From 1da1493f53592a53cd5911ea217caf5b7ec9f4c2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 Feb 2022 21:49:49 -0600 Subject: [PATCH 01/20] Cleanup --- extras/ikev2onlymode.sh | 2 +- extras/ikev2setup.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/extras/ikev2onlymode.sh b/extras/ikev2onlymode.sh index 94cc758..ec2e567 100755 --- a/extras/ikev2onlymode.sh +++ b/extras/ikev2onlymode.sh @@ -70,7 +70,7 @@ cat 1>&2 <&2 < Date: Thu, 10 Feb 2022 21:53:59 -0600 Subject: [PATCH 02/20] Update docs --- README-zh.md | 10 +++++----- README.md | 10 +++++----- docs/advanced-usage-zh.md | 2 +- docs/advanced-usage.md | 2 +- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- docs/manage-users-zh.md | 6 +++--- docs/manage-users.md | 6 +++--- docs/uninstall-zh.md | 2 +- docs/uninstall.md | 2 +- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/README-zh.md b/README-zh.md index c7ba060..a640e5e 100644 --- a/README-zh.md +++ b/README-zh.md @@ -33,7 +33,7 @@ Ubuntu, Debian, CentOS/RHEL, Rocky Linux, AlmaLinux, Amazon Linux 2 或者 Alpin 使用以下命令快速搭建 IPsec VPN 服务器: ```bash -wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` 你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。 @@ -95,7 +95,7 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh **选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示): ```bash -wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh ``` @@ -111,7 +111,7 @@ sudo ikev2.sh **选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证: ```bash -wget https://git.io/vpnsetup -O vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh nano -w vpn.sh [替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD] sudo sh vpn.sh @@ -126,7 +126,7 @@ sudo sh vpn.sh ```bash # 所有变量值必须用 '单引号' 括起来 # *不要* 在值中使用这些字符: \ " ' -wget https://git.io/vpnsetup -O vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' \ @@ -174,7 +174,7 @@ sh vpn.sh 使用以下命令更新你的 VPN 服务器上的 [Libreswan](https://libreswan.org)([更新日志](https://github.com/libreswan/libreswan/blob/main/CHANGES) | [通知列表](https://lists.libreswan.org/mailman/listinfo/swan-announce))。 ```bash -wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh +wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh ``` 当前支持的 Libreswan 最新版本是 `4.6`。查看已安装版本:`ipsec --version`。 diff --git a/README.md b/README.md index 820aa6f..d77df99 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Ubuntu, Debian, CentOS/RHEL, Rocky Linux, AlmaLinux, Amazon Linux 2 or Alpine Li Use this one-liner to set up an IPsec VPN server: ```bash -wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` Your VPN login details will be randomly generated, and displayed on the screen when finished. @@ -95,7 +95,7 @@ To install the VPN, please choose one of the following options: **Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished): ```bash -wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh ``` @@ -111,7 +111,7 @@ sudo ikev2.sh **Option 2:** Edit the script and provide your own VPN credentials: ```bash -wget https://git.io/vpnsetup -O vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh nano -w vpn.sh [Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD] sudo sh vpn.sh @@ -126,7 +126,7 @@ After successful installation, it is recommended to [set up IKEv2](#ikev2-setup- ```bash # All values MUST be placed inside 'single quotes' # DO NOT use these special characters within values: \ " ' -wget https://git.io/vpnsetup -O vpn.sh +wget https://git.io/vpnsetup -qO vpn.sh sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' \ @@ -174,7 +174,7 @@ The scripts will backup existing config files before making changes, with `.old- Use this one-liner to update [Libreswan](https://libreswan.org) ([changelog](https://github.com/libreswan/libreswan/blob/main/CHANGES) | [announce](https://lists.libreswan.org/mailman/listinfo/swan-announce)) on your VPN server. ```bash -wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh +wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh ``` The latest supported Libreswan version is `4.6`. Check installed version: `ipsec --version`. diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index 043da8d..eca4123 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md @@ -45,7 +45,7 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto ```bash # 下载脚本 -wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode +wget -qO ikev2onlymode.sh https://bit.ly/ikev2onlymode # 运行脚本并按提示操作 sudo bash ikev2onlymode.sh ``` diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 089eb2a..cc1da6c 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -45,7 +45,7 @@ To enable IKEv2-only mode, first install the VPN server and set up IKEv2 using i ```bash # Download the script -wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode +wget -qO ikev2onlymode.sh https://bit.ly/ikev2onlymode # Run the script and follow the prompts sudo bash ikev2onlymode.sh ``` diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7d0ea3b..7a27bcb 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -50,7 +50,7 @@ sudo ikev2.sh 如果你使用了较早版本的 VPN 安装脚本,这是正常的。首先下载 IKEv2 辅助脚本: ```bash -wget https://git.io/ikev2setup -O /opt/src/ikev2.sh +wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin ``` @@ -87,7 +87,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 ```bash -wget https://git.io/ikev2setup -O /opt/src/ikev2.sh +wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 3d550db..4a6e498 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -50,7 +50,7 @@ Error: "sudo: ikev2.sh: command not found". This is normal if you used an older version of the VPN setup script. First, download the IKEv2 helper script: ```bash -wget https://git.io/ikev2setup -O /opt/src/ikev2.sh +wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin ``` @@ -87,7 +87,7 @@ Learn how to update the IKEv2 helper script on your server. The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. ```bash -wget https://git.io/ikev2setup -O /opt/src/ikev2.sh +wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null ``` diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 97bbb57..51a4cf2 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -52,7 +52,7 @@ service xl2tpd restart ```bash # 下载脚本 -wget -O add_vpn_user.sh https://bit.ly/addvpnuser +wget -qO add_vpn_user.sh https://bit.ly/addvpnuser # 运行脚本并按提示操作 sudo bash add_vpn_user.sh ``` @@ -73,7 +73,7 @@ sudo bash add_vpn_user.sh '要更新的用户名' '新密码' ```bash # 下载脚本 -wget -O del_vpn_user.sh https://bit.ly/delvpnuser +wget -qO del_vpn_user.sh https://bit.ly/delvpnuser # 运行脚本并按提示操作 sudo bash del_vpn_user.sh ``` @@ -92,7 +92,7 @@ sudo bash del_vpn_user.sh '要删除的用户名' ```bash # 下载脚本 -wget -O update_vpn_users.sh https://bit.ly/updatevpnusers +wget -qO update_vpn_users.sh https://bit.ly/updatevpnusers ``` 要使用这个脚本,从以下选项中选择一个: diff --git a/docs/manage-users.md b/docs/manage-users.md index 221dce0..7ad25e9 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -52,7 +52,7 @@ Add a new VPN user, or update an existing VPN user with a new password. ```bash # Download the script -wget -O add_vpn_user.sh https://bit.ly/addvpnuser +wget -qO add_vpn_user.sh https://bit.ly/addvpnuser # Run the script and follow the prompts sudo bash add_vpn_user.sh ``` @@ -73,7 +73,7 @@ Delete the specified VPN user. ```bash # Download the script -wget -O del_vpn_user.sh https://bit.ly/delvpnuser +wget -qO del_vpn_user.sh https://bit.ly/delvpnuser # Run the script and follow the prompts sudo bash del_vpn_user.sh ``` @@ -92,7 +92,7 @@ Remove all existing VPN users and replace with the list of users you specify. ```bash # Download the script -wget -O update_vpn_users.sh https://bit.ly/updatevpnusers +wget -qO update_vpn_users.sh https://bit.ly/updatevpnusers ``` To use this script, choose one of the following options: diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index a5e2b5a..0c709a5 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -10,7 +10,7 @@ **警告:** 此[辅助脚本](../extras/vpnuninstall.sh)将从你的服务器中删除 IPsec VPN。所有的 VPN 配置将被**永久删除**,并且 Libreswan 和 xl2tpd 将被移除。此操作**不可撤销**! ```bash -wget https://git.io/vpnuninstall -O vpnunst.sh +wget https://git.io/vpnuninstall -qO vpnunst.sh sudo bash vpnunst.sh ``` diff --git a/docs/uninstall.md b/docs/uninstall.md index 7299a7f..09de1f9 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -10,7 +10,7 @@ **Warning:** This [helper script](../extras/vpnuninstall.sh) will remove IPsec VPN from your server. All VPN configuration will be **permanently deleted**, and Libreswan and xl2tpd will be removed. This **cannot be undone**! ```bash -wget https://git.io/vpnuninstall -O vpnunst.sh +wget https://git.io/vpnuninstall -qO vpnunst.sh sudo bash vpnunst.sh ``` From 7e809c2042be6a68a60892a064a87349b9318433 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 Feb 2022 23:10:39 -0600 Subject: [PATCH 03/20] Update tests --- .github/workflows/check_urls.yml | 4 +++- .github/workflows/test_set_1.yml | 28 +++++++++++++++++++--------- .github/workflows/test_set_2.yml | 22 +++++++++++++--------- 3 files changed, 35 insertions(+), 19 deletions(-) diff --git a/.github/workflows/check_urls.yml b/.github/workflows/check_urls.yml index cec311d..97b5bf6 100644 --- a/.github/workflows/check_urls.yml +++ b/.github/workflows/check_urls.yml @@ -39,7 +39,8 @@ jobs: $wg vpnsetup_amzn.sh "$gi/vpnsetup-amzn" $wg vpnsetup_ubuntu.sh "$gi/vpnsetup-ubuntu" $wg vpnsetup_alpine.sh "$gi/vpnsetup-alpine" - $wg quickstart.sh "$gi/vpnquickstart" + $wg quickstart.sh "$gi/vpnstart" + $wg quickstart_.sh "$gi/vpnquickstart" $wg ikev2setup.sh "$gi/ikev2setup" $wg vpnupgrade.sh "$gi/vpnupgrade" $wg vpnupgrade_centos.sh "$gi/vpnupgrade-centos" @@ -68,6 +69,7 @@ jobs: diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh diff vpnsetup_alpine.sh ../vpnsetup_alpine.sh diff quickstart.sh ../extras/quickstart.sh + diff quickstart_.sh ../extras/quickstart.sh diff ikev2setup.sh ../extras/ikev2setup.sh diff vpnupgrade.sh ../extras/vpnupgrade.sh diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml index 728fe46..cb4ff2e 100644 --- a/.github/workflows/test_set_1.yml +++ b/.github/workflows/test_set_1.yml @@ -22,11 +22,19 @@ jobs: env: OS_VERSION: ${{ matrix.os_version }} steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0 + with: + persist-credentials: false - name: Build run: | mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + mkdir -p scripts/extras + ls -ld "$GITHUB_WORKSPACE/vpnsetup.sh" + cp -f "$GITHUB_WORKSPACE"/*.sh scripts/ + cp -f "$GITHUB_WORKSPACE"/extras/*.sh scripts/extras/ + cat > run.sh <<'EOF' #!