Root CA (self-signed, 10yr validity) ├── Server certificate (signed by Root CA, for VPN server) └── Client certificates (signed by Root CA, one per device/user)
Root CA (self-signed, 10yr validity) ├── Server certificate (signed by Root CA, for VPN server) └── Client certificates (signed by Root CA, one per device/user)
Root CA (self-signed, 10yr validity) ├── Server certificate (signed by Root CA, for VPN server) └── Client certificates (signed by Root CA, one per device/user)
# Generate root CA key and self-signed certificate
openssl genrsa -out root-ca.key 4096
openssl req -x509 -new -key root-ca.key -sha256 -days 3650 \ -out root-ca.crt -subj "/CN=VPN Root CA/O=MyOrg" # Generate server key and CSR
openssl genrsa -out server.key 2048
openssl req -new -key server.key \ -out server.csr -subj "/CN=vpn.example.com/O=MyOrg" # Sign server certificate with root CA
openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out server.crt -days 825 -sha256 \ -extfile <(echo "subjectAltName=DNS:vpn.example.com") # Generate client certificate (repeat per device)
openssl genrsa -out client-device1.key 2048
openssl req -new -key client-device1.key \ -out client-device1.csr -subj "/CN=device1/O=MyOrg"
openssl x509 -req -in client-device1.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out client-device1.crt -days 825 -sha256
# Generate root CA key and self-signed certificate
openssl genrsa -out root-ca.key 4096
openssl req -x509 -new -key root-ca.key -sha256 -days 3650 \ -out root-ca.crt -subj "/CN=VPN Root CA/O=MyOrg" # Generate server key and CSR
openssl genrsa -out server.key 2048
openssl req -new -key server.key \ -out server.csr -subj "/CN=vpn.example.com/O=MyOrg" # Sign server certificate with root CA
openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out server.crt -days 825 -sha256 \ -extfile <(echo "subjectAltName=DNS:vpn.example.com") # Generate client certificate (repeat per device)
openssl genrsa -out client-device1.key 2048
openssl req -new -key client-device1.key \ -out client-device1.csr -subj "/CN=device1/O=MyOrg"
openssl x509 -req -in client-device1.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out client-device1.crt -days 825 -sha256
# Generate root CA key and self-signed certificate
openssl genrsa -out root-ca.key 4096
openssl req -x509 -new -key root-ca.key -sha256 -days 3650 \ -out root-ca.crt -subj "/CN=VPN Root CA/O=MyOrg" # Generate server key and CSR
openssl genrsa -out server.key 2048
openssl req -new -key server.key \ -out server.csr -subj "/CN=vpn.example.com/O=MyOrg" # Sign server certificate with root CA
openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out server.crt -days 825 -sha256 \ -extfile <(echo "subjectAltName=DNS:vpn.example.com") # Generate client certificate (repeat per device)
openssl genrsa -out client-device1.key 2048
openssl req -new -key client-device1.key \ -out client-device1.csr -subj "/CN=device1/O=MyOrg"
openssl x509 -req -in client-device1.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out client-device1.crt -days 825 -sha256
# /etc/ipsec.conf
config setup charondebug="ike 1, knl 1, cfg 0" conn ikev2-vpn auto=add compress=no type=tunnel keyexchange=ikev2 fragmentation=yes forceencaps=yes # Always use UDP/4500 (better NAT compatibility) # Server side left=%any [email protected] leftcert=server.crt leftsendcert=always leftsubnet=0.0.0.0/0 # Route all client traffic through VPN # Client side right=%any rightid=%any rightauth=pubkey rightsourceip=10.8.0.0/24 # Virtual IP pool rightdns=10.8.0.1 ike=aes256-sha256-ecp256,aes256-sha1-modp2048! esp=aes256-sha256,aes256-sha1! dpdaction=clear dpddelay=300s rekey=no
