How to Configure a Modern strongSwan VPN with swanctl on Ubuntu

The legacy ipsec.conf is dead. Learn how to deploy a native, enterprise-grade strongSwan VPN tunnel on CLOUD HIVE DC using the modern vici interface and swanctl.

The Shift to Modern Enterprise Security

The modern standard for strongSwan is the Versatile IKE Configuration Interface (vici) and the swanctl command that drives it. As the official repository (strongSwan GitHub) states, the legacy stroke interface, together with ipsec.conf and the starter daemon, is deprecated. On Ubuntu the pieces you need are the strongswan-swanctl, charon-systemd and strongswan-pki packages. You log into your KVM VPS via SSH, ready to build a tunnel. If your server is completely fresh, lock down your firewall using our Securing Your Server manual, but leave UDP 500 and 4500 (IKE and NAT traversal) and the ESP protocol open, otherwise no client will ever reach charon.

Generating the Cryptographic Certificates

We will configure a roadwarrior setup with virtual IPs. First, you must act as your own Certificate Authority: you generate an Ed25519 (Edwards-curve) key and a self-signed root certificate. Do this on a machine you trust, ideally not the VPN server itself, because the CA key is only ever needed to issue certificates, never to run the tunnel. The terminal text scrolls rapidly as the keys are forged:

pki --gen --type ed25519 --outform pem > strongswanKey.pem
# --type names the type of the input key so the result does not depend on the pki default
pki --self --ca --lifetime 3652 --type ed25519 --in strongswanKey.pem --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > strongswanCert.pem

Next, you generate the server end-entity certificate. The request carries your server's public DNS name (or IP address) both in the CN and as a Subject Alternative Name (SAN); the id you later put in swanctl.conf must match one of these, and clients will verify the same name against the certificate:

pki --gen --type ed25519 --outform pem > moonKey.pem
pki --req --type priv --in moonKey.pem --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" --san moon.strongswan.org --outform pem > moonReq.pem
# the CA key is only used here, to sign the request; it is not copied to the VPN host
pki --issue --cacert strongswanCert.pem --cakey strongswanKey.pem --type pkcs10 --in moonReq.pem --serial 01 --lifetime 1826 --outform pem > moonCert.pem

Copy the CA certificate (strongswanCert.pem) into /etc/swanctl/x509ca, the server certificate (moonCert.pem) into /etc/swanctl/x509 and the server key (moonKey.pem) into /etc/swanctl/private; these are the directories swanctl --load-creds scans on behalf of the charon daemon. Make the key readable by root only (chmod 600). The CA private key, strongswanKey.pem, does not belong on the VPN host at all: keep it offline and bring it out only to issue client certificates.

Defining the swanctl Configuration

You open the modern configuration file. The blank editor window waits for your input. You define a connection profile for roadwarriors: the server authenticates with its certificate, every client must present a certificate issued by your CA, and each client is assigned a virtual IP from the 10.3.0.0/16 pool.

sudo nano /etc/swanctl/swanctl.conf

Paste the following configuration block carefully:

connections {
    rw {
        # IKEv2 only; the default of 0 would also answer IKEv1 peers
        version = 2
        proposals = aes256gcm16-prfsha256-x25519
        pools = rw_pool
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            # no id constraint: any certificate chaining to a CA in /etc/swanctl/x509ca is accepted
            auth = pubkey
        }
        children {
            net {
                # subnet behind the server offered to clients; 0.0.0.0/0 for a full tunnel
                local_ts  = 10.1.0.0/16
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

pools {
    rw_pool {
        addrs = 10.3.0.0/16
    }
}

Loading Credentials and Connections

Unlike the old starter daemon, swanctl loads configurations and certificates directly into the running charon daemon via vici, so charon must already be up (with Ubuntu's charon-systemd package: systemctl enable --now strongswan). You execute the load commands; swanctl --load-all performs all three in one step. The terminal returns a clean confirmation that your pools, credentials, and connections are loaded. Confirm with swanctl --list-certs and swanctl --list-conns, and keep swanctl --log open while the first client connects so any authentication or proposal mismatch is visible immediately. Your modern VPN is now standing guard on CLOUD HIVE DC.

swanctl --load-creds
swanctl --load-pools
swanctl --load-conns
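The whole procedure above, from CA to loaded connection, as one script. This is an added example, not CLOUD HIVE DC's or strongSwan's own code; it follows the page's steps and adds what the page leaves out: package installation, file permissions, IKEv2 proposals, forwarding and NAT rules, a client certificate, and verification. The hostnames, the client identity carol@strongswan.org, eth0 as the public interface and the strongswan.service unit name are assumptions, marked as such in the code.

```shell
#!/bin/sh
# Added example (not CLOUD HIVE DC's or strongSwan's code): the page's steps as one script for
# an Ubuntu VPS, plus what the page leaves out: packages, permissions, IKEv2 proposals,
# forwarding/NAT, a client certificate, verification. Assumptions: the names below, eth0 as
# public interface, Ubuntu's strongswan.service from charon-systemd. Run as root with --apply.
set -eu

SWANCTL_DIR="${SWANCTL_DIR:-/etc/swanctl}"
SERVER_ID="${SERVER_ID:-moon.strongswan.org}"   # assumption: your VPS FQDN, also used as SAN
CLIENT_ID="${CLIENT_ID:-carol@strongswan.org}"  # assumption: identity of the first roadwarrior
LOCAL_TS="${LOCAL_TS:-10.1.0.0/16}"              # subnet behind the server offered to clients
POOL="${POOL:-10.3.0.0/16}"                      # virtual IPs handed out to clients
WAN_IF="${WAN_IF:-eth0}"                         # assumption: public interface of the VPS

# Self-signed Ed25519 CA in work dir "$1"; --type is given to pki --self so it never depends on a default.
gen_ca() {
    w="$1"
    pki --gen --type ed25519 --outform pem > "$w/strongswanKey.pem"
    pki --self --ca --lifetime 3652 --type ed25519 --in "$w/strongswanKey.pem" \
        --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > "$w/strongswanCert.pem"
}

# Key + certificate "$2" with CN and SAN "$3", signed by the CA in "$1"; pki --issue reads the request from stdin.
issue_cert() {
    w="$1"; name="$2"; id="$3"
    pki --gen --type ed25519 --outform pem > "$w/${name}Key.pem"
    pki --req --type priv --in "$w/${name}Key.pem" --dn "C=CH, O=strongSwan, CN=$id" \
        --san "$id" --outform pem \
      | pki --issue --cacert "$w/strongswanCert.pem" --cakey "$w/strongswanKey.pem" \
        --type pkcs10 --lifetime 1826 --outform pem > "$w/${name}Cert.pem"
}

# Only the CA *certificate* and the server's own key pair go onto the VPS.
install_pki() {
    w="$1"
    mkdir -p "$SWANCTL_DIR/x509ca" "$SWANCTL_DIR/x509" "$SWANCTL_DIR/private"
    install -m 0644 "$w/strongswanCert.pem" "$SWANCTL_DIR/x509ca/"
    install -m 0644 "$w/moonCert.pem"       "$SWANCTL_DIR/x509/"
    install -m 0600 "$w/moonKey.pem"        "$SWANCTL_DIR/private/"
}

# The page's swanctl.conf pinned to IKEv2 with AEAD/X25519; remote.auth = pubkey without id accepts any cert from a loaded CA.
render_swanctl_conf() {
    cat <<EOF
connections {
    rw {
        version = 2
        proposals = aes256gcm16-prfsha256-x25519
        pools = rw_pool
        local {
            auth = pubkey
            certs = moonCert.pem
            id = $SERVER_ID
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                local_ts = $LOCAL_TS
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
pools {
    rw_pool {
        addrs = $POOL
    }
}
EOF
}

# Without forwarding and these rules, clients get a virtual IP but their packets go nowhere.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT   # IKE and NAT-T
    iptables -A INPUT -p esp -j ACCEPT
    iptables -A FORWARD -s "$POOL" -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    iptables -A FORWARD -d "$POOL" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    iptables -t nat -A POSTROUTING -s "$POOL" -o "$WAN_IF" -j MASQUERADE
}

main() {
    apt-get update && apt-get install -y strongswan-swanctl charon-systemd strongswan-pki
    w=$(mktemp -d)
    gen_ca "$w"
    issue_cert "$w" moon  "$SERVER_ID"
    issue_cert "$w" carol "$CLIENT_ID"
    install_pki "$w"
    render_swanctl_conf > "$SWANCTL_DIR/swanctl.conf"
    enable_forwarding
    systemctl enable --now strongswan       # charon must be running before swanctl can talk to it
    swanctl --load-all                      # creds, pools and conns in one step
    swanctl --list-certs && swanctl --list-conns
    echo "Hand the client $w/strongswanCert.pem, carolKey.pem, carolCert.pem; then take $w (CA key!) offline."
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it once as root with --apply. It leaves the CA key and the client's key pair in a temporary directory: copy the client files to the roadwarrior, then move that directory off the VPS. The sysctl and iptables changes are not persistent; put them in /etc/sysctl.d and your firewall's saved ruleset. To let clients reach the internet through the VPS rather than only 10.1.0.0/16, run with LOCAL_TS=0.0.0.0/0. On the client, the mirror-image swanctl.conf points remote_addrs at the server name, requests an address from the pool with vips = 0.0.0.0, lists carolCert.pem under local and sets remote id to the server name.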