hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

VPN_CONFIG_PROTECT password invalid #432

Closed lewtopia closed 3 months ago

lewtopia commented 3 months ago

Describe the issue

Even when VPN_CONFIG_PROTECT is set to NO, the produced certificates are password protected.

When examining the vpnuser.mobileconfig file in an editor, the certificate section does display a password key / value, but this string is not the password, as it fails to open the certificate.

How or where to find the password that is generated to config protect the certificates?

To Reproduce

Steps to reproduce the behavior:

  1. follow instructions

Expected behavior

  1. reveal the certificate password

  OR

  2. DON'T password protect certificates


hwdsl2 commented 3 months ago

@lewtopia Hello! Apple devices require .mobileconfig files to have a password when importing. The password cannot be blank. As a result, this project handles this password in the following way. There are two cases:

  1. If VPN_PROTECT_CONFIG is NOT set to yes (or not set), a random password is generated to protect the .mobileconfig file, and that password is embedded in the .mobileconfig file itself. Apple devices will retrieve the password from the file automatically when importing, and will not ask the user for the password during import. In your issue description, you are probably referring to this password. It is the password used when encrypting the certificate in the file.
  2. If VPN_PROTECT_CONFIG is set to yes, a random password is generated to protect the .mobileconfig files, but the password is NOT embedded in the .mobileconfig files. To retrieve the generated password, first open a Bash shell inside the container, then run cat /etc/ipsec.d/.vpnconfig. If this file does not exist, this case (2) does not apply to you, see (1) above instead.

    Note that if VPN_PROTECT_CONFIG was previously set to yes, changing it to no at a later time will not remove the password. If you want to remove the password for newly generated client configuration files, remove /etc/ipsec.d/.vpnconfig inside the container, then run sudo ikev2.sh to re-create the client configuration.
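To tell which of the two cases above a generated profile falls under, the stdlib-only inspector below parses a .mobileconfig and reports whether its PKCS#12 payload carries an embedded `Password` key. This is an added example, not the project's own code; the sample profile it builds is constructed inline and its PayloadContent is placeholder bytes, not a real PKCS#12 blob.

```python
"""Inspect an Apple .mobileconfig profile and report how its PKCS#12
certificate payload is protected (added example, not project code)."""
import plistlib

PKCS12_TYPE = "com.apple.security.pkcs12"


def pkcs12_protection(profile_bytes: bytes) -> dict:
    """Classify the PKCS#12 payloads of a profile.

    Case 1 (VPN_PROTECT_CONFIG not 'yes'): each PKCS#12 payload carries a
    non-empty 'Password' key, so the device imports it without prompting.
    Case 2 (VPN_PROTECT_CONFIG=yes): no 'Password' key; the password lives
    in /etc/ipsec.d/.vpnconfig inside the container and is typed on import.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PKCS12_TYPE]
    passwords = {p.get("Password") for p in payloads}
    # An absent or blank password means the device will have to prompt.
    embedded = bool(payloads) and all(pw for pw in passwords)
    password = next(iter(passwords)) if embedded and len(passwords) == 1 else None
    return {"count": len(payloads), "embedded": embedded, "password": password}


def make_profile(password):
    """Build a minimal constructed .mobileconfig; identifiers are placeholders."""
    cert = {"PayloadType": PKCS12_TYPE,
            "PayloadIdentifier": "example.vpn.pkcs12",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "PayloadVersion": 1,
            # Constructed placeholder; a real profile holds the PKCS#12 bytes here.
            "PayloadContent": b"\x30\x82placeholder-not-a-real-pkcs12"}
    if password is not None:
        cert["Password"] = password
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.vpn", "PayloadDisplayName": "VPN",
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",
               "PayloadContent": [cert]}
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for pw in ("s3cret-random", None):
        print(pkcs12_protection(make_profile(pw)))
```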

Jayucrol commented 2 months ago

I think I found the problem: check whether your mirror version is old, and if so, update it to the latest version. Because of Aliyun's image registry, I pulled an image from two years ago, which caused the same problem as yours. Today I changed the image registry, and the updated version solved it.