Hacker News

For an easier way, try Algo. Algo is a set of Ansible scripts that helps you deploy a fully functional StrongSwan IPSEC server with the most secure settings available:

https://github.com/trailofbits/algo

It even generates Apple profiles to auto configure your iPhone!



I have a simple bash script that does something similar, including the Apple profile, and also gets you a Let's Encrypt server cert that auto-renews.

https://github.com/jawj/IKEv2-setup


Bash is not idempotent, using a public CA has downsides, and MSCHAP has known weaknesses that make the crypto easier to bruteforce.


Right. On the other hand, a Bash script has a low barrier to entry, it's handy not to have to install certificates on the client, and the highest possible security is not always top priority (if, for example, you're just trying to evade your government's illiberal bulk domain/IP address collection policies). Swings and roundabouts, I'd say.



