- Use default key size (2048 bits) when generating key pairs using
certutil. This significantly reduces IKEv2 setup time on servers
with less powerful CPUs, such as Raspberry Pis, while still providing
sufficient security.
- Update docs
- Add variables VPN_DNS_SRV1 and VPN_DNS_SRV2, for specifying custom DNS
servers when running the IKEv2 script in auto mode. Example:
VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
- Add a variable VPN_DNS_NAME, which can be defined when running the
IKEv2 script in auto mode, to set up IKEv2 using a DNS name instead
of an IP address for the VPN server. The DNS name must be a fully
qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com bash ikev2.sh --auto
- Minor cleanup
- Improve output for the VPN setup and upgrade scripts. The outputs
of the scripts are now significantly reduced and only include the
most useful information for users.
- Other minor cleanup
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
connect simultaneously to the VPN server. Note that before this fix,
this issue only occurs when using an IP address (instead of a DNS name)
for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
when checking connections. A local ID with '@' prefix has type ID_FQDN,
which does not match the ID_IPV4_ADDR type that the peer expects. This
prevents connection switching from working correctly for the scenario
above. Removing the prefix fixed the issue.
- Fixes#924
- Improvement: If the script is run using sudo, export the VPN client
config files to the user's home directory instead of "/root", and set
owner/group so that users can more easily download the config files.