hwdsl2
742e43ffcd
Cleanup
2022-03-18 21:52:20 -05:00
hwdsl2
d182d9651a
Improve VPN setup
...
- Download the add/delete VPN user helper scripts during setup,
so users can use them directly without manual download.
2022-03-13 15:03:28 -05:00
hwdsl2
beb756f1f2
Remove CentOS 8
...
- Remove support for CentOS Linux 8, which is EOL.
Ref: https://www.centos.org/centos-linux-eol/
2022-03-08 21:39:19 -06:00
hwdsl2
46a83e4f9f
Cleanup
2022-03-08 21:17:16 -06:00
hwdsl2
e5703d8aaa
Cleanup
2022-03-07 21:29:13 -06:00
hwdsl2
40859c5f7f
Improve VPN setup
...
- Display a message if IKEv2 is already set up on the VPN server.
2022-03-06 22:41:29 -06:00
hwdsl2
b6c54c316f
Improve VPN setup
...
- Skip Libreswan install if it has already been installed recently.
2022-03-06 22:36:20 -06:00
hwdsl2
6f4080bab4
Improve VPN setup
...
- Refactor VPN scripts to move IKEv2 setup inside vpnsetup_*.sh
2022-03-03 22:05:09 -06:00
hwdsl2
79a344ec46
Cleanup
2022-02-24 09:18:39 -06:00
hwdsl2
a4e452e9df
Cleanup
2022-02-23 00:08:45 -06:00
hwdsl2
06c5e27080
Fix for GCP MTU size
...
- This fix is specifically for Google Cloud Platform (GCP) VMs.
The default MTU size on GCP, 1460 bytes, could cause network issues
such as "cannot open websites" with IKEv2 VPN clients.
This issue was brought up multiple times in this repo, e.g. #1000 .
- The fix changes the MTU to 1500 (the default that is widely used),
and updates dhclient.conf so that it is not reverted to 1460 by DHCP.
- Refs: https://cloud.google.com/vpc/docs/vpc#mtu
https://cloud.google.com/compute/docs/instances/detect-compute-engine
https://linuxhint.com/how-to-change-mtu-size-in-linux/
https://git.io/ikev2#cannot-open-websites-after-connecting-to-ikev2
2022-02-23 00:07:33 -06:00
hwdsl2
86d4f2f93c
Improve VPN setup
...
- Retry certain 'apt-get' and 'yum' commands on failure
2022-02-08 23:24:46 -06:00
hwdsl2
2bb938416c
Cleanup
2022-01-29 12:35:51 -06:00
hwdsl2
c04d056be6
Cleanup
2022-01-29 01:28:56 -06:00
hwdsl2
5b1377dcf3
Cleanup
2022-01-22 21:34:53 -06:00
hwdsl2
9022caf9f4
Improve VPN setup
...
- Retrieve latest supported Libreswan version before install
- Cleanup
2022-01-22 21:31:55 -06:00
hwdsl2
2ffad259af
New Libreswan version
...
- Use new Libreswan version 4.6.
- Libreswan 4.6 contains a fix for CVE-2022-23094. See the following
links for more information.
https://lists.libreswan.org/pipermail/swan-announce/2022/000046.html
https://libreswan.org/security/
2022-01-11 22:20:57 -06:00
hwdsl2
c25baaf9a9
Cleanup
2022-01-04 23:01:14 -06:00
hwdsl2
c78b398057
Update year
2022-01-02 00:09:03 -06:00
hwdsl2
a47ced7899
Cleanup
2021-09-19 21:51:14 -05:00
hwdsl2
e2a9c4a0c3
Cleanup
2021-09-11 10:07:33 -05:00
hwdsl2
263ffe97cc
Cleanup
2021-09-07 09:02:22 -05:00
hwdsl2
df6c02bf95
Improve Libreswan install
...
- Skip downloading and installing Libreswan if the same version
is already installed.
2021-08-29 15:12:17 -05:00
hwdsl2
da7697a5b0
Cleanup
...
- Update scripts to use bash instead of sh
- Update docs
2021-08-27 23:35:31 -05:00
hwdsl2
c2236b6e34
New Libreswan version
...
- Use new Libreswan version 4.5
2021-08-22 11:50:14 -05:00
hwdsl2
9336c1c2c2
Improve VPN setup
...
- Refactor VPN setup scripts into functions
- Cleanup
2021-08-19 02:01:34 -05:00
hwdsl2
8e570129b2
Cleanup
2021-08-14 00:26:27 -05:00
hwdsl2
779a86f933
Cleanup
2021-08-13 02:11:31 -05:00
hwdsl2
2e17ef68ce
Update OS detection
2021-07-27 00:59:15 -05:00
hwdsl2
a0409b4399
Cleanup
...
