Enable PFS for Windows IKEv2

Install apparmor

client/core/controllers/serverController.cpp

@@ -757,6 +757,10 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
 
 ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
 {
+    if (credentials.userName == "root") {
+        return ErrorCode::NoError;
+    }
+
     QString stdOut;
     auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
         stdOut += data + "\n";
@@ -770,14 +774,8 @@ ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, D
     const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
     ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);
 
-    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
+    if (!stdOut.contains("sudo"))
         return ErrorCode::ServerUserNotInSudo;
-    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
-        return ErrorCode::SudoPackageIsNotPreinstalled;
-    if (stdOut.contains("sudoers"))
-        return ErrorCode::ServerUserNotAllowedInSudoers;
-    if (stdOut.contains("password is required"))
-        return ErrorCode::ServerUserPasswordRequired;
 
     return error;
 }

client/core/defs.h

@@ -56,9 +56,6 @@ namespace amnezia
         ServerCancelInstallation = 204,
         ServerUserNotInSudo = 205,
         ServerPacketManagerError = 206,
-        SudoPackageIsNotPreinstalled = 207,
-        ServerUserNotAllowedInSudoers = 208,
-        ServerUserPasswordRequired = 209,
 
         // Ssh connection errors
         SshRequestDeniedError = 300,

client/core/errorstrings.cpp

@@ -19,11 +19,8 @@ QString errorString(ErrorCode code) {
     case(ErrorCode::ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
     case(ErrorCode::ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
     case(ErrorCode::ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
-    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user is not a member of the sudo group"); break;
-    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Package manager error"); break;
-    case(ErrorCode::SudoPackageIsNotPreinstalled): errorMessage = QObject::tr("The sudo package is not pre-installed"); break;
-    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
-    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;
+    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
+    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Packet manager error"); break;
 
     // Libssh errors
     case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;

client/protocols/ikev2_vpn_protocol_windows.cpp

@@ -238,7 +238,7 @@ ErrorCode Ikev2Protocol::start()
                                 "-CipherTransformConstants GCMAES128 "
                                 "-EncryptionMethod AES256 "
                                 "-IntegrityCheckMethod SHA256 "
-                                "-PfsGroup None "
+                                "-PfsGroup PFS2048 "
                                 "-DHGroup Group14 "
                                 "-PassThru -Force\"")
                             .arg(tunnelName());

client/secure_qsettings.cpp

@@ -15,6 +15,12 @@
 
 using namespace QKeychain;
 
+namespace {
+    constexpr const char *settingsKeyTag = "settingsKeyTag";
+    constexpr const char *settingsIvTag = "settingsIvTag";
+    constexpr const char *keyChainName = "AmneziaVPN-Keychain";
+}
+
 SecureQSettings::SecureQSettings(const QString &organization, const QString &application, QObject *parent)
     : QObject { parent }, m_settings(organization, application, parent), encryptedKeys({ "Servers/serversList" })
 {
@@ -49,7 +55,7 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue
     // check if value is not encrypted, v. < 2.0.x
     retVal = m_settings.value(key);
     if (retVal.isValid()) {
-        if (retVal.userType() == QVariant::ByteArray && retVal.toByteArray().mid(0, magicString.size()) == magicString) {
+        if (retVal.userType() == QMetaType::QByteArray && retVal.toByteArray().mid(0, magicString.size()) == magicString) {
 
             if (getEncKey().isEmpty() || getEncIv().isEmpty()) {
                 qCritical() << "SecureQSettings::setValue Decryption requested, but key is empty";

client/secure_qsettings.h

@@ -8,10 +8,6 @@
 
 #include "keychain.h"
 
-constexpr const char *settingsKeyTag = "settingsKeyTag";
-constexpr const char *settingsIvTag = "settingsIvTag";
-constexpr const char *keyChainName = "AmneziaVPN-Keychain";
-
 class SecureQSettings : public QObject
 {
     Q_OBJECT
@@ -44,7 +40,7 @@ public:
 private:
     QSettings m_settings;
 
-    mutable QMap<QString, QVariant> m_cache;
+    mutable QHash<QString, QVariant> m_cache;
 
