1
0
mirror of synced 2024-11-25 06:16:07 +03:00
Commit Graph

290 Commits

Author SHA1 Message Date
hwdsl2
a4e452e9df Cleanup 2022-02-23 00:08:45 -06:00
hwdsl2
06c5e27080 Fix for GCP MTU size
- This fix is specifically for Google Cloud Platform (GCP) VMs.
  The default MTU size on GCP, 1460 bytes, could cause network issues
  such as "cannot open websites" with IKEv2 VPN clients.
  This issue was brought up multiple times in this repo, e.g. #1000.
- The fix changes the MTU to 1500 (the default that is widely used),
  and updates dhclient.conf so that it is not reverted to 1460 by DHCP.
- Refs: https://cloud.google.com/vpc/docs/vpc#mtu
        https://cloud.google.com/compute/docs/instances/detect-compute-engine
        https://linuxhint.com/how-to-change-mtu-size-in-linux/
        https://git.io/ikev2#cannot-open-websites-after-connecting-to-ikev2
2022-02-23 00:07:33 -06:00
hwdsl2
86d4f2f93c Improve VPN setup
- Retry certain 'apt-get' and 'yum' commands on failure
2022-02-08 23:24:46 -06:00
hwdsl2
2bb938416c Cleanup 2022-01-29 12:35:51 -06:00
hwdsl2
c04d056be6 Cleanup 2022-01-29 01:28:56 -06:00
hwdsl2
5b1377dcf3 Cleanup 2022-01-22 21:34:53 -06:00
hwdsl2
9022caf9f4 Improve VPN setup
- Retrieve latest supported Libreswan version before install
- Cleanup
2022-01-22 21:31:55 -06:00
hwdsl2
2ffad259af New Libreswan version
- Use new Libreswan version 4.6.
- Libreswan 4.6 contains a fix for CVE-2022-23094. See the following
  links for more information.
  https://lists.libreswan.org/pipermail/swan-announce/2022/000046.html
  https://libreswan.org/security/
2022-01-11 22:20:57 -06:00
hwdsl2
c25baaf9a9 Cleanup 2022-01-04 23:01:14 -06:00
hwdsl2
c78b398057 Update year 2022-01-02 00:09:03 -06:00
hwdsl2
a47ced7899 Cleanup 2021-09-19 21:51:14 -05:00
hwdsl2
e2a9c4a0c3 Cleanup 2021-09-11 10:07:33 -05:00
hwdsl2
263ffe97cc Cleanup 2021-09-07 09:02:22 -05:00
hwdsl2
df6c02bf95 Improve Libreswan install
- Skip downloading and installing Libreswan if the same version
  is already installed.
2021-08-29 15:12:17 -05:00
hwdsl2
da7697a5b0 Cleanup
- Update scripts to use bash instead of sh
- Update docs
2021-08-27 23:35:31 -05:00
hwdsl2
c2236b6e34 New Libreswan version
- Use new Libreswan version 4.5
2021-08-22 11:50:14 -05:00
hwdsl2
9336c1c2c2 Improve VPN setup
- Refactor VPN setup scripts into functions
- Cleanup
2021-08-19 02:01:34 -05:00
hwdsl2
8e570129b2 Cleanup 2021-08-14 00:26:27 -05:00
hwdsl2
779a86f933 Cleanup 2021-08-13 02:11:31 -05:00
hwdsl2
2e17ef68ce Update OS detection 2021-07-27 00:59:15 -05:00
hwdsl2
a0409b4399 Cleanup
- In rare cases, if a parent process traps SIGPIPE, the 'tr'
  command in the VPN setup scripts could output an error
  'tr: write error: Broken pipe'. This is a cosmetic error
  that does NOT affect the functionality of the scripts. This
  commit hides the error in such cases.
2021-07-21 23:12:06 -05:00
hwdsl2
61025818bb Optimize binary size
- Use the gcc "-s" option when compiling Libreswan. This reduces
  binary size by ~80%.
