hwdsl2
6e596825e2
Improve VPN ciphers
...
- Improve security by removing support for modp1536 (DH group 5),
which is less secure and rarely used by VPN clients. To do this,
we specify modp2048 on the "ike=" line in ipsec.conf.
2022-09-30 01:11:18 -05:00
hwdsl2
025387df91
Improve VPN ciphers
...
- Improve security by removing support for modp1024 (DH group 2),
which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
Android users should instead connect using IKEv2 mode (recommended).
2022-09-29 22:52:40 -05:00
hwdsl2
cc99e18123
Cleanup
2022-09-24 18:56:27 -05:00
hwdsl2
32faed40d5
Improve IP check
...
- Instead of finding the server's public IP, use the IP address
on the default route if it is not a private IP. This makes VPN
setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
2022-09-24 00:58:16 -05:00
hwdsl2
c5df950ea2
Improve VPN setup
...
- Continue VPN setup (instead of exiting) if fail2ban fails to install.
2022-09-09 23:53:13 -05:00
hwdsl2
db54638f5e
Check kernel version
...
- Only enable TCP BBR congestion control if the server's Linux kernel
version is 4.20 or newer.
- BBR requires the "fq" qdisc for older kernels < 4.20. That setting
may not take effect on existing network interfaces without a reboot.
- References:
https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md
0bb9d90
2022-09-08 00:29:18 -05:00
hwdsl2
6a525c6c10
Optimize TCP buffers
...
- Improve VPN performance by tuning TCP buffer sizes.
2022-09-07 23:29:10 -05:00
hwdsl2
0bb9d90668
Enable TCP BBR
...
- Improve VPN performance by enabling the TCP BBR congestion control
algorithm on supported systems (e.g. Ubuntu 18.04+, Debian 10+,
CentOS 8+) during VPN setup.
References:
https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/bbr.md
2022-09-07 02:32:12 -05:00
hwdsl2
d2e9b5ff91
Cleanup
2022-08-27 21:51:19 -05:00
hwdsl2
56078b0a1e
Add an option to skip IKEv2 setup
...
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
interactively using "sudo ikev2.sh" after VPN setup.
2022-08-27 15:59:43 -05:00
hwdsl2
4995ec03f5
Improve OS support
...
- Make the VPN setup scripts work on Kali Linux (based on Debian).
- Update IKEv2 helper script to check for OpenSSL 3 first when
exporting the .p12 file.
2022-08-10 23:25:58 -05:00
hwdsl2
d36c435c95
Improve IPsec config
...
- IKEv2 mode uses retransmit-timeout instead of dpdtimeout.
- Increase timeouts from 120s to 300s, so that the VPN server can
keep the VPN connection open if the client's network is unstable.
2022-06-15 00:28:21 -05:00
hwdsl2
0e24f8b086
Cleanup
2022-06-09 13:44:16 -05:00
hwdsl2
593f726c80
Cleanup
2022-06-07 22:48:40 -05:00
hwdsl2
41d37e808e
Cleanup
2022-06-07 00:37:31 -05:00
hwdsl2
7b9813d562
Cleanup
2022-05-27 01:12:37 -05:00
hwdsl2
5f1f444a8f
New Libreswan version
...
- Use new Libreswan version 4.7.
Ref: https://lists.libreswan.org/pipermail/swan-announce/2022/000047.html
2022-05-25 23:57:30 -05:00
hwdsl2
ffb22c4858
Cleanup
2022-05-23 22:08:30 -05:00
hwdsl2
c2a01e966c
Cleanup
2022-05-22 00:36:47 -05:00
hwdsl2
a0f2345c3b
Improve subnet check
...
- Improve check for custom VPN subnets.
Ref: 95d9fc4
2022-05-16 21:43:56 -05:00
hwdsl2
857c6b9bea
Add LXC check
2022-05-10 09:02:46 -05:00
hwdsl2
95d9fc4e03
Add subnet check
...
- Add a check for custom VPN subnets. Those can only be specified
during initial VPN install.
Ref: 1834b79
2022-05-10 08:47:59 -05:00
hwdsl2
eed8e236a3
Cleanup
2022-05-08 02:43:47 -05:00
hwdsl2
0425be8c4a
Remove xl2tpd workaround
...
- The fixed xl2tpd package is now in the Ubuntu repos. This workaround
is no longer necessary.
Ref: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832
2022-05-08 02:26:17 -05:00
hwdsl2
3937eddebc
Fix xl2tpd on Ubuntu 22.04
...