     QStringList encryptedKeys; // encode only key listed here
     // only this fields need for backup

client/server_scripts/check_user_in_sudo.sh

@@ -1,11 +1,2 @@
-if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); opt="--version";\
-elif which dnf > /dev/null 2>&1; then pm=$(which dnf); opt="--version";\
-elif which yum > /dev/null 2>&1; then pm=$(which yum); opt="--version";\
-elif which pacman > /dev/null 2>&1; then pm=$(which pacman); opt="--version";\
-else pm="uname"; opt="-a";\
-fi;\
-CUR_USER=$(whoami 2> /dev/null || echo ~ | sed 's/.*\///');\
-echo $LANG | grep -qE '^(en_US.UTF-8|C.UTF-8|C)$' || export LC_ALL=C;\
-if [ "$CUR_USER" = "root" ] || ( groups "$CUR_USER" | grep -E '\<(sudo|wheel)\>' ); then \
-  sudo -K && sudo -nu $CUR_USER $pm $opt > /dev/null && sudo -n $pm $opt > /dev/null;\
-fi
+CUR_USER=$(whoami);\
+groups $CUR_USER

client/server_scripts/install_docker.sh

@@ -1,7 +1,7 @@
 if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); silent_inst="-yq install"; check_pkgs="-yq update"; docker_pkg="docker.io"; dist="debian";\
 elif which dnf > /dev/null 2>&1; then pm=$(which dnf); silent_inst="-yq install"; check_pkgs="-yq check-update"; docker_pkg="docker"; dist="fedora";\
 elif which yum > /dev/null 2>&1; then pm=$(which yum); silent_inst="-y -q install"; check_pkgs="-y -q check-update"; docker_pkg="docker"; dist="centos";\
-elif which pacman > /dev/null 2>&1; then pm=$(which pacman); silent_inst="-S --noconfirm --noprogressbar --quiet"; check_pkgs="> /dev/null 2>&1"; docker_pkg="docker"; dist="archlinux";\
+elif which pacman > /dev/null 2>&1; then pm=$(which pacman); silent_inst="-S --noconfirm --noprogressbar --quiet"; check_pkgs="-Sup"; docker_pkg="docker"; dist="archlinux";\
 else echo "Packet manager not found"; exit 1; fi;\
 echo "Dist: $dist, Packet manager: $pm, Install command: $silent_inst, Check pkgs command: $check_pkgs, Docker pkg: $docker_pkg";\
 if [ "$dist" = "debian" ]; then export DEBIAN_FRONTEND=noninteractive; fi;\
@@ -12,6 +12,9 @@ if ! command -v docker > /dev/null 2>&1; then \
   sudo $pm $check_pkgs; sudo $pm $silent_inst $docker_pkg;\
   sleep 5; sudo systemctl enable --now docker; sleep 5;\
 fi;\
+if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]; then \
+  if ! command -v apparmor_parser > /dev/null 2>&1; then sudo $pm $check_pkgs; sudo $pm $silent_inst apparmor; fi;\
+fi;\
 if [ "$(systemctl is-active docker)" != "active" ]; then \
   sudo $pm $check_pkgs; sudo $pm $silent_inst $docker_pkg;\
   sleep 5; sudo systemctl start docker; sleep 5;\

client/server_scripts/ipsec/configure_container.sh

@@ -33,14 +33,14 @@ conn shared
   right=%any
   encapsulation=yes
   authby=secret
-  pfs=no
+  pfs=yes
   rekey=no
   keyingtries=5
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h
@@ -244,9 +244,9 @@ conn ikev2-cp
   auto=add
   ikev2=insist
   rekey=no
-  pfs=no
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  pfs=yes
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h
   encapsulation=yes

client/server_scripts/prepare_host.sh

@@ -1,4 +1,4 @@
-CUR_USER=$(whoami 2> /dev/null || echo ~ | sed 's/.*\///');\
+CUR_USER=$(whoami);\
 sudo mkdir -p $DOCKERFILE_FOLDER;\
 sudo chown $CUR_USER $DOCKERFILE_FOLDER;\
 if ! sudo docker network ls | grep -q amnezia-dns-net; then sudo docker network create \

client/translations/amneziavpn_ar_EG.ts

@@ -3334,8 +3334,8 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>المستخدم ليس عضوًا في مجموعة sudo</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>ليس لدي المستخدم الصلحيات لأستخدام sudo</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>
@@ -3399,7 +3399,7 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
+        <source>Server error: Packet manager error</source>
         <translation>خطأ في الخادم: خطأ في مدير الحزم</translation>
     </message>
     <message>

