In recent months due to the Covid-19 crisis, the need for remote work has knocked on the door of many companies. In order to keep their teams functioning they adapted to safety measures by urgently transitioning to work from home. They have started communicating mainly through Skype, Zoom, Webex, Google Meet and more while getting organised through Trello, Jira or Asana. At the same time, security should always be number one priority that’s where VPN comes in.
In order to protect its systems and communications, a company should allow admission exclusively to its employees, excluding everyone else. This can be achieved through VPN! What is VPN and how can a company create a basic VPN service while using exclusively free software? Read this blog post to find out all you need to know.
What is a VPN
Imagine a virtual bridge which connects the user (employee) with the company (system). To be able to cross this bridge, you need a username and a password while all the communication is encrypted. This network is called VPN (Virtual Private NetWork).
The majority of domestic networks (where we mainly work these days) don’t support a static IP -it constantly changes. Consequently, a company cannot allow or exclude from its firewall a specific IP or network. In order for someone to be able to work remotely, there are huge compromises concerning security.
VPN step by step
If you’ve got some technical skills, this manual will help you create a small VPN server with a static IP, so that each one of your employees can work remotely as securely as possible. A VPN’s ingredients are a client, a proxy server and a domain.
We picked the strongSwan IKEv2 because its client is compatible with Windows και MacOS and can be easily installed to all linux distributions.
As far as a proxy server is concerned, we need a small VPS such as a NASH with Centos 8. Finally, we need a domain or a subdomain. Our domain or our subdomain makes things easier since we can activate a Let’s Encrypt and avoid issuing certificates ourselves.
But let us get things in the right order.
- VPS with Centos 8
- Root access
- with A record on its VPS’ IP
- Install strongSwan IKEv2
- Issue certificates
- Set strongSwan
- Set NAT Firewall
- Set Port Portwarding
- Certificates auto renewa
Installing strongSwan IKEv2
At first, we install the epel repo included in strongSwan and then we install the strongSwan plan itself.
dnf install epel-release dnf install strongswan
Once we own a domain or a subdomain, we can use Let’s Encrypt in order to issue certificates. If this is not the case, we will need to issue and sign our own certificates ourselves while also installing the CA certificate to our local computer.
wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto chmod +x /usr/local/bin/certbot-auto
We set the firewall to accept http and https connections so that it can confirm the Let’s encrypt domain or subdomain.
firewall-cmd --add-service=http --permanent firewall-cmd --add-service=https --permanent firewall-cmd --reload
We issue a certificate. For example our domain in this case would be ikev2.mydomain.tld
certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email email@example.com -d ikev2.mydomain.tld
Then, we copy the certificates to the respective strongSwan files
cp /etc/letsencrypt/live/ikev2.mydomain.tld/fullchain.pem /etc/strongswan/ipsec.d/certs/ cp /etc/letsencrypt/live/ikev2.mydomain.tld/privkey.pem /etc/strongswan/ipsec.d/private/ cp /etc/letsencrypt/live/ikev2.mydomain.tld/chain.pem /etc/strongswan/ipsec.d/cacerts/
First, we keep a copy of the service’s default settings
cd /etc/strongswan/ mv ipsec.conf ipsec.conf.bak
Then, we open the empty ipsec.conf file
And inside it, we copy the below
config setup charondebug="ike 1, knl 1, cfg 0" uniqueids=no #define new ipsec connection conn my-vpn auto=add compress=no type=tunnel keyexchange=ikev2 ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024! esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1! fragmentation=yes forceencaps=yes dpdaction=clear dpddelay=300s rekey=no left=%any firstname.lastname@example.org # ← Προσοχή εδώ να μπει το domain leftcert=fullchain.pem leftsendcert=always leftsubnet=0.0.0.0/0 right=%any rightid=%any rightauth=eap-mschapv2 rightsourceip=10.255.250.0/24 rightdns=126.96.36.199,188.8.131.52 rightsendcert=never eap_identity=%identity
Following that, we open the ipsec.secrets file and we add the following lines with the users that we want.
: RSA "privkey.pem" user1 : EAP "password1" user2 : EAP “password2”
By choosing to keep the users into a text file, locally, makes things easier and faster. StrongSwan though has extra plugins for a radius and a mysql connection. They can be used for the connection of the service to centralised systems of users administration.
We activate the service in the boot and we run it so it gets the above settings.
systemctl enable strongswan systemctl restart strongswan
Setting NAT Firewall
We activate the nat and set the respective firewall
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept' firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept' firewall-cmd --zone=public --permanent --add-port=500/udp firewall-cmd --zone=public --permanent --add-port=4500/udp firewall-cmd --zone=public --permanent --add-service="ipsec" firewall-cmd --zone=public --permanent --add-masquerade firewall-cmd --reload
Setting Port Portwarding
We activate the port forward to the core by adding to the file /etc/sysctl.conf the following lines,
net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0
We then run the following command so that the changes pass in the core
Then, we restart our service
systemctl restart strongswan
Everything is now ready and our service is running with the possibility of accepting connections. We can verify it by running at first,
systemctl status strongswan
dnf install net-tools netstat -plntu
There we are expecting to see the 68, 4500 and 500 udp gates open.
Certificates auto renewal
The Let’s Encrypt certificates expire every 3 months. Ιn order for it to be renewed automatically but also update the service when needed, we will create a cron job. We open the file /etc/crontab and add the line below,
* */12 * * * /usr/local/bin/certbot-auto renew --post-hook "/usr/local/bin/renew.sh" --quiet
We then create the file /usr/local/bin/renew.sh and add the below,
#!/bin/bash cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/fullchain.pem /etc/strongswan/ipsec.d/certs/ cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/privkey.pem /etc/strongswan/ipsec.d/private/ cp -f /etc/letsencrypt/live/ikev2.mydomain.tld/chain.pem /etc/strongswan/ipsec.d/cacerts/ systemctl restart strongswan
To finish, we make the file executable so that cron can run it.
chmod +x /usr/local/bin/renew.sh
A few words
Creating a VPN is very important especially if your team is working and communicating remotely. We hope that this manual is helpful and that you will enjoy creating your own VPN with free software!