Building the strongSwan VPN Client for Android

This describes how to build the strongSwan VPN Client for Android.

Architecture Overview

The App consists of a Java part, the native strongSwan libraries (libstrongswan, libcharon, etc.) and the libandroidbridge library to glue these two parts together. The Java part and the libraries communicate by means of the Java Native Interface (JNI). Since the App has no access to the IPsec stack provided by the Linux kernel, a userland IPsec implementation is provided by the libipsec library.

The code for the App can be found in the src/frontends/android directory of the strongSwan repository.


To build the app the Android SDK and NDK are required. The steps needed to set up a build environment for Android Apps can be found in the documentation provided by Google, so these won’t be replicated here.

The strongSwan Sources

Since commit 1bd213db79 of the strongSwan repository and version 1.6.0 of the app, the default is to use the strongSwan sources of the current Git tree.

They have to be prepared properly first, otherwise the build will fail. In the root of the strongSwan sources run the following to create the required files. Building from the Git repository like this has some external dependencies, see HACKING for details.

./ && ./configure && make dist

This creates several pre-built source files, the tarball that is also created can be deleted afterwards.

It is also possible to use the sources from a different directory (e.g. an extracted tarball, which already contains the required files) by setting strongswan_DIR in

The openssl Directory

The libstrongswan library depends on an Android module called libcrypto_static that provides OpenSSL’s libcrypto and header files.

To simplify this, we ship a script since commit 7e5c4bbb32 that statically builds libcrypto for all ABIs supported by the NDK and puts them, the headers and an appropriate file in the src/frontends/android/app/src/main/jni/openssl directory (if this directory already exists, e.g. if it contains the BoringSSL sources we used previously, make sure to delete it first).

The script expects the path to the Android NDK in the ANDROID_NDK_ROOT environment variable. For standalone NDKs that will be something like /path/to/android-ndk-<ver>, and for side-by-side NDKs something like /path/to/android-sdk/ndk/<ver>. The path to the OpenSSL source tree is expected in the OPENSSL_SRC environment variable (works with OpenSSL 1.1.1 and OpenSSL 3). For instance, it may be invoked like this:

ANDROID_NDK_ROOT=~/android-ndk-<ver> \
OPENSSL_SRC=~/openssl-<ver> \

By default, the script uses Docker to compile the library. However, if the necessary build dependencies (jq, make, perl) are installed on the host, this can be disabled by defining the NO_DOCKER environment variable. The dependency on jq may furthermore be avoided by manually defining a space-separated list of target ABIs via ABIS environment variable.

Building the App

The src/frontends/android directory can directly be opened as an existing project in Android Studio. The initial build will fail if the NDK directory is not known. In that case set it via File → Project Structure…​ or manually in (ndk.dir=/path/to/ndk). Afterwards the build should complete successfully.

Building via ./gradlew build is also possible.