hwdsl2
e1e1b67afd
Improve IKEv2 setup
...
- Use /etc/ipsec.d/ikev2.conf for IKEv2 configuration
- Allow running from inside a container, so that it can be used with:
https://github.com/hwdsl2/docker-ipsec-vpn-server
2020-05-30 23:09:32 -05:00
hwdsl2
71d67ae690
CentOS/RHEL fixes
...
- Use nftables only if firewalld is active (CentOS/RHEL 8)
- Fix RHEL 7 server-optional repo names. See:
https://access.redhat.com/articles/4599971
- Fix an issue where the codeready-builder repo cannot be enabled
on EC2 (RHEL 8). Fixes #804 .
2020-05-24 15:07:08 -05:00
hwdsl2
a087be669f
Cleanup
2020-05-24 00:14:05 -05:00
hwdsl2
d457ebd16d
CentOS 8 fixes
...
- Use nftables instead of iptables-services for CentOS 8
- Existing firewalld rules are now preserved during VPN setup,
which will be saved as part of nftables rules
2020-05-24 00:10:35 -05:00
hwdsl2
b293aa3081
New Libreswan version
...
- Upgrade Libreswan to 3.32
2020-05-11 10:59:08 -05:00
hwdsl2
207fb6574d
Update links
...
- Add a link to IKEv2 how-to guide
2020-05-11 01:19:03 -05:00
hwdsl2
dae0c03356
Improve output
...
- Inhibit warning messages from Libreswan compilation
2020-04-29 11:00:25 -05:00
hwdsl2
5983c79904
Fix IKEv2
...
- Apply fix for an IKEv2 regression in Libreswan
- Ref: https://github.com/libreswan/libreswan/commit/90f8a09
https://github.com/libreswan/libreswan/issues/333
https://github.com/libreswan/libreswan/issues/329
2020-04-26 16:27:00 -05:00
hwdsl2
2c660bb914
New Libreswan version
...
- Upgrade Libreswan to 3.31
- "USE_DH2=true" is required for keeping Windows clients compatibility
Ref: https://github.com/libreswan/libreswan/commit/8fcbbc7
- "USE_XFRM_INTERFACE_IFLA_HEADER=true" is required for compilation on
older Linux distributions
Ref: https://github.com/libreswan/libreswan/commit/c21909c
2020-04-11 17:11:12 -05:00
hwdsl2
4360737eaf
Improve OS detection
2020-01-13 00:07:39 -08:00
hwdsl2
99e194e683
Add CentOS 8
...
- Add support for CentOS/RHEL 8
2019-11-01 13:31:23 -07:00
hwdsl2
3353888ee9
Set sha2-truncbug to no
...
- This fixes VPN connection issues on iOS 13
- Android 6.x and 7.x users may require sha2-truncbug=yes. Will note
this in the documentation
- Fixes #638
2019-09-22 20:37:23 -07:00
hwdsl2
609f24257d
New Libreswan version
...
- Upgrade Libreswan to 3.29
2019-06-10 21:05:51 -05:00
hwdsl2
f69a0a9c97
New Libreswan version
...
- Upgrade Libreswan to 3.28
- Patches applied for Debian and CentOS 6. See 1659d03
2019-06-09 00:15:11 -05:00
hwdsl2
da20e723e8
Remove xl2tpd workaround
2019-06-02 22:44:12 -05:00
hwdsl2
dfa607eef8
Improve route detection
...
- Limit Number of default routes returned to 1
- Fixup for commit 323e7cf
(#541 )
2019-03-09 13:13:42 -06:00
hwdsl2
6fb35e25cb
Update year
2019-01-12 11:34:10 -06:00
hwdsl2
997cacdaeb
Cleanup
2019-01-12 01:08:04 -06:00
hwdsl2
ed5cbb865f
Clean up network detection
...
- Clean up default network interface detection and remove VPN_NET_IFACE
2019-01-12 00:44:23 -06:00
hwdsl2
ddaa0ee99c
Improve DNS servers
...
- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
only one or both alternative DNS servers
2018-12-17 00:07:04 -06:00
hwdsl2
ff82c3fb6e
Improve VPN ciphers
...
