
Updating Cambridge VPN configuration

· 1 min read · March 03, 2026 · #nixos #linux #tech #cambridge

UIS recently rolled over the certificate for the University’s VPN service, and the same update was applied to the Computer Lab’s service at the same time. This was a bit of a pain as the (as close as we get to) supported Linux distribution is Ubuntu, but I use NixOS.

It took me too long to figure this out and was, as is often the case, much simpler in retrospect than I was trying to make it. So here’s the answer :)

I should note that the original version of this module was produced by Andrew Jeffery and has really only been lightly edited by me.

Replace the `CRSID` and `HOSTNAME` placeholders with your CRSid and this machine's hostname.

{ pkgs, config, ... }:
let
  # Replace these two placeholders: your CRSid and the hostname this machine
  # should present to the VPN. Both are interpolated into the IKE identity
  # (leftid) of each connection below.
  crsid = "CRSID";
  hostname = "HOSTNAME";

  # IKEv2 parameters every connection inherits through the "%default" section.
  ikev2Defaults = {
    keyexchange = "ikev2";
    ikelifetime = "60m";
    keylife = "20m";
    rekeymargin = "3m";
    keyingtries = "1";
  };

  # University-wide VPN run by UIS.
  # Setup instructions:
  # https://help.uis.cam.ac.uk/service/network-services/remote-access/uis-vpn/ubuntu2004
  # Password from https://tokens.uis.cam.ac.uk/
  uisConnection = {
    left = "%any";
    leftid = "${crsid}+${hostname}_ucamvpn@cam.ac.uk";
    leftauth = "eap";
    leftsourceip = "%config";
    leftfirewall = "yes";
    right = "vpn.uis.cam.ac.uk";
    # The server is pinned to this exact identity and must chain to the
    # ISRG Root X1 anchor named in rightca, so a certificate for some other
    # name under the same CA is not accepted.
    rightid = ''"CN=vpn.uis.cam.ac.uk"'';
    rightca = ''"C=US, O=Internet Security Research Group, CN=ISRG Root X1"'';
    # Full tunnel: every IPv4 destination is sent through the VPN. Only an
    # IPv4 selector is listed here, so IPv6 traffic presumably bypasses the
    # tunnel — confirm against the UIS instructions.
    rightsubnet = "0.0.0.0/0";
    auto = "add";
  };

  # Ranges reached through the Computer Lab tunnel (split tunnel: everything
  # else stays on the local route).
  cuclSubnets = [
    "10.128.0.0/9"
    "10.64.0.0/10"
    "128.232.0.0/16"
    "129.169.0.0/16"
    "131.111.0.0/16"
    "172.16.0.0/13"
    "172.24.0.0/14"
    "172.28.0.0/15"
    "172.30.0.0/16"
    "192.18.195.0/24"
    "193.60.80.0/20"
    "193.63.252.0/23"
    "2001:630:210::/44"
    "2a05:b400::/32"
  ];

  # Computer Laboratory VPN run by CST.
  # Setup instructions: https://www.cst.cam.ac.uk/local/sys/vpn2/linux
  # Password from https://vpnpassword.cl.cam.ac.uk/
  cuclConnection = {
    reauth = "no";
    left = "%any";
    leftid = "${crsid}-${hostname}";
    leftauth = "eap";
    leftsourceip = "%config4,%config6";
    leftfirewall = "yes";
    right = "vpn2.cl.cam.ac.uk";
    # NOTE(review): "%any" does not pin the server's identity; as far as I can
    # tell any certificate chaining to a loaded CA is accepted for this peer.
    # The UCAM connection above pins rightid and rightca instead — check the
    # CST instructions before tightening this.
    rightid = "%any";
    rightsendcert = "never";
    rightsubnet = pkgs.lib.concatStringsSep "," cuclSubnets;
    auto = "add";
  };
in
{
  environment.systemPackages = [ pkgs.strongswan ];

  services.strongswan = {
    enable = true;
    # EAP credentials. This is a plain string path (not a Nix path literal),
    # so the file is read at runtime and never copied into /nix/store; keep it
    # readable by root only. Format per
    # https://help.uis.cam.ac.uk/service/network-services/remote-access/uis-vpn/ubuntu1604#password-file
    secrets = [ "/etc/secrets/ipsec.secrets" ];

    connections = {
      "%default" = ikev2Defaults;
      UCAM = uisConnection;
      CUCL = cuclConnection;
    };

    # Trust anchor for the servers' certificates. The PEM is a path literal,
    # so it must sit next to this file and is copied into the Nix store. The
    # section name is only a label: ca sections in ipsec.conf appear to be
    # global rather than tied to the CUCL connection.
    ca.CUCL = {
      auto = "add";
      cacert = "${./isrgrootx1.pem}";
    };
  };
}