1
0
mirror of synced 2024-12-01 09:06:04 +03:00
Commit Graph

288 Commits

Author SHA1 Message Date
hwdsl2
651c404bf6 Improve sysctl settings
- For enabling TCP BBR congestion control, add a check to make sure
  tcp_congestion_control exists.
2022-11-20 15:01:44 -06:00
hwdsl2
4174ffa3ef Improve VPN setup
- Improve download of VPN helper scripts during setup.
  Note: https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/...
  redirects to
  https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/...
  Use the latter directly so that Wget can reuse the same connection
  for all 3 helper scripts.
- For Ubuntu 18.04, improve download of NSS packages and add fallback URLs.
2022-10-22 23:55:06 -05:00
hwdsl2
28d1f494f0 New Libreswan version
- Use new Libreswan version 4.9.
- Compilation of Libreswan 4.9 on Ubuntu 18.04 requires newer
  versions of NSS packages. They are installed in a similar way
  as apply_ubuntu1804_nss_fix in ikev2setup.sh.
  Ref: https://github.com/libreswan/libreswan/issues/892
2022-10-21 00:10:58 -05:00
hwdsl2
3dc675ba37 Add client validity option
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
  the client certificate validity period (in months). Must be an integer
  between 1 and 120. Default value is 120. Users can define it as an
  environment variable when setting up IKEv2 in auto mode, or when
  adding a new IKEv2 client using "--addclient".
2022-10-16 00:45:45 -05:00
hwdsl2
ed359619bb Cleanup 2022-10-10 00:29:25 -05:00
hwdsl2
3bf17a75db Improve interface check
- Install iproute (for the "ip" command) in the unlikely cases that
  both "route" and "ip" commands are unavailable.
2022-10-04 22:52:37 -05:00
hwdsl2
6e596825e2 Improve VPN ciphers
- Improve security by removing support for modp1536 (DH group 5),
  which is less secure and rarely used by VPN clients. To do this,
  we specify modp2048 on the "ike=" line in ipsec.conf.
2022-09-30 01:11:18 -05:00
hwdsl2
025387df91 Improve VPN ciphers
- Improve security by removing support for modp1024 (DH group 2),
  which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
  IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
  Android users should instead connect using IKEv2 mode (recommended).
2022-09-29 22:52:40 -05:00
hwdsl2
cc99e18123 Cleanup 2022-09-24 18:56:27 -05:00
hwdsl2
32faed40d5 Improve IP check
- Instead of finding the server's public IP, use the IP address
  on the default route if it is not a private IP. This makes VPN
  setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
2022-09-24 00:58:16 -05:00
hwdsl2
c5df950ea2 Improve VPN setup
- Continue VPN setup (instead of exiting) if fail2ban fails to install.
2022-09-09 23:53:13 -05:00
hwdsl2
db54638f5e Check kernel version
- Only enable TCP BBR congestion control if the server's Linux kernel
  version is 4.20 or newer.
- BBR requires the "fq" qdisc for older kernels < 4.20. That setting
  may not take effect on existing network interfaces without a reboot.
- References:
  https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md
  0bb9d90
2022-09-08 00:29:18 -05:00
hwdsl2
6a525c6c10 Optimize TCP buffers
- Improve VPN performance by tuning TCP buffer sizes.
2022-09-07 23:29:10 -05:00
hwdsl2
0bb9d90668 Enable TCP BBR
- Improve VPN performance by enabling the TCP BBR congestion control
  algorithm on supported systems (e.g. Ubuntu 18.04+, Debian 10+,
  CentOS 8+) during VPN setup.
  References:
  https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster
  https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/bbr.md
2022-09-07 02:32:12 -05:00
hwdsl2
d2e9b5ff91 Cleanup 2022-08-27 21:51:19 -05:00
hwdsl2
56078b0a1e Add an option to skip IKEv2 setup
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
  Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
  interactively using "sudo ikev2.sh" after VPN setup.
2022-08-27 15:59:43 -05:00
hwdsl2
e2f211c678 Improve OS detection
- Improve OS detection and clean up
2022-08-10 22:41:55 -05:00
hwdsl2
1dbf897500 Cleanup
- Fix OS checking: Don't show errors for /etc/redhat-release.
- Fixes #1211.
2022-08-09 19:34:32 -05:00
hwdsl2
95be4b83fb Fix NSS config
- Update NSS config on e.g. AlmaLinux 9 to allow the SHA1 signature
  algorithm. This fixes the issue where IKEv2 clients cannot connect.
- Fixes #1206.
2022-07-31 23:40:09 -05:00
hwdsl2
200da23776 Add Oracle Linux 9 2022-07-30 09:31:27 -05:00
hwdsl2
10d54262fb Add CentOS 9
- Add support for version 9 of CentOS Stream, RHEL, Rocky Linux
  and AlmaLinux.
