
A Comprehensive Guide to Building Your Own IPSec VPN on CentOS 8
In an era of increasing digital surveillance and data privacy concerns, securing your internet traffic has never been more critical. A Virtual Private Network (VPN) creates an encrypted tunnel for your data, protecting it from prying eyes on public networks. While many commercial VPN services exist, building your own provides ultimate control and privacy.
This guide will walk you through setting up a robust and secure IPSec VPN server using Libreswan on CentOS 8. IPSec (Internet Protocol Security) is a mature and highly secure protocol suite perfect for creating a stable VPN connection for remote employees, traveling staff, or personal use.
Prerequisites
Before we begin, ensure you have the following:
- A server running a fresh installation of CentOS 8.
- Root or sudo privileges to install packages and modify system configurations.
- A static public IP address for your server.
Step 1: Install the Libreswan Software
Libreswan is a widely-used, open-source implementation of IPSec for Linux. It is a continuation of the Openswan project and is included in the default CentOS 8 repositories, making installation straightforward.
First, update your system’s package index to ensure you have the latest versions available:
sudo yum update -y
Next, install the Libreswan package using the yum package manager:
sudo yum install libreswan -y
With this single command, all the necessary components are installed on your system.
Step 2: Configure Your Firewall Rules
For the VPN to function, you must allow specific traffic through your server’s firewall. IPSec uses specific ports and protocols to establish and maintain its secure connection.
We will use firewalld, the default firewall management tool on CentOS 8, to create the necessary exceptions.
Execute the following commands to open the required ports and services:
sudo firewall-cmd --permanent --add-service="ipsec"
sudo firewall-cmd --permanent --add-port=4500/udp
sudo firewall-cmd --permanent --add-port=500/udp
The first command enables firewalld's built-in ipsec service, which already covers the ESP (Encapsulating Security Payload) and AH (Authentication Header) protocols as well as UDP ports 500 and 4500. The next two commands open UDP ports 500 (for IKE, the key exchange protocol) and 4500 (for NAT traversal) explicitly; this is harmless but redundant with the service definition.
To apply these changes, you must reload the firewall:
sudo firewall-cmd --reload
Your server is now ready to accept IPSec VPN traffic.
Step 3: Configure the IPSec VPN
The core of your VPN server configuration lies in the /etc/ipsec.conf file. This file defines the connection parameters, encryption protocols, and authentication methods.
Open the configuration file with your preferred text editor, such as nano or vim:
sudo nano /etc/ipsec.conf
Replace the existing content with the following configuration. This setup is designed for a “road warrior” scenario, where individual clients connect from dynamic IP addresses. The connection is transport mode on UDP port 1701, which is the IPsec half of an L2TP/IPsec VPN; the L2TP tunnel itself, and the per-user credentials mentioned at the end of this guide, are handled by a separate L2TP daemon (such as xl2tpd) that this guide does not install.
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Key Configuration Points:
- authby=secret: This specifies that we will use a Pre-Shared Key (PSK) for authentication.
- auto=add: This directive tells Libreswan to load the connection automatically when the service starts.
- left=%defaultroute: This defines the server (the “left” side) as the machine with the default network route.
- right=%any: This allows any client (the “right” side) from any IP address to connect.
Save and close the file after adding the configuration.
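Before exposing the server, it helps to check the file the same way a reviewer would. The script below is an added example, not part of the original guide or of Libreswan: it reads key=value settings per conn section (following also= includes, as Libreswan does), checks that the road-warrior essentials are present, and flags pfs=no, which turns off Perfect Forward Secrecy for the IPsec security associations. The sample configuration it writes is a constructed copy of the one above; CONF_FILE and the temporary path are assumptions for the demo.

```shell
#!/bin/bash
# Added example (not from the original guide): a small lint for a road-warrior
# ipsec.conf. It parses "key=value" lines per section, follows also= the way
# Libreswan does, and prints WARN/NOTE lines for settings worth a second look.

# write_sample_conf FILE -> writes a constructed copy of the guide's configuration
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
}

# ipsec_conf_get FILE SECTION KEY -> prints KEY's value inside SECTION ("setup" for the
# config block, or a conn name); if absent, looks in the section named by also=
ipsec_conf_get() {
    local file=$1 section=$2 key=$3 val also
    val=$(awk -v sec="$section" -v key="$key" '
        /^[[:space:]]*(conn|config)[[:space:]]+/ { insec = ($2 == sec); next }
        insec {
            line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]*#.*$/, "", line)
            split(line, kv, "=")
            if (kv[1] == key) { sub(/^[^=]*=/, "", line); print line; exit }
        }' "$file")
    if [ -z "$val" ] && [ "$key" != "also" ]; then
        also=$(ipsec_conf_get "$file" "$section" also)
        if [ -n "$also" ]; then
            val=$(ipsec_conf_get "$file" "$also" "$key")
        fi
    fi
    printf '%s' "$val"
}

# lint_ipsec_conf FILE CONN -> prints one WARN/NOTE line per finding; always returns 0
lint_ipsec_conf() {
    local file=$1 conn=$2 key v
    # the settings every road-warrior conn in this guide must carry
    for key in authby left right type leftprotoport rightprotoport; do
        v=$(ipsec_conf_get "$file" "$conn" "$key")
        [ -n "$v" ] || echo "WARN: $conn: $key= is not set"
    done
    v=$(ipsec_conf_get "$file" "$conn" pfs)
    if [ "$v" = "no" ]; then
        echo "WARN: $conn: pfs=no disables Perfect Forward Secrecy for the IPsec SAs; prefer pfs=yes when all clients support it"
    fi
    v=$(ipsec_conf_get "$file" "$conn" authby)
    if [ "$v" = "secret" ]; then
        echo "NOTE: $conn: authby=secret means one shared PSK for every client; keep /etc/ipsec.secrets mode 0600"
    fi
    return 0
}

# Demo run on the constructed sample; on the server point CONF_FILE at /etc/ipsec.conf
CONF_FILE=$(mktemp)
write_sample_conf "$CONF_FILE"
lint_ipsec_conf "$CONF_FILE" L2TP-PSK-noNAT
lint_ipsec_conf "$CONF_FILE" L2TP-PSK-NAT
```

Both conns report the same pfs=no warning because L2TP-PSK-NAT inherits everything from L2TP-PSK-noNAT through also=. The lint is deliberately read-only; it tells you what to revisit, and the actual configuration check remains Libreswan's own ipsec verify once the service is running.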
Step 4: Create a Strong Pre-Shared Key
The Pre-Shared Key (PSK) is essentially the master password for your VPN. It is critical that you use a long, complex, and unique string of characters for this key to ensure your server’s security.
The PSK is stored in the /etc/ipsec.secrets file. Open it for editing:
sudo nano /etc/ipsec.secrets
Add the following line to the file, replacing the placeholder values with your server’s public IP and your chosen secret key:
Your_Server_IP %any: PSK "YourSuperStrongSecretKeyHere"
- Replace Your_Server_IP with your server’s actual public IP address.
- Replace YourSuperStrongSecretKeyHere with a very strong, randomly generated key. Avoid using common words or phrases.
Actionable Tip: Use a password generator to create a key of at least 20 characters, including letters, numbers, and symbols.
Save and close the secrets file. Because it contains credentials, make sure it is owned by root and readable only by root (mode 0600).
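The following script is an added example, not part of the original guide or of Libreswan: it generates a random pre-shared key from the kernel's random source, writes the ipsec.secrets line in the format shown above with owner-only permissions from the moment the file is created, and then verifies both the mode and the line format. SECRETS_FILE, the 203.0.113.10 documentation address and the key length are assumptions for the demo; GNU stat is assumed for the permission check.

```shell
#!/bin/bash
# Added example (not from the original guide): create a strong PSK and a
# root-only ipsec.secrets file, then verify both before starting the service.

# gen_psk [LENGTH] -> prints LENGTH random characters from a 62-symbol alphabet (default 32)
gen_psk() {
    local len=${1:-32}
    # LC_ALL=C keeps tr byte-oriented; head closes the pipe once enough characters arrive
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    echo
}

# write_secrets FILE SERVER_IP PSK -> writes "SERVER_IP %any: PSK \"...\"" readable only by owner
write_secrets() {
    local file=$1 server=$2 psk=$3
    # umask 077 in a subshell so the file is never group- or world-readable, not even briefly
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server" "$psk" > "$file" )
    chmod 600 "$file"
}

# secrets_ok FILE -> succeeds only if FILE is mode 0600 and holds a well-formed PSK line
# with a key of at least 20 characters (the guide's minimum)
secrets_ok() {
    local file=$1 mode
    mode=$(stat -c '%a' "$file")            # GNU stat (assumption): octal mode bits
    if [ "$mode" != "600" ]; then
        echo "bad mode $mode on $file (want 600)" >&2
        return 1
    fi
    if ! grep -Eq '^[^[:space:]]+ %any: PSK "[^"]{20,}"$' "$file"; then
        echo "no well-formed PSK line with 20+ characters in $file" >&2
        return 1
    fi
    return 0
}

# Demo run against a temporary path; on the server use SECRETS_FILE=/etc/ipsec.secrets as root
SECRETS_FILE=$(mktemp)
PSK=$(gen_psk 32)
write_secrets "$SECRETS_FILE" 203.0.113.10 "$PSK"   # 203.0.113.10 is a constructed example address
secrets_ok "$SECRETS_FILE" && echo "ok: $SECRETS_FILE is mode 600 and well-formed"
```

After writing the real file, restart the service (sudo systemctl restart ipsec) so Libreswan re-reads the secret; the same PSK then has to be entered on every client, which is the main reason to keep it long and the file locked down.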
Step 5: Start and Verify the VPN Service
With all the configurations in place, it’s time to start the Libreswan service and enable it to launch automatically on boot.
sudo systemctl start ipsec
sudo systemctl enable ipsec
To confirm that everything is configured correctly and the service is running without errors, use Libreswan’s built-in verification tool:
sudo ipsec verify
Review the output carefully. You may see a few warnings or notifications about disabled services (like opportunistic encryption), which can typically be ignored. The most important thing is to ensure there are no fatal errors and that the key components are running correctly.
Final Thoughts
Congratulations! You have successfully deployed a secure and private IPSec VPN server on CentOS 8. Your clients can now configure their devices (Windows, macOS, Linux, iOS, or Android) using the server’s IP address, the Pre-Shared Key you created, and their user credentials to establish a secure connection.
By managing your own VPN, you gain full control over your data privacy and network security, creating a trusted channel for all your internet activities. Remember to keep your server’s software updated and periodically review logs to maintain a secure and reliable service.
Source: https://kifarunix.com/setup-ipsec-vpn-server-with-libreswan-on-centos-8/