VPN Server IKEv2 EAP-MSCHAPv2

After deploying this server using the Standalone AMI, you will get a fully functional VPN server with a single IP address used for both the Endpoint and Outbound traffic.

If you want to run the VPN server with separate IP addresses for the Endpoint and the Outbound connection - where the Endpoint IP is used by clients to connect to the VPN, and the Outbound IP is the address under which client traffic appears on the internet - you can deploy this server using a CloudFormation template. This configuration allows you, for example, to change or rotate the outbound IP address later simply by replacing the second Elastic IP, without needing to update the client configuration and without restarting the server.

Instructions for deploying the Server from the Standalone AMI:

Launch the server. If the Elastic IP was assigned to a running instance, the instance must be restarted.

Linux username: admin

User management Web Panel:

• http(s)://ipaddress/
• Please use "admin" as username and your instance ID as password.

When accessing the Web Panel using the HTTPS protocol, your web browser may display a warning about potential risks due to the use of IP address in the URL. In this case, you should proceed and accept the risks, as our goal is to encrypt traffic, and there is no reason to worry about using IP address in a web browser.

User authentication: certificate + username/password. The client certificate (.p12 file) can be downloaded for each client from the web panel directly or via a QR code.

WINDOWS-CLIENT SETUP

To set up the VPN client on Windows, you need to perform two main steps:

• 1. Install client certificates on Windows.
• 2. Create and configure an IKEv2 VPN connection with authentication protocol EAP-MSCHAP v2.

1. Installing certificates on Windows computers.

Unpack the previously downloaded ZIP archive into a separate folder and run the file "install-cert-win.bat". As a result, the client certificate "user@ec2-...amazonaws.com" will be installed to "Local Computer"->"Personal"->"Certificates" store, and the certificate "ADEO VPN root CA" will be installed to "Local Computer"->"Trusted Root Certification Authorities" store. You can check this using the MMC console (run the file "cert-console-win.msc").

2. Creating and configuring the IKEv2 VPN connection with Extended Authentication Protocol (EAP) EAP-MSCHAP v2.

The VPN connection must be created using standard Windows tools. It should include:

• Server address: public IP address of the instance on AWS
• VPN Type: IKEv2
• Extended Authentication Protocol (EAP): EAP-MSCHAP v2
• Credentials (username and password): see user info on the Web Panel.

ANDROID-CLIENT SETUP

To set up the VPN client on Android, you need to perform two main steps:

• 1. Install client certificates on your Android device.
• 2. Install and configure the "strongSwan VPN Client" application from Google Play.

1. Installing certificates on Android device.

Download the certificate (.p12 file) to your Android device with QR code and tap on it. Install the certificates using the password "vpn". The certificate will be named "Client's VPN Certificate".

2. Installing and configuring the "strongSwan VPN Client" application.

Download and install the "strongSwan VPN Client" application from Google Play. Then, create a new profile.

The profile for the "strongSwan VPN Client" should include:

• Server address: public IP address of the instance on AWS
• VPN Type: IKEv2 Certificate + EAP (login and password)
• User Certificate: select a certificate "Client's VPN Certificate" that you installed
• CA Certificate: select automatically

If you decide to use the standard Android VPN client instead of the "strongSwan VPN Client", then the settings should include:

• Server address: public IP address of the instance on AWS
• Type: IKEv2/IPSec MSCHAPv2
• Certificate: select a certificate "Client's VPN Certificate" that you installed