- Fix xl2tpd on Ubuntu 22.04 by installing a newer version.
Before this fix, IPsec/L2TP mode may not work on Ubuntu 22.04
with errors like "Can not find tunnel".
Ref: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832
2022-05-03 22:27:15 -05:00
hwdsl2
c66ca577f3
Update links
...
- Update links due to git.io deprecation.
Ref: https://github.blog/changelog/2022-04-25-git-io-deprecation/
2022-04-29 22:32:22 -05:00
hwdsl2
b2626dc921
Cleanup
2022-04-27 00:05:45 -05:00
hwdsl2
24ce5bedd8
Cleanup
2022-04-23 00:30:26 -05:00
hwdsl2
9458735d2c
Improve Libreswan check
2022-04-23 00:07:46 -05:00
hwdsl2
a1ab13d9a9
Improve VPN setup
...
- Add fallback URLs for improved reliability
2022-04-11 22:36:43 -05:00
hwdsl2
742e43ffcd
Cleanup
2022-03-18 21:52:20 -05:00
hwdsl2
d182d9651a
Improve VPN setup
...
- Download the add/delete VPN user helper scripts during setup,
so users can use them directly without manual download.
2022-03-13 15:03:28 -05:00
hwdsl2
46a83e4f9f
Cleanup
2022-03-08 21:17:16 -06:00
hwdsl2
e5703d8aaa
Cleanup
2022-03-07 21:29:13 -06:00
hwdsl2
40859c5f7f
Improve VPN setup
...
- Display a message if IKEv2 is already set up on the VPN server.
2022-03-06 22:41:29 -06:00
hwdsl2
b6c54c316f
Improve VPN setup
...
- Skip Libreswan install if it has already been installed recently.
2022-03-06 22:36:20 -06:00
hwdsl2
6f4080bab4
Improve VPN setup
...
- Refactor VPN scripts to move IKEv2 setup inside vpnsetup_*.sh
2022-03-03 22:05:09 -06:00
hwdsl2
79a344ec46
Cleanup
2022-02-24 09:18:39 -06:00
hwdsl2
a4e452e9df
Cleanup
2022-02-23 00:08:45 -06:00
hwdsl2
06c5e27080
Fix for GCP MTU size
...
- This fix is specifically for Google Cloud Platform (GCP) VMs.
The default MTU size on GCP, 1460 bytes, could cause network issues
such as "cannot open websites" with IKEv2 VPN clients.
This issue was brought up multiple times in this repo, e.g. #1000 .
- The fix changes the MTU to 1500 (the default that is widely used),
and updates dhclient.conf so that it is not reverted to 1460 by DHCP.
- Refs: https://cloud.google.com/vpc/docs/vpc#mtu
https://cloud.google.com/compute/docs/instances/detect-compute-engine
https://linuxhint.com/how-to-change-mtu-size-in-linux/
https://git.io/ikev2#cannot-open-websites-after-connecting-to-ikev2
2022-02-23 00:07:33 -06:00
hwdsl2
86d4f2f93c
Improve VPN setup
...
- Retry certain 'apt-get' and 'yum' commands on failure
2022-02-08 23:24:46 -06:00
hwdsl2
2bb938416c
Cleanup
2022-01-29 12:35:51 -06:00
hwdsl2
c04d056be6
Cleanup
2022-01-29 01:28:56 -06:00
hwdsl2
5b1377dcf3
Cleanup
2022-01-22 21:34:53 -06:00
hwdsl2
9022caf9f4
Improve VPN setup
...
- Retrieve latest supported Libreswan version before install
- Cleanup
2022-01-22 21:31:55 -06:00
hwdsl2
2ffad259af
New Libreswan version
...
- Use new Libreswan version 4.6.
- Libreswan 4.6 contains a fix for CVE-2022-23094. See the following
links for more information.
https://lists.libreswan.org/pipermail/swan-announce/2022/000046.html
https://libreswan.org/security/
2022-01-11 22:20:57 -06:00
hwdsl2
c25baaf9a9
Cleanup
2022-01-04 23:01:14 -06:00
hwdsl2
c78b398057
Update year
2022-01-02 00:09:03 -06:00
hwdsl2
a47ced7899
Cleanup
2021-09-19 21:51:14 -05:00
hwdsl2
4a8e24a61c
Cleanup
2021-09-18 14:58:06 -05:00