- Add variables VPN_DNS_SRV1 and VPN_DNS_SRV2, for specifying custom DNS
servers when running the IKEv2 script in auto mode. Example:
VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
- Add a variable VPN_DNS_NAME, which can be defined when running the
IKEv2 script in auto mode, to set up IKEv2 using a DNS name instead
of an IP address for the VPN server. The DNS name must be a fully
qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com bash ikev2.sh --auto
- Minor cleanup
- Improve output for the VPN setup and upgrade scripts. The outputs
of the scripts are now significantly reduced and only include the
most useful information for users.
- Other minor cleanup
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
connect simultaneously to the VPN server. Note that before this fix,
this issue only occurs when using an IP address (instead of a DNS name)
for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
when checking connections. A local ID with '@' prefix has type ID_FQDN,
which does not match the ID_IPV4_ADDR type that the peer expects. This
prevents connection switching from working correctly for the scenario
above. Removing the prefix fixed the issue.
- Fixes#924
- Improvement: If the script is run using sudo, export the VPN client
config files to the user's home directory instead of "/root", and set
owner/group so that users can more easily download the config files.
- Add a command-line option to remove IKEv2
- Change the error to a warning when option '--auto' is specified after
IKEv2 setup
- Other minor improvements
- New: Users can now specify '--addclient [client name]' or
'--exportclient [client name]' command-line arguments to automatically
add or export an IKEv2 client using default options.
- Show script usage when '-h' or '--help' is specified.
- Other minor improvements
- For the Ubuntu 18.04 NSS bug fix, use mirrors.kernel.org, which
is an Ubuntu mirror that supports HTTPS, instead of HTTP-only
security.ubuntu.com
- Minor fix: When uninstalling IKEv2, delete keys in addition to
certificates from the IPsec database
- New feature: Export configuration for an existing IKEv2 client
- If IKEv2 has already been set up, users can now choose from a menu to
either add a new client or export configuration for an existing client
- New feature: The IKEv2 helper script can now be run in "auto mode",
which sets up IKEv2 using default options, no user input needed.
To use this mode, add command-line parameter "--auto"
- Refactor entire script to remove duplicate code, improve structure
and make it easier to read and maintain
- Add check for Libreswan version
- Update tests
- New feature: For macOS and iOS clients, the IKEv2 helper script
can now create .mobileconfig files to simplify client setup
and improve VPN performance with ciphers such as AES-GCM.
- New feature: VPN On Demand is now supported on macOS and iOS.
See https://git.io/ikev2 for more details.
- The script no longer exports the IKEv2 VPN CA certificate, since
.mobileconfig support has been added.
- A random password is now generated for the .p12 and .mobileconfig
files, and displayed on the screen when finished. User input is
no longer required for this password.
- Check for latest supported Libreswan version, and remind users who use
a non-latest version of the VPN scripts that they can upgrade
- Other minor improvements
- CentOS 6 was EOL as of Nov. 30, 2020, and the default yum repos are
no longer available for installing new packages
Ref: https://wiki.centos.org/About/Product
- Remove workaround for EPEL repo issues (bff3fe5)
- "yum makecache" may have higher disk space requirements that could
cause issues on systems with low free disk space
- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
only one or both alternative DNS servers
- Optimize VPN ciphers and their order for improved security and
compatibility with different OS. Remove 3DES algorithm
- Change 'sha2-truncbug' from 'yes' to 'no'
- Update docs
- Replace all occurrences when updating /etc/ipsec.conf
- Prompt the user to edit manually if more than one modecfgdns1= or
modecfgdns= line is present