- In rare cases, if a parent process traps SIGPIPE, the 'tr'
command in the VPN setup scripts could output an error
'tr: write error: Broken pipe'. This is a cosmetic error
that does NOT affect the functionality of the scripts. This
commit hides the error in such cases.
2021-07-21 23:12:06 -05:00
hwdsl2
61025818bb
Optimize binary size
...
- Use the gcc "-s" option when compiling Libreswan. This reduces
binary size by ~80%.
2021-07-10 01:57:11 -05:00
hwdsl2
02b6d05c82
Update IPTables rules
...
- Allow traffic from IKEv2 and IPsec/XAuth ("Cisco IPsec") clients to
IPsec/L2TP clients. Ref: #983
- Cleanup
- Update docs
2021-06-20 15:02:33 -05:00
hwdsl2
de2d49d3a6
Improve IKEv2 setup
...
- Add a link to /usr/bin for the IKEv2 helper script
2021-05-24 01:14:32 -05:00
hwdsl2
293e5d999a
Improve IP detection
2021-05-11 09:59:18 -05:00
hwdsl2
c55bdd7d13
Update permissions
...
- Set executable bit for ikev2.sh
2021-04-26 22:55:32 -05:00
hwdsl2
ac0bde54bb
New Libreswan version
...
- Use new Libreswan version 4.4
- Support updating to Libreswan 4.4
- Other small improvements and cleanup
2021-04-24 16:15:05 -05:00
hwdsl2
d90c6121b6
Improve OS detection
2021-04-20 00:09:00 -05:00
hwdsl2
28b02f28db
Fix for CentOS 8
...
- Minor fix for IPTables FORWARD rules on CentOS 8
- Cleanup
2021-04-19 00:38:50 -05:00
hwdsl2
804856064b
Minor fix and cleanup
...
- Minor fix for CentOS 8 for the uncommon scenario where the server has
"nftables" service enabled
- Cleanup
2021-04-01 23:06:36 -05:00
hwdsl2
cec1dde5e4
Improve setup
...
- To make it easier for users to set up IKEv2, the IKEv2 helper script
is now downloaded during VPN setup.
- Cleanup
2021-03-28 23:39:29 -05:00
hwdsl2
f6dd26abba
Improve setup
...
- Install uuid-runtime/util-linux, which is required for IKEv2 setup.
2021-03-13 14:39:05 -06:00
hwdsl2
1972501725
New Libreswan version
...
- Use new Libreswan version 4.3
- Support updating to Libreswan 4.3
- Other small improvements
- Update tests
2021-02-21 23:54:37 -06:00
hwdsl2
5779b2e6c8
Improve output
...
- Improve output for the VPN setup and upgrade scripts. The outputs
of the scripts are now significantly reduced and only include the
most useful information for users.
- Other minor cleanup
2021-02-05 21:49:35 -06:00
hwdsl2
1808095bb7
New Libreswan version
...
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
2021-02-04 01:47:04 -06:00
hwdsl2
2b6586cf1b
Increase IKE lifetime
...
- Set both "ikelifetime" and "salifetime" to 24 hours, which is
recommended since we have "rekey=no" on the server. VPN clients will
normally initiate rekey with a shorter interval.
Ref: https://github.com/libreswan/libreswan/issues/405#issuecomment-765109809
https://libreswan.org/man/ipsec.conf.5.html
2021-01-21 23:24:41 -06:00
hwdsl2
3b90d2d394
Cleanup
2021-01-07 12:02:44 -06:00
hwdsl2
a5a1f4adb1
Cleanup
2021-01-03 14:05:13 -06:00
hwdsl2
dabf765978
Update year
2021-01-03 00:35:24 -06:00
hwdsl2
de7a529c6c
Cleanup
...
- Remove Debian 8 from VPN upgrade script, which is EOL on 06/30/2020
- Include OS arch when checking Libreswan version
- Other minor improvements
2021-01-02 14:25:50 -06:00
hwdsl2
b3ad82fd48
Cleanup
2020-12-31 23:09:58 -06:00
hwdsl2
cac5191155
Add version check
...
- Check for latest supported Libreswan version, and remind users who use
a non-latest version of the VPN scripts that they can upgrade
- Other minor improvements
2020-12-31 18:24:41 -06:00
hwdsl2
74b2c4885e
Improve l2tp_ppp fix
...
- Improve fix for l2tp_ppp: Instead of commenting out ExecStartPre,
ignore the return code with the '-' prefix
2020-12-24 14:25:38 -06:00
hwdsl2
dbb5d0576d
Minor cleanup
2020-12-24 01:51:25 -06:00
hwdsl2
c1fb45f942
Fix for CentOS 8
...
- The repository ID "powertools" is now lower case in the latest
CentOS release. Update to work in both cases.
