vpn:linux_server

Install packages

apt install strongswan strongswan-pki libcharon-extra-plugins netfilter-persistent iptables-persistent

Generate CA and certificates

ipsec pki --gen --type ecdsa --outform pem > vpn_ca_key.pem
ipsec pki --self --in vpn_ca_key.pem --type ecdsa --dn "C=US, O=Testig Ltd., CN=Root CA" --ca --lifetime 3650 --outform pem > vpn_ca_cert.pem
ipsec pki --gen --type ecdsa --outform pem > vpn_server_key.pem
ipsec pki --pub --in vpn_server_key.pem --type ecdsa > vpn_server_pub_key.pem
ipsec pki --issue --in vpn_server_pub_key.pem --lifetime 3650 --cacert vpn_ca_cert.pem --cakey vpn_ca_key.pem --dn "CN=FQDN" --san="FQDN" --flag serverAuth --flag ikeIntermediate --outform pem > vpn_server_cert.pem

Move certs

mv vpn_ca_cert.pem /etc/ipsec.d/cacerts/
mv vpn_server_cert.pem /etc/ipsec.d/certs/
mv vpn_server_key.pem /etc/ipsec.d/private/

Change ipsec conf

# cat /etc/ipsec.conf 
 
config setup
        strictcrlpolicy=no
        uniqueids=no
 
conn ipsec-ikev2-vpn
        ike=aes256gcm16-aes192gcm16-chacha20poly1305-prfsha512-prfsha256-ecp521-ecp256,aes256-sha512-sha256-prfsha512-prfsha256-modp3072-modp2048-modp1024-ecp521!
        esp=aes256gcm16-aes192gcm16-chacha20poly1305-ecp521-ecp256-modp3072-modp2048,aes256-sha512-sha256-modp3072-modp2048!
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@FQDN
        leftcert=vpn_server_cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=172.16.15.2/24
        rightdns=1.1.1.1,8.8.8.8
        rightsendcert=always
        eap_identity=%identity

Change ipsec secrets conf

# cat /etc/ipsec.secrets
: ECDSA vpn_server_key.pem
USER1 : EAP "PASSWORD1"
USER2 : EAP "PASSWORD2"
...

Add changes to sysctl

net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1

Iptables rules

iptables -t nat -A POSTROUTING -s 172.16.15.0/24 ! -d 172.16.15.0/24 -j SNAT --to-source SERVER_IP
iptables -t mangle -A FORWARD -s 172.16.15.0/24 -o SERVER_MAIN_ETH -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

Clients must connect to FQDN with vpn_ca_cert.pem and credentials.