Create your own VPN: how to work from home securely

In recent months due to the Covid-19 crisis, the need for remote work has knocked on the door of many companies. In order to keep their teams functioning they adapted to safety measures by urgently transitioning to work from home. They have started communicating mainly through Skype, Zoom, Webex, Google Meet and more while getting organised through Trello, Jira or Asana. At the same time, security should always be number one priority that’s where VPN comes in.

In order to protect its systems and communications, a company should allow admission exclusively to its employees, excluding everyone else. This can be achieved through VPN! What is VPN and how can a company create a basic VPN service while using exclusively free software? Read this blog post to find out all you need to know.

What is a VPN

Imagine a virtual bridge which connects the user (employee) with the company (system). To be able to cross this bridge, you need a username and a password while all the communication is encrypted. This network is called VPN (Virtual Private NetWork).
The majority of domestic networks (where we mainly work these days) don’t support a static IP -it constantly changes. Consequently, a company cannot allow or exclude from its firewall a specific IP or network. In order for someone to be able to work remotely, there are huge compromises concerning security.

VPN step by step

If you’ve got some technical skills, this manual will help you create a small VPN server with a static IP, so that each one of your employees can work remotely as securely as possible. A VPN’s ingredients are a client, a proxy server and a domain.
We picked the strongSwan IKEv2 because its client is compatible with Windows και MacOS and can be easily installed to all linux distributions.
As far as a proxy server is concerned, we need a small VPS such as a NASH with Centos 8. Finally, we need a domain or a subdomain. Our domain or our subdomain makes things easier since we can activate a Let’s Encrypt and avoid issuing certificates ourselves.

But let us get things in the right order.

Requirements:

• VPS with Centos 8
• Root access
• with A record on its VPS’ IP

Steps:

• Install strongSwan IKEv2
• Issue certificates
• Set strongSwan
• Set NAT Firewall
• Set Port Portwarding
• Certificates auto renewa

Installing strongSwan IKEv2

At first, we install the epel repo included in strongSwan and then we install the strongSwan plan itself.

dnf install epel-release
dnf install strongswan

Issuing certificates

Once we own a domain or a subdomain, we can use Let’s Encrypt in order to issue certificates. If this is not the case, we will need to issue and sign our own certificates ourselves while also installing the CA certificate to our local computer.

wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
chmod +x /usr/local/bin/certbot-auto

We set the firewall to accept http and https connections so that it can confirm the Let’s encrypt domain or subdomain.

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

We issue a certificate. For example our domain in this case would be ikev2.mydomain.tld

certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d ikev2.mydomain.tld

Then, we copy the certificates to the respective strongSwan files

cp /etc/letsencrypt/live/ikev2.mydomain.tld/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/ikev2.mydomain.tld/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/ikev2.mydomain.tld/chain.pem /etc/strongswan/ipsec.d/cacerts/

Setting strongSwan

First, we keep a copy of the service’s default settings

cd /etc/strongswan/
mv ipsec.conf ipsec.conf.bak

Then, we open the empty ipsec.conf file

vim ipsec.conf

And inside it, we copy the below

config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no

#define new ipsec connection
conn my-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
[email protected]  # ← Προσοχή εδώ να μπει το domain 
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.255.250.0/24
rightdns=1.1.1.1,8.8.8.8
rightsendcert=never
eap_identity=%identity

Following that, we open the ipsec.secrets file and we add the following lines with the users that we want.

: RSA "privkey.pem"
user1 : EAP "password1"
user2 : EAP “password2”

By choosing to keep the users into a text file, locally, makes things easier and faster. StrongSwan though has extra plugins for a radius and a mysql connection. They can be used for the connection of the service to centralised systems of users administration.
We activate the service in the boot and we run it so it gets the above settings.

systemctl enable strongswan
systemctl restart strongswan

Setting NAT Firewall

We activate the nat and set the respective firewall

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload	

Setting Port Portwarding

We activate the port forward to the core by adding to the file /etc/sysctl.conf the following lines,

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

We then run the following command so that the changes pass in the core

sysctl -p

Then, we restart our service

systemctl restart strongswan

Everything is now ready and our service is running with the possibility of accepting connections. We can verify it by running at first,

systemctl status strongswan

And then

dnf install net-tools
netstat -plntu

There we are expecting to see the 68, 4500 and 500 udp gates open.

Certificates auto renewal

The Let’s Encrypt certificates expire every 3 months. Ιn order for it to be renewed automatically but also update the service when needed, we will create a cron job. We open the file /etc/crontab and add the line below,

* */12 * * * /usr/local/bin/certbot-auto renew --post-hook "/usr/local/bin/renew.sh" --quiet

We then create the file /usr/local/bin/renew.sh and add the below,

#!/bin/bash
cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/privkey.pem /etc/strongswan/ipsec.d/private/
cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/chain.pem /etc/strongswan/ipsec.d/cacerts/
systemctl restart strongswan

To finish, we make the file executable so that cron can run it.

chmod +x /usr/local/bin/renew.sh

A few words

Creating a VPN is very important especially if your team is working and communicating remotely. We hope that this manual is helpful and that you will enjoy creating your own VPN with free software!