2020-12-07 11:37:48 -06:00
hwdsl2
00f9d2ba86
Clean up build flags
...
- Clean up build flags for Libreswan. In Libreswan 4.1, these flags are
now set automatically based on Ubuntu/Debian versions, and no longer
needed for CentOS/RHEL 7 and 8.
- Ref: https://github.com/libreswan/libreswan/blob/main/mk/defaults/linux.mk
https://github.com/libreswan/libreswan/commit/c01ffcc1
2020-12-04 23:36:53 -06:00
hwdsl2
41142ee915
Remove CentOS 6
...
- CentOS 6 was EOL as of Nov. 30, 2020, and the default yum repos are
no longer available for installing new packages
Ref: https://wiki.centos.org/About/Product
2020-12-02 23:40:54 -06:00
hwdsl2
7674810559
Clean up sysctl settings
2020-11-28 11:54:49 -06:00
hwdsl2
5a13026701
Apply Libreswan fix
...
- Fix detection for sysvinit initsystem:
cfe4dabab4
2020-11-11 23:05:29 -06:00
hwdsl2
afb8a7acce
New Libreswan version
...
- Upgrade Libreswan from 3.32 to 4.1
2020-11-11 00:27:44 -06:00
hwdsl2
4fa17ce958
Fix for EPEL repo
...
- Remove workaround for EPEL repo issues (bff3fe5
)
- "yum makecache" may have higher disk space requirements that could
cause issues on systems with low free disk space
2020-09-30 22:49:49 -05:00
hwdsl2
f8f97e014a
Cleanup
2020-08-09 14:49:02 -05:00
hwdsl2
6c88c7fd27
Fix for CentOS/RHEL 8
...
- Fix firewalld detection when the setup script is run again
2020-07-11 20:19:11 -05:00
hwdsl2
bff3fe5a4b
Fix for EPEL repo
...
- Add workaround for EPEL repo issues
2020-07-06 23:03:13 -05:00
hwdsl2
8283bdb32f
CentOS/RHEL 8 fix
...
- Fix fail2ban rules for nftables on CentOS/RHEL 8
2020-07-02 17:52:13 -05:00
hwdsl2
3faa8fd86e
Improve DNS check
2020-06-12 11:05:42 -05:00
hwdsl2
b7293e95da
Cleanup
2020-06-05 11:00:23 -05:00
hwdsl2
e1e1b67afd
Improve IKEv2 setup
...
- Use /etc/ipsec.d/ikev2.conf for IKEv2 configuration
- Allow running from inside a container, so that it can be used with:
https://github.com/hwdsl2/docker-ipsec-vpn-server
2020-05-30 23:09:32 -05:00
hwdsl2
71d67ae690
CentOS/RHEL fixes
...
- Use nftables only if firewalld is active (CentOS/RHEL 8)
- Fix RHEL 7 server-optional repo names. See:
https://access.redhat.com/articles/4599971
- Fix an issue where the codeready-builder repo cannot be enabled
on EC2 (RHEL 8). Fixes #804 .
2020-05-24 15:07:08 -05:00
hwdsl2
a087be669f
Cleanup
2020-05-24 00:14:05 -05:00
hwdsl2
d457ebd16d
CentOS 8 fixes
...
- Use nftables instead of iptables-services for CentOS 8
- Existing firewalld rules are now preserved during VPN setup,
which will be saved as part of nftables rules
2020-05-24 00:10:35 -05:00
hwdsl2
b293aa3081
New Libreswan version
...
- Upgrade Libreswan to 3.32
2020-05-11 10:59:08 -05:00
hwdsl2
207fb6574d
Update links
...
- Add a link to IKEv2 how-to guide
2020-05-11 01:19:03 -05:00
hwdsl2
dae0c03356
Improve output
...
- Inhibit warning messages from Libreswan compilation
2020-04-29 11:00:25 -05:00
hwdsl2
5983c79904
Fix IKEv2
...
- Apply fix for an IKEv2 regression in Libreswan
- Ref: https://github.com/libreswan/libreswan/commit/90f8a09
https://github.com/libreswan/libreswan/issues/333
https://github.com/libreswan/libreswan/issues/329
2020-04-26 16:27:00 -05:00
hwdsl2
2c660bb914
New Libreswan version
...
- Upgrade Libreswan to 3.31
- "USE_DH2=true" is required for keeping Windows clients compatibility
Ref: https://github.com/libreswan/libreswan/commit/8fcbbc7
- "USE_XFRM_INTERFACE_IFLA_HEADER=true" is required for compilation on
older Linux distributions
Ref: https://github.com/libreswan/libreswan/commit/c21909c
2020-04-11 17:11:12 -05:00
hwdsl2
4360737eaf
Improve OS detection
2020-01-13 00:07:39 -08:00
hwdsl2
99e194e683
Add CentOS 8
...
