[strongSwan] Build a complete strongSwan configuration in 30 minutes!

bls s bls3427 at outlook.com
Sat Jan 18 20:27:46 CET 2020

[Posting this for others who may be interested in getting started with strongSwan with a near-zero learning curve]

Looking for a quick and easy way to set up a strongSwan VPN for testing, proof-of-concepts, etc? pistrong may be what you need. It's not a solution for corporate VPN implementations, or for many of the complex configurations that people write about on this DL, but some potential strongSwan users may find this to be an attractive way to get started with strongSwan.

pistrong WILL make the simple Roadwarrior and site-to-site VPN configuration (with strongSwan on both ends) trivial.

pistrong is a command-line management tool for strongSwan. It is:

* Easy to Install - A separate Install script installs strongSwan and required Python modules if needed. Zero to connected Client in way less than an hour.

* Easy to Configure - A Certificate Authority supporting iOS, Windows, and Linux Clients can be built in just a few minutes. (NOTE: MacOS and Android devices both work with strongSwan. I don't mention them here since I don't have any to use for testing. Any volunteers to help test and document MacOS and Android?)

* Easy to be Secure - Easy to configure, implement, and manage secure certificate-based authentication

* Easy to Use - Standard command line parsing with lots of help and complete documentation

* Easy to Install Certs onto Client Devices

  * pistrong can send email with links to the cert files, or you can get them via a file transfer mechanism (samba, ftp, rsync, USB stick, etc).
  * Simple and fully documented client Cert installation for iOS, Linux, and Windows systems
  * pistrong Linux VPN Cert Packs are easy to create and install on a Linux Client VPN system
  * Flexible but prescriptive naming conventions minimize frustration and maximize sanity retention and success

Creating a Cert for a new device is super-simple:

  vpnserver/usr/local/bin# pistrong add bls --dev ipad --remoteid ios.mydomain.net --mail bls@mydomain.net
  % Copying '/etc/swanctl/p12/bls-ipad-vpnserver.p12' to '/var/www/html/vpn/bls-ipad-vpnserver.p12'
  % Copying '/etc/swanctl/x509ca/strongSwanCACert.pem' to '/var/www/html/vpn/strongSwanCACert.pem'
  % Mail sent to bls@mydomain.net
  % Added bls-ipad with Remote ID 'ios.mydomain.net' using CA Cert strongSwan

And here's the email content that was sent:

  Root CA cert:             http://vpnserver.mydomain.net/vpn/strongSwanCACert.pem
  Your device certificate:  http://vpnserver.mydomain.net/vpn/bls-ipad-vpnserver.p12

  iOS devices: Browse the links to install both certificates (Install CA Cert first).
    Then create a new IKEv2 VPN connection using the iOS profile bls-ipad-vpnserver@myvpn.net
    and this information:
          Server:    vpnserver.mydomain.net
          Remote ID: ios.mydomain.net
          Local ID:  bls-ipad-vpnserver@myvpn.net
    And select the newly-installed device certificate.

  Other devices: See the CertInstall.md guide at https://github.com/gitbls/pistrong
  for details on importing the certificate onto your device and creating the VPN configuration

  The password for this certificate is in a separate email message

To be clear, the password referred to is the password required to install the Certificate. Once the Cert is successfully installed onto the device, no further password is needed to use the VPN.
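To make concrete what the two mailed files are and what a client actually checks with them, here is an added example (not pistrong's code, and not how pistrong builds its CA). It uses openssl to build a throwaway CA, a server certificate and a device certificate with the names from the email above, packs the device certificate into a password-protected .p12 as the email describes, and then runs the checks that matter: the .p12 opens only with the mailed password, the device certificate chains to strongSwanCACert.pem, and the Remote ID ios.mydomain.net is present in the server certificate's subjectAltName, which is what an IKEv2 client (iOS in particular) compares the Remote ID against. The server certificate file name server.pem, the RSA-2048 keys and the p12 password are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not part of pistrong: a throwaway PKI shaped like the cert pack
# described in the email above, plus the checks a client makes when it installs
# the two files and connects. Names come from the post; the server certificate
# file name (server.pem), RSA-2048 keys and the p12 password are constructed.
set -eu

REMOTE_ID="ios.mydomain.net"              # Remote ID the client is told to enter
LOCAL_ID="bls-ipad-vpnserver@myvpn.net"   # Local ID (the device's IKE identity)
P12_PASS="constructed-demo-password"      # mailed separately, per the post

# sign_csr DIR CSR EXTFILE OUT: issue a certificate from the demo CA in DIR
sign_csr() {
  openssl x509 -req -in "$2" -CA "$1/strongSwanCACert.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$4" 2>/dev/null
}

# make_demo_pki DIR: CA, server cert (SAN = Remote ID), device cert (SAN = Local ID),
# and the device cert packed with the CA cert into a password-protected .p12
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=strongSwan Root CA" \
    -keyout "$dir/ca.key" -out "$dir/strongSwanCACert.pem" 2>/dev/null
  # IKEv2 peers are matched by their identity against the certificate's SAN;
  # iOS rejects the responder if the Remote ID is not listed there. The EKUs are
  # the ones Windows and iOS clients commonly expect on an IKEv2 server cert.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$REMOTE_ID" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
    "$REMOTE_ID" > "$dir/server.ext"
  sign_csr "$dir" "$dir/server.csr" "$dir/server.ext" "$dir/server.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$LOCAL_ID" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'subjectAltName=email:%s\nextendedKeyUsage=clientAuth\n' "$LOCAL_ID" > "$dir/client.ext"
  sign_csr "$dir" "$dir/client.csr" "$dir/client.ext" "$dir/client.pem"
  openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
    -certfile "$dir/strongSwanCACert.pem" -name "bls-ipad-vpnserver" \
    -passout "pass:$P12_PASS" -out "$dir/bls-ipad-vpnserver.p12"
}

# p12_opens P12 PASSWORD: succeeds only if PASSWORD unlocks the cert pack
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts >/dev/null 2>&1
}

# cert_chains CERT CAFILE: succeeds if CERT was issued under CAFILE
cert_chains() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# id_in_san CERT ID: succeeds if ID is a DNS or email entry in CERT's subjectAltName
id_in_san() {
  pattern=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  openssl x509 -in "$1" -noout -text | grep -qE "(DNS|email):${pattern}(,|$)"
}

demo() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  p12_opens "$dir/bls-ipad-vpnserver.p12" "$P12_PASS" && echo "ok: .p12 opens with the mailed password"
  p12_opens "$dir/bls-ipad-vpnserver.p12" "guess"     || echo "ok: .p12 rejects a wrong password"
  cert_chains "$dir/client.pem" "$dir/strongSwanCACert.pem" && echo "ok: device cert chains to strongSwanCACert.pem"
  id_in_san "$dir/server.pem" "$REMOTE_ID" && echo "ok: Remote ID $REMOTE_ID is in the server cert SAN"
  # The Server address only says where packets go; iOS matches the Remote ID, not it
  id_in_san "$dir/server.pem" "vpnserver.mydomain.net" || echo "note: vpnserver.mydomain.net is not in the SAN, and need not be"
  rm -rf "$dir"
}
demo
```

Run it with sh on any host with OpenSSL 1.1.1 or later. The last check is expected to fail: with a distinct Remote ID configured, the hostname in the Server field does not have to appear in the certificate, which is also why a changing external IP address (mentioned further down) only forces a reissue if the IP itself is the identity.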

In the interest of full disclosure, pistrong has a couple of shortcomings:

* Although I tried, I couldn't completely eliminate ALL config file editing. A minimal bit of config file editing is necessary to set up the required firewall rules. Linux firewall configuration can be done in many ways, so the Installer doesn't try to divine how your system firewall is configured. But it does build a file with the rules, making it more-or-less a cut-and-paste edit.

* No GUI. If you've typed any commands at the Linux command line, you'll likely be successful in implementing a strongSwan/pistrong VPN. A robust command line simplifies scripting, for instance, batch building Certs for many users.

* Minimal connection monitoring/management. I've been focusing on building robust and secure connections, and relying on the system journal/log for monitoring. fail2ban can be used to monitor and block failed connection attempts and alert on successful connections. I will share my fail2ban configuration additions if there's interest.

* Many distros don't carry the correct version of strongSwan. The Install script will install strongSwan from source (which is where most of the Install time is spent). The installer takes about 10 minutes to build and install strongSwan on a Raspberry Pi4. If the correct version of strongSwan is already installed, you don't need to reinstall it.

* Your router still needs to be configured to forward UDP ports 500 and 4500 to your VPN server.

* If using an external IP address instead of a DNS name to access the VPN and the external IP address changes, all the Certs must be recreated/reinstalled. This can be easily avoided by using dynamic DNS service (or a static external IP address)
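Since the firewall rules are the one part the post leaves to you, and the router forward of UDP 500 and 4500 only matters if the host then accepts that traffic, here is an added example of the rule set a strongSwan road-warrior responder needs. It is not the rules file the pistrong installer writes; it prints iptables commands for review rather than applying them, assumes the FORWARD chain's default policy is DROP, and the WAN interface name and client address pool are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the rules file pistrong's installer writes: iptables rules for a
# strongSwan road-warrior responder, printed for review rather than applied, because
# how they fit the host's own firewall setup is left to you. The WAN interface and
# client pool are constructed placeholders; FORWARD is assumed to default to DROP.
set -eu

# vpn_rules WAN_IF CLIENT_POOL: print the commands; pipe to sh (as root) to apply
vpn_rules() {
  wan=$1
  pool=$2
  cat <<EOF
# the kernel must route between the client pool and the LAN
sysctl -w net.ipv4.ip_forward=1
# IKE (500) and NAT-T (4500) arrive from the router's port forwards; accept both,
# plus raw ESP for peers that are not behind NAT
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan -p esp -j ACCEPT
# forward pool traffic only if it was really decrypted from an IPsec SA (--dir in)
# or is about to be encrypted into one (--dir out); a spoofed cleartext packet
# from the pool range arriving on $wan matches neither and hits the DROP policy
iptables -A FORWARD -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# give clients internet access via the server's address, but never NAT a packet
# that is headed into another tunnel (--pol none), or a site-to-site SA added
# later would see the wrong source address and drop it
iptables -t nat -A POSTROUTING -s $pool -o $wan -m policy --dir out --pol none -j MASQUERADE
EOF
}

# rule_count WAN_IF CLIENT_POOL: number of iptables commands emitted
rule_count() {
  vpn_rules "$1" "$2" | grep -c '^iptables '
}

vpn_rules eth0 10.10.10.0/24
```

The policy match is the part worth keeping even if you translate these into nftables or a distro firewall front end: without it, FORWARD and MASQUERADE rules keyed only on the pool address trust any packet that claims a pool source.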

A little more info about pistrong

pistrong consists of four scripts. Three of them are installation and configuration scripts that you'll rarely use. 

* InstallPiStrong - Installs strongSwan and the required Python modules

* makeMyCA - Configures and Builds a Certificate Authority (CA) for client devices

* makeTunnel - Configures and Builds a site-to-site or host-to-host Tunnel configuration to connect two Linux hosts together with (site-to-site) or without (host-to-host) remote LAN access (Coming soon!)

* pistrong - VPN Certificate manager

Still reading? Awesome!

I recently helped a friend of mine build a site-to-site strongSwan/pistrong tunnel between his home and a site in the mountains, connected via HughesNet Gen 5 satellite internet. It took less than an hour to install, configure, and test, and it works great!

Read more about pistrong and grab it at https://github.com/gitbls/pistrong
