Key Knowledge Areas:

  • Understand the principles of bridged and routed VPNs
  • Understand the principles and major differences of the OpenVPN, IPsec, IKEv2 and WireGuard protocols
  • Configure and operate OpenVPN servers and clients
  • Configure and operate IPsec servers and clients using strongSwan
  • Configure and operate WireGuard servers and clients
  • Awareness of L2TP

Partial list of the used files, terms and utilities:

  • /etc/openvpn/
  • openvpn
  • /etc/strongswan.conf
  • /etc/strongswan.d/
  • /etc/swanctl/swanctl.conf
  • /etc/swanctl/
  • swanctl
  • /etc/wireguard/
  • wg
  • wg-quick
  • ip

Files

/etc/openvpn/

Directory to store OpenVPN connection profiles. Filenames should end in .conf.

/etc/strongswan.conf

Default configuration file for strongSwan.

/etc/strongswan.d/

The strongswan.conf file can be split into multiple files inside /etc/strongswan.d/.

/etc/swanctl/swanctl.conf

Configuration file for swanctl which provides connections, secrets, and IP address pools.

/etc/swanctl/

Configuration hierarchy for swanctl. Its sub-directories contain file-based credentials, such as certificate-key pairs.

/etc/wireguard/

Directory to store WireGuard interface configurations and keys.

Utilities

openvpn

OpenVPN provides point-to-point or site-to-site connectivity in routed or bridged mode. The openvpn command implements both server and client.

swanctl

The swanctl utility configures, controls, and monitors the Internet Key Exchange (IKE) daemon.
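The following shell script is an added example, not part of the LPI objective page or of the strongSwan project. It builds the /etc/swanctl/ hierarchy described above (credential directories plus a fragment under conf.d/, which the stock swanctl.conf includes) and renders a swanctl.conf fragment with the three things the page names: connections, secrets and an address pool. The IKEv2 road-warrior setup, the server identity vpn.example.org, the addresses 203.0.113.10, 10.20.0.0/16, 10.30.0.0/24, 10.20.0.1 and the EAP user alice are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the LPI objective page or the strongSwan project:
# build an /etc/swanctl/-style hierarchy and an IKEv2 road-warrior
# configuration for swanctl. Identities, addresses, the pool range and the
# EAP user are constructed assumptions.

# Print a swanctl.conf fragment with connections, secrets and pools.
# $1 server identity (must match the server certificate), $2 server address,
# $3 LAN behind the server, $4 pool handed to clients, $5 DNS server for clients.
swanctl_conf() {
    srv_id="$1"; srv_addr="$2"; lan="$3"; pool="$4"; dns="$5"
    cat <<EOF
connections {
    rw {
        version = 2
        local_addrs = $srv_addr
        proposals = aes256-sha256-x25519
        pools = rw_pool
        send_certreq = no
        local {
            # Server authenticates with its certificate from /etc/swanctl/x509/.
            auth = pubkey
            certs = server.pem
            id = $srv_id
        }
        remote {
            # Clients authenticate with a username/password over EAP.
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = $lan
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    eap-alice {
        id = alice
        secret = "CHANGE-ME-constructed-example"
    }
}

pools {
    rw_pool {
        addrs = $pool
        dns = $dns
    }
}
EOF
}

# Create the credential directories swanctl --load-creds reads (x509 for
# end-entity certificates, x509ca for CA certificates, private for keys) and
# write the fragment into conf.d/. Prints the path of the written fragment.
swanctl_layout() {
    base="${1:-/etc/swanctl}"
    for sub in x509 x509ca private conf.d; do
        mkdir -p "$base/$sub"
    done
    chmod 0700 "$base/private"
    swanctl_conf "${2:-vpn.example.org}" "${3:-203.0.113.10}" \
                 "${4:-10.20.0.0/16}" "${5:-10.30.0.0/24}" "${6:-10.20.0.1}" \
        > "$base/conf.d/rw.conf"
    # The fragment carries the EAP secret, so keep it readable by root only.
    chmod 0600 "$base/conf.d/rw.conf"
    echo "$base/conf.d/rw.conf"
}

# Stand-alone use: sh swanctl-layout.sh /etc/swanctl
if [ "$#" -ge 1 ]; then
    swanctl_layout "$@"
fi
```

With the CA certificate in /etc/swanctl/x509ca/, the server certificate as /etc/swanctl/x509/server.pem and its key in /etc/swanctl/private/, the configuration is activated with swanctl --load-all; swanctl --list-conns shows what was loaded and swanctl --list-sas shows established IKE and CHILD SAs.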

wg

The wg utility provides a series of sub-commands for changing WireGuard-specific aspects of WireGuard interfaces. The interfaces themselves can be added and removed using ip link and their IP addresses and routing tables can be set using ip address and ip route.

wg-quick

Running wg-quick up adds a WireGuard interface, brings it up with the supplied IP addresses, sets the MTU and routes, and optionally runs pre/post-up scripts. Running wg-quick down optionally saves the current configuration, removes the WireGuard interface, and optionally runs pre/post-down scripts. Running wg-quick save saves the configuration of an existing interface without bringing it down. Use wg-quick strip to output a configuration file suitable for use with wg.

ip

Part of the iproute2 collection of utilities. It controls both IPv4 and IPv6 configuration. It is commonly used to assign IP addresses to network interfaces, and manage IP routing.
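The following shell script is an added example, not part of the LPI objective page or of the WireGuard project. It ties together the three utilities above: it renders a wg-quick style /etc/wireguard/wg0.conf, reproduces what wg-quick strip does (removing the keys only wg-quick understands so that wg setconf accepts the file), and prints the ip link, wg setconf, ip address and ip route commands that wg-quick up performs for that file. The key strings, addresses and the endpoint vpn.example.org are constructed placeholders; real keys come from wg genkey and wg pubkey.

```shell
#!/bin/sh
# Added example, not from the LPI objective page or the WireGuard project:
# render a wg-quick style wg0.conf, reproduce "wg-quick strip", and print
# the ip/wg commands that "wg-quick up" runs for it. Keys, addresses and
# the endpoint below are constructed placeholders.

# Generate a private key into file $1 and the matching public key into
# $1.pub (requires the wg tool; not used by the rest of the script).
wg_keypair() {
    umask 077
    wg genkey | tee "$1" | wg pubkey > "$1.pub"
}

# Print a client-side wg-quick configuration.
# $1 private key, $2 interface address (CIDR), $3 peer public key,
# $4 peer endpoint host:port, $5 AllowedIPs (comma separated).
wg_quick_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2
MTU = 1420
DNS = 10.0.0.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = $5
PersistentKeepalive = 25
EOF
}

# Read the value of key $1 from configuration file $2 (first match only).
conf_value() {
    sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Equivalent of "wg-quick strip": Address, DNS, MTU, Table, SaveConfig and
# the Pre/Post hooks are wg-quick extensions; wg(8) itself rejects them.
wg_strip() {
    sed -E '/^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*=/d' "$1"
}

# Print (do not execute) the commands "wg-quick up" performs for interface
# $1 and configuration file $2. The stripped configuration is assumed to
# have been saved as $2.stripped beforehand.
wg_manual_up() {
    ifname="$1"; conf="$2"
    echo "ip link add dev $ifname type wireguard"
    echo "wg setconf $ifname $conf.stripped"
    echo "ip address add $(conf_value Address "$conf") dev $ifname"
    mtu=$(conf_value MTU "$conf")
    echo "ip link set mtu ${mtu:-1420} up dev $ifname"
    # One route per AllowedIPs prefix. A 0.0.0.0/0 entry needs the
    # policy-routing setup wg-quick does, which is not reproduced here.
    conf_value AllowedIPs "$conf" | tr ',' '\n' | while read -r prefix; do
        [ -n "$prefix" ] && echo "ip route add $prefix dev $ifname"
    done
}

# Stand-alone use: sh wg-manual.sh /etc/wireguard/wg0.conf
if [ "$#" -ge 1 ]; then
    wg_strip "$1" > "$1.stripped"
    wg_manual_up wg0 "$1"
fi
```

The printed commands are the manual path the wg description above refers to: ip link creates the interface, wg setconf applies keys and peers, and ip address / ip route do the addressing and routing that wg-quick otherwise automates.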

Notes

Bridged vs Routed VPN

The OpenVPN community wiki describes bridged and routed VPNs. These modes are strongly related to virtual network device types (TUN/TAP): TAP supports bridging and routing, while TUN only supports routing. A bridged network forwards Layer 2 traffic over the tunnel, whereas a routed network forwards Layer 3 traffic.
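The following shell script is an added example, not part of the LPI objective page or of the OpenVPN project. It writes two minimal OpenVPN server profiles into an /etc/openvpn/-style directory with names ending in .conf: a routed one using dev tun (Layer 3, clients on their own subnet with a pushed route) and a bridged one using dev tap (Layer 2, the tap device attached to an existing bridge so clients get LAN addresses). The subnets, the bridge name br0, the certificate paths and the helper script name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the LPI objective page or the OpenVPN project:
# write two minimal OpenVPN server profiles, one routed (dev tun) and one
# bridged (dev tap). Addresses, the bridge br0 and file names are assumptions.

# Print a server profile for mode $1: "routed" or "bridged".
openvpn_profile() {
    case "$1" in
        routed)
            # TUN carries Layer 3 only: clients get a dedicated subnet and
            # reach the LAN through a pushed route.
            cat <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
EOF
            ;;
        bridged)
            # TAP carries Layer 2 frames: the tap device is attached to the
            # existing bridge br0 and clients get addresses from the LAN range.
            # script-security 2 is required for OpenVPN to run the up script.
            cat <<'EOF'
dev tap0
proto udp
port 1194
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
script-security 2
up /etc/openvpn/up-bridge.sh
EOF
            ;;
        *)
            echo "usage: openvpn_profile routed|bridged" >&2
            return 1
            ;;
    esac
    # Settings shared by both modes (certificate paths are assumptions).
    cat <<'EOF'
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
persist-key
persist-tun
verb 3
EOF
}

# Helper OpenVPN runs after opening the tap device; $1 is the device name
# OpenVPN passes as the first argument to up scripts.
up_script() {
    cat <<'EOF'
#!/bin/sh
ip link set dev "$1" up promisc on
ip link set dev "$1" master br0
EOF
}

# Write both profiles (names ending in .conf) and the bridge helper into $1.
write_profiles() {
    dir="${1:-/etc/openvpn}"
    mkdir -p "$dir"
    openvpn_profile routed > "$dir/routed.conf"
    openvpn_profile bridged > "$dir/bridged.conf"
    up_script > "$dir/up-bridge.sh"
    chmod 0755 "$dir/up-bridge.sh"
}

# Stand-alone use: sh openvpn-profiles.sh /etc/openvpn
if [ "$#" -ge 1 ]; then
    write_profiles "$1"
fi
```

Either profile is started with openvpn --config /etc/openvpn/routed.conf (or bridged.conf); the bridged one additionally needs br0 to exist with the LAN interface and the LAN address already on it.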

Internet Key Exchange (IKE)

The protocol to set up a security association (SA) in the IPsec protocol suite.

L2TP

Layer 2 Tunneling Protocol (L2TP) provides a tunnel for Layer 2 which may be transported over Layer 3. L2TP only encrypts its own control messages, not the tunneled content. It can be combined with (encrypted) Layer 3 protocols like IPsec.

IPsec

Internet Protocol Security (IPsec) is a protocol suite which authenticates and encrypts packets in an Internet Protocol (IP) network.