Set Up IKEv2 VPN for iOS and macOS With Local DNS Cache and Dnscrypt
Since IKEv2 VPN supports MOBIKE and is natively supported by iOS 9, OS X 10.11 and newer, it’s a good choice for iOS and macOS. In my setup, I use Debian Stretch, unbound for DNS cache and dnscrypt-proxy for dnscrypt protocol.
Set up DNS service
Set up a network interface for DNS listening
An network interface file with name 10-loopback-services.cfg should be added to folder /etc/network/interfaces.d with the following content.
auto lo:100
iface lo:100 inet static
address 172.16.0.1
netmask 255.255.255.255
Then we need to restart networking service.
$ sudo service networking restart
Set up dnscrypt-proxy
Install dnscrypt-proxy
$ wget https://download.dnscrypt.org/dnscrypt-proxy/binaries/linux/dnscrypt-proxy-x86_64-linux-musl.tar.gz
$ tar zxf dnscrypt-proxy-x86_64-linux-musl.tar.gz
$ cd dnscrypt-proxy-x86_64-linux-musl
$ sudo sh installer.sh
Now we need to replace the dnscrypt-proxy configuration, which located in /opt/dnscrypt-proxy/x86_64-linux-musl/etc/dnscrypt-proxy.conf, with the following content.
ResolverName cisco
Daemonize no
PidFile /var/run/dnscrypt-proxy.pid
LocalAddress 127.0.0.1:5353
LocalCache off
EphemeralKeys off
BlockIPv6 no
Set up auto start script
A auto start script with name dnscrypt-proxy.service should be add to folder /etc/systemd/system with the following content.
[Unit]
Description=DNSCrypt client proxy
After=network.target
Before=nss-lookup.target
[Service]
Type=simple
ExecStart=/opt/dnscrypt-proxy/x86_64-linux-musl/bin/dnscrypt-proxy /opt/dnscrypt-proxy/x86_64-linux-musl/etc/dnscrypt-proxy.conf
[Install]
WantedBy=multi-user.target
Then start dnscrypt-proxy service.
$ sudo systemctl start dnscrypt-proxy.service
$ sudo systemctl enable dnscrypt-proxy.service
Set up unbound
$ sudo apt-get install unbound -y
$ sudo wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
Then the following content should be added to /etc/unbound/unbound.conf.
server:
num-threads: 2
interface: 127.0.0.1
interface: 172.16.0.1
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes
msg-cache-size: 64m
rrset-cache-size: 128m
cache-max-ttl: 3600
outgoing-num-tcp: 256
incoming-num-tcp: 1024
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
tcp-upstream: no
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
root-hints: "/etc/unbound/root.hints"
hide-identity: yes
hide-version: yes
harden-glue: yes
module-config: "iterator"
unwanted-reply-threshold: 10000000
do-not-query-localhost: no
prefetch: yes
minimal-responses: yes
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353
Then restart unbound service.
$ sudo service unbound restart
Set up IKEv2 VPN
Set up strongswan
Since strongswan in Debian Stretch is not the latest version, we compile from source.
$ sudo apt-get install -y --no-install-recommends build-essential libgmp-dev libssl-dev
$ wget https://download.strongswan.org/strongswan-5.5.3.tar.gz
$ tar zxf strongswan-5.5.3.tar.gz
$ cd strongswan-5.5.3
$ ./configure --prefix=/usr --sysconfdir=/etc \
--enable-aes \
--enable-gcm \
--enable-hmac \
--enable-kernel-netlink \
--enable-nonce \
--enable-openssl \
--enable-pem \
--enable-pgp \
--enable-pkcs12 \
--enable-pkcs7 \
--enable-pkcs8 \
--enable-pubkey \
--enable-random \
--enable-revocation \
--enable-sha2 \
--enable-socket-default \
--enable-stroke \
--enable-x509
$ make
$ sudo make install
Create certificates
Create CA
$ ipsec pki --gen --type ecdsa --size 384 --outform pem > ca-key.pem
$ ipsec pki --self --ca --lifetime 3650 --in ca-key.pem --type ecdsa --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > ca-cert.pem
Create server certificate
Repacle <server ip> with your current server ip address.
$ ipsec pki --gen --type ecdsa --size 384 --outform pem > server-key.pem
$ ipsec pki --pub --in server-key.pem --type ecdsa | ipsec pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=NL, O=Example Company, CN=<server ip>" --san <server ip> --san @<server ip> --flag serverAuth --outform pem > server-cert.pem
Create client certificate
$ ipsec pki --gen --type ecdsa --size 384 --outform pem > client-key.pem
$ ipsec pki --pub --in client-key.pem --type ecdsa | ipsec pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=NL, O=Example Company, CN=client" --san "client" --flag clientAuth --outform pem > client-cert.pem
Then copy certificates to necessary folders.
$ sudo cp server-key.pem /etc/ipsec.d/private
$ sudo cp server-cert.pem /etc/ipsec.d/certs
$ sudo cp ca-cert.pem /etc/ipsec.d/cacerts
Configure IPsec
Replace /etc/ipsec.conf with following content, do replace <server ip> with your server ip address.
config setup
uniqueids=never # allow multiple connections per user
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
fragmentation=yes
rekey=no
dpdaction=clear
keyexchange=ikev2
compress=yes
dpddelay=35s
ike=aes256gcm16-prfsha512-ecp384!
esp=aes256gcm16-ecp384!
left=%any
leftauth=pubkey
leftid=<server ip>
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightauth=pubkey
rightsourceip=10.0.0.0/24
rightdns=172.16.0.1
conn ikev2-pubkey
auto=add
Add the following line to file /etc/ipsec.secrets
: ECDSA server-key.pem
Then start IKEv2 VPN service.
$ sudo ipsec start
Configure iptables
$ iptables -A INPUT -p udp --dport 500 --j ACCEPT
$ iptables -A INPUT -p udp --dport 4500 --j ACCEPT
$ iptables -A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
$ iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -m policy --pol none --dir out -j MASQUERADE
$ iptables -A FORWARD -m conntrack --ctstate NEW -s 10.0.0.0/24 -m policy --pol ipsec --dir in -j ACCEPT
Set up mobileconfig for iOS and macOS
Since we cannot configure details like cipher in iOS and macOS GUI, we have to use mobileconfig. I use Apple Configurator 2 on macOS. You can just change certificate’s file extension to crt for use with Apple Configurator 2. We use AES-256-GCM for encryption algorithm, SHA2-512 for Integrity Algorithm and 20 for Diffie-Hellman Group. Or a mobileconfig template at Strongswan website can be used for modification.
blackgiulia
放眼四野直至星穹,追溯时光直至永恒,需要思考的事情太多,每个生命的时间太少