2021-07-10 01:57:11 -05:00
hwdsl2
02b6d05c82 Update IPTables rules
- Allow traffic from IKEv2 and IPsec/XAuth ("Cisco IPsec") clients to
  IPsec/L2TP clients. Ref: #983
- Cleanup
- Update docs
2021-06-20 15:02:33 -05:00
hwdsl2
de2d49d3a6 Improve IKEv2 setup
- Add a link to /usr/bin for the IKEv2 helper script
2021-05-24 01:14:32 -05:00
hwdsl2
293e5d999a Improve IP detection 2021-05-11 09:59:18 -05:00
hwdsl2
c55bdd7d13 Update permissions
- Set executable bit for ikev2.sh
2021-04-26 22:55:32 -05:00
hwdsl2
ac0bde54bb New Libreswan version
- Use new Libreswan version 4.4
- Support updating to Libreswan 4.4
- Other small improvements and cleanup
2021-04-24 16:15:05 -05:00
hwdsl2
d90c6121b6 Improve OS detection 2021-04-20 00:09:00 -05:00
hwdsl2
28b02f28db Fix for CentOS 8
- Minor fix for IPTables FORWARD rules on CentOS 8
- Cleanup
2021-04-19 00:38:50 -05:00
hwdsl2
804856064b Minor fix and cleanup
- Minor fix for CentOS 8 for the uncommon scenario where the server has
  "nftables" service enabled
- Cleanup
2021-04-01 23:06:36 -05:00
hwdsl2
cec1dde5e4 Improve setup
- To make it easier for users to set up IKEv2, the IKEv2 helper script
  is now downloaded during VPN setup.
- Cleanup
2021-03-28 23:39:29 -05:00
hwdsl2
f6dd26abba Improve setup
- Install uuid-runtime/util-linux, which is required for IKEv2 setup.
2021-03-13 14:39:05 -06:00
hwdsl2
1972501725 New Libreswan version
- Use new Libreswan version 4.3
- Support updating to Libreswan 4.3
- Other small improvements
- Update tests
2021-02-21 23:54:37 -06:00
hwdsl2
5779b2e6c8 Improve output
- Improve output for the VPN setup and upgrade scripts. The outputs
  of the scripts are now significantly reduced and only include the
  most useful information for users.
- Other minor cleanup
2021-02-05 21:49:35 -06:00
hwdsl2
1808095bb7 New Libreswan version
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
  scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
2021-02-04 01:47:04 -06:00
hwdsl2
2b6586cf1b Increase IKE lifetime
- Set both "ikelifetime" and "salifetime" to 24 hours, which is
  recommended since we have "rekey=no" on the server. VPN clients will
  normally initiate rekey with a shorter interval.
  Ref: https://github.com/libreswan/libreswan/issues/405#issuecomment-765109809
       https://libreswan.org/man/ipsec.conf.5.html
2021-01-21 23:24:41 -06:00
hwdsl2
3b90d2d394 Cleanup 2021-01-07 12:02:44 -06:00
hwdsl2
a5a1f4adb1 Cleanup 2021-01-03 14:05:13 -06:00
hwdsl2
dabf765978 Update year 2021-01-03 00:35:24 -06:00
hwdsl2
de7a529c6c Cleanup
- Remove Debian 8 from VPN upgrade script, which is EOL on 06/30/2020
- Include OS arch when checking Libreswan version
- Other minor improvements
2021-01-02 14:25:50 -06:00
hwdsl2
b3ad82fd48 Cleanup 2020-12-31 23:09:58 -06:00
hwdsl2
cac5191155 Add version check
- Check for latest supported Libreswan version, and remind users who use
  a non-latest version of the VPN scripts that they can upgrade
- Other minor improvements
2020-12-31 18:24:41 -06:00
hwdsl2
74b2c4885e Improve l2tp_ppp fix
- Improve fix for l2tp_ppp: Instead of commenting out ExecStartPre,
  ignore the return code with the '-' prefix
2020-12-24 14:25:38 -06:00
hwdsl2
dbb5d0576d Minor cleanup 2020-12-24 01:51:25 -06:00
hwdsl2
c1fb45f942 Fix for CentOS 8
- The repository ID "powertools" is now lower case in the latest
  CentOS release. Update to work in both cases.
