Skip to main content

Deploying a strongSwan IKEv2 VPN Server for Native Android 12+ Connectivity


How to Build an IKEv2 VPN Server for Android (Ubuntu 22.04)

This guide walks you through setting up a strongSwan VPN server that is natively compatible with Android's built-in IKEv2/IPSec MSCHAPv2 client.

Step 1: Install Dependencies

Update your system and install strongSwan along with the EAP plugins required for Android authentication.

sudo apt update && sudo apt upgrade -y
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins -y

Step 2: Generate PKI Certificates

The server needs a Certificate Authority (CA) and a Server Certificate to prove its identity to your phone.

# 1. Create CA Key and Certificate
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/ca-key.pem
ipsec pki --self --ca --lifetime 3650 --in ~/ca-key.pem --type rsa --dn "CN=VPN CA" --outform pem > ~/ca-cert.pem

# 2. Create Server Key and Certificate
# REPLACE YOUR_SERVER_IP with your actual server IP
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/server-key.pem
ipsec pki --pub --in ~/server-key.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert ~/ca-cert.pem --cakey ~/ca-key.pem --dn "CN=YOUR_SERVER_IP" --san YOUR_SERVER_IP --flag serverAuth --outform pem > ~/server-cert.pem

# 3. Move to system directories
sudo cp ~/ca-cert.pem /etc/ipsec.d/cacerts/
sudo cp ~/server-cert.pem /etc/ipsec.d/certs/
sudo cp ~/server-key.pem /etc/ipsec.d/private/

Step 3: Configure strongSwan (ipsec.conf)

Edit /etc/ipsec.conf and replace its content with the following (update the IP address!):

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=YOUR_SERVER_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8, 8.8.4.4
    eap_identity=%identity

Step 4: Set Credentials (ipsec.secrets)

Define your server key and user login in /etc/ipsec.secrets:

: RSA "server-key.pem"
your_username : EAP "your_password"

Step 5: Networking & Firewall

Enable IP forwarding and set up NAT so the VPN has internet access.

# Enable Forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Open Ports
sudo ufw allow 500/udp
sudo ufw allow 4500/udp

Add the NAT rule to the top of /etc/ufw/before.rules (above *filter):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
Final Note: Remember to transfer ca-cert.pem to your phone and install it as a "CA Certificate" in settings before connecting!

Comments

Popular posts from this blog

Setup a Multi-Protocol VPN Server Using SoftEther on Centos7

  Introduction This article explains how to install and configure a multi-protocol VPN server using the SoftEther package. We enable and configure OpenVPN and L2TP over IPSec and SSTP VPN Servers on Linux. What is SoftEther SoftEther VPN is one of the world’s most powerful and easy-to-use multi-protocol VPN software, made by the good folks at the University of Tsukuba, Japan. It runs on Windows, Linux, Mac, FreeBSD and Solaris and is freeware and open-source. You can use SoftEther for any personal or commercial use free of charge. Step 1: Create a Virtual Server First, you need to create a DigitalOcean Droplet. As mentioned in SoftEther’s website, SoftEther will work on almost every Linux distro with kernel v2.4 or above,; however it’s recommended to choose one of these distributions: CentOS, Fedora, or Red Hat Enterprise Linux. Personally I have tried it on Ubuntu, CentOS and Fedora, both 32 and 64 bit editions, and it has worked perfectly. Step 2: Update your Server Software Usin...

Setting Up MariaDB MaxScale Binlog Proxy for backup/failover

  Setting Up MariaDB MaxScale Binlog Proxy MariaDB MaxScale Binlog Server acts as an intermediate master replication proxy. By storing binary logs and serving them to replicas, it enables scalable replication architectures, reduces primary database load, and accelerates disaster recovery. Step 1: Install MariaDB MaxScale Install MaxScale using the package manager appropriate for your Linux distribution, then verify the installation. On Ubuntu/Debian: sudo apt-get update sudo apt-get install maxscale On RHEL/CentOS: sudo yum install maxscale Verify the installation: maxscale --version Step 2: Configure MaxScale as a Binlog Proxy Open MaxScale's core configuration file to establish the routing properties and specify your database backend configuration. sudo nano /etc/maxscale.cnf Add the following configurations for the moni...

Deploying a laravel app using nginx alias

  server { listen 80; server_name subdomian.example.com; root /var/www/mainapp/; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff"; index index.html index.htm index.php; charset utf-8; error_log /var/log/nginx/error.log warn; location / { try_files $uri $uri/ /index.php?$query_string; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { access_log off; log_not_found off; } error_page 404 /index.php; location ~ \.php$ { fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; include fastcgi_params; } location /laravelapp { alias /var/www/mainapp/laravelapp/public; index index.php index.html in...