It has been a while since I last set up NordVPN on Debian Linux using strongSwan. strongSwan now uses its 'native' swanctl configuration files rather than the now deprecated ipsec.conf/ipsec.secrets files. The NordVPN example, How to connect to NordVPN with IKEv2/IPSec on Linux, still refers to the old format. Here is the new format.
Here is my take on a successful installation.
apt install \
  --no-install-recommends \
  strongswan \
  libstrongswan-standard-plugins \
  libstrongswan-extra-plugins \
  libcharon-extra-plugins
wget https://downloads.nordcdn.com/certificates/root.pem -O /etc/swanctl/x509ca/NordVPN.pem
sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/constraints.conf
An example /etc/swanctl/swanctl.conf file:
connections {
    nordvpn {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 300s
        local_addrs = %defaultroute
        remote_addrs = <server hostname>
        vips = 0.0.0.0,::
        local {
            auth = eap-mschapv2
            eap_id = "<username>"
        }
        remote {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/NordVPN.pem
            id = %any
        }
        children {
            nordvpn {
                remote_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}
secrets {
    eap-nordvpn {
        id = "<username>"
        secret = "<password>"
    }
}
If you have a local network that you still need to reach while the VPN is up, note that strongSwan uses routing table 220 for traffic it forwards into the tunnel. Use the following commands to see the current settings:
# ip rule list
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
# ip route list table 220
default via 192.168.1.10 dev eth0 proto static src
Use the following command to add your local network to routing table 220, so that traffic to it is routed directly rather than into the tunnel. Additional subnets are added in the same way. Change the interface name to suit your local circumstances. For better control of the local routing, use the updown plugin, which can add and remove these routes as the tunnel comes up and goes down.
ip route add table 220 192.168.1.0/24 dev wlan0
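The following updown script is an added example, not part of the original post and not shipped by strongSwan or NordVPN. It automates the route above: when the child SA comes up it adds the local LAN route to table 220, and when the SA goes down it removes it again. It assumes the script is referenced from the child section of swanctl.conf with the real `updown = /path/to/script` option, that strongSwan's updown plugin calls it with `PLUTO_VERB` set to `up-client` or `down-client`, and that the subnet and interface (`LAN_NET`, `LAN_IF`) are constructed sample values to be replaced with your own.

```shell
#!/bin/sh
# Added example updown script (not from the original post, strongSwan or NordVPN).
# Keeps a local LAN reachable while the NordVPN tunnel is up by adding the LAN
# route to strongSwan's routing table 220 when the child SA comes up and removing
# it when the SA goes down.
#
# Assumed wiring (hypothetical path, real swanctl option):
#   children { nordvpn { updown = /usr/local/sbin/nordvpn-updown.sh ... } }
# strongSwan's updown plugin sets PLUTO_VERB to "up-client" / "down-client".

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample: local subnet to keep out of the tunnel
LAN_IF="${LAN_IF:-wlan0}"              # constructed sample: interface that subnet lives on
TABLE=220                              # strongSwan's own routing table

# route_cmd VERB SUBNET IFACE
# Prints the ip(8) command that matches a strongSwan updown verb, or nothing
# for verbs this script does not act on (up-host, down-host, ...).
route_cmd() {
    case "$1" in
        up-client)   echo "ip route add table $TABLE $2 dev $3" ;;
        down-client) echo "ip route del table $TABLE $2 dev $3" ;;
        *)           return 0 ;;
    esac
}

# Runs the command for the verb strongSwan passed in PLUTO_VERB.
# With DRY_RUN=1 the command is only printed, so the script can be checked
# without root privileges and without a live tunnel.
apply_route() {
    cmd="$(route_cmd "${PLUTO_VERB:-}" "$LAN_NET" "$LAN_IF")"
    [ -n "$cmd" ] || return 0
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        # Tolerate "already exists" / "no such route" so repeated up/down
        # events from rekeys or reconnects do not make the script fail.
        $cmd 2>/dev/null || true
    fi
}

# Only act when invoked by strongSwan (PLUTO_VERB set); otherwise the
# functions above can be sourced and exercised in a dry run.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_route
fi
```

To check the script before wiring it in, run it as `PLUTO_VERB=up-client DRY_RUN=1 sh nordvpn-updown.sh` and confirm it prints the expected `ip route add table 220 ...` command; then remove `DRY_RUN` and verify with `ip route list table 220` after initiating the child SA.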
Restarting the service may be required after making changes:
# systemctl restart strongswan
Tunnel-related state and status commands:
sudo swanctl --load-conns
sudo swanctl --list-conns
sudo swanctl --list-certs
sudo swanctl --list-sas
sudo swanctl --initiate --child nordvpn
sudo swanctl --terminate --child nordvpn
sudo swanctl --reload-settings
References:
- How to Set Up an IKEv2 VPN Connection on Arch Linux (Example: NordVPN) - primary configuration template
- Allow Strongswan roadwarrior to access local LAN - keeping local traffic out of the VPN