Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
IPSEC VPN on Ubuntu 16.04 with StrongSwan
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

IPSEC VPN on Ubuntu 16.04 with StrongSwan

This is a guide on setting up an IPSEC VPN server on Ubuntu 16.04 using StrongSwan as the IPsec server and for authentication. It has a detailed explanation with every step. We choose the IPSEC protocol stack because of vulnerabilities found in pptpd VPNs and because it is supported on all recent operating systems by default.

Why a VPN?

More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to live or travel to.

This tutorial is available for the following platforms:

This tutorial was written and tested on a Digital Ocean VPS. If you like this tutorial and want to support my website, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212. You will get $10 free credit, which is equal to two months of a free $5 VPS.

IPSEC encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. It also provides a tunnel to send data to the server.

This VPN setup is called a road-warrior setup, because clients can connect from anywhere. Another much used VPN setup is called site-to-site, where two VPN servers connect two networks with one another. In a road warrior setup your local network isn't shared, but you do get access to the server's network.

To work trough this tutorial you should have:

  • 1 Ubuntu 16.04 server with at least 1 public IP address and root access
  • 1 (or more) clients running an OS that support IPsec IKEv2 vpns (Ubuntu, Mac OS, Windows 7+, Android 4+).
  • Ports 4500/UDP, 500/UDP, 51/UDP and 50/UDP opened in the firewall.

I do all the steps as the root user. You should do to, but only via sudo -i or su -.

Read on over at raymii.org

Thanked by 1JustAMacUser
Quis custodiet ipsos custodes?
https://raymii.org - https://cipherli.st

Comments

  • netomxnetomx Member, Moderator

    Question: Why not softether?

  • SplitIceSplitIce Member, Provider
    edited September 2016

    IMHO 99% of the time IPSec is a pain in the proverbial particularly for VPN applications. For transport level encryption (especially passive / transparent applications) its usable, but even so not advisable for the faint of heart.

    I recommend considering Softether, Tinc or OpenVPN

    X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer
  • Effort appreciated, in spite of some inconsistencies in this tuto (UDP port 50/51? really?). Better double check each and every setting.

    Providing less than /64 means "we are clueless about IPv6". My geekbench results. I haz BuyVM, OneProv, Veesp.

  • mehargagsmehargags Member
    edited October 2016

    @SplitIce said:
    I recommend considering Softether, Tinc or OpenVPN

    Which one is most :

    1. easy to configure (on Debian)

    2. lightweight on resources (can be tweaked to log less and reduce disk/CPU usage)

    3. easy to configure / access from firefox/chrome on (mostly) Windows client Machines

    Thanks...

  • netomxnetomx Member, Moderator

    @mehargags said:

    @SplitIce said:
    I recommend considering Softether, Tinc or OpenVPN

    Which one is most :

    1. easy to configure (on Debian)

    2. lightweight on resources (can be tweaked to log less and reduce disk/CPU usage)

    3. easy to configure / access from firefox/chrome on (mostly) Windows client Machines

    Thanks...

    Softether

    Thanked by 1mehargags
  • @netomx said:

    Softether

    I tend to agree because I do use this much and it never let me down.

    but if you and/or your users already know how to use L2TP/IPsec on windows with the native network connections this https://github.com/hwdsl2/setup-ipsec-vpn might be a very good alternative... really recommended!

    Thanked by 2howardsl2 mehargags

    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • MikePTMikePT Member, Provider

    Thank you for the tutorial. It looks like some people only blame instead of being thankful. The tutorial is great, this one is for IPSec, if anyone else wants a softether tutorial then google it or write your own.

    Raynii has contributed a lot with his knowledge and I am happy to see such a member in LET.

    Thanked by 1netomx
  • netomxnetomx Member, Moderator

    @MrGeneral said:
    Thank you for the tutorial. It looks like some people only blame instead of being thankful. The tutorial is great, this one is for IPSec, if anyone else wants a softether tutorial then google it or write your own.

    Raynii has contributed a lot with his knowledge and I am happy to see such a member in LET.

    We're not saying it isnt

    Thanked by 2Falzo mehargags
  • SplitIceSplitIce Member, Provider

    @mehargags said:

    @SplitIce said:
    I recommend considering Softether, Tinc or OpenVPN

    Which one is most :

    1. easy to configure (on Debian)

    2. lightweight on resources (can be tweaked to log less and reduce disk/CPU usage)

    3. easy to configure / access from firefox/chrome on (mostly) Windows client Machines

    Thanks...

    IMHO:

    1. Tinc, Softether, OpenVPN (that order)

    2. Tinc, Softether, OpenVPN

    3. Softether, then both Tinc & OpenVPN

    Softether is quite user friendly. More steps to configure but quite powerful. Softether is quite good at beating restrictive firewalls too.

    Tinc is really high performance & lightweight with some nifty features and easy no bullshit configuration.

    OpenVPN is the old mainstay, does everything... Just IMHO is pretty heavy.

    IPSec is fast (in kernel) but difficult to debug and complex to setup.

    Another new player I've become aware of is Wireguard. It feels alot like Tinc (configuration simplicity), with the performance of IPSec (in kernel). But no windows driver/client yet.

    X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer
  • mehargagsmehargags Member
    edited October 2016

    Thanks for the inputs...everyone.

    So lets say I just need it for private use... just me and 4-5 other friends who would be using the VPN, which one to choose as lowest resource hog between:

    Tinc | Softether | setup-ipsec-vpn

    Please consider there is no commercial use here, purely private individual use.

    Or Can I just pull this off using a Squid Proxy ? as the primary need is just browsing and downloading torrent files (not from torrents themselves)

    @Raymii I hope you don't mind me carrying your thread a bit away...!

  • miaumiau Member
    edited October 2016

    @mehargags said:
    Thanks for the inputs...everyone.

    So lets say I just need it for private use... just me and 4-5 other friends who would be using the VPN, which one to choose as lowest resource hog between:

    Tinc | Softether | setup-ipsec-vpn

    Please consider there is no commercial use here, purely private individual use.

    Or Can I just pull this off using a Squid Proxy ? as the primary need is just browsing and downloading torrent files (not from torrents themselves)

    @Raymii I hope you don't mind me carrying your thread a bit away...!

    Given your requirement, It would be wiser to use SOCKS5 instead of VPN.
    I would recommend Shadowsocks. Its lot simpler (less than 5 lines in config to get you up and secure), faster than openVPN in TCP mode (ymmv).

    Thanked by 1mehargags
  • I can't connect Windows 10 to this server. I follow process but ... nothing
    all do is working on Android but mac and win can't connect.
    Is there someone who can help?

    I have Softether on one VPS and is very stable (sometimes cpu go to 100% for 5 min but is only when I disconnect from VPN)

    I test bandwidth on Android phone connected to
    Ikev2 on Strongswan it's much faster then L2TP over IPSec on Softether
    and cpu is not making problems.

  • If Android works, but Mac and Windows don't, one possibility is that you may not have installed the certificates correctly on Mac and Windows.

Sign In or Register to comment.