diff --git a/how-to-configure-borg-client-on-macos-using-command-line/README.md b/how-to-configure-borg-client-on-macos-using-command-line/README.md index f6c738b..cff7226 100644 --- a/how-to-configure-borg-client-on-macos-using-command-line/README.md +++ b/how-to-configure-borg-client-on-macos-using-command-line/README.md @@ -47,22 +47,22 @@ Enter same passphrase again: Your identification has been saved in borg. Your public key has been saved in borg.pub. The key fingerprint is: -SHA256:b4YxePgBjP9hB/wPFz7MkzM5fDYEBtbtOBd7kxRTicY borg +SHA256:9DzU/jDPyR/vGe8k2Yn1p31wF8UxLzCmYEj//D6+oYk borg The key's randomart image is: +---[RSA 3072]----+ -| oo+..o=| -| o . . ..Eoo.| -| . o o oooo.| -| . + o =o=+o.| -| + S + #o+..| -| = O + O . | -| + + . | -| o | -| | +| ...o + +.| +| .o . + o =| +| o o . . o| +| . * . o | +| S * + ..| +| o B++=| +| o.O**| +| . +.. *O| +| E o.+o.+O| +----[SHA256]-----+ $ cat borg.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClMqEv1xTTWrz9cRGFsjtQ5ieK7sMs2eUMyROg1emhblUmGd6cMMfQDFDlwXUXk7ZPDHIkN3k9recff1oa3tvW+9D2oqGSyG0WOXqbZNHXZUSEhb9giOlVij0kOjfVbMR37zMZn+e6cVzq75Kn5B/ZSm9pfpWI5p4sHEn9S8TvoSgvCCu67bWc3UHHedd9dK5kJUPHNHvZUf+ebNo69iZuKE9HSP7eifGx5DszkU5cs6DPivAvRGgGer7Um2piQ+T7q+XcKo0JcaXVaObDZSGTZwiF8xAFDF1bfCl9jna26ZqqPKHdJJTEl8gaj9MQH6vlsAZ40xeFyCxiG0AhVpQ6SeeIN2qkf6k7EDyUQNcCmwY23THhFhEjfjuq6mbsuCK52tUx7bDMF8wed0lQ5k7OLuQuwyxDUinz3aBwboUQxxHfzImgKXzIrZ0hPge3fIgtFUBiUwFUv5xnTzBIStP5BFf5Ca5oxRq4rJDORnD0wMuMTWSyGZFVU5iEVml0Jhk= borg +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwCdu7RCOmISZQ5cr43lDRPrFoxCXcVfCREYsdTIBEoQrIwyg1jZyzQMf9kORIGcNe5+olIj1aK9qVg0hCEeDSJosSsMP5o8tQJzNu5aYCtnADlZ+AuCgp5CpL1vECMaQsfQV9nju3ScE/+0C/MSYVvDx5sbRvi1XuutBbCAZtlUa7Rn7S8/X08XLFasM7KhFz7AH2Hvvi1i3Cg1WqkRKzpXE/uxntZ/qZxBdpa2WEN/phD4LgmmCbzKJYflhJNKJnYQZxGveGsdexdrDpEbajVECBw/0ntS5/YYaLxzqCrNGyCRdAajIccuOLQjRGzr9U5mdzVpHhkCLjbIDQ1JHxtb9nHxNgvGep7z0UCqawdcJN2nEr1D7Khu7Mh8mryR7iBxqEdPfdARuQn3kMFH+YA5NASTus9p/MR1cavJmBq3u88oNje8q+szkBsQDb1h0n0eAzjjDXRSxgm8bdtpi07TjTNCc+AmhYiym+MYXmbxqMO6pnjjE1I+ht3a8zUU0= borg ``` ### Step 2: create `borg-append-only` SSH key pair (if using BorgBase or rsync.net) @@ -82,22 +82,22 @@ Enter same passphrase again: Your identification has been saved in borg-append-only. Your public key has been saved in borg-append-only.pub. The key fingerprint is: -SHA256:xR8BvPMujEM955VubA/TWVlqt/Nt2INNX4UIw3wtssw borg-append-only +SHA256:Se6MQbWpFg0lWI2+fJ1IVPtUCs/ZRYrgtpz4F3hi2ow borg-append-only The key's randomart image is: +---[RSA 3072]----+ -| +.... | -| .B o.. | -| ooB.o ..| -| .E.....+| -| S. o. oo+| -| . o o.o+=| -| . o = +**+| -| o o o.*=B| -| . . o o=| +| o++o.+ ..o| +| . .=o+ * * o | +| .o.= + B o | +| ..=.= * | +| .+oSoB.+ | +| .o=oBoo . | +| ..E + . | +| . | +| | +----[SHA256]-----+ $ cat borg-append-only.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsEfUNEZToWjefcGr8Dy/d+6ILuklWjC18E3ziaCZPNzKZAMfZTXm0CqKYgwRH5UXgYz//3gLPLNLtlHNeluVXSzLO1pxc+2Au19JOfzgcy86A3y4Gx8lFh80VyHhm33LjHsKsgacF2C0tKDBaJ/WqwDpX0m+E1WHCF0xZ7QdgGEoqj31yJ34WCeOXOro1yJfrV98iVWKuokCMHboaQoXTNu4+AMzGw/1MPUgmkT1nGnBpN5lP1v+kwAXAemC+A+Aw8gLf3pq84uAOhiTficH57PiyasJtwll5loDinkhnBtYhPHO9qN+M+n0by3rmIhsEIukdpwiI5Qm4LNTm6i53NiX1rfN2ln4SvqwVG7mmkqP9PbJXsgtD6mNjXOhncHvHeTbEb8IAHg28hGpq1rn8284+2jvviw9FMAzIgkeLRmAHz+XVAOmZDkn0128H4bYXAOeLISxTbgY1WAWzGnW+kCYbmQV3e8wAyOrp8mfZ1LgMvfc2/o0D9828Zy5UP4c= borg-append-only +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2cmGUEKwopEN0vpHl2yNoV/wvm21D1hOP/8V886iCawgYpP5SUNpuVTDEgZEFJSvTMtfPaBicln0ULx8bp5NAiOQ8uPIvJD3xaacwISwvCVSYXY8jnQG3eRuhbKCU0aVFLONjnAvo288+NWbVcLw8Y166MPyk+tVz76plmv0LGefrZ0yPG99MngR3E5BLQk1EWQoH1kWGGHNFecFtMLq3usX23Ee4e605gfkWWoj7xSgpujfCHi/re6u7B25cn5t2eR7Ee0qRe/O2Sid2yIma7zK2l9NA0+k7pGngyXUTnGx9bI4+xM5qY0ZJcOQk03UJh52Gx8zXFASOxdGO71FiHvYKz60yyd5dUetPcBOYUygdejdBeBS36bh6SisXE/iI6aOfB/ViZd2ZNne1Fb7ijakyNsDCVEAWkMGJxnN8ZCapGsfG9YhKk/fU92Yxjos+AB1IC3M9Qjq5p8fZGsKdRtzJ3zxtTyk5dQEziAbmBVIJYyFohx/aCUB+MVF9xaM= borg-append-only ``` ### Step 3: configure SSH keys and create repo (if using BorgBase) @@ -380,7 +380,7 @@ Backup completed ```shell mkdir -p ~/Library/LaunchAgents -cat << EOF > ~/Library/LaunchAgents/local.borg-wrapper.plist +cat << "EOF" > ~/Library/LaunchAgents/local.borg-wrapper.plist diff --git a/how-to-configure-hardened-debian-server/README.md b/how-to-configure-hardened-debian-server/README.md index c2c25ce..80012d3 100644 --- a/how-to-configure-hardened-debian-server/README.md +++ b/how-to-configure-hardened-debian-server/README.md @@ -212,9 +212,9 @@ See [https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wi timedatectl set-timezone America/Montreal ``` -### Step 15: configure sysctl (if server is IPv4-only) +### Step 15: configure sysctl (if network is IPv4-only) -> Heads-up: only run the following if server is IPv4-only. +> Heads-up: only run the following if network is IPv4-only. ```shell cp /etc/sysctl.conf /etc/sysctl.conf.backup @@ -257,7 +257,7 @@ iptables -P INPUT DROP iptables -P OUTPUT DROP ``` -If server is IPv4-only, run: +If network is IPv4-only, run: ```shell ip6tables -P FORWARD DROP @@ -265,7 +265,7 @@ ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ``` -If server is dual stack (IPv4 + IPv6) run: +If network is dual stack (IPv4 + IPv6) run: ```shell ip6tables -A INPUT -i lo -j ACCEPT diff --git a/how-to-configure-hardened-raspberry-pi-os-server/README.md b/how-to-configure-hardened-raspberry-pi-os-server/README.md index a6226da..3b046ff 100644 --- a/how-to-configure-hardened-raspberry-pi-os-server/README.md +++ b/how-to-configure-hardened-raspberry-pi-os-server/README.md @@ -57,14 +57,14 @@ The key's randomart image is: +----[SHA256]-----+ $ cat pi.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqEWjWQZY8HoLQEF7SmU/7f8dJuy/4r7/X6PbwrDzASym+5vCLz3QJIlLuJuQL557FsTzsz/sLFoTJnDkiQ3lZtFOofynyYQQiRDkZPy9nGz/j+rTHm6vfp17o8k1LeADKRq2mHpAljlf6/ywkKbzmGhXwnVsvxA0RvvNoujnpiLoSZFrq0wsfzIOi67ZzySlzxKmL0/Uxs9LJ+XFyKlVOILD+TMCayB6UNJ38PkghDZ/8spSSH44jkhmElPdqsqaJ/hqYYXT8q4sSB7Yp5RSYWDYIQiIs2cailho/gOCq/0AskREuGEuwPGL3ivOa2uBN544zrJHbegeliRwTwxSvFat9MoXjpWpEtTVpR5Skr2nGxwXZWYEGZ1u+iJc+Y67k7vabZYADAk1Q8VePAh2BOfhkhZfdAnBZJn9s/XISi/T8WxsLoG3twu1OMWtoiNMlwCUzeIzVRg5BMiFJjEtsANiETdrCuH/Ms9G/EMRo9gKh7moVbfwI+Urf0StIx3k= pi +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCzQpX9uqDP8L2gSZNJxYEi04Y1pZWz28v4zANY5dU6M35OFzXZcRcBqi2ZxiQofgxRrX9QlAcmcPFz8/CkpPw2WgQTflm+46ZrVEZcwwGwJsJwm7QVLQLd44/xtejEvMjzsuYDjJ1q4WhEvMSleTfOrix4yP0mjn83Zk1l6AMxR5J8DDumiHsGSYfcp+1XS9x4r4HP0mS2RpIy3rcoxLoJaYEKvVTj9qdvPMK7SDymZcvuBsgObEARVr77q4qhUfTP+xR91hHNEYD9FnCHF3qQBzlTlmTwpwhH6vOdWE3uUXCug9Ugw42Zj3PW0zd5rQ7EEpD9SDLbUqajpn2M5AlhkS9OrLpnIptocetRKNI9HzyAV1KqdNiQeL7/59d4y+HuZ9y032SaNzR1fw0nYMoHzTN9d+zPvziDZ183/pwtEXZNVVGzYO1r56n3S4vLx8YCpYqiHYVQVDF8aweoHYs3dAGAfPxmQ85+45UKpFR18XSGCqCO2fwbyTGDhkxCzU= pi ``` ### Step 2: generate heredoc (the output of following command will be used at [step 10](#step-10-configure-pi-ssh-authorized-keys)) ```shell cat << EOF -cat << _EOF > /home/pi/.ssh/authorized_keys +cat << "_EOF" > /home/pi/.ssh/authorized_keys $(cat ~/.ssh/pi.pub) _EOF EOF @@ -168,8 +168,8 @@ mkdir -p /home/pi/.ssh #### Create `/home/pi/.ssh/authorized_keys` using heredoc generated at [step 2](#step-2-generate-heredoc-the-output-of-following-command-will-be-used-at-step-10) ```shell -cat << _EOF > /home/pi/.ssh/authorized_keys -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqEWjWQZY8HoLQEF7SmU/7f8dJuy/4r7/X6PbwrDzASym+5vCLz3QJIlLuJuQL557FsTzsz/sLFoTJnDkiQ3lZtFOofynyYQQiRDkZPy9nGz/j+rTHm6vfp17o8k1LeADKRq2mHpAljlf6/ywkKbzmGhXwnVsvxA0RvvNoujnpiLoSZFrq0wsfzIOi67ZzySlzxKmL0/Uxs9LJ+XFyKlVOILD+TMCayB6UNJ38PkghDZ/8spSSH44jkhmElPdqsqaJ/hqYYXT8q4sSB7Yp5RSYWDYIQiIs2cailho/gOCq/0AskREuGEuwPGL3ivOa2uBN544zrJHbegeliRwTwxSvFat9MoXjpWpEtTVpR5Skr2nGxwXZWYEGZ1u+iJc+Y67k7vabZYADAk1Q8VePAh2BOfhkhZfdAnBZJn9s/XISi/T8WxsLoG3twu1OMWtoiNMlwCUzeIzVRg5BMiFJjEtsANiETdrCuH/Ms9G/EMRo9gKh7moVbfwI+Urf0StIx3k= pi +cat << "_EOF" > /home/pi/.ssh/authorized_keys +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCzQpX9uqDP8L2gSZNJxYEi04Y1pZWz28v4zANY5dU6M35OFzXZcRcBqi2ZxiQofgxRrX9QlAcmcPFz8/CkpPw2WgQTflm+46ZrVEZcwwGwJsJwm7QVLQLd44/xtejEvMjzsuYDjJ1q4WhEvMSleTfOrix4yP0mjn83Zk1l6AMxR5J8DDumiHsGSYfcp+1XS9x4r4HP0mS2RpIy3rcoxLoJaYEKvVTj9qdvPMK7SDymZcvuBsgObEARVr77q4qhUfTP+xR91hHNEYD9FnCHF3qQBzlTlmTwpwhH6vOdWE3uUXCug9Ugw42Zj3PW0zd5rQ7EEpD9SDLbUqajpn2M5AlhkS9OrLpnIptocetRKNI9HzyAV1KqdNiQeL7/59d4y+HuZ9y032SaNzR1fw0nYMoHzTN9d+zPvziDZ183/pwtEXZNVVGzYO1r56n3S4vLx8YCpYqiHYVQVDF8aweoHYs3dAGAfPxmQ85+45UKpFR18XSGCqCO2fwbyTGDhkxCzU= pi _EOF ``` @@ -299,9 +299,9 @@ See [https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wi timedatectl set-timezone America/Montreal ``` -### Step 23: configure sysctl (if server is IPv4-only) +### Step 23: configure sysctl (if network is IPv4-only) -> Heads-up: only run the following if server is IPv4-only. +> Heads-up: only run the following if network is IPv4-only. ```shell cp /etc/sysctl.conf /etc/sysctl.conf.backup @@ -344,7 +344,7 @@ iptables -P INPUT DROP iptables -P OUTPUT DROP ``` -If server is IPv4-only, run: +If network is IPv4-only, run: ```shell ip6tables -P FORWARD DROP @@ -352,7 +352,7 @@ ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ``` -If server is dual stack (IPv4 + IPv6) run: +If network is dual stack (IPv4 + IPv6) run: ```shell ip6tables -A INPUT -i lo -j ACCEPT diff --git a/how-to-configure-self-hosted-vpn-kill-switch-using-pf-firewall-on-macos/README.md b/how-to-configure-self-hosted-vpn-kill-switch-using-pf-firewall-on-macos/README.md index 926e47b..8a92f0b 100644 --- a/how-to-configure-self-hosted-vpn-kill-switch-using-pf-firewall-on-macos/README.md +++ b/how-to-configure-self-hosted-vpn-kill-switch-using-pf-firewall-on-macos/README.md @@ -453,7 +453,7 @@ Firewall disabled (press ctrl+c to enable) ### Step 16: make sure PF is set to strict at boot ```shell -cat << EOF | sudo tee /Library/LaunchDaemons/local.pf.plist +cat << "EOF" | sudo tee /Library/LaunchDaemons/local.pf.plist diff --git a/how-to-configure-strongswan-client-on-headless-debian-based-linux-computer/README.md b/how-to-configure-strongswan-client-on-headless-debian-based-linux-computer/README.md index 5c3d5a3..992f1a0 100644 --- a/how-to-configure-strongswan-client-on-headless-debian-based-linux-computer/README.md +++ b/how-to-configure-strongswan-client-on-headless-debian-based-linux-computer/README.md @@ -23,7 +23,7 @@ Listed: true ## Guide -### Step 1: create client certs using certificate authority from [How to self-host hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS](../how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos) (using certificate authority computer). +### Step 1: create client key and cert using certificate authority from [How to self-host hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS](../how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos) (on certificate authority computer). #### Navigate to `strongswan-certs` folder @@ -34,7 +34,7 @@ cd ~/Desktop/strongswan-certs #### Set client common name ```shell -STRONGSWAN_CLIENT_COMMON_NAME=bob@vpn-server.com +STRONGSWAN_CLIENT_NAME=bob ``` #### Update OpenSSL config file @@ -67,7 +67,7 @@ subjectAltName = DNS:vpn-server.com extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 [ client ] authorityKeyIdentifier = keyid -subjectAltName = email:$STRONGSWAN_CLIENT_COMMON_NAME +subjectAltName = email:$STRONGSWAN_CLIENT_NAME@vpn-server.com extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 EOF ``` @@ -75,15 +75,15 @@ EOF #### Generate client cert ``` -$ openssl genrsa -out bob.key 4096 +$ openssl genrsa -out $STRONGSWAN_CLIENT_NAME.key 4096 Generating RSA private key, 4096 bit long modulus -..............................++ -....................................................................................................++ +............................++ +...........++ e is 65537 (0x10001) -$ openssl req -new -config openssl.cnf -extensions client -key bob.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=$STRONGSWAN_CLIENT_COMMON_NAME" -out bob.csr +$ openssl req -new -config openssl.cnf -extensions client -key $STRONGSWAN_CLIENT_NAME.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=$STRONGSWAN_CLIENT_NAME@vpn-server.com" -out $STRONGSWAN_CLIENT_NAME.csr -$ openssl x509 -req -extfile openssl.cnf -extensions client -in bob.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out bob.crt +$ openssl x509 -req -extfile openssl.cnf -extensions client -in $STRONGSWAN_CLIENT_NAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out $STRONGSWAN_CLIENT_NAME.crt Signature ok subject=/C=US/O=Self-hosted strongSwan VPN/CN=bob@vpn-server.com Getting CA Private Key @@ -138,7 +138,7 @@ apt update ### Step 6: install strongSwan -If you are shown an “Old runlevel management superseded” warning, answer “Ok”. +Heads-up: if you are shown an “Old runlevel management superseded” warning, answer “Ok”. ```shell apt install -y strongswan libcharon-extra-plugins @@ -146,9 +146,16 @@ apt install -y strongswan libcharon-extra-plugins ### Step 7: configure strongSwan -#### Backup and override `/etc/ipsec.conf` +#### Set strongSwan client name and server IP environment variables -Replace `185.193.126.203` with IP of server. +Replace `185.193.126.203` with IP of strongSwan server. + +```shell +STRONGSWAN_CLIENT_NAME=bob +STRONGSWAN_SERVER_IP=185.193.126.203 +``` + +#### Backup and override `/etc/ipsec.conf` ```shell cp /etc/ipsec.conf /etc/ipsec.conf.backup @@ -160,11 +167,11 @@ conn ikev2 dpdaction=restart closeaction=restart keyingtries=%forever - leftid=bob@vpn-server.com + leftid=$STRONGSWAN_CLIENT_NAME@vpn-server.com leftsourceip=%config leftauth=eap-tls - leftcert=bob.crt - right=185.193.126.203 + leftcert=$STRONGSWAN_CLIENT_NAME.crt + right=$STRONGSWAN_SERVER_IP rightid=vpn-server.com rightsubnet=0.0.0.0/0 rightauth=pubkey @@ -175,8 +182,8 @@ EOF ```shell cp /etc/ipsec.secrets /etc/ipsec.secrets.backup -cat << "EOF" > /etc/ipsec.secrets -: RSA bob.key +cat << EOF > /etc/ipsec.secrets +: RSA $STRONGSWAN_CLIENT_NAME.key EOF ``` @@ -189,9 +196,9 @@ sed -i 's/load = no/load = yes/' ./eap-tls.conf ./aes.conf ./dhcp.conf ./farp.co cd - ``` -### Step 8: copy/paste content of `ca.crt`, `bob.key` and `bob.crt` to server and make private key root-only. +### Step 8: copy certs and key to client and make private folder root-only. -On certificate authority computer: run `cat ca.crt` + + +On certificate authority computer, run: + +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt +$(cat ca.crt) +_EOF +EOF +``` + +On client computer, run output from previous command: + +```shell +cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt +-----BEGIN CERTIFICATE----- +MIIFWzCCA0OgAwIBAgIJAIBFc1JHIb/zMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV +BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG +A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjA5MTYyMDA4WhcNMzAxMjA3MTYy +MDA4WjBLMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n +U3dhbiBWUE4xFzAVBgNVBAMMDnZwbi1zZXJ2ZXIuY29tMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAyYp9BcqpYob99NMEPbfpjRvBXujnoFA440MyF2kx +2uJZliBxgJbZZMEIg4dGgbHDIJ3Pz9WuJZczhw35xjbcTo2JFPQ0In4KcbV8qdyb +1KQgvbuES9H4pb+QJDn46l/Djqhc4KU9jGzxvgVZF8GkwsIOP6vMrdarpzH2vG+8 +dNvvgB9LMDjMU4grbkqBwrCr8hJVrcoo6GRlmUP9hnGirUd5cSE9ycIgJsPssPuc +eCOocoewKiYFLjLTPMZyElhu8K1Rcn09EizcOJeaaaaLQTG67r2tD6wMW9aAtmz+ +acdJ98s3yp5mJt4SnMGnEN3VoTTCOBm2jXBH2hSh1sM/INP6bLSrYme4SkTwvSMD +8ebipybd3tcvBoQnRc3lWgI4JKyB5lRJTyExB8di9euLQ+XExpxcRKNmsrcbrLwU +1+YX0JnQ6XZNhreSqm8HN6iUn57CPdD+wMFnqHeq+kVxdEkTObnIYhyw9CMmGVHO +/YhsMCbrw9w5lpPp2/FgXvxkkpL2hwoQF8YoGmXi1zXKE5DEGegeM9fZaExdIPJr +CXvf30Xq3+ntfv9PkMvWeFcH5Hxo30tZ5u1c3R8YM/32iVAVgo1d80XUnXo3/Y89 +hOTNL2+M8CBc6rsIEcvs4KUClb5hwliiIignMdShfdAdzOgQYAZW0aZJs2Eg4vp4 +hlsCAwEAAaNCMEAwHQYDVR0OBBYEFA6byRT0reX3U+qj3VP9H+3ggglNMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAX +9yWi8WWi1fn8NVaWTsspZahzN58h8JngEcl9YFJEw+K41gztfgFp6nl4T6HJP4dX ++gcRT9uSLjQsBR58bdiE8oXHVePhpl3UdEg4tdZ7mHbB09aKRhtSmPx1LDIp+Zxk +71xH4ZYw1IvdSNZv/autMkHL+SQToXRLzrq7UZtg0SJWnP6Z9CBlpDKUu8jQuWUl +Y5kkKj4kCRF7mETuRKk/eW86qVCmbScSlItrHkHf6Y+53/aKVs5bCHuHkEJZ8j0E +q3jHrNhvl2VkVxD+1zsjrYXeJxux5zZUSBJ6gj+Hb/0VHoDJ8JFp1ZEB1AeZUY5u +dc2ObiCfMCBx9iiPdVian93K37quaijeIROA+JVOLFB7tPXyRlyECD311Sjt4YjV +zp/rK3DOfjuvu3hOx2dixvypOdb3r3e0F9ni9iurn7kgBT8u/+Z+FXTUZ8FFNgKX +hTQUcwkFfgRe2N71oRAzkMpjaXr8IvGLJ+kZ1koRHd/D6JU5/bSmW0K/5LxnW6K8 +/W/oTUc1Uu5tZ2LgXXieOCUz/h8EQ1UA6t0h1czgwpz/gPESJuhV1Y/POP7FCYHD +i7SLtWmIrt4dbGFwascWBzEBOG+rx6ilEFnrqRpoBCcl5B6aj2iTAS8lmuJaYMTJ +JJAKOaEm18Vl0ntydZ1BSldekjJNYFCENvCNXp/vRg== +-----END CERTIFICATE----- +_EOF +``` + +On certificate authority computer, run: + +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/private/$STRONGSWAN_CLIENT_NAME.key +$(cat $STRONGSWAN_CLIENT_NAME.key) +_EOF +EOF +``` + +On client computer, run output from previous command: + +```shell +cat << "_EOF" > /etc/ipsec.d/private/bob.key +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEAm7IuJck8H0xM9Fa07gh2ZDzSW9NNCUWavhmr+hse4ZcpFbNN +1D6uaa9sWBNReVzd9PRo7cJwzhTqMYsNF5nLrhdeAlIE9ans/maZlIf4EJ4fNZV8 +WqJ2ySWrPNhc7rcKXgyQPSzD3g+N+GmuzfvoQczFOVgT+H8LGeQIM+qjJRJk+UOY +mMov4UAV38SWbMy4vWid2uDVU9jJRSIbUU7CTV3uvZ/XQJRQxtBBxKpGiZiVoImx +iHKrP9cSHlvY5RqfCsS8OxO6YvyIyYE/no6wG0D+H9fd7g8U7jXRphL0mJK5XOAP +DRjYUfQms6dGeswtMoxhj7282ryOOLOt04IZsjUIqzIzSxvqhdLMBKuD2SJAzC/E +x+5rmGFFpHQbAatvHGffhinzQH842+Pi73Qdkx9NEGaXZJWkWC6S4SAR5olBZKxp +4H9lyhUUqMbluoRp0NngeQT8TEinRKiO2KtDx6DpWlIwIfxAzv76wyDbRBgzmaa3 +F31EM41Bu3/ch+BL7tnxVJhyugFFuESLYuIam3gm2XK9ZndWIuKyvH3/sLvuhxwf +sFvvOG/SObYenBQozYgS0LzNTzTLaoZIhkI/UsKQjGnPPCcc1hhB33mkNNwEtVyn +q3o5d1YVTN6q6LVx+BOHA1dJjCpMUME2bwql3WefVWRoD22WWizk6KcQfW0CAwEA +AQKCAgB4pvE/8tuWXWhdCDwZIZGtR7yzz+CoyLmLixVMMWwS4TLDUDmFujUqTPim +oAHJDIAr7KLLbJxB9s8tKVYx7cp61DzTi3+wZ8fxtMxa36sKJZ6FxZuiGLf4VCqI +chpCGrH8A7xay6/VCzS3Rh5iHU30f5xuPaTsMncFz0HUCYX3mnOI/iroa/YClcjd +qNfw5AxdKw74qLZnzVzbJ/0HWwMTNTFm3NDPiJ+4EXaF0nXq9sUsrMdYt5OhWyb9 +Q6umjqSkkaRUG4uaXZwamwAT/PrXg9vqDTw72JAdsLMQASxud3URVcgUHCa2C39a +RMxHKKX1v/dyjlQlJW0I36RafT0vOHMsqjxG919vLfiMFztn8AZejsYcMCe8qYMq +aybQQNMR3aW+f4OEbLidRxujmxN3hvVVkyEppr/J5qzgkFB51zb30ooDTp90SE2y +5ArXXI2N/e+JXh2R08ev1ScI32rSmRa/Xw33IfyO8XOnUepAvfB586XEUIa6CXNC +r2rJJ/OHgXEktyEGQfxJ6lORINPpx+qh74gg8YW7rLKKeKOJM1i85w8Trs/NHKB6 +Ok0sn2V0RsJT1csqA0SSRc1kRMmJxj6dBrWXbp2eeo/nNBfX7kwGoouK9pMYXZv/ +aNx/0ZuN3uC62kkvWvCotifRggjnHxCSBtNljwaRySGDByBIAQKCAQEAzpZyVJDN +KUyFps6+oTgAfo5xDyWTEZpFkrDMyA2eJ0cxHWSMdVnK5U858oTGWeAK2kNDnznI +cfDtgjsorZqYYqPK6SI3/iYKw6NqA1E7hMJF78aitXVxhj0OiCN2hpMoFmm9wdcE +4XRru9/bEbSmc2NGrL25gKvYJ+1CZ6QRMUhlW6P3JjKPcmopCKKTobxErLiyOjnY +G8ne7UvY4M8d9ElpdDfNHaVw0+wkGemw/8s82QhkTFagMv9cTH8rwoe4fcKWbhn0 +6QNxowLMVecdyhd5GAnxRb1ccFal58y0byivge4MtVeZlsvGuPjD4bXwMIUvcVS+ +XswhijwbtaUebQKCAQEAwO+XHFtxA9ByIFD66fJ84/HWGyoYP/hDpexrxJrLjJuP +i6Y23RtewVs7LFmj88i29xLUjJ3vp7syQ8iGxPz0hxd4i/QQI8Jed1lV+6eiQbv0 +eHRP7P7QlyhUpjT5KYVAn7vEA4r51vtIQ4aIawF2S29ZvZO+4PJFb/gyOmtz+mPO +6Ok25KgzVX22DgqGYVcETGasaCioob37QjOrSu9Bid2hrzmf+Et5SyhvyRKOSVAw +SxRUqp5tCp2P2h1Xn/BO7kCzypkRyhDRTqcEMuVdnBWEN4oceA+Xyzfq62VLCb/5 +z0sa7le46MWCNG+DaMLgZtwfCWDxQD/MQrT/luF7AQKCAQBGAtJoOlJtBpPcvf/4 +nwP738YM/gzjUEb3uZcMzSCl6wiID4VSV8XdBIZ82+ZkmvrSkS0fjvORObckBWx5 +uQSfmSaw73nOVZIcTwskaKklCrms0sJdgJmihpqgJHSMkt5pChjW0knDJjNEjk6t +p20peaF/9SQiqRouHcf9W6q/6ur+rYial1Pp0HRrir1BeI5FgqpT9Tp54GX+QVAU +j9x051QnoKmQvHqKN2LcrUfgyD2sx51GCa1s2wGqowZvfJNXe1SDp6RKO3KNbetV +yWddD6toLCZqHgxvvc2nysXzTfR8sfH4muFgK1sDYLrxiTkHGHvFipShh8huEoTJ +gFXZAoIBADOptHAOeFPKJFVM+fNdUF4Fawy5F+dBRnQOu8jYnnrXSPffGT/ZzWS/ +VjgJBOMJsxyz+SByRjNG6C3Ia3YiOiRWf5wSTaQVrxAMZv7NI6CwgMUkeCaBET/4 +t7oN405f9S8Qq2s7cq1DelVCmBL3QELw3TnrbyhzF27lKiYEkfjRcx1hHaba92wE +DpTx8ovsLiV7NN1rTcSJx9cxWMPnD0iohVwTdSeapi8e89gG1P0CsPvZxNYvOAmo +qVWBl+4m/ivEPaCZnm7aVAHYrUInswpRpKbun7LykfYD0i8YX6CLvIvqk5qQ+N2z +zarW1Xxe+pHwjYsIX3GR49NU/j/bvwECggEAXgBQQjW0i5sMU53zBcc7BYaDdLIz +kreFUV1+sfE5Z4tBtjks86ujnA11lrfpojN7alo0FbpkDqBiJCl2inCVryZWhHuM +jjSfmJmc3Yu7mkCP7ClLhBbuJYvAK8NNwoMhKzpz4SCncM7icsyKBomOCfWyJtCt +pnG3Kv8lcZdpmbaYxtbum2MMaTuZQPDJwIe+TXgwUWs5JpaVaoA+pxg7hVVm/etl +Q792SFlYfocvqZ7NVNQ29YizcUHCoUmYNbBaRWJBFDF5TKywv+rBx+k8lfYz2AZC +ImQBryT2Ndf0PcKX0yKfUfd78Cg5+X9mt8LTfHN8HDoMirMCANbpMFRgHQ== +-----END RSA PRIVATE KEY----- +_EOF +``` + +On certificate authority computer, run: + +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/certs/$STRONGSWAN_CLIENT_NAME.crt +$(cat $STRONGSWAN_CLIENT_NAME.crt) +_EOF +EOF +``` + +On client computer, run output from previous command: + +```shell +cat << "_EOF" > /etc/ipsec.d/certs/bob.crt +-----BEGIN CERTIFICATE----- +MIIFfjCCA2agAwIBAgIJAN19ZfXadJDLMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV +BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG +A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjEwMTE1MjU3WhcNMzAxMjA4MTE1 +MjU3WjBPMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n +U3dhbiBWUE4xGzAZBgNVBAMMEmJvYkB2cG4tc2VydmVyLmNvbTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJuyLiXJPB9MTPRWtO4IdmQ80lvTTQlFmr4Z +q/obHuGXKRWzTdQ+rmmvbFgTUXlc3fT0aO3CcM4U6jGLDReZy64XXgJSBPWp7P5m +mZSH+BCeHzWVfFqidsklqzzYXO63Cl4MkD0sw94Pjfhprs376EHMxTlYE/h/Cxnk +CDPqoyUSZPlDmJjKL+FAFd/ElmzMuL1ondrg1VPYyUUiG1FOwk1d7r2f10CUUMbQ +QcSqRomYlaCJsYhyqz/XEh5b2OUanwrEvDsTumL8iMmBP56OsBtA/h/X3e4PFO41 +0aYS9JiSuVzgDw0Y2FH0JrOnRnrMLTKMYY+9vNq8jjizrdOCGbI1CKsyM0sb6oXS +zASrg9kiQMwvxMfua5hhRaR0GwGrbxxn34Yp80B/ONvj4u90HZMfTRBml2SVpFgu +kuEgEeaJQWSsaeB/ZcoVFKjG5bqEadDZ4HkE/ExIp0SojtirQ8eg6VpSMCH8QM7+ ++sMg20QYM5mmtxd9RDONQbt/3IfgS+7Z8VSYcroBRbhEi2LiGpt4JtlyvWZ3ViLi +srx9/7C77occH7Bb7zhv0jm2HpwUKM2IEtC8zU80y2qGSIZCP1LCkIxpzzwnHNYY +Qd95pDTcBLVcp6t6OXdWFUzequi1cfgThwNXSYwqTFDBNm8Kpd1nn1VkaA9tllos +5OinEH1tAgMBAAGjYTBfMB8GA1UdIwQYMBaAFA6byRT0reX3U+qj3VP9H+3ggglN +MB0GA1UdEQQWMBSBEmJvYkB2cG4tc2VydmVyLmNvbTAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUIAgIwDQYJKoZIhvcNAQEFBQADggIBAF7fnx51tOGfdKKx3FiL +UwdVBs9gW/Ox4MjqjawinUgab0+5T5r4C8SbunBFUiLx+GdbqlhXDQBkqK94xYM4 +/aQ7sUScDfgOm7E/wryZ7zQLow223lD0SHGeGAvGDtX/uyraWYEPL7RXyQwkScpk +Qp+hpsJJdYD4lEpNLfm7UwZcimqoT2kae0T7veDGmoyL9ii2OWvdj/pNOmFjPa1w +Cfe8J9TfPXdvzT25VpiMZlUSxlbfK9IP/UePfhA+tyFwhE6c9XPlz2yYuh/U9HLb +iscVXqIJGbj7YrDADPII0JG+Ayu7vD7sKlDMhseJh4B8sR2XediAYIEHh1J9nDf0 +kxrjrQb/1kwriB1rk8vmSGuQ21vIoIVFDcB1RzW4nx+fOz91C5x1IubvQrn2P4oU +wn99CZo10YMFxG8ThhEI0VkPMj77h8SJ14ymslbKigQlbxnAgqdhMCRjK6hNHi7s +BI/ZS+hXP2C3A/6R7kt05ycoYI4xXzTKV2PIZXfgOt81xayidTeE8470Hc0B8+iU +zHyJhIjephqU6Pf4bjfJlu2/adjQNsAz9E+7UBeHJHlFHUxdtd63weD01IcBm+ZT +BxnbLQPPagoNdg6xVBEXi9OtBWWY+wHOb8ak1lTmGWrdFvOOxHszJl88yX+TNkLW +UpTExBlA0rjkNBDdlkNfRSRF +-----END CERTIFICATE----- +_EOF +``` + +On client computer, run `chmod -R 600 /etc/ipsec.d/private` ### Step 9: restart strongSwan @@ -218,51 +392,62 @@ $ ipsec status Security Associations (1 up, 0 connecting): ikev2[1]: ESTABLISHED 3 minutes ago, 10.0.1.69[bob@vpn-server.com]...185.193.126.203[vpn-server.com] ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3fcabed_i c2b0c4cd_o - ikev2{1}: 10.0.2.199/32 === 0.0.0.0/0 + ikev2{1}: 10.0.2.171/32 === 0.0.0.0/0 ``` ESTABLISHED 👍 -> Heads-up: use following steps to assign static IP to strongSwan client +### Step 11: confirm client computer public IP matches strongSwan server IP -### Step 11: log in to server +```console +curl https://checkip.amazonaws.com +185.193.126.203 +``` -Replace `185.193.126.203` with IP of server. +185.193.126.203 + +👍 + +> Heads-up: use following steps to assign static private IP to strongSwan client + +### Step 12: log in to server + +Replace `185.193.126.203` with IP of strongSwan server. ```shell ssh vpn-server-admin@185.193.126.203 -i ~/.ssh/vpn-server ``` -### Step 12: switch to root +### Step 13: switch to root ```shell su - ``` -### Step 13: get virtual MAC address assigned to strongSwan client +### Step 14: get virtual MAC address assigned to strongSwan client -> Heads-up: run `ipsec status` as root on headless Debian-based Linux computer to see which IP was assigned to strongSwan client (`10.0.2.199` in the following example). +Replace `10.0.2.171` with private IP assigned to strongSwan client by strongSwan server (see [step 10](#step-10-confirm-strongswan-client-is-connected)). ```shell -$ cat /var/lib/misc/dnsmasq.leases | grep "10.0.2.199" | awk '{print $2}' -7a:a7:3b:4b:77:16 +$ cat /var/lib/misc/dnsmasq.leases | grep "10.0.2.171" | awk '{print $2}' +7a:a7:9f:c0:9d:b0 ``` -### Step 14: assign static IP to strongSwan client +### Step 15: assign static IP to strongSwan client ```shell -echo "dhcp-host=7a:a7:3b:4b:77:16,10.0.2.2" >> /etc/dnsmasq.d/01-dhcp-strongswan.conf +echo "dhcp-host=7a:a7:9f:c0:9d:b0,10.0.2.2" >> /etc/dnsmasq.d/01-dhcp-strongswan.conf ``` -### Step 15: restart dnsmasq +### Step 16: restart dnsmasq ```shell systemctl restart dnsmasq ``` -### Step 16: log in to client computer +### Step 17: log in to client computer Replace `pi@10.0.1.69` with SSH destination of client computer and `~/.ssh/pi` with path to associated private key. @@ -270,26 +455,26 @@ Replace `pi@10.0.1.69` with SSH destination of client computer and `~/.ssh/pi` w ssh pi@10.0.1.69 -i ~/.ssh/pi ``` -### Step 17: switch to root +### Step 18: switch to root ```shell su - ``` -### Step 18: restart strongSwan +### Step 19: restart strongSwan ```shell systemctl restart strongswan ``` -### Step 19: confirm strongSwan client has IP `10.0.2.2` +### Step 20: confirm strongSwan client has IP `10.0.2.2` ```shell $ ipsec status Security Associations (1 up, 0 connecting): ikev2[1]: ESTABLISHED 3 minutes ago, 10.0.1.69[bob@vpn-server.com]...185.193.126.203[vpn-server.com] ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3fcabed_i c2b0c4cd_o - ikev2{1}: 10.0.2.5/32 === 0.0.0.0/0 + ikev2{1}: 10.0.2.2/32 === 0.0.0.0/0 ``` 10.0.2.2/32 diff --git a/how-to-self-host-hardened-borg-server/README.md b/how-to-self-host-hardened-borg-server/README.md index a30c575..7442d92 100644 --- a/how-to-self-host-hardened-borg-server/README.md +++ b/how-to-self-host-hardened-borg-server/README.md @@ -43,22 +43,22 @@ Enter same passphrase again: Your identification has been saved in borg. Your public key has been saved in borg.pub. The key fingerprint is: -SHA256:b4YxePgBjP9hB/wPFz7MkzM5fDYEBtbtOBd7kxRTicY borg +SHA256:9DzU/jDPyR/vGe8k2Yn1p31wF8UxLzCmYEj//D6+oYk borg The key's randomart image is: +---[RSA 3072]----+ -| oo+..o=| -| o . . ..Eoo.| -| . o o oooo.| -| . + o =o=+o.| -| + S + #o+..| -| = O + O . | -| + + . | -| o | -| | +| ...o + +.| +| .o . + o =| +| o o . . o| +| . * . o | +| S * + ..| +| o B++=| +| o.O**| +| . +.. *O| +| E o.+o.+O| +----[SHA256]-----+ $ cat borg.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClMqEv1xTTWrz9cRGFsjtQ5ieK7sMs2eUMyROg1emhblUmGd6cMMfQDFDlwXUXk7ZPDHIkN3k9recff1oa3tvW+9D2oqGSyG0WOXqbZNHXZUSEhb9giOlVij0kOjfVbMR37zMZn+e6cVzq75Kn5B/ZSm9pfpWI5p4sHEn9S8TvoSgvCCu67bWc3UHHedd9dK5kJUPHNHvZUf+ebNo69iZuKE9HSP7eifGx5DszkU5cs6DPivAvRGgGer7Um2piQ+T7q+XcKo0JcaXVaObDZSGTZwiF8xAFDF1bfCl9jna26ZqqPKHdJJTEl8gaj9MQH6vlsAZ40xeFyCxiG0AhVpQ6SeeIN2qkf6k7EDyUQNcCmwY23THhFhEjfjuq6mbsuCK52tUx7bDMF8wed0lQ5k7OLuQuwyxDUinz3aBwboUQxxHfzImgKXzIrZ0hPge3fIgtFUBiUwFUv5xnTzBIStP5BFf5Ca5oxRq4rJDORnD0wMuMTWSyGZFVU5iEVml0Jhk= borg +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwCdu7RCOmISZQ5cr43lDRPrFoxCXcVfCREYsdTIBEoQrIwyg1jZyzQMf9kORIGcNe5+olIj1aK9qVg0hCEeDSJosSsMP5o8tQJzNu5aYCtnADlZ+AuCgp5CpL1vECMaQsfQV9nju3ScE/+0C/MSYVvDx5sbRvi1XuutBbCAZtlUa7Rn7S8/X08XLFasM7KhFz7AH2Hvvi1i3Cg1WqkRKzpXE/uxntZ/qZxBdpa2WEN/phD4LgmmCbzKJYflhJNKJnYQZxGveGsdexdrDpEbajVECBw/0ntS5/YYaLxzqCrNGyCRdAajIccuOLQjRGzr9U5mdzVpHhkCLjbIDQ1JHxtb9nHxNgvGep7z0UCqawdcJN2nEr1D7Khu7Mh8mryR7iBxqEdPfdARuQn3kMFH+YA5NASTus9p/MR1cavJmBq3u88oNje8q+szkBsQDb1h0n0eAzjjDXRSxgm8bdtpi07TjTNCc+AmhYiym+MYXmbxqMO6pnjjE1I+ht3a8zUU0= borg ``` ### Step 2: create `borg-append-only` SSH key pair (on computer) @@ -76,7 +76,7 @@ Enter same passphrase again: Your identification has been saved in borg-append-only. Your public key has been saved in borg-append-only.pub. The key fingerprint is: -SHA256:xR8BvPMujEM955VubA/TWVlqt/Nt2INNX4UIw3wtssw borg-append-only +SHA256:Se6MQbWpFg0lWI2+fJ1IVPtUCs/ZRYrgtpz4F3hi2ow borg-append-only The key's randomart image is: +---[RSA 3072]----+ | +.... | @@ -91,7 +91,7 @@ The key's randomart image is: +----[SHA256]-----+ $ cat borg-append-only.