strongSwan VPN Client for Android 4+

The free strongSwan VPN Client for Android 4 and newer can be installed as a normal app without the need for rooting the Android device.


strongSwan VPN Client for Android 4 and newer is an easy-to-use, free VPN client for Android-based devices. It was written by Tobias Brunner based on the initial work by HSR students Giuliano Grassi and Ralf Sager as part of their bachelor thesis (PDF, German).

The app uses the VpnService API provided by Android 4 and newer, which allows it to work on non-rooted devices. Since strongSwan usually relies on the IPsec stack of the Linux kernel, which can only be accessed with root permission, a library that handles ESP encryption and decryption in userland had to be created. The initial code for this library also originated from the above bachelor thesis.

Key Features

  • It uses the IKEv2 key exchange protocol.
  • User authentication is either based on username/password EAP authentication (namely EAP-MSCHAPv2, EAP-MD5, EAP-GTC) or RSA certificate authentication (using the default Android KeyChain).
  • VPN gateway certificates are verified against the CA certificates installed on the system. Users may install CA certificates manually from downloads or emails, or from external storage via the Security system settings.
  • Full support for changed connectivity and mobility through MOBIKE. This means that a running VPN tunnel survives a change of the network interface (e.g. from UMTS to WLAN and back again).

Limitations

  • Because the app requires the VpnService API, it will not work on devices from manufacturers that have removed support for it.
  • IKEv1 is not supported at the moment.
  • Split tunneling has to be enforced by the gateway (the app will propose 0.0.0.0/0 as remote traffic selector).
  • The passwords (if stored with a profile) are stored as cleartext in the database.
  • libipsec only supports the AES and SHA1/SHA2 algorithms at the moment.

Gateway Configuration

The Windows 7 example configuration we provide on our wiki can also be used with this app. Note, however, that the host name configured in the app's VPN profile must be contained in the gateway certificate as a subjectAltName.
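
One way to check the subjectAltName requirement before deploying a gateway certificate, as an added example that is not part of this page or of the strongSwan project. It assumes the openssl command-line tool (1.1.1 or newer for `-addext`); the function names, file names, vpn.example.org and 192.0.2.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not strongSwan code): verify that a gateway certificate carries
# the host name from the app's VPN profile as a subjectAltName entry.
# Assumes the openssl CLI; all names and addresses below are constructed.

# san_entries CERT.pem -> one SAN entry per line, e.g. "DNS:vpn.example.org"
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//'
}

# gateway_cert_has_san CERT.pem HOST -> exit 0 only if HOST is listed as a
# DNS or IP SAN. A name that appears only in the subject CN does not count.
gateway_cert_has_san() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    san_entries "$1" | tr 'A-Z' 'a-z' |
        grep -qxF -e "dns:$want" -e "ip address:$want"
}

# make_sample_cert OUT.pem CN [SAN] -> throwaway self-signed test certificate
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$key" \
        -out "$1" -subj "/CN=$2" \
        ${3:+-addext} ${3:+"subjectAltName=$3"} 2>/dev/null
    rc=$?
    rm -f "$key"
    return $rc
}

# Demo on two constructed certificates: one with the name as SAN, one CN-only.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/with-san.pem" gateway "DNS:vpn.example.org,IP:192.0.2.1"
make_sample_cert "$demo_dir/cn-only.pem" vpn.example.org
for cert in with-san cn-only; do
    if gateway_cert_has_san "$demo_dir/$cert.pem" vpn.example.org; then
        echo "$cert.pem: vpn.example.org present in subjectAltName"
    else
        echo "$cert.pem: vpn.example.org MISSING from subjectAltName"
    fi
done
```

The check is an exact, case-insensitive match on DNS and IP entries and deliberately ignores the subject CN, so a certificate that names the gateway only in its CN is reported as missing the entry.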

Download and Installation

The app may be installed directly from Google Play.

Feature Requests, Bugs

Please submit feature requests and bug reports to our issue tracker.