# Linux strongSwan IPsec Clients (e.g., OpenWRT, Ubuntu Server, etc.) Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. ## Ubuntu Server example 1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan 2. `/etc/ipsec.d/certs`: copy `.crt` from `algo-master/configs//ipsec/.pki/certs/.crt` 3. `/etc/ipsec.d/private`: copy `.key` from `algo-master/configs//ipsec/.pki/private/.key` 4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs//ipsec/manual/cacert.pem` 5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. ` : ECDSA .key` 6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and ensure `leftcert` matches the `.crt` filename 7. `sudo ipsec restart`: pick up config changes 8. `sudo ipsec up `: start the ipsec tunnel 9. `sudo ipsec down `: shutdown the ipsec tunnel One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`: conn lan-passthrough leftsubnet=192.168.1.1/24 # Replace with your LAN subnet rightsubnet=192.168.1.1/24 # Replace with your LAN subnet authby=never # No authentication necessary type=pass # passthrough auto=route # no need to ipsec up lan-passthrough To configure the connection to come up at boot time replace `auto=add` with `auto=start`. ## Notes on SELinux If you use a system with SELinux enabled you might need to set appropriate file contexts: ```` semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?" restorecon -R -v $(pwd) ```` See [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-328053950).