/bin/bash set -eEx @@ -71,11 +79,12 @@ jobs: echo } + cd /opt/src yum -y -q update yum -y -q install wget rsyslog systemctl start rsyslog - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + cp -f /opt/src/scripts/vpnsetup.sh . sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh sh vpnsetup.sh @@ -102,7 +111,7 @@ jobs: ls -l /usr/bin/ikev2.sh ls -l /opt/src/ikev2.sh - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall + cp -f /opt/src/scripts/extras/vpnuninstall.sh ./vpnunst.sh bash vpnunst.sh < run.sh if [ "$os_type" = "alpine" ]; then @@ -83,7 +87,7 @@ jobs: service rsyslog start fi - wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + cp -f "$GITHUB_WORKSPACE"/vpnsetup.sh . sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh sh vpnsetup.sh @@ -115,7 +119,7 @@ jobs: ls -l /usr/bin/ikev2.sh ls -l /opt/src/ikev2.sh - wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall + cp -f "$GITHUB_WORKSPACE"/extras/vpnuninstall.sh ./vpnunst.sh bash vpnunst.sh < Date: Fri, 11 Feb 2022 21:50:00 -0600 Subject: [PATCH 04/20] Update IKEv2 script - Minor improvement to IKEv2 config password retrieval --- extras/ikev2setup.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 34e4264..31d8ce4 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -651,10 +651,8 @@ create_client_cert() { create_p12_password() { config_file="/etc/ipsec.d/.vpnconfig" - if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then - . "$config_file" - p12_password="$IKEV2_CONFIG_PASSWORD" - else + p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") + if [ -z "$p12_password" ]; then p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 18) [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file." mkdir -p /etc/ipsec.d From dbc3527448111697937f0cc7969a9f2583a8d87e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 01:21:12 -0600 Subject: [PATCH 05/20] Simplify IKEv2 import - Simplify IKEv2 configuration import: Remove passwords for IKEv2 client config files. When importing, it is no longer required to enter a config file password. - For macOS and iOS, .mobileconfig files require a password to work. The password is now included so there is no need to manually enter. - Note: Client config files should be securely transferred from the VPN server to VPN client device(s) for import. --- extras/ikev2setup.sh | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 31d8ce4..bdaec11 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -150,7 +150,7 @@ check_container() { show_header() { cat <<'EOF' -IKEv2 Script Copyright (c) 2020-2022 Lin Song 22 Jan 2022 +IKEv2 Script Copyright (c) 2020-2022 Lin Song 12 Feb 2022 EOF } @@ -665,13 +665,18 @@ export_p12_file() { bigecho2 "Creating client configuration..." create_p12_password p12_file="$export_dir$client_name.p12" - pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1 + p12_file_enc="$export_dir$client_name.enc.p12" + pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1 if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then pem_file="$export_dir$client_name.temp.pem" - openssl pkcs12 -in "$p12_file" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 - openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ + openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 + openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 + openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ + -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 /bin/rm -f "$pem_file" + else + pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1 fi if [ "$export_to_home_dir" = "1" ]; then chown "$SUDO_USER:$SUDO_USER" "$p12_file" @@ -712,7 +717,9 @@ install_uuidgen() { create_mobileconfig() { [ -z "$server_addr" ] && get_server_address - p12_base64=$(base64 -w 52 "$export_dir$client_name.p12") + p12_file_enc="$export_dir$client_name.enc.p12" + p12_base64=$(base64 -w 52 "$p12_file_enc") + /bin/rm -f "$p12_file_enc" [ -z "$p12_base64" ] && exiterr "Could not encode .p12 file." ca_base64=$(certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a | grep -v CERTIFICATE) [ -z "$ca_base64" ] && exiterr "Could not encode IKEv2 VPN CA certificate." @@ -811,6 +818,8 @@ cat > "$mc_file" <IKEv2 + Password + $p12_password PayloadCertificateFileName $client_name PayloadContent @@ -1113,10 +1122,6 @@ cat < Date: Sat, 12 Feb 2022 01:22:26 -0600 Subject: [PATCH 06/20] Update docs --- docs/ikev2-howto-zh.md | 35 +++++------------------------------ docs/ikev2-howto.md | 37 ++++++------------------------------- 2 files changed, 11 insertions(+), 61 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7a27bcb..c5d9dbe 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -116,7 +116,7 @@ To customize IKEv2 or client options, run this script without arguments. *其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端)。* -**注:** 客户端配置文件的密码可以在 IKEv2 辅助脚本的输出中找到。如果你想要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。 +**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。 * [Windows 7, 8, 10 和 11](#windows-7-8-10-和-11) * [OS X (macOS)](#os-x-macos) @@ -126,6 +126,8 @@ To customize IKEv2 or client options, run this script without arguments. ### Windows 7, 8, 10 和 11 +**注:** 如果 IKEv2 辅助脚本的输出中没有包含客户端配置文件的密码,请在提示输入密码时按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。 + Windows 8, 10 和 11 用户可以自动导入 IKEv2 配置: 1. 将生成的 `.p12` 文件安全地传送到你的计算机。 @@ -355,7 +357,8 @@ sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome ```bash # 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。 -# 注:你将需要输入 import password,它可以在 IKEv2 辅助脚本的输出中找到。 +# 注:你可能需要输入 import password,它可以在 IKEv2 辅助脚本的输出中找到。 +# 如果在脚本的输出中没有 import password,请按回车键继续。 openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key @@ -772,38 +775,10 @@ sudo ikev2.sh --revokeclient [client name] **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 -* [在导入时提示密码不正确](#在导入时提示密码不正确) * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) * [其它已知问题](#其它已知问题) -### 在导入时提示密码不正确 - -如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。 - -Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 [这里](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258)。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用以下解决方法。 -
- -Ubuntu 18.04 上的 NSS 问题的解决方法 - - -**注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统。 - -首先安装更新版本的 `libnss3` 相关的软件包: - -``` -wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.6_amd64.deb -wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb -wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb -apt-get -y update -apt-get -y install "./libnss3_3.49.1-1ubuntu1.6_amd64.deb" \ - "./libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" \ - "./libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb" -``` - -然后重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。 -
- ### IKEv2 在一小时后断开连接 如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 4a6e498..5516824 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -116,7 +116,7 @@ To customize IKEv2 or client options, run this script without arguments. *Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* -**Note:** The password for client configuration files can be found in the output of the IKEv2 helper script. If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information. +**Note:** If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information. * [Windows 7, 8, 10 and 11](#windows-7-8-10-and-11) * [OS X (macOS)](#os-x-macos) @@ -126,6 +126,8 @@ To customize IKEv2 or client options, run this script without arguments. ### Windows 7, 8, 10 and 11 +**Note:** If there is no password for client config files in the output of the IKEv2 helper script, press Enter to continue when prompted for the password, or if manually importing the `.p12` file, leave the password field blank. + Windows 8, 10 and 11 users can automatically import IKEv2 configuration: 1. Securely transfer the generated `.p12` file to your computer. @@ -356,8 +358,9 @@ Next, securely transfer the generated `.p12` file from the VPN server to your Li ```bash # Example: Extract CA certificate, client certificate and private key. # You may delete the .p12 file when finished. -# Note: You will need to enter the import password, which can be found -# in the output of the IKEv2 helper script. +# Note: You may need to enter the import password, which can be found +# in the output of the IKEv2 helper script. If the output does not +# contain an import password, press Enter to continue. openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key @@ -774,38 +777,10 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). -* [Incorrect password when trying to import](#incorrect-password-when-trying-to-import) * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) * [Other known issues](#other-known-issues) -### Incorrect password when trying to import - -If you forgot the password for client config files, you may [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again. - -Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more [here](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258). As of 2021-01-21, the IKEv2 helper script was updated to automatically apply the workaround below. -
- -Workaround for the NSS bug on Ubuntu 18.04 - - -**Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture. - -First, install newer versions of `libnss3` related packages: - -``` -wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.6_amd64.deb -wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb -wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb -apt-get -y update -apt-get -y install "./libnss3_3.49.1-1ubuntu1.6_amd64.deb" \ - "./libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb" \ - "./libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb" -``` - -After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again. -