- Add support for CentOS/RHEL 8
2019-11-01 13:31:23 -07:00
hwdsl2
3353888ee9
Set sha2-truncbug to no
...
- This fixes VPN connection issues on iOS 13
- Android 6.x and 7.x users may require sha2-truncbug=yes. Will note
this in the documentation
- Fixes #638
2019-09-22 20:37:23 -07:00
hwdsl2
609f24257d
New Libreswan version
...
- Upgrade Libreswan to 3.29
2019-06-10 21:05:51 -05:00
hwdsl2
f69a0a9c97
New Libreswan version
...
- Upgrade Libreswan to 3.28
- Patches applied for Debian and CentOS 6. See 1659d03
2019-06-09 00:15:11 -05:00
hwdsl2
da20e723e8
Remove xl2tpd workaround
2019-06-02 22:44:12 -05:00
hwdsl2
dfa607eef8
Improve route detection
...
- Limit Number of default routes returned to 1
- Fixup for commit 323e7cf
(#541 )
2019-03-09 13:13:42 -06:00
hwdsl2
6fb35e25cb
Update year
2019-01-12 11:34:10 -06:00
hwdsl2
997cacdaeb
Cleanup
2019-01-12 01:08:04 -06:00
hwdsl2
ed5cbb865f
Clean up network detection
...
- Clean up default network interface detection and remove VPN_NET_IFACE
2019-01-12 00:44:23 -06:00
hwdsl2
ddaa0ee99c
Improve DNS servers
...
- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
only one or both alternative DNS servers
2018-12-17 00:07:04 -06:00
hwdsl2
ff82c3fb6e
Improve VPN ciphers
...
- Optimize order of VPN ciphers for performance
2018-11-24 10:30:42 -06:00
hwdsl2
f1c8c06af1
Improve VPN ciphers
...
- Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to
improve compatibility with some Linux kernels
- Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument
2018-11-02 01:54:49 -05:00
hwdsl2
5f75a7306a
Improve VPN ciphers
...
- Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with
Android versions 6.x and 7.x.
- Remove aes128-sha2_512 algorithm
- Ref: 732ad1e
2018-10-28 00:33:42 -05:00
hwdsl2
e8723245f0
Improve VPN config
...
- Increase auto-generated IPsec PSK length to 20 characters
- Add a note to README
2018-10-27 15:22:53 -05:00
hwdsl2
732ad1e941
Improve VPN ciphers
...
- Optimize VPN ciphers and their order for improved security and
compatibility with different OS. Remove 3DES algorithm
- Change 'sha2-truncbug' from 'yes' to 'no'
- Update docs
2018-10-27 00:53:19 -05:00
hwdsl2
9db710090d
Improve VPN ciphers
...
- Add AES-GCM cipher for Chromebook compatibility and performance
2018-10-25 01:25:35 -05:00
hwdsl2
804211c101
Cleanup
2018-10-21 00:20:54 -05:00
hwdsl2
a04d2d32e8
New Libreswan version
...
- Upgrade Libreswan to 3.27
- Cleanup
2018-10-09 12:32:28 -05:00
hwdsl2
b803f32b71
New Libreswan version
...
- Upgrade to new Libreswan version 3.26
- Ref: https://github.com/libreswan/libreswan/issues/202
- Cleanup
2018-09-21 23:47:17 -05:00
hwdsl2
95c8a178e7
Improve variables
...
- Move SWAN_VER to the top of the scripts
- Add check for Libreswan version
- Cleanup
2018-09-18 00:57:03 -05:00
hwdsl2
2fe44b172e
Improve Libreswan versions
...
- Add compilation workarounds specific to Libreswan 3.23/3.25 to the VPN
setup scripts, so that users may install those versions by modifying
SWAN_VER before running the scripts
- Cleanup
2018-09-11 00:03:04 -05:00
hwdsl2
8d90a3877c
Add version note
2018-09-10 01:26:31 -05:00
hwdsl2
1227a0ed5d
Improve xl2tpd workaround
...
- Exclude Ubuntu from xl2tpd 1.3.12 workaround (Ref: 3f8e79b
), because
updated xl2tpd packages are now available for Ubuntu 16.04 and 18.04
See: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1760796
- Add Linux kernel 4.16 to the list of kernels to work around
- Cleanup
2018-09-04 23:11:59 -05:00
hwdsl2
b8088d3934
Improve EPEL repo
...
- Improve handling of the EPEL repository. Although uncommon, some systems
can have epel-release installed but disabled in /etc/yum.repos.d/epel.repo
- Fixes #210
2018-07-04 20:07:32 -05:00