Avoiding local internet restrictions on strongSwan

The setup:

1. Make sure you have all the required dependencies on your device. To do this, run the following command:

sudo apt-get update && sudo apt-get upgrade

2. Next, get the following packages:

sudo apt-get install strongswan libcharon-extra-plugins libcharon-standard-plugins

Note: For Arch-based distributions and others, you might not have libcharon packages, as they are in the strongswan package. Simply run: pacman -S strongswan and that should be enough.
 

3. Open ipsec.secrets 

(Please note: copy-pasting the command may lead to issues. It is best to type it out by hand.)

sudo nano /etc/ipsec.secrets



4. Now, replace the Username and password fields with your NordVPN service username and service password, which you can find as described below.

You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

  1. Click Set up NordVPN manually.

  2. You will receive a verification code at the email address that you use for NordVPN services. Type the code in.

  3. Copy the credentials using the “Copy” buttons on the right.

Your password must be wrapped inside double-quotes. Also, notice the spaces after Username, “:” and EAP.
To save the changes, press CTRL+O, and then exit nano editor by pressing CTRL+X.

5. Once again, use your preferred text editor to open the /etc/ipsec.conf file. Do not forget root privileges, since the file is write-protected for everyone except root.

 

sudo nano /etc/ipsec.conf


6. Copy-paste this into the config:

conn NordVPN
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity="USERNAME"
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=SERVER_IP
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=%SERVER_HOSTNAME
        rightca=/etc/ipsec.d/cacerts/NordVPN.pem
        type=tunnel
        auto=add

7. Change USERNAME to your NordVPN service username from above, SERVER_IP to the IP from the list of servers below, for example 172.105.20.56, and SERVER_HOSTNAME to the hostname of the server from the list below:

8. Open the /etc/strongswan.d/charon/constraints.conf file.

sudo nano /etc/strongswan.d/charon/constraints.conf

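Inside the file, change load = yes to load = no. This stops strongSwan from loading its constraints plugin, which performs advanced X.509 constraint checking on certificate chains, and the setting applies to every connection on the system.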
 

9. Download the NordVPN RSA certificate.

sudo wget https://downloads.nordcdn.com/certificates/root.pem -O /etc/ipsec.d/cacerts/NordVPN.pem


10. Now let’s restart ipsec in order to reload all configuration files.

sudo ipsec restart

If you’ve made any typos in the /etc/ipsec.conf file, you’ll be notified when the service starts.
 

11. After it’s done, you can connect by launching this command:

sudo ipsec up NordVPN


This command should show the output “Connection NordVPN has been established successfully”.


12. To disconnect, simply type:

sudo ipsec down NordVPN
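
A pre-flight check for the files edited in steps 4 to 7, added here as an example and not part of NordVPN's guide or tooling. Run before sudo ipsec restart, it confirms that the secrets file is private and follows the USER : EAP "PASS" layout from step 4, that the template placeholders in the conn block were replaced, and that no invisible characters came along with a copy-paste. The function names and the owner-only permission requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NordVPN's code): lint the two files edited in this guide.
# Usage, after sourcing this file in a root shell:
#   check_secrets /etc/ipsec.secrets && check_conn /etc/ipsec.conf

# has_hidden_bytes FILE: true if FILE holds bytes outside printable ASCII,
# e.g. a zero-width space picked up when copy-pasting from a web page.
has_hidden_bytes() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# check_secrets FILE: the credentials file must be private and well-formed.
check_secrets() {
    f=$1; rc=0
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ldL "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: accessible by group/other; chmod 600 it" >&2; rc=1
    fi
    # Each entry: identity, " : EAP ", then the password in double quotes.
    if grep -Ev '^[[:space:]]*(#.*)?$' "$f" |
       grep -Evq '^[^[:space:]"]+ : EAP "[^"]+"[[:space:]]*$'; then
        echo "$f: entry not of the form USER : EAP \"PASS\"" >&2; rc=1
    fi
    if has_hidden_bytes "$f"; then
        echo "$f: contains hidden non-ASCII bytes" >&2; rc=1
    fi
    return $rc
}

# check_conn FILE: the pasted conn block must have its placeholders replaced.
check_conn() {
    f=$1; rc=0
    if grep -Eq 'USERNAME|SERVER_IP|SERVER_HOSTNAME' "$f"; then
        echo "$f: template placeholder still present" >&2; rc=1
    fi
    grep -Eq '^[[:space:]]*right=[0-9]+(\.[0-9]+){3}[[:space:]]*$' "$f" ||
        { echo "$f: right= is not an IPv4 address" >&2; rc=1; }
    grep -Eq '^[[:space:]]*rightid=%?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+[[:space:]]*$' "$f" ||
        { echo "$f: rightid= is not a hostname" >&2; rc=1; }
    if has_hidden_bytes "$f"; then
        echo "$f: contains hidden non-ASCII bytes" >&2; rc=1
    fi
    return $rc
}
```

Each function prints one line per problem to stderr and returns non-zero if anything needs fixing.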

 

 

Changing the server:

1. Edit the file /etc/ipsec.conf:

sudo nano /etc/ipsec.conf

2. Change the right and rightid fields to the values that correspond to a different server, and save the file. For example:

right=45.79.113.73
rightid=us5733.nordvpn.com

3. Run the commands:

sudo ipsec restart
sudo ipsec up NordVPN

 

Common errors and their solutions:

No config named 'NordVPN':
If you receive the No config named 'NordVPN' error after running the ipsec up NordVPN command, please refer to this article.
 

Error "generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]":

1. Run the command:

sudo rm /etc/ipsec.sec*

 

2. Create a new ipsec.secrets file using the command:

sudo nano /etc/ipsec.secrets

 

3. Enter the credentials as described in step 4 of the main guide, and save the file.

4. Run the commands:

sudo ipsec restart
sudo ipsec up NordVPN