- Optimize order of VPN ciphers for performance
2018-11-24 10:30:42 -06:00
hwdsl2
f1c8c06af1
Improve VPN ciphers
...
- Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to
improve compatibility with some Linux kernels
- Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument
2018-11-02 01:54:49 -05:00
hwdsl2
5f75a7306a
Improve VPN ciphers
...
- Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with
Android versions 6.x and 7.x.
- Remove aes128-sha2_512 algorithm
- Ref: 732ad1e
2018-10-28 00:33:42 -05:00
hwdsl2
e8723245f0
Improve VPN config
...
- Increase auto-generated IPsec PSK length to 20 characters
- Add a note to README
2018-10-27 15:22:53 -05:00
hwdsl2
732ad1e941
Improve VPN ciphers
...
- Optimize VPN ciphers and their order for improved security and
compatibility with different OS. Remove 3DES algorithm
- Change 'sha2-truncbug' from 'yes' to 'no'
- Update docs
2018-10-27 00:53:19 -05:00
hwdsl2
9db710090d
Improve VPN ciphers
...
- Add AES-GCM cipher for Chromebook compatibility and performance
2018-10-25 01:25:35 -05:00
hwdsl2
804211c101
Cleanup
2018-10-21 00:20:54 -05:00
hwdsl2
a04d2d32e8
New Libreswan version
...
- Upgrade Libreswan to 3.27
- Cleanup
2018-10-09 12:32:28 -05:00
hwdsl2
b803f32b71
New Libreswan version
...
- Upgrade to new Libreswan version 3.26
- Ref: https://github.com/libreswan/libreswan/issues/202
- Cleanup
2018-09-21 23:47:17 -05:00
hwdsl2
95c8a178e7
Improve variables
...
- Move SWAN_VER to the top of the scripts
- Add check for Libreswan version
- Cleanup
2018-09-18 00:57:03 -05:00
hwdsl2
2fe44b172e
Improve Libreswan versions
...
- Add compilation workarounds specific to Libreswan 3.23/3.25 to the VPN
setup scripts, so that users may install those versions by modifying
SWAN_VER before running the scripts
- Cleanup
2018-09-11 00:03:04 -05:00
hwdsl2
8d90a3877c
Add version note
2018-09-10 01:26:31 -05:00
hwdsl2
1227a0ed5d
Improve xl2tpd workaround
...
- Exclude Ubuntu from xl2tpd 1.3.12 workaround (Ref: 3f8e79b
), because
updated xl2tpd packages are now available for Ubuntu 16.04 and 18.04
See: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1760796
- Add Linux kernel 4.16 to the list of kernels to work around
- Cleanup
2018-09-04 23:11:59 -05:00
hwdsl2
b8088d3934
Improve EPEL repo
...
- Improve handling of the EPEL repository. Although uncommon, some systems
can have epel-release installed but disabled in /etc/yum.repos.d/epel.repo
- Fixes #210
2018-07-04 20:07:32 -05:00
hwdsl2
59f817575c
Create rundir
...
- Create /run/pluto which is used as rundir in Libreswan 3.22 and newer
- Fixes #407
2018-06-10 16:08:12 -05:00
hwdsl2
1ff393b91c
Use Libreswan 3.22
...
- Use Libreswan 3.22 instead of 3.23 due to an issue with connecting
multiple IPsec/XAuth VPN clients from behind the same NAT
- Ref: c982502
0cf01c0
2018-06-06 00:40:09 -05:00
hwdsl2
f838fcfe12
Fix IP parsing
...
- Fix parsing private IP on some systems such as Ubuntu 18.04
2018-06-03 23:24:37 -05:00
hwdsl2
3452926759
Use xl2tpd 1.3.12
...
- Install xl2tpd 1.3.12 for CentOS 6 with Linux kernel 4.14/4.15
- This version fixes an xl2tpd issue under the above Linux kernels
- Remove Linux kernel check which is no longer needed
- Ref: 3f8e79b
(fix for Ubuntu/Debian)
2018-05-23 20:40:58 -05:00
hwdsl2
95bcadb2c2
Improve VPN ciphers
...
