I set up an OpenVPN server on my vhost and learned to appreciate the benefit of
having a secure connection to the internet from anywhere, any time. Anywhere
but Windows Phone.
The Windows Phone 8.1 update, however, came packed with the much needed
feature: native VPN support. Of course Microsoft only supports IPsec tunnels, so
that's what needs to be set up on the server.
I found a great article
on www.zeitgeist.se that explains how to set up an
IPsec server on a Linux box. However, I bumped into a few problems specific to
Windows Phone. Those were the motivation to write this blog post for any of you
who are considering setting up an IPsec VPN for your Windows Phone 8.1 device.
I decided to ruthlessly copy most of the instructions from the article
mentioned above and add my comments and WP-specific instructions in between to
have everything in one place.
strongSwan is an open-source IPsec VPN server for
Linux and other Unix-based operating systems. It has very rich documentation,
but I felt overwhelmed by most of it. It turns out that setting up a strongSwan
VPN isn't harder than, say, OpenVPN.
1. Install strongSwan
The article on zeitgeist.se
covers installing strongSwan on Debian systems. On Arch Linux you can find
strongSwan in the AUR,
so it's just a matter of installing it with the AUR helper of your choice.
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA vpn_host.key
'Windows Phone\username' : EAP 'topsecretpassword'
Now, this part is important: you need to use 'Windows Phone\<username>' as the
EAP identity in ipsec.secrets for all users connecting from a Windows Phone
device. Also note the single quotes, which are needed because the identity
contains a space. If strongSwan was already running, you need to run
ipsec rereadsecrets to load the new credentials.
4. Importing the Root CA on your Windows Phone Device
One thing remains to do on the server. For your device to accept your
(self-signed) VPN host certificate, you need to import the root CA.
Windows Phone only supports DER formatted certificates, so you have to convert
your PEM formatted certificate to DER with the following command:
openssl x509 -outform der -in cacerts/vpn_ca.crt -out vpn_ca.cer
No, it’s not a typo, you need the .cer extension for WP to recognize it’s a
Attach the .cer file to an email and send it to an account you have access to on
your device. On the device, download the attachment and import it by
tapping it once it has downloaded.
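As an added example (not code from the post or from the zeitgeist.se article), here is the same PEM-to-DER conversion done with Python's standard library, plus two checks the openssl one-liner does not give you: a sanity check that the DER envelope length matches the file, and the certificate's SHA-1 and SHA-256 fingerprints, so you can compare what the phone shows against what the server produced before trusting a CA that travelled through your mailbox. SAMPLE_PEM is a constructed placeholder (a five-byte DER SEQUENCE in PEM armour), not a real certificate; pass cacerts/vpn_ca.crt as the first argument for the real thing.

```python
import base64
import hashlib
import ssl
import sys

# Constructed placeholder so the example runs offline: a minimal DER SEQUENCE
# in PEM armour. It is NOT a real CA certificate; use cacerts/vpn_ca.crt.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def der_outer_length(der: bytes) -> int:
    """Total length claimed by the outer DER SEQUENCE header, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:      # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:                         # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_cer(pem: str) -> bytes:
    """Same result as 'openssl x509 -outform der': strip the armour and base64-
    decode, then refuse truncated or padded output before it reaches the phone."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    if der_outer_length(der) != len(der):
        raise ValueError("DER envelope length does not match the decoded data")
    return der


def fingerprints(der: bytes) -> dict:
    """Colon-separated uppercase hex over the DER bytes. SHA-1 is what Windows
    certificate dialogs label 'Thumbprint'; SHA-256 is the stronger comparison."""
    out = {}
    for alg in ("sha1", "sha256"):
        hexd = hashlib.new(alg, der).hexdigest().upper()
        out[alg] = ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    return out


if __name__ == "__main__":  # usage: python pem2cer.py cacerts/vpn_ca.crt vpn_ca.cer
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    cer = pem_to_cer(pem_text)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as f:   # keep the .cer extension for WP
            f.write(cer)
    for alg, fp in fingerprints(cer).items():
        print(f"{alg.upper():7}{fp}")
```

Write down the fingerprints before you send the mail; if the certificate the phone offers to install does not match, do not import it.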
5. Set up the connection on your device
Now comes the fun part: setting up the connection. In Settings, go to VPN
and add a new profile. Enter your FQDN (fully qualified domain name). This has
to match the one you previously assigned to the PKI_FQDN variable, of course.
Enter your username without the 'Windows Phone\' prefix (the device adds that
prefix to the EAP identity itself, which is why the server-side entry needs it)
and your password. Tap save and cross your fingers while your device connects.