- ### IKEv2 disconnects after one hour If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: From fb85eae7bac2c6f3682a30d604ff0f06a6ade8b0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 12:12:51 -0600 Subject: [PATCH 07/20] Update IKEv2 script - Add an option to protect IKEv2 client config files using a password, which users can select when customizing IKEv2 or client options Ref: dbc3527 - Change the default action to 'continue' when confirming IKEv2 setup options - Other minor improvements --- extras/ikev2setup.sh | 67 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 60 insertions(+), 7 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index bdaec11..7d1f439 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -286,7 +286,6 @@ check_custom_dns() { show_welcome() { cat <<'EOF' Welcome! Use this script to set up IKEv2 on your IPsec VPN server. - I need to ask you a few questions before starting setup. You can use the default options and just press enter if you are OK with them. @@ -315,7 +314,7 @@ show_add_client() { } show_export_client() { - bigecho "Exporting existing IKEv2 client '$client_name'." + bigecho "Exporting IKEv2 client '$client_name', using default options." } get_export_dir() { @@ -565,7 +564,7 @@ The MOBIKE IKEv2 extension allows VPN clients to change network attachment point e.g. switch between mobile data and Wi-Fi and keep the IPsec tunnel up on the new IP. EOF - printf "Do you want to enable MOBIKE support? [Y/n] " + printf "Enable MOBIKE support? [Y/n] " read -r response case $response in [yY][eE][sS]|[yY]|'') @@ -578,6 +577,25 @@ EOF fi } +select_config_password() { +cat <<'EOF' + +IKEv2 client config files contain the client certificate, private key and CA certificate. +This script can optionally generate a random password to protect these files. + +EOF + printf "Protect client config files using a password? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + use_config_password=1 + ;; + *) + use_config_password=0 + ;; + esac +} + select_menu_option() { cat <<'EOF' IKEv2 is already set up on this server. @@ -634,7 +652,16 @@ DNS server(s): $dns_servers ====================================== EOF - confirm_or_abort "Do you want to continue? [y/N] " + printf "Do you want to continue? [Y/n] " + read -r response + case $response in + [yY][eE][sS]|[yY]|'') + echo + ;; + *) + abort_and_exit + ;; + esac } create_client_cert() { @@ -672,11 +699,19 @@ export_p12_file() { openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 - openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ - -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 + if [ "$use_config_password" = "1" ]; then + /bin/cp -f "$p12_file_enc" "$p12_file" + else + openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ + -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 + fi /bin/rm -f "$pem_file" else - pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1 + if [ "$use_config_password" = "1" ]; then + /bin/cp -f "$p12_file_enc" "$p12_file" + else + pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1 + fi fi if [ "$export_to_home_dir" = "1" ]; then chown "$SUDO_USER:$SUDO_USER" "$p12_file" @@ -818,8 +853,14 @@ cat > "$mc_file" <IKEv2 +EOF + if [ "$use_config_password" = "0" ]; then +cat >> "$mc_file" <Password $p12_password +EOF + fi +cat >> "$mc_file" <PayloadCertificateFileName $client_name PayloadContent @@ -1123,6 +1164,14 @@ $export_dir$client_name.p12 (for Windows & Linux) $export_dir$client_name.sswan (for Android) $export_dir$client_name.mobileconfig (for iOS & macOS) EOF + if [ "$use_config_password" = "1" ]; then +cat < Date: Sat, 12 Feb 2022 12:24:26 -0600 Subject: [PATCH 08/20] Cleanup - Change the default action to 'continue' in VPN scripts --- extras/add_vpn_user.sh | 4 ++-- extras/del_vpn_user.sh | 4 ++-- extras/ikev2onlymode.sh | 8 ++++---- extras/update_vpn_users.sh | 4 ++-- extras/vpnupgrade_alpine.sh | 4 ++-- extras/vpnupgrade_amzn.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- extras/vpnupgrade_ubuntu.sh | 4 ++-- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index 3925798..5606f7a 100755 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh @@ -107,10 +107,10 @@ Setup VPN clients: https://git.io/vpnclients EOF -printf "Do you want to continue? [y/N] " +printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo echo "Adding or updating VPN user..." echo diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index e64a4a4..e0ac633 100755 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh @@ -105,10 +105,10 @@ Username: $VPN_USER EOF -printf "Do you want to continue? [y/N] " +printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo echo "Deleting VPN user..." echo diff --git a/extras/ikev2onlymode.sh b/extras/ikev2onlymode.sh index ec2e567..22dcd11 100755 --- a/extras/ikev2onlymode.sh +++ b/extras/ikev2onlymode.sh @@ -26,11 +26,11 @@ abort_and_exit() { exit 1 } -confirm_or_abort() { +continue_or_abort() { printf '%s' "$1" read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo ;; *) @@ -95,7 +95,7 @@ Note: This option will disable IKEv2-only mode on this VPN server. With IKEv2-on IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) in addition to IKEv2. EOF - confirm_or_abort "Do you want to continue? [y/N] " + continue_or_abort "Do you want to continue? [Y/n] " } confirm_enable_ikev2_only() { @@ -107,7 +107,7 @@ Note: This option will enable IKEv2-only mode on this VPN server. With IKEv2-onl modes) will be dropped. EOF - confirm_or_abort "Do you want to continue? [y/N] " + continue_or_abort "Do you want to continue? [Y/n] " } toggle_ikev2_only() { diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index cd4364b..c744f57 100755 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -127,10 +127,10 @@ Setup VPN clients: https://git.io/vpnclients EOF -printf "Do you want to continue? [y/N] " +printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo echo "Updating VPN users..." echo diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh index 6a68647..17d4f83 100755 --- a/extras/vpnupgrade_alpine.sh +++ b/extras/vpnupgrade_alpine.sh @@ -123,10 +123,10 @@ Note: You already have Libreswan version $SWAN_VER installed! EOF fi - printf "Do you want to continue? [y/N] " + printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo ;; *) diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh index b563e5e..de599ac 100755 --- a/extras/vpnupgrade_amzn.sh +++ b/extras/vpnupgrade_amzn.sh @@ -107,10 +107,10 @@ Note: You already have Libreswan version $SWAN_VER installed! EOF fi - printf "Do you want to continue? [y/N] " + printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo ;; *) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f6fa048..bf7f007 100755 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -125,10 +125,10 @@ Note: You already have Libreswan version $SWAN_VER installed! EOF fi - printf "Do you want to continue? [y/N] " + printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo ;; *) diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh index eec5a5d..4472da4 100755 --- a/extras/vpnupgrade_ubuntu.sh +++ b/extras/vpnupgrade_ubuntu.sh @@ -134,10 +134,10 @@ Note: You already have Libreswan version $SWAN_VER installed! EOF fi - printf "Do you want to continue? [y/N] " + printf "Do you want to continue? [Y/n] " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') echo ;; *) From 26af7deefe308679c7f71dcc8b484a1c20b335ca Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 12:27:26 -0600 Subject: [PATCH 09/20] Update tests --- .github/workflows/test_set_1.yml | 13 +++++++++---- .github/workflows/test_set_2.yml | 13 +++++++++---- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml index cb4ff2e..ae763e4 100644 --- a/.github/workflows/test_set_1.yml +++ b/.github/workflows/test_set_1.yml @@ -208,7 +208,8 @@ jobs: - y + + ANSWERS grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf @@ -226,6 +227,7 @@ jobs: vpnclient vpnclient2 + ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig @@ -237,6 +239,7 @@ jobs: 2 nonexistclient vpnclient2 + ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig @@ -366,6 +369,7 @@ jobs: invaliddns 1.0.0.1 y + ANSWERS grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf @@ -389,7 +393,8 @@ jobs: y 1.1.1.1 - y + + ANSWERS grep -q 'leftid=1.2.3.4' /etc/ipsec.d/ikev2.conf @@ -426,7 +431,7 @@ jobs: for ver in 4.4 ""; do sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh bash vpnup.sh < Date: Sat, 12 Feb 2022 12:27:37 -0600 Subject: [PATCH 10/20] Update docs --- docs/ikev2-howto-zh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index c5d9dbe..375c971 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -358,7 +358,7 @@ sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome ```bash # 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。 # 注:你可能需要输入 import password,它可以在 IKEv2 辅助脚本的输出中找到。 -# 如果在脚本的输出中没有 import password,请按回车键继续。 +# 如果在脚本的输出中没有 import password,请按回车键继续。 openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key From c468f2cd15dfa70397942d0440a8f5ef1ddc71a2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 15:30:22 -0600 Subject: [PATCH 11/20] Update docs --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 375c971..697cb8a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -126,8 +126,6 @@ To customize IKEv2 or client options, run this script without arguments. ### Windows 7, 8, 10 和 11 -**注:** 如果 IKEv2 辅助脚本的输出中没有包含客户端配置文件的密码,请在提示输入密码时按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。 - Windows 8, 10 和 11 用户可以自动导入 IKEv2 配置: 1. 将生成的 `.p12` 文件安全地传送到你的计算机。 @@ -144,6 +142,8 @@ Windows 8, 10 和 11 用户可以自动导入 IKEv2 配置: certutil -f -importpfx ".p12文件的位置和名称" NoExport ``` + **注:** 如果 IKEv2 辅助脚本的输出中没有包含客户端配置文件的密码,请按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。 + 或者,你也可以手动导入 `.p12` 文件。详细步骤请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs)。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8, 10 和 11,推荐从命令提示符运行以下命令创建 VPN 连接,以达到更佳的安全性和性能。Windows 7 不支持这些命令,你可以手动创建 VPN 连接(见下面)。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 5516824..6d7394b 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -126,8 +126,6 @@ To customize IKEv2 or client options, run this script without arguments. ### Windows 7, 8, 10 and 11 -**Note:** If there is no password for client config files in the output of the IKEv2 helper script, press Enter to continue when prompted for the password, or if manually importing the `.p12` file, leave the password field blank. - Windows 8, 10 and 11 users can automatically import IKEv2 configuration: 1. Securely transfer the generated `.p12` file to your computer. @@ -144,6 +142,8 @@ Alternatively, you may manually import IKEv2 configuration. These steps apply to certutil -f -importpfx "\path\to\your\file.p12" NoExport ``` + **Note:** If there is no password for client config files in the output of the IKEv2 helper script, press Enter to continue, or if manually importing the `.p12` file, leave the password field blank. + Alternatively, you can manually import the `.p12` file. Click [here](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs) for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". 