- Add back aes256-sha2_512 to phase2alg, required on some Android systems
- Fixes #391
2018-05-23 19:54:37 -05:00
hwdsl2
8e15eb683c
Cleanup
2018-05-23 01:39:53 -05:00
hwdsl2
e3fe8b05bf
Improve workaround
...
- Specify "left=" in ipsec.conf for servers with 'src' in default route
- Ref: https://github.com/libreswan/libreswan/issues/177
2018-05-21 00:58:24 -05:00
hwdsl2
3b7039ef78
Update Linux kernel check
2018-05-16 22:34:33 -05:00
hwdsl2
f2f6524201
Re-add Android workaround
...
- VPN on Android 6.0, 7.0 and 7.1.1 requires sha2-truncbug=yes to work
- Android 5.1, 8.0 and 8.1 also connect OK with this setting
- Ref: https://libreswan.org/wiki/FAQ#Configuration_Matters
2018-05-08 00:39:52 -05:00
hwdsl2
102ccbc17d
Clean up VPN ciphers
...
- Remove aes256-sha2_512
- Change sha2-truncbug to no for newer Android versions
- Fixes #303
2018-05-05 18:51:24 -05:00
hwdsl2
0c6cb4b8a9
Update year
2018-05-05 18:49:38 -05:00
hwdsl2
240a0187f6
Update Linux kernel check
2018-05-04 03:16:58 -05:00
hwdsl2
3c9c3d25a7
Add check for Linux kernel 4.15
2018-05-03 00:52:14 -05:00
hwdsl2
632165685a
Add iptables dependency
...
- Closes #363
- Thanks @rocboronat!
2018-05-02 02:58:45 -05:00
hwdsl2
fa5abe7825
Remove unneeded check on CentOS
2018-02-03 16:10:09 -06:00
hwdsl2
0cf01c0eb8
Update ipsec.conf
...
- Switch to new keyword 'modecfgdns' in Libreswan 3.23
2018-01-29 02:11:16 -06:00
hwdsl2
c982502ad4
Upgrade Libreswan to 3.23
...
- Remove 'docker-targets.mk' from Makefile to avoid git errors
during compilation
2018-01-29 01:22:24 -06:00
hwdsl2
cc64a29c01
Re-add RPi workaround
...
- Libreswan 3.22 may fail to compile on Raspberry Pi w/ Raspbian 9
- Use version 3.21 instead of 3.22 for Raspbian systems
- Ref: d472c65
2017-12-06 04:55:22 -06:00
hwdsl2
3f39255f84
Bug fix for RHEL 6/7
...
- Fix compatibility with Red Hat Enterprise Linux (RHEL) 6 and 7
- Ref: #273
2017-11-20 00:33:36 -06:00
hwdsl2
2dfa587a71
Fix Libreswan 3.22 bug
...
- This bug causes Libreswan 3.22 fail to start on a Raspberry Pi
- Apply fix from Libreswan GitHub repo: libreswan/libreswan@e154ae7
- Ref: https://lists.libreswan.org/pipermail/swan/2017/002338.html
2017-11-12 23:51:53 -06:00
hwdsl2
7190577c99
Minor clean up
2017-11-01 22:15:56 -05:00
hwdsl2
70c6d6b540
Various clean up
2017-11-01 01:01:49 -05:00
hwdsl2
16e437f58e
Minor clean up
...
- Wrap the scripts in a big function which is only called at the very end,
to protect against the possibility of connection interruptions
- Clean up some variables names
2017-10-29 19:53:35 -05:00
hwdsl2
05c2cb911b
Improve sysctl settings
...
- Fix kernel.shmmax and kernel.shmall on 32-bit Linux. Thanks @komanshidaruma!
- Clean up other sysctl settings
2017-10-28 15:40:24 -05:00
hwdsl2
ef90b6ff19
Upgrade Libreswan to 3.22
2017-10-26 01:48:15 -05:00
hwdsl2
47e1c92051
Clean up ipsec.conf
...
