Sep 4, 2024 3 min read

StrongSwan: Simplifying Self-Hosting


StrongSwan is a powerful, open-source IPsec-based VPN solution designed for secure communications over untrusted networks. Ideal for developers and system administrators, StrongSwan offers robust encryption, flexibility, and full control over your VPN infrastructure. In this guide, we’ll cover the steps to deploy, configure, and manage StrongSwan effectively, whether through Docker or manual installation, and explore advanced features like logging, backups, updates, and custom configurations.

Installing StrongSwan

📦 Docker/Docker Compose Setup

Using Docker is an efficient way to deploy StrongSwan, ensuring portability and easy management. Below is a docker-compose.yml file tailored for StrongSwan deployment.


version: '3.8'

services:
  strongswan:
    image: strongswan/strongswan
    container_name: strongswan
    cap_add:
      - NET_ADMIN        # charon needs this to install IPsec policies/SAs in the host kernel
    ports:
      - "500:500/udp"    # IKE
      - "4500:4500/udp"  # NAT-T
    volumes:
      - ./strongswan/ipsec.conf:/etc/ipsec.conf  # Main configuration file
      - ./strongswan/ipsec.secrets:/etc/ipsec.secrets  # Shared secrets
      - ./strongswan/logs:/var/log
    restart: unless-stopped

To deploy this setup:


mkdir -p strongswan/logs
touch strongswan/ipsec.conf strongswan/ipsec.secrets
docker-compose up -d

This will launch StrongSwan with default ports and map configuration files for customization.

🚀 Manual Installation

For those preferring a non-containerized setup, here's how to manually install StrongSwan on a Linux server (Ubuntu in this example):


sudo apt update
sudo apt install -y strongswan strongswan-pki

Verify the installation:


ipsec version

This ensures StrongSwan is installed and ready for configuration.

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

StrongSwan itself only speaks IKE/IPsec over UDP 500 and 4500 and ships no HTTP interface, so Nginx cannot sit in front of the VPN traffic. If you run a separate web-based management front end for StrongSwan (assumed here to listen on 127.0.0.1:5000), an Nginx server block like this puts it behind a hostname:


server {
    listen 80;
    server_name vpn.example.com;

    location / {
        proxy_pass http://127.0.0.1:5000;  # Adjust based on StrongSwan's API or management interface
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Save this configuration as /etc/nginx/sites-available/strongswan and enable it:


sudo ln -s /etc/nginx/sites-available/strongswan /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

🔒 SSL/TLS Setup

Secure traffic with Let’s Encrypt:


sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d vpn.example.com

This enables HTTPS and sets up automated SSL certificate renewal.

πŸ› οΈ Testing and Reloading Nginx

After configuring Nginx, test the setup:


sudo nginx -t
sudo systemctl reload nginx

Access the management front end through https://vpn.example.com; VPN clients themselves still connect to the gateway directly on UDP 500/4500.

Logging and Debugging StrongSwan

πŸ—ƒοΈ Enabling Debug Logs

To enable debug-level logging, modify /etc/strongswan/strongswan.d/logging.conf:


charon {
    filelog {
        path = /var/log/strongswan.log
        time_format = %b %e %T
        ike_name = yes
        append = no
        default = 2
        control = 2
    }
}

Restart the StrongSwan service so the new logging settings take effect:


sudo systemctl restart strongswan

📄 Viewing Logs

For Docker installations:


docker logs strongswan

For manual installations:


cat /var/log/strongswan.log

πŸ› οΈ Troubleshooting Common Issues

Identify common errors by looking for:

  • NO_PROPOSAL_CHOSEN: Mismatched encryption algorithms.

  • AUTHENTICATION_FAILED: Incorrect credentials or certificates.

Debug failed connections with:


ipsec statusall
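The two notify errors above are easiest to act on when they are counted per peer rather than read line by line. The script below is an added example and not part of the original post: it ships a handful of constructed log lines in the charon filelog format used earlier, counts each notify type, and attributes every error to the peer address from the "is initiating an IKE_SA" line that shares the same IKE_SA id. The log path /var/log/strongswan.log is the one configured above; everything else (function names, sample addresses) is an assumption for the example.

```shell
#!/bin/sh
# Added example, not from the original post: triage an IKE log for the two notify
# errors discussed above and attribute them to the peer that triggered them.
# The log lines below are constructed to resemble charon's filelog output.

write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep  4 02:14:01 05[IKE] <3> 203.0.113.7 is initiating an IKE_SA
Sep  4 02:14:01 05[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep  4 02:14:01 05[CFG] <3> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Sep  4 02:14:01 05[IKE] <3> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Sep  4 02:14:30 06[IKE] <5> 203.0.113.7 is initiating an IKE_SA
Sep  4 02:14:30 06[IKE] <5> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Sep  4 02:15:02 07[IKE] <roadwarrior|6> 198.51.100.23 is initiating an IKE_SA
Sep  4 02:15:02 07[IKE] <roadwarrior|6> tried 1 shared key, but MAC mismatched
Sep  4 02:15:02 07[IKE] <roadwarrior|6> sending AUTHENTICATION_FAILED notify
Sep  4 02:16:11 08[IKE] <site-b|7> 192.0.2.44 is initiating an IKE_SA
Sep  4 02:16:12 08[IKE] <site-b|7> IKE_SA site-b[7] established
EOF
    echo "$f"
}

# Plain count of one notify type across the whole file (prints 0 when absent).
count_notify() {
    grep -c -- "$2" "$1" || true
}

# Per-peer breakdown, one "NOTIFY PEER COUNT" line each. charon prefixes every
# line with the IKE_SA id in <...>; the "is initiating" line ties that id to a
# peer address, so later error lines carrying the same id are attributed to it.
summarize_ike_failures() {
    awk '
        match($0, /<[^>]*>/) { id = substr($0, RSTART + 1, RLENGTH - 2) }
        /is initiating an IKE_SA/ {
            for (i = 2; i <= NF; i++) if ($i == "is") { peer[id] = $(i - 1); break }
        }
        /NO_PROPOSAL_CHOSEN|AUTHENTICATION_FAILED/ {
            n = ($0 ~ /NO_PROPOSAL_CHOSEN/) ? "NO_PROPOSAL_CHOSEN" : "AUTHENTICATION_FAILED"
            p = (id in peer) ? peer[id] : "unknown"
            count[n " " p]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# For NO_PROPOSAL_CHOSEN the fix is on the proposal lists: show what each side offered.
show_proposal_mismatch() {
    grep -E 'received proposals|configured proposals' "$1"
}

# Run directly against the live log: ./ike-triage.sh --run [/var/log/strongswan.log]
if [ "${1:-}" = "--run" ]; then
    summarize_ike_failures "${2:-/var/log/strongswan.log}"
fi
```

On the sample data the summary reports two NO_PROPOSAL_CHOSEN failures from 203.0.113.7 and one AUTHENTICATION_FAILED from 198.51.100.23, while the established site-b tunnel produces nothing; a peer that keeps appearing under NO_PROPOSAL_CHOSEN is the one whose `ike=`/`esp=` settings need to be lined up with the server's.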

📤 Exporting Logs

To send logs to external systems like an ELK stack, use Filebeat to ship /var/log/strongswan.log.

Backup and Restore

πŸ—‚οΈ File-Based Backups

Backup key configuration files:


tar -czvf strongswan-config-backup.tar.gz /etc/ipsec.conf /etc/ipsec.secrets

Restore:


tar -xzvf strongswan-config-backup.tar.gz -C /

📅 Automated Backup Scripts

Create a cron job for periodic backups:


( crontab -l 2>/dev/null; echo '0 2 * * * tar -czf /backup/strongswan-$(date +\%F).tar.gz /etc/ipsec.conf /etc/ipsec.secrets' ) | sudo crontab -

This runs a backup every day at 2 AM. The entry is single-quoted so that $(date ...) is evaluated by cron at run time rather than once when the line is written, the % is escaped because cron treats an unescaped % as a newline, and the existing crontab is read first so the new line is appended instead of replacing it. Because the archive contains ipsec.secrets, install it in root's crontab and keep /backup readable by root only.
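A one-line cron entry is fine until the archive permissions, the checksum and the retention are forgotten. The script below is an added example and not the post's own code: it wraps the same tar backup of ipsec.conf and ipsec.secrets with a restrictive umask (the archive holds the shared secrets), writes a sha256 sidecar, prunes archives older than a configurable number of days, and provides matching verify and restore steps. The default paths /etc and /backup are assumptions taken from the commands above; the tooling assumed is GNU tar, coreutils sha256sum and find.

```shell
#!/bin/sh
# Added example, not from the original post: permission-restricted, checksummed
# backups of the StrongSwan config files with retention, plus verify/restore.
# Assumed defaults: sources in /etc, archives in /backup, keep 30 days.

backup_strongswan() (
    set -e
    src_dir=${1:-/etc}        # directory holding ipsec.conf and ipsec.secrets
    dest_dir=${2:-/backup}    # where archives are written
    keep_days=${3:-30}        # archives older than this are deleted

    umask 077                 # new files are 0600; the subshell body keeps this local
    mkdir -p "$dest_dir"
    chmod 700 "$dest_dir"
    name="strongswan-$(date +%F-%H%M%S).tar.gz"

    # Archive only the files that exist, so a missing optional file is not fatal.
    files=""
    for f in ipsec.conf ipsec.secrets; do
        [ -f "$src_dir/$f" ] && files="$files $f"
    done
    [ -n "$files" ] || { echo "no StrongSwan config found in $src_dir" >&2; exit 1; }

    # -C stores relative paths, so the archive restores under any prefix.
    # shellcheck disable=SC2086  (word splitting of $files is intended)
    tar -czf "$dest_dir/$name" -C "$src_dir" $files
    ( cd "$dest_dir" && sha256sum "$name" > "$name.sha256" )

    find "$dest_dir" -name 'strongswan-*.tar.gz*' -mtime +"$keep_days" -delete
    echo "$dest_dir/$name"
)

# Check the recorded checksum and that the archive is readable before trusting it.
verify_backup() (
    cd "$(dirname "$1")" \
        && sha256sum -c --quiet "$(basename "$1").sha256" \
        && tar -tzf "$(basename "$1")" >/dev/null
)

# Restore into a target directory (default /etc) and re-tighten the secrets file.
restore_strongswan() (
    set -e
    target=${2:-/etc}
    verify_backup "$1"
    mkdir -p "$target"
    tar -xzf "$1" -C "$target"
    if [ -f "$target/ipsec.secrets" ]; then chmod 600 "$target/ipsec.secrets"; fi
)

# Run directly (for example from cron) to take one backup with the default paths.
if [ "${1:-}" = "--run" ]; then
    backup_strongswan
fi
```

Install it as /usr/local/bin/strongswan-backup.sh and schedule `0 2 * * * /usr/local/bin/strongswan-backup.sh --run` in root's crontab; calling a script avoids the quoting and % pitfalls of an inline crontab command entirely.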

Updating and Upgrading StrongSwan

⬆️ Updating Docker Images

For Docker setups, pull the latest version:


docker-compose pull
docker-compose up -d

πŸ› οΈ Manual Updates

On a manually installed server:


sudo apt update
sudo apt install --only-upgrade -y strongswan

πŸ” Checking for Updates

Check the installed StrongSwan version:


ipsec version

Visit StrongSwan’s GitHub for recent releases.

Leveraging StrongSwan’s Unique Features

🔧 Enabling APIs

To enable the VICI API for management, configure /etc/strongswan/strongswan.d/charon.conf (on Debian/Ubuntu: /etc/strongswan.d/charon.conf):


charon {
    plugins {
        vici {
            load = yes
        }
    }
}

Restart StrongSwan:


sudo systemctl restart strongswan

Interact with the API through swanctl, the VICI client shipped with StrongSwan (it needs root to reach the VICI socket):


sudo swanctl --stats
sudo swanctl --list-sas

🌟 Advanced Configurations

Enable advanced features like certificate-based authentication:


sudo ipsec pki --gen --outform pem > caKey.pem
sudo ipsec pki --self --in caKey.pem --dn "C=US, O=VPN, CN=VPN CA" --ca --outform pem > caCert.pem

Update ipsec.conf to use the generated CA.
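The CA above is only half of certificate-based authentication: the gateway still needs its own certificate issued by that CA, installed where charon looks for it, and referenced from ipsec.conf. The script below is an added example, not the post's own code, that carries the procedure through with the same pki tool: it generates the CA, issues a server certificate with the gateway's DNS name as SAN and the serverAuth/ikeIntermediate flags, verifies the chain, and emits a matching conn stanza. vpn.example.com, the 10.10.10.0/24 client pool and the function names are placeholders; the /etc/ipsec.d/{cacerts,certs,private} layout is StrongSwan's standard one for ipsec.conf-based setups.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA, issue the gateway
# certificate, verify the chain and print the ipsec.conf stanza that uses it.
# Requires strongswan-pki. vpn.example.com and 10.10.10.0/24 are placeholders.

make_vpn_pki() (
    set -e
    out=${1:-./pki}              # working directory for keys and certificates
    fqdn=${2:-vpn.example.com}   # name clients will connect to (must match the SAN)
    umask 077                    # private keys are created 0600
    mkdir -p "$out" && cd "$out"

    # 1. CA key and self-signed CA certificate (10 years).
    ipsec pki --gen --type rsa --size 3072 --outform pem > caKey.pem
    ipsec pki --self --ca --lifetime 3650 --in caKey.pem --type rsa \
        --dn "C=US, O=VPN, CN=VPN CA" --outform pem > caCert.pem

    # 2. Gateway key and a certificate issued by the CA. The SAN must equal the
    #    name clients use; serverAuth and ikeIntermediate are the EKU flags that
    #    common IKEv2 clients check on a gateway certificate.
    ipsec pki --gen --type rsa --size 3072 --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem --type rsa \
      | ipsec pki --issue --lifetime 1825 --cacert caCert.pem --cakey caKey.pem \
            --dn "C=US, O=VPN, CN=$fqdn" --san "$fqdn" \
            --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

    # 3. Prove the issued certificate chains to the CA before deploying it.
    ipsec pki --verify --in serverCert.pem --cacert caCert.pem
)

# Copy the material into the directories charon searches for ipsec.conf setups
# and register the private key in ipsec.secrets (idempotent).
install_vpn_pki() {
    src=${1:-./pki}
    install -m 644 "$src/caCert.pem"     /etc/ipsec.d/cacerts/
    install -m 644 "$src/serverCert.pem" /etc/ipsec.d/certs/
    install -m 600 "$src/serverKey.pem"  /etc/ipsec.d/private/
    grep -qx ': RSA serverKey.pem' /etc/ipsec.secrets 2>/dev/null \
        || echo ': RSA serverKey.pem' >> /etc/ipsec.secrets
}

# The conn stanza to append to ipsec.conf: gateway and clients both authenticate
# with certificates, so the CA issued above is the trust anchor for both sides.
print_conn() {
    fqdn=${1:-vpn.example.com}
    cat <<EOF
conn ikev2-cert
    keyexchange=ikev2
    left=%any
    leftid=@$fqdn
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add
EOF
}

# Usage: ./vpn-pki.sh --run ./pki vpn.example.com  (then install_vpn_pki as root)
if [ "${1:-}" = "--run" ]; then
    make_vpn_pki "${2:-./pki}" "${3:-vpn.example.com}" && print_conn "${3:-vpn.example.com}"
fi
```

Keep caKey.pem off the gateway once client certificates have been issued; only caCert.pem is needed there to validate peers, and a CA key on the VPN host is the one file whose loss lets anyone mint trusted client identities.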

Wrapping Up

This guide walked you through deploying, configuring, and managing StrongSwan, from installation to advanced features. Self-hosting StrongSwan empowers you with full control and unmatched security for VPN solutions. By following the provided steps, you can customize StrongSwan to suit your unique infrastructure needs and ensure seamless, secure connectivity.
