mirror of synced 2024-11-22 04:56:03 +03:00
Commit Graph

1379 Commits

Author SHA1 Message Date
hwdsl2
3dc675ba37 Add client validity option
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
  the client certificate validity period (in months). Must be an integer
  between 1 and 120. Default value is 120. Users can define it as an
  environment variable when setting up IKEv2 in auto mode, or when
  adding a new IKEv2 client using "--addclient".
2022-10-16 00:45:45 -05:00
hwdsl2
0d4934c439 Update docs 2022-10-14 23:35:22 -05:00
hwdsl2
ad2883fa74 Update tests 2022-10-14 01:24:39 -05:00
hwdsl2
194d188313 Update docs 2022-10-14 00:36:09 -05:00
hwdsl2
e12ffa2222 Update docs 2022-10-10 08:54:52 -05:00
hwdsl2
ed359619bb Cleanup 2022-10-10 00:29:25 -05:00
hwdsl2
bd291e91a1 Cleanup 2022-10-07 00:19:00 -05:00
hwdsl2
3bf17a75db Improve interface check
- Install iproute (for the "ip" command) in the unlikely cases that
  both "route" and "ip" commands are unavailable.
2022-10-04 22:52:37 -05:00
hwdsl2
6e596825e2 Improve VPN ciphers
- Improve security by removing support for modp1536 (DH group 5),
  which is less secure and rarely used by VPN clients. To do this,
  we specify modp2048 on the "ike=" line in ipsec.conf.
2022-09-30 01:11:18 -05:00
hwdsl2
4b15a5d2f9 Update docs 2022-09-30 01:04:50 -05:00
hwdsl2
025387df91 Improve VPN ciphers
- Improve security by removing support for modp1024 (DH group 2),
  which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
  IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
  Android users should instead connect using IKEv2 mode (recommended).
2022-09-29 22:52:40 -05:00
hwdsl2
8ae26b832f Update docs 2022-09-25 14:33:51 -05:00
hwdsl2
c87dfdb0d8 Improve VPN setup
- When uninstalling the VPN, remove the two TCP BBR related lines
  from /etc/sysctl.conf, if they were added during VPN setup.
2022-09-25 10:43:15 -05:00
hwdsl2
28a7b595ec Update docs 2022-09-24 18:56:38 -05:00
hwdsl2
cc99e18123 Cleanup 2022-09-24 18:56:27 -05:00
hwdsl2
32faed40d5 Improve IP check
- Instead of finding the server's public IP, use the IP address
  on the default route if it is not a private IP. This makes VPN
  setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
2022-09-24 00:58:16 -05:00
hwdsl2
6ba4618351 Update docs 2022-09-23 00:34:42 -05:00
hwdsl2
7827f75785 Update docs 2022-09-17 00:02:11 -05:00
hwdsl2
f248738154 Update docs 2022-09-16 01:48:56 -05:00
hwdsl2
310161044c Update docs 2022-09-15 19:41:36 -05:00
hwdsl2
9e3135745b Update tests 2022-09-11 10:04:46 -05:00
hwdsl2
608fca101c Update docs 2022-09-11 00:54:45 -05:00
hwdsl2
8912e6ec8e Update IKEv2 script
- Cleanup
2022-09-11 00:17:26 -05:00
hwdsl2
1edac55430 Update tests 2022-09-10 09:53:40 -05:00
hwdsl2
4202a88804 Update docs 2022-09-09 23:53:53 -05:00
hwdsl2
c5df950ea2 Improve VPN setup
- Continue VPN setup (instead of exiting) if fail2ban fails to install.
2022-09-09 23:53:13 -05:00
hwdsl2
098a6b4e5d Update IKEv2 script
- When revoking or deleting an existing client, remove previously
  generated client config files for the client.
- Cleanup
2022-09-09 23:03:07 -05:00
hwdsl2
949790a5d9 Update docs 2022-09-08 09:06:16 -05:00
hwdsl2
db54638f5e Check kernel version
- Only enable TCP BBR congestion control if the server's Linux kernel
  version is 4.20 or newer.
- BBR requires the "fq" qdisc for older kernels < 4.20. That setting
  may not take effect on existing network interfaces without a reboot.
- References:
  https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md
  0bb9d90
2022-09-08 00:29:18 -05:00
hwdsl2
6a525c6c10 Optimize TCP buffers
- Improve VPN performance by tuning TCP buffer sizes.
2022-09-07 23:29:10 -05:00
hwdsl2
0bb9d90668 Enable TCP BBR
- Improve VPN performance by enabling the TCP BBR congestion control
  algorithm on supported systems (e.g. Ubuntu 18.04+, Debian 10+,
  CentOS 8+) during VPN setup.
  References:
  https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster
  https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/bbr.md
2022-09-07 02:32:12 -05:00
hwdsl2
b4770c4507 Update docs 2022-08-29 20:57:20 -05:00
hwdsl2
05d1e62f14 Update docs 2022-08-28 22:55:20 -05:00
hwdsl2
2d4cf2cb8f Update docs
- Update instructions for customizing IKEv2 options during VPN setup.
- Ref: 56078b0
2022-08-28 00:09:30 -05:00
hwdsl2
d2e9b5ff91 Cleanup 2022-08-27 21:51:19 -05:00
hwdsl2
56078b0a1e Add an option to skip IKEv2 setup
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
  Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
  interactively using "sudo ikev2.sh" after VPN setup.
2022-08-27 15:59:43 -05:00
hwdsl2
5525c407c5 Update docs
- Update split tunneling instructions in advanced usage.
- Ref: #1218
2022-08-27 00:09:14 -05:00
hwdsl2
5d469239a0 Update docs 2022-08-16 09:01:15 -05:00
hwdsl2
71f9d97870 Update docs
- Add instructions for connecting using the native IKEv2 client
  on Android 12 and above.
2022-08-16 00:51:58 -05:00
hwdsl2
a1e761a067 Update docs 2022-08-11 09:14:17 -05:00
hwdsl2
6a872207f4 Update IKEv2 script
- Add a note about changing IKEv2 server address.
2022-08-11 00:02:42 -05:00
hwdsl2
4995ec03f5 Improve OS support
- Make the VPN setup scripts work on Kali Linux (based on Debian).
- Update IKEv2 helper script to check for OpenSSL 3 first when
  exporting the .p12 file.
2022-08-10 23:25:58 -05:00
hwdsl2
e2f211c678 Improve OS detection
- Improve OS detection and clean up
2022-08-10 22:41:55 -05:00
hwdsl2
8973b8d6c0 Update tests 2022-08-09 19:35:32 -05:00
hwdsl2
1dbf897500 Cleanup
- Fix OS checking: Don't show errors for /etc/redhat-release.
- Fixes #1211.
2022-08-09 19:34:32 -05:00
hwdsl2
d22b32d4c6 Update docs
- Ref: #1209
2022-08-05 12:02:29 -05:00
Uros Radovanovic
44b39cb2ed Update README.md with note about external firewalls (#1209) 2022-08-05 11:51:52 -05:00
hwdsl2
95be4b83fb Fix NSS config
- Update NSS config on e.g. AlmaLinux 9 to allow the SHA1 signature
  algorithm. This fixes the issue where IKEv2 clients cannot connect.
- Fixes #1206.
2022-07-31 23:40:09 -05:00
hwdsl2
0fe30b0479 Update tests 2022-07-31 00:05:10 -05:00
hwdsl2
9088681e89 Update tests 2022-07-30 23:17:53 -05:00