Configure Certificate-Based VPN With Smallstep

strongSwan

Configure strongSwan with a Server TLS Certificate

1. Add a Virtual Machine Collection in Smallstep, for your VPN servers

2. Install step-agenton a VPN server, and make sure it is running as a service and is connected to Smallstep.

3. Add a Workload Collection for your strongSwan server, selecting Custom Client and Server as the Workload Type.

4. When creating the Workload Collection, use Advanced Settings to select the following:

   • Key Type: 2048-bit RSA (for maximum compatibility)
   • Server certificate location: /etc/swanctl/x509/vpn.crt
   • Server key location: /etc/swanctl/private/vpn.key
   • Reload method: systemd
   • Unit name: strongswan.service

   You may need to adjust the user, group, or file locations to match your specific OS and distribution.

5. Deploy the new Workload Collection.

6. Confirm that the Smallstep-managed certificate and private key for strongSwan appear on the VM, in /etc/swanctl/x509/vpn.crt and /etc/swanctl/private/vpn.key. These will be managed and renewed by the step-agent process.

7. The vpn.crt file is a PEM bundle containing the server certificate and the Workloads Intermediate CA certificate. strongSwan will only read the first certificate in vpn.crt. So, the Intermediate CA certificate to be separately configured.

   Run the following to separate the two certificates:

   sudo cat /etc/swanctl/x509/vpn.crt | sudo awk 'split_after==1{n++;split_after=0}
          /-----END CERTIFICATE-----/{split_after=1}
         n==1{print > "/etc/swanctl/x509ca/intermediate.crt"}'
   

   Run step certificate inspect to confirm that your Intermediate CA certificate was written to /etc/swanctl/x509ca/intermediate.crt.

8. Now let’s configure strongSwan to use your new server TLS certificate. In /etc/swanctl/swanctl.conf, your connections.<conn>.local section should look like:

       local {
         auth = eap-tls
         certs = vpn.crt
         cacerts = intermediate.crt
         id = vpn.example.com
       }
   

   The cacerts file is the Workload Intermediate CA certificate, for strongSwan to send in the TLS handshake. This allows the client to complete a trust chain back to the Workloads Root CA, which must be trusted by all clients (this is handled by Smallstep’s agent app).

   The id value should match the Subject Common Name in your server certificate.

9. Restart strongSwan, and you should now have server authentication.

Configure strongSwan to accept Smallstep-issued Client Certificates

1. In Smallstep, under Mobile Devices, create (or go to) the Device Collection for the devices that will be VPN clients.

2. Under the Accounts tab, add a VPN Account.

   • For Connection Type, choose IKEv2 with IPSec
   • For Key Type, choose RSA_2048
   • Add your Remote Address and Remote ID
   • Choose Save

3. Once you’ve created the VPN Account, download the Root CA Certificate from the VPN Settings page. This is the CA your clients will get certificates from.

4. Copy the Root CA certificate you just downloaded into /etc/swanctl/x509ca/accounts_root_ca.crt on your strongSwan servers.

5. In /etc/swanctl/swanctl.conf, update the connections.<conn>.remote section to look like:

      remote {
         id = %any
         cacerts = accounts_root_ca.crt
         auth = eap-tls
       }
   

   You can constraint the IKE id to match a subject name from the certificate, if you wish. See the strongSwan documentation for details.

6. Restart strongSwan. You now have client EAP-TLS authentication for your VPN!