- Use %defaultroute and iptables MASQUERADE, no need to detect private IP
- Use %any for the first field of ipsec.secrets, instead of public IP
- As a result, the VPN server should now better adapt to IP changes.
- Improve IKEv2 docs. The strongSwan Android VPN client requires
an "IP address" in the VPN server certificate's subjectAltName field
in addition to "DNS name", when connecting using the server's IP.
The certutil commands have been updated to add this field.
- Other improvements to docs
- Windows 8.x and 10 require the IKEv2 machine certificate to have
"Client Auth" EKU in addition to "Server Auth". Otherwise it gives
"Error 13806: IKE failed to find valid machine certificate..."
- The IKEv2 documentation has been updated to fix this issue
- Also, this Libreswan wiki page may need to be updated. @letoams
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
- Ref: #106. Thanks @evil-shrike!
- Libreswan 3.19 removed MODP1024 from the ike= default list,
which breaks compatibility with Android 5.x and others
- This commit explicitly adds MODP1024 back to the ike= list
- Fixes#101. Thanks @keijodputt!
- In xl2tpd version 1.3.8, which was pushed to the EPEL repository
in Dec. 2016, the options "crtscts" and "lock" are no longer
recognized in "/etc/ppp/options.xl2tpd" and generates an error.
- This commit fixes the VPN on CentOS by removing those options.
- Ref: https://github.com/xelerance/xl2tpd/issues/108
- On Raspberry Pis /etc/rc.local can run early during boot
- If the network is not ready, IPsec may fail to start
- A delay has been added as a workaround. Ref: #76
- Add option "noipdefault" to fix Linux clients behind NAT
- Specify VPN username and password in the config file
- Combine the Ubuntu/Debian and CentOS/Fedora sections
- [ci skip]
