    Hi, Remy, it's a good tutorial and I'm happy to give you a link, but I don't think your firewall will work. It has to be protocol 50, not port 50. Actually, there is a prebuilt service named "ipsec" on the CentOS 7 firewall that does most of the work for you. See my page http://members.shaw.ca/bertan

    Howdy,

    The tutorial was tested extensively with both Android and Windows before publishing. I did not experience any firewall trouble. Thanks for the mention though; after a look through the documentation it seems you are right. I've also updated the IKEv1 configuration according to your page and the StrongSwan wiki on iOS, and added a link back to your guide.

  • said: recent vulnerabilities found in pptpd VPNs

    I think they are not recent at all, just the discovery that our beloved NSA decrypted VPNs. :0 (?)

    Kudos for making a how-to for so many platforms. It's so short and to the point,too. :)

  • @4n0nx said:
    I think they are not recent at all, just the discovery that our beloved NSA decrypted VPNs. :0 (?)

    Wikipedia shows me that there have been known issues since 1999. Most of the issues were uncovered in 2012: http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

  • Yeah :D that's not very recent right? By the way, is this the most secure VPN you can use that is supported out of the box by OS's?

  • @4n0nx said:
    Yeah :D that's not very recent right? By the way, is this the most secure VPN you can use that is supported out of the box by OS's?

    I'm not sure how backdoored it is. I think you're better off with OpenVPN, but that requires a separate client to be installed.

  • Whew! After three weeks' work, I finally got IKEv2 working for iOS 8, including the mysterious configuration profiles. Anyone who wants to try it, here's what I did: http://members.shaw.ca/bertan

  • Hi bertan, my server only has an IP address without a domain name; could you give some advice on generating certificates and the mobileconfig file? Besides, I want to use a username and password in the mobileconfig to authenticate the client. I'm Chinese, thank you for helping me bypass the Great Firewall of China.

    @bertan said:
    Whew! After three weeks' work, I finally got IKEv2 working for iOS 8, including the mysterious configuration profiles. Anyone who wants to try it, here's what I did: http://members.shaw.ca/bertan
