strongSwan VPN Client

The Description of strongSwan VPN Client

Site Editorial Commentary：An easy to use IKEv2/IPsec-based VPN client.

Official Android port of the popular strongSwan vpn solution, providing a robust and secure VPN client for your Android device.

# FEATURES AND LIMITATIONS #

* Utilizes the VpnService API, a standard feature in Android 4 and later. Please be aware that due to manufacturer-specific implementations, strongSwan VPN Client may not be compatible with all devices.
* Employs the IKEv2 key exchange protocol for secure and efficient VPN connection establishment.
* Secures data traffic using IPsec, ensuring confidentiality and integrity.
* Offers full support for seamless connectivity transitions and mobility through MOBIKE (or reauthentication), maintaining a stable VPN connection as you move between networks.
* Supports a variety of username/password EAP authentication methods, including EAP-MSCHAPv2, EAP-MD5, and EAP-GTC. It also supports RSA/ECDSA private key/certificate authentication for user verification. EAP-TLS with client certificates is also supported for enhanced security.
* Enables combined RSA/ECDSA and EAP authentication through two authentication rounds, as defined in RFC 4739, providing an extra layer of security.
* Verifies VPN server certificates against pre-installed or user-installed CA certificates. The CA or server certificates used to authenticate the server can be directly imported into the app for simplified management.
* Supports IKEv2 fragmentation (if the VPN server supports it, available in strongSwan since version 5.2.1) to handle large packets effectively.
* Split-tunneling functionality allows you to selectively route traffic through the VPN, excluding specific apps or traffic for customized usage.
* Per-app VPN lets you restrict the VPN connection to specific applications or prevent certain apps from using the VPN, giving you granular control over your network traffic.
* The IPsec implementation currently supports the AES-CBC, AES-GCM, ChaCha20/Poly1305, and SHA1/SHA2 algorithms, offering a range of encryption options.
* Passwords are currently stored as cleartext in the database (only if stored with a profile). exercise caution when storing profiles.
* VPN profiles can be imported from files, simplifying the setup process.
* Supports managed configurations via enterprise mobility management (EMM) for easy deployment and management in corporate environments.

Details and a changelog are available on our documentation site: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html

# PERMISSIONS #

* READ_EXTERNAL_STORAGE: Required on some Android versions to import VPN profiles and CA certificates from external storage.
* QUERY_ALL_PACKAGES: Required on Android 11+ to select apps to include or exclude in VPN profiles and for the optional EAP-TNC use case.

# EXAMPLE SERVER CONFIGURATION #

Example server configurations can be found in our documentation: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html#_server_configuration

Please ensure that the hostname (or IP address) configured in the VPN profile *must be* included in the server certificate as a subjectAltName extension.

# FEEDBACK #

For bug reports and feature requests, please use GitHub: https://github.com/strongswan/strongswan/issues/new/choose

When submitting feedback, please include details about your device (manufacturer, model, OS version, etc.).

The log file generated by the key exchange service can be sent directly from within the application.