Strongswan IPSec VPN snap package

I made an initial attempt to package strongswan, I got it to a point where everything builds and runs fine in devmode, the charon service starts on install with the default configuration shipped by upstream.

Since I’m not super familiar with IPSec VPNs and their setup, I’m asking for some help here from someone more knowledgeable than me to finish the snap…

The whole configuration lives in /var/snap/strongswan/current/etc after install in case you want to help and tinker with it.

Scripts and tools are shipped as:

  • strongswan-ogra.pki
  • strongswan-ogra.ipsec
  • strongswan-ogra.swanctl

The service can be controlled via systemctl as:


The code can be found at:

UPDATE: I had to rename the experimental snap to strongswan-ogra since the strongswan name is already registered.

UPDATE2: the package is now in the store in the edge channel, you can install it via:
snap install --devmode --edge strongswan-ogra
any feedback in this thread is appreciated.

I have been able to install the strongswan-ogra snap from the edge channel and I am starting to work with it. I have access to a fairly large lab and I have been attempting to setup some complex route based VPN scenarios with the quagga snap. One item I have ran into with the snap was after you renamed it from strongswan to strongswan-ogra. I found that some of the paths in the wrappers contained in the snap still had paths referencing /var/snap/strongswan/ and that the snapcraft.yaml needed some additional prepare statements . On github another user jehos has done a pull request with the fixes but they have not been approved and bundled into the snap.

whoops, sorry, i’ll try to get to merging the PR tomorrow (that somehow went under my radar)

the pull request is merged now, sorry that it took so long …

This snap has finally been moved to strict confinement, a core18 base and been bumped to the 5.8.1 upstream version …

please run

sudo snap connect strongswan-ogra:network-control

right after installation, to give the charon daemon access to the necessary capabilities, the daemon should start automatically after this …

the snap is still not in the stable channel since i want to gather some feedback first.

How to load the connections automatically after reboot?

edit the /var/snap/strongswan-ogra/current/etc/strongswan.conf file and add the charon.start-scripts section

charon {
     start-scripts {
            load-all = $SNAP/usr/sbin/swanctl --load-all --noprompt
1 Like