Overview
The Linux VPN Policy lets you automatically configure VPN profiles on managed Linux devices using Swif. It supports both:
OpenVPN profiles (importing a full .ovpn configuration), and
IPsec (strongSwan) configurations via swanctl.conf and related files.
This policy works for both BYOD (personally owned) and company-owned Linux devices.
Supported platforms
Operating system: Linux
Ownership models: Company-owned and BYOD
Policy type: LINUX_VPN_POLICY
Display name: Linux VPN Policy
What the Linux VPN Policy does
When you assign a Linux VPN Policy to a device:
For OpenVPN:
Swif installs/uses OpenVPN on the device.
It creates one or more OpenVPN profiles exactly as defined in the policy.
Users can then connect to your VPN using those profiles.
For IPsec:
Swif writes out swanctl configuration files for one or more IPsec connections.
It configures connections, authentication, traffic selectors, and CA/secret material.
Profiles created by Swif are removed when the policy is removed from the device.
When you delete or unassign the policy from a device, Swif cleans up the VPN configurations that it created.
Fields in the Linux VPN Policy
The Linux VPN Policy has two top-level configuration sections:
openVpnConfigurationList – list of OpenVPN profiles
ipsecConfigurationList – list of IPsec configurations (for strongSwan/swanctl)
You can set one or both, and each is an array, so multiple VPN profiles can be delivered to the same device.
OpenVPN configuration
Field: openVpnConfigurationList
Display name: OpenVPN Profile List
Type: Array of dictionaries
Description: The OpenVPN configurations to be used.
Each entry in openVpnConfigurationList contains:
1. name
Display name: Name
Type: String
Required: Yes
Description: A human-readable name for the OpenVPN configuration (e.g. Engineering VPN or corp-openvpn-primary).
2. ovpnProfile
Display name: OpenVPN Profile
Type: String
Required: Yes
Description: The full OpenVPN profile content, typically what you would find in a .ovpn file.
This field should contain a complete OpenVPN configuration, including directives and any inline certificates/keys, for example:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate that carries the server role, so no other
# certificate issued by the same CA can be presented as the VPN server.
remote-cert-tls server
auth SHA512
verb 3
# Inline CA certificate used to verify the server certificate.
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
# Inline client certificate and its matching private key.
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
# Inline tls-crypt key: encrypts and authenticates the control channel.
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
Swif passes this profile directly to the Linux device and uses it to configure OpenVPN.
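Because the profile is passed through unchanged, an incomplete or malformed ovpnProfile only fails once it reaches the device. The following Python check, added here as an example and not part of Swif or of this page, parses the profile layout shown above (directives plus inline <tag> blocks) and reports what is missing before the policy is assigned; the sample profile and the helper names parse_ovpn, check_profile and _pem are constructed for the example.

```python
import re

# Inline block such as <ca> ... </ca>; OpenVPN accepts these in place of file paths.
INLINE_RE = re.compile(r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?", re.M | re.S)

def parse_ovpn(profile):
    """Split an ovpnProfile string into directives {name: [args]} and inline blocks {tag: body}."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(profile)}
    directives = {}
    for line in INLINE_RE.sub("", profile).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):   # skip blank and comment lines
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, inline

def check_profile(profile):
    """Return problems that would make the profile fail to load or weaken its trust checks."""
    d, inline = parse_ovpn(profile)
    problems = []
    for name in ("client", "remote"):
        if name not in d:
            problems.append(f"missing '{name}' directive")
    for tag in ("ca", "cert", "key"):   # each may be inline or a file directive, but not neither
        if tag not in inline and tag not in d:
            problems.append(f"no <{tag}> block or '{tag}' directive")
    for tag, body in inline.items():
        if not body.startswith("-----BEGIN "):
            problems.append(f"<{tag}> block does not start with a PEM header")
    if d.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        problems.append("missing 'remote-cert-tls server' (server certificate role check)")
    if not (set(d) | set(inline)) & {"tls-crypt", "tls-auth"}:
        problems.append("no tls-crypt/tls-auth key: control channel has no extra protection")
    return problems

def _pem(tag, kind):   # constructed placeholder block, not a real certificate or key
    return f"<{tag}>\n-----BEGIN {kind}-----\nconstructed\n-----END {kind}-----\n</{tag}>\n"

# Constructed sample ovpnProfile value, laid out like the example on this page.
SAMPLE_PROFILE = ("client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
                  "remote-cert-tls server\nauth SHA512\nverb 3\n"
                  + _pem("ca", "CERTIFICATE") + _pem("cert", "CERTIFICATE")
                  + _pem("key", "PRIVATE KEY") + _pem("tls-crypt", "OpenVPN Static key V1"))

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE) or "profile looks complete")
```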
IPsec configuration (strongSwan / swanctl)
Field: ipsecConfigurationList
Display name: IPsec Configuration List
Type: Array of dictionaries
Description: IPsec configurations for swanctl configuration files (strongSwan).
Each IPsec configuration entry can include:
A name for the configuration
One or more IKE connections (ipsecConnectionList)
Secrets (ipsecSecrets)
CA certificates (ipsecCACerts)
This maps to the standard strongSwan swanctl.conf and certificate/secret layout.
1. IPsec configuration root
name
Display name: Name
Type: String
Required: Yes
Description: A logical name for the IPsec configuration (e.g. corp-ipsec).
2. IKE connections: ipsecConnectionList
Display name: IPsec Connection List
Type: Array of dictionaries
Description: Defines one or more IKE connections (equivalent to connections { ... } in swanctl.conf).
Each entry represents an IKE connection and includes:
a. connectionName
Display name: Connection Name
Type: String
Required: Yes
Description: The unique name of the IPsec connection (e.g. corp-ikev2).
b. version
Display name: Version
Type: String
Description: IKE major version to use:
1 – IKEv1 (ISAKMP)
2 – IKEv2
If not specified, strongSwan defaults are used.
c. remoteAddrs
Display name: Remote Addresses
Type: String
Description: Comma-separated list of remote addresses used for IKE communication.
Accepts IPv4/IPv6, DNS names, CIDR subnets, or IP ranges.
Example:
vpn1.example.com, vpn2.example.com
d. remotePort
Display name: Remote Port
Type: Integer
Default: 500
Description: Remote UDP port for IKE communication. Typically 500 (and 4500 for NAT-T if negotiated).
e. localAddrs
Display name: Local Addresses
Type: String
Description: Comma-separated list of local addresses for IKE communication.
Accepts IPv4/IPv6, DNS names, CIDR, or IP ranges.
Leave empty to use the system’s default interface/address.
f. localPort
Display name: Local Port
Type: Integer
Default: 500
Description: Local UDP port for IKE communication.
g. vips
Display name: Virtual IP Addresses
Type: String
Description: Comma-separated list of virtual IPs to request from the VPN server (IKEv2 configuration payloads or IKEv1 ModeConfig).
Often used to assign a tunnel (inner) IP to the client.
h. proposals
Display name: Proposals
Type: String
Description: Algorithms to use for IKE.
Algorithms within a proposal are separated by dashes.
Multiple proposals are separated by commas.
Example:
aes256-sha256-modp2048,aes128-sha256-modp1024.
3. Local and remote connection settings
Each IKE connection can also define local and remote connection-specific settings.
Field: localConnection
Display name: Local Connection
Type: Array of dictionaries (typically a single object)
Description: Local endpoint configuration.
Subfields:
auth
Display name: auth
Type: String
Description: Local authentication method (e.g. psk, pubkey, or eap).
id
Display name: id
Type: String
Description: IKE identity to use for local authentication (e.g. user@example.com or CN=myclient).
certs
Display name: certs
Type: String
Description: Comma-separated list of certificate candidates for local authentication.
pubkeys
Display name: pubkeys
Type: String
Description: Comma-separated list of raw public key candidates for local authentication.
Field: remoteConnection
Display name: Remote Connection
Type: Array of dictionaries (typically a single object)
Description: Remote endpoint configuration.
Subfields:
auth
Display name: auth
Type: String
Description: Authentication method expected from the remote side.
id
Display name: id
Type: String
Description: Expected IKE identity from the remote side.
certs
Display name: certs
Type: String
Description: Comma-separated list of allowed remote certificates.
cacerts
Display name: cacerts
Type: String
Description: Comma-separated list of CA certificates to trust for remote authentication.
pubkeys
Display name: pubkeys
Type: String
Description: Comma-separated list of raw public keys to accept for authentication.
4. Child connections: childConnectionList
Display name: Child Connection
Type: Array of dictionaries
Description: Child SAs for IPsec (equivalent to children { ... } in swanctl.conf). These define which traffic is protected by the VPN.
Subfields:
a. childName
Display name: Child Connection Name
Type: String
Required: Yes
Description: Name of the child connection (e.g. corp-internal-net).
b. remoteTs
Display name: Remote Traffic Selectors
Type: String
Description: Comma-separated list of remote traffic selectors for the CHILD_SA.
Example:
10.0.0.0/16,10.10.0.0/24.
c. localTs
Display name: Local Traffic Selectors
Type: String
Description: Comma-separated list of local traffic selectors for the CHILD_SA.
Each selector is a CIDR subnet, optionally followed by proto/port.
Example:
0.0.0.0/0,::/0 (for full-tunnel) or 192.168.1.0/24[tcp/443].
d. startAction
Display name: Start Action
Type: String
Default: none
Allowed values: none, start, trap, trap|start
Description: Action to perform after loading the configuration:
none – only load the configuration, no automatic connection.
start – immediately bring up the child connection.
trap – install trap policies and establish on traffic.
trap|start – combination of the two behaviors.
5. IPsec secrets: ipsecSecrets
Display name: IPsec Secrets
Type: Array of dictionaries
Description: Secrets used for IPsec authentication (e.g. pre-shared keys, private keys).
Subfields:
a. secretName
Display name: Secret Name
Type: String
Required: Yes
Description: Name of the secret section. The prefix usually indicates the secret type (e.g. ike-1, rsa-1).
b. id
Display name: ID
Type: String
Description: Identifier used for this secret (e.g. IKE identity or key reference).
c. secret
Display name: Secret
Type: String
Description: Actual secret value (for example, a pre-shared key or similar).
Handle this field with care; treat it as sensitive information.
6. IPsec CA certificates: ipsecCACerts
Display name: IPsec CA Certs
Type: Array of dictionaries
Description: CA certificates to be placed under /etc/swanctl/x509ca/.
Subfields:
a. cacertName
Display name: CA Cert Filename
Type: String
Description: Filename for the CA certificate (e.g. corp-root-ca.pem).
b. cacertContent
Display name: CA Cert Content
Type: String
Description: The full PEM-encoded content of the CA certificate.
Example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
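To make the mapping from the policy fields above to the swanctl.conf layout concrete, here is an added Python example (not Swif's agent code and not from this page) that renders one ipsecConfigurationList entry into connections { ... } and secrets { ... } sections and rejects a startAction outside the allowed values. The policy key names are the ones documented on this page; the function names render_connection and render_swanctl_conf and the sample policy values are constructed for the example.

```python
# Swif policy field -> swanctl.conf key (field names as documented on this page).
CONN_KEYS = {"version": "version", "remoteAddrs": "remote_addrs", "remotePort": "remote_port",
             "localAddrs": "local_addrs", "localPort": "local_port", "vips": "vips",
             "proposals": "proposals"}
CHILD_KEYS = {"remoteTs": "remote_ts", "localTs": "local_ts", "startAction": "start_action"}
START_ACTIONS = {"none", "start", "trap", "trap|start"}   # allowed startAction values

def _section(name, body):
    """One swanctl.conf section; body lines are indented four spaces."""
    return [f"{name} {{"] + ["    " + line for line in body] + ["}"]

def _kv(entry, keymap):
    """'key = value' lines for every mapped field that is present and non-empty."""
    return [f"{keymap[k]} = {entry[k]}" for k in keymap if entry.get(k) not in (None, "")]

def render_connection(conn):
    """Render one ipsecConnectionList entry as a named block inside connections { ... }."""
    body = _kv(conn, CONN_KEYS)
    for side, field in (("local", "localConnection"), ("remote", "remoteConnection")):
        for i, ep in enumerate(conn.get(field, [])):   # extra auth rounds become local-2, ...
            body += _section(f"{side}-{i + 1}" if i else side, [f"{k} = {v}" for k, v in ep.items() if v])
    children = []
    for child in conn.get("childConnectionList", []):
        if child.get("startAction", "none") not in START_ACTIONS:
            raise ValueError(f"{child['childName']}: invalid startAction {child['startAction']!r}")
        children += _section(child["childName"], _kv(child, CHILD_KEYS))
    return _section(conn["connectionName"], body + (_section("children", children) if children else []))

def render_swanctl_conf(cfg):
    """swanctl.conf text for one ipsecConfigurationList entry: connections plus secrets."""
    conns = [line for c in cfg["ipsecConnectionList"] for line in render_connection(c)]
    secrets = []
    for s in cfg.get("ipsecSecrets", []):   # e.g. ike-1 { id = ...  secret = "..." }
        body = ([f"id = {s['id']}"] if s.get("id") else []) + [f'secret = "{s["secret"]}"']
        secrets += _section(s["secretName"], body)
    text = _section("connections", conns) + (_section("secrets", secrets) if secrets else [])
    return "\n".join(text) + "\n"

# Constructed sample ipsecConfigurationList entry (placeholder values, not a real deployment).
SAMPLE = {"name": "corp-ipsec", "ipsecConnectionList": [{
    "connectionName": "corp-ikev2", "version": "2", "vips": "0.0.0.0",
    "remoteAddrs": "vpn1.example.com, vpn2.example.com", "proposals": "aes256-sha256-modp2048",
    "localConnection": [{"auth": "psk", "id": "user@example.com"}],
    "remoteConnection": [{"auth": "psk", "id": "vpn1.example.com"}],
    "childConnectionList": [{"childName": "corp-internal-net", "localTs": "0.0.0.0/0",
                             "remoteTs": "10.0.0.0/16", "startAction": "trap"}]}],
    "ipsecSecrets": [{"secretName": "ike-1", "id": "user@example.com", "secret": "constructed-psk"}]}

if __name__ == "__main__":
    print(render_swanctl_conf(SAMPLE), end="")
```

The rendered text is what would land in swanctl.conf; the secret value is emitted verbatim, which is why the page tells you to treat that field as sensitive.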
Behavior when assigning and removing the policy
Assigning the policy
Swif pushes the VPN configurations to the Linux agent.
OpenVPN and/or IPsec (strongSwan) are configured according to the policy.
Users on the device gain access to the VPN endpoints you defined.
Removing the policy (or unassigning the device)
Swif removes VPN profiles that were created by this policy, without touching unrelated, user-managed VPN configurations.
Security considerations
Secrets and private keys
Store secrets, private keys, and CA content only where necessary.
Limit access to admins who must manage network/VPN configuration.
Certificates
Make sure certificates and CAs you configure match your VPN server side.
Testing
Always test new VPN policies with a small number of devices before rolling them out widely.
