Jeff M Belt

© 2018 - All Rights Reserved

Raspberry Pi IKEv2 VPN Server

Parts List

Sourced from http://www.adafruit.com

    •    Raspberry Pi 3 - Model B - ARMv8 with 1G RAM

    •    5V 2.4A Switching Power Supply with 20AWG MicroUSB Cable

    •    Pi Model B+ / Pi 2 / Pi 3 Case Base - Smoke Gray

    •    Raspberry Pi Model B+ / Pi 2 / Pi 3 Case Lid - Smoke Gray

    •    8GB SD Card with Raspbian Jessie Operating System

NOTE: A personal VPN with one or two connections runs perfectly well on the original Raspberry Pi 1; the Pi 3 is not required for performance.


Setting Up

Download raspbian-ua-netinst from here, flash your SD card with it, and follow the instructions from the site to install a minimal Raspbian. Once the installation is complete, do the following:

Install raspi-copies-and-fills, which replaces the C library's memcpy and memset with ARM-optimised versions for better memory-copy performance:

# apt-get install raspi-copies-and-fills

OPTIONAL: Create a swap file

# dd if=/dev/zero of=/swap bs=1M count=512 && chmod 600 /swap && mkswap /swap && swapon /swap

This example creates a 512MB file; the chmod runs before mkswap so the file is never readable by other users. Once done, enable it on boot by appending

/swap none swap sw 0 0

to /etc/fstab. Bear in mind that swap on an SD card is slow and wears the card; a strongSwan server with a handful of clients uses little memory and rarely needs it.

Feed the kernel's entropy pool from the SoC's hardware random number generator by installing rng-tools and loading the bcm2708-rng kernel module. A headless Pi with no keyboard, mouse or spinning disk gathers very little entropy on its own, and strongSwan reads /dev/random when it generates keys and nonces, so without a hardware source the daemon can stall waiting for entropy.

# apt-get install rng-tools

then add bcm2708-rng to /etc/modules

# echo 'bcm2708-rng' >> /etc/modules

On newer Raspberry Pi kernels the module is named bcm2835-rng instead. Either way, once rngd is running, /proc/sys/kernel/random/entropy_avail should stay close to its 4096-bit ceiling rather than hovering in the low hundreds.

Additionally, I recommend commenting out the snd-bcm2835 module in /etc/modules to decrease memory and resource usage; a VPN server has no use for the audio driver.

# sed -i -e 's/^snd-bcm2835/# snd-bcm2835/' /etc/modules

Update /etc/network/interfaces to give the Pi a static IP address. This example puts eth0 into a bridge, br0, which carries the address (the bridge_* options need the bridge-utils package); the post-up line pins the bridge's MAC address to the physical interface's so the Pi keeps the same layer-2 identity on your LAN:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_maxwait 0
    bridge_fd 0
    post-up ip link set br0 address {MAC address of physical interface}
    address {vpn server ip address}
    netmask {vpn server netmask}
    network {vpn server network}
    broadcast {vpn server broadcast address}
    gateway {vpn server gateway address}

allow-hotplug eth0
iface eth0 inet manual

When done, reboot your Pi, then update it to the latest packages and security patches.

# apt-get update && apt-get dist-upgrade

Install the VPN software packages. libcharon-extra-plugins supplies the eap-mschapv2 plugin that the configuration below relies on:

# apt-get install strongswan libcharon-extra-plugins

Setup certificates

See my write-up on Becoming your own X.509 Certificate Authority to generate the certificate files. strongSwan expects them in these locations:

/etc/ipsec.d/private/root-ca.key                # Root CA private key (not needed on the VPN server; see below)
/etc/ipsec.d/private/intermediate-ca.key        # Intermediate CA private key (likewise)
/etc/ipsec.d/private/vpn-privatekey.key         # VPN host private key (referenced from ipsec.secrets below)
/etc/ipsec.d/cacerts/rootca.crt                 # Root CA certificate
/etc/ipsec.d/cacerts/intermediate.crt           # Intermediate CA certificate
/etc/ipsec.d/certs/vpn-host-certificate.crt     # VPN host certificate

The server itself only needs its own private key plus the CA certificates that let it build the chain it sends to clients. The two CA private keys belong on the offline machine that runs your CA: an internet-facing VPN endpoint is the wrong place for them, because anyone who obtains them can mint certificates your clients trust.
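As an added example (mine, not the CA write-up the page refers to), the following script produces the files listed above with OpenSSL, using the two-tier root/intermediate CA the paths imply. The organisation name, the server name vpn.example.com and the output directory are assumptions; set leftid in ipsec.conf to whatever name or address you pass as the second argument. Two details matter for IKEv2 clients and are easy to get wrong with a generic CA how-to: the host certificate must carry the name clients connect to as a subjectAltName, and it must have the serverAuth extended key usage, which Windows insists on before it trusts an IKEv2 gateway.

```shell
#!/bin/sh
# Added example: build a root CA, an intermediate CA and an IKEv2 host
# certificate with OpenSSL, producing the files the page lists. The names
# (Example Org, vpn.example.com) and the output directory are assumptions.
set -eu

# make_vpn_pki OUTDIR SERVERNAME: writes the chain under OUTDIR. Only
# OUTDIR/server/* goes to the Pi; OUTDIR/root and OUTDIR/intermediate
# hold CA private keys and belong on an offline machine.
make_vpn_pki() (
    out=${1:-./pki}
    server_name=${2:-vpn.example.com}   # must equal leftid in ipsec.conf
    mkdir -p "$out/root" "$out/intermediate" "$out/server"
    umask 077                            # private keys come out as 0600

    # 1. Root CA: key and CSR, then self-signed with CA:TRUE.
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -subj "/O=Example Org/CN=Example Root CA" \
        -keyout "$out/root/root-ca.key" -out "$out/root/root.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$out/root/ext.cnf"
    openssl x509 -req -sha256 -days 3650 -in "$out/root/root.csr" \
        -signkey "$out/root/root-ca.key" -extfile "$out/root/ext.cnf" \
        -out "$out/root/rootca.crt"

    # 2. Intermediate CA, signed by the root. pathlen:0 means it may only
    #    issue end-entity certificates, never another CA.
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -subj "/O=Example Org/CN=Example Intermediate CA" \
        -keyout "$out/intermediate/intermediate-ca.key" \
        -out "$out/intermediate/intermediate.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
        > "$out/intermediate/ext.cnf"
    openssl x509 -req -sha256 -days 1825 -CAcreateserial \
        -in "$out/intermediate/intermediate.csr" \
        -CA "$out/root/rootca.crt" -CAkey "$out/root/root-ca.key" \
        -extfile "$out/intermediate/ext.cnf" \
        -out "$out/intermediate/intermediate.crt"

    # 3. VPN host certificate. The SAN must carry the exact name or address
    #    clients connect to (= leftid); serverAuth is the EKU Windows requires.
    case $server_name in
        *[!0-9.]*) san="DNS:$server_name" ;;   # hostname
        *)         san="IP:$server_name"  ;;   # dotted-quad address
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$server_name" \
        -keyout "$out/server/vpn-privatekey.key" -out "$out/server/vpn-host.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=$san" \
        'authorityKeyIdentifier=keyid' > "$out/server/ext.cnf"
    openssl x509 -req -sha256 -days 730 -CAcreateserial \
        -in "$out/server/vpn-host.csr" \
        -CA "$out/intermediate/intermediate.crt" \
        -CAkey "$out/intermediate/intermediate-ca.key" \
        -extfile "$out/server/ext.cnf" \
        -out "$out/server/vpn-host-certificate.crt"

    # 4. Check the chain the way strongSwan will present it to clients.
    openssl verify -CAfile "$out/root/rootca.crt" \
        -untrusted "$out/intermediate/intermediate.crt" \
        "$out/server/vpn-host-certificate.crt"
)
```

Copy server/vpn-privatekey.key to /etc/ipsec.d/private/, server/vpn-host-certificate.crt to /etc/ipsec.d/certs/ and the two CA certificates to /etc/ipsec.d/cacerts/ on the Pi; leave the root and intermediate directories where they are. Clients only need rootca.crt installed as a trusted root, since with leftsendcert=always the server sends its own certificate and the intermediate during IKE_AUTH.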

Configuring StrongSwan IPSec

Update /etc/ipsec.conf by removing all existing text and replacing it with the following. Change leftid to the public DNS name or IP address your clients connect to; it must appear in the host certificate (as a subjectAltName, or as its subject DN), otherwise clients will reject the server's identity.

# ipsec.conf - strongSwan IPsec configuration file

config setup

    # Allow several simultaneous connections with one user account.
    # By default only one active connection per user is allowed.
    # This option is also useful if you have a limited rightsourceip pool and
    # want a ghost connection kicked when the same user reconnects.
    uniqueids=no

    # Increase debug level
    # charondebug = ike 3, cfg 3

conn %default

    # Explicit proposals. Uncomment if you need them; the built-in defaults
    # work on most platforms. The 3des, sha1 and modp1024 entries are legacy
    # algorithms kept only for old clients; drop them if none of yours need them.
    # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

    # Dead peer detection: probe idle clients and clear their SAs when they stop answering.
    # dpdtimeout only applies to IKEv1; with IKEv2 the retransmission timeout decides.
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes

    # left - local (server) side
    # Filename of the host certificate located in /etc/ipsec.d/certs/
    leftcert=vpn-host-certificate.crt
    leftsendcert=always
    # Routes pushed to clients: 0.0.0.0/0 sends all client traffic through the VPN.
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    eap_identity=%identity
    # IPv4 pool that client addresses are assigned from.
    rightsourceip=10.1.1.0/24
    rightdns=8.8.8.8

# Windows and BlackBerry clients usually go here
conn ikev2-mschapv2
    rightauth=eap-mschapv2

# Apple clients usually go here
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid={public domain or IP address}

Setting Connection Credentials

Update the /etc/ipsec.secrets file to reflect your configuration and accounts. It names the host's private key and holds every user's password in clear text, so it must stay owned by root with mode 0600.

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

# The host's private key, matching /etc/ipsec.d/certs/vpn-host-certificate.crt
{vpn server ip} : RSA /etc/ipsec.d/private/vpn-privatekey.key

# Users: the name on the left is the EAP identity the client sends
username : EAP "super secret password here"

Setup VPN Network Communications

Configure the system to forward packets by updating or adding the following to /etc/sysctl.conf. The two redirect settings stop the Pi from sending or accepting ICMP redirects, which a host with forwarding enabled would otherwise do:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Activate the changes

# sysctl -p

Setup the firewall to accept and forward VPN traffic. With the bridged interfaces file above, the Pi's address lives on br0 and routed traffic leaves through it, so that is the interface the NAT rule must name (use eth0 if you skipped the bridge):

# iptables -t nat -A POSTROUTING -o br0 ! -p esp -j SNAT --to-source {ip address of VPN server}
# iptables -A INPUT -p udp --dport 500 -j ACCEPT
# iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# iptables -A INPUT -p esp -j ACCEPT

NOTE: I know there is a right way to make these rules persist across reboots, but I cheated and added them to /etc/rc.local. I will get back to doing it the right way later when I have more time.
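The "right way" the note above alludes to, as an added example that is not part of the original page: instead of replaying individual iptables commands from rc.local, write the whole ruleset as one iptables-restore file, load it, and let Debian's iptables-persistent package load that same file at boot. The interface br0, the Pi's address 192.168.1.10 and the pool 10.1.1.0/24 are assumptions standing in for your own values. The ruleset also tightens the page's rules: INPUT and FORWARD default to DROP, only traffic that was actually decrypted from an IPsec SA is forwarded, and only the client pool is NATed.

```shell
#!/bin/sh
# Added example: write the VPN firewall as one iptables-restore file, load it,
# and let iptables-persistent replay that file at boot. Assumptions standing in
# for your values: interface br0 (from the interfaces file above), the Pi's LAN
# address 192.168.1.10 and the client pool 10.1.1.0/24 (rightsourceip).
set -eu

WAN_IF=${WAN_IF:-br0}
VPN_IP=${VPN_IP:-192.168.1.10}
VPN_POOL=${VPN_POOL:-10.1.1.0/24}

# write_vpn_rules FILE: default-deny INPUT and FORWARD; admit only SSH, IKE,
# ESP and traffic that actually arrived inside an IPsec tunnel.
write_vpn_rules() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the client pool is rewritten, and ESP itself is never touched.
-A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} ! -p esp -j SNAT --to-source ${VPN_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Keep SSH reachable so a mistake below does not lock you out.
-A INPUT -p tcp --dport 22 -j ACCEPT
# IKEv2 (500), NAT-T (4500) and raw ESP for clients that are not behind NAT.
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
# Forward pool traffic only if it was decrypted from an IPsec SA: a spoofed
# 10.1.1.x packet arriving in the clear on the LAN fails the policy match.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${VPN_POOL} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d ${VPN_POOL} -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# install_vpn_rules [FILE]: persist and activate. Debian's iptables-persistent
# (netfilter-persistent) restores /etc/iptables/rules.v4 at boot.
install_vpn_rules() {
    rules=${1:-/etc/iptables/rules.v4}
    # Install first: its postinst may snapshot the current rules into the same
    # file, and the next step overwrites that snapshot with ours.
    DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
    mkdir -p "$(dirname "$rules")"
    write_vpn_rules "$rules"
    iptables-restore < "$rules"
    # Confirm the live tables carry what the VPN clients depend on.
    iptables -t nat -S POSTROUTING | grep -q -- "--to-source ${VPN_IP}"
    iptables -S INPUT | grep -q -- "--dport 4500"
}
```

Run install_vpn_rules as root once; after that, netfilter-persistent reloads /etc/iptables/rules.v4 on every boot and the rc.local lines can go. If clients should be able to reach the Pi itself (for SSH, say), add an INPUT rule for the pool with the same `-m policy --dir in --pol ipsec` match, so that only tunnelled packets qualify.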

External Accessibility

Lastly, and this part you must research for your own router model, forward UDP 500, UDP 4500 and ESP (IP protocol 50) from your ISP's router to the Raspberry Pi. Because the Pi sits behind that router's NAT, IKEv2's NAT detection makes clients encapsulate ESP in UDP 4500 (NAT traversal), so the two UDP forwards are the ones that matter; forwarding protocol 50 is harmless but optional, and many consumer routers cannot do it anyway.