====== VPN - Server configuration ======

===== IPsec / strongSwan =====

==== Requirements ====

Install strongSwan and check that its version matches the one installed in the Wirnet™ gateway. For example, on firmware 3.4.3, the ipsec version is:

<code>
# ipsec --version
Linux strongSwan U5.5.2/K4.1.15-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
</code>

A server with root access is required. This guide was written with Debian 8.

It is assumed that the PKI has been set up; if not, please see the [[.:pki| PKI configuration]] page.

==== Configuration ====

The main configuration file, ''/etc/ipsec.conf'', describes the VPN connection. Section headers start in the first column and their options must be indented:

<code>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add

conn kerlink
    leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
    leftsubnet=your_server_subnet
    leftcert=vpncert.pem
    rightid="C=FR, O=Kerlink, CN=klk-wifc-XXXXXX"
    rightsubnet=your_network_subnet
</code>

Most of the parameters are defined in the ''%default'' section, but they can also be set under the //kerlink// connection, should the server have more than one VPN connection. A few points worth checking before deploying this file:

  * The trailing ''!'' on ''ike='' and ''esp='' makes the proposal lists strict: strongSwan accepts only the listed algorithms, but any of them, including the ''sha1'' and ''modp1024'' entries at the end, can be selected. Keep those entries only if the gateway firmware needs them.
  * ''auto=add'' loads the connection without initiating it, and ''rekey=no'' leaves rekeying to the gateway, which is the side that initiates the tunnel.
  * ''leftcert'' is looked up in ''/etc/ipsec.d/certs'', and ''leftid'' must match the subject DN of that certificate; likewise ''rightid'' must match the subject DN of the gateway's certificate.

==== Secrets ====

The ''/etc/ipsec.secrets'' file stores the credentials. In our case it holds a single entry, the RSA private key with which the server identifies itself (the key matching ''leftcert''):

<code>
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnkey.pem
</code>

The syntax is ''identifier : type parameters''.

  * When the ''identifier'' is empty, the entry describes the server itself. ''type'' is ''RSA'' and ''parameters'' is the private key file name, relative to ''/etc/ipsec.d/private'', optionally followed by the key's passphrase.
  * Otherwise the ''identifier'' names a peer (an IP address, FQDN or certificate DN) and the entry applies only to that peer. With certificate authentication the server does not need the clients' private keys: the gateway certificates are verified against the CA certificates in ''/etc/ipsec.d/cacerts'', so no per-client line is required here.

Because it contains the private key reference and possibly its passphrase, the file must be readable by root only (''chmod 600 /etc/ipsec.secrets'').
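The proposal lists above are long, and the strict ''!'' suffix means every entry in them is negotiable. The following script, added here as an example and not part of the original page, Kerlink's tooling or strongSwan, parses the ''conn'' sections of an ipsec.conf in the format shown above and reports the ''ike='' and ''esp='' proposals that still rely on SHA-1 or on the MODP-1024/1536 Diffie-Hellman groups, together with a trimmed list to paste back. ''SAMPLE_CONF'' is a constructed, shortened version of the page's configuration, and the sets of "weak" components are this example's own policy, not a strongSwan default.

```python
"""Audit the ike=/esp= proposal lists of a strongSwan ipsec.conf for weak algorithms.

Added example for this page; it is not Kerlink or strongSwan code. SAMPLE_CONF is
a constructed, shortened version of the page's configuration, and WEAK_HASH /
WEAK_DH are this example's own policy, not a strongSwan default.
"""

WEAK_HASH = {"md5", "sha1"}                       # integrity / PRF algorithms
WEAK_DH = {"modp768", "modp1024", "modp1536"}     # Diffie-Hellman groups

SAMPLE_CONF = """\
# constructed sample: three proposals per list instead of the page's twenty
config setup

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha1-modp2048,aes256-sha384-modp1024!
    esp=aes128gcm16-ecp256,aes128-sha1,aes256-sha256-modp1536!
    dpdaction=clear
    auto=add

conn kerlink
    leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
    rightid="C=FR, O=Kerlink, CN=klk-wifc-XXXXXX"
"""


def parse_sections(text):
    """Return {"conn name" / "config name": {option: value}}.

    ipsec.conf rules: a section header starts in column 1, its options are
    indented, and '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def split_proposals(value):
    """'a-b,c-d!' -> (['a-b', 'c-d'], True); the trailing '!' marks a strict list."""
    strict = value.endswith("!")
    return [p for p in value.rstrip("!").split(",") if p], strict


def weak_components(proposal):
    """'aes128-sha1-modp1024' -> ['sha1', 'modp1024']; AEAD/ECP-only proposals give []."""
    return [part for part in proposal.split("-") if part in WEAK_HASH or part in WEAK_DH]


def audit(text):
    """Return {(section, 'ike'|'esp'): {'weak': [...], 'strict': bool, 'hardened': str}}."""
    findings = {}
    for section, options in parse_sections(text).items():
        for key in ("ike", "esp"):
            if key not in options:
                continue
            proposals, strict = split_proposals(options[key])
            weak = [p for p in proposals if weak_components(p)]
            kept = [p for p in proposals if p not in weak]
            findings[(section, key)] = {
                "weak": weak,
                "strict": strict,
                # the trimmed list keeps the original order and the strict marker
                "hardened": ",".join(kept) + ("!" if strict else ""),
            }
    return findings


if __name__ == "__main__":
    for (section, key), result in audit(SAMPLE_CONF).items():
        print(f"{section}: {key}= (strict={result['strict']})")
        for p in result["weak"]:
            print(f"  weak proposal: {p}  [{', '.join(weak_components(p))}]")
        print(f"  suggested: {key}={result['hardened']}")
```

Run it against the real file with ''audit(open("/etc/ipsec.conf").read())''; the ''hardened'' string is what remains once every proposal containing a weak component is dropped, so review it against the algorithms the gateway firmware actually offers before pasting it back.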
===== OpenVPN =====

Here is a simple server-side configuration file:

<code>
port 1194
proto udp
dev tun
#tls-version-min "1.0"
#tls-version-max "1.0"

# CA certificate
ca ca.crt

# Server certificate and private key (PKCS#12 bundle)
# This file should be kept secret
pkcs12 server.12

# Diffie-Hellman parameters
dh dh2048.pem

# LAN information and network configuration
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"

# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC

# Daemon configuration
user nobody
group nogroup

# Persist across restarts
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
client-to-client
</code>

Notes on this configuration:

  * ''tls-version-min'' and ''tls-version-max'' are commented out, so OpenVPN's default TLS version range applies. If you uncomment them, do not pin the tunnel to TLS 1.0; set the minimum to the highest version both the server and the gateway firmware support.
  * ''comp-lzo'' enables compression inside the tunnel. Compressing attacker-influenced traffic together with secrets makes compression-oracle attacks (VORACLE) possible, so leave it out unless the gateway requires it.
  * ''management localhost 6666'' opens the management interface without authentication. It is bound to localhost only, but any local user can connect to it; add a password file argument (''management localhost 6666 pw-file'') if other users have shell access to the server.
  * ''script-security 2'' allows OpenVPN to run user-defined scripts (''up'', ''down'', ''client-connect'', ...); it is only needed if you use such hooks.
  * ''client-to-client'' lets VPN clients reach each other through the server; remove it if gateways should only reach the server-side networks.
  * ''user nobody'' / ''group nogroup'' drop privileges after startup; ''persist-key'' and ''persist-tun'' are required for that to survive restarts, since the unprivileged process can no longer reopen the key file or the tun device.

Start OpenVPN with the following command:

<code>
sudo openvpn --config /etc/openvpn/server-openvpn.conf
</code>

Note: if your private key is protected by a passphrase, add the following line to the configuration file:

<code>
askpass pass.txt
</code>

Put the passphrase on the first line of ''pass.txt'' and restrict the file to its owner with ''chmod 600 pass.txt''.
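Writing ''pass.txt'' and running ''chmod 600'' afterwards leaves a short window, under a permissive umask, in which the passphrase is readable by every local user. The helper below, added here as an example that is not part of the original page or of OpenVPN, creates the file with mode 0600 from the start (the mode passed to ''os.open'' is applied at creation, and umask can only clear bits), refuses to overwrite an existing file, and checks the permissions and ownership of a file before you point ''askpass'' at it. The directory, file names and passphrase used in ''demo()'' are constructed for the example.

```python
"""Create and check an OpenVPN askpass file without a chmod window.

Added example for this page; it is not OpenVPN's or Kerlink's code. The paths
and the passphrase in demo() are constructed for the example.
"""
import os
import stat
import tempfile


def write_askpass_file(path, passphrase):
    """Create `path` containing the passphrase, mode 0600, never overwriting.

    OpenVPN reads only the first line of the askpass file, so a multi-line
    passphrase is rejected instead of being silently truncated. Returns the
    permission bits of the created file.
    """
    if "\n" in passphrase:
        raise ValueError("passphrase must be a single line")
    # O_EXCL fails if the file exists; 0o600 is applied at creation time,
    # so there is no moment at which the file is readable by others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(passphrase + "\n")
    except Exception:
        os.unlink(path)
        raise
    return check_askpass_file(path)


def check_askpass_file(path):
    """Return the permission bits of `path`, raising if group/other can access it
    or if it is not owned by the current user."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other (mode {mode:04o})")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by uid {os.getuid()}")
    return mode


def askpass_directive(path):
    """The line to append to the OpenVPN server configuration."""
    return f"askpass {path}"


def demo():
    """Constructed scenario in a fresh temporary directory: one file written by
    write_askpass_file() and one deliberately left at mode 0644.
    Returns (good_path, bad_path)."""
    directory = tempfile.mkdtemp()
    good = os.path.join(directory, "pass.txt")
    write_askpass_file(good, "correct horse battery staple")  # constructed passphrase
    bad = os.path.join(directory, "pass-bad.txt")
    with open(bad, "w") as f:
        f.write("secret\n")
    os.chmod(bad, 0o644)  # explicit chmod, so the result does not depend on umask
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(askpass_directive(good), f"(mode {check_askpass_file(good):04o})")
    try:
        check_askpass_file(bad)
    except PermissionError as err:
        print("rejected:", err)
```

The same check applies to ''/etc/ipsec.secrets'' and to the PKCS#12 bundle referenced by ''pkcs12'': a key file that is world-readable defeats the passphrase.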