From 089bf64c91f5d239c9a4825cc890f9aeb26d2c70 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 10:00:57 -0400 Subject: [PATCH] Update README.md --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 9002b1b..1a9b19a 100644 --- a/README.md +++ b/README.md 
@@ -130,21 +130,21 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransf ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) +Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. + #### Ubuntu Server 16.04 example -1. Install Strongswan: `sudo apt-get install strongswan strongswan-plugin-openssl` Plugin required per [StrongSwan Documentation](https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites), as the ECP_256 DH group is supported by the openssl plugin. -2. `/etc/ipsec.d/certs`: copy `user.crt` here from `algo-master/configs//pki/certs`. -3. `/etc/ipsec.d/private`: copy `user.key` here from `algo-master/configs//pki/private`. -4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` here from `algo-master/configs//cacert.pem`. -5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`, like in `ipsec_user.secrets` but matching the `user.key` filename. -6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` to match the `user.crt` filename. +1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan +2. `/etc/ipsec.d/certs`: copy `user.crt` from `algo-master/configs//pki/certs` +3. `/etc/ipsec.d/private`: copy `user.key` from `algo-master/configs//pki/private` +4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs//cacert.pem` +5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key` +6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update `leftcert` to match the `user.crt` filename 7. `sudo ipsec restart`: pick up config changes 8. `sudo ipsec up `: start the ipsec tunnel 9. 
`sudo ipsec down `: shutdown the ipsec tunnel -## LAN Passthrough - -To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf`, replacing `192.168.1.1/24` with whatever subnet your LAN uses: +One common use case is to let your computer access your local LAN without going through the VPN. To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf` and replace `192.168.1.1/24` with the subnet your LAN uses: conn lan-passthrough leftsubnet=192.168.1.1/24
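Review bot: The rewritten step 1 drops the rationale that the removed line carried for installing `strongswan-plugin-openssl` (the reference to the strongSwan IKEv2CipherSuites wiki page and the note that the ECP_256 DH group is provided by the openssl plugin); without it a reader has no way to tell the plugin is not optional, so keep a short parenthetical such as `(the openssl plugin is required for the ECP_256 DH group; see the strongSwan IKEv2CipherSuites page)`. Removing the `## LAN Passthrough` heading also makes the `conn lan-passthrough` block read as a continuation of the Ubuntu Server 16.04 numbered example rather than a separate, optional configuration; keeping a heading or at least a clear break before the new "One common use case" paragraph would preserve that distinction. Finally, the unchanged steps 8 and 9 still show `sudo ipsec up ` and `sudo ipsec down ` with no connection name after them; since this section is being revised anyway, the name from `ipsec_user.conf` should be filled in there.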