- Create a client config README file under certain circumstances,
such as when setting up IKEv2 automatically and users might not
see the script's output.
- Display a note if no password is required when importing client
config files.
- Advanced users can now define VPN_PROTECT_CONFIG=yes when setting up
IKEv2, if they want to protect client config files with a password.
- Add an option to protect IKEv2 client config files using a password,
which users can select when customizing IKEv2 or client options
Ref: dbc3527
- Change the default action to 'continue' when confirming IKEv2 setup
options
- Other minor improvements
- Simplify IKEv2 configuration import: Remove passwords for IKEv2
client config files. When importing, it is no longer required to
enter a config file password.
- For macOS and iOS, .mobileconfig files require a password to work.
The password is now included so there is no need to manually enter.
- Note: Client config files should be securely transferred from
the VPN server to VPN client device(s) for import.
- Fix IKEv2 "password is incorrect" issue when using Ubuntu 21.10
Fixes#1073. Ref: #1048.
- Note: Ubuntu 21.10 is NOT a supported OS for the VPN setup scripts.
Please use e.g. Ubuntu 20.04 instead.
Ref: https://github.com/hwdsl2/setup-ipsec-vpn#requirements
- Improve checking for MOBIKE support. Linux kernels on QNAP systems
do not support MOBIKE.
Ref: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/247
- Switch to use /etc/ipsec.d/.vpnconfig to store generated password
for IKEv2 client config files, instead of vpnclient.p12.password.
Migrate to use .vpnconfig if the older config file is found.
Ref: 45ee41d
- Improve IKEv2 setup: Save generated password for IKEv2 client
configuration files to vpnclient.p12.password, so that it can
be re-used for later runs of the helper script. Previously,
a different password is generated each time the script is run.
- In rare cases, if a parent process traps SIGPIPE, the 'tr'
command in the VPN setup scripts could output an error
'tr: write error: Broken pipe'. This is a cosmetic error
that does NOT affect the functionality of the scripts. This
commit hides the error in such cases.
- New: Revoke a client certificate using the helper script. Users can
also manually revoke a client certificate, see https://git.io/ikev2
- Check for certificate validity when exporting client configurations
- Delete CRL from IPsec database when removing IKEv2
- Cleanup
- Remove MODP1024 from IKEv2 ciphers for improved security. Windows users
will need to make a one-time registry change before connecting for the
first time. Refer to https://git.io/ikev2.
- Use default key size (2048 bits) when generating key pairs using
certutil. This significantly reduces IKEv2 setup time on servers
with less powerful CPUs, such as Raspberry Pis, while still providing
sufficient security.
- Update docs
- Add variables VPN_DNS_SRV1 and VPN_DNS_SRV2, for specifying custom DNS
servers when running the IKEv2 script in auto mode. Example:
VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
- Add a variable VPN_DNS_NAME, which can be defined when running the
IKEv2 script in auto mode, to set up IKEv2 using a DNS name instead
of an IP address for the VPN server. The DNS name must be a fully
qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com bash ikev2.sh --auto
- Minor cleanup
- Improve output for the VPN setup and upgrade scripts. The outputs
of the scripts are now significantly reduced and only include the
most useful information for users.
- Other minor cleanup
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
connect simultaneously to the VPN server. Note that before this fix,
this issue only occurs when using an IP address (instead of a DNS name)
for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
when checking connections. A local ID with '@' prefix has type ID_FQDN,
which does not match the ID_IPV4_ADDR type that the peer expects. This
prevents connection switching from working correctly for the scenario
above. Removing the prefix fixed the issue.
- Fixes#924
- Improvement: If the script is run using sudo, export the VPN client
config files to the user's home directory instead of "/root", and set
owner/group so that users can more easily download the config files.
- Add a command-line option to remove IKEv2
- Change the error to a warning when option '--auto' is specified after
IKEv2 setup
- Other minor improvements
- New: Users can now specify '--addclient [client name]' or
'--exportclient [client name]' command-line arguments to automatically
add or export an IKEv2 client using default options.
- Show script usage when '-h' or '--help' is specified.
- Other minor improvements
- For the Ubuntu 18.04 NSS bug fix, use mirrors.kernel.org, which
is an Ubuntu mirror that supports HTTPS, instead of HTTP-only
security.ubuntu.com
- Minor fix: When uninstalling IKEv2, delete keys in addition to
certificates from the IPsec database
- New feature: Export configuration for an existing IKEv2 client
- If IKEv2 has already been set up, users can now choose from a menu to
either add a new client or export configuration for an existing client
- New feature: The IKEv2 helper script can now be run in "auto mode",
which sets up IKEv2 using default options, no user input needed.
To use this mode, add command-line parameter "--auto"
- Refactor entire script to remove duplicate code, improve structure
and make it easier to read and maintain
- Add check for Libreswan version
- Update tests
- New feature: For macOS and iOS clients, the IKEv2 helper script
can now create .mobileconfig files to simplify client setup
and improve VPN performance with ciphers such as AES-GCM.
- New feature: VPN On Demand is now supported on macOS and iOS.
See https://git.io/ikev2 for more details.
- The script no longer exports the IKEv2 VPN CA certificate, since
.mobileconfig support has been added.
- A random password is now generated for the .p12 and .mobileconfig
files, and displayed on the screen when finished. User input is
no longer required for this password.