1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8, 10 and 11, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance. Windows 7 does not support these commands, you may manually create the VPN connection (see below). From f815d6810a9f11fb86bbe0062836b07957b3d86b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 16:16:46 -0600 Subject: [PATCH 12/20] Update IKEv2 script - Minor improvement for IKEv2 config passwords --- extras/ikev2setup.sh | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 7d1f439..8425331 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -677,20 +677,28 @@ create_client_cert() { } create_p12_password() { - config_file="/etc/ipsec.d/.vpnconfig" - p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") - if [ -z "$p12_password" ]; then - p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 18) - [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file." - mkdir -p /etc/ipsec.d - printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file" - chmod 600 "$config_file" + p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 18) + [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file." +} + +get_p12_password() { + if [ "$use_config_password" = "0" ]; then + create_p12_password + else + config_file="/etc/ipsec.d/.vpnconfig" + p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") + if [ -z "$p12_password" ]; then + create_p12_password + mkdir -p /etc/ipsec.d + printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file" + chmod 600 "$config_file" + fi fi } export_p12_file() { bigecho2 "Creating client configuration..." - create_p12_password + get_p12_password p12_file="$export_dir$client_name.p12" p12_file_enc="$export_dir$client_name.enc.p12" pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1 From a168770482c4c77aa08197e3ea517fb21073fd0f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Feb 2022 23:20:31 -0600 Subject: [PATCH 13/20] Update docs --- .github/ISSUE_TEMPLATE/00-bug-report.md | 2 +- README-zh.md | 79 ++++++++++++++++++++----- README.md | 79 ++++++++++++++++++++----- 3 files changed, 129 insertions(+), 31 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md index b864628..c0c9ff5 100644 --- a/.github/ISSUE_TEMPLATE/00-bug-report.md +++ b/.github/ISSUE_TEMPLATE/00-bug-report.md @@ -17,7 +17,7 @@ assignees: '' - [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself **Describe the issue** diff --git a/README-zh.md b/README-zh.md index a640e5e..6e0f00b 100644 --- a/README-zh.md +++ b/README-zh.md @@ -21,8 +21,8 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - [升级Libreswan](#升级libreswan) - [管理 VPN 用户](#管理-vpn-用户) - [高级用法](#高级用法) -- [问题和反馈](#问题和反馈) - [卸载说明](#卸载说明) +- [问题和反馈](#问题和反馈) - [授权协议](#授权协议) ## 快速开始 @@ -40,7 +40,17 @@ wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
-单击此处查看 VPN 脚本的示例输出(终端记录)。 +或者,你也可以使用 curl 下载并运行脚本。 + + +```bash +curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh +``` +
+ +
+ +单击查看 VPN 脚本的示例输出(终端记录)。 **注:** 此终端记录仅用于演示目的。该记录中的 VPN 凭据 **无效**。 @@ -92,13 +102,15 @@ wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh 要安装 VPN,请从以下选项中选择一个: -**选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示): +
+ +选项 1: 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。 + ```bash wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh ``` - 在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): ```bash @@ -107,8 +119,12 @@ sudo ikev2.sh --auto # 或者你也可以自定义 IKEv2 选项 sudo ikev2.sh ``` +
-**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证: +
+ +选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。 + ```bash wget https://git.io/vpnsetup -qO vpn.sh @@ -119,9 +135,20 @@ sudo sh vpn.sh **注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 -在安装成功之后,推荐 [配置 IKEv2](#ikev2-setup-note)。 +在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): -**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量: +```bash +# 使用默认选项配置 IKEv2 +sudo ikev2.sh --auto +# 或者你也可以自定义 IKEv2 选项 +sudo ikev2.sh +``` +
+ +
+ +选项 3: 将你自己的 VPN 登录凭证定义为环境变量。 + ```bash # 所有变量值必须用 '单引号' 括起来 @@ -133,9 +160,30 @@ VPN_PASSWORD='你的VPN密码' \ sh vpn.sh ``` -在安装成功之后,推荐 [配置 IKEv2](#ikev2-setup-note)。 +在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): -**注:** 如果无法通过 `wget` 下载,你也可以打开 [vpnsetup.sh](vpnsetup.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl/Cmd + A` 全选, `Ctrl/Cmd + C` 复制,然后粘贴到你喜欢的编辑器。 +```bash +# 使用默认选项配置 IKEv2 +sudo ikev2.sh --auto +# 或者你也可以自定义 IKEv2 选项 +sudo ikev2.sh +``` +
+ +
+ +如果无法通过 wget 下载,点这里查看解决方案。 + + +你也可以使用 curl 下载。例如: + +```bash +curl -fsSL https://git.io/vpnsetup -o vpn.sh +sudo sh vpn.sh +``` + +或者,你也可以打开 [vpnsetup.sh](vpnsetup.sh),然后点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。 +
## 下一步 @@ -204,12 +252,6 @@ wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh - [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) - [部署 Google BBR 拥塞控制算法](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制算法) -## 问题和反馈 - -- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。 -- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。 -- 如果你发现了一个可重复的程序漏洞,请提交一个 [GitHub Issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue)。 - ## 卸载说明 请参见 [卸载 VPN](docs/uninstall-zh.md)。 @@ -217,6 +259,13 @@ wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh - [使用辅助脚本卸载 VPN](docs/uninstall-zh.md#使用辅助脚本卸载-vpn) - [手动卸载 VPN](docs/uninstall-zh.md#手动卸载-vpn) +## 问题和反馈 + +- 如果你对文档或 VPN 脚本有改进建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。 +- 如果你发现了一个可重复的程序漏洞,请提交一个 [错误报告](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose)。 +- 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。 +- VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。 + ## 授权协议 版权所有 (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) diff --git a/README.md b/README.md index d77df99..be6be2d 100644 --- a/README.md +++ b/README.md @@ -21,8 +21,8 @@ We will use [Libreswan](https://libreswan.org/) as the IPsec server, and [xl2tpd - [Upgrade Libreswan](#upgrade-libreswan) - [Manage VPN users](#manage-vpn-users) - [Advanced usage](#advanced-usage) -- [Bugs & Questions](#bugs--questions) - [Uninstallation](#uninstallation) +- [Feedback & Questions](#feedback--questions) - [License](#license) ## Quick start @@ -40,7 +40,17 @@ Your VPN login details will be randomly generated, and displayed on the screen w
-Click here to see the VPN script in action (terminal recording). +Alternative one-liner using curl instead of wget. + + +```bash +curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh +``` +
+ +
+ +Click to see the VPN script in action (terminal recording). **Note:** This recording is for demo purposes only. VPN credentials in this recording are **NOT** valid. @@ -92,13 +102,15 @@ First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade To install the VPN, please choose one of the following options: -**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished): +
+ +Option 1: Have the script generate random VPN credentials for you (will be displayed when finished). + ```bash wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh ``` - After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): ```bash @@ -107,8 +119,12 @@ sudo ikev2.sh --auto # Alternatively, you may customize IKEv2 options sudo ikev2.sh ``` +
-**Option 2:** Edit the script and provide your own VPN credentials: +
+ +Option 2: Edit the script and provide your own VPN credentials. + ```bash wget https://git.io/vpnsetup -qO vpn.sh @@ -119,9 +135,20 @@ sudo sh vpn.sh **Note:** A secure IPsec PSK should consist of at least 20 random characters. -After successful installation, it is recommended to [set up IKEv2](#ikev2-setup-note). +After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): -**Option 3:** Define your VPN credentials as environment variables: +```bash +# Set up IKEv2 using default options +sudo ikev2.sh --auto +# Alternatively, you may customize IKEv2 options +sudo ikev2.sh +``` +
+ +
+ +Option 3: Define your VPN credentials as environment variables. + ```bash # All values MUST be placed inside 'single quotes' @@ -133,9 +160,30 @@ VPN_PASSWORD='your_vpn_password' \ sh vpn.sh ``` -After successful installation, it is recommended to [set up IKEv2](#ikev2-setup-note). +After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): -**Note:** If unable to download via `wget`, you may also open [vpnsetup.sh](vpnsetup.sh), then click the **`Raw`** button on the right. Press `Ctrl/Cmd + A` to select all, `Ctrl/Cmd + C` to copy, then paste into your favorite editor. +```bash +# Set up IKEv2 using default options +sudo ikev2.sh --auto +# Alternatively, you may customize IKEv2 options +sudo ikev2.sh +``` +
+ +
+ +Click here if you are unable to download using wget. + + +You may also use curl to download. For example: + +```bash +curl -fsSL https://git.io/vpnsetup -o vpn.sh +sudo sh vpn.sh +``` + +Alternatively, you may open [vpnsetup.sh](vpnsetup.sh), then click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor. +
## Next steps @@ -204,12 +252,6 @@ See [Advanced usage](docs/advanced-usage.md). - [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) - [Deploy Google BBR congestion control algorithm](docs/advanced-usage.md#deploy-google-bbr-congestion-control-algorithm) -## Bugs & Questions - -- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread). -- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup). -- If you found a reproducible bug, open a [GitHub Issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) to submit a bug report. - ## Uninstallation See [Uninstall the VPN](docs/uninstall.md). @@ -217,6 +259,13 @@ See [Uninstall the VPN](docs/uninstall.md). - [Uninstall using helper script](docs/uninstall.md#uninstall-using-helper-script) - [Manually uninstall the VPN](docs/uninstall.md#manually-uninstall-the-vpn) +## Feedback & Questions + +- Have an improvement suggestion for documentation or VPN scripts? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome. +- If you found a reproducible bug, please file a [Bug report](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). +- Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread). +- Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup). + ## License Copyright (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) From 34ece8bdc4c4277df2b910e4708be11f12332ca2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 Feb 2022 10:38:49 -0600 Subject: [PATCH 14/20] Update docs --- README-zh.md | 20 ++++++++++---------- README.md | 16 ++++++++-------- docs/bbr-zh.md | 2 +- docs/bbr.md | 2 +- docs/ikev2-howto-zh.md | 6 +++--- docs/ikev2-howto.md | 6 +++--- 6 files changed, 26 insertions(+), 26 deletions(-) diff --git a/README-zh.md b/README-zh.md index 6e0f00b..677b073 100644 --- a/README-zh.md +++ b/README-zh.md @@ -40,7 +40,7 @@ wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
-或者,你也可以使用 curl 下载并运行脚本。 +或者,你也可以使用 curl 下载。 ```bash @@ -50,7 +50,7 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
