
Merge branch 'hwdsl2:master' into master

This commit is contained in:
Leo Liu 2022-02-15 16:59:55 +09:00 committed by GitHub
commit 06636ae7c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
26 changed files with 961 additions and 397 deletions


@ -17,7 +17,7 @@ assignees: ''
- [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself
<!---
If you need help with IPsec VPN itself, please see [Bugs & Questions](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#bugs--questions). Ask VPN-related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or search e.g. [Stack Overflow](https://stackoverflow.com/questions/tagged/vpn).
If you need help with IPsec VPN itself, please see [Feedback & Questions](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#feedback--questions). Ask VPN-related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or search e.g. [Stack Overflow](https://stackoverflow.com/questions/tagged/vpn).
--->
**Describe the issue**


@ -39,7 +39,8 @@ jobs:
$wg vpnsetup_amzn.sh "$gi/vpnsetup-amzn"
$wg vpnsetup_ubuntu.sh "$gi/vpnsetup-ubuntu"
$wg vpnsetup_alpine.sh "$gi/vpnsetup-alpine"
$wg quickstart.sh "$gi/vpnquickstart"
$wg quickstart.sh "$gi/vpnstart"
$wg quickstart_.sh "$gi/vpnquickstart"
$wg ikev2setup.sh "$gi/ikev2setup"
$wg vpnupgrade.sh "$gi/vpnupgrade"
$wg vpnupgrade_centos.sh "$gi/vpnupgrade-centos"
@ -68,6 +69,7 @@ jobs:
diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh
diff vpnsetup_alpine.sh ../vpnsetup_alpine.sh
diff quickstart.sh ../extras/quickstart.sh
diff quickstart_.sh ../extras/quickstart.sh
diff ikev2setup.sh ../extras/ikev2setup.sh
diff vpnupgrade.sh ../extras/vpnupgrade.sh
diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh


@ -22,11 +22,19 @@ jobs:
env:
OS_VERSION: ${{ matrix.os_version }}
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0
with:
persist-credentials: false
- name: Build
run: |
mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
mkdir -p scripts/extras
ls -ld "$GITHUB_WORKSPACE/vpnsetup.sh"
cp -f "$GITHUB_WORKSPACE"/*.sh scripts/
cp -f "$GITHUB_WORKSPACE"/extras/*.sh scripts/extras/
cat > run.sh <<'EOF'
#!/bin/bash
set -eEx
@ -71,11 +79,12 @@ jobs:
echo
}
cd /opt/src
yum -y -q update
yum -y -q install wget rsyslog
systemctl start rsyslog
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
cp -f /opt/src/scripts/vpnsetup.sh .
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh
sh vpnsetup.sh
@ -102,7 +111,7 @@ jobs:
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall
cp -f /opt/src/scripts/extras/vpnuninstall.sh ./vpnunst.sh
bash vpnunst.sh <<ANSWERS
y
ANSWERS
@ -111,7 +120,7 @@ jobs:
mkdir /etc/xl2tpd
fi
wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart
cp -f /opt/src/scripts/extras/quickstart.sh .
sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \
-e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh
@ -151,9 +160,9 @@ jobs:
fi
if [ "$1" != "amazon" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
cp -f /opt/src/scripts/vpnsetup_centos.sh ./vpnsetup.sh
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-amzn
cp -f /opt/src/scripts/vpnsetup_amzn.sh ./vpnsetup.sh
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
@ -190,7 +199,7 @@ jobs:
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup # hwdsl2
cp -f /opt/src/scripts/extras/ikev2setup.sh ./ikev2.sh # hwdsl2
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
@ -199,13 +208,15 @@ jobs:
y
ANSWERS
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient.p12
restart_ipsec
grep pluto "$log1" | tail -n 20
@ -217,22 +228,26 @@ jobs:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
3
@ -345,6 +360,8 @@ jobs:
ANSWERS
restart_ipsec
rm -f /etc/ipsec.d/vpnclient*
bash ikev2.sh <<ANSWERS
y
invalidfqdn
@ -357,6 +374,7 @@ jobs:
invaliddns
1.0.0.1
y
ANSWERS
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
@ -364,10 +382,21 @@ jobs:
restart_ipsec
ipsec status | grep -q ikev2-cp
config_file="/etc/ipsec.d/.vpnconfig"
p12_pw=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient.p12
bash ikev2.sh --addclient vpnclient2
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --exportclient vpnclient2
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" && exit 1
restart_ipsec
bash ikev2.sh <<ANSWERS
@ -380,7 +409,8 @@ jobs:
y
1.1.1.1
y
ANSWERS
grep -q 'leftid=1.2.3.4' /etc/ipsec.d/ikev2.conf
@ -407,17 +437,18 @@ jobs:
restart_ipsec
bash ikev2.sh --auto
grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" && exit 1
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
cp -f /opt/src/scripts/extras/vpnupgrade.sh ./vpnup.sh
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh
for ver in 4.4 ""; do
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
@ -427,16 +458,16 @@ jobs:
done
if [ "$1" != "amazon" ]; then
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-centos
cp -f /opt/src/scripts/extras/vpnupgrade_centos.sh ./vpnup.sh
else
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-amzn
cp -f /opt/src/scripts/extras/vpnupgrade_amzn.sh ./vpnup.sh
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnup.sh
for ver in 4.5 ""; do
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
@ -482,6 +513,7 @@ jobs:
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
COPY scripts/ /opt/src/scripts/
COPY ./run.sh /opt/src/run.sh
RUN chmod 755 /opt/src/run.sh
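Review bot: `p12_pw` in the `config_file` hunk comes from a grep/tail/cut/sed pipeline that silently yields an empty string if the `IKEV2_CONFIG_PASSWORD=` line is absent or formatted differently, and nothing checks it before the three `pk12util -W "$p12_pw" -l` calls, so a regression there would only surface as an opaque NSS error on the wrong line. I would add `[ -n "$p12_pw" ] || { echo "IKEV2_CONFIG_PASSWORD not found in $config_file" >&2; exit 1; }` directly after the assignment. Separately, run.sh runs under `set -eEx` (first hunk), so the generated password is traced into the job log and is visible in argv to pk12util; acceptable for a throwaway CI container, but worth a one-line comment such as `# throwaway test credential; traced by set -x` so nobody copies the pattern into a real script. The run.sh heredoc these lines appear to belong to starts before this hunk and ends outside it.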


@ -23,6 +23,9 @@ jobs:
image: ${{ matrix.os_version }}
options: --cap-add=NET_ADMIN --device=/dev/ppp
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0
with:
persist-credentials: false
- name: Test
run: |
set -ex
@ -70,6 +73,7 @@ jobs:
mkdir -p /opt/src
cd /opt/src
ls -ld "$GITHUB_WORKSPACE/vpnsetup.sh"
echo "# hwdsl2" > run.sh
if [ "$os_type" = "alpine" ]; then
@ -83,7 +87,7 @@ jobs:
service rsyslog start
fi
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
cp -f "$GITHUB_WORKSPACE"/vpnsetup.sh .
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh
sh vpnsetup.sh
@ -115,7 +119,7 @@ jobs:
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall
cp -f "$GITHUB_WORKSPACE"/extras/vpnuninstall.sh ./vpnunst.sh
bash vpnunst.sh <<ANSWERS
y
ANSWERS
@ -126,7 +130,7 @@ jobs:
killall xl2tpd || true
fi
wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart
cp -f "$GITHUB_WORKSPACE"/extras/quickstart.sh .
sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \
-e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh
@ -172,9 +176,9 @@ jobs:
fi
if [ "$os_type" = "alpine" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-alpine
cp -f "$GITHUB_WORKSPACE"/vpnsetup_alpine.sh ./vpnsetup.sh
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu
cp -f "$GITHUB_WORKSPACE"/vpnsetup_ubuntu.sh ./vpnsetup.sh
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
@ -214,7 +218,7 @@ jobs:
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup
cp -f "$GITHUB_WORKSPACE"/extras/ikev2setup.sh ./ikev2.sh
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
@ -223,13 +227,15 @@ jobs:
y
ANSWERS
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient.p12
restart_ipsec
grep pluto "$log1" | tail -n 20
@ -241,22 +247,26 @@ jobs:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
pk12util -W "" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
3
@ -374,6 +384,8 @@ jobs:
ANSWERS
restart_ipsec
rm -f /etc/ipsec.d/vpnclient*
bash ikev2.sh <<ANSWERS
y
invalidfqdn
@ -386,6 +398,7 @@ jobs:
invaliddns
1.0.0.1
y
ANSWERS
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
@ -393,10 +406,21 @@ jobs:
restart_ipsec
ipsec status | grep -q ikev2-cp
config_file="/etc/ipsec.d/.vpnconfig"
p12_pw=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient.p12
bash ikev2.sh --addclient vpnclient2
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --exportclient vpnclient2
pk12util -W "$p12_pw" -l /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" && exit 1
restart_ipsec
bash ikev2.sh <<ANSWERS
@ -409,7 +433,8 @@ jobs:
y
1.1.1.1
y
ANSWERS
grep -q 'leftid=1.2.3.4' /etc/ipsec.d/ikev2.conf
@ -436,11 +461,12 @@ jobs:
restart_ipsec
bash ikev2.sh --auto
grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" && exit 1
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
cp -f "$GITHUB_WORKSPACE"/extras/vpnupgrade.sh ./vpnup.sh
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh
[ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4
@ -450,7 +476,7 @@ jobs:
fi
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
@ -460,9 +486,9 @@ jobs:
done
if [ "$os_type" = "alpine" ]; then
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-alpine
cp -f "$GITHUB_WORKSPACE"/extras/vpnupgrade_alpine.sh ./vpnup.sh
else
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-ubuntu
cp -f "$GITHUB_WORKSPACE"/extras/vpnupgrade_ubuntu.sh ./vpnup.sh
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnup.sh
@ -472,7 +498,7 @@ jobs:
fi
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
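Review bot: The `cp -f "$GITHUB_WORKSPACE"/vpnsetup.sh .` lines now test the checked-out wrapper, but the `sed -i '/curl /a ...' "$tmpdir/vpn.sh"` edit immediately after them indicates vpnsetup.sh (and likewise quickstart.sh and vpnupgrade.sh) still downloads its inner script at run time, so that part of the job appears to exercise whatever the shortlink currently resolves to rather than this commit, and a failure there may come from upstream rather than the change under test. If that fetch cannot be pointed at the workspace copy, I would at least document it at the top of the Test step, e.g. `# NOTE: vpnsetup.sh/quickstart.sh/vpnupgrade.sh still download their inner vpn.sh via git.io; only the wrapper comes from this checkout`. The `p12_pw` pipeline later in this section has the same gap as in the CentOS workflow: `[ -n "$p12_pw" ] || exit 1` before the first `pk12util -W "$p12_pw" -l` would make a missing `IKEV2_CONFIG_PASSWORD=` line fail clearly instead of via an NSS error. The Test step's run block starts before the first hunk and continues past the last.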


@ -21,8 +21,8 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
- [升级Libreswan](#升级libreswan)
- [管理 VPN 用户](#管理-vpn-用户)
- [高级用法](#高级用法)
- [问题和反馈](#问题和反馈)
- [卸载说明](#卸载说明)
- [问题和反馈](#问题和反馈)
- [授权协议](#授权协议)
## 快速开始
@ -33,14 +33,24 @@ Ubuntu, Debian, CentOS/RHEL, Rocky Linux, AlmaLinux, Amazon Linux 2 或者 Alpin
使用以下命令快速搭建 IPsec VPN 服务器:
```bash
wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
```
你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。
<details>
<summary>
单击此处查看 VPN 脚本的示例输出(终端记录)。
或者,你也可以使用 curl 下载。
</summary>
```bash
curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
```
</details>
<details>
<summary>
查看 VPN 脚本的示例输出(终端记录)。
</summary>
**注:** 此终端记录仅用于演示目的。该记录中的 VPN 凭据 **无效**
@ -64,8 +74,8 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
一个专用服务器或者虚拟专用服务器 (VPS),全新安装以下操作系统之一:
- Ubuntu 20.04 (Focal) 或者 18.04 (Bionic)
- Debian 11 (Bullseye)[\*](#debian-10-note), 10 (Buster)[\*](#debian-10-note) 或者 9 (Stretch)
- Ubuntu 20.04 或者 18.04
- Debian 11[\*](#debian-10-note), 10[\*](#debian-10-note) 或者 9
- CentOS 7, Rocky Linux 8 或者 AlmaLinux 8[\*\*](#centos-8-note)
- Red Hat Enterprise Linux (RHEL) 8 或者 7
- Amazon Linux 2
@ -80,9 +90,9 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
另外,你也可以使用预构建的 [Docker 镜像](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)。高级用户可以在 [Raspberry Pi](https://www.raspberrypi.org) 上安装。[[1]](https://elasticbyte.net/posts/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/) [[2]](https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/)
<a name="debian-10-note"></a>
\* Debian 11/10 用户需要[使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。
\* Debian 11/10 用户需要 [使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。
<a name="centos-8-note"></a>
\*\* 对 CentOS Linux 8 的支持[已经结束](https://www.centos.org/centos-linux-eol/)。你可以另外使用比如 Rocky Linux 或者 AlmaLinux。
\*\* 对 CentOS Linux 8 的支持 [已经结束](https://www.centos.org/centos-linux-eol/)。你可以另外使用比如 Rocky Linux 或者 AlmaLinux。
:warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上!
@ -92,13 +102,15 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
要安装 VPN请从以下选项中选择一个
**选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示):
<details open>
<summary>
选项 1: 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。
</summary>
```bash
wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh
```
<a name="ikev2-setup-note"></a>
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
```bash
@ -107,11 +119,15 @@ sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证:
<details>
<summary>
选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。
</summary>
```bash
wget https://git.io/vpnsetup -O vpn.sh
wget https://git.io/vpnsetup -nv -O vpn.sh
nano -w vpn.sh
[替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD]
sudo sh vpn.sh
@ -119,23 +135,55 @@ sudo sh vpn.sh
**注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。
在安装成功之后,推荐 [配置 IKEv2](#ikev2-setup-note)。
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量:
```bash
# 使用默认选项配置 IKEv2
sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
<details>
<summary>
选项 3: 将你自己的 VPN 登录凭证定义为环境变量。
</summary>
```bash
# 所有变量值必须用 '单引号' 括起来
# *不要* 在值中使用这些字符: \ " '
wget https://git.io/vpnsetup -O vpn.sh
wget https://git.io/vpnsetup -nv -O vpn.sh
sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \
VPN_USER='你的VPN用户名' \
VPN_PASSWORD='你的VPN密码' \
sh vpn.sh
```
在安装成功之后,推荐 [配置 IKEv2](#ikev2-setup-note)。
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
**注:** 如果无法通过 `wget` 下载,你也可以打开 [vpnsetup.sh](vpnsetup.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl/Cmd + A` 全选, `Ctrl/Cmd + C` 复制,然后粘贴到你喜欢的编辑器。
```bash
# 使用默认选项配置 IKEv2
sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
<details>
<summary>
如果无法通过 wget 下载,点这里查看解决方案。
</summary>
你也可以使用 `curl` 下载。例如:
```bash
curl -fsSL https://git.io/vpnsetup -o vpn.sh
sudo sh vpn.sh
```
或者,打开 [vpnsetup.sh](vpnsetup.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
</details>
## 下一步
@ -157,7 +205,7 @@ sh vpn.sh
**Windows 用户** 对于 IPsec/L2TP 模式,在首次连接之前需要 [修改注册表](docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器或客户端与 NAT比如家用路由器的兼容问题。
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT比如家用路由器后面的多个设备到 VPN 服务器,你必须使用 [IKEv2](docs/ikev2-howto-zh.md) 或者 [IPsec/XAuth](docs/clients-xauth-zh.md) 模式。
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要连接在同一个 NAT比如家用路由器后面的多个设备你必须使用 [IKEv2](docs/ikev2-howto-zh.md) 或者 [IPsec/XAuth](docs/clients-xauth-zh.md) 模式。
要查看或更改 VPN 用户账户,请参见 [管理 VPN 用户](docs/manage-users-zh.md)。该文档包含辅助脚本,以方便管理 VPN 用户。
@ -174,7 +222,7 @@ sh vpn.sh
使用以下命令更新你的 VPN 服务器上的 [Libreswan](https://libreswan.org)[更新日志](https://github.com/libreswan/libreswan/blob/main/CHANGES) | [通知列表](https://lists.libreswan.org/mailman/listinfo/swan-announce))。
```bash
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
```
当前支持的 Libreswan 最新版本是 `4.6`。查看已安装版本:`ipsec --version`
@ -204,12 +252,6 @@ wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
- [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则)
- [部署 Google BBR 拥塞控制算法](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制算法)
## 问题和反馈
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。
- 如果你发现了一个可重复的程序漏洞,请提交一个 [GitHub Issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue)。
## 卸载说明
请参见 [卸载 VPN](docs/uninstall-zh.md)。
@ -217,6 +259,13 @@ wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
- [使用辅助脚本卸载 VPN](docs/uninstall-zh.md#使用辅助脚本卸载-vpn)
- [手动卸载 VPN](docs/uninstall-zh.md#手动卸载-vpn)
## 问题和反馈
- 如果你对文档或 VPN 脚本有改进建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。
- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。
- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。
- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。
## 授权协议
版权所有 (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)


@ -21,8 +21,8 @@ We will use [Libreswan](https://libreswan.org/) as the IPsec server, and [xl2tpd
- [Upgrade Libreswan](#upgrade-libreswan)
- [Manage VPN users](#manage-vpn-users)
- [Advanced usage](#advanced-usage)
- [Bugs & Questions](#bugs--questions)
- [Uninstallation](#uninstallation)
- [Feedback & Questions](#feedback--questions)
- [License](#license)
## Quick start
@ -33,14 +33,24 @@ Ubuntu, Debian, CentOS/RHEL, Rocky Linux, AlmaLinux, Amazon Linux 2 or Alpine Li
Use this one-liner to set up an IPsec VPN server:
```bash
wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
```
Your VPN login details will be randomly generated, and displayed on the screen when finished.
<details>
<summary>
Click here to see the VPN script in action (terminal recording).
Alternative one-liner using curl.
</summary>
```bash
curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
```
</details>
<details>
<summary>
See the VPN script in action (terminal recording).
</summary>
**Note:** This recording is for demo purposes only. VPN credentials in this recording are **NOT** valid.
@ -64,8 +74,8 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is
A dedicated server or virtual private server (VPS), freshly installed with one of the following OS:
- Ubuntu 20.04 (Focal) or 18.04 (Bionic)
- Debian 11 (Bullseye)[\*](#debian-10-note), 10 (Buster)[\*](#debian-10-note) or 9 (Stretch)
- Ubuntu 20.04 or 18.04
- Debian 11[\*](#debian-10-note), 10[\*](#debian-10-note) or 9
- CentOS 7, Rocky Linux 8 or AlmaLinux 8[\*\*](#centos-8-note)
- Red Hat Enterprise Linux (RHEL) 8 or 7
- Amazon Linux 2
@ -92,13 +102,15 @@ First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade
To install the VPN, please choose one of the following options:
**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished):
<details open>
<summary>
Option 1: Have the script generate random VPN credentials for you (will be displayed when finished).
</summary>
```bash
wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh
```
<a name="ikev2-setup-note"></a>
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
```bash
@ -107,11 +119,15 @@ sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
**Option 2:** Edit the script and provide your own VPN credentials:
<details>
<summary>
Option 2: Edit the script and provide your own VPN credentials.
</summary>
```bash
wget https://git.io/vpnsetup -O vpn.sh
wget https://git.io/vpnsetup -nv -O vpn.sh
nano -w vpn.sh
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpn.sh
@ -119,23 +135,55 @@ sudo sh vpn.sh
**Note:** A secure IPsec PSK should consist of at least 20 random characters.
After successful installation, it is recommended to [set up IKEv2](#ikev2-setup-note).
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
**Option 3:** Define your VPN credentials as environment variables:
```bash
# Set up IKEv2 using default options
sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
<details>
<summary>
Option 3: Define your VPN credentials as environment variables.
</summary>
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup -O vpn.sh
wget https://git.io/vpnsetup -nv -O vpn.sh
sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpn.sh
```
After successful installation, it is recommended to [set up IKEv2](#ikev2-setup-note).
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
**Note:** If unable to download via `wget`, you may also open [vpnsetup.sh](vpnsetup.sh), then click the **`Raw`** button on the right. Press `Ctrl/Cmd + A` to select all, `Ctrl/Cmd + C` to copy, then paste into your favorite editor.
```bash
# Set up IKEv2 using default options
sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
<details>
<summary>
Click here if you are unable to download using wget.
</summary>
You may also use `curl` to download. For example:
```bash
curl -fsSL https://git.io/vpnsetup -o vpn.sh
sudo sh vpn.sh
```
Alternatively, open [vpnsetup.sh](vpnsetup.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
</details>
## Next steps
@ -157,7 +205,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
**Windows users**: For IPsec/L2TP mode, a [one-time registry change](docs/clients.md#windows-error-809) is required if the VPN server or client is behind NAT (e.g. home router).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use [IKEv2](docs/ikev2-howto.md) or [IPsec/XAuth](docs/clients-xauth.md) mode.
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices from behind the same NAT (e.g. home router), you must use [IKEv2](docs/ikev2-howto.md) or [IPsec/XAuth](docs/clients-xauth.md) mode.
To view or update VPN user accounts, see [Manage VPN users](docs/manage-users.md). Helper scripts are included for convenience.
@ -174,7 +222,7 @@ The scripts will backup existing config files before making changes, with `.old-
Use this one-liner to update [Libreswan](https://libreswan.org) ([changelog](https://github.com/libreswan/libreswan/blob/main/CHANGES) | [announce](https://lists.libreswan.org/mailman/listinfo/swan-announce)) on your VPN server.
```bash
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
```
The latest supported Libreswan version is `4.6`. Check installed version: `ipsec --version`.
@ -204,12 +252,6 @@ See [Advanced usage](docs/advanced-usage.md).
- [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules)
- [Deploy Google BBR congestion control algorithm](docs/advanced-usage.md#deploy-google-bbr-congestion-control-algorithm)
## Bugs & Questions
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).
- If you found a reproducible bug, open a [GitHub Issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) to submit a bug report.
## Uninstallation
See [Uninstall the VPN](docs/uninstall.md).
@ -217,6 +259,13 @@ See [Uninstall the VPN](docs/uninstall.md).
- [Uninstall using helper script](docs/uninstall.md#uninstall-using-helper-script)
- [Manually uninstall the VPN](docs/uninstall.md#manually-uninstall-the-vpn)
## Feedback & Questions
- Have an improvement suggestion for documentation or VPN scripts? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome.
- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose).
- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread).
- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup).
## License
Copyright (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)


@ -29,7 +29,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
对于 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后VPN 会继续正常工作,虽然可能需要重启服务器。
对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,参见 [这一小节](ikev2-howto-zh.md#更改-ikev2-服务器地址)。或者,你也可以在 [配置 IKEv2](ikev2-howto-zh.md#使用辅助脚本配置-ikev2) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
@ -45,7 +45,7 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
```bash
# 下载脚本
wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
wget -nv -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
# 运行脚本并按提示操作
sudo bash ikev2onlymode.sh
```


@ -29,7 +29,7 @@ In certain circumstances, you may want VPN clients to use the specified DNS serv
For [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required.
For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, read [this section](ikev2-howto.md#change-ikev2-server-address). Alternatively, you may specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md#set-up-ikev2-using-helper-script). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
@ -45,7 +45,7 @@ To enable IKEv2-only mode, first install the VPN server and set up IKEv2 using i
```bash
# Download the script
wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
wget -nv -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
# Run the script and follow the prompts
sudo bash ikev2onlymode.sh
```


@ -107,6 +107,6 @@ Amazon Linux 2提供过经过验证的新版Linux内核并可以通过启用
# tcp_bbr 16384 0
```
## 作者
## 文档作者
版权所有 (C) 2022 [Leo Liu](https://github.com/optimusleobear)


@ -107,7 +107,7 @@ In this section, we will start Google BBR by modifying the configuration file.
# tcp_bbr 16384 0
```
## Author
## Document author
Copyright (C) 2022 [Leo Liu](https://github.com/optimusleobear)
Translated by [Lin Song](https://github.com/hwdsl2)


@ -10,6 +10,8 @@
* [管理客户端证书](#管理客户端证书)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
* [故障排除](#故障排除)
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
* [移除 IKEv2](#移除-ikev2)
* [参考链接](#参考链接)
@ -50,7 +52,7 @@ sudo ikev2.sh
如果你使用了较早版本的 VPN 安装脚本,这是正常的。首先下载 IKEv2 辅助脚本:
```bash
wget https://git.io/ikev2setup -O /opt/src/ikev2.sh
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
```
@ -58,7 +60,7 @@ chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
</details>
<details>
<summary>
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。
</summary>
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
@ -81,19 +83,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
</details>
<details>
<summary>
了解如何更新服务器上的 IKEv2 辅助脚本。
</summary>
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
</details>
<details>
<summary>
单击此处查看 IKEv2 脚本的使用信息。
查看 IKEv2 脚本的使用信息。
</summary>
```
@ -116,7 +106,7 @@ To customize IKEv2 or client options, run this script without arguments.
*其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端)。*
**注:** 客户端配置文件的密码可以在 IKEv2 辅助脚本的输出中找到。如果你想要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。
**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。
* [Windows 7, 8, 10 和 11](#windows-7-8-10-和-11)
* [OS X (macOS)](#os-x-macos)
@ -142,6 +132,8 @@ Windows 8, 10 和 11 用户可以自动导入 IKEv2 配置:
certutil -f -importpfx ".p12文件的位置和名称" NoExport
```
**注:** 如果 IKEv2 辅助脚本的输出中没有包含客户端配置文件的密码,请按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。
或者,你也可以手动导入 `.p12` 文件。详细步骤请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs)。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8, 10 和 11推荐从命令提示符运行以下命令创建 VPN 连接以达到更佳的安全性和性能。Windows 7 不支持这些命令,你可以手动创建 VPN 连接(见下面)。
@ -355,7 +347,8 @@ sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome
```bash
# 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。
# 注:你将需要输入 import password它可以在 IKEv2 辅助脚本的输出中找到。
# 注:你可能需要输入 import password它可以在 IKEv2 辅助脚本的输出中找到。
# 如果在脚本的输出中没有 import password请按回车键继续。
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
@ -432,7 +425,7 @@ sudo ikev2.sh --exportclient [client name]
首先,请阅读上面的重要说明。然后点这里查看详情。
</summary>
**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。此操作**不可撤销**
**警告:** 这将**永久删除**客户端证书和私钥。此操作**不可撤销**
如果要删除一个客户端证书:
@ -567,6 +560,11 @@ sudo ikev2.sh --revokeclient [client name]
下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
<details>
<summary>
查看手动在 Libreswan 上配置 IKEv2 的示例步骤。
</summary>
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
```bash
@ -703,7 +701,7 @@ sudo ikev2.sh --revokeclient [client name]
1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书。
**注:** 你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。
**注:** 你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。如需连接多个客户端,则必须为每个客户端生成唯一的证书。
生成客户端证书:
@ -765,6 +763,7 @@ sudo ikev2.sh --revokeclient [client name]
```
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
</details>
## 故障排除
@ -772,37 +771,25 @@ sudo ikev2.sh --revokeclient [client name]
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
* [在导入时提示密码不正确](#在导入时提示密码不正确)
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
* [参数错误 policy match error](#参数错误-policy-match-error)
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
* [其它已知问题](#其它已知问题)
### 在导入时提示密码不正确
### IKE 身份验证凭证不可接受
如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 [这里](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258)。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用以下解决方法。
<details>
<summary>
Ubuntu 18.04 上的 NSS 问题的解决方法
</summary>
### 参数错误 policy match error
**注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
首先安装更新版本的 `libnss3` 相关的软件包:
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.6_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.6_amd64.deb" \
"./libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" \
"./libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb"
```
然后重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。
</details>
### IKEv2 在一小时后断开连接
@ -817,15 +804,37 @@ apt-get -y install "./libnss3_3.49.1-1ubuntu1.6_amd64.deb" \
### 无法同时连接多个 IKEv2 客户端
如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
如果你无法同时连接同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
如果你无法连接同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
## 更新 IKEv2 辅助脚本
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## 更改 IKEv2 服务器地址
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。
```bash
# 下载脚本
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# 运行脚本并按照提示操作
sudo bash ikev2changeaddr.sh
```
**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。
## 移除 IKEv2
如果你想要从 VPN 服务器移除 IKEv2但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本配置-ikev2) 并选择 "Remove IKEv2" 选项。**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**


@ -10,6 +10,8 @@
* [Manage client certificates](#manage-client-certificates)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
* [Troubleshooting](#troubleshooting)
* [Update IKEv2 helper script](#update-ikev2-helper-script)
* [Change IKEv2 server address](#change-ikev2-server-address)
* [Remove IKEv2](#remove-ikev2)
* [References](#references)
@ -50,7 +52,7 @@ Error: "sudo: ikev2.sh: command not found".
This is normal if you used an older version of the VPN setup script. First, download the IKEv2 helper script:
```bash
wget https://git.io/ikev2setup -O /opt/src/ikev2.sh
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
```
@ -58,7 +60,7 @@ Then run the script using the instructions above.
</details>
<details>
<summary>
You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details.
You may optionally specify a DNS name, client name and/or custom DNS servers.
</summary>
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
@ -81,19 +83,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
</details>
<details>
<summary>
Learn how to update the IKEv2 helper script on your server.
</summary>
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
</details>
<details>
<summary>
Click here to view usage information for the IKEv2 script.
View usage information for the IKEv2 script.
</summary>
```
@ -116,7 +106,7 @@ To customize IKEv2 or client options, run this script without arguments.
*Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).*
**Note:** The password for client configuration files can be found in the output of the IKEv2 helper script. If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information.
**Note:** If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information.
* [Windows 7, 8, 10 and 11](#windows-7-8-10-and-11)
* [OS X (macOS)](#os-x-macos)
@ -142,6 +132,8 @@ Alternatively, you may manually import IKEv2 configuration. These steps apply to
certutil -f -importpfx "\path\to\your\file.p12" NoExport
```
**Note:** If there is no password for client config files in the output of the IKEv2 helper script, press Enter to continue, or if manually importing the `.p12` file, leave the password field blank.
Alternatively, you can manually import the `.p12` file. Click [here](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs) for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8, 10 and 11, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance. Windows 7 does not support these commands, you may manually create the VPN connection (see below).
@ -356,8 +348,9 @@ Next, securely transfer the generated `.p12` file from the VPN server to your Li
```bash
# Example: Extract CA certificate, client certificate and private key.
# You may delete the .p12 file when finished.
# Note: You will need to enter the import password, which can be found
# in the output of the IKEv2 helper script.
# Note: You may need to enter the import password, which can be found
# in the output of the IKEv2 helper script. If the output does not
# contain an import password, press Enter to continue.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
@ -434,7 +427,7 @@ sudo ikev2.sh --exportclient [client name]
First, read the important note above. Then click here for instructions.
</summary>
**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below. This **cannot be undone**!
**Warning:** The client certificate and private key will be **permanently deleted**. This **cannot be undone**!
To delete a client certificate:
@ -569,6 +562,11 @@ As an alternative to using the [helper script](#set-up-ikev2-using-helper-script
The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
<details>
<summary>
View example steps for manually configuring IKEv2 with Libreswan.
</summary>
1. Find the VPN server's public IP, save it to a variable and check.
```bash
@ -705,7 +703,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate.
**Note:** You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
**Note:** You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. To connect multiple VPN clients, you must generate a unique certificate for each.
Generate client certificate:
@ -767,6 +765,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
```
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
</details>
## Troubleshooting
@ -774,37 +773,25 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
* [Incorrect password when trying to import](#incorrect-password-when-trying-to-import)
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
* [Policy match error](#policy-match-error)
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [Other known issues](#other-known-issues)
### Incorrect password when trying to import
### IKE authentication credentials are unacceptable
If you forgot the password for client config files, you may [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more [here](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258). As of 2021-01-21, the IKEv2 helper script was updated to automatically apply the workaround below.
<details>
<summary>
Workaround for the NSS bug on Ubuntu 18.04
</summary>
### Policy match error
**Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture.
To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
First, install newer versions of `libnss3` related packages:
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.6_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.6_amd64.deb" \
"./libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" \
"./libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb"
```
After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
</details>
### IKEv2 disconnects after one hour
@ -819,15 +806,37 @@ Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helpe
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients simultaneously, you must [generate a unique certificate](#add-a-client-certificate) for each.
To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each.
If you are unable to connect multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
## Update IKEv2 helper script
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## Change IKEv2 server address
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
```bash
# Download the script
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# Run the script and follow the prompts
sudo bash ikev2changeaddr.sh
```
**Important:** After running this script, you must manually update the server address on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script).
## Remove IKEv2
If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#set-up-ikev2-using-helper-script) again and select the "Remove IKEv2" option. **Warning:** All IKEv2 configuration including certificates and keys will be **permanently deleted**. This **cannot be undone**!


@ -52,7 +52,7 @@ service xl2tpd restart
```bash
# 下载脚本
wget -O add_vpn_user.sh https://bit.ly/addvpnuser
wget -nv -O add_vpn_user.sh https://bit.ly/addvpnuser
# 运行脚本并按提示操作
sudo bash add_vpn_user.sh
```
@ -73,7 +73,7 @@ sudo bash add_vpn_user.sh '要更新的用户名' '新密码'
```bash
# 下载脚本
wget -O del_vpn_user.sh https://bit.ly/delvpnuser
wget -nv -O del_vpn_user.sh https://bit.ly/delvpnuser
# 运行脚本并按提示操作
sudo bash del_vpn_user.sh
```
@ -92,7 +92,7 @@ sudo bash del_vpn_user.sh '要删除的用户名'
```bash
# 下载脚本
wget -O update_vpn_users.sh https://bit.ly/updatevpnusers
wget -nv -O update_vpn_users.sh https://bit.ly/updatevpnusers
```
要使用这个脚本,从以下选项中选择一个:


@ -52,7 +52,7 @@ Add a new VPN user, or update an existing VPN user with a new password.
```bash
# Download the script
wget -O add_vpn_user.sh https://bit.ly/addvpnuser
wget -nv -O add_vpn_user.sh https://bit.ly/addvpnuser
# Run the script and follow the prompts
sudo bash add_vpn_user.sh
```
@ -73,7 +73,7 @@ Delete the specified VPN user.
```bash
# Download the script
wget -O del_vpn_user.sh https://bit.ly/delvpnuser
wget -nv -O del_vpn_user.sh https://bit.ly/delvpnuser
# Run the script and follow the prompts
sudo bash del_vpn_user.sh
```
@ -92,7 +92,7 @@ Remove all existing VPN users and replace with the list of users you specify.
```bash
# Download the script
wget -O update_vpn_users.sh https://bit.ly/updatevpnusers
wget -nv -O update_vpn_users.sh https://bit.ly/updatevpnusers
```
To use this script, choose one of the following options:


@ -10,7 +10,7 @@
**警告:** 此[辅助脚本](../extras/vpnuninstall.sh)将从你的服务器中删除 IPsec VPN。所有的 VPN 配置将被**永久删除**,并且 Libreswan 和 xl2tpd 将被移除。此操作**不可撤销**
```bash
wget https://git.io/vpnuninstall -O vpnunst.sh
wget https://git.io/vpnuninstall -nv -O vpnunst.sh
sudo bash vpnunst.sh
```


@ -10,7 +10,7 @@
**Warning:** This [helper script](../extras/vpnuninstall.sh) will remove IPsec VPN from your server. All VPN configuration will be **permanently deleted**, and Libreswan and xl2tpd will be removed. This **cannot be undone**!
```bash
wget https://git.io/vpnuninstall -O vpnunst.sh
wget https://git.io/vpnuninstall -nv -O vpnunst.sh
sudo bash vpnunst.sh
```


@ -107,10 +107,10 @@ Setup VPN clients: https://git.io/vpnclients
EOF
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
echo "Adding or updating VPN user..."
echo


@ -105,10 +105,10 @@ Username: $VPN_USER
EOF
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
echo "Deleting VPN user..."
echo
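Review bot: Switching the confirmation prompt to `[Y/n]` and adding `''` to the accepted pattern makes a bare Enter confirm a destructive action here: the script then proceeds to "Deleting VPN user...", so an accidental keypress now removes the account and its credentials. For a deletion, the safer convention is to keep the opt-in default, i.e. `printf "Do you want to continue? [y/N] "` and `[yY][eE][sS]|[yY])` without the empty-string alternative, reserving the yes-by-default form for non-destructive prompts. If the default-yes behaviour is deliberate for consistency with the other helper scripts, a comment such as `# Enter defaults to yes; user details were printed above for review` would make that intent explicit. The enclosing script body starts outside this hunk.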

320
extras/ikev2changeaddr.sh Executable file

@ -0,0 +1,320 @@
#!/bin/bash
#
# Script to change IKEv2 VPN server address
#
# The latest version of this script is available at:
# https://github.com/hwdsl2/setup-ipsec-vpn
#
# Copyright (C) 2022 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
bigecho() { echo "## $1"; }
check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
}
check_dns_name() {
FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX"
}
check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
}
check_os() {
os_type=centos
rh_file="/etc/redhat-release"
if grep -qs "Red Hat" "$rh_file"; then
os_type=rhel
fi
if grep -qs "release 7" "$rh_file"; then
os_ver=7
elif grep -qs "release 8" "$rh_file"; then
os_ver=8
grep -qi stream "$rh_file" && os_ver=8s
grep -qi rocky "$rh_file" && os_type=rocky
grep -qi alma "$rh_file" && os_type=alma
elif grep -qs "Amazon Linux release 2" /etc/system-release; then
os_type=amzn
os_ver=2
else
os_type=$(lsb_release -si 2>/dev/null)
[ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID")
case $os_type in
[Uu]buntu)
os_type=ubuntu
;;
[Dd]ebian)
os_type=debian
;;
[Rr]aspbian)
os_type=raspbian
;;
[Aa]lpine)
os_type=alpine
;;
*)
cat 1>&2 <<'EOF'
Error: This script only supports one of the following OS:
Ubuntu, Debian, CentOS/RHEL 7/8, Rocky Linux, AlmaLinux,
Amazon Linux 2 or Alpine Linux
EOF
exit 1
;;
esac
if [ "$os_type" = "alpine" ]; then
os_ver=$(. /etc/os-release && printf '%s' "$VERSION_ID" | cut -d '.' -f 1,2)
if [ "$os_ver" != "3.14" ] && [ "$os_ver" != "3.15" ]; then
exiterr "This script only supports Alpine Linux 3.14/3.15."
fi
else
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
fi
fi
}
check_libreswan() {
ipsec_ver=$(ipsec --version 2>/dev/null)
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: This script can only be used with an IPsec server created using:
https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
}
check_ikev2() {
if ! grep -qs "conn ikev2-cp" /etc/ipsec.d/ikev2.conf; then
cat 1>&2 <<'EOF'
Error: You must first set up IKEv2 before changing IKEv2 server address.
See: https://git.io/ikev2
EOF
exit 1
fi
}
check_utils_exist() {
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
}
abort_and_exit() {
echo "Abort. No changes were made." >&2
exit 1
}
confirm_or_abort() {
printf '%s' "$1"
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
abort_and_exit
;;
esac
}
check_cert_exists() {
certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1
}
check_ca_cert_exists() {
check_cert_exists "IKEv2 VPN CA" || exiterr "Certificate 'IKEv2 VPN CA' does not exist. Abort."
}
get_server_address() {
server_addr_old=$(grep -s "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
[ -z "$server_addr_old" ] && server_addr_old=$(grep -s "leftcert=" /etc/ipsec.conf | cut -f2 -d=)
check_ip "$server_addr_old" || check_dns_name "$server_addr_old" || exiterr "Could not get current VPN server address."
}
show_welcome() {
cat <<EOF
Welcome! Use this script to change this IKEv2 VPN server's address. A new server
certificate will be generated if necessary.
Current server address: $server_addr_old
EOF
}
get_server_ip() {
bigecho "Trying to auto discover IP of this server..."
public_ip=${VPN_PUBLIC_IP:-''}
check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
check_ip "$public_ip" || public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
}
enter_server_address() {
echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name,"
printf "e.g. vpn.example.com, instead of its IP address? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
use_dns_name=1
echo
;;
*)
use_dns_name=0
echo
;;
esac
if [ "$use_dns_name" = "1" ]; then
read -rp "Enter the DNS name of this VPN server: " server_addr
until check_dns_name "$server_addr"; do
echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
read -rp "Enter the DNS name of this VPN server: " server_addr
done
else
get_server_ip
echo
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip"
until check_ip "$server_addr"; do
echo "Invalid IP address."
read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr
[ -z "$server_addr" ] && server_addr="$public_ip"
done
fi
}
check_server_address() {
if [ "$server_addr" = "$server_addr_old" ]; then
echo >&2
echo "Error: IKEv2 server address is already '$server_addr'. Nothing to do." >&2
abort_and_exit
fi
}
confirm_changes() {
cat <<EOF
You are about to change this IKEv2 VPN server's address.
Read the important notes below before continuing.
===========================================
Current server address: $server_addr_old
New server address: $server_addr
===========================================
*IMPORTANT*
After running this script, you must manually update the server address
on any existing IKEv2 client devices. For iOS clients, you'll need to
export and re-import client configuration using the IKEv2 helper script.
EOF
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
;;
*)
abort_and_exit
;;
esac
}
create_server_cert() {
if check_cert_exists "$server_addr"; then
bigecho "Server certificate '$server_addr' already exists, skipping..."
else
bigecho "Generating server certificate..."
if [ "$use_dns_name" = "1" ]; then
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
-k rsa -g 3072 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
else
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
-k rsa -g 3072 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
fi
fi
}
update_ikev2_conf() {
bigecho "Updating IKEv2 configuration..."
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
echo >> /etc/ipsec.conf
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
fi
sed -i -e "/^[[:space:]]\+leftcert=/d" \
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
if [ "$use_dns_name" = "1" ]; then
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf
else
sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf
fi
sed -i "/conn ikev2-cp/a \ leftcert=$server_addr" /etc/ipsec.d/ikev2.conf
}
restart_ipsec_service() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
}
print_client_info() {
cat <<EOF
Successfully changed IKEv2 server address!
EOF
}
ikev2changeaddr() {
check_root
check_os
check_libreswan
check_ikev2
check_utils_exist
check_ca_cert_exists
get_server_address
show_welcome
enter_server_address
check_server_address
confirm_changes
create_server_cert
update_ikev2_conf
if [ "$os_type" = "alpine" ]; then
ipsec auto --replace ikev2-cp >/dev/null
else
restart_ipsec_service
fi
print_client_info
}
## Defer until we have the complete script
ikev2changeaddr "$@"
exit 0
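Review bot: `restart_ipsec_service` discards the exit status of `service ipsec restart` (its stderr is also sent to /dev/null) and the Alpine branch in `ikev2changeaddr` does the same with `ipsec auto --replace ikev2-cp`, so `print_client_info` reports "Successfully changed IKEv2 server address!" even when pluto failed to load the new `leftcert`/`leftid` and every client is now unable to connect. Propagate the failure instead: `service ipsec restart 2>/dev/null || exiterr "Failed to restart IPsec service."` and `ipsec auto --replace ikev2-cp >/dev/null || exiterr "Failed to reload IKEv2 connection."`. A related gap in `create_server_cert`: when a certificate nicknamed `$server_addr` already exists it is reused without checking that it was issued by "IKEv2 VPN CA" or is still valid, so a stale or unrelated cert with the same nickname is silently selected; `certutil -V -u V -d sql:/etc/ipsec.d -n "$server_addr"` before the skip would cover both. Also, `confirm_or_abort` is defined but never called and can be dropped.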


@ -26,11 +26,11 @@ abort_and_exit() {
exit 1
}
confirm_or_abort() {
continue_or_abort() {
printf '%s' "$1"
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
;;
*)
@ -70,7 +70,7 @@ cat 1>&2 <<EOF
Error: Libreswan version '$swan_ver' is not supported.
IKEv2-only mode requires Libreswan 4.2 or newer.
To update Libreswan, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
EOF
exit 1
fi
@ -95,7 +95,7 @@ Note: This option will disable IKEv2-only mode on this VPN server. With IKEv2-on
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) in addition to IKEv2.
EOF
confirm_or_abort "Do you want to continue? [y/N] "
continue_or_abort "Do you want to continue? [Y/n] "
}
confirm_enable_ikev2_only() {
@ -107,7 +107,7 @@ Note: This option will enable IKEv2-only mode on this VPN server. With IKEv2-onl
modes) will be dropped.
EOF
confirm_or_abort "Do you want to continue? [y/N] "
continue_or_abort "Do you want to continue? [Y/n] "
}
toggle_ikev2_only() {
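Review bot: `continue_or_abort` now treats an empty answer as consent, so when `read -r response` hits end-of-file (stdin redirected, or the script fed to a shell through a pipe) `response` stays empty and the caller proceeds, whereas the previous `[y/N]` form aborted in that situation. Toggling IKEv2-only mode enables or drops the IPsec/L2TP and IPsec/XAuth connections, so that silent path is worth closing: `read -r response || abort_and_exit` keeps the Enter-to-continue default for interactive use while still aborting on EOF. The same `[Y/n]` change with a bare `read -r response` recurs at the `Do you want to continue? [Y/n]` prompt of the next file section and in the prompt hunks of the later file sections of this commit. The tail of `continue_or_abort` and the body of `toggle_ikev2_only` lie outside the hunk.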


@ -38,6 +38,13 @@ check_root() {
fi
}
check_container() {
in_container=0
if grep -qs "hwdsl2" /opt/src/run.sh; then
in_container=1
fi
}
check_os() {
os_type=centos
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
@ -91,6 +98,37 @@ EOF
fi
}
check_libreswan() {
ipsec_ver=$(ipsec --version 2>/dev/null)
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before setting up IKEv2.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
}
check_swan_ver() {
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then
cat 1>&2 <<EOF
Error: Libreswan version '$swan_ver' is not supported.
This script requires Libreswan 3.23 or newer.
To update Libreswan, run:
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
EOF
exit 1
fi
}
check_utils_exist() {
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort."
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
}
abort_and_exit() {
echo "Abort. No changes were made." >&2
exit 1
@ -109,48 +147,10 @@ confirm_or_abort() {
esac
}
check_libreswan() {
ipsec_ver=$(ipsec --version 2>/dev/null)
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before setting up IKEv2.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
}
check_swan_ver() {
if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then
cat 1>&2 <<EOF
Error: Libreswan version '$swan_ver' is not supported.
This script requires Libreswan 3.23 or newer.
To update Libreswan, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
exit 1
fi
}
check_utils_exist() {
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort."
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
}
check_container() {
in_container=0
if grep -qs "hwdsl2" /opt/src/run.sh; then
in_container=1
fi
}
show_header() {
cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 22 Jan 2022
IKEv2 Script Copyright (c) 2020-2022 Lin Song 15 Feb 2022
EOF
}
@ -179,7 +179,7 @@ EOF
}
check_ikev2_exists() {
grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]
grep -qs "conn ikev2-cp" "$IPSEC_CONF" || [ -f "$IKEV2_CONF" ]
}
check_client_name() {
@ -188,49 +188,61 @@ check_client_name() {
}
check_cert_exists() {
certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1
certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1
}
check_cert_exists_and_exit() {
if certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1; then
if certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1; then
echo "Error: Certificate '$1' already exists." >&2
abort_and_exit
fi
}
check_cert_status() {
cert_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$1")
cert_status=$(certutil -V -u C -d "$CERT_DB" -n "$1")
}
check_arguments() {
if [ "$use_defaults" = "1" ]; then
if check_ikev2_exists; then
echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2
fi
if [ "$use_defaults" = "1" ] && check_ikev2_exists; then
echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2
fi
if [ "$((add_client + export_client + list_clients + revoke_client))" -gt 1 ]; then
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients' or '--revokeclient'."
fi
if [ "$remove_ikev2" = "1" ]; then
if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
fi
fi
if ! check_ikev2_exists; then
[ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client."
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client certificate."
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
fi
if [ "$add_client" = "1" ]; then
check_ikev2_exists || exiterr "You must first set up IKEv2 before adding a client."
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
elif check_cert_exists "$client_name"; then
exiterr "Invalid client name. Client '$client_name' already exists."
fi
fi
if [ "$export_client" = "1" ]; then
check_ikev2_exists || exiterr "You must first set up IKEv2 before exporting a client."
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ]; then
get_server_address
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|| ! check_cert_exists "$client_name"; then
exiterr "Invalid client name, or client does not exist."
fi
if ! check_cert_status "$client_name"; then
printf '%s' "Error: Certificate '$client_name' " >&2
if printf '%s' "$cert_status" | grep -q "revoked"; then
echo "has been revoked." >&2
if [ "$revoke_client" = "1" ]; then
echo "has already been revoked." >&2
else
echo "has been revoked." >&2
fi
elif printf '%s' "$cert_status" | grep -q "expired"; then
echo "has expired." >&2
else
@ -239,35 +251,6 @@ check_arguments() {
exit 1
fi
fi
if [ "$list_clients" = "1" ]; then
check_ikev2_exists || exiterr "You must first set up IKEv2 before listing clients."
fi
if [ "$revoke_client" = "1" ]; then
check_ikev2_exists || exiterr "You must first set up IKEv2 before revoking a client certificate."
get_server_address
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|| ! check_cert_exists "$client_name"; then
exiterr "Invalid client name, or client does not exist."
fi
if ! check_cert_status "$client_name"; then
printf '%s' "Error: Certificate '$client_name' " >&2
if printf '%s' "$cert_status" | grep -q "revoked"; then
echo "has already been revoked." >&2
elif printf '%s' "$cert_status" | grep -q "expired"; then
echo "has expired." >&2
else
echo "is invalid." >&2
fi
exit 1
fi
fi
if [ "$remove_ikev2" = "1" ]; then
check_ikev2_exists || exiterr "Cannot remove IKEv2 because it has not been set up on this server."
if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
fi
fi
}
check_server_dns_name() {
@ -283,6 +266,46 @@ check_custom_dns() {
fi
}
check_and_set_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
client_name="$VPN_CLIENT_NAME"
check_client_name "$client_name" \
|| exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
else
client_name=vpnclient
fi
check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
}
set_server_address() {
if [ -n "$VPN_DNS_NAME" ]; then
use_dns_name=1
server_addr="$VPN_DNS_NAME"
else
use_dns_name=0
get_server_ip
check_ip "$public_ip" || exiterr "Cannot detect this server's public IP."
server_addr="$public_ip"
fi
check_cert_exists_and_exit "$server_addr"
}
set_dns_servers() {
if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then
dns_server_1="$VPN_DNS_SRV1"
dns_server_2="$VPN_DNS_SRV2"
dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2"
elif [ -n "$VPN_DNS_SRV1" ]; then
dns_server_1="$VPN_DNS_SRV1"
dns_server_2=""
dns_servers="$VPN_DNS_SRV1"
else
dns_server_1=8.8.8.8
dns_server_2=8.8.4.4
dns_servers="8.8.8.8 8.8.4.4"
fi
}
show_welcome() {
cat <<'EOF'
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
@ -315,7 +338,7 @@ show_add_client() {
}
show_export_client() {
bigecho "Exporting existing IKEv2 client '$client_name'."
bigecho "Exporting IKEv2 client '$client_name', using default options."
}
get_export_dir() {
@ -342,15 +365,15 @@ get_server_ip() {
}
get_server_address() {
server_addr=$(grep -s "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
[ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" /etc/ipsec.conf | cut -f2 -d=)
server_addr=$(grep -s "leftcert=" "$IKEV2_CONF" | cut -f2 -d=)
[ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" "$IPSEC_CONF" | cut -f2 -d=)
check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address."
}
list_existing_clients() {
echo "Checking for existing IKEv2 client(s)..."
echo
client_names=$(certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' ')
client_names=$(certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" -e '\.' | tail -n +3 | cut -f1 -d ' ')
max_len=$(printf '%s\n' "$client_names" | wc -L 2>/dev/null)
[[ $max_len =~ ^[0-9]+$ ]] || max_len=64
[ "$max_len" -gt "64" ] && max_len=64
@ -359,7 +382,7 @@ list_existing_clients() {
printf "%-$62,530s %s\n" '------------' '-------------------'
printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do
printf "%-$62,530s " "$line"
client_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
client_status=$(certutil -V -u C -d "$CERT_DB" -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
[ -z "$client_status" ] && client_status=unknown
printf '%s\n' "$client_status"
done
@ -403,33 +426,26 @@ enter_client_name() {
echo
echo "Provide a name for the IKEv2 VPN client."
echo "Use one word only, no special characters except '-' and '_'."
read -rp "Client name: " client_name
[ -z "$client_name" ] && abort_and_exit
if [ "$1" = "with_defaults" ]; then
read -rp "Client name: [vpnclient] " client_name
[ -z "$client_name" ] && client_name=vpnclient
else
read -rp "Client name: " client_name
[ -z "$client_name" ] && abort_and_exit
fi
while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do
if ! check_client_name "$client_name"; then
echo "Invalid client name."
else
echo "Invalid client name. Client '$client_name' already exists."
fi
read -rp "Client name: " client_name
[ -z "$client_name" ] && abort_and_exit
done
}
enter_client_name_with_defaults() {
echo
echo "Provide a name for the IKEv2 VPN client."
echo "Use one word only, no special characters except '-' and '_'."
read -rp "Client name: [vpnclient] " client_name
[ -z "$client_name" ] && client_name=vpnclient
while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do
if ! check_client_name "$client_name"; then
echo "Invalid client name."
else
echo "Invalid client name. Client '$client_name' already exists."
fi
read -rp "Client name: [vpnclient] " client_name
[ -z "$client_name" ] && client_name=vpnclient
if [ "$1" = "with_defaults" ]; then
read -rp "Client name: [vpnclient] " client_name
[ -z "$client_name" ] && client_name=vpnclient
else
read -rp "Client name: " client_name
[ -z "$client_name" ] && abort_and_exit
fi
done
}
@ -440,10 +456,10 @@ enter_client_name_for() {
echo
read -rp "Enter the name of the IKEv2 client to $1: " client_name
[ -z "$client_name" ] && abort_and_exit
while ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \
while ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name" \
|| ! check_cert_status "$client_name"; do
if ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \
if ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then
echo "Invalid client name, or client does not exist."
else
@ -465,7 +481,7 @@ enter_client_name_for() {
done
}
enter_client_cert_validity() {
enter_client_validity() {
echo
echo "Specify the validity period (in months) for this client certificate."
read -rp "Enter a number between 1 and 120: [120] " client_validity
@ -565,7 +581,7 @@ The MOBIKE IKEv2 extension allows VPN clients to change network attachment point
e.g. switch between mobile data and Wi-Fi and keep the IPsec tunnel up on the new IP.
EOF
printf "Do you want to enable MOBIKE support? [Y/n] "
printf "Enable MOBIKE support? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
@ -578,6 +594,36 @@ EOF
fi
}
check_config_password() {
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then
use_config_password=1
else
use_config_password=0
fi
}
select_config_password() {
if [ "$use_config_password" = "0" ]; then
cat <<'EOF'
IKEv2 client config files contain the client certificate, private key and CA certificate.
This script can optionally generate a random password to protect these files.
Future client config files will also be protected using this password.
EOF
printf "Protect client config files using a password? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
use_config_password=1
;;
*)
use_config_password=0
;;
esac
fi
}
select_menu_option() {
cat <<'EOF'
IKEv2 is already set up on this server.
@ -634,46 +680,72 @@ DNS server(s): $dns_servers
======================================
EOF
confirm_or_abort "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
;;
*)
abort_and_exit
;;
esac
}
create_client_cert() {
bigecho2 "Generating client certificate..."
sleep 1
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$client_name" \
-S -c "$CA_NAME" -n "$client_name" \
-s "O=IKEv2 VPN,CN=$client_name" \
-k rsa -g 3072 -v "$client_validity" \
-d sql:/etc/ipsec.d -t ",," \
-d "$CERT_DB" -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate."
}
create_p12_password() {
config_file="/etc/ipsec.d/.vpnconfig"
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
. "$config_file"
p12_password="$IKEV2_CONFIG_PASSWORD"
p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' </dev/urandom 2>/dev/null | head -c 18)
[ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
}
get_p12_password() {
if [ "$use_config_password" = "0" ]; then
create_p12_password
else
p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' </dev/urandom 2>/dev/null | head -c 18)
[ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
mkdir -p /etc/ipsec.d
printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file"
chmod 600 "$config_file"
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
if [ -z "$p12_password" ]; then
create_p12_password
if [ -n "$CONFIG_FILE" ] && [ -n "$CONFIG_DIR" ]; then
mkdir -p "$CONFIG_DIR"
printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$CONFIG_FILE"
chmod 600 "$CONFIG_FILE"
fi
fi
fi
}
export_p12_file() {
bigecho2 "Creating client configuration..."
create_p12_password
get_p12_password
p12_file="$export_dir$client_name.p12"
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
p12_file_enc="$export_dir$client_name.enc.p12"
pk12util -W "$p12_password" -d "$CERT_DB" -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1
if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then
pem_file="$export_dir$client_name.temp.pem"
openssl pkcs12 -in "$p12_file" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
if [ "$use_config_password" = "0" ]; then
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
fi
/bin/rm -f "$pem_file"
elif [ "$use_config_password" = "0" ]; then
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
fi
if [ "$use_config_password" = "1" ]; then
/bin/cp -f "$p12_file_enc" "$p12_file"
fi
if [ "$export_to_home_dir" = "1" ]; then
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
@ -714,10 +786,12 @@ install_uuidgen() {
create_mobileconfig() {
[ -z "$server_addr" ] && get_server_address
p12_base64=$(base64 -w 52 "$export_dir$client_name.p12")
p12_file_enc="$export_dir$client_name.enc.p12"
p12_base64=$(base64 -w 52 "$p12_file_enc")
/bin/rm -f "$p12_file_enc"
[ -z "$p12_base64" ] && exiterr "Could not encode .p12 file."
ca_base64=$(certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a | grep -v CERTIFICATE)
[ -z "$ca_base64" ] && exiterr "Could not encode IKEv2 VPN CA certificate."
ca_base64=$(certutil -L -d "$CERT_DB" -n "$CA_NAME" -a | grep -v CERTIFICATE)
[ -z "$ca_base64" ] && exiterr "Could not encode $CA_NAME certificate."
uuid1=$(uuidgen)
[ -z "$uuid1" ] && exiterr "Could not generate UUID value."
mc_file="$export_dir$client_name.mobileconfig"
@ -813,6 +887,14 @@ cat > "$mc_file" <<EOF
<string>IKEv2</string>
</dict>
<dict>
EOF
if [ "$use_config_password" = "0" ]; then
cat >> "$mc_file" <<EOF
<key>Password</key>
<string>$p12_password</string>
EOF
fi
cat >> "$mc_file" <<EOF
<key>PayloadCertificateFileName</key>
<string>$client_name</string>
<key>PayloadContent</key>
@ -854,7 +936,7 @@ $ca_base64
</dict>
</array>
<key>PayloadDisplayName</key>
<string>IKEv2 VPN ($server_addr)</string>
<string>IKEv2 VPN $server_addr</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.$(uuidgen)</string>
<key>PayloadRemovalDisallowed</key>
@ -884,7 +966,7 @@ create_android_profile() {
cat > "$sswan_file" <<EOF
{
"uuid": "$uuid2",
"name": "IKEv2 VPN ($server_addr)",
"name": "IKEv2 VPN $server_addr",
"type": "ikev2-cert",
"remote": {
"addr": "$server_addr"
@ -917,10 +999,10 @@ export_client_config() {
create_ca_server_certs() {
bigecho2 "Generating CA and server certificates..."
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
-S -x -n "$CA_NAME" \
-s "O=IKEv2 VPN,CN=$CA_NAME" \
-k rsa -g 3072 -v 120 \
-d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
-d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
y
N
@ -928,19 +1010,19 @@ ANSWERS
sleep 1
if [ "$use_dns_name" = "1" ]; then
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \
-S -c "$CA_NAME" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
-k rsa -g 3072 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
-d "$CERT_DB" -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
else
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$server_addr" \
-S -c "$CA_NAME" -n "$server_addr" \
-s "O=IKEv2 VPN,CN=$server_addr" \
-k rsa -g 3072 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
-d "$CERT_DB" -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
@ -949,11 +1031,11 @@ ANSWERS
add_ikev2_connection() {
bigecho2 "Adding a new IKEv2 connection..."
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
echo >> /etc/ipsec.conf
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then
echo >> "$IPSEC_CONF"
echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF"
fi
cat > /etc/ipsec.d/ikev2.conf <<EOF
cat > "$IKEV2_CONF" <<EOF
conn ikev2-cp
left=%defaultroute
@ -981,27 +1063,27 @@ conn ikev2-cp
encapsulation=yes
EOF
if [ "$use_dns_name" = "1" ]; then
cat >> /etc/ipsec.d/ikev2.conf <<EOF
cat >> "$IKEV2_CONF" <<EOF
leftid=@$server_addr
EOF
else
cat >> /etc/ipsec.d/ikev2.conf <<EOF
cat >> "$IKEV2_CONF" <<EOF
leftid=$server_addr
EOF
fi
if [ -n "$dns_server_2" ]; then
cat >> /etc/ipsec.d/ikev2.conf <<EOF
cat >> "$IKEV2_CONF" <<EOF
modecfgdns="$dns_servers"
EOF
else
cat >> /etc/ipsec.d/ikev2.conf <<EOF
cat >> "$IKEV2_CONF" <<EOF
modecfgdns=$dns_server_1
EOF
fi
if [ "$mobike_enable" = "1" ]; then
echo " mobike=yes" >> /etc/ipsec.d/ikev2.conf
echo " mobike=yes" >> "$IKEV2_CONF"
else
echo " mobike=no" >> /etc/ipsec.d/ikev2.conf
echo " mobike=no" >> "$IKEV2_CONF"
fi
}
@ -1036,18 +1118,18 @@ restart_ipsec_service() {
}
create_crl() {
if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null >/dev/null
if ! crlutil -L -d "$CERT_DB" -n "$CA_NAME" >/dev/null 2>&1; then
crlutil -G -d "$CERT_DB" -n "$CA_NAME" -c /dev/null >/dev/null
fi
sleep 2
}
add_client_cert_to_crl() {
sn_txt=$(certutil -L -d sql:/etc/ipsec.d -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1)
sn_txt=$(certutil -L -d "$CERT_DB" -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1)
sn_hex=$(printf '%s' "$sn_txt" | sed -e 's/^ *//' -e 's/://g')
sn_dec=$((16#$sn_hex))
[ -z "$sn_dec" ] && exiterr "Could not find serial number of client certificate."
crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null <<EOF || exiterr "Failed to add client certificate to CRL."
crlutil -M -d "$CERT_DB" -n "$CA_NAME" >/dev/null <<EOF || exiterr "Failed to add client certificate to CRL."
addcert $sn_dec $(date -u +%Y%m%d%H%M%SZ)
EOF
}
@ -1115,11 +1197,15 @@ cat <<EOF
$export_dir$client_name.p12 (for Windows & Linux)
$export_dir$client_name.sswan (for Android)
$export_dir$client_name.mobileconfig (for iOS & macOS)
EOF
if [ "$use_config_password" = "1" ]; then
cat <<EOF
*IMPORTANT* Password for client config files:
$p12_password
Write this down, you'll need it for import!
EOF
fi
cat <<'EOF'
Next steps: Configure IKEv2 VPN clients. See:
@ -1140,16 +1226,16 @@ check_swan_update() {
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
check_ipsec_conf() {
if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then
cat 1>&2 <<'EOF'
Error: IKEv2 configuration section found in /etc/ipsec.conf.
if grep -qs "conn ikev2-cp" "$IPSEC_CONF"; then
cat 1>&2 <<EOF
Error: IKEv2 configuration section found in $IPSEC_CONF.
This script cannot automatically remove IKEv2 from this server.
To manually remove IKEv2, see https://git.io/ikev2
EOF
@ -1179,23 +1265,22 @@ EOF
}
delete_ikev2_conf() {
bigecho "Deleting /etc/ipsec.d/ikev2.conf..."
/bin/rm -f /etc/ipsec.d/ikev2.conf
bigecho "Deleting $IKEV2_CONF..."
/bin/rm -f "$IKEV2_CONF"
}
delete_certificates() {
echo
bigecho "Deleting certificates and keys from the IPsec database..."
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
certutil -F -d sql:/etc/ipsec.d -n "$line"
certutil -D -d sql:/etc/ipsec.d -n "$line" 2>/dev/null
certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
certutil -F -d "$CERT_DB" -n "$line"
certutil -D -d "$CERT_DB" -n "$line" 2>/dev/null
done
crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
certutil -F -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"
certutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
config_file="/etc/ipsec.d/.vpnconfig"
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$config_file"
crlutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null
certutil -F -d "$CERT_DB" -n "$CA_NAME"
certutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then
sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$CONFIG_FILE"
fi
}
@ -1259,7 +1344,15 @@ ikev2setup() {
esac
done
CA_NAME="IKEv2 VPN CA"
CERT_DB="sql:/etc/ipsec.d"
CONFIG_DIR="/etc/ipsec.d"
CONFIG_FILE="/etc/ipsec.d/.vpnconfig"
IKEV2_CONF="/etc/ipsec.d/ikev2.conf"
IPSEC_CONF="/etc/ipsec.conf"
check_arguments
check_config_password
get_export_dir
if [ "$add_client" = "1" ]; then
@ -1320,7 +1413,8 @@ ikev2setup() {
case $selected_option in
1)
enter_client_name
enter_client_cert_validity
enter_client_validity
select_config_password
echo
create_client_cert
export_client_config
@ -1330,6 +1424,7 @@ ikev2setup() {
;;
2)
enter_client_name_for export
select_config_password
echo
export_client_config
print_client_exported
@ -1372,56 +1467,29 @@ ikev2setup() {
esac
fi
check_cert_exists_and_exit "IKEv2 VPN CA"
check_cert_exists_and_exit "$CA_NAME"
if [ "$use_defaults" = "0" ]; then
show_header
show_welcome
enter_server_address
check_cert_exists_and_exit "$server_addr"
enter_client_name_with_defaults
enter_client_cert_validity
enter_client_name with_defaults
enter_client_validity
enter_custom_dns
check_mobike_support
select_mobike
select_config_password
confirm_setup_options
else
check_server_dns_name
check_custom_dns
if [ -n "$VPN_CLIENT_NAME" ]; then
client_name="$VPN_CLIENT_NAME"
check_client_name "$client_name" \
|| exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
else
client_name=vpnclient
fi
check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
check_and_set_client_name
client_validity=120
show_header
show_start_setup
if [ -n "$VPN_DNS_NAME" ]; then
use_dns_name=1
server_addr="$VPN_DNS_NAME"
else
use_dns_name=0
get_server_ip
check_ip "$public_ip" || exiterr "Cannot detect this server's public IP."
server_addr="$public_ip"
fi
check_cert_exists_and_exit "$server_addr"
if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then
dns_server_1="$VPN_DNS_SRV1"
dns_server_2="$VPN_DNS_SRV2"
dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2"
elif [ -n "$VPN_DNS_SRV1" ]; then
dns_server_1="$VPN_DNS_SRV1"
dns_server_2=""
dns_servers="$VPN_DNS_SRV1"
else
dns_server_1=8.8.8.8
dns_server_2=8.8.4.4
dns_servers="8.8.8.8 8.8.4.4"
fi
set_server_address
set_dns_servers
check_mobike_support
mobike_enable="$mobike_support"
fi
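Review bot: In `get_p12_password` the config file is created by the `>>` redirection under the caller's umask and only afterwards `chmod 600`, so on first creation it is briefly readable by other local users under a default 022 umask; since this value unlocks every exported client key, do the write with a restricted umask, e.g. `(umask 077; printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$CONFIG_FILE")`, and keep the `chmod 600` for files that already exist. Relatedly, `export_p12_file` now writes an unencrypted PKCS#12 (`pk12util -W ""` / `-passout pass:`) to `$p12_file` when no config password is chosen, and the hunk ends right after the `chown`, so it is worth confirming that `$p12_file` is left mode 600 by the code that follows. `get_p12_password` also relies on `use_config_password` having been set by `check_config_password` or `select_config_password`; an unset value falls into the `else` branch and persists a generated password, so a one-line comment on the function stating that precondition would help the next caller.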


@ -127,10 +127,10 @@ Setup VPN clients: https://git.io/vpnclients
EOF
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
echo "Updating VPN users..."
echo


@ -123,10 +123,10 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
;;
*)


@ -107,10 +107,10 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
;;
*)


@ -125,10 +125,10 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
;;
*)


@ -134,10 +134,10 @@ Note: You already have Libreswan version $SWAN_VER installed!
EOF
fi
printf "Do you want to continue? [y/N] "
printf "Do you want to continue? [Y/n] "
read -r response
case $response in
[yY][eE][sS]|[yY])
[yY][eE][sS]|[yY]|'')
echo
;;
*)