Ikev2 support

client/server_scripts/ipsec/Dockerfile

@@ -0,0 +1,4 @@
+FROM amneziavpn/ipsec-server:latest
+
+RUN mkdir -p /opt/amnezia
+LABEL maintainer="AmneziaVPN"

client/server_scripts/ipsec/configure_container.sh

@@ -0,0 +1,257 @@
+#!/bin/bash
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+if [ ! -e /dev/ppp ]; then
+cat <<'EOF'
+
+Warning: /dev/ppp is missing, and IPsec/L2TP mode may not work. Please use
+         IKEv2 (https://git.io/ikev2docker) or IPsec/XAuth mode to connect.
+EOF
+fi
+
+NET_IFACE=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$')
+[ -z "$NET_IFACE" ] && NET_IFACE=$(ip -4 route list 0/0 2>/dev/null | grep -m 1 -Po '(?<=dev )(\S+)')
+[ -z "$NET_IFACE" ] && NET_IFACE=eth0
+
+
+mkdir -p /opt/src
+mkdir -p /opt/amnezia/ikev2/clients
+
+
+# Create IPsec config
+cat > /etc/ipsec.conf <<EOF
+version 2.0
+
+config setup
+  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$IPSEC_VPN_L2TP_NET,%v4:!$IPSEC_VPN_XAUTH_NET
+  uniqueids=no
+
+conn shared
+  left=%defaultroute
+  leftid=$SERVER_IP_ADDRESS
+  right=%any
+  encapsulation=yes
+  authby=secret
+  pfs=no
+  rekey=no
+  keyingtries=5
+  dpddelay=30
+  dpdtimeout=120
+  dpdaction=clear
+  ikev2=never
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
+  ikelifetime=24h
+  salifetime=24h
+  sha2-truncbug=$IPSEC_VPN_SHA2_TRUNCBUG
+
+EOF
+
+if [ "$IPSEC_VPN_DISABLE_L2TP" != "yes" ]; then
+cat >> /etc/ipsec.conf <<'EOF'
+conn l2tp-psk
+  auto=add
+  leftprotoport=17/1701
+  rightprotoport=17/%any
+  type=transport
+  also=shared
+
+EOF
+fi
+
+if [ "$IPSEC_VPN_DISABLE_XAUTH" != "yes" ]; then
+cat >> /etc/ipsec.conf <<EOF
+conn xauth-psk
+  auto=add
+  leftsubnet=0.0.0.0/0
+  rightaddresspool=$IPSEC_VPN_XAUTH_POOL
+  modecfgdns=$PRIMARY_DNS,$SECONDARY_DNS
+  leftxauthserver=yes
+  rightxauthclient=yes
+  leftmodecfgserver=yes
+  rightmodecfgclient=yes
+  modecfgpull=yes
+  cisco-unity=yes
+  also=shared
+
+EOF
+fi
+
+cat >> /etc/ipsec.conf <<'EOF'
+include /etc/ipsec.d/*.conf
+EOF
+
+if uname -r | grep -qi 'coreos'; then
+  sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
+fi
+
+if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
+  sed -i 's/^[[:space:]]\+ike-frag=/  fragmentation=/' /etc/ipsec.d/ikev2.conf
+fi
+
+
+# Create xl2tpd config
+cat > /etc/xl2tpd/xl2tpd.conf <<EOF
+[global]
+port = 1701
+
+[lns default]
+ip range = $IPSEC_VPN_L2TP_POOL
+local ip = $IPSEC_VPN_L2TP_LOCAL
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes
+EOF
+
+# Set xl2tpd options
+cat > /etc/ppp/options.xl2tpd <<EOF
++mschap-v2
+ipcp-accept-local
+ipcp-accept-remote
+noccp
+auth
+mtu 1280
+mru 1280
+proxyarp
+lcp-echo-failure 4
+lcp-echo-interval 30
+connect-delay 5000
+ms-dns $PRIMARY_DNS
+ms-dns $SECONDARY_DNS
+EOF
+
+
+# Update sysctl settings
+syt='/sbin/sysctl -e -q -w'
+$syt kernel.msgmnb=65536 2>/dev/null
+$syt kernel.msgmax=65536 2>/dev/null
+$syt net.ipv4.ip_forward=1 2>/dev/null
+$syt net.ipv4.conf.all.accept_redirects=0 2>/dev/null
+$syt net.ipv4.conf.all.send_redirects=0 2>/dev/null
+$syt net.ipv4.conf.all.rp_filter=0 2>/dev/null
+$syt net.ipv4.conf.default.accept_redirects=0 2>/dev/null
+$syt net.ipv4.conf.default.send_redirects=0 2>/dev/null
+$syt net.ipv4.conf.default.rp_filter=0 2>/dev/null
+$syt "net.ipv4.conf.$NET_IFACE.send_redirects=0" 2>/dev/null
+$syt "net.ipv4.conf.$NET_IFACE.rp_filter=0" 2>/dev/null
+
+# Create IPTables rules
+ipi='iptables -I INPUT'
+ipf='iptables -I FORWARD'
+ipp='iptables -t nat -I POSTROUTING'
+res='RELATED,ESTABLISHED'
+if ! iptables -t nat -C POSTROUTING -s "$IPSEC_VPN_L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null; then
+  $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
+  $ipi 2 -m conntrack --ctstate INVALID -j DROP
+  $ipi 3 -m conntrack --ctstate "$res" -j ACCEPT
+  $ipi 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
+  $ipi 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+  $ipi 6 -p udp --dport 1701 -j DROP