-单击查看 VPN 脚本的示例输出(终端记录)。 +查看 VPN 脚本的示例输出(终端记录)。 **注:** 此终端记录仅用于演示目的。该记录中的 VPN 凭据 **无效**。 @@ -74,8 +74,8 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以下操作系统之一: -- Ubuntu 20.04 (Focal) 或者 18.04 (Bionic) -- Debian 11 (Bullseye)[\*](#debian-10-note), 10 (Buster)[\*](#debian-10-note) 或者 9 (Stretch) +- Ubuntu 20.04 或者 18.04 +- Debian 11[\*](#debian-10-note), 10[\*](#debian-10-note) 或者 9 - CentOS 7, Rocky Linux 8 或者 AlmaLinux 8[\*\*](#centos-8-note) - Red Hat Enterprise Linux (RHEL) 8 或者 7 - Amazon Linux 2 @@ -90,9 +90,9 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh 另外,你也可以使用预构建的 [Docker 镜像](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)。高级用户可以在 [Raspberry Pi](https://www.raspberrypi.org) 上安装。[[1]](https://elasticbyte.net/posts/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/) [[2]](https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/) -\* Debian 11/10 用户需要[使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。 +\* Debian 11/10 用户需要 [使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。 -\*\* 对 CentOS Linux 8 的支持[已经结束](https://www.centos.org/centos-linux-eol/)。你可以另外使用比如 Rocky Linux 或者 AlmaLinux。 +\*\* 对 CentOS Linux 8 的支持 [已经结束](https://www.centos.org/centos-linux-eol/)。你可以另外使用比如 Rocky Linux 或者 AlmaLinux。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! @@ -175,14 +175,14 @@ sudo ikev2.sh 如果无法通过 wget 下载,点这里查看解决方案。 -你也可以使用 curl 下载。例如: +你也可以使用 `curl` 下载。例如: ```bash curl -fsSL https://git.io/vpnsetup -o vpn.sh sudo sh vpn.sh ``` -或者,你也可以打开 [vpnsetup.sh](vpnsetup.sh),然后点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。 +或者,打开 [vpnsetup.sh](vpnsetup.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
## 下一步 @@ -205,7 +205,7 @@ sudo sh vpn.sh **Windows 用户** 对于 IPsec/L2TP 模式,在首次连接之前需要 [修改注册表](docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器或客户端与 NAT(比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器,你必须使用 [IKEv2](docs/ikev2-howto-zh.md) 或者 [IPsec/XAuth](docs/clients-xauth-zh.md) 模式。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要连接在同一个 NAT(比如家用路由器)后面的多个设备,你必须使用 [IKEv2](docs/ikev2-howto-zh.md) 或者 [IPsec/XAuth](docs/clients-xauth-zh.md) 模式。 要查看或更改 VPN 用户账户,请参见 [管理 VPN 用户](docs/manage-users-zh.md)。该文档包含辅助脚本,以方便管理 VPN 用户。 @@ -262,7 +262,7 @@ wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh ## 问题和反馈 - 如果你对文档或 VPN 脚本有改进建议,请提交一个 [改进建议](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose),或者欢迎提交 [Pull request](https://github.com/hwdsl2/setup-ipsec-vpn/pulls)。 -- 如果你发现了一个可重复的程序漏洞,请提交一个 [错误报告](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose)。 +- 如果你发现了一个可重复的程序漏洞,请为 [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) 或者 [VPN 脚本](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose) 提交一个错误报告。 - 有问题需要提问?请先搜索 [已有的 issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) 以及在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 和 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread) 上已有的留言。 - VPN 的相关问题可在 [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) 或 [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) 邮件列表提问,或者参考这些网站:[[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup)。 diff --git a/README.md b/README.md index be6be2d..ff76e67 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w
-Alternative one-liner using curl instead of wget. +Alternative one-liner using curl. ```bash @@ -50,7 +50,7 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
-Click to see the VPN script in action (terminal recording). +See the VPN script in action (terminal recording). **Note:** This recording is for demo purposes only. VPN credentials in this recording are **NOT** valid. @@ -74,8 +74,8 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is A dedicated server or virtual private server (VPS), freshly installed with one of the following OS: -- Ubuntu 20.04 (Focal) or 18.04 (Bionic) -- Debian 11 (Bullseye)[\*](#debian-10-note), 10 (Buster)[\*](#debian-10-note) or 9 (Stretch) +- Ubuntu 20.04 or 18.04 +- Debian 11[\*](#debian-10-note), 10[\*](#debian-10-note) or 9 - CentOS 7, Rocky Linux 8 or AlmaLinux 8[\*\*](#centos-8-note) - Red Hat Enterprise Linux (RHEL) 8 or 7 - Amazon Linux 2 @@ -175,14 +175,14 @@ sudo ikev2.sh Click here if you are unable to download using wget. -You may also use curl to download. For example: +You may also use `curl` to download. For example: ```bash curl -fsSL https://git.io/vpnsetup -o vpn.sh sudo sh vpn.sh ``` -Alternatively, you may open [vpnsetup.sh](vpnsetup.sh), then click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor. +Alternatively, open [vpnsetup.sh](vpnsetup.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
## Next steps @@ -205,7 +205,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: **Windows users**: For IPsec/L2TP mode, a [one-time registry change](docs/clients.md#windows-error-809) is required if the VPN server or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use [IKEv2](docs/ikev2-howto.md) or [IPsec/XAuth](docs/clients-xauth.md) mode. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices from behind the same NAT (e.g. home router), you must use [IKEv2](docs/ikev2-howto.md) or [IPsec/XAuth](docs/clients-xauth.md) mode. To view or update VPN user accounts, see [Manage VPN users](docs/manage-users.md). Helper scripts are included for convenience. @@ -262,7 +262,7 @@ See [Uninstall the VPN](docs/uninstall.md). ## Feedback & Questions - Have an improvement suggestion for documentation or VPN scripts? Open an [Enhancement request](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). [Pull requests](https://github.com/hwdsl2/setup-ipsec-vpn/pulls) are also welcome. -- If you found a reproducible bug, please file a [Bug report](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). +- If you found a reproducible bug, open a bug report for the [IPsec VPN](https://github.com/libreswan/libreswan/issues?q=is%3Aissue) or for the [VPN scripts](https://github.com/hwdsl2/setup-ipsec-vpn/issues/new/choose). - Got a question? Please first search [existing issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) and comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread). - Ask VPN related questions on the [Libreswan](https://lists.libreswan.org/mailman/listinfo/swan) or [strongSwan](https://lists.strongswan.org/mailman/listinfo/users) mailing list, or read these wikis: [[1]](https://libreswan.org/wiki/Main_Page) [[2]](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks) [[3]](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation) [[4]](https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server) [[5]](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup). diff --git a/docs/bbr-zh.md b/docs/bbr-zh.md index 3ceb6bf..1312595 100644 --- a/docs/bbr-zh.md +++ b/docs/bbr-zh.md @@ -107,6 +107,6 @@ Amazon Linux 2提供过经过验证的新版Linux内核,并可以通过启用 # tcp_bbr 16384 0 ``` -## 作者 +## 文档作者 版权所有 (C) 2022 [Leo Liu](https://github.com/optimusleobear) diff --git a/docs/bbr.md b/docs/bbr.md index 3ed620f..40bb221 100644 --- a/docs/bbr.md +++ b/docs/bbr.md @@ -107,7 +107,7 @@ In this section, we will start Google BBR by modifying the configuration file. # tcp_bbr 16384 0 ``` -## Author +## Document author Copyright (C) 2022 [Leo Liu](https://github.com/optimusleobear) Translated by [Lin Song](https://github.com/hwdsl2) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 697cb8a..b1fa63a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -706,7 +706,7 @@ sudo ikev2.sh --revokeclient [client name] 1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书。 - **注:** 你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 + **注:** 你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。如需连接多个客户端,则必须为每个客户端生成唯一的证书。 生成客户端证书: @@ -792,9 +792,9 @@ sudo ikev2.sh --revokeclient [client name] ### 无法同时连接多个 IKEv2 客户端 -如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 +如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 -如果你无法同时连接同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 +如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 ### 其它已知问题 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 6d7394b..e5dbdd3 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -708,7 +708,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate. - **Note:** You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. + **Note:** You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. To connect multiple VPN clients, you must generate a unique certificate for each. Generate client certificate: @@ -794,9 +794,9 @@ Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helpe ### Unable to connect multiple IKEv2 clients -To connect multiple IKEv2 clients simultaneously, you must [generate a unique certificate](#add-a-client-certificate) for each. +To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. -If you are unable to connect multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. +If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. ### Other known issues From 444403ba10df64d6514104cf68a5c7c573384d26 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 Feb 2022 23:41:35 -0600 Subject: [PATCH 15/20] Add IKEv2 change address helper script - New: IKEv2 change address helper script. This script can be used to change the IKEv2 VPN server's address. --- extras/ikev2changeaddr.sh | 320 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 320 insertions(+) create mode 100755 extras/ikev2changeaddr.sh diff --git a/extras/ikev2changeaddr.sh b/extras/ikev2changeaddr.sh new file mode 100755 index 0000000..225b1e3 --- /dev/null +++ b/extras/ikev2changeaddr.sh @@ -0,0 +1,320 @@ +#!