- Improve handling of the EPEL repository. Although uncommon, some systems
can have epel-release installed but disabled in /etc/yum.repos.d/epel.repo
- Fixes#210
- Use %defaultroute and iptables MASQUERADE, no need to detect private IP
- Use %any for the first field of ipsec.secrets, instead of public IP
- As a result, the VPN server should now better adapt to IP changes.
- Improve IKEv2 docs. The strongSwan Android VPN client requires
an "IP address" in the VPN server certificate's subjectAltName field
in addition to "DNS name", when connecting using the server's IP.
The certutil commands have been updated to add this field.
- Other improvements to docs
- Windows 8.x and 10 require the IKEv2 machine certificate to have
"Client Auth" EKU in addition to "Server Auth". Otherwise it gives
"Error 13806: IKE failed to find valid machine certificate..."
- The IKEv2 documentation has been updated to fix this issue
- Also, this Libreswan wiki page may need to be updated. @letoams
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
- Ref: #106. Thanks @evil-shrike!
- Libreswan 3.19 removed MODP1024 from the ike= default list,
which breaks compatibility with Android 5.x and others
- This commit explicitly adds MODP1024 back to the ike= list
- Fixes#101. Thanks @keijodputt!
- Add option "noipdefault" to fix Linux clients behind NAT
- Specify VPN username and password in the config file
- Combine the Ubuntu/Debian and CentOS/Fedora sections
- [ci skip]