+  $ipf 1 -m conntrack --ctstate INVALID -j DROP
+  $ipf 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate "$res" -j ACCEPT
+  $ipf 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
+  $ipf 4 -i ppp+ -o ppp+ -j ACCEPT
+  $ipf 5 -i "$NET_IFACE" -d "$IPSEC_VPN_XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
+  $ipf 6 -s "$IPSEC_VPN_XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
+  $ipf 7 -s "$IPSEC_VPN_XAUTH_NET" -o ppp+ -j ACCEPT
+
+  if [ "$IPSEC_VPN_VPN_ANDROID_MTU_FIX" = "yes" ]; then
+  # Client-to-client traffic is allowed by default. To *disallow* such traffic,
+  # uncomment below and restart the Docker container.
+   $ipf 2 -i ppp+ -o ppp+ -s "$IPSEC_VPN_L2TP_NET" -d "$IPSEC_VPN_L2TP_NET" -j DROP
+   $ipf 3 -s "$IPSEC_VPN_XAUTH_NET" -d "$IPSEC_VPN_XAUTH_NET" -j DROP
+   $ipf 4 -i ppp+ -d "$IPSEC_VPN_XAUTH_NET" -j DROP
+   $ipf 5 -s "$IPSEC_VPN_XAUTH_NET" -o ppp+ -j DROP
+  fi
+
+  iptables -A FORWARD -j DROP
+  $ipp -s "$IPSEC_VPN_XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
+  $ipp -s "$IPSEC_VPN_L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
+fi
+
+
+if [ "$IPSEC_VPN_VPN_ANDROID_MTU_FIX" = "yes" ]; then
+    echo "Applying fix for Android MTU/MSS issues..."
+    iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \
+      -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
+      -j TCPMSS --set-mss 1360
+    iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \
+      -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
+      -j TCPMSS --set-mss 1360
+
+fi
+
+# Update file attributes
+touch /etc/ipsec.secrets /etc/ppp/chap-secrets /etc/ipsec.d/passwd
+chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /etc/ipsec.d/passwd
+
+
+echo
+echo "Starting IPsec service..."
+mkdir -p /run/pluto /var/run/pluto
+rm -f /run/pluto/pluto.pid /var/run/pluto/pluto.pid
+
+ipsec initnss >/dev/null
+ipsec pluto --config /etc/ipsec.conf
+
+
+# Start xl2tpd
+mkdir -p /var/run/xl2tpd
+rm -f /var/run/xl2tpd.pid
+/usr/sbin/xl2tpd -c /etc/xl2tpd/xl2tpd.conf
+
+
+################# IKEV2 ##################
+if [ "$IPSEC_VPN_DISABLE_IKEV2" != "yes" ]; then
+printf "y\n\nN\n" | certutil -z <(head -c 1024 /dev/urandom) \
+  -S -x -n "IKEv2 VPN CA" \
+  -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
+  -k rsa -g 3072 -v 120 \
+  -d sql:/etc/ipsec.d -t "CT,," -2
+
+certutil -z <(head -c 1024 /dev/urandom) \
+   -S -c "IKEv2 VPN CA" -n "$SERVER_IP_ADDRESS" \
+   -s "O=IKEv2 VPN,CN=$SERVER_IP_ADDRESS" \
+   -k rsa -g 3072 -v 120 \
+   -d sql:/etc/ipsec.d -t ",," \
+   --keyUsage digitalSignature,keyEncipherment \
+   --extKeyUsage serverAuth \
+   --extSAN "ip:$SERVER_IP_ADDRESS,dns:$SERVER_IP_ADDRESS"
+
+cat > /etc/ipsec.d/ikev2.conf <<EOF
+conn ikev2-cp
+  left=%defaultroute
+  leftcert=$SERVER_IP_ADDRESS
+  leftid=$SERVER_IP_ADDRESS
+  leftsendcert=always
+  leftsubnet=0.0.0.0/0
+  leftrsasigkey=%cert
+  right=%any
+  rightid=%fromcert
+  rightaddresspool=192.168.43.10-192.168.43.250
+  rightca=%same
+  rightrsasigkey=%cert
+  narrowing=yes
+  dpddelay=30
+  dpdtimeout=120
+  dpdaction=clear
+  auto=add
+  ikev2=insist
+  rekey=no
+  pfs=no
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  ikelifetime=24h
+  salifetime=24h
+  encapsulation=yes
+  modecfgdns=$PRIMARY_DNS,$SECONDARY_DNS
+EOF
+
+ ipsec auto --add ikev2-cp
+else
+ ipsec auto --delete ikev2-cp
+fi # if [ "$IPSEC_VPN_DISABLE_IKEV2" != "yes" ]

client/server_scripts/ipsec/run_container.sh

@@ -0,0 +1,7 @@
+sudo docker run \
+    --restart=always \
+    -p 500:500/udp \
+    -p 4500:4500/udp \
+    -d --privileged \
+    --name $CONTAINER_NAME $CONTAINER_NAME
+

client/server_scripts/wireguard/template.conf

@@ -1,6 +1,6 @@
 [Interface]
 Address = 10.8.1.2/32
-DNS = 1.1.1.1, 1.0.0.1
+DNS = $PRIMARY_DNS, $SECONDARY_DNS
 PrivateKey = $WIREGUARD_CLIENT_PRIVATE_KEY
 
 [Peer]