Setup a private VPN on OpenWRT 15.05.01 using StrongSwan

This is a guide that I’ve put together using various different articles and tutorials I’ve found and put them all together in one package.

The end result is your very own private VPN server running off of your OpenWRT 15.05.01 router using RSA certificates for authentication. With a few small tweaks you can use username/password log authentication but I preferred to go the certificates route. These steps should work fine with most modern clients – I have personally tested this with Windows 10 (Version 1607 OS Build 14393.10) and on iOS 9.3.4 both with and without certificates and it works great.

Let’s begin!

First and foremost, you need to be running OpenWRT (https://openwrt.org/) on your router. Installing OpenWRT is out of the scope for this guide, so please do your research for getting it onto your device – it’s very straight forward.

Also, make sure that you have enough space on router’s flash memory, most routers do not come with very much now a days, but if you have a USB port, you can easily add an extra 8GB (or more) as storage.

Install strongswan-full and openssl-util

We will need to install both StrongSwan and OpenSSL (to generate certificates) onto the router. SSH into your router and run the following command:

This will refresh your software repository lists. Once that has completed, install strongswan-full and openssl-util by running the following command in your shell:

Let’s run a quick test to make sure StrongSwan install correctly:

You should see:

Looking good!

Generating Your Certificates

The tricky part with setting up StrongSwan is in the generation of your certificates. I’ve tried to make this as easy and compatible as possible.

CA Root Certificate/Key

  • The commands below will generate a self-signed CA certificate (CA_CERT.pem) and a CA private key (CA_KEY.pem).
  • You should change the country (C), organization (O) and common name (CN) to your own values.
  • This certificate will be valid for 10 years, but you can adjust that by changing the --lifetime 3650 value to something else, in days.

Server (router) Certificate/Key

  • The commands below will generate a server (i.e. your router) certificate (SERVER_CERT.pem) and a server private key (SERVER_KEY.pem).
  • Important note: the command name (CN=) must be either the hostname or IP of your VPN server. If you do not set this correctly, the VPN connection will not be established. You will also need to adjust the --san value to match what you enter in the CN.
  • This certificate is valid for 2 years, which can be changed by adjusting the --lifetime 730 value.

Client Certificate/Key

  • The commands below will generate a client certificate (CLIENT_CERT.pem) and a server private key (CLIENT_KEY.pem)
  • The --san CLIENT@vpn.nicktamm.com value needs to be named after the name of the device you are generating your certificate for. For example, if my machine name is GHOST I will need to adjust the san setting to --san GHOST@vpn.nicktamm.com. This is especially important for iOS devices.
  • The CN value should also be changed to match whatever you entered for the san
  • You will need to repeat these steps for each client that you want to connect to your VPN.

PKCS12 Certificate

  • This is the last certificate that we will need to generate. This will be the certificate that you deliver to each client that is going to connect to your VPN.
  • This will contain the client certificate, client key and the CA certificate in one package. Again, you will need to generate this for each client.
  • For added security, you will need to add a password when generating this certificate. This password will be asked for when importing the certificate on your client.

Ok! Now we have all our certificates generated. One VERY important thing you need to do is to copy the CA_KEY.pem to a safe location and delete it from the router, located in etc/ipsec.d/private. If someone were to get a hold of your CA key, they could generate their own certificates for use on your VPN essentially compromising the entire security of your VPN/network.

VPN Server Configuration

Now we will begin configuring the server (router in this case) to work with the VPN as well as make the necessary adjustments to the firewall.

There are 2 main files that we will be working with, ipsec.conf which handles the main configuration settings for our VPN and ipsec.secrets which contains any username/passwords and private key information. These files can be located in the etc/ folder.

ipsec.conf

Below is the ipsec.conf file that we are going to use.
There is a lot here, but I will be reviewing the important parts that need to be changed. For more information on these options, see https://libreswan.org/man/ipsec.conf.5.html

Ok, let’s look at that we need to adjust.