2020-12-07 11:37:48 -06:00
hwdsl2
00f9d2ba86 Clean up build flags
- Clean up build flags for Libreswan. In Libreswan 4.1, these flags are
  now set automatically based on Ubuntu/Debian versions, and no longer
  needed for CentOS/RHEL 7 and 8.
- Ref: https://github.com/libreswan/libreswan/blob/main/mk/defaults/linux.mk
       https://github.com/libreswan/libreswan/commit/c01ffcc1
2020-12-04 23:36:53 -06:00
hwdsl2
41142ee915 Remove CentOS 6
- CentOS 6 was EOL as of Nov. 30, 2020, and the default yum repos are
  no longer available for installing new packages
  Ref: https://wiki.centos.org/About/Product
2020-12-02 23:40:54 -06:00
hwdsl2
7674810559 Clean up sysctl settings 2020-11-28 11:54:49 -06:00
hwdsl2
5a13026701 Apply Libreswan fix
- Fix detection for sysvinit initsystem:
  cfe4dabab4
2020-11-11 23:05:29 -06:00
hwdsl2
afb8a7acce New Libreswan version
- Upgrade Libreswan from 3.32 to 4.1
2020-11-11 00:27:44 -06:00
hwdsl2
4fa17ce958 Fix for EPEL repo
- Remove workaround for EPEL repo issues (bff3fe5)
- "yum makecache" may have higher disk space requirements that could
  cause issues on systems with low free disk space
2020-09-30 22:49:49 -05:00
hwdsl2
f8f97e014a Cleanup 2020-08-09 14:49:02 -05:00
hwdsl2
6c88c7fd27 Fix for CentOS/RHEL 8
- Fix firewalld detection when the setup script is run again
2020-07-11 20:19:11 -05:00
hwdsl2
bff3fe5a4b Fix for EPEL repo
- Add workaround for EPEL repo issues
2020-07-06 23:03:13 -05:00
hwdsl2
8283bdb32f CentOS/RHEL 8 fix
- Fix fail2ban rules for nftables on CentOS/RHEL 8
2020-07-02 17:52:13 -05:00
hwdsl2
3faa8fd86e Improve DNS check 2020-06-12 11:05:42 -05:00
hwdsl2
b7293e95da Cleanup 2020-06-05 11:00:23 -05:00
hwdsl2
e1e1b67afd Improve IKEv2 setup
- Use /etc/ipsec.d/ikev2.conf for IKEv2 configuration
- Allow running from inside a container, so that it can be used with:
  https://github.com/hwdsl2/docker-ipsec-vpn-server
2020-05-30 23:09:32 -05:00
hwdsl2
71d67ae690 CentOS/RHEL fixes
- Use nftables only if firewalld is active (CentOS/RHEL 8)
- Fix RHEL 7 server-optional repo names. See:
  https://access.redhat.com/articles/4599971
- Fix an issue where the codeready-builder repo cannot be enabled
  on EC2 (RHEL 8). Fixes #804.