/bin/bash +# +# Script to change IKEv2 VPN server address +# +# The latest version of this script is available at: +# https://github.com/hwdsl2/setup-ipsec-vpn +# +# Copyright (C) 2022 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +exiterr() { echo "Error: $1" >&2; exit 1; } +bigecho() { echo "## $1"; } + +check_ip() { + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" +} + +check_dns_name() { + FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$' + printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX" +} + +check_root() { + if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo bash $0'" + fi +} + +check_os() { + os_type=centos + rh_file="/etc/redhat-release" + if grep -qs "Red Hat" "$rh_file"; then + os_type=rhel + fi + if grep -qs "release 7" "$rh_file"; then + os_ver=7 + elif grep -qs "release 8" "$rh_file"; then + os_ver=8 + grep -qi stream "$rh_file" && os_ver=8s + grep -qi rocky "$rh_file" && os_type=rocky + grep -qi alma "$rh_file" && os_type=alma + elif grep -qs "Amazon Linux release 2" /etc/system-release; then + os_type=amzn + os_ver=2 + else + os_type=$(lsb_release -si 2>/dev/null) + [ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") + case $os_type in + [Uu]buntu) + os_type=ubuntu + ;; + [Dd]ebian) + os_type=debian + ;; + [Rr]aspbian) + os_type=raspbian + ;; + [Aa]lpine) + os_type=alpine + ;; + *) +cat 1>&2 <<'EOF' +Error: This script only supports one of the following OS: + Ubuntu, Debian, CentOS/RHEL 7/8, Rocky Linux, AlmaLinux, + Amazon Linux 2 or Alpine Linux +EOF + exit 1 + ;; + esac + if [ "$os_type" = "alpine" ]; then + os_ver=$(. /etc/os-release && printf '%s' "$VERSION_ID" | cut -d '.' -f 1,2) + if [ "$os_ver" != "3.14" ] && [ "$os_ver" != "3.15" ]; then + exiterr "This script only supports Alpine Linux 3.14/3.15." + fi + else + os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') + fi + fi +} + +check_libreswan() { + ipsec_ver=$(ipsec --version 2>/dev/null) + if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ + || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then +cat 1>&2 <<'EOF' +Error: This script can only be used with an IPsec server created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 + fi +} + +check_ikev2() { + if ! grep -qs "conn ikev2-cp" /etc/ipsec.d/ikev2.conf; then +cat 1>&2 <<'EOF' +Error: You must first set up IKEv2 before changing IKEv2 server address. + See: https://git.io/ikev2 +EOF + exit 1 + fi +} + +check_utils_exist() { + command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort." +} + +abort_and_exit() { + echo "Abort. No changes were made." >&2 + exit 1 +} + +confirm_or_abort() { + printf '%s' "$1" + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + ;; + *) + abort_and_exit + ;; + esac +} + +check_cert_exists() { + certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1 +} + +check_ca_cert_exists() { + check_cert_exists "IKEv2 VPN CA" || exiterr "Certificate 'IKEv2 VPN CA' does not exist. Abort." +} + +get_server_address() { + server_addr_old=$(grep -s "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=) + [ -z "$server_addr_old" ] && server_addr_old=$(grep -s "leftcert=" /etc/ipsec.conf | cut -f2 -d=) + check_ip "$server_addr_old" || check_dns_name "$server_addr_old" || exiterr "Could not get current VPN server address." +} + +show_welcome() { +cat <&2 + echo "Error: IKEv2 server address is already '$server_addr'. Nothing to do." >&2 + abort_and_exit + fi +} + +confirm_changes() { +cat </dev/null 2>&1 || exiterr "Failed to create server certificate." + else + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$server_addr" \ + -s "O=IKEv2 VPN,CN=$server_addr" \ + -k rsa -g 3072 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate." + fi + fi +} + +update_ikev2_conf() { + bigecho "Updating IKEv2 configuration..." + if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then + echo >> /etc/ipsec.conf + echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf + fi + sed -i -e "/^[[:space:]]\+leftcert=/d" \ + -e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf + if [ "$use_dns_name" = "1" ]; then + sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf + else + sed -i "/conn ikev2-cp/a \ leftid=$server_addr" /etc/ipsec.d/ikev2.conf + fi + sed -i "/conn ikev2-cp/a \ leftcert=$server_addr" /etc/ipsec.d/ikev2.conf +} + +restart_ipsec_service() { + bigecho "Restarting IPsec service..." + mkdir -p /run/pluto + service ipsec restart 2>/dev/null +} + +print_client_info() { +cat </dev/null + else + restart_ipsec_service + fi + print_client_info +} + +## Defer until we have the complete script +ikev2changeaddr "$@" + +exit 0 From ddb6a65b828e9ca30fee5344b8e1566620872cae Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 14 Feb 2022 00:37:18 -0600 Subject: [PATCH 16/20] Update docs --- README-zh.md | 4 ++-- README.md | 4 ++-- docs/advanced-usage-zh.md | 4 ++-- docs/advanced-usage.md | 4 ++-- docs/ikev2-howto-zh.md | 27 ++++++++++++++++++++++++--- docs/ikev2-howto.md | 27 ++++++++++++++++++++++++--- docs/manage-users-zh.md | 6 +++--- docs/manage-users.md | 6 +++--- docs/uninstall-zh.md | 2 +- docs/uninstall.md | 2 +- 10 files changed, 64 insertions(+), 22 deletions(-) diff --git a/README-zh.md b/README-zh.md index 677b073..2e8e267 100644 --- a/README-zh.md +++ b/README-zh.md @@ -127,7 +127,7 @@ sudo ikev2.sh ```bash -wget https://git.io/vpnsetup -qO vpn.sh +wget https://git.io/vpnsetup -nv -O vpn.sh nano -w vpn.sh [替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD] sudo sh vpn.sh @@ -153,7 +153,7 @@ sudo ikev2.sh ```bash # 所有变量值必须用 '单引号' 括起来 # *不要* 在值中使用这些字符: \ " ' -wget https://git.io/vpnsetup -qO vpn.sh +wget https://git.io/vpnsetup -nv -O vpn.sh sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' \ diff --git a/README.md b/README.md index ff76e67..abb813f 100644 --- a/README.md +++ b/README.md @@ -127,7 +127,7 @@ Option 2: Edit the script and provide your own VPN credentials. ```bash -wget https://git.io/vpnsetup -qO vpn.sh +wget https://git.io/vpnsetup -nv -O vpn.sh nano -w vpn.sh [Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD] sudo sh vpn.sh @@ -153,7 +153,7 @@ Option 3: Define your VPN credentials as environment variables. ```bash # All values MUST be placed inside 'single quotes' # DO NOT use these special characters within values: \ " ' -wget https://git.io/vpnsetup -qO vpn.sh +wget https://git.io/vpnsetup -nv -O vpn.sh sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' \ diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index eca4123..b4d157e 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md @@ -29,7 +29,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto 对于 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后,VPN 会继续正常工作,虽然可能需要重启服务器。 -对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下: +对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,参见 [这一小节](ikev2-howto-zh.md#更改-ikev2-服务器地址)。或者,你也可以在 [配置 IKEv2](ikev2-howto-zh.md#使用辅助脚本配置-ikev2) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto @@ -45,7 +45,7 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto ```bash # 下载脚本 -wget -qO ikev2onlymode.sh https://bit.ly/ikev2onlymode +wget -nv -O ikev2onlymode.sh https://bit.ly/ikev2onlymode # 运行脚本并按提示操作 sudo bash ikev2onlymode.sh ``` diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index cc1da6c..67a01bd 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -29,7 +29,7 @@ In certain circumstances, you may want VPN clients to use the specified DNS serv For [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required. -For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example: +For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, read [this section](ikev2-howto.md#change-ikev2-server-address). Alternatively, you may specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md#set-up-ikev2-using-helper-script). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto @@ -45,7 +45,7 @@ To enable IKEv2-only mode, first install the VPN server and set up IKEv2 using i ```bash # Download the script -wget -qO ikev2onlymode.sh https://bit.ly/ikev2onlymode +wget -nv -O ikev2onlymode.sh https://bit.ly/ikev2onlymode # Run the script and follow the prompts sudo bash ikev2onlymode.sh ``` diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index b1fa63a..5e96b67 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -10,6 +10,7 @@ * [管理客户端证书](#管理客户端证书) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [故障排除](#故障排除) +* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [移除 IKEv2](#移除-ikev2) * [参考链接](#参考链接) @@ -50,7 +51,7 @@ sudo ikev2.sh 如果你使用了较早版本的 VPN 安装脚本,这是正常的。首先下载 IKEv2 辅助脚本: ```bash -wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin ``` @@ -87,13 +88,20 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 ```bash -wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null ```
-单击此处查看 IKEv2 脚本的使用信息。 +了解如何在配置 IKEv2 之后更改服务器地址。 + + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。参见 [这一小节](#更改-ikev2-服务器地址)。 +
+
+ +查看 IKEv2 脚本的使用信息。 ``` @@ -801,6 +809,19 @@ sudo ikev2.sh --revokeclient [client name] 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 +## 更改 IKEv2 服务器地址 + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 + +```bash +# 下载脚本 +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# 运行脚本并按照提示操作 +sudo bash ikev2changeaddr.sh +``` + +**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 + ## 移除 IKEv2 如果你想要从 VPN 服务器移除 IKEv2,但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本配置-ikev2) 并选择 "Remove IKEv2" 选项。**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**! diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index e5dbdd3..611f9f5 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -10,6 +10,7 @@ * [Manage client certificates](#manage-client-certificates) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Troubleshooting](#troubleshooting) +* [Change IKEv2 server address](#change-ikev2-server-address) * [Remove IKEv2](#remove-ikev2) * [References](#references) @@ -50,7 +51,7 @@ Error: "sudo: ikev2.sh: command not found". This is normal if you used an older version of the VPN setup script. First, download the IKEv2 helper script: ```bash -wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin ``` @@ -87,13 +88,20 @@ Learn how to update the IKEv2 helper script on your server. The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. ```bash -wget https://git.io/ikev2setup -qO /opt/src/ikev2.sh +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null ```
-Click here to view usage information for the IKEv2 script. +Learn how to change server address after IKEv2 setup. + + +In certain circumstances, you may need to change the IKEv2 server address after setup. Learn more in [this section](#change-ikev2-server-address). +
+