  • leftid=vpn.nicktamm.com – This needs to be changed to the IP/hostname of your server. This should match the --san value you entered for the CLIENT_CERT.pem certificate.
  • leftcert=SERVER_CERT.pem – Change this to match the named of your SERVER_CERT.pem file.
  • rightdns=10.2.3.4,8.8.8.8,8.8.4.4 – The first IP, 1.2.3.4 should be changed to match your router’s DNS IP address. This is necessary if you want to be able to access any resources on your LAN. IF you do not want to access your LAN, simply remove this entry.
  • rightsourceip=1.2.3.4/24 – You will need to adjust this to match the IP range that you want the VPN to use. A few things to note:
    • This IP range should be somewhere outside of your IP addresses on your LAN. For example, if you LAN is in the 1.1.1.0/24 range, you could change this to 10.2.1.0/24 range. This however will not allow you to resolve hostnames on your LAN when connected to the VPN.
    • If however you want seamless access on your LAN, you can enter your current assigned IP range but change the octet. For example, if you current IP range is 10.1.1.0/24, change it to 10.1.200./24. The only downside is that you may run into an IP conflict. An alternative to this would be to simply use a host file to map the IP(s) to hostname(s).

ipsec.secrets
This file is where the private keys are loaded. Simply modify the file to match your private keys as shown in the example files below:

Firewall Changes

Now it’s time to modify the firewall.
First, we need to allow the VPN to connect from the WAN. To do this, edit etc/config/firewall and add the following:

Next, you want to make sure the VPN is correctly routing the VPN tunnel. To do this, edit the etc/sysctl.conf and add the following:

Lastly, if you have a restrictive firewall, you can add these lines to the firewall.user file:

That should be it for the firewall! Go ahead and reboot your router now.
Once your router is back online, we can start to get everything up and running. Since we modified the ipsec.secrets file, let’s reload it. This is done by typing the following in your shell:

Now, we want to get the VPN actually working. We will turn it on but allow the output to be displayed on-screen. The command you want to run is:

We can now begin finalizing the setup and setting up our clients.

Client Setup

For this VPN, we will setup two clients – a Windows 10 PC and an iPhone. Let’s start with the PC.

Adding Certificates to the Certificate Store

First, we will need to import our certificates into the certificate store.

  • Right-click on the Start button and select Run. Type in mmc.exe and the press Enter.
  • Go to File > Add/Remove Snap-in....
  • Select Certificates then click on the Add > button.
  • Choose My user account followed by Finish then OK.
  • UnderConsole Root, expand Certificates - Current User > Personal > Certificates.
  • Right-click on Certificates and select All Tasks > Import...
  • Browse to the location where you saved you .p12 file then click on Next.
  • Here you will be asked to enter the password you created when generating your .p12 file. Also remember to check the Mark this key as exportable option in case you need to export it in the future then click Next.
  • You will be asked which store you want to place the certificates into – select Personal then click on Next> and finally Finish.
  • You will now have two certificates imported into the Personal store – your CA certificate and your client certificate with private key.
  • Drag the CA certificate to Trusted Root Certification Authorities > Certificates. You will be asked if you want to install the certificate here – click on Yes.
  • Now, close down your mmc console and open a new one, but this time select Computer account > Local computer.
  • Repeat the same steps as above, but when you have finished importing your certificates, delete the Client certificate and move the CA certificate into the Trusted Root Certification Authorities > Certificates.

Configuring the Windows 10 VPN Client

Almost done! We can now configure the Windows 10 VPN client and test our connection.

  • Click on the Start button and begin typing VPN to bring up the Change virtual private networks (VPN) option.
  • Click on Add a VPN connection and enter in the following settings:
    • VPN Provider: Windows (built-in)
    • Connection name: A name for your connection
    • Server name or address: The hostname/IP of your VPN server
    • VPN type: IKEv2
    • Type of sign-in info: Certificate
  • Click on the Start button and type Control Panel to open the Control Panel and navigate to Network and Sharing Center > Change adapter settings.
  • Look for the VPN connection you just created, right-click on it and select Properties.
  • Click on the Security tab and change the Data encryption option to Require then click on OK.
  • Click on the Networking tab and select Internet Protocol Version 4 (TCP/IPv4) then click on the Properties button.
  • Click on the Advanced... button. In the IP Settings tab, enable Use default gateway on remote network
  • Lastly, click on the OK button to close all open windows.

