Experiences with strongSwan

Posted on December 21, 2016

I’ll be on the road during Christmas, which means a lot of airport and public WiFi. To protect myself I need a VPN that allows road warrior connections. I selected strongSwan because it offers a lot of useful features such as automatic NAT traversal, automatic firewall rules, etc., and it’s easy to configure (no need for L2TP).

I’m using my own CentOS 7 VPS and followed this tutorial with some minor changes. It boils down to the following steps.

  • Create a self-signed root CA.
  • Create and sign the host certificate with the root CA, making sure the --san value or the CN field matches the domain name or IP address of the host.
  • Create and sign the client certificate(s) with the root CA.
  • Configure IPSec (ipsec.conf), use leftfirewall = yes to allow strongSwan to automatically configure firewall rules.
  • Add VPN user accounts and secrets in ipsec.secrets.
  • Configure firewall if necessary, see below.
  • Allow packet forwarding. Editing /etc/sysctl.conf directly appears to be deprecated; put new settings in a file under /etc/sysctl.d/, e.g. /etc/sysctl.d/10-strongswan.conf.
  • Start strongSwan, clients should be able to connect to it with their certificate.

If strongSwan does not take care of the firewall configuration, then make sure iptables has the following (not guaranteed to be secure).

-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-t nat -A POSTROUTING -j MASQUERADE

If the client fails to connect and times out, it is most likely a firewall issue. Stop iptables and try again to verify.
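Before stopping iptables, a quicker check is to confirm that the rules listed above are actually loaded. The script below is an added example and not part of the original post: it checks an iptables-save dump for each of those rules, reports which are missing, and flags a MASQUERADE rule that carries no -s restriction (as the rule set above does). The dump embedded in it is constructed for illustration; replace it with real iptables-save output to check a host.

```shell
#!/bin/sh
# Added example, not from the original post: check an iptables-save dump for the
# rules a strongSwan road-warrior server needs (ESP and AH on INPUT, IKE on
# UDP/500, NAT-T on UDP/4500, MASQUERADE in the nat POSTROUTING chain).
# Replace SAMPLE_DUMP with the output of iptables-save to check a real host.

# Constructed sample: the NAT-T rule is missing and MASQUERADE is unrestricted.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -j MASQUERADE
COMMIT'

# check_rules DUMP_TEXT: prints one line per finding; exit status = number of findings.
check_rules() {
    dump="$1"
    findings=0
    # Patterns match on protocol/port/target rather than the exact line, so extra
    # match options (-m udp, -i eth0, --sport) and rule order do not matter.
    while IFS='|' read -r label pattern; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pattern"; then
            echo "missing: $label"
            findings=$((findings + 1))
        fi
    done <<'EOF'
ESP on INPUT|^-A INPUT .*-p esp .*-j ACCEPT
AH on INPUT|^-A INPUT .*-p ah .*-j ACCEPT
IKE UDP/500 on INPUT|^-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT
NAT-T UDP/4500 on INPUT|^-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT
MASQUERADE in nat POSTROUTING|^-A POSTROUTING .*-j MASQUERADE
EOF
    # A MASQUERADE rule without -s NATs every forwarded packet, not only the
    # VPN client pool; flag it so it can be narrowed with -s <client subnet>.
    if printf '%s\n' "$dump" | grep -Eq -- '^-A POSTROUTING -j MASQUERADE$'; then
        echo "warning: MASQUERADE has no -s restriction; limit it to the VPN client subnet"
        findings=$((findings + 1))
    fi
    return "$findings"
}

status=0
check_rules "$SAMPLE_DUMP" || status=$?
echo "findings: $status"
```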

I’m overall pretty happy with my current setup. My VPS shows almost no CPU usage when I’m running network intensive tasks. In the future I hope to investigate ways to use strongSwan with Let’s Encrypt. There is a lot of information here, but I suspect it needs more maintenance in the long run because the certificates need to be renewed.