- Remove unneeded option nhelpers=0
2017-10-26 01:48:15 -05:00
hwdsl2
9cd6cb50b7
Clean up packages
...
- Remove libunbound-dev / unbound-devel (these packages are not needed
because we are not enabling DNSSEC)
Ref: https://github.com/libreswan/libreswan/issues/117
2017-10-02 20:33:24 -05:00
hwdsl2
23c4a287d3
Use parallel make
...
- Speed up Libreswan compilation using parallel make ("-j" option)
2017-09-28 01:11:03 -05:00
hwdsl2
f46e18cffc
Skip building manpages
...
- Skip building manpages for Libreswan
- No longer need/install "xmlto" package
- Reduce Libreswan compilation time by ~30%
2017-09-28 00:15:08 -05:00
hwdsl2
536ac8f54b
Update ipsec.conf
...
- Replace obsolete keyword "virtual_private" with "virtual-private"
2017-09-27 21:41:24 -05:00
hwdsl2
82da3121b1
Enable MS-CHAP v2
...
- Allow MS-CHAP v2 for better compatibility with the built-in Windows 10
VPN client. Thanks @remini1998!
2017-09-25 00:28:10 -05:00
hwdsl2
caf9293b8a
New Libreswan version 3.21
2017-08-20 10:52:28 -05:00
hwdsl2
8ac1573106
Minor clean up
2017-06-21 11:59:07 -05:00
hwdsl2
cf595eaee7
Improve services on boot
...
- Systemd may run rc.local early during system boot
- Insert delay so that services can start correctly
2017-06-21 00:02:03 -05:00
hwdsl2
5e3689198f
Improve network interfaces
...
- Better detection of default network interface when the 'route'
command is not available
2017-06-20 23:59:13 -05:00
hwdsl2
47a9015135
Improve VPN ciphers
...
- Add 3des-sha2 to allowed VPN ciphers, and clean up
2017-06-02 14:24:55 -05:00
DL6ER
748d89bb4b
Add 3des-sha2 to both ike= and phase2alg= lines. Fixes #154
2017-06-02 18:20:23 +02:00
hwdsl2
8fb4bf7897
Minor clean up
2017-05-22 11:46:28 -05:00
hwdsl2
d711e2aee6
Improve network interfaces
...
- Try to auto detect server's default network interface
- Display a warning if the default interface is wlan*
2017-05-17 17:24:19 -05:00
hwdsl2
cf75c2bb86
Improve network interfaces
...
- Use eth0 instead of eth+ throughout for consistency
- Improve error messages when eth0 is unavailable
2017-04-30 17:16:33 -05:00
hwdsl2
cebf9f4361
Minor clean up
2017-04-12 10:38:57 -05:00
hwdsl2
f58afbc84b
Update VPN ciphers
...
- Add aes256-sha2_512 to the list of allowed ciphers
- Required for Android 7.1.x and (possibly) Chromebook
2017-04-12 10:17:08 -05:00
hwdsl2
67474fddc9
Improve VPN variables
...
- Check VPN credentials for non-ASCII characters
- Ref: #130
2017-04-07 13:55:46 -05:00
hwdsl2
222acbf5ae
New Libreswan version
...
- New Libreswan version 3.20
- Use GitHub as primary download source
2017-03-23 13:55:51 -05:00
hwdsl2
6f1dc6db1c
Remove fail2ban workaround
...
- The fail2ban bug on CentOS 7 has been fixed. Remove workaround.
- Ref: 320e17a
, https://bugzilla.redhat.com/show_bug.cgi?id=1422500
2017-03-06 11:03:33 -06:00
hwdsl2
347f3fdbfe
Improve IPTables rules
...
- Improve blocking of unencrypted L2TP without IPsec
- Closes #116 . Thanks @ryt51V!
2017-02-18 08:53:00 -06:00
hwdsl2
43d11fe35a
Fix xl2tpd on CentOS 7 for Linode
...
- Fix xl2tpd on CentOS 7 for providers such as Linode,
where kernel module "l2tp_ppp" is unavailable
- Closes : #114
2017-02-16 12:39:21 -06:00
hwdsl2
320e17a61d
Workaround for fail2ban bug
...