Now try connecting to your VPN. You will be asked if you want to trust the certificate (which you will say yes to) during the connection process. You should now have a successful VPN connection. Congratulations!

To verify that your VPN is working connect to a different network (such as a mobile hot-spot – basically anything not connected to your home internet connection) and go to any website that shows you your IP address, such as https://ipleak.net/. You should see the public IP address of your home internet connection.

If you look at your shell, you should now see your connection attempt being logged and what the server is responding with. /if your connection failed, you can check here for any error messages and troubleshoot accordingly.
Once your connection has been established, you will want to stop and start the VPN connection one final time as we started it the with --nofork switch earlier.

To restart it, type the following in your shell:

Let’s take a look at setting up our iOS client.

Configuring the iOS VPN Client
Since this is another client device, I’ve gone ahead and generated a new set of certificates/keys and a new .p12 file for this device. You should also do the same thing for each device you want to connect to your VPN.

Note: I have tested this on iOS 9.3.4. It should still work on any iOS 9.x device.

  • E-mail your CA root certificate and your .p12 file to your iOS device.
  • Once the email arrives, click on the CA root certificate and you will be prompted to install it on your device. Follow the on-screen steps.
  • Do the same for your .p12 file as well. Note that you will also need to input the password that you created when you generated your .p12 file.
  • These certificates will be available in Settings > General > Profiles.
  • Go to Settings > VPN > Add VPN Configuration... and enter in the following settings:
    • Type: IKEv2
    • Description: A name for your VPN connection.
    • Server: The hostname/IP of your VPN server.
    • Remote ID: The value you entered in --san when setting up your SERVER_CERT.pem certificate. In this example, vpn.nicktamm.com.
    • Local ID:The value you entered in --san when setting up your CLIENT_CERT.pem certificate. In this example, CLIENT@vpn.nicktamm.com.
    • User Authentication: Certificate
    • Certificate: Tap here and select your client certificate.

Save your settings and try connect to the VPN. You should now have established a successful connection.
Again, congratulations!

Please feel free to leave any comments or questions.

11 Replies to “Setup a private VPN on OpenWRT 15.05.01 using StrongSwan”

  1. Thank you for sharing. It’s so great!
    But after connected by Win7, I found that Win7 couldn’t access the internet. Why?

    1. What happens when you try to ping? Likely you need to check the rightdns setting in the IPSec.conf file. Make sure that the DNS is the same as your routers IP if you want to access your LAN followed by a public DNS like Google, or else just use the public DNS.

      1. Thank you for your reply.

        The IPSec.conf copied from a normal IKEv2/IPSec server based on CenterOS. So it should be right. I don’t think it’s the problem of DNS because I still couldn’t ping 8.8.8.8 on the client side. I can ping the address of client(10.31.2.1) from the server.

        Thank you once more

          1. I totally used your ipsec.conf, just modified the domain name and cert name. Now it become worse, even couldn’t connect to server. It says:

            Verifying user name and password…

            Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

          2. I found that “rightauth=eap-tls” must be changed to rightauth=”eap-mschapv2″. Otherwise Win7 couldn’t connect. But even when Win7 is connected, it still unable to access the internet.

    1. The error message is complaining about user name/passwords not matching. Im not exactly sure on how you have setup your router but it sounds like it’s different from my guide. I know you said you copied my example config files and tweaked then slightly, so could you post the file you are using to take a look? The one you provided as an example does not match mine. Also, you can take a look at http://zhmail.com/2016/02/15/configuring-ipsec-ikev2-in-openwrt-15-05/

      1. I’m sure that username matches the password. The error only happened when I used your ipsec.conf. I didn’t change anything in ipsec.secret.

        I also referred to the link you posted and the comment by “hunhun” is also by me :-D. But that guide didn’t work. Only your guide works. You can have a look at my configuration from
        http://155.254.33.86/IKEv2config/

        Please tell me if you need my more configuration.

Leave a Reply

Your email address will not be published.