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsEfUNEZToWjefcGr8Dy/d+6ILuklWjC18E3ziaCZPNzKZAMfZTXm0CqKYgwRH5UXgYz//3gLPLNLtlHNeluVXSzLO1pxc+2Au19JOfzgcy86A3y4Gx8lFh80VyHhm33LjHsKsgacF2C0tKDBaJ/WqwDpX0m+E1WHCF0xZ7QdgGEoqj31yJ34WCeOXOro1yJfrV98iVWKuokCMHboaQoXTNu4+AMzGw/1MPUgmkT1nGnBpN5lP1v+kwAXAemC+A+Aw8gLf3pq84uAOhiTficH57PiyasJtwll5loDinkhnBtYhPHO9qN+M+n0by3rmIhsEIukdpwiI5Qm4LNTm6i53NiX1rfN2ln4SvqwVG7mmkqP9PbJXsgtD6mNjXOhncHvHeTbEb8IAHg28hGpq1rn8284+2jvviw9FMAzIgkeLRmAHz+XVAOmZDkn0128H4bYXAOeLISxTbgY1WAWzGnW+kCYbmQV3e8wAyOrp8mfZ1LgMvfc2/o0D9828Zy5UP4c= borg-append-only +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2cmGUEKwopEN0vpHl2yNoV/wvm21D1hOP/8V886iCawgYpP5SUNpuVTDEgZEFJSvTMtfPaBicln0ULx8bp5NAiOQ8uPIvJD3xaacwISwvCVSYXY8jnQG3eRuhbKCU0aVFLONjnAvo288+NWbVcLw8Y166MPyk+tVz76plmv0LGefrZ0yPG99MngR3E5BLQk1EWQoH1kWGGHNFecFtMLq3usX23Ee4e605gfkWWoj7xSgpujfCHi/re6u7B25cn5t2eR7Ee0qRe/O2Sid2yIma7zK2l9NA0+k7pGngyXUTnGx9bI4+xM5qY0ZJcOQk03UJh52Gx8zXFASOxdGO71FiHvYKz60yyd5dUetPcBOYUygdejdBeBS36bh6SisXE/iI6aOfB/ViZd2ZNne1Fb7ijakyNsDCVEAWkMGJxnN8ZCapGsfG9YhKk/fU92Yxjos+AB1IC3M9Qjq5p8fZGsKdRtzJ3zxtTyk5dQEziAbmBVIJYyFohx/aCUB+MVF9xaM= borg-append-only ``` ### Step 3: generate SSH authorized keys heredoc (on computer) @@ -106,7 +106,7 @@ BORG_STORAGE_QUOTA="10G" ```shell cat << EOF -cat << _EOF > /home/borg/.ssh/authorized_keys +cat << "_EOF" > /home/borg/.ssh/authorized_keys command="borg serve --restrict-to-repository /home/borg/backup --storage-quota $BORG_STORAGE_QUOTA",restrict $(cat ~/.ssh/borg.pub) command="borg serve --append-only --restrict-to-repository /home/borg/backup --storage-quota $BORG_STORAGE_QUOTA",restrict $(cat ~/.ssh/borg-append-only.pub) _EOF @@ -178,9 +178,9 @@ mkdir -p /home/borg/.ssh #### Create `/home/borg/.ssh/authorized_keys` using heredoc generated at [step 2](#generate-heredoc-the-output-of-following-command-will-be-used-at-step-8) ```shell -cat << _EOF > /home/borg/.ssh/authorized_keys -command="borg serve --restrict-to-repository /home/borg/backup --storage-quota 10G",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClMqEv1xTTWrz9cRGFsjtQ5ieK7sMs2eUMyROg1emhblUmGd6cMMfQDFDlwXUXk7ZPDHIkN3k9recff1oa3tvW+9D2oqGSyG0WOXqbZNHXZUSEhb9giOlVij0kOjfVbMR37zMZn+e6cVzq75Kn5B/ZSm9pfpWI5p4sHEn9S8TvoSgvCCu67bWc3UHHedd9dK5kJUPHNHvZUf+ebNo69iZuKE9HSP7eifGx5DszkU5cs6DPivAvRGgGer7Um2piQ+T7q+XcKo0JcaXVaObDZSGTZwiF8xAFDF1bfCl9jna26ZqqPKHdJJTEl8gaj9MQH6vlsAZ40xeFyCxiG0AhVpQ6SeeIN2qkf6k7EDyUQNcCmwY23THhFhEjfjuq6mbsuCK52tUx7bDMF8wed0lQ5k7OLuQuwyxDUinz3aBwboUQxxHfzImgKXzIrZ0hPge3fIgtFUBiUwFUv5xnTzBIStP5BFf5Ca5oxRq4rJDORnD0wMuMTWSyGZFVU5iEVml0Jhk= borg -command="borg serve --append-only --restrict-to-repository /home/borg/backup --storage-quota 10G",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsEfUNEZToWjefcGr8Dy/d+6ILuklWjC18E3ziaCZPNzKZAMfZTXm0CqKYgwRH5UXgYz//3gLPLNLtlHNeluVXSzLO1pxc+2Au19JOfzgcy86A3y4Gx8lFh80VyHhm33LjHsKsgacF2C0tKDBaJ/WqwDpX0m+E1WHCF0xZ7QdgGEoqj31yJ34WCeOXOro1yJfrV98iVWKuokCMHboaQoXTNu4+AMzGw/1MPUgmkT1nGnBpN5lP1v+kwAXAemC+A+Aw8gLf3pq84uAOhiTficH57PiyasJtwll5loDinkhnBtYhPHO9qN+M+n0by3rmIhsEIukdpwiI5Qm4LNTm6i53NiX1rfN2ln4SvqwVG7mmkqP9PbJXsgtD6mNjXOhncHvHeTbEb8IAHg28hGpq1rn8284+2jvviw9FMAzIgkeLRmAHz+XVAOmZDkn0128H4bYXAOeLISxTbgY1WAWzGnW+kCYbmQV3e8wAyOrp8mfZ1LgMvfc2/o0D9828Zy5UP4c= borg-append-only +cat << "_EOF" > /home/borg/.ssh/authorized_keys +command="borg serve --restrict-to-repository /home/borg/backup --storage-quota 10G",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwCdu7RCOmISZQ5cr43lDRPrFoxCXcVfCREYsdTIBEoQrIwyg1jZyzQMf9kORIGcNe5+olIj1aK9qVg0hCEeDSJosSsMP5o8tQJzNu5aYCtnADlZ+AuCgp5CpL1vECMaQsfQV9nju3ScE/+0C/MSYVvDx5sbRvi1XuutBbCAZtlUa7Rn7S8/X08XLFasM7KhFz7AH2Hvvi1i3Cg1WqkRKzpXE/uxntZ/qZxBdpa2WEN/phD4LgmmCbzKJYflhJNKJnYQZxGveGsdexdrDpEbajVECBw/0ntS5/YYaLxzqCrNGyCRdAajIccuOLQjRGzr9U5mdzVpHhkCLjbIDQ1JHxtb9nHxNgvGep7z0UCqawdcJN2nEr1D7Khu7Mh8mryR7iBxqEdPfdARuQn3kMFH+YA5NASTus9p/MR1cavJmBq3u88oNje8q+szkBsQDb1h0n0eAzjjDXRSxgm8bdtpi07TjTNCc+AmhYiym+MYXmbxqMO6pnjjE1I+ht3a8zUU0= borg +command="borg serve --append-only --restrict-to-repository /home/borg/backup --storage-quota 10G",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2cmGUEKwopEN0vpHl2yNoV/wvm21D1hOP/8V886iCawgYpP5SUNpuVTDEgZEFJSvTMtfPaBicln0ULx8bp5NAiOQ8uPIvJD3xaacwISwvCVSYXY8jnQG3eRuhbKCU0aVFLONjnAvo288+NWbVcLw8Y166MPyk+tVz76plmv0LGefrZ0yPG99MngR3E5BLQk1EWQoH1kWGGHNFecFtMLq3usX23Ee4e605gfkWWoj7xSgpujfCHi/re6u7B25cn5t2eR7Ee0qRe/O2Sid2yIma7zK2l9NA0+k7pGngyXUTnGx9bI4+xM5qY0ZJcOQk03UJh52Gx8zXFASOxdGO71FiHvYKz60yyd5dUetPcBOYUygdejdBeBS36bh6SisXE/iI6aOfB/ViZd2ZNne1Fb7ijakyNsDCVEAWkMGJxnN8ZCapGsfG9YhKk/fU92Yxjos+AB1IC3M9Qjq5p8fZGsKdRtzJ3zxtTyk5dQEziAbmBVIJYyFohx/aCUB+MVF9xaM= borg-append-only _EOF ``` diff --git a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/README.md b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/README.md index de72117..6b72adf 100644 --- a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/README.md +++ b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/README.md @@ -12,7 +12,7 @@ Listed: true [![How to self-host hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS - YouTube](how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos.png)](https://www.youtube.com/watch?v=HY3F_vHuTFQ "How to self-host hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS - YouTube") -> Heads-up: when following this guide on IPv4-only servers (which is totally fine if one knows what one is doing), it’s likely IPv6 traffic will leak on iOS when clients are connected to carriers or ISPs running dual stack (IPv4 + IPv6) infrastructure. Leaks can be mitigated on iOS (cellular-only) and on macOS by following this [guide](../how-to-disable-ipv6-on-ios-cellular-only-and-macos). +> Heads-up: when following this guide on servers with upstream IPv4-only networks (which is totally fine if one knows what one is doing), it’s likely IPv6 traffic will leak on iOS when clients are connected to carriers or ISPs running dual stack (IPv4 + IPv6) networks. Leaks can be mitigated on iOS (cellular-only) and on macOS by following this [guide](../how-to-disable-ipv6-on-ios-cellular-only-and-macos). ## Requirements @@ -48,22 +48,22 @@ Enter same passphrase again: Your identification has been saved in vpn-server. Your public key has been saved in vpn-server.pub. The key fingerprint is: -SHA256:4On7WymZIcM5p8SbsybwJpaFIUrnTUMf/1fdAhI1WPY vpn-server +SHA256:KJ8pRZUCVtFh5JEUprW+iFolSYJoA4KxdIcK2puBQaE vpn-server The key's randomart image is: +---[RSA 3072]----+ -| .== | -| . . o..o | -| . o o . .E o| -|.... * = . ..o| -|o.ooo % S . .. | -|. o..+ O + o . | -| = * + o . | -| + + .+ o | -| . o oo.o. | +|*=..++o=@= | +|Xo.o. .B+o | +|E*o . o.o | +|+.