- Update client config file generation code due to a recent change
on Ubuntu 20.04: The libnss3 package was recently updated to
version 3.98 on Ubuntu 20.04, which requires these changes to the
IKEv2 script.
Ref: https://packages.ubuntu.com/focal/libnss3
- When using the IKEv2 change server address script on Docker,
update the IKEv2 setup log with the new server address, so that
it can be displayed in the container logs after a restart.
- Improve the optional VPN On Demand feature on macOS and iOS.
Connect only on WiFi networks (instead of any network), with
captive portal detection. This is the most common use case.
- Support upgrading to Libreswan 4.9.
- Compilation of Libreswan 4.9 on Ubuntu 18.04 requires newer
versions of NSS packages. They are installed in a similar way
as apply_ubuntu1804_nss_fix in ikev2setup.sh.
Ref: https://github.com/libreswan/libreswan/issues/892
- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
the client certificate validity period (in months). Must be an integer
between 1 and 120. Default value is 120. Users can define it as an
environment variable when setting up IKEv2 in auto mode, or when
adding a new IKEv2 client using "--addclient".
- Improve security by removing support for modp1536 (DH group 5),
which is less secure and rarely used by VPN clients. To do this,
we specify modp2048 on the "ike=" line in ipsec.conf.
- Improve security by removing support for modp1024 (DH group 2),
which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
Android users should instead connect using IKEv2 mode (recommended).
- Instead of finding the server's public IP, use the IP address
on the default route if it is not a private IP. This makes VPN
setup slightly faster by skipping IP detection.
- Add a fallback URL for finding the server's public IP.
- Cleanup
- Add an option to skip IKEv2 setup when installing the IPsec VPN.
Example: sudo VPN_SKIP_IKEV2=yes sh vpn.sh
- This allows users to set up an IKEv1-only VPN, or install IKEv2
interactively using "sudo ikev2.sh" after VPN setup.
- Make the VPN setup scripts work on Kali Linux (based on Debian).
- Update IKEv2 helper script to check for OpenSSL 3 first when
exporting the .p12 file.