client/translations/amneziavpn_fa_IR.ts

@@ -3468,8 +3468,8 @@ It&apos;s okay as long as it&apos;s from someone you trust.</source>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>کاربر عضو گروه sudo نیست</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>The user does not have permission to use sudo</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>
@@ -3590,8 +3590,8 @@ It&apos;s okay as long as it&apos;s from someone you trust.</source>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
-        <translation>خطای سرور: خطای مدیر بسته</translation>
+        <source>Server error: Packet manager error</source>
+        <translation>Server error: Packet manager error</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="34"/>

client/translations/amneziavpn_hi_IN.ts

@@ -3434,13 +3434,13 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>उपयोगकर्ता sudo समूह का सदस्य नहीं है</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>उपयोगकर्ता के पास sudo का उपयोग करने की अनुमति नहीं है</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
-        <translation>सर्वर त्रुटि: पैकेज प्रबंधक त्रुटि</translation>
+        <source>Server error: Packet manager error</source>
+        <translation>सर्वर त्रुटि: पैकेट प्रबंधक त्रुटि</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>

client/translations/amneziavpn_my_MM.ts

@@ -3330,8 +3330,8 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>ဤအသုံးပြုသူသည် sudo အဖွဲ့၏ အဖွဲ့ဝင်မဟုတ်ပါ</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>ဤအသုံးပြုသူသည် sudo ကိုအသုံးပြုရန်ခွင့်ပြုချက်မရှိပါ</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>
@@ -3395,8 +3395,8 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
-        <translation>ဆာဗာ အမှား- Package manager အမှား</translation>
+        <source>Server error: Packet manager error</source>
+        <translation>ဆာဗာ မှားယွင်းမှု: Packet Manager မှားယွင်းမှု</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="34"/>

client/translations/amneziavpn_ru_RU.ts

@@ -3604,12 +3604,12 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>Пользователь не входит в группу sudo</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>У пользователя нет прав на использование sudo</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
+        <source>Server error: Packet manager error</source>
         <translation>Ошибка сервера: ошибка менеджера пакетов</translation>
     </message>
     <message>

client/translations/amneziavpn_uk_UA.ts

@@ -3700,13 +3700,13 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>Користувач не входить до групи sudo</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>The user does not have permission to use sudo</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
-        <translation>Помилка сервера: помилка менеджера пакетів</translation>
+        <source>Server error: Packet manager error</source>
+        <translation type="unfinished"></translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>

client/translations/amneziavpn_ur_PK.ts

@@ -3433,8 +3433,8 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>صارف sudo گروپ کا رکن نہیں ہے</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>صارف کو sudo استعمال کرنے کی اجازت نہیں ہے</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>
@@ -3498,7 +3498,7 @@ Already installed containers were found on the server. All installed containers
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
+        <source>Server error: Packet manager error</source>
         <translation>سرور خطا: پیکیج منیجر خطا</translation>
     </message>
     <message>

client/translations/amneziavpn_zh_CN.ts

@@ -3675,13 +3675,13 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user is not a member of the sudo group</source>
-        <translation>用户不是 sudo 组的成员</translation>
+        <source>The user does not have permission to use sudo</source>
+        <translation>用户没有root权限</translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Package manager error</source>
-        <translation>服务器错误：包管理器错误</translation>
+        <source>Server error: Packet manager error</source>
+        <translation type="unfinished"></translation>
     </message>
     <message>
         <location filename="../core/errorstrings.cpp" line="26"/>

client/ui/qml/Pages2/PageSetupWizardConfigSource.qml

@@ -217,6 +217,8 @@ PageType {
                 Layout.alignment: Qt.AlignHCenter
                 implicitHeight: 32
 
+                visible: Qt.platform.os !== "ios"
+
                 defaultColor: AmneziaStyle.color.transparent
                 hoveredColor: AmneziaStyle.color.translucentWhite
                 pressedColor: AmneziaStyle.color.sheerWhite
@@ -330,7 +332,7 @@ PageType {
         property string title: qsTr("I have nothing")
         property string description: qsTr("")
         property string imageSource: "qrc:/images/controls/help-circle.svg"
-        property bool isVisible: PageController.isStartPageVisible()
+        property bool isVisible: PageController.isStartPageVisible() && Qt.platform.os !== "ios"
         property var handler: function() {
             Qt.openUrlExternally(LanguageModel.getCurrentSiteUrl())
         }