How to Set Up an IKEv2 VPN Server on Ubuntu 20.04 with an Automated Script
In this tutorial, we'll use a Bash script created by George MacKerron, which takes Ubuntu Server 22.04, 20.04 or 18.04 LTS from a clean install and sets up a production-ready IKEv2 VPN with strongSwan.
1. Get a domain name for your VPN server and add an A record in your DNS manager pointing the domain name to your server's IP address. Make sure the domain name already resolves to the correct IP address; Let's Encrypt needs this in order to issue your server certificate. If you don't want to use a domain name, we can provide you with the reverse DNS name for your service, just let us know.
3. Optionally, set up key-based SSH authentication, or go with the basic password authentication option. Setting up key authentication may require you to run some or all of the following commands, with appropriate substitutions, on the machine you're going to be logging in from:
4. On your new server installation, log in as root, download the VPN installation script, give it executable permissions, and run it:
5. You'll be prompted to enter all the necessary details after the software updates and installation complete. If you are not using key-based SSH authentication, you must pick a really strong password for the login user when prompted, or your server may be compromised.
6. Follow the on-screen instructions once the setup script has launched. Once the installation has completed, use these SSH commands to display information about what is going on on the server:
On the client side: make sure you create the connection using the newly emailed .mobileconfig file, AppleScript or PowerShell commands. Setting it up manually via the OS GUI will not work, since the GUI defaults to insecure ciphers that the server has not been configured to support. Also note that .mobileconfig files generated by earlier iterations of this script may no longer be compatible, since the configured ciphers have changed from time to time.
On the server side: check that network ingress for UDP on ports 500 and 4500 is enabled. Also check that packet forwarding is enabled. You can find more information on how to configure the UFW and iptables firewalls here.
Check the server logs at strongSwan startup and when you try to connect, and the client logs when you try to connect.
The setup script is now more or less idempotent (you should be able to run it repeatedly with no ill effects), so when you've fixed any issues, simply run it again.
Connect VPN Users
To add or change VPN users, run the following command:
Edit usernames and passwords as you see fit (but don't touch the first line, which specifies the server certificate). The line format for each user is:
someusername : EAP "somepassword"
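As an added example (not part of the tutorial or the setup script), here is a small Python checker for the user-line format above: it keeps the first certificate line untouched, parses each following line as `someusername : EAP "somepassword"`, and flags malformed lines, duplicate usernames and short passwords before you apply the file. The sample file contents, the certificate path and the 12-character minimum are assumptions made for this illustration.

```python
import re

# One EAP user line in /etc/ipsec.secrets, in the format the tutorial shows:
#   someusername : EAP "somepassword"
EAP_LINE = re.compile(r'^(?P<user>[^\s:"]+)\s*:\s*EAP\s+"(?P<password>[^"]*)"$')
MIN_PASSWORD_LEN = 12  # assumed local policy, not a strongSwan requirement

def parse_secrets(text):
    """Return (server_line, users, problems) for an ipsec.secrets body.
    The first non-comment line is the server certificate entry and is kept
    untouched; every later line must be an EAP user line."""
    server_line, users, problems = None, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if server_line is None:
            server_line = line  # certificate line, kept as written
            continue
        m = EAP_LINE.match(line)
        if not m:
            problems.append((lineno, "not a valid EAP user line"))
            continue
        user, password = m.group("user"), m.group("password")
        if user in users:
            problems.append((lineno, f"duplicate user {user}"))
            continue
        if len(password) < MIN_PASSWORD_LEN:
            problems.append((lineno, f"password for {user} is shorter than {MIN_PASSWORD_LEN} characters"))
        users[user] = password
    return server_line, users, problems

# Constructed sample file; the certificate path and the users are made up.
SAMPLE_SECRETS = """\
# constructed sample, not a real secrets file
: RSA "/etc/letsencrypt/live/vpn.example.com/privkey.pem"
alice : EAP "correct-horse-battery-staple"
bob : EAP "short"
alice : EAP "another-long-password-here"
carol = EAP "missing-colon-separator"
"""

if __name__ == "__main__":
    server, users, problems = parse_secrets(SAMPLE_SECRETS)
    print("server line:", server)
    print("users:", sorted(users))
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```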
Save and exit, then apply the changes to strongSwan with:
Published on: 28-10-2022