VPN
ettaluni, 2021-02-02 15:39:23

strongSwan: how to make it even stronger?

Good day! I set up a VPN channel through a VPS. I use strongSwan. What recommendations can you give to improve the security of the VPN channel?
The configs are as follows.
Server:

conn my-super-vpn
  auto=add
  compress=no
  type=tunnel  # defines the type of connection, tunnel.
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftauth=pubkey
  [email protected]    #If using IP, define it without the @ sign
  leftsourceip=18.18.18.18
  leftcert=vpn_server_cert.pem  #Reads the VPN server cert in /etc/ipsec.d/certs
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=10.0.1.0/24  #IP address Pool to be assigned to the clients
#	rightdns=8.8.8.8  
  rightsendcert=never
  eap_identity=%identity  #Defines the identity the client uses to reply to an EAP Identity request.

Client:
conn my-super-vpn
  auto=start
  right=18.18.18.18
  rightid=my.super.vpn
  rightsubnet=0.0.0.0/0
  rightauth=pubkey
  leftsourceip=%config
  leftid=client1
  leftauth=eap-mschapv2
  eap_identity=%identity


1 answer(s)
CityCat4, 2021-02-03
@ettaluni

Switch to full certificates. And of course, first you need to ask yourself the question "Who threatens my security, and how?" (this is called the attacker model), otherwise maybe a VPN is not needed either :)
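
What the switch to certificate authentication looks like against the configs in the question, as an added example that is not part of the original answer. The CA distinguished name and the client certificate and key file names are placeholders or assumptions; only the lines that change are shown.

```conf
# --- server: /etc/ipsec.conf, changed lines only ---
conn my-super-vpn
  # before: rightauth=eap-mschapv2   (client authenticated by password)
  # after: the client must prove possession of a private key
  rightauth=pubkey
  # Accept only client certificates issued by this CA (placeholder DN).
  # The CA certificate itself goes in /etc/ipsec.d/cacerts on the server.
  rightca="C=XX, O=Example, CN=Example VPN CA"
  # eap_identity=%identity is no longer used and can be removed.

# --- server: /etc/ipsec.secrets ---
# Remove the per-user EAP password entries; they are no longer needed.

# --- client: /etc/ipsec.conf, changed lines only ---
conn my-super-vpn
  # before: leftauth=eap-mschapv2
  leftauth=pubkey
  # Assumed file name; read from /etc/ipsec.d/certs
  leftcert=client1_cert.pem
  # The IKE identity must be contained in the certificate (subject DN or a
  # subjectAltName), otherwise the server rejects the authentication.
  leftid=client1
  # eap_identity=%identity can be removed here as well.

# --- client: /etc/ipsec.secrets ---
# before: an EAP entry holding the client1 password
# after: load the private key (assumed file name, in /etc/ipsec.d/private)
: RSA client1_key.pem
```

After reloading, `ipsec statusall` on the server should show the client authenticated with a public key rather than EAP.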
