Because I’ve spent hours trying to understand all the details I need to get this working perfectly, I’ve decided to share the information so you don’t have to waste your time.
Most common use I can think of: access your home network using the most secure (sort of), fastest and well supported method - IPSEC/IKE2 with certificates (AKA digital signature) VPN server.
This guide based on RouterOS 6.48.3.
VPN Server setup
# Create CA certificate and sign it
/certificate add name="Home CA" common-name="Home CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign
/certificate sign "Home CA"
# Create server certificate and sign it (Replace "XXXXXXXXXXX.sn.mynetname.net" with your DNS from "/ip cloud" otherwise some IKE2 clients would fail to connect)
/certificate add name="Home server" common-name="Home server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server
/certificate sign "Home server" ca="Home CA"
# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client1" common-name="Home client1" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client1" ca="Home CA"
/certificate export-certificate "Home client1" file-name="Home client1" type=pkcs12 export-passphrase=1234567890
# Create IP pool for VPN users
/ip pool add name=vpn ranges=10.22.22.10-10.22.22.20
# Add firewall rules for IKE2 VPN
#
# Add this rule before action=drop rule in INPUT chain
/ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
#
# Add these 2 rules before "fasttrack" rule in FORWARD chain
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
#
# OPTIONAL - allow access to router from "10.22.22.10-10.22.22.20" IPs and masquerade traffic coming from VPN clients, so devices on your LAN sees that traffic is coming from the router IP rather than VPN IP
/ip firewall address-list add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade VPN traffic so devices see connections made from router IP" src-address=10.22.22.10-10.22.22.20
# Configure IPSEC settings (below used profile/proposal are compatible with Windows 10 IKE2 ciphers)
/ip ipsec mode-config add address-pool=vpn name=vpn
/ip ipsec policy group add name=vpn
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client1" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client1"
/ip ipsec policy add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes
Additional VPN Client
In case you ever need it…
# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client2" common-name="Home client2" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client2" ca="Home CA"
/certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890
# Create IPSEC identity
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client2" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client2"
VPN Client setup
Windows 10/11 (Native)
- Download .p12 certificate to your Windows PC
- Double click, pop up opens
- Select “Local Machine” and click “Next”.
- Nothing to change, click “Next”.
- Enter .p12 password (in above steps I used “1234567890”) and (important) check “Mark this key as exportable”, then click “Next”.
- Select “Place all certificates in the following store”, browse and select “Personal”. Then click “Next”.
- Finally click “Finish” and pop up will close.
- In Windows search, find “Manage computer certificates” program and open it.
- Move your “CA” certificate from “Personal/Certificates” folder to “Trusted Root Certification Authorities/Certificates” folder by simply drag & drop.
- Right-click on your “CA” certificate (which you just moved), then “All Tasks”, then “Export”. Pop up will appear.
- Click “Next”.
- First option “DER” will be selected. so just click “Next”.
- Enter location where to save this “CA” certificate. Suggestion would be “c:\vpn\home_ca.cer”.
- Click “Finish” and pop up will close.
- Open powershell and create VPN profile using below command:
Add-VpnConnection `
-Name Home `
-ServerAddress XXXXXXXXXXX.sn.mynetname.net `
-TunnelType IKEv2 `
-AuthenticationMethod MachineCertificate `
-EncryptionLevel maximum `
-MachineCertificateIssuerFilter 'C:\vpn\home_ca.cer'
Linux (Strongswan plugin for NetworkManager)
Most of Linux desktop distros uses Network manager by default and Strongswan (for IKE2 functionality) plugin for Network Manager is readily available in official repositories:
- Arch Linux: networkmanager-strongswan
- Debian: network-manager-strongswan
- Fedora: strongswan-charon-nm
Below guide is based on Fedora 34, Gnome DE using integrated IKE2 (Strongswan) support in Gnome:
- Prepare certificates (Gnome/NetworkManager accepts only PEM certificates and not PKCS12)
# Become root
sudo su
# Create directory "/opt/vpn/home"
mkdir -p /opt/vpn/home
# Upload .p12 file to "/opt/vpn/home" directory...
# Change cwd to "/opt/vpn/home"
cd /opt/vpn/home/
# Extract PEM certificates (private key, certificate and CA)
openssl pkcs12 -in "Home client1.p12" -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "Home client1 key.pem"
openssl pkcs12 -in "Home client1.p12" -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 cert.pem"
openssl pkcs12 -in "Home client1.p12" -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 CA.pem"
# Enforce permissions (to make sure strongswan/networkmanager can read these files)
chmod -R 755 /opt/vpn
chown -R root:root /opt/vpn
- Go to Gnome settings → Network → VPN → “+” button → “IPsec/IKEv2 (strongswan)” choice.
- Enter/Select the following details:
- Server->Name: Home
- Server->Address: XXXXXXXXXXX.sn.mynetname.net
- Server->Certificate: Select “Home client1 CA.pem” file
- Server->Identity: Empty
- Client->Port: Empty
- Client->Authentication: Certificate
- Client->Certificate: Certificate/private key
- Client->Certificate file: Select “Home client1 cert.pem” file
- Client->Private key: Select “Home client1 key.pem” file
- Client->Identity: Empty
- Options->Request an inner IP address: Checked
- Options->Enforce UDP encapsulation: Unchecked
- Options->Use IP compression: Unchecked
- Cipher proposals->Enable custom proposals: Checked
- Cipher proposals->IKE: aes256-sha256-prfsha256-modp1024
- Cipher proposals->ESP: aes256-sha1
-
Click Save.
Android (Strongswan)
Below steps were tested on Android 11, OnePlus 8 Pro device. -
Download .p12 file to your smartphone.
-
Go to Android settings → “Security & Lock screen” → “Encryption & credentials” → “Install a certificate” → “VPN & app user certificate”
-
Select your downloaded .p12 certificate, Android will guide you through installation steps (all I had to do is to enter password and click “ok”/“next”).
-
Download “Strongswan” from Google play. Included native IKE2 VPN likely not going to work due to unknown reasons…
-
Open “Strongswan” application.
-
Select “ADD VPN PROFILE”
-
Enter the following details (what is missing should be left as it is):
- Server: XXXXXXXXXXX.sn.mynetname.net
- VPN Type: IKEv2 Certificate
- User certificate: Select your recently imported VPN certificate (it will appear in the shown list)
- Profile name: Home
- Advanced settings: Checked
- IKEv2 Algorithms: aes256-sha256-prfsha256-modp1024
- IPsec/ESP Algorithms: aes256-sha1
- Click “SAVE”.
Apple devices
I do not have any Apple device, so I can’t provide any instructions. Feel free to provide someone in the comments, so I can update.
Fix for websites that are randomly not loading
If some of the websites (most notably https://speedtest.net/), then you are facing MSS/MTU issues. As per strongswan (IPSEC/IKE2 server for Linux) documentation, you should add these rules to your Mikrotik router:
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=1360 passthrough=yes protocol=tcp src-address=10.22.22.10-10.22.22.20 tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" dst-address=10.22.22.10-10.22.22.20 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
