
How to Set Up an IKEv2 VPN Server on Ubuntu 20.04 with an Automated Script

 

In this tutorial, we'll use a Bash script created by George MacKerron, which takes Ubuntu Server 22.04, 20.04 or 18.04 LTS from a clean install and sets up a production-ready IKEv2 VPN with strongSwan.

 

Setup Instructions

1. Get a domain name for your VPN server and add an appropriate A record in your DNS manager to point the domain name to your server's IP address. Make sure that the domain name already resolves to the correct IP address: Let's Encrypt needs this in order to create your server certificate. If you don't want to use a domain name, we can provide you with the reverse DNS name for your service; just let us know.

2. Start with a clean Ubuntu Server installation. We can offer the cheapest, but very stable, VPS, VDS or dedicated server for your VPN service.

3. Optionally, set up key-based SSH authentication, or go with the basic password authentication option. Setting up key authentication may require you to run some or all of the following commands, with appropriate substitutions, on the machine you're going to be logging in from:

ssh-keygen -t ed25519 -C "me@my-domain.tld"      # if you need a new key, ed25519 is the latest and possibly most secure option
ssh-keygen -t rsa -b 4096 -C "me@my-domain.tld"  # alternatively, use RSA and go (4,096 bits) large

ssh root@myvpn.example.net  # Test SSH connection to the VPN server
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@myvpn.example.net  # copy your public key to the VPN server
ssh root@myvpn.example.net  # log back in to the server for the next step ...

4. On your new server installation, log in as root, download the VPN installation script, give it executable permissions, and run it:

wget https://raw.githubusercontent.com/jawj/IKEv2-setup/master/setup.sh

chmod u+x setup.sh  

./setup.sh

5. You'll be prompted to enter all the necessary details after the software updates and installation complete. If you are not using key-based SSH authentication, you must pick a really strong password for the login user when prompted, or your server may be compromised.

6. Follow the on-screen instructions once the setup script has launched. Once the installation has completed, use these commands over SSH to see what is happening on the server:

sudo ipsec statusall          # status, who's connected, etc.
sudo iptables -L -v           # how much traffic has been forwarded, dropped, etc.?
sudo tail -f /var/log/syslog  # real-time logs of (dis)connections etc.

 

Troubleshooting

  • On the client side: make sure you created the connection using the newly emailed .mobileconfig file, AppleScript or PowerShell commands. Setting it up manually via the OS GUI will not work, since it will default to insecure ciphers which the server has not been configured to support. Also note that .mobileconfig files generated with earlier iterations of this script may no longer be compatible, since the configured ciphers have changed from time to time.

  • On the server side: check that network ingress for UDP on ports 500 and 4500 is enabled. Also check that packet forwarding is enabled. You can find more information on how to configure the UFW and iptables firewalls here.

  • Check the server logs on strongSwan startup and when you try to connect, and the client logs when you try to connect.

  • The setup script is now more or less idempotent (you should be able to run it repeatedly with no ill effects), so when you've fixed any issues, simply run it again.

     

Connect VPN Users

To add or change VPN users, run the following command:

sudo nano /etc/ipsec.secrets

Edit usernames and passwords as you see fit (but don't touch the first line, which specifies the server certificate). The line format for each user is:

someusername : EAP "somepassword"

Save and exit, then apply the changes to strongSwan with:

sudo ipsec secrets
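
The same edit can be scripted. The following is an added example, not part of the original tutorial or of the setup script: it adds or replaces one user while copying the first line verbatim and rejecting input that would break the user line format shown above. The function names, the 16-character minimum and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example. On the server FILE is /etc/ipsec.secrets (run as root).

# 48 hex characters (192 bits) from the kernel CSPRNG; hex output can never
# contain a double quote, which would end the EAP "..." string early.
gen_password() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \t\n'
}

# set_vpn_user FILE USER PASSWORD
# Leaves line 1 (server certificate) untouched and makes sure USER has
# exactly one line of the form: USER : EAP "PASSWORD"
set_vpn_user() {
    file=$1; user=$2; pass=$3
    nl='
'
    # Only plain account names: no spaces, colons, quotes or newlines.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid username" >&2; return 1 ;;
    esac
    # Assumed policy: at least 16 characters.
    [ "${#pass}" -ge 16 ] || { echo "password too short" >&2; return 1; }
    case $pass in
        *'"'*|*"$nl"*) echo "password has a quote or newline" >&2; return 1 ;;
    esac
    # Build the new file next to the old one (mktemp creates it mode 600),
    # then rename over it so a half-written file is never left in place.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v u="$user" 'NR == 1 { print; next }
        { n = $0; sub(/[ \t]*:.*/, "", n); if (n != u) print }' "$file" > "$tmp" &&
        printf '%s : EAP "%s"\n' "$user" "$pass" >> "$tmp" &&
        mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Demo on a constructed sample file, not the live secrets file.
demo=$(mktemp)
printf '%s\n' 'myvpn.example.net : RSA "privkey.pem"' \
    'alice : EAP "old-password-0000"' > "$demo"
set_vpn_user "$demo" alice "$(gen_password)" && cat "$demo"
rm -f "$demo"
```

After running it against the real file, apply the change with sudo ipsec secrets as described above.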

 

 

 


 

Published on: 28-10-2022
