summaryrefslogtreecommitdiff
path: root/vpn
AgeCommit message (Collapse)AuthorLines
13 daysRe-enable IKE fragmentation (remove fragmentation=no)yyamashita-1/+0
Android 12 IKEv2 may handle IKE-level fragments better than IP-level fragmentation. iOS was failing with IKE fragmentation previously (ECDSA cert era) — test if RSA cert + IKE fragmentation now works for both platforms. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysForce send ISRG Root X1 via local.cacerts for Android compatyyamashita-0/+1
strongSwan skips self-signed root CAs from CERT payloads by default. Setting cacerts = chain-3.crt in the local section forces it to include ISRG Root X1 explicitly so Android 12 can complete trust chain validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysAppend issuer root CA to cert chain for Android IKEv2 compatyyamashita-0/+14
Android 12 native IKEv2 requires the presented cert chain to include a cert that is directly in the device trust store. Fetch the issuer root CA (ISRG Root X1) via AIA from the last intermediate cert and append it to server-chain.crt so strongSwan sends 4 CERT payloads: Leaf + YR1 + Root YR + ISRG Root X1 (trusted on all Android versions). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
14 daysRemove cert logic duplication from vpn/install.shyyamashita-58/+17
install.sh and renew-cert.sh had identical cert fetch/split code. install.sh now delegates to renew-cert.sh, which in turn calls deploy.sh. Flow: install.sh → renew-cert.sh → deploy.sh Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
14 daysUnify install.sh pattern: always delegate to deploy.shyyamashita-3/+3
Both hetzner-admin and vpn install.sh were calling docker compose directly instead of going through their own deploy.sh, unlike mail which already followed the correct pattern. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
14 daysSend full cert chain to fix iOS IKEv2 validationyyamashita-3/+3
iOS IKEv2 does not look up intermediates from the system trust store (unlike TLS/HTTPS). Send all 3 certs: YE1 + Root YE + cross-signed ISRG Root X2, so iOS can build the full chain through to ISRG Root X1. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Disable IKE fragmentation, use IP-level fragmentation for iOSyyamashita-1/+2
iOS may have a bug where it advertises N(FRAG_SUP) but fails to reassemble IKE fragments in IKE_AUTH responses. Switching to fragmentation=no forces the large IKE_AUTH response to be sent as a single UDP packet with IP-level fragmentation, which iOS's standard IP stack handles correctly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Send only YE1+RootYE intermediates, skip cross-signed ISRG Root X2yyamashita-0/+3
iOS 14+ and Android 11+ have ISRG Root X2 in their trust store. Sending the cross-signed ISRG Root X2 alongside the trusted self-signed version can confuse the cert path-building algorithm. Chain: leaf -> YE1 -> Root YE -> [ISRG Root X2 from trust store] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Fix VPN cert chain: split multi-cert PEM for strongSwanyyamashita-1/+18
Caddy's cert chain contains 4 certs: 1. leaf (signed by YE1) 2. YE1 (signed by Root YE) 3. Root YE (cross-signed by ISRG Root X2) 4. ISRG Root X2 (cross-signed by ISRG Root X1) iOS/Android trust ISRG Root X1 but not Root YE directly. The full cross-signed chain must be sent in IKE_AUTH. strongSwan only reads the first cert from a multi-cert PEM file, so entrypoint.sh now splits server-chain.crt into individual files in x509ca/ before starting charon. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Restore intermediate cert + reduce IKE fragment size to 512 bytesyyamashita-0/+2
iOS/Android VPN stacks don't follow AIA to download intermediate certs, so YE1 must be sent by the server for cert chain validation. The original 1236-byte IKE fragment was being dropped mid-path. Setting fragment_size=512 splits the 1776-byte IKE_AUTH into ~4 fragments of ≤560 bytes each, which should traverse any NAT/router. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Remove intermediate CA cert to fix IKE fragmentationyyamashita-1/+0
YE1 intermediate cert was inflating IKE_AUTH response to 1776 bytes, causing it to be split into 2 IKE fragments that iOS/Android clients could not reassemble. Both iOS and Android 12 (Beam Pro) have Let's Encrypt trust chain in their system store, so the intermediate cert is not needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Revert VPN file logging (caused container crash)yyamashita-9/+0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Add file logging to VPN container for diagnosticsyyamashita-0/+9
Logs to /home/yyamashita/vpn-logs/charon.log (readable without root) to diagnose iPhone IKEv2 connection failures. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Revert fragmentation=no to restore iPhone VPN connectivityyyamashita-1/+0
fragmentation=no caused IP-level fragmentation (1808-byte packets) which is blocked by mobile networks. Default IKE fragmentation (RFC 7383) works for iOS/macOS with 2 fragments. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Fix IKE fragmentation: use fragmentation=no instead of fragment_size=0yyamashita-1/+1
fragment_size=0 was interpreted as minimum fragment size (resulting in 4 tiny fragments), not disabled. fragmentation=no in swanctl.conf is the correct per-connection setting to disable IKE fragmentation entirely. The server now sends a single large UDP packet; the OS kernel handles IP fragmentation instead of the IKE layer. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Restore intermediate CA cert, disable IKE fragmentationyyamashita-0/+2
Android (XREAL Beam Pro) fails to reassemble IKE fragments even though FRAG_SUP is negotiated. IP-level fragmentation (handled by the OS kernel) works better. Removing the intermediate cert broke macOS/iOS. This config: - Sends leaf cert + YE1 intermediate (so any client can verify the chain) - fragment_size=0 disables IKE fragmentation; the 1776-byte IKE_AUTH response is sent as one large UDP packet (OS handles IP fragmentation) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Serve YE1 intermediate CA cert for Android VPN trust chainyyamashita-1/+11
Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Remove intermediate CA cert mount to fix Android IKEv2 fragmentationyyamashita-1/+0
Android (XREAL Beam Pro) advertises FRAG_SUP but fails to reassemble IKE fragments. The IKE_AUTH response was 1776 bytes (leaf + YE1 intermediate) requiring fragmentation into 2 packets. Without x509ca mount, only the leaf cert is sent (~886 bytes total), fitting in a single packet without fragmentation. Android fetches the intermediate CA (YE1) via AIA extension before tunnel setup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Fix VPN: send certificate always, split cert chain, fix entrypointyyamashita-16/+21
- swanctl.conf.tpl: send_cert = always (fix Android cert verification failure) - docker-compose.yml: mount intermediate CAs to /etc/swanctl/x509ca/ - install.sh: split server.crt into leaf + chain for proper chain distribution - entrypoint.sh: run charon directly for Docker log visibility, fix sysctl error handling, fix charon binary path - strongswan.conf: increase IKE log level to 4 for debugging Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Fix VPN entrypoint: handle sysctl read-only in host network modeyyamashita-3/+7
network_mode: host では /proc/sys への書き込みが制限されるため、 sysctl の失敗を無視してホスト側の設定値を確認するよう変更。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Add strongSwan IKEv2 VPN serviceyyamashita-0/+221
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh - install.sh: Caddy 証明書流用 + コンテナ起動 - renew-cert.sh: 証明書更新 + swanctl ホットリロード - caddy/Caddyfile: vpn.yyamashita.com 追加(Let's Encrypt 証明書取得用) - post-receive: vpn/deploy.sh を追加 - setup-route53.py: WEB_SUBDOMAINS に vpn を追加 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>