- Temporary workaround for fail2ban bug on CentOS 7
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1422500
2017-02-16 12:14:13 -06:00
hwdsl2
08e08c6924
Improve customization
...
- Use variables for easier customization of VPN subnets and DNS
- Other minor improvements
2017-02-11 21:36:37 -06:00
hwdsl2
03007079e6
Improve VPN IPs
...
- Use %defaultroute and iptables MASQUERADE, no need to detect private IP
- Use %any for the first field of ipsec.secrets, instead of public IP
- As a result, the VPN server should now better adapt to IP changes.
2017-02-10 18:00:29 -06:00
hwdsl2
63697214b4
Improve VPN ciphers
...
- Consolidate VPN ciphers for "ike=" and "phase2alg=" in ipsec.conf.
2017-01-18 23:01:09 -06:00
hwdsl2
e40dd6219b
Bugfix
...
- Libreswan 3.19 removed MODP1024 from the ike= default list,
which breaks compatibility with Android 5.x and others
- This commit explicitly adds MODP1024 back to the ike= list
- Fixes #101 . Thanks @keijodputt!
2017-01-18 20:10:43 -06:00
hwdsl2
2727f1a1a0
Update year
2017-01-16 22:13:13 -06:00
hwdsl2
85ac19fc70
Minor fix
...
- Use the "fixed strings" option in "grep" commands for "swan_ver",
so that the "." in this variable is treated literally.
2017-01-16 17:31:38 -06:00
hwdsl2
2dbdee1287
Upgrade to Libreswan 3.19
...
- Upgrade to new Libreswan version 3.19
- Some changes are required in the VPN config files
- Ref:
https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html
2017-01-16 12:30:37 -06:00
hwdsl2
ad8295721d
Minor clean up
2017-01-09 10:39:26 -06:00
hwdsl2
ba0fbb3860
Improve script outputs
2017-01-09 02:50:03 -06:00
hwdsl2
9500da3231
Bugfix
...
- Fix commit ca84aa7
to avoid a possible race condition
when starting ipsec and xl2tpd services on boot
2017-01-06 00:51:59 -06:00
hwdsl2
ca84aa7a13
Improve services on boot
2017-01-04 02:21:09 -06:00
hwdsl2
89d75f7243
Bugfix for Android 6 and 7
...
- Add "sha2-truncbug=yes" to /etc/ipsec.conf to fix VPN connections
on Android 6 (Marshmallow) and 7 (Nougat)
- Ref: https://libreswan.org/wiki/FAQ#Configuration_Matters
2017-01-03 22:40:48 -06:00
hwdsl2
3dbf3a9c09
Remove xl2tpd workaround
...
- Updated xl2tpd package is now available in EPEL
- This workaround is no longer needed
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360
- Ref: 8cc1362
2016-12-31 16:36:04 -06:00
hwdsl2
261e472e3e
Bugfix
...
- In xl2tpd version 1.3.8, which was pushed to the EPEL repository
in Dec. 2016, the options "crtscts" and "lock" are no longer
recognized in "/etc/ppp/options.xl2tpd" and generates an error.
- This commit fixes the VPN on CentOS by removing those options.
- Ref: https://github.com/xelerance/xl2tpd/issues/108
2016-12-30 00:56:38 -06:00
hwdsl2
b59389a03f
Use L2TP kernel support
...
- Use L2TP kernel support on CentOS 6
- This could improve L2TP performance
2016-12-29 00:53:30 -06:00
hwdsl2
8cc1362d17
Workaround for xl2tpd bug
...
- Temporary workaround for an xl2tpd bug which affects CentOS 7
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360
2016-12-28 13:23:27 -06:00
hwdsl2
6479212c45
Improve workaround
...
- Improve workaround for non-eth0 network interfaces
- Fixed an issue where it cannot be used with sudo
2016-11-28 13:11:57 -06:00
hwdsl2
61bd1254ed
Minor clean up
2016-11-10 13:02:04 -06:00