# /etc/ipsec.conf
config setup charondebug="ike 1, knl 1, cfg 0" conn ikev2-vpn auto=add compress=no type=tunnel keyexchange=ikev2 fragmentation=yes forceencaps=yes # Always use UDP/4500 (better NAT compatibility) # Server side left=%any [email protected] leftcert=server.crt leftsendcert=always leftsubnet=0.0.0.0/0 # Route all client traffic through VPN # Client side right=%any rightid=%any rightauth=pubkey rightsourceip=10.8.0.0/24 # Virtual IP pool rightdns=10.8.0.1 ike=aes256-sha256-ecp256,aes256-sha1-modp2048! esp=aes256-sha256,aes256-sha1! dpdaction=clear dpddelay=300s rekey=no
# /etc/ipsec.conf
config setup charondebug="ike 1, knl 1, cfg 0" conn ikev2-vpn auto=add compress=no type=tunnel keyexchange=ikev2 fragmentation=yes forceencaps=yes # Always use UDP/4500 (better NAT compatibility) # Server side left=%any [email protected] leftcert=server.crt leftsendcert=always leftsubnet=0.0.0.0/0 # Route all client traffic through VPN # Client side right=%any rightid=%any rightauth=pubkey rightsourceip=10.8.0.0/24 # Virtual IP pool rightdns=10.8.0.1 ike=aes256-sha256-ecp256,aes256-sha1-modp2048! esp=aes256-sha256,aes256-sha1! dpdaction=clear dpddelay=300s rekey=no
# /etc/ipsec.secrets — certificate-based auth needs no shared secrets
: RSA server.key
# /etc/ipsec.secrets — certificate-based auth needs no shared secrets
: RSA server.key
# /etc/ipsec.secrets — certificate-based auth needs no shared secrets
: RSA server.key
# Import root CA to machine trust store
Import-Certificate -FilePath root-ca.crt -CertStoreLocation Cert:\LocalMachine\Root # Import client cert to personal store
Import-PfxCertificate -FilePath client-device1.pfx -CertStoreLocation Cert:\CurrentUser\My # Add VPN connection
Add-VpnConnection -Name "OrgVPN" -ServerAddress "vpn.example.com" ` -TunnelType IKEv2 -AuthenticationMethod MachineCertificate ` -EncryptionLevel Required -RememberCredential $false
# Import root CA to machine trust store
Import-Certificate -FilePath root-ca.crt -CertStoreLocation Cert:\LocalMachine\Root # Import client cert to personal store
Import-PfxCertificate -FilePath client-device1.pfx -CertStoreLocation Cert:\CurrentUser\My # Add VPN connection
Add-VpnConnection -Name "OrgVPN" -ServerAddress "vpn.example.com" ` -TunnelType IKEv2 -AuthenticationMethod MachineCertificate ` -EncryptionLevel Required -RememberCredential $false
# Import root CA to machine trust store
Import-Certificate -FilePath root-ca.crt -CertStoreLocation Cert:\LocalMachine\Root # Import client cert to personal store
Import-PfxCertificate -FilePath client-device1.pfx -CertStoreLocation Cert:\CurrentUser\My # Add VPN connection
Add-VpnConnection -Name "OrgVPN" -ServerAddress "vpn.example.com" ` -TunnelType IKEv2 -AuthenticationMethod MachineCertificate ` -EncryptionLevel Required -RememberCredential $false
nmcli connection add type vpn vpn-type libreswan \ con-name "OrgVPN" vpn.data \ "right=vpn.example.com,[email protected],\ leftcert=client-device1.crt,leftkey=client-device1.key,\ rightca=root-ca.crt,ikev2=insist"
nmcli connection add type vpn vpn-type libreswan \ con-name "OrgVPN" vpn.data \ "right=vpn.example.com,[email protected],\ leftcert=client-device1.crt,leftkey=client-device1.key,\ rightca=root-ca.crt,ikev2=insist"
nmcli connection add type vpn vpn-type libreswan \ con-name "OrgVPN" vpn.data \ "right=vpn.example.com,[email protected],\ leftcert=client-device1.crt,leftkey=client-device1.key,\ rightca=root-ca.crt,ikev2=insist"
openssl ca -revoke client-device1.crt -config openssl.cnf
openssl ca -gencrl -out crl.pem -config openssl.cnf
openssl ca -revoke client-device1.crt -config openssl.cnf
openssl ca -gencrl -out crl.pem -config openssl.cnf
openssl ca -revoke client-device1.crt -config openssl.cnf
openssl ca -gencrl -out crl.pem -config openssl.cnf
# strongswan.conf
charon { crl_strict = yes
}
# strongswan.conf
charon { crl_strict = yes
}
# strongswan.conf
charon { crl_strict = yes
}
