A script to take Ubuntu Server 16.10 from clean install to production-ready IKEv2 VPN with strongSwan. The server is appropriately firewalled and configured for unattended upgrades.
- VPN server identifies itself with a Let's Encrypt certificate (no private CA certificate has to be installed on clients)
- VPN users authenticate simply with username and password (EAP-MSCHAPv2)
- A `.mobileconfig` profile is generated for Mac and iOS, to set up secure ciphers and Connect on Demand support
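For readers who want to see what the feature list above amounts to on the server side, here is an added example of a strongSwan IKEv2 configuration that matches it: server authenticated by a Let's Encrypt certificate, clients authenticated by username and password over EAP-MSCHAPv2, and a strict set of ciphers. It is written for this page and is not the script's own output. The hostname `vpn.example.com`, the client address pool, the DNS servers and the user `alice` are placeholders; the file names `cert.pem` and `privkey.pem` assume the certbot output has been copied into `/etc/ipsec.d/certs/` and `/etc/ipsec.d/private/`, and the Let's Encrypt intermediate into `/etc/ipsec.d/cacerts/` so the full chain is sent to clients.

```conf
# /etc/ipsec.conf  (added example, not the script's own output)
config setup
    # allow the same user to be connected from several devices at once
    uniqueids=never

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    # IKE fragmentation and forced UDP encapsulation keep the large
    # certificate payload and the ESP traffic working across NAT and
    # MTU-limited paths
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    # let the client drive rekeying; the built-in mobile clients expect this
    rekey=no
    # the trailing '!' makes these the only proposals accepted. The built-in
    # Windows 10 client offers weaker defaults and must be configured on the
    # client side to propose these.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%any
    # assumed hostname: must match a DNS name in the Let's Encrypt certificate,
    # because clients verify the server identity against it
    leftid=@vpn.example.com
    leftcert=cert.pem
    leftsendcert=always
    # route all client traffic through the tunnel
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # assumed pool of virtual addresses and resolvers handed to clients
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

# /etc/ipsec.secrets  (added example; credentials are placeholders)
# private key matching cert.pem, assumed in /etc/ipsec.d/private/
: RSA privkey.pem
# one line per VPN user:  <username> : EAP "<password>"
alice : EAP "correct-horse-battery-staple-9Qz"
```

Two things to check after loading this: `ipsec listcerts` should show the server certificate with the intermediate it chains to, otherwise clients will reject the identity, and the value of `leftid` must be the name the client is told to connect to, since a mismatch fails authentication even when the certificate is otherwise valid. Because `leftsubnet=0.0.0.0/0` routes all client traffic through the server, the firewall also needs IP forwarding enabled and NAT for the `rightsourceip` pool, which is what the page's "appropriately firewalled" setup covers.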
Comments and pull requests welcomed.
- The VPN configuration is tested working with OS X 10.12, Windows 10, iOS 10, and the Android strongSwan client.
- The script is tested working on VPSs from OVH and Linode.
- The script will not work unmodified on 16.04 LTS because the `certbot` package is outdated (and found under the name `letsencrypt`).
- It's also not recommended to use this unmodified on a server you use for anything else, as it does as it sees fit with various wider settings that may conflict with what you're doing.
Run `./setup.sh` as root and you'll be prompted to enter all the necessary details. You must use a strong password for the login user: the server is reachable from the whole internet, so a guessable password is all it takes for it to be compromised.
We use a similar setup as a corporate VPN at PSYT, and I use this to bounce my personal web browsing via Europe, in the hope of giving Theresa May's Investigatory Powers Bill the finger.
- Fair security
- Built-in clients for latest iOS, Mac and Windows (+ free install on Android)
- Connect on demand support on iOS and Mac
- Robust to connection switching and interruptions via MOBIKE
More at https://www.cl.cam.ac.uk/~mas90/resources/strongswan/ and https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/