Connected Tutorial (This question is a follow-up to this tutorial):
How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 20.04
Hi,
I have an Ubuntu Server 20.04 for Minecraft (no GUI). I connect to it via PowerShell and my Linux laptop with the server’s private IP. I would like a little extra security by spoofing or hiding the IP address of my server. I am a bit nervous to test this out as I am brand new to Linux.
A VPN service recommended this tutorial for what I am trying to accomplish.
I get stumped on step 3, particularly the “Note” (--dn "CN=IP address" --san @IP_address --san IP_address).
First, I run this:
pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
Then, I run this but change one line:
pki --pub --in ~/pki/private/server-key.pem --type rsa \
| pki --issue --lifetime 1825 \
--cacert ~/pki/cacerts/ca-cert.pem \
--cakey ~/pki/private/ca-key.pem \
--dn "CN=server_domain_or_IP" --san server_domain_or_IP \
--flag serverAuth --flag ikeIntermediate --outform pem \
> ~/pki/certs/server-cert.pem
The line I will replace is “--dn[…]”. Since I am using an IP instead of DNS, I would need to place my device’s private IP here - “CN=IP address” - but I am not sure what the other two san ones are for? Are they random IPs or is it just my device’s IP two more times?
My other questions:
Thanks and regards, Josh
Hi Josh,
I believe that you’re on the right track! When using an IP address instead of a domain name for your VPN server, you need to include your server’s IP address in all three places: the Common Name (CN) and both Subject Alternative Name (SAN) entries.
Here’s how you should modify the command:
pki --pub --in ~/pki/private/server-key.pem --type rsa \
| pki --issue --lifetime 1825 \
--cacert ~/pki/cacerts/ca-cert.pem \
--cakey ~/pki/private/ca-key.pem \
--dn "CN=YOUR_SERVER_IP" --san @YOUR_SERVER_IP --san YOUR_SERVER_IP \
--flag serverAuth --flag ikeIntermediate --outform pem \
> ~/pki/certs/server-cert.pem
Replace YOUR_SERVER_IP with the actual IP address of your VPN server.
Explanation:
--dn "CN=YOUR_SERVER_IP": Sets the Common Name in the certificate to your server’s IP address.
--san @YOUR_SERVER_IP: Adds your server’s IP as an IP type SAN. The @ symbol indicates that it’s an IP address.
--san YOUR_SERVER_IP: Adds your server’s IP as a DNS type SAN. Some clients require the IP address to be listed as a DNS SAN as well.
Including both SAN entries ensures compatibility with various clients that might handle certificate verification differently.
Regarding your other questions:
Will I be able to use this VPN and find my server on Minecraft Java?
Yes, once connected to the VPN, your devices will be on the same virtual network, allowing you to connect to your Minecraft server using its private IP address.
Will it slow down the connection?
There might be a slight overhead due to encryption, but IKEv2 is efficient and generally offers high performance, so any impact on your connection speed should be minimal.
I set the UFW rate limit rule to open the 25565/TCP port. Will I be able to connect to my server from one of my approved (publickey) devices?
Yes, as long as the firewall is correctly configured to allow traffic on port 25565/TCP and your devices are connected to the VPN, you should be able to connect without issues.
- Bobby
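To confirm which SAN types ended up in the issued certificate, the following check reads the certificate's subjectAltName extension and reports whether the server IP appears as an IP-type entry and as a DNS-type entry. It is an added example, not part of the tutorial or of the answer above; it assumes OpenSSL 1.1.1 or later is installed, and the helper names `san_types` and `check_server_cert` and the address 203.0.113.10 are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial or the answer above).
# san_types and check_server_cert are hypothetical helper names.

# Read the text printed by `openssl x509 -noout -ext subjectAltName` on stdin
# and report whether the address in $1 is present as an IP-type SAN and as a
# DNS-type SAN. The comparison is a literal string match, so it is meant for
# IPv4 addresses (openssl prints IPv6 addresses in its own expanded form).
san_types() (
    ip="$1"; has_ip=no; has_dns=no
    # openssl prints the entries comma-separated on one indented line;
    # split them into one entry per line and strip leading blanks.
    entries=$(tr ',' '\n' | sed 's/^[[:space:]]*//')
    while IFS= read -r entry; do
        case "$entry" in
            "IP Address:$ip") has_ip=yes ;;
            "DNS:$ip")        has_dns=yes ;;
        esac
    done <<EOF
$entries
EOF
    echo "ip_san=$has_ip dns_san=$has_dns"
    # Succeed only when both SAN types carry the address.
    [ "$has_ip" = yes ] && [ "$has_dns" = yes ]
)

# Run the check against a certificate file: $1 = path, $2 = server IP.
check_server_cert() {
    openssl x509 -in "$1" -noout -ext subjectAltName | san_types "$2"
}

# Usage, with a constructed documentation address:
#   check_server_cert ~/pki/certs/server-cert.pem 203.0.113.10
```

A non-zero exit status means at least one of the two SAN types is missing for that address, and the printed line shows which one.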