+o o o | +| ++ + S | +| o B + . | +| + = . | +| o . | +| . | +----[SHA256]-----+ $ cat vpn-server.pub -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCu4k9OcJlatGgUoo41m18Hekv+nSHq1w7qcuAuOZWLI8y5aYkLzyEgyp7EibB0rcmwiZfwx/RDb5zAvlr9KGsOWOYJ/gRIf4AwK1PdBPDo8jaa02J/H585NHV7T7XJ7Ycl/LeJh+oDXGs4OOspiFM/7NuleqCA0sSuJEnnuuTZsIDAlJwtWIJTM8lg4nWCQx2xAGkRyx4eNHE2vmlg+xHu3PbHg9kpSIaBWpx0WsysypyaB77+pkid6kYzxPXexoxFm4FnkoY7PZGb97wl4FwW1EK/yo9rnwbtEq5ny96JEHqeJdxeBGHYrsAoRro4jPWYXvdXZV2s27NYC6S3yHsJdaLfyfJXyTaygOyyaf39GcwqfJZpmVYwVyfZ2Go6ec9R/dFbKEA4Ue7aeCkDskSTiMuUZjYjfhezpa4Y0Jiy+lDZFVSv3tsBYu7Nxq0erZ2ygRJAXUMvvyFICJQGUhblRGXAOwYUt72CSUM0ZMsr84aOWsyzRwVQXzxETuDgnXk= vpn-server +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDACoPiTWsEeNyp/aGvCgeAU2qryRDPWr6MniXMLmZCSw0p68IkppYDLC+xDJCNIdwe8X4d892ROvEpCc7JVVfSDhF5lTS8qMJPMlmcJHjVRBwd/+VItD386LlltQMNtl0v8D2NY9ho+6yWJPuMBggu2zMe6ubnNaiJmdenqWktjawru0HsoRmz33jtNSk12e/yFw9xyXK9cYbrCBj17Gcts7mvhndHB0bfeSSozDx2cd/QRw3RE088AZpyUCVG3UpfyhcZK62btT/OaPTBkIYiLst7VuPtNwm7tAVDdy+JoFN+/mPlnQIG+Dmn36IFlK8gBTIu7ahR2omKYBuYfQwfqE24QTfHsVEYIR/fI1EHg0yAu+QTtyv8pUX7vs6qgQVYLVMdPsO510SOZyfNvLQfPmCCk5yif53V74x9Ft56ja92ktw/IXgal48LUNNybO4l0Q8Jf1j2DvTaq6VGBxqE3p6pcDlaNyWGFitdvBzPJrGc/hdJ7HLdDQS47xQM3SM= vpn-server ``` ### Step 2: log in to server as root @@ -215,7 +215,7 @@ See [https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wi timedatectl set-timezone America/Montreal ``` -### Step 15: detect network interface and save to environment variables +### Step 15: save default network interface as environment variable ```console $ ip -4 route | grep "default" | awk '{print "STRONGSWAN_INTERFACE="$5}' | tee -a ~/.bashrc @@ -224,9 +224,9 @@ STRONGSWAN_INTERFACE=eth0 $ source ~/.bashrc ``` -### Step 16: install cURL and Python, generate random IPv6 ULA and save to environment variables (if server is dual stack) +### Step 16: install cURL and Python, generate and save random IPv6 ULA as environment variable (if network is dual stack) -> Heads-up: only run the following if server is dual stack (IPv4 + IPv6). +> Heads-up: only run the following if network is dual stack (IPv4 + IPv6). #### Install cURL and Python @@ -234,7 +234,7 @@ $ source ~/.bashrc apt install -y curl python3 ``` -#### Generate random IPv6 ULA and save to environment variables +#### Generate and save random IPv6 ULA as environment variable Shout out to [Andrew Ho](https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8) for `ulagen.py`. @@ -286,7 +286,7 @@ iptables -P INPUT DROP iptables -P OUTPUT DROP ``` -If server is IPv4-only, run: +If network is IPv4-only, run: ```shell ip6tables -P FORWARD DROP @@ -294,7 +294,7 @@ ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ``` -If server is dual stack (IPv4 + IPv6) run: +If network is dual stack (IPv4 + IPv6) run: ```shell ip6tables -A INPUT -i lo -j ACCEPT @@ -405,7 +405,7 @@ systemctl restart systemd-networkd #### Install dnsmasq -Please ignore systemd port conflict error (if present). +> Heads-up: please ignore systemd address already in use error (if present). ```shell apt install -y dnsmasq @@ -429,7 +429,7 @@ systemctl restart dnsmasq ### Step 23: install strongSwan -If you are shown an “Old runlevel management superseded” warning, answer “Ok”. +> Heads-up: if you are shown an “Old runlevel management superseded” warning, answer “Ok”. ```shell apt install -y strongswan libcharon-extra-plugins @@ -463,7 +463,7 @@ $ systemd-resolve --status | grep "DNS Servers" | awk '{print $3}' 95.215.19.53 ``` -#### Set DNS nameserver(s) +#### Set DNS nameservers environment variable Replace `95.215.19.53` with server DNS nameserver(s). @@ -479,7 +479,7 @@ STRONGSWAN_DNS_NAMESERVERS=95.215.19.53 cp /etc/ipsec.conf /etc/ipsec.conf.backup ``` -If server is IPv4-only, run: +If network is IPv4-only, run: ```shell cat << EOF > /etc/ipsec.conf @@ -513,7 +513,7 @@ conn ikev2 EOF ``` -If server is dual stack (IPv4 + IPv6) run: +If network is dual stack (IPv4 + IPv6) run: ```shell cat << EOF > /etc/ipsec.conf @@ -562,16 +562,16 @@ EOF cp /etc/strongswan.d/charon-logging.conf /etc/strongswan.d/charon-logging.conf.backup cat << "EOF" > /etc/strongswan.d/charon-logging.conf charon { - filelog { - charon { - default = 1 - } + filelog { + charon { + default = 1 } - syslog { - auth { - default = 1 - } + } + syslog { + auth { + default = 1 } + } } EOF ``` @@ -582,11 +582,11 @@ EOF cp /etc/strongswan.d/charon/dhcp.conf /etc/strongswan.d/charon/dhcp.conf.backup cat << "EOF" > /etc/strongswan.d/charon/dhcp.conf dhcp { - force_server_address = yes - identity_lease = yes - interface = strongswan0 - load = yes - server = 10.0.2.1 + force_server_address = yes + identity_lease = yes + interface = strongswan0 + load = yes + server = 10.0.2.1 } EOF ``` @@ -610,7 +610,7 @@ systemctl daemon-reload ### Step 25: create `strongswan-certs` folder -> Heads-up: for security reasons, steps 23 to 27 are done on Mac vs server. +> Heads-up: for security reasons, steps 25 to 29 are done on Mac vs server. > Heads-up: store `strongswan-certs` folder in a safe place if you wish to issue additional certificates in the future. @@ -621,12 +621,10 @@ cd ~/Desktop/strongswan-certs ### Step 26: create OpenSSL config file -#### Set client common name - -Each client is configured using a unique common name ending with `@vpn-server.com`. +#### Set client name environment variable ```shell -STRONGSWAN_CLIENT_COMMON_NAME=alice@vpn-server.com +STRONGSWAN_CLIENT_NAME=alice ``` #### Create OpenSSL config file @@ -659,30 +657,30 @@ subjectAltName = DNS:vpn-server.com extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 [ client ] authorityKeyIdentifier = keyid -subjectAltName = email:$STRONGSWAN_CLIENT_COMMON_NAME +subjectAltName = email:$STRONGSWAN_CLIENT_NAME@vpn-server.com extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 EOF ``` -### Step 27: generate certificate authority cert +### Step 27: generate certificate authority key and cert ```console $ openssl genrsa -out ca.key 4096 Generating RSA private key, 4096 bit long modulus -......................................++ -........................................................................................................................................................................................................................................................................................++ +.........................................................................................++ +........................................................................................................++ e is 65537 (0x10001) $ openssl req -x509 -new -nodes -config openssl.cnf -extensions ca -key ca.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=vpn-server.com" -days 3650 -out ca.crt ``` -### Step 28: generate server cert +### Step 28: generate server key, csr and cert ```console $ openssl genrsa -out server.key 4096 Generating RSA private key, 4096 bit long modulus -.................................................................................................................................................................................................................................................++ -................................................................................++ +.............................................................................................................................................................................................