Jeffrey Belt

Another Computer Geek

Raspberry - Pi IKEv2 VPN Server

Parts List

Sourced from

    •    Raspberry Pi 3 - Model B - ARMv8 with 1G RAM

    •    5V 2.4A Switching Power Supply with 20AWG MicroUSB Cable

    •    Pi Model B+ / Pi 2 / Pi 3 Case Base - Smoke Gray

    •    Raspberry Pi Model B+ / Pi 2 / Pi 3 Case Lid - Smoke Gray

    •    8GB SD Card with Raspbian Jessie Operating System

NOTE: Performance for a personal VPN with one or two connections runs perfectly well on the original Raspberry Pi 1

Setting Up

Download and install raspbian-ua-netinst from here, flash your SD Card, and follow the instructions from the site to install a minimal Raspberry Pi OS. Once the card flashing is complete, do the following:

Install raspi-copies-and-fills for improved memory management performance

# apt-get install raspi-copies-and-fills

OPTIONAL: Create a swap file

# dd if=/dev/zero of=/swap bs=1M count=512 && mkswap /swap && chmod 600 /swap

This example creates a 512MB file. Once done, enable it on boot by appending

# echo '/swap none swap sw 0 0' >> /etc/modules

to /etc/fstab.

Leverage hardware randomization capabilities by installing and enabling bcm2708-rng kernel module

# apt-get install rng-tools

then add bcm2708-rng to /etc/modules

# echo 'bcm2708-rng' >> /etc/modules

Additionally, I recommend commenting out the snd-bcm2835 module from /etc/modules to decrease memory and resource usage.

# sed -i -e 's/^snd-bcm2835/# snd-bcm2835/' /etc/modules

Update the /etc/network/interfaces file to have a static IP address. Here is an example:

auto lo

iface lo inet loopback

auto br0

iface br0 inet static

    bridge_ports eth0

    bridge_stp off

    bridge_waitport 0

    bridge_maxwait 0

    bridge_fd 0

    post-up ip link set br0 address {MAC address of physical interface}

    address {vpn server ip address}

    netmask {vpn server netmask}

    network {vpn server network}

    broadcast {vpn server broadcast address}

    gateway {vpn server gateway address}

allow-hotplug eth0

iface eth0 inet manual

When done, reboot your Pi, then Update the Pi to be running the latest patches and updates.

# apt-get update && apt-get dist-update

Install VPN Software Packages:

# apt-get install strongswan libcharon-extra-plugins

Setup certificates

See my write-up on Becoming your own X.509 Certificate Authority to generate certificate files:

/etc/ipsec.d/private/root-ca.key             # Root CA private key

/etc/ipsec.d/private/intermediate-ca.key     # Intermediate CA priavte Key

/etc/ipsec.d/cacerts/rootca.crt              # Root CA certificate

/etc/ipsec.d/cacerts/intermediate.crt        # Root CA intermediate certificate

/etc/ipsec.d/certs/vpn-host-certificate.crt  # VPN host certificate

Configuring StrongSwan IPSec

update /etc/ipsec.conf by removing all existing text and replacing it with the following. Change leftid and rightid as appropriate.

# ipsec.conf - strongSwan IPsec configuration file

Configuration Setup

#  Allows few simultaneous connections with one user account.

#  By default only one active connection per user allowed.

#  This option also usefull if you have limited rightsourceip pool 

#  and want to kick your ghost connection while reconnecting.


# Increase debug level

# charondebug = ike 3, cfg 3

conn %default

# More advanced ciphers. Uncomment if you need it.

# Default ciphers will works on most platforms.

# ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!

# esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

# Dead peer detection will ping clients and terminate sessions after timeout










# left - local (server) side

leftcert=vpn-host-certificate.crt # Filename of certificate located at /etc/ipsec.d/certs/


# Routes pushed to clients.


# right - remote (client) side


# ipv4 subnets that assigns to clients.



# Windows and BlackBerry clients usually goes here

conn ikev2-mschapv2


# Apple clients usually goes here

conn ikev2-mschapv2-apple


    leftid={public domain or IP address}

Setting Connection Credentials

Update the /etc/ipsec.secrets file to reflect your configuration and accounts

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host

# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key

include /var/lib/strongswan/

# This is the private key located at /etc/ipsec.d/private/privatekey.pem

{vpn server ip} : RSA /etc/ipsec.d/private/vpn-privatekey.key

# Users

username : EAP "super secret password here"

Setup VPN Network Communications

Configure the system to forward packets by updating or adding the follwing to /etc/sysctl.conf


net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

Active the changes

# sysctl -p

Setup firewall to accept and forward VPN traffic.

# iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source {VPN server IP}

# iptables -A INPUT -p udp --dport 500 -j ACCEPT

# iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# iptables -A INPUT -p esp -j ACCEPT

NOTE: I know there is a right way to make these rules persist across reboots, but I cheated and added them to /etc/rc.local. Will get back to doing it the right way later when I have more time.

Externally Accessibility

Lastly, which you must research how to do on your own, set up your router to forward  from your ISP's router to your Raspberry Pi

Home        Services        Contact       How To’s        GitHub

Copyright - Jeffrey Belt - All Rights Reserved