mirror of
https://github.com/jawj/IKEv2-setup.git
synced 2025-11-01 05:53:48 +00:00
Updates for Ubuntu 24.04
@@ -17,11 +17,11 @@
## What?
A Bash script that takes Ubuntu Server 22.04, 20.04 or 18.04 LTS from clean install to production-ready IKEv2 VPN with strongSwan. Comments and pull requests welcome. It may still work on older Ubuntu versions back to 16.10 if you remove the version check, but these are not tested.
A Bash script that takes Ubuntu Server LTS versions 18.04 - 24.04 from clean install to fully-configured IKEv2 VPN using strongSwan. Comments and pull requests welcome.
### VPN server
* The VPN server identifies itself with a _Let's Encrypt_ certificate, so there's no need for clients to install private certificates — they can simply authenticate with username and strong password (EAP-MSCHAPv2).
* The VPN server identifies itself with a _Let's Encrypt_ certificate, so there's no need for clients to install private certificates — they can simply authenticate with a username and strong password (EAP-MSCHAPv2).
* The preferred cipher set is the US [Commercial National Security Algorithm Suite (CNSA)](https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_commercial_national_security_algorithm_suite): `aes256gcm16-prfsha384-ecp384`. However, due to an apparent bug in recent versions of macOS, `aes256gcm16-prfsha256-ecp256` is also accepted.
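Review bot: the new wording "LTS versions 18.04 - 24.04" in the What? paragraph reads as a continuous range, but the version check in setup.sh (the `UBUNTUVERSION` hunk further down this page) accepts only the exact strings 18.04, 20.04, 22.04 and 24.04, so any other release string still aborts; listing them explicitly, e.g. "Ubuntu Server 18.04, 20.04, 22.04 or 24.04 LTS", keeps the README and the check saying the same thing. The dropped sentence about older versions possibly working if the version check is removed was the only place that said such versions are untested, yet the script's abort message still tells users to try deleting the check; either keep that caveat here or take the hint out of the message as well.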
@@ -51,7 +51,11 @@ Configuration files, scripts and instructions are sent by email. They are also d
_Don't want to use your own domain name here? You could try using the reverse DNS name provided by your server host, or an automatic IP/DNS alias service such as [sslip.io](https://sslip.io/), [xip.io](http://xip.io), [nip.io](https://nip.io), [s.test.cab](https://s.test.cab), or [xip.lhjmmc.cn](https://xip.lhjmmc.cn/) (earlier versions of this script used an [sslip.io](https://sslip.io/) address by default). However, these options may fall foul of Let's Encrypt's per-domain rate limit of [50 certificates per week](https://letsencrypt.org/docs/rate-limits/). Note that ephemeral AWS domain names like `ec2-34-267-212-76.compute-1.amazonaws.com` [are not accepted by Let's Encrypt](https://community.letsencrypt.org/t/policy-forbids-issuing-for-name-on-amazon-ec2-domain/12692)._
2. Start with a clean Ubuntu Server installation. The cheapest VPSs offered by Linode, OVH, vps.ag, Google, AWS Lightsail, Hetzner and Vultr, and Scaleway's ARM64-2GB, have all been tested working. On Scaleway, unblock SMTP ports in the admin panel and *hard* reboot the server first, or your configuration email will not be delivered. On Vultr, port 25 may also be blocked, but you won't know, and the only way to fix it is to open a support ticket.
2. Start with a clean Ubuntu Server installation. The cheapest VPSs offered by Linode, OVH, vps.ag, Google, AWS Lightsail, Hetzner, Vultr, Scaleway's ARM64-2GB, and Oracle's VM.Standard.E2.1.Micro (AMD) have all been tested working.
* On Scaleway, unblock SMTP ports in the admin panel and *hard* reboot the server first, or your configuration email will not be delivered.
* On Vultr, port 25 may also be blocked, but you won't know, and the only way to fix it is to open a support ticket.
* On Oracle you'll need to enable network ingress for TCP on port 80 (for Let's Encrypt) and on any custom SSH port you choose, and for UDP on ports 500 and 4500 (for the VPN) in the interface for the relevant VNIC. Egress on port 25 is always blocked unlesss you file a ticket to open it.
3. Optionally, set up [key-based SSH authentication](https://help.ubuntu.com/community/SSH/OpenSSH/Keys) (alternatively, this may have been handled automatically by your server provider, or you may choose to stick with password-based authentication). This may require you to run some or all of the following commands, with appropriate substitutions, on the machine you're going to be logging in from:
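Review bot: typo "unlesss" in the new Oracle bullet. The same bullet lists the ingress rules a reader must add (TCP 80 for Let's Encrypt, UDP 500 and 4500 for IKEv2) but only mentions "any custom SSH port you choose", so someone who keeps the default port is left to guess; "port 22 or any custom SSH port you choose" covers both cases. Since these three provider bullets are meant to hang off step 2, make sure they are indented under it in the Markdown source so they render as a sub-list instead of terminating the numbered list before step 3.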
@@ -178,4 +182,3 @@ More on IKEv2 at https://www.cl.cam.ac.uk/~mas90/resources/strongswan/ and https
### Why not Algo?
Feel free to use [Algo](https://github.com/trailofbits/algo) instead. It has similar aims, and now configures [WireGuard](https://www.wireguard.com/) too. However, it has many more moving parts, and requires several local installation steps before you even start setting up your VPN. This script is intended to be much simpler.
@@ -18,7 +18,8 @@ UBUNTUVERSION=$(lsb_release -rs)
[[ "${UBUNTUVERSION}" == "18.04" ]] \
|| [[ "${UBUNTUVERSION}" == "20.04" ]] \
|| [[ "${UBUNTUVERSION}" == "22.04" ]] \
|| exit_badly "This script is for Ubuntu 18.04/20.04/22.04 only: aborting (if you know what you're doing, try deleting this check)"
|| [[ "${UBUNTUVERSION}" == "24.04" ]] \
|| exit_badly "This script is for Ubuntu 18.04/20.04/22.04/24.04 only: aborting (if you know what you're doing, try deleting this check)"
[[ $(id -u) -eq 0 ]] || exit_badly "Please run this script as root (e.g. sudo ./path/to/this/script)"
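Review bot: the accepted-version list is now repeated in the four `[[ ... ]]` tests and again in the `exit_badly` message, and this change had to edit both places; a single `case` keeps them together and makes the next release a one-token change, e.g. `case "${UBUNTUVERSION}" in 18.04|20.04|22.04|24.04) ;; *) exit_badly "This script is for Ubuntu 18.04/20.04/22.04/24.04 only: aborting (if you know what you're doing, try deleting this check)" ;; esac`. Worth noting too that if `lsb_release` is not installed, `UBUNTUVERSION` is simply empty and the user sees the same "is for Ubuntu ... only" message, which points them in the wrong direction; reading `VERSION_ID` from /etc/os-release instead avoids that dependency on the lsb-release package.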