2022-07-30 02:59:49 -05:00
hwdsl2
066cb14e14 Cleanup 2022-07-30 00:50:40 -05:00
hwdsl2
d36c435c95 Improve IPsec config
- IKEv2 mode uses retransmit-timeout instead of dpdtimeout.
- Increase timeouts from 120s to 300s, so that the VPN server can
  keep the VPN connection open if the client's network is unstable.
2022-06-15 00:28:21 -05:00
hwdsl2
0e24f8b086 Cleanup 2022-06-09 13:44:16 -05:00
hwdsl2
593f726c80 Cleanup 2022-06-07 22:48:40 -05:00
hwdsl2
41d37e808e Cleanup 2022-06-07 00:37:31 -05:00
hwdsl2
6e6d01dcf7 Improve IPTables rules
- Improve IPTables rules for IPsec VPN setup on systems such as CentOS 8.
  Do not add a DROP rule to the IPTables FORWARD chain if firewalld is
  active, so that existing firewalld FORWARD rules can continue to work.
2022-06-05 00:02:22 -05:00
hwdsl2
7b9813d562 Cleanup 2022-05-27 01:12:37 -05:00
hwdsl2
5f1f444a8f New Libreswan version
- Use new Libreswan version 4.7.
  Ref: https://lists.libreswan.org/pipermail/swan-announce/2022/000047.html
2022-05-25 23:57:30 -05:00
hwdsl2
c2a01e966c Cleanup 2022-05-22 00:36:47 -05:00
hwdsl2
a0f2345c3b Improve subnet check
- Improve check for custom VPN subnets.
  Ref: 95d9fc4
2022-05-16 21:43:56 -05:00
hwdsl2
857c6b9bea Add LXC check 2022-05-10 09:02:46 -05:00
hwdsl2
95d9fc4e03 Add subnet check
- Add a check for custom VPN subnets. Those can only be specified
  during initial VPN install.
  Ref: 1834b79
2022-05-10 08:47:59 -05:00
hwdsl2
c66ca577f3 Update links
- Update links due to git.io deprecation.
  Ref: https://github.blog/changelog/2022-04-25-git-io-deprecation/
2022-04-29 22:32:22 -05:00
hwdsl2
b2626dc921 Cleanup 2022-04-27 00:05:45 -05:00
hwdsl2
24ce5bedd8 Cleanup 2022-04-23 00:30:26 -05:00
hwdsl2
9458735d2c Improve Libreswan check 2022-04-23 00:07:46 -05:00
hwdsl2
a1ab13d9a9 Improve VPN setup
- Add fallback URLs for improved reliability
2022-04-11 22:36:43 -05:00
hwdsl2
629b39d3b3 Add Oracle Linux
- Add support for Oracle Linux 8 and 7.
2022-03-20 23:10:11 -05:00
hwdsl2
742e43ffcd Cleanup 2022-03-18 21:52:20 -05:00
hwdsl2
d182d9651a Improve VPN setup
- Download the add/delete VPN user helper scripts during setup,
  so users can use them directly without manual download.
2022-03-13 15:03:28 -05:00
hwdsl2
beb756f1f2 Remove CentOS 8
- Remove support for CentOS Linux 8, which is EOL.
  Ref: https://www.centos.org/centos-linux-eol/
2022-03-08 21:39:19 -06:00
hwdsl2
46a83e4f9f Cleanup 2022-03-08 21:17:16 -06:00
hwdsl2
e5703d8aaa Cleanup 2022-03-07 21:29:13 -06:00
hwdsl2
40859c5f7f Improve VPN setup
- Display a message if IKEv2 is already set up on the VPN server.
2022-03-06 22:41:29 -06:00
hwdsl2
b6c54c316f Improve VPN setup
- Skip Libreswan install if it has already been installed recently.
2022-03-06 22:36:20 -06:00
hwdsl2
6f4080bab4 Improve VPN setup
- Refactor VPN scripts to move IKEv2 setup inside vpnsetup_*.sh
2022-03-03 22:05:09 -06:00
hwdsl2
79a344ec46 Cleanup 2022-02-24 09:18:39 -06:00
hwdsl2
a4e452e9df Cleanup 2022-02-23 00:08:45 -06:00
hwdsl2
06c5e27080 Fix for GCP MTU size
- This fix is specifically for Google Cloud Platform (GCP) VMs.
  The default MTU size on GCP, 1460 bytes, could cause network issues
  such as "cannot open websites" with IKEv2 VPN clients.
  This issue was brought up multiple times in this repo, e.g. #1000.
- The fix changes the MTU to 1500 (the default that is widely used),
  and updates dhclient.conf so that it is not reverted to 1460 by DHCP.
- Refs: https://cloud.google.com/vpc/docs/vpc#mtu
        https://cloud.google.com/compute/docs/instances/detect-compute-engine
        https://linuxhint.com/how-to-change-mtu-size-in-linux/
        https://git.io/ikev2#cannot-open-websites-after-connecting-to-ikev2
2022-02-23 00:07:33 -06:00