2020-05-24 15:07:08 -05:00
hwdsl2
a087be669f Cleanup 2020-05-24 00:14:05 -05:00
hwdsl2
d457ebd16d CentOS 8 fixes
- Use nftables instead of iptables-services for CentOS 8
- Existing firewalld rules are now preserved during VPN setup,
  which will be saved as part of nftables rules
2020-05-24 00:10:35 -05:00
hwdsl2
b293aa3081 New Libreswan version
- Upgrade Libreswan to 3.32
2020-05-11 10:59:08 -05:00
hwdsl2
207fb6574d Update links
- Add a link to IKEv2 how-to guide
2020-05-11 01:19:03 -05:00
hwdsl2
dae0c03356 Improve output
- Inhibit warning messages from Libreswan compilation
2020-04-29 11:00:25 -05:00
hwdsl2
5983c79904 Fix IKEv2
- Apply fix for an IKEv2 regression in Libreswan
- Ref: https://github.com/libreswan/libreswan/commit/90f8a09
  https://github.com/libreswan/libreswan/issues/333
  https://github.com/libreswan/libreswan/issues/329
2020-04-26 16:27:00 -05:00
hwdsl2
2c660bb914 New Libreswan version
- Upgrade Libreswan to 3.31
- "USE_DH2=true" is required for keeping Windows clients compatibility
  Ref: https://github.com/libreswan/libreswan/commit/8fcbbc7
- "USE_XFRM_INTERFACE_IFLA_HEADER=true" is required for compilation on
  older Linux distributions
  Ref: https://github.com/libreswan/libreswan/commit/c21909c
2020-04-11 17:11:12 -05:00
hwdsl2
4360737eaf Improve OS detection 2020-01-13 00:07:39 -08:00
hwdsl2
99e194e683 Add CentOS 8
- Add support for CentOS/RHEL 8
2019-11-01 13:31:23 -07:00
hwdsl2
3353888ee9 Set sha2-truncbug to no
- This fixes VPN connection issues on iOS 13
- Android 6.x and 7.x users may require sha2-truncbug=yes. Will note
  this in the documentation
- Fixes #638
2019-09-22 20:37:23 -07:00
hwdsl2
609f24257d New Libreswan version
- Upgrade Libreswan to 3.29
2019-06-10 21:05:51 -05:00
hwdsl2
f69a0a9c97 New Libreswan version
- Upgrade Libreswan to 3.28
- Patches applied for Debian and CentOS 6. See 1659d03
2019-06-09 00:15:11 -05:00
hwdsl2
da20e723e8 Remove xl2tpd workaround 2019-06-02 22:44:12 -05:00
hwdsl2
dfa607eef8 Improve route detection
- Limit Number of default routes returned to 1
- Fixup for commit 323e7cf (#541)
2019-03-09 13:13:42 -06:00
hwdsl2
6fb35e25cb Update year 2019-01-12 11:34:10 -06:00
hwdsl2
997cacdaeb Cleanup 2019-01-12 01:08:04 -06:00
hwdsl2
ed5cbb865f Clean up network detection
- Clean up default network interface detection and remove VPN_NET_IFACE
2019-01-12 00:44:23 -06:00
hwdsl2
ddaa0ee99c Improve DNS servers
- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
  only one or both alternative DNS servers
2018-12-17 00:07:04 -06:00
hwdsl2
ff82c3fb6e Improve VPN ciphers
- Optimize order of VPN ciphers for performance
2018-11-24 10:30:42 -06:00
hwdsl2
f1c8c06af1 Improve VPN ciphers
- Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to
  improve compatibility with some Linux kernels
- Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument
2018-11-02 01:54:49 -05:00
hwdsl2
5f75a7306a Improve VPN ciphers
- Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with
  Android versions 6.x and 7.x.
