forked from jawj/IKEv2-setup
Added key-based SSH auth instructions now that this is supported
Showing 1 changed file with 14 additions and 4 deletions.
@@ -44,18 +44,28 @@ Configuration files, scripts and instructions are sent by email. They are also d | |
|
||
## How? | ||
|
||
* _Either:_ Pick a domain name for the VPN server and **ensure that it already resolves to the correct IP** by creating the appropriate A record in the DNS and making sure it has propagated. _Let's Encrypt_ needs this in order to create your server certificate. | ||
|
||
_Or:_ Choose to rely on an automatic DNS name from [sslip.io](https://sslip.io/) of the form _nnn.nnn.nnn.nnn.sslip.io_, which will be used automatically if you omit to enter a hostname when prompted by the script. | ||
|
||
* Start with a clean Ubuntu 18.04 Server installation. | ||
|
||
* _Either:_ Pick a domain name for the VPN server and **ensure that it already resolves to the correct IP** by creating the appropriate A record in the DNS and making sure it has propagated. _Let's Encrypt_ needs this in order to create your server certificate. | ||
* Optionally, set up [key-based SSH authentication](https://help.ubuntu.com/community/SSH/OpenSSH/Keys) (alternatively, this may have been handled automatically by your server provider, or you may choose to stick with password-based authentication). This may require you to run some or all of the following commands, with appropriate substitutions, on the machine you're going to be logging in from: | ||
|
||
ssh-keygen -t ed25519 -C "[email protected]" # if you need a new key, ed25519 is the latest and possibly most secure option | ||
ssh-keygen -t rsa -b 4096 -C "[email protected]" # alternatively, use RSA and go (4,096 bits) large | ||
|
||
* _Or:_ Choose to rely on an automatic DNS name from [sslip.io](https://sslip.io/) of the form _nnn.nnn.nnn.nnn.sslip.io_, which will be used automatically if you omit to enter a hostname when prompted by the script. | ||
ssh [email protected] # if your host forces a password change before anything else (e.g. Hetzner), do it now, then exit | ||
ssh-copy-id -i ~/.ssh/id_ed25519 [email protected] # copy your public key over to the VPN server | ||
ssh [email protected] # log back in to the server for the next step ... | ||
|
||
* Download the script and give it execute permissions: | ||
* On your new server installation, become `root`, download the script, give it execute permissions, and run it: | ||
|
||
wget https://raw.githubusercontent.com/jawj/IKEv2-setup/master/setup.sh | ||
chmod u+x setup.sh | ||
./setup.sh | ||
|
||
* Run `./setup.sh` as root and you'll be prompted to enter all the necessary details. **You *must* use a strong password** or passphrase for the login user, or your server *will* be compromised. | ||
* You'll be prompted to enter all the necessary details. If you are not using key-based SSH authentication, **you *must* pick a really strong password** for the login user when prompted, or your server *will* be compromised. | ||
|
||
### Troubleshooting | ||
|
||
|
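Review bot: the `ssh-copy-id -i ~/.ssh/id_ed25519 [email protected]` line only matches the first of the two `ssh-keygen` alternatives given just above it; a reader who took the RSA option will have generated `~/.ssh/id_rsa` and the copy step will not find the key. Suggest either adding a comment such as `# or ~/.ssh/id_rsa if you chose RSA` or dropping `-i` so that ssh-copy-id falls back to the default identity files. Separately, the rewritten final bullet ("If you are not using key-based SSH authentication, you must pick a really strong password") reads as if having a key in place makes the login password unimportant; that is only true once password authentication is actually disabled on the server, so the text should say whether `setup.sh` does that or whether the reader must, and keep the strong-password requirement unconditional otherwise.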