Differences
This shows you the differences between two versions of the page.
| strongswan_certificates [2018/10/13 16:35] – [/etc/ipsec.d/mk_server.sh] oskarirauta | inbox:strongswan_certificates [2019/05/12 12:40] – [Client configuration] marcolabreu | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| [[https:// | [[https:// | ||
| - | ====== Read me first ====== | + | ===== Read me first ===== |
| This is a tested example which should allow anyone to easily setup a secure and working VPN server. | This is a tested example which should allow anyone to easily setup a secure and working VPN server. | ||
| - | In these examples lan is 192.168.0.0/ | + | In these examples lan is 192.168.0.0/ |
| / | / | ||
| Line 39: | Line 39: | ||
| Otherwise, you just could copy & paste ;) | Otherwise, you just could copy & paste ;) | ||
| Connectivity has been tested on Mac OS X and iPhone, and there should not be any problems with Android and Windows either. | Connectivity has been tested on Mac OS X and iPhone, and there should not be any problems with Android and Windows either. | ||
| - | ====== Connectivity issue with dynamic IP address | + | |
| + | ===== Connectivity issue with dynamic IP address ===== | ||
| In case that you have a dynamic IP, you might face some connectivity issues after IP address has changed/ | In case that you have a dynamic IP, you might face some connectivity issues after IP address has changed/ | ||
| - | ====== Packages | + | ===== Packages ===== |
| Install necessary packages. | Install necessary packages. | ||
| opkg update | opkg update | ||
| - | opkg install strongswan-default strongswan-pki ipset strongswan-mod-openssl strongswan-mod-curl strongswan-mod-dhcp strongswan-mod-eap-tls strongswan-mod-eap-identity strongswan-mod-kernel-libipsec kmod-tun openssl-util strongswan-mod-test-vectors strongswan-mod-farp | + | opkg install |
| - | ====== / | + | |
| + | Also, for dynamic DHCP to work, you need to use full version of dnsmasq. | ||
| + | / | ||
| + | opkg remove dnsmasq | ||
| + | opkg install dnsmasq-full | ||
| + | / | ||
| + | |||
| + | |||
| + | ===== / | ||
| Define ipsec interface | Define ipsec interface | ||
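Review bot: `opkg remove dnsmasq` followed by `opkg install dnsmasq-full` takes the LAN's DNS and DHCP down between the two commands, so the text should tell readers to run it from a console session (or a static-IP host) rather than over a link that depends on the router's DHCP, or at least to expect a short outage. The post-change package list on the right is cut off in this view, so a reader cannot confirm which of the strongswan-mod-* packages survived the edit; the pre-change list also pulls in `strongswan-mod-test-vectors`, a crypto self-test plugin that a production VPN server does not need.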
| Line 59: | Line 68: | ||
| option peerdns ' | option peerdns ' | ||
| option ipv6 ' | option ipv6 ' | ||
| - | ====== / | + | |
| + | ===== / | ||
| Append policy rules. | Append policy rules. | ||
| Line 67: | Line 77: | ||
| iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT | iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT | ||
| iptables -I OUTPUT | iptables -I OUTPUT | ||
| - | ====== / | + | |
| + | ===== / | ||
| Create vpn zone | Create vpn zone | ||
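Review bot: the `iptables -I ... -m policy --pol ipsec --proto esp -j ACCEPT` rules are inserted at the head of FORWARD and OUTPUT, so they take precedence over the fw3 zone rules. That is intended, but it means any packet that matched an IPsec SA is forwarded regardless of how the vpn zone defined below is configured; which subnets a client can reach is then decided by the traffic selectors negotiated from ipsec.conf, not by the zone policy, and the text should say so. Only the `--dir out` FORWARD rule is visible here; confirm the matching `--dir in` rule is present, or return traffic toward the clients is still subject to the zone rules.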
| Line 139: | Line 150: | ||
| option family ' | option family ' | ||
| option target ' | option target ' | ||
| - | ====== / | + | |
| + | ===== / | ||
| Replace init script contents with following simple script (provided script uses / | Replace init script contents with following simple script (provided script uses / | ||
| Line 181: | Line 193: | ||
| procd_close_instance | procd_close_instance | ||
| } | } | ||
| - | ====== / | + | |
| + | ===== / | ||
| # / | # / | ||
| : RSA host-vpn.der | : RSA host-vpn.der | ||
| - | ====== / | + | ===== / |
| # ipsec.conf - strongSwan IPsec configuration file | # ipsec.conf - strongSwan IPsec configuration file | ||
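Review bot: `: RSA host-vpn.der` in ipsec.secrets uses an empty selector, so this key is offered for every local identity; that is fine for a single-host server, but nothing on the page sets or checks file permissions, and both ipsec.secrets and the key under /etc/ipsec.d/private/ must be root-owned and mode 600 (strongSwan warns about, but does not refuse, world-readable secrets). The key file name here also has to match what mk_server.sh writes, so the two sections should use the same literal name.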
| Line 219: | Line 232: | ||
| forceencaps = yes | forceencaps = yes | ||
| auto = add | auto = add | ||
| - | ====== / | + | |
| + | ===== / | ||
| # strongswan.conf - strongSwan configuration file | # strongswan.conf - strongSwan configuration file | ||
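Review bot: `forceencaps = yes` makes charon use UDP encapsulation on port 4500 even when no NAT is detected, which is the right call for mobile clients behind carrier NAT, but it only works if the WAN zone accepts UDP 500 and 4500; the firewall hunks shown here are truncated, so the text should state that requirement explicitly. `auto = add` is correct for a responder-only server (the conn is loaded, never initiated) and is worth a one-line comment so nobody changes it to `start`.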
| Line 234: | Line 248: | ||
| dhcp { | dhcp { | ||
| force_server_address = yes | force_server_address = yes | ||
| + | # | ||
| + | # uncomment the line above if log shows that DHCP | ||
| + | # offer can't be accepted | ||
| identity_lease = yes | identity_lease = yes | ||
| server = 192.168.255.255 | server = 192.168.255.255 | ||
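Review bot: the option added above `identity_lease = yes` is cut off (only `#` survives), so the comment "uncomment the line above if log shows that DHCP offer can't be accepted" has nothing readable to point at; spell out the option name. `force_server_address = yes` makes the dhcp plugin send to `server = 192.168.255.255` unconditionally, which only reaches dnsmasq if that is the directed broadcast of the LAN interface it listens on, i.e. if the lan prefix is really 192.168.0.0/16; the prefix length is cut off in the "Read me first" hunk, and with a /24 lan the address would have to be 192.168.0.255. `identity_lease = yes` ties leases to the IKE identity, so a client keeps the same address across reconnects; that is the property the rest of the setup relies on and deserves a sentence.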
| Line 255: | Line 272: | ||
| include strongswan.d/ | include strongswan.d/ | ||
| - | ====== Tools for certificates | + | |
| + | ===== Tools for certificates ===== | ||
| Following scripts are provided for certificate operations: | Following scripts are provided for certificate operations: | ||
| Line 264: | Line 282: | ||
| After generating server certificates, | After generating server certificates, | ||
| - | ====== / | + | ===== / |
| #!/bin/sh | #!/bin/sh | ||
| rm / | rm / | ||
| - | ====== / | + | |
| + | ===== / | ||
| #!/bin/sh | #!/bin/sh | ||
| Line 279: | Line 298: | ||
| COUNTRY=" | COUNTRY=" | ||
| ORG=" | ORG=" | ||
| + | #Change above to your org and country code | ||
| VALIDDAYS=" | VALIDDAYS=" | ||
| Line 296: | Line 316: | ||
| ipsec pki --pub --in private/ | ipsec pki --pub --in private/ | ||
| ipsec pki --print --in certs/ | ipsec pki --print --in certs/ | ||
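Review bot: the added "#Change above to your org and country code" comment covers COUNTRY and ORG but nothing in the hunk says what identity the server certificate must carry. The value embedded here is what the Client configuration section later calls SRVNAME and what clients configure as Remote ID; for iOS/macOS clients it must be present as a subjectAltName, not only in the DN, or the client rejects the server. The trailing `ipsec pki --print --in certs/...` is the natural place to tell readers to verify that. Naming is also inconsistent: the revision summary calls the script `mk_server.sh`, the client section `mk-server.sh`.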
| - | ====== / | + | |
| + | ===== / | ||
| #!/bin/sh | #!/bin/sh | ||
| Line 302: | Line 323: | ||
| COUNTRY=" | COUNTRY=" | ||
| ORG=" | ORG=" | ||
| + | |||
| LIFETIME=" | LIFETIME=" | ||
| Line 330: | Line 352: | ||
| openssl x509 -inform DER -in certs/ | openssl x509 -inform DER -in certs/ | ||
| openssl pkcs12 -export -inkey private/ | openssl pkcs12 -export -inkey private/ | ||
| - | ====== Client configuration | + | |
| + | ===== Client configuration ===== | ||
| Create client certificate with client.sh ( or manually if you want to.. ). Needed certificates: | Create client certificate with client.sh ( or manually if you want to.. ). Needed certificates: | ||
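Review bot: `openssl pkcs12 -export -inkey private/...` bundles the client's private key into the .p12, so the export password `openssl` prompts for is the only thing protecting that key while the file is mailed or scp'd to the device, as the Client configuration section suggests. The script should refuse an empty password (or set one via `-passout`) and the text should tell readers to send the password out of band. The `openssl x509 -inform DER` step converts the DER certificate written by `ipsec pki` to PEM for the pkcs12 export; say so, or someone will drop it as redundant.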
| Line 336: | Line 359: | ||
| - p12/ | - p12/ | ||
| - | Where USERID is what you entered when using **mk-client.sh** | + | Where SRVNAME is what was used on **mk-server.sh**, |
| Copy these certificates to client device somehow (mail them, scp them, etc..) and install them (as trusted). | Copy these certificates to client device somehow (mail them, scp them, etc..) and install them (as trusted). | ||
| Line 342: | Line 365: | ||
| VPN Type: | VPN Type: | ||
| - | Server Address: | + | Server Address: |
| - | Remote ID: server domain | + | Remote ID: SRVNAME |
| Local ID: USERID | Local ID: USERID | ||
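Review bot: changing "Remote ID: server domain" to "Remote ID: SRVNAME" is correct only if SRVNAME is the identity actually embedded in the server certificate (and, for iOS/macOS, present as a subjectAltName); the text should state that the value used in mk-server.sh, the server's own identity in ipsec.conf and the client's Remote ID must be identical, otherwise the client fails with an identity mismatch. The rewritten sentence "Where SRVNAME is what was used on mk-server.sh," is cut off in this view; make sure it still defines USERID, which Local ID relies on two lines later. The script names here (mk-server.sh, mk-client.sh) also differ from mk_server.sh in the revision summary.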