- Remove aes128-sha2_512 algorithm
- Ref: 732ad1e
2018-10-28 00:33:42 -05:00
hwdsl2
e8723245f0 Improve VPN config
- Increase auto-generated IPsec PSK length to 20 characters
- Add a note to README
2018-10-27 15:22:53 -05:00
hwdsl2
732ad1e941 Improve VPN ciphers
- Optimize VPN ciphers and their order for improved security and
  compatibility with different OS. Remove 3DES algorithm
- Change 'sha2-truncbug' from 'yes' to 'no'
- Update docs
2018-10-27 00:53:19 -05:00
hwdsl2
9db710090d Improve VPN ciphers
- Add AES-GCM cipher for Chromebook compatibility and performance
2018-10-25 01:25:35 -05:00
hwdsl2
804211c101 Cleanup 2018-10-21 00:20:54 -05:00
hwdsl2
a04d2d32e8 New Libreswan version
- Upgrade Libreswan to 3.27
- Cleanup
2018-10-09 12:32:28 -05:00
hwdsl2
b803f32b71 New Libreswan version
- Upgrade to new Libreswan version 3.26
- Ref: https://github.com/libreswan/libreswan/issues/202
- Cleanup
2018-09-21 23:47:17 -05:00
hwdsl2
95c8a178e7 Improve variables
- Move SWAN_VER to the top of the scripts
- Add check for Libreswan version
- Cleanup
2018-09-18 00:57:03 -05:00
hwdsl2
2fe44b172e Improve Libreswan versions
- Add compilation workarounds specific to Libreswan 3.23/3.25 to the VPN
  setup scripts, so that users may install those versions by modifying
  SWAN_VER before running the scripts
- Cleanup
2018-09-11 00:03:04 -05:00
hwdsl2
8d90a3877c Add version note 2018-09-10 01:26:31 -05:00
hwdsl2
1227a0ed5d Improve xl2tpd workaround
- Exclude Ubuntu from xl2tpd 1.3.12 workaround (Ref: 3f8e79b), because
  updated xl2tpd packages are now available for Ubuntu 16.04 and 18.04
  See: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1760796
- Add Linux kernel 4.16 to the list of kernels to work around
- Cleanup
2018-09-04 23:11:59 -05:00
hwdsl2
b8088d3934 Improve EPEL repo
- Improve handling of the EPEL repository. Although uncommon, some systems
  can have epel-release installed but disabled in /etc/yum.repos.d/epel.repo
- Fixes #210
2018-07-04 20:07:32 -05:00
hwdsl2
59f817575c Create rundir
- Create /run/pluto which is used as rundir in Libreswan 3.22 and newer
- Fixes #407
2018-06-10 16:08:12 -05:00
hwdsl2
1ff393b91c Use Libreswan 3.22
- Use Libreswan 3.22 instead of 3.23 due to an issue with connecting
  multiple IPsec/XAuth VPN clients from behind the same NAT
- Ref: c982502 0cf01c0
2018-06-06 00:40:09 -05:00
hwdsl2
f838fcfe12 Fix IP parsing
- Fix parsing private IP on some systems such as Ubuntu 18.04
2018-06-03 23:24:37 -05:00
hwdsl2
3452926759 Use xl2tpd 1.3.12
- Install xl2tpd 1.3.12 for CentOS 6 with Linux kernel 4.14/4.15
- This version fixes an xl2tpd issue under the above Linux kernels
- Remove Linux kernel check which is no longer needed
- Ref: 3f8e79b (fix for Ubuntu/Debian)
2018-05-23 20:40:58 -05:00
hwdsl2
95bcadb2c2 Improve VPN ciphers
- Add back aes256-sha2_512 to phase2alg, required on some Android systems
- Fixes #391
2018-05-23 19:54:37 -05:00
hwdsl2
8e15eb683c Cleanup 2018-05-23 01:39:53 -05:00
hwdsl2
e3fe8b05bf Improve workaround
- Specify "left=" in ipsec.conf for servers with 'src' in default route
- Ref: https://github.com/libreswan/libreswan/issues/177
2018-05-21 00:58:24 -05:00
hwdsl2
3b7039ef78 Update Linux kernel check 2018-05-16 22:34:33 -05:00
hwdsl2
f2f6524201 Re-add Android workaround
- VPN on Android 6.0, 7.0 and 7.1.1 requires sha2-truncbug=yes to work
- Android 5.1, 8.0 and 8.1 also connect OK with this setting
- Ref: https://libreswan.org/wiki/FAQ#Configuration_Matters
2018-05-08 00:39:52 -05:00