++ +....................................................................................................................................++ e is 65537 (0x10001) $ openssl req -new -config openssl.cnf -extensions server -key server.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=vpn-server.com" -out server.csr @@ -693,44 +691,197 @@ subject=/C=US/O=Self-hosted strongSwan VPN/CN=vpn-server.com Getting CA Private Key ``` -### Step 29: generate client cert +### Step 29: generate client key, csr, cert and pkcs12 When asked for export password, use output from `openssl rand -base64 24` (and store password in password manager). ```console -$ openssl genrsa -out alice.key 4096 +$ openssl genrsa -out $STRONGSWAN_CLIENT_NAME.key 4096 Generating RSA private key, 4096 bit long modulus -.........++ -............................................................................++ +....................................................................................................................................................................................++ +...........................................++ e is 65537 (0x10001) -$ openssl req -new -config openssl.cnf -extensions client -key alice.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=$STRONGSWAN_CLIENT_COMMON_NAME" -out alice.csr +$ openssl req -new -config openssl.cnf -extensions client -key $STRONGSWAN_CLIENT_NAME.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=$STRONGSWAN_CLIENT_NAME@vpn-server.com" -out $STRONGSWAN_CLIENT_NAME.csr -$ openssl x509 -req -extfile openssl.cnf -extensions client -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out alice.crt +$ openssl x509 -req -extfile openssl.cnf -extensions client -in $STRONGSWAN_CLIENT_NAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out $STRONGSWAN_CLIENT_NAME.crt Signature ok subject=/C=US/O=Self-hosted strongSwan VPN/CN=alice@vpn-server.com Getting CA Private Key -$ openssl pkcs12 -in alice.crt -inkey alice.key -certfile ca.crt -export -out alice.p12 +$ openssl pkcs12 -in $STRONGSWAN_CLIENT_NAME.crt -inkey $STRONGSWAN_CLIENT_NAME.key -certfile ca.crt -export -out $STRONGSWAN_CLIENT_NAME.p12 Enter Export Password: Verifying - Enter Export Password: ``` -### Step 30: copy/paste content of `ca.crt`, `server.key` and `server.crt` to server and make private key root-only. +### Step 30: copy certs and key to server and make private folder root-only. -On Mac: run `cat ca.crt` +On Mac, run: -On server: run `vi /etc/ipsec.d/cacerts/ca.crt`, press i, paste output from previous step in window, press esc and press shift+z+z +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt +$(cat ca.crt) +_EOF +EOF +``` -On Mac: run `cat server.key` +On server, run output from previous command: -On server: run `vi /etc/ipsec.d/private/server.key`, press i, paste output from previous step in window, press esc and press shift+z+z +```shell +cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt +-----BEGIN CERTIFICATE----- +MIIFWzCCA0OgAwIBAgIJANPds/Etli3LMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV +BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG +A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjA4MjE1OTUxWhcNMzAxMjA2MjE1 +OTUxWjBLMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n +U3dhbiBWUE4xFzAVBgNVBAMMDnZwbi1zZXJ2ZXIuY29tMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAqVjPlFA8RzUbJVAoAlL/g+d78TrfDsX0yiFna2nc +hB2uN2RfTur1p0rF2Ea9lm4Z3TTopuBDDs6B+of1o6yM0wf9/gqXPEaKmgHxHEEO +9olovjH9mD/hvaAwJO52uIbUi1sMfxHspyOUmhxU61Ri3v1hQrBl7d5XK6n3thCF +03um9uMLnxDr0N4fV7lT41CYITPpKeLFMX+IT2saHbAnhQS+6jGpLiuwXbejlVO7 +5+RECO/8bSNGr1NrnHw5FNc9ugtLoRvvsAoGsCCpXX41T5mITm0fdo+K/vRK9hr2 +NDcy5WKGWV43eBAr2BqmDESmDR9WbtOCAIcW5bhZeK18/oDd9frswmsDPIhCKIVg +VBc9te+oVnFQCq8dtd0ofqtF27AtnL0qQKtNqtbc1FPCGmcabq1Vqts/1vtsu13W +33V4s/q2+gvlDB8aCcDxppHji/lh9sgFHud/md2b66Lb24UK8c/VP5oUY0AfLhD1 +SAeP++j0H9g54yubDcqasSLwrGqLPzEykeSgPWk1la4u8qv4V+In5RHksLaQHV8r +hWPwfc955IDQER9qCiLgatzW9RO/hegmmK7ftK6UXzMhG2NgtkrftQVMCiFT0Y7f +y0EotceuqMqqGWCixnI/YilGnLDVegNclq1lOtA18npHNfZTuuV4UAXXClV9BDty +JW0CAwEAAaNCMEAwHQYDVR0OBBYEFEPDTIrkb2mgz3vsioEMyb4s4GFOMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA1 +bqXeP2ngjGlki4TomYCAKXJJdOoHDIeXzFrPpaDpfza+JP5/VNVuTH0gM774oWgO +JqpD/2ZIVfBdwLjsAGB0vx5of19Y+HpCoTfC4onoG40LJS+2w6OWg14dgiyxOpU8 +PhTGqY7Josfo9RwmNeVot0AYqrOIQLERmWm04uJ8ojYherH7qGX0pSU9rHptnG8J +kagP6V9/auH6MXqdgEbstKa66yZKKI84mgDMIu5ExPTC7EXmjCkiAsRu+gJAxCi2 +B01xcCT7fYVGSgC+abziFhDJIuaGGgiWPdMiZ+709Pm1XeXAjyTj0JCU8+HsS8oS +olK9ZInvY6qKqA0pnzgohp5NGkmIRZahgZLu40va7wZBhu52cGTfOa2A8nMoltJ+ +uxtTS8SaLI1eXdNl/IegN6uy+1BwHhCa1uTwG8tt0ld+UI9S1c6YVum7o5m3dRyj ++UJFTltK9rKMXHLEzMKE/rZEKailY8lADpur4sEsp9vVPmUqUr7Yd5P2p4yDNb+d +ECJH7z7TGc0jK3RteSjEWpZ/rc1yrnJaNrVgwxe6nni58kxd7awdmMGVyL14HGWh +HePRFQM4zSD3SiazdYVPtVX0XyQKL/9rGN2tR2sGilTKC0yBkQ/gHIYOBIJGyzrh +wuMHH9d46B2ks8UzUf7w304bk6RaOqU6794WXoEE0Q== +-----END CERTIFICATE----- +_EOF +``` -On Mac: run `cat server.crt` +On Mac, run: -On server: run `vi /etc/ipsec.d/certs/server.crt`, press i, paste output from previous step in window, press esc and press shift+z+z +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/private/server.key +$(cat server.key) +_EOF +EOF +``` -On server: run `chmod -R 600 /etc/ipsec.d/private` +On server, run output from previous command: + +```shell +cat << "_EOF" > /etc/ipsec.d/private/server.key +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAviBI5I0qkJfLYiXS8cMjAx7LxkHnygkXSs4jCZVjwPB+eoBr +4lGrKLe6pwcS4+0xADeVwfR1VGJcpjlGs7epoUxcCGobMJWP87evb93U/A/3S7la +tv+BjC/Dl6PumDgan7GrBaWwUWit5COjKm5BcTkR4aav9WWKuuzrG969Onw8ZaMe +QPvqqGHOjKAntCE6X+BGJN7nPnn7d3JXQWbOVrIgMduZsPX1ikzxLb2Gs0QHOdnn +lWrZrbJZ5z5rgDZQ5FYChnBNS2i63ptO6eggyjX4fb/wd0hOPVwlqIIPxt1qDyWA +V5CzlH7cAUFfoq8GP1b3ZPmLiCAYwccZEMldpqWOz0xaGDYEsT26q2cbdgNV2Qgk +vmLO7AGhf1Cr+XuKwgCESzN0T3gZXdtRm3urxilQCPl9Hbr4EubqOIQaJUQbauaX +adUkqHPhwpI5AiW1qpbQIw9Yq1hLrjuN4iYgPqJ7D0LJ0R+2qQMbkTW8sCXPcWSu +7gA7g+D9/764GV/nAvBxaFyVnNqW8nJM4pCS+26A+gXcPVUCZYfBaih8xdeYlRiJ +BSxyQiw1AR1gN9/L//P2kM6YterUg28MiDlyDCF3lvTrqwPzaHsxPkQdiErHje8M +gTJxXoOMk/1WBptzfWngvrM87nXziV7hG8vijWJ4rXFJduYFfRuUK15kuzMCAwEA +AQKCAgB10sAZkzo7nTZXPqV5WbrK5jzWQmWImRWsMA8ak0/cc62N8SPqfz4Y37N2 +azXTtlxVjBzss7g6cTKFeJ1OJpWi9hVayZbMBwPMv5qjMtAY3TQd42JKYhFAdSE7 +SkZEYxBswsf/meyopryM02D8nJNFvV5NfuUwqJrOuKADB4gxRGiRfAL1tqh3bRV5 +pI62XJk2bWBK3TBlUWb7YQqd5z4cEAtPmo2mUua1rHUSKY/ebFwmB9oyiKMZt5tr +aQ1pyT9cIcky00mzX9XeulSvNEGNzuCN3XMCGPcTo5Va1i88yF4/wLfGjFAdyHhC +9uZzhQ/UFOr/0n4b//gXrnDkLEYyO6CMyq8IrhyL1es9rRzM0fYlIOq+ztv90Pa3 +nVaRviz40PG7IJRfo8+2a2ijsgDBHwfWMhI6iqHE3RZYBr1L+Lb9yefPP7GDbFAH +hXKg8nNMfMMp9vzMbFc4mWBIRBKjyE7IVPnY/9OdCxzn/xg2lBkkN6hVzo6Y0BP8 +yF1HgyJVh01xmzvlDWrF7YdmnT0amn9tNKhIGf6xKkRY0wmNu1qc1Frpech2y3Mc +pTkD/ecrxo7TW2klrcDUuN8hsPOeMNlpHgjuBx/JpnhWVKu0iwK+mqfwJiOgHEZi +70Hf0AEpPVCDyGt2ftvs2rVIZpN1Tcn6FFKqjAKE5akNqVimgQKCAQEA8ApZpLwD +d4Wr8JPgwWn8aqiioNhBObE71W1aUqhy1hDBHXJ8YmUEDH8VAAJOmrAhWahYShQE +mPxaNTkjsv8TrEHrxle7WU3n+rtab6Gocs8cj2cZG/ojMMJldkx0wguZEJrExdpb +iVsrCkLTQx9A+xc5aNyC5j8TzcpLt9DEw9c9+1Dbire1Q4IkJaZ2AZCtAr75MkQ8 +37eFAHmQtzztyN0oFluWkosWbJzHPjTD5AwWoKA+aZ/6kWd+uY90zAOHvckMdRXr +eOqjZ6wmbbtobFI/GhKWYf0ULrySp18pgRjEz0KCKQ9Ob1p1AmRpaGOEfhdQP1Nc +DGO/+0rQ/M8c4QKCAQEAysRb97HtevSaDhZK0LDlQELesYbO6ot/wfpgvyTgPGwU +Y8dD510gLcwQ8JhvqzAxc1Togd+Lfk+vEejR+GrDMX3OcLsq4AfL8j0jJ9wai85r +iYYq+ozW1kOz/2DocM64LwMxvjXuBOmWQpuHzYZ+FBFIE77ee6vV+0uGKY747r+g +L8qoBTQeXqSjLu2f5p0AZuEBJCPNkGQ1c8tKVl62YUCGI8aASKEc7HlthLhmCOqF +/PQn2JUiOad/NUTVtJ/6UfWniRzvya1Uf6iQDyZs07wO2F0s+P+HCDzRGwlWisKk +JAFURZqKFqS0W95W95+V4A+S70skjYhEmCY8UyXmkwKCAQBcNh2pwvAyAg/DI4u7 +wVNORenzkB++Ye9yVcfU6RD0WwtUnJ5bziJ4CnmuvzQjCHZHUvxXuMjrXEXrHEAy +ivqruccxMpKuA9eR4lcjex6SvC1kiV6D+Nt757HCeCyCPqJWVp4ww2lWosct8e3m +YyM7Ufij59IBUUnyTDw6KODtusn8uVsdNuVTQbNRI1lB0Kol2+cvADfCWWWmgQyu +16EhAJRdwmFdekDrCG8h3nNCL8Khge139hTztqZf8lQT62dB6PH4KKuEj96l/OPm +U5ARzKahBXLvwaD3M0nDMjNnfHReilYmH9Mpw74fZSN5DoHfTmVtbkB2IfumNV+D +Pq0BAoIBAQCDSn+OM8xkV+tEgdSxqkjWwjW112c1YVw4+ukX+0Wiegz9ynHCZn9G +iCLT1rA/tTXfyrO+HEQTZn8iZpFGe8Kl0iMQxXBunT3GPSX9UjxyGBdzdcdwci9N +j4sGKfZ3zLJf5n6X/g1/asxblp9pSdNrJQF5n5Ypl8s3KuDVGfk/hh6vs1X2AJhF +ie8LnNtzlGdFNh3qC7C39NrTfmdE45DOCdyRX5+C56d1yu5KCKgwz8IwVttSFsaR +dE4e7NI/YXLRDPINCwqMmMnk2v1kgennc5ZdLH/JPpNtlwuCqRo7QOrNUXsCkp0l +KkKKVb4UGmYOLadjgFFLv1dC+UcIQ7s3AoIBAEw4WSORIykzSfxGTYDQ8DE0CEQC +4VaDp73DWm15qfx5JDIT7UxwYKLLxss7u0PoX3IGH3KIwW7wJHsDWaXdYDHTzZ+U +Uq4hPHOSKGO6gTadhxU7g6mC9/M0VssQUHwarimXGhdEbx6giXmcumyaJroKS9vV +7Jy7eW2jTBh8OVf0JrU0HyamjgBOwThdUvROytX4jNRQ4ykZRvAeW5rriORgoNeh +W8f2MIdq4QdYo2/BY3uymlJtPQDYlz9HXSlpUyKeS2WSNynf5PIgyVAFGAh4e2za +T5DeQg/LK+0Xe4cilPIqo7uU4l4Z+ALHT+884i0XhwwDfBO3Mhmxndv50c4= +-----END RSA PRIVATE KEY----- +_EOF +``` + +On Mac, run: + +```shell +cat << EOF +cat << "_EOF" > /etc/ipsec.d/certs/server.crt +$(cat server.crt) +_EOF +EOF +``` + +On server, run output from previous command: + +```shell +cat << "_EOF" > /etc/ipsec.d/certs/server.crt +-----BEGIN CERTIFICATE----- +MIIFdjCCA16gAwIBAgIJANL3OkwHc0s+MA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV +BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG +A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjA4MjIwMDAyWhcNMzAxMjA2MjIw +MDAyWjBLMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n +U3dhbiBWUE4xFzAVBgNVBAMMDnZwbi1zZXJ2ZXIuY29tMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAviBI5I0qkJfLYiXS8cMjAx7LxkHnygkXSs4jCZVj +wPB+eoBr4lGrKLe6pwcS4+0xADeVwfR1VGJcpjlGs7epoUxcCGobMJWP87evb93U +/A/3S7latv+BjC/Dl6PumDgan7GrBaWwUWit5COjKm5BcTkR4aav9WWKuuzrG969 +Onw8ZaMeQPvqqGHOjKAntCE6X+BGJN7nPnn7d3JXQWbOVrIgMduZsPX1ikzxLb2G +s0QHOdnnlWrZrbJZ5z5rgDZQ5FYChnBNS2i63ptO6eggyjX4fb/wd0hOPVwlqIIP +xt1qDyWAV5CzlH7cAUFfoq8GP1b3ZPmLiCAYwccZEMldpqWOz0xaGDYEsT26q2cb +dgNV2QgkvmLO7AGhf1Cr+XuKwgCESzN0T3gZXdtRm3urxilQCPl9Hbr4EubqOIQa +JUQbauaXadUkqHPhwpI5AiW1qpbQIw9Yq1hLrjuN4iYgPqJ7D0LJ0R+2qQMbkTW8 +sCXPcWSu7gA7g+D9/764GV/nAvBxaFyVnNqW8nJM4pCS+26A+gXcPVUCZYfBaih8 +xdeYlRiJBSxyQiw1AR1gN9/L//P2kM6YterUg28MiDlyDCF3lvTrqwPzaHsxPkQd +iErHje8MgTJxXoOMk/1WBptzfWngvrM87nXziV7hG8vijWJ4rXFJduYFfRuUK15k +uzMCAwEAAaNdMFswHwYDVR0jBBgwFoAUQ8NMiuRvaaDPe+yKgQzJvizgYU4wGQYD +VR0RBBIwEIIOdnBuLXNlcnZlci5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG +AQUFCAICMA0GCSqGSIb3DQEBBQUAA4ICAQCKzJgEz7WM+Wg8AKk/q3gT45in50yG +YF9i1jbbtgq2QKA261BI6Y8hUSNoRHNNPD8fll3hDbDTxboKFM3zP3BHBTm89uY5 +b+bE2mLwvNTYcStw/rhi3I1eYNhIa05LIz+EEcl7EG5lzsOD1jSF7SwN3qGJhOCg +2B71rmyCqLYMELtFLXq46/MNuqg/gGV27Wijg84RsltDIqFK8DrmrnZEa56gPOIs +3zpLs2rxg5ufh8L2eX39gxT7ocNHHlSfbGGoIIvYywY95GuO6WYmmBdbVA7JZlQj +QMYaYs2HQTcYDesqXgdJEN2OPadxwlo9xDezy8UUaqvbXa8emsRCL/BOI6O7yHT/ +6Yso0iVlAjSPWB1WYxKfwDJR4G5yvgOk8hdOEo82X5Pkt4BP8fXDuIzysityl0FG +nHgiRCl4AsXC+1502FuwvqBIjPwBtTBS1CvxeH3CBSMwuCqMly+AUkwUaOw8yTIS +UYsVvM7cE3t1EYj70tcGAOZjy4QcodgHE5jXKiKzEw8cZ3tPxd3pOiGEm0l8q2oJ +uWt8HPc++++4v1feUx3Qf2roTTDnK0KNY16wDx/UbHkSNitr62aT+Z+EnvthJ70V +XPO3OQ496jhylWgBapWIQGD8nZgdPgVp3PdrIqzpCF1+NYQl4as8AmJwCKDpu230 +uEErfEZ7mAYftQ== +-----END CERTIFICATE----- +_EOF +``` + +On server, run `chmod -R 600 /etc/ipsec.d/private` ### Step 31: restart strongSwan @@ -749,7 +900,7 @@ sed -i -E 's/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_re sed -i -E 's/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/' /etc/sysctl.conf ``` -If server is IPv4-only, run: +If network is IPv4-only, run: ```shell cat << "EOF" >> /etc/sysctl.conf @@ -759,7 +910,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 EOF ``` -If server is dual stack (IPv4 + IPv6) run: +If network is dual stack (IPv4 + IPv6) run: ```shell sed -i -E 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf @@ -781,7 +932,7 @@ In “General”, enter “Self-hosted strongSwan VPN” in “Name”. ![apple-configurator-general](apple-configurator-general.png?shadow=1) -In “Certificates”, click “Configure” and select “ca.crt”. Then click “+” and select “alice.p12”. The password is the one from [step 29](#step-29-generate-client-cert). +In “Certificates”, click “Configure” and select “ca.crt”. Then click “+” and select “alice.p12”. The password is the one from [step 29](#step-29-generate-client-key-csr-cert-and-pkcs12). ![apple-configurator-certificates](apple-configurator-certificates.png?shadow=1) @@ -829,10 +980,10 @@ On Mac, open “System Preferences”, click “Network”, then “Self-hosted Open Firefox and go to [https://ipleak.net/](https://ipleak.net/). -Make sure listed IPv4, IPv6 (if server is dual stack) and DNS servers do not match the ones supplied by client ISP. +Make sure listed IPv4, IPv6 (if network is dual stack) and DNS servers do not match the ones provided by ISP. ### Step 38: create additional provisioning profiles -Repeat steps [26](#step-26-create-openssl-config-file), [29](#step-29-generate-client-cert) and [33](#step-33-create-vpn-profile-for-ios-and-macos-using-apple-configurator-2). +Repeat steps [26](#step-26-create-openssl-config-file), [29](#step-29-generate-client-key-csr-cert-and-pkcs12) and [33](#step-33-create-vpn-profile-for-ios-and-macos-using-apple-configurator-2). 👍 diff --git a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-certificates.png b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-certificates.png index 3d6db49..d0f16c2 100644 Binary files a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-certificates.png and b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-certificates.png differ diff --git a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-general.png b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-general.png index 9d9ff72..060e82a 100644 Binary files a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-general.png and b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-general.png differ diff --git a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-vpn.png b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-vpn.png index c7c71f9..32564bd 100644 Binary files a/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-vpn.png and b/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/apple-configurator-vpn.png differ