How to Build an IKEv2 VPN Server for Android (Ubuntu 22.04)
This guide walks you through setting up a strongSwan VPN server that is natively compatible with Android's built-in IKEv2/IPSec MSCHAPv2 client.
Step 1: Install Dependencies
Update your system and install strongSwan along with the EAP plugins required for Android authentication.
sudo apt update && sudo apt upgrade -y sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins -y
Step 2: Generate PKI Certificates
The server needs a Certificate Authority (CA) and a Server Certificate to prove its identity to your phone.
# 1. Create CA Key and Certificate ipsec pki --gen --type rsa --size 4096 --outform pem > ~/ca-key.pem ipsec pki --self --ca --lifetime 3650 --in ~/ca-key.pem --type rsa --dn "CN=VPN CA" --outform pem > ~/ca-cert.pem # 2. Create Server Key and Certificate # REPLACE YOUR_SERVER_IP with your actual server IP ipsec pki --gen --type rsa --size 4096 --outform pem > ~/server-key.pem ipsec pki --pub --in ~/server-key.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert ~/ca-cert.pem --cakey ~/ca-key.pem --dn "CN=YOUR_SERVER_IP" --san YOUR_SERVER_IP --flag serverAuth --outform pem > ~/server-cert.pem # 3. Move to system directories sudo cp ~/ca-cert.pem /etc/ipsec.d/cacerts/ sudo cp ~/server-cert.pem /etc/ipsec.d/certs/ sudo cp ~/server-key.pem /etc/ipsec.d/private/
Step 3: Configure strongSwan (ipsec.conf)
Edit /etc/ipsec.conf and replace its content with the following (update the IP address!):
config setup
charondebug="ike 2, knl 2, cfg 2"
uniqueids=yes
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=YOUR_SERVER_IP
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8, 8.8.4.4
eap_identity=%identity
Step 4: Set Credentials (ipsec.secrets)
Define your server key and user login in /etc/ipsec.secrets:
: RSA "server-key.pem" your_username : EAP "your_password"
Step 5: Networking & Firewall
Enable IP forwarding and set up NAT so the VPN has internet access.
# Enable Forwarding echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf sudo sysctl -p # Open Ports sudo ufw allow 500/udp sudo ufw allow 4500/udp
Add the NAT rule to the top of /etc/ufw/before.rules (above *filter):
*nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE COMMIT
Final Note: Remember to transfer
ca-cert.pem to your phone and install it as a "CA Certificate" in settings before connecting!

Comments