- Improve the optional VPN On Demand feature on macOS and iOS.
Connect only on WiFi networks (instead of any network), with
captive portal detection. This is the most common use case.
- Support upgrading to Libreswan 4.9.
- Compilation of Libreswan 4.9 on Ubuntu 18.04 requires newer
versions of NSS packages. They are installed in a similar way
as apply_ubuntu1804_nss_fix in ikev2setup.sh.
Ref: https://github.com/libreswan/libreswan/issues/892
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
the client certificate validity period (in months). Must be an integer
between 1 and 120. Default value is 120. Users can define it as an
environment variable when setting up IKEv2 in auto mode, or when
adding a new IKEv2 client using "--addclient".
- Improve security by removing support for modp1536 (DH group 5),
which is less secure and rarely used by VPN clients. To do this,
we specify modp2048 on the "ike=" line in ipsec.conf.
- Improve security by removing support for modp1024 (DH group 2),
which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
Android users should instead connect using IKEv2 mode (recommended).
- Instead of finding the server's public IP, use the IP address
on the default route if it is not a private IP. This makes VPN
setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
interactively using "sudo ikev2.sh" after VPN setup.
- Make the VPN setup scripts work on Kali Linux (based on Debian).
- Update IKEv2 helper script to check for OpenSSL 3 first when
exporting the .p12 file.
- IKEv2 mode uses retransmit-timeout instead of dpdtimeout.
- Increase timeouts from 120s to 300s, so that the VPN server can
keep the VPN connection open if the client's network is unstable.
- Improve IPTables rules for IPsec VPN setup on systems such as CentOS 8.
Do not add a DROP rule to the IPTables FORWARD chain if firewalld is
active, so that existing firewalld FORWARD rules can continue to work.