Heads-up: when following this guide on servers with upstream IPv4-only networks (which is totally fine if one knows what one is doing), it’s likely IPv6 traffic will leak on iOS when clients are connected to carriers or ISPs running dual stack (IPv4 + IPv6) networks. Leaks can be mitigated on iOS (cellular-only) and on macOS by following this guide.
Heads-up: when copying commands that start with $, strip out $ as this character is not part of the command.
Heads-up: when copying commands that start with cat << "EOF", select all lines at once (from cat << "EOF" to EOF inclusively) as they are part of the same (single) command.
When asked for file in which to save key, enter vpn-server.
When asked for passphrase, use output from openssl rand -base64 24
(and store passphrase in password manager).
Use vpn-server.pub public key when setting up server.
Heads-up: replace 185.193.126.203 with IP of server.
Heads-up: when asked for passphrase, enter passphrase from step 1.
When asked for password, use output from openssl rand -base64 24 (and store password in password manager).
When asked for password, use output from openssl rand -base64 24 (and store password in password manager).
All other fields are optional, press enter to skip them and then press Y.
authorized_keys file to vpn-server-admin home directory
Heads-up: replace 185.193.126.203 with IP of server.
Heads-up: when asked for passphrase, enter passphrase from step 1.
When asked, enter root password.
See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for available timezones.
Heads-up: only run the following if network is dual stack (IPv4 + IPv6).
Shout out to Andrew Ho for ulagen.py.
The following command downloads and runs ulagen.py (PGP signature, PGP public key).
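For readers who want to see what ulagen.py computes, the following is an added shell example written for this page (it is not the guide's code and not Andrew Ho's script). It derives a Unique Local Address prefix the way RFC 4193 section 3.2.2 describes: SHA-1 over the current time plus machine-specific material, the low 40 bits of the digest become the Global ID, and fd00::/8 followed by that Global ID gives a /48. The function names, the use of a MAC address and /dev/urandom as key material, and the ula_subnet helper that carves a /64 out of the /48 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide: RFC 4193 style ULA prefix generation.
# Function names and the extra entropy sources are this example's own choices.

sha1_hex() {
    # Portable SHA-1: sha1sum on GNU/busybox systems, shasum on macOS.
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi
}

# Print a random fdXX:XXXX:XXXX::/48 prefix (RFC 4193 section 3.2.2).
# An optional argument replaces the key material, which makes the output
# reproducible for testing; never pass one when generating a real prefix.
ula_prefix() {
    key=$1
    if [ -z "$key" ]; then
        # RFC 4193 keys the hash with the current time and an EUI-64; here a
        # MAC address (when readable) plus 64 bits from /dev/urandom stand in.
        key="$(date +%s%N 2>/dev/null || date +%s)$(cat /sys/class/net/*/address 2>/dev/null | head -n 1)$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    fi
    # Low 40 bits of the 160-bit digest = last 10 hex characters of the hash.
    gid=$(printf '%s' "$key" | sha1_hex | awk '{ print substr($1, 31, 10) }')
    # fc00::/7 with the L bit set is fd00::/8, then the 40-bit Global ID.
    printf 'fd%s:%s:%s::/48\n' \
        "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(printf '%s' "$gid" | cut -c3-6)" \
        "$(printf '%s' "$gid" | cut -c7-10)"
}

# Carve one /64 out of the /48 for a single purpose, e.g. the VPN client pool:
# ula_subnet fd6c:9cd0:d89d::/48 1 -> fd6c:9cd0:d89d:1::/64
ula_subnet() {
    printf '%s:%s::/64\n' "${1%::/48}" "$2"
}

# Usage: prefix=$(ula_prefix); ula_subnet "$prefix" 1
```

Generate the prefix once, record it, and hand a /64 from it to strongSwan as the IPv6 client pool; regenerating on every run would change client addresses and firewall rules.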
When asked to save current IPv4 or IPv6 rules, answer “Yes”.
If network is IPv4-only, run:
If network is dual stack (IPv4 + IPv6), run:
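The rules themselves are not reproduced on this page, so here is an added example (written for this page, not the guide's own rule set) of the minimal netfilter policy an IKEv2/IPsec server needs, with an IPv4-only and a dual stack variant. The interface name eth0, the client pools, the dry-run switch and the choice to drop all non-loopback IPv6 when upstream is IPv4-only are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the guide's rules: minimal netfilter policy for an IKEv2
# server. Interface, pools and the dry-run default are assumed values.
WAN_IF=${WAN_IF:-eth0}                         # assumed upstream interface
VPN_POOL4=${VPN_POOL4:-10.0.2.0/24}            # assumed IPv4 client pool
VPN_POOL6=${VPN_POOL6:-fd6c:9cd0:d89d:1::/64}  # assumed IPv6 client pool (ULA /64)
IKEV2_DRY_RUN=${IKEV2_DRY_RUN:-1}              # 1 = print rules, 0 = apply them (as root)

run_rule() {
    if [ "$IKEV2_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ikev2_rules <iptables|ip6tables> <wan interface> <client pool>
ikev2_rules() {
    fw=$1; wan=$2; pool=$3
    run_rule "$fw" -F
    run_rule "$fw" -t nat -F
    # Default deny inbound and forwarded traffic; the server may talk out freely.
    run_rule "$fw" -P INPUT DROP
    run_rule "$fw" -P FORWARD DROP
    run_rule "$fw" -P OUTPUT ACCEPT
    run_rule "$fw" -A INPUT -i lo -j ACCEPT
    run_rule "$fw" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run_rule "$fw" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ "$fw" = ip6tables ]; then
        # Neighbour discovery and PMTUD ride on ICMPv6; IPv6 breaks without it.
        run_rule "$fw" -A INPUT -p ipv6-icmp -j ACCEPT
    else
        run_rule "$fw" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    fi
    run_rule "$fw" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # IKEv2 control channel (UDP/500), NAT traversal (UDP/4500) and plain ESP.
    run_rule "$fw" -A INPUT -p udp --dport 500 -j ACCEPT
    run_rule "$fw" -A INPUT -p udp --dport 4500 -j ACCEPT
    run_rule "$fw" -A INPUT -p esp -j ACCEPT
    # Forward only packets that arrived inside an IPsec tunnel (policy match)
    # and masquerade them behind the server's address on the way out.
    run_rule "$fw" -A FORWARD -s "$pool" -o "$wan" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run_rule "$fw" -A FORWARD -d "$pool" -i "$wan" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    run_rule "$fw" -t nat -A POSTROUTING -s "$pool" -o "$wan" -m policy --dir out --pol ipsec -j ACCEPT
    run_rule "$fw" -t nat -A POSTROUTING -s "$pool" -o "$wan" -j MASQUERADE
}

# ikev2_firewall <ipv4-only|dual-stack>
ikev2_firewall() {
    ikev2_rules iptables "$WAN_IF" "$VPN_POOL4"
    if [ "$1" = dual-stack ]; then
        ikev2_rules ip6tables "$WAN_IF" "$VPN_POOL6"
    else
        # No IPv6 upstream: accept nothing over IPv6 except loopback (assumed hardening choice).
        run_rule ip6tables -F
        run_rule ip6tables -P INPUT DROP
        run_rule ip6tables -P FORWARD DROP
        run_rule ip6tables -P OUTPUT DROP
        run_rule ip6tables -A INPUT -i lo -j ACCEPT
        run_rule ip6tables -A OUTPUT -o lo -j ACCEPT
    fi
}

# Usage: ikev2_firewall dual-stack                 (prints the rules)
#        IKEV2_DRY_RUN=0 ikev2_firewall dual-stack  (applies them)
```

Review the printed rules first, apply them with IKEV2_DRY_RUN=0 as root, then run netfilter-persistent save so iptables-persistent restores them at boot.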
Heads-up: replace 185.193.126.203 with IP of server.
Heads-up: when asked for passphrase, enter passphrase from step 1.
When asked, enter root password.
If server is configured to use /etc/network/interfaces, run:
If server is configured to use systemd-networkd, run:
Heads-up: ignore systemd address already in use error (if present).
Heads-up: if you are shown an “Old runlevel management superseded” warning, answer “Ok”.
Depending on server configuration, DNS nameserver(s) can be found using one of the following commands (ignore nameservers starting with 127, as those are local stub resolvers rather than upstream nameservers).
First, run:
If that does not output valid nameserver(s), run:
If that does not output valid nameserver(s), run:
Heads-up: replace 95.215.19.53 with server DNS nameserver(s).
Heads-up: separate nameservers using commas with no leading spaces (example: 93.95.224.28,93.95.224.29).
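The lookup above can be scripted. The following is an added shell example written for this page (not the guide's commands): it pulls nameserver addresses out of a resolv.conf-style file or out of resolvectl status output, discards loopback stub resolvers such as 127.0.0.53 and ::1, removes duplicates, and joins what is left with commas and no spaces, which is the format the configuration files below expect. The function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide: find the server's upstream nameservers
# and format them as "a,b". Sample inputs below are constructed.

# Nameserver addresses from a resolv.conf-style file ($1).
nameservers_from_resolv_conf() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Addresses from `resolvectl status` / `systemd-resolve --status` output ($1):
# "DNS Servers: a b" on one line, or one address per indented continuation line.
nameservers_from_resolvectl() {
    awk '
        /DNS Servers?:/ {
            inlist = 1
            sub(/.*DNS Servers?:[ \t]*/, "")
            for (i = 1; i <= NF; i++) print $i
            next
        }
        inlist && NF == 1 && $1 ~ /^[0-9a-fA-F:.]+$/ { print $1; next }
        { inlist = 0 }
    ' "$1"
}

# Drop loopback entries and duplicates, then join as "a,b" with no spaces.
join_nameservers() {
    awk '$0 !~ /^127\./ && $0 != "::1" && !seen[$0]++ { out = out (out == "" ? "" : ",") $0 }
         END { print out }'
}

# Try the resolv.conf file first; if it only listed stub resolvers, fall back
# to the resolvectl dump ($2) when one was given. On a real server $1 is
# /etc/resolv.conf and $2 a file holding the output of `resolvectl status`.
server_nameservers() {
    result=$(nameservers_from_resolv_conf "$1" | join_nameservers)
    if [ -z "$result" ] && [ -n "$2" ]; then
        result=$(nameservers_from_resolvectl "$2" | join_nameservers)
    fi
    printf '%s\n' "$result"
}

# Constructed sample inputs so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$SAMPLE_DIR/stub.conf"
printf 'nameserver 93.95.224.28\nnameserver 93.95.224.29\nnameserver 127.0.0.1\n' > "$SAMPLE_DIR/real.conf"
cat > "$SAMPLE_DIR/resolvectl.txt" << "EOF"
Global
Current DNS Server: 93.95.224.28
       DNS Servers: 93.95.224.28
                    93.95.224.29
         DNS Domain: example.net
EOF

server_nameservers "$SAMPLE_DIR/real.conf"                               # 93.95.224.28,93.95.224.29
server_nameservers "$SAMPLE_DIR/stub.conf" "$SAMPLE_DIR/resolvectl.txt"  # 93.95.224.28,93.95.224.29
```

If both sources yield nothing, the server is probably using a static resolver set in /etc/network/interfaces or systemd-networkd, which is the third place the text above says to look.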
/etc/ipsec.conf
If network is IPv4-only, run:
If network is dual stack (IPv4 + IPv6), run:
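Since the file contents are not reproduced on this page, here is an added example (written for this page, not the guide's actual configuration) that writes an ipsec.conf for a certificate-authenticated IKEv2 road-warrior setup in either variant, using the page's own cat << "EOF" convention. The server IP, certificate file name, client pools, the resolver address pushed to clients and the cipher suites are assumptions of this example; whatever is chosen here has to match the IKE SA Params and Child SA Params entered in Apple Configurator later.

```shell
#!/bin/sh
# Added example, not the guide's configuration: generate ipsec.conf for an
# IPv4-only or dual stack IKEv2 server. All defaults below are assumed values.

# write_ipsec_conf <ipv4-only|dual-stack> <output path>
write_ipsec_conf() {
    mode=$1; out=$2
    server_ip=${SERVER_IP:-185.193.126.203}      # assumed; replace with IP of server
    pool4=${VPN_POOL4:-10.0.2.0/24}              # assumed IPv4 client pool
    pool6=${VPN_POOL6:-fd6c:9cd0:d89d:1::/64}    # assumed IPv6 client pool (ULA /64)
    dns=${VPN_DNS:-10.0.2.1}                     # assumed resolver handed to clients (e.g. dnsmasq on the server)
    if [ "$mode" = dual-stack ]; then
        subnets="0.0.0.0/0,::/0"                 # route all IPv4 and IPv6 through the tunnel
        pools="$pool4,$pool6"
    else
        subnets="0.0.0.0/0"                      # IPv4 only; no IPv6 is offered to clients
        pools="$pool4"
    fi
    cat > "$out" << EOF
config setup
    # IKE and kernel events at level 1; keep the rest quiet in production
    charondebug="ike 1, knl 1, cfg 0, net 1, esp 1, dmn 1, mgr 1"
    # a new connection with the same identity replaces the old one
    uniqueids=yes

conn ikev2
    auto=add
    type=tunnel
    keyexchange=ikev2
    compress=no
    fragmentation=yes
    forceencaps=yes
    # AES-256-GCM, SHA-384 PRF, ECP-384 (DH group 20); the trailing "!" makes
    # these the only proposals accepted, so set the same values in the Apple
    # profile for both IKE SA Params and Child SA Params.
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=$server_ip
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=$subnets
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=$pools
    rightdns=$dns
EOF
}

# Usage: write_ipsec_conf dual-stack /etc/ipsec.conf
```

leftid must match a subject alternative name in server.crt (an IP address entry when the ID is an IP), because iOS and macOS compare the Remote ID in the profile against the certificate the server sends.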
/etc/ipsec.secrets
/etc/strongswan.d/charon-logging.conf
/etc/strongswan.d/charon/dhcp.conf
/lib/systemd/system/strongswan.service
strongswan-certs directory
Heads-up: for security reasons, steps 25 to 29 are done on Mac rather than on server.
Heads-up: store strongswan-certs folder in a safe place if you wish to issue additional certificates in the future.
When asked for export password, use output from openssl rand -base64 24 (and store password in password manager).
On Mac, run:
On server, run output from previous command:
On Mac, run:
On server, run output from previous command:
On Mac, run:
On server, run output from previous command:
On server, run chmod -R 600 /etc/ipsec.d/private
/etc/sysctl.conf
If network is IPv4-only, run:
If network is dual stack (IPv4 + IPv6), run:
Heads-up: when configuring strongSwan using certs and dnsmasq, two devices cannot use the same provisioning profile simultaneously.
Open “Apple Configurator 2”, then click “File”, then “New Profile”.
In “General”, enter “Self-hosted strongSwan VPN” in “Name”.
In “Certificates”, click “Configure” and select “ca.crt”. Then click “+” and select “alice.p12”. The password is the one from step 29.
In “VPN”, click “Configure” and enter the settings from the following screenshot (replace 185.193.126.203 with IP of server).
The “Child SA Params” are the same as “IKE SA Params”.
Finally, click “File”, then “Save”, and save file as “alice.mobileconfig”.
Unlock iPhone, connect it to Mac using USB cable and open Apple Configurator 2.
In “All Devices”, double-click on iPhone, then click “Add” and, finally, click “Profiles”.
Select “alice.mobileconfig” and follow instructions.
On iPhone, open “Settings”, then “Profile Downloaded” and tap “Install”.
If this step fails (a recent update to Apple Configurator 2 introduced a bug), run the following and try again.
This step is super simple, simply double-click “alice.mobileconfig” and follow instructions.
If this step fails (a recent update to Apple Configurator 2 introduced a bug), run the following and try again.
On iPhone, open “Settings”, then enable “VPN”.
On Mac, open “System Preferences”, click “Network”, then “Self-hosted strongSwan VPN” and, finally, click “Connect” and enable “Show VPN status in menu bar”.
Open Firefox and go to https://ipleak.net/.
Make sure listed IPv4, IPv6 (if network is dual stack) and DNS servers do not match the ones provided by ISP.
👍