- Install package libcrypt-dev on Ubuntu/Debian, and package
libxcrypt-devel on CentOS 8+, which are needed for Libreswan
compilation. This change fixes VPN setup on Ubuntu 26.04.
- Use a /116 subnet (4096 addresses) for IPv6.
- Set IPv6 forwarding in rc.local, in addition to sysctl.conf.
In some cases, setting it in sysctl.conf may not work reliably.
- Add initial IPv6 support for IKEv2 mode. For VPN servers with
a public (global unicast) IPv6 address, IPv6 support for
IKEv2 clients is automatically enabled during VPN setup.
- Currently tested on Android using the strongSwan VPN client.
Other platforms (e.g. Windows, macOS, iOS) may have limitations
or require additional configuration for IPv6 to work.
- Fixed an issue with adding VPN related firewall rules on CentOS,
Rocky Linux and similar Linux distributions, when firewalld is
configured to be the sole owner of nftables.
- Closes#1678. Thanks @CaptainFrosty!
- Fixed an issue where AlmaLinux 9 users may encounter the error
"unsupported xtables compat expression" for xt target "MASQUERADE",
which prevents nftables rules from loading. This could happen if the
server already has OpenVPN and/or WireGuard installed before
installing the IPsec VPN.
- Add an option for specifying a Libreswan version to install,
using variable VPN_SWAN_VER. Currently supported values are
4.15 and 5.0. This could be useful for users who want to
install the older Libreswan version 4.
- Use new Libreswan version 4.9.
- Compilation of Libreswan 4.9 on Ubuntu 18.04 requires newer
versions of NSS packages. They are installed in a similar way
as apply_ubuntu1804_nss_fix in ikev2setup.sh.
Ref: https://github.com/libreswan/libreswan/issues/892
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
the client certificate validity period (in months). Must be an integer
between 1 and 120. Default value is 120. Users can define it as an
environment variable when setting up IKEv2 in auto mode, or when
adding a new IKEv2 client using "--addclient".
- Improve security by removing support for modp1536 (DH group 5),
which is less secure and rarely used by VPN clients. To do this,
we specify modp2048 on the "ike=" line in ipsec.conf.
- Improve security by removing support for modp1024 (DH group 2),
which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
Android users should instead connect using IKEv2 mode (recommended).
- Instead of finding the server's public IP, use the IP address
on the default route if it is not a private IP. This makes VPN
setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
- Only enable TCP BBR congestion control if the server's Linux kernel
version is 4.20 or newer.
- BBR requires the "fq" qdisc for older kernels < 4.20. That setting
may not take effect on existing network interfaces without a reboot.
- References:
https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md0bb9d90
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
interactively using "sudo ikev2.sh" after VPN setup.
- IKEv2 mode uses retransmit-timeout instead of dpdtimeout.
- Increase timeouts from 120s to 300s, so that the VPN server can
keep the VPN connection open if the client's network is unstable.