+ +View usage information for the IKEv2 script. ``` @@ -803,6 +811,19 @@ If you are unable to connect multiple IKEv2 clients from behind the same NAT (e. 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. 1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. +## Change IKEv2 server address + +In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. + +```bash +# Download the script +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# Run the script and follow the prompts +sudo bash ikev2changeaddr.sh +``` + +**Important:** After running this script, you must manually update the server address on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). + ## Remove IKEv2 If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#set-up-ikev2-using-helper-script) again and select the "Remove IKEv2" option. **Warning:** All IKEv2 configuration including certificates and keys will be **permanently deleted**. This **cannot be undone**! diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 51a4cf2..67f7c48 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -52,7 +52,7 @@ service xl2tpd restart ```bash # 下载脚本 -wget -qO add_vpn_user.sh https://bit.ly/addvpnuser +wget -nv -O add_vpn_user.sh https://bit.ly/addvpnuser # 运行脚本并按提示操作 sudo bash add_vpn_user.sh ``` @@ -73,7 +73,7 @@ sudo bash add_vpn_user.sh '要更新的用户名' '新密码' ```bash # 下载脚本 -wget -qO del_vpn_user.sh https://bit.ly/delvpnuser +wget -nv -O del_vpn_user.sh https://bit.ly/delvpnuser # 运行脚本并按提示操作 sudo bash del_vpn_user.sh ``` @@ -92,7 +92,7 @@ sudo bash del_vpn_user.sh '要删除的用户名' ```bash # 下载脚本 -wget -qO update_vpn_users.sh https://bit.ly/updatevpnusers +wget -nv -O update_vpn_users.sh https://bit.ly/updatevpnusers ``` 要使用这个脚本,从以下选项中选择一个: diff --git a/docs/manage-users.md b/docs/manage-users.md index 7ad25e9..ce7d5ce 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -52,7 +52,7 @@ Add a new VPN user, or update an existing VPN user with a new password. ```bash # Download the script -wget -qO add_vpn_user.sh https://bit.ly/addvpnuser +wget -nv -O add_vpn_user.sh https://bit.ly/addvpnuser # Run the script and follow the prompts sudo bash add_vpn_user.sh ``` @@ -73,7 +73,7 @@ Delete the specified VPN user. ```bash # Download the script -wget -qO del_vpn_user.sh https://bit.ly/delvpnuser +wget -nv -O del_vpn_user.sh https://bit.ly/delvpnuser # Run the script and follow the prompts sudo bash del_vpn_user.sh ``` @@ -92,7 +92,7 @@ Remove all existing VPN users and replace with the list of users you specify. ```bash # Download the script -wget -qO update_vpn_users.sh https://bit.ly/updatevpnusers +wget -nv -O update_vpn_users.sh https://bit.ly/updatevpnusers ``` To use this script, choose one of the following options: diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 0c709a5..fa8f01d 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -10,7 +10,7 @@ **警告:** 此[辅助脚本](../extras/vpnuninstall.sh)将从你的服务器中删除 IPsec VPN。所有的 VPN 配置将被**永久删除**,并且 Libreswan 和 xl2tpd 将被移除。此操作**不可撤销**! ```bash -wget https://git.io/vpnuninstall -qO vpnunst.sh +wget https://git.io/vpnuninstall -nv -O vpnunst.sh sudo bash vpnunst.sh ``` diff --git a/docs/uninstall.md b/docs/uninstall.md index 09de1f9..a0014e9 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -10,7 +10,7 @@ **Warning:** This [helper script](../extras/vpnuninstall.sh) will remove IPsec VPN from your server. All VPN configuration will be **permanently deleted**, and Libreswan and xl2tpd will be removed. This **cannot be undone**! ```bash -wget https://git.io/vpnuninstall -qO vpnunst.sh +wget https://git.io/vpnuninstall -nv -O vpnunst.sh sudo bash vpnunst.sh ``` From 7c0d08442ed3fa244a9211d4682040e8fb139db4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 14 Feb 2022 03:46:06 -0600 Subject: [PATCH 17/20] Update IKEv2 script - Improve backward compatibility: Protect IKEv2 client config files using a password if one was previously generated. - Ref: dbc3527 --- extras/ikev2setup.sh | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 8425331..87adb23 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -577,23 +577,35 @@ EOF fi } +check_config_password() { + config_file="/etc/ipsec.d/.vpnconfig" + if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then + use_config_password=1 + else + use_config_password=0 + fi +} + select_config_password() { + if [ "$use_config_password" = "0" ]; then cat <<'EOF' IKEv2 client config files contain the client certificate, private key and CA certificate. This script can optionally generate a random password to protect these files. +Future client config files will also be protected using the same password. EOF - printf "Protect client config files using a password? [y/N] " - read -r response - case $response in - [yY][eE][sS]|[yY]) - use_config_password=1 - ;; - *) - use_config_password=0 - ;; - esac + printf "Protect client config files using a password? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + use_config_password=1 + ;; + *) + use_config_password=0 + ;; + esac + fi } select_menu_option() { @@ -1273,7 +1285,6 @@ ikev2setup() { check_utils_exist use_defaults=0 - use_config_password=0 add_client=0 export_client=0 list_clients=0 @@ -1321,6 +1332,7 @@ ikev2setup() { done check_arguments + check_config_password get_export_dir if [ "$add_client" = "1" ]; then From f072e8312a1f9f491788cd21b499e7434ff6ad4f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 14 Feb 2022 23:45:13 -0600 Subject: [PATCH 18/20] Update IKEv2 script - Cleanup --- extras/ikev2setup.sh | 398 +++++++++++++++++++++---------------------- 1 file changed, 195 insertions(+), 203 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 87adb23..7336144 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -38,6 +38,13 @@ check_root() { fi } +check_container() { + in_container=0 + if grep -qs "hwdsl2" /opt/src/run.sh; then + in_container=1 + fi +} + check_os() { os_type=centos os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') @@ -91,6 +98,37 @@ EOF fi } +check_libreswan() { + ipsec_ver=$(ipsec --version 2>/dev/null) + if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ + || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then +cat 1>&2 <<'EOF' +Error: Your must first set up the IPsec VPN server before setting up IKEv2. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 + fi +} + +check_swan_ver() { + swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') + if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then +cat 1>&2 </dev/null 2>&1 || exiterr "'certutil' not found. Abort." + command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort." + command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort." +} + abort_and_exit() { echo "Abort. No changes were made." >&2 exit 1 @@ -109,48 +147,10 @@ confirm_or_abort() { esac } -check_libreswan() { - ipsec_ver=$(ipsec --version 2>/dev/null) - swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') - if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ - || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then -cat 1>&2 <<'EOF' -Error: Your must first set up the IPsec VPN server before setting up IKEv2. - See: https://github.com/hwdsl2/setup-ipsec-vpn -EOF - exit 1 - fi -} - -check_swan_ver() { - if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then -cat 1>&2 </dev/null 2>&1 || exiterr "'certutil' not found. Abort." - command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort." - command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort." -} - -check_container() { - in_container=0 - if grep -qs "hwdsl2" /opt/src/run.sh; then - in_container=1 - fi -} - show_header() { cat <<'EOF' -IKEv2 Script Copyright (c) 2020-2022 Lin Song 12 Feb 2022 +IKEv2 Script Copyright (c) 2020-2022 Lin Song 15 Feb 2022 EOF } @@ -179,7 +179,7 @@ EOF } check_ikev2_exists() { - grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ] + grep -qs "conn ikev2-cp" "$IPSEC_CONF" || [ -f "$IKEV2_CONF" ] } check_client_name() { @@ -188,49 +188,61 @@ check_client_name() { } check_cert_exists() { - certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1 + certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1 } check_cert_exists_and_exit() { - if certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1; then + if certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1; then echo "Error: Certificate '$1' already exists." >&2 abort_and_exit fi } check_cert_status() { - cert_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$1") + cert_status=$(certutil -V -u C -d "$CERT_DB" -n "$1") } check_arguments() { - if [ "$use_defaults" = "1" ]; then - if check_ikev2_exists; then - echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2 - fi + if [ "$use_defaults" = "1" ] && check_ikev2_exists; then + echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2 fi if [ "$((add_client + export_client + list_clients + revoke_client))" -gt 1 ]; then show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients' or '--revokeclient'." fi + if [ "$remove_ikev2" = "1" ]; then + if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then + show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters." + fi + fi + if ! check_ikev2_exists; then + [ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client." + [ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client." + [ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients." + [ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client certificate." + [ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server." + fi if [ "$add_client" = "1" ]; then - check_ikev2_exists || exiterr "You must first set up IKEv2 before adding a client." if [ -z "$client_name" ] || ! check_client_name "$client_name"; then exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." elif check_cert_exists "$client_name"; then exiterr "Invalid client name. Client '$client_name' already exists." fi fi - if [ "$export_client" = "1" ]; then - check_ikev2_exists || exiterr "You must first set up IKEv2 before exporting a client." + if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ]; then get_server_address if [ -z "$client_name" ] || ! check_client_name "$client_name" \ - || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \ + || [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \ || ! check_cert_exists "$client_name"; then exiterr "Invalid client name, or client does not exist." fi if ! check_cert_status "$client_name"; then printf '%s' "Error: Certificate '$client_name' " >&2 if printf '%s' "$cert_status" | grep -q "revoked"; then - echo "has been revoked." >&2 + if [ "$revoke_client" = "1" ]; then + echo "has already been revoked." >&2 + else + echo "has been revoked." >&2 + fi elif printf '%s' "$cert_status" | grep -q "expired"; then echo "has expired." >&2 else @@ -239,35 +251,6 @@ check_arguments() { exit 1 fi fi - if [ "$list_clients" = "1" ]; then - check_ikev2_exists || exiterr "You must first set up IKEv2 before listing clients." - fi - if [ "$revoke_client" = "1" ]; then - check_ikev2_exists || exiterr "You must first set up IKEv2 before revoking a client certificate." - get_server_address - if [ -z "$client_name" ] || ! check_client_name "$client_name" \ - || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \ - || ! check_cert_exists "$client_name"; then - exiterr "Invalid client name, or client does not exist." - fi - if ! check_cert_status "$client_name"; then - printf '%s' "Error: Certificate '$client_name' " >&2 - if printf '%s' "$cert_status" | grep -q "revoked"; then - echo "has already been revoked." >&2 - elif printf '%s' "$cert_status" | grep -q "expired"; then - echo "has expired." >&2 - else - echo "is invalid." >&2 - fi - exit 1 - fi - fi - if [ "$remove_ikev2" = "1" ]; then - check_ikev2_exists || exiterr "Cannot remove IKEv2 because it has not been set up on this server." - if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then - show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters." - fi - fi } check_server_dns_name() { @@ -283,9 +266,50 @@ check_custom_dns() { fi } +check_and_set_client_name() { + if [ -n "$VPN_CLIENT_NAME" ]; then + client_name="$VPN_CLIENT_NAME" + check_client_name "$client_name" \ + || exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." + else + client_name=vpnclient + fi + check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists." +} + +set_server_address() { + if [ -n "$VPN_DNS_NAME" ]; then + use_dns_name=1 + server_addr="$VPN_DNS_NAME" + else + use_dns_name=0 + get_server_ip + check_ip "$public_ip" || exiterr "Cannot detect this server's public IP." + server_addr="$public_ip" + fi + check_cert_exists_and_exit "$server_addr" +} + +set_dns_servers() { + if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then + dns_server_1="$VPN_DNS_SRV1" + dns_server_2="$VPN_DNS_SRV2" + dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2" + elif [ -n "$VPN_DNS_SRV1" ]; then + dns_server_1="$VPN_DNS_SRV1" + dns_server_2="" + dns_servers="$VPN_DNS_SRV1" + else + dns_server_1=8.8.8.8 + dns_server_2=8.8.4.4 + dns_servers="8.8.8.8 8.8.4.4" + fi +} + show_welcome() { cat <<'EOF' Welcome! Use this script to set up IKEv2 on your IPsec VPN server. + I need to ask you a few questions before starting setup. You can use the default options and just press enter if you are OK with them. @@ -341,15 +365,15 @@ get_server_ip() { } get_server_address() { - server_addr=$(grep -s "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=) - [ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" /etc/ipsec.conf | cut -f2 -d=) + server_addr=$(grep -s "leftcert=" "$IKEV2_CONF" | cut -f2 -d=) + [ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" "$IPSEC_CONF" | cut -f2 -d=) check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address." } list_existing_clients() { echo "Checking for existing IKEv2 client(s)..." echo - client_names=$(certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' ') + client_names=$(certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" -e '\.' | tail -n +3 | cut -f1 -d ' ') max_len=$(printf '%s\n' "$client_names" | wc -L 2>/dev/null) [[ $max_len =~ ^[0-9]+$ ]] || max_len=64 [ "$max_len" -gt "64" ] && max_len=64 @@ -358,7 +382,7 @@ list_existing_clients() { printf "%-${max_len}s %s\n" '------------' '-------------------' printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do printf "%-${max_len}s " "$line" - client_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //') + client_status=$(certutil -V -u C -d "$CERT_DB" -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //') [ -z "$client_status" ] && client_status=unknown printf '%s\n' "$client_status" done @@ -402,33 +426,26 @@ enter_client_name() { echo echo "Provide a name for the IKEv2 VPN client." echo "Use one word only, no special characters except '-' and '_'." - read -rp "Client name: " client_name - [ -z "$client_name" ] && abort_and_exit + if [ "$1" = "with_defaults" ]; then + read -rp "Client name: [vpnclient] " client_name + [ -z "$client_name" ] && client_name=vpnclient + else + read -rp "Client name: " client_name + [ -z "$client_name" ] && abort_and_exit + fi while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do if ! check_client_name "$client_name"; then echo "Invalid client name." else echo "Invalid client name. Client '$client_name' already exists." fi - read -rp "Client name: " client_name - [ -z "$client_name" ] && abort_and_exit - done -} - -enter_client_name_with_defaults() { - echo - echo "Provide a name for the IKEv2 VPN client." - echo "Use one word only, no special characters except '-' and '_'." - read -rp "Client name: [vpnclient] " client_name - [ -z "$client_name" ] && client_name=vpnclient - while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do - if ! check_client_name "$client_name"; then - echo "Invalid client name." - else - echo "Invalid client name. Client '$client_name' already exists." - fi - read -rp "Client name: [vpnclient] " client_name - [ -z "$client_name" ] && client_name=vpnclient + if [ "$1" = "with_defaults" ]; then + read -rp "Client name: [vpnclient] " client_name + [ -z "$client_name" ] && client_name=vpnclient + else + read -rp "Client name: " client_name + [ -z "$client_name" ] && abort_and_exit + fi done } @@ -439,10 +456,10 @@ enter_client_name_for() { echo read -rp "Enter the name of the IKEv2 client to $1: " client_name [ -z "$client_name" ] && abort_and_exit - while ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \ + while ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \ || [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name" \ || ! check_cert_status "$client_name"; do - if ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \ + if ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \ || [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then echo "Invalid client name, or client does not exist." else @@ -464,7 +481,7 @@ enter_client_name_for() { done } -enter_client_cert_validity() { +enter_client_validity() { echo echo "Specify the validity period (in months) for this client certificate." read -rp "Enter a number between 1 and 120: [120] " client_validity @@ -578,8 +595,7 @@ EOF } check_config_password() { - config_file="/etc/ipsec.d/.vpnconfig" - if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then + if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then use_config_password=1 else use_config_password=0 @@ -592,7 +608,7 @@ cat <<'EOF' IKEv2 client config files contain the client certificate, private key and CA certificate. This script can optionally generate a random password to protect these files. -Future client config files will also be protected using the same password. +Future client config files will also be protected using this password. EOF printf "Protect client config files using a password? [y/N] " @@ -680,10 +696,10 @@ create_client_cert() { bigecho2 "Generating client certificate..." sleep 1 certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$client_name" \ + -S -c "$CA_NAME" -n "$client_name" \ -s "O=IKEv2 VPN,CN=$client_name" \ -k rsa -g 3072 -v "$client_validity" \ - -d sql:/etc/ipsec.d -t ",," \ + -d "$CERT_DB" -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate." } @@ -697,13 +713,14 @@ get_p12_password() { if [ "$use_config_password" = "0" ]; then create_p12_password else - config_file="/etc/ipsec.d/.vpnconfig" - p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") + p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//") if [ -z "$p12_password" ]; then create_p12_password - mkdir -p /etc/ipsec.d - printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file" - chmod 600 "$config_file" + if [ -n "$CONFIG_FILE" ] && [ -n "$CONFIG_DIR" ]; then + mkdir -p "$CONFIG_DIR" + printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$CONFIG_FILE" + chmod 600 "$CONFIG_FILE" + fi fi fi } @@ -713,25 +730,22 @@ export_p12_file() { get_p12_password p12_file="$export_dir$client_name.p12" p12_file_enc="$export_dir$client_name.enc.p12" - pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1 + pk12util -W "$p12_password" -d "$CERT_DB" -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1 if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then pem_file="$export_dir$client_name.temp.pem" openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \ -name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1 - if [ "$use_config_password" = "1" ]; then - /bin/cp -f "$p12_file_enc" "$p12_file" - else + if [ "$use_config_password" = "0" ]; then openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \ -name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1 fi /bin/rm -f "$pem_file" - else - if [ "$use_config_password" = "1" ]; then - /bin/cp -f "$p12_file_enc" "$p12_file" - else - pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1 - fi + elif [ "$use_config_password" = "0" ]; then + pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1 + fi + if [ "$use_config_password" = "1" ]; then + /bin/cp -f "$p12_file_enc" "$p12_file" fi if [ "$export_to_home_dir" = "1" ]; then chown "$SUDO_USER:$SUDO_USER" "$p12_file" @@ -776,8 +790,8 @@ create_mobileconfig() { p12_base64=$(base64 -w 52 "$p12_file_enc") /bin/rm -f "$p12_file_enc" [ -z "$p12_base64" ] && exiterr "Could not encode .p12 file." - ca_base64=$(certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a | grep -v CERTIFICATE) - [ -z "$ca_base64" ] && exiterr "Could not encode IKEv2 VPN CA certificate." + ca_base64=$(certutil -L -d "$CERT_DB" -n "$CA_NAME" -a | grep -v CERTIFICATE) + [ -z "$ca_base64" ] && exiterr "Could not encode $CA_NAME certificate." uuid1=$(uuidgen) [ -z "$uuid1" ] && exiterr "Could not generate UUID value." mc_file="$export_dir$client_name.mobileconfig" @@ -922,7 +936,7 @@ $ca_base64 PayloadDisplayName - IKEv2 VPN ($server_addr) + IKEv2 VPN $server_addr PayloadIdentifier com.apple.vpn.managed.$(uuidgen) PayloadRemovalDisallowed @@ -952,7 +966,7 @@ create_android_profile() { cat > "$sswan_file" </dev/null 2>&1 </dev/null 2>&1 </dev/null 2>&1 || exiterr "Failed to create server certificate." else certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$server_addr" \ + -S -c "$CA_NAME" -n "$server_addr" \ -s "O=IKEv2 VPN,CN=$server_addr" \ -k rsa -g 3072 -v 120 \ - -d sql:/etc/ipsec.d -t ",," \ + -d "$CERT_DB" -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth \ --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate." @@ -1017,11 +1031,11 @@ ANSWERS add_ikev2_connection() { bigecho2 "Adding a new IKEv2 connection..." - if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then - echo >> /etc/ipsec.conf - echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf + if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then + echo >> "$IPSEC_CONF" + echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF" fi -cat > /etc/ipsec.d/ikev2.conf < "$IKEV2_CONF" <> /etc/ipsec.d/ikev2.conf <> "$IKEV2_CONF" <> /etc/ipsec.d/ikev2.conf <> "$IKEV2_CONF" <> /etc/ipsec.d/ikev2.conf <> "$IKEV2_CONF" <> /etc/ipsec.d/ikev2.conf <> "$IKEV2_CONF" <> /etc/ipsec.d/ikev2.conf + echo " mobike=yes" >> "$IKEV2_CONF" else - echo " mobike=no" >> /etc/ipsec.d/ikev2.conf + echo " mobike=no" >> "$IKEV2_CONF" fi } @@ -1104,18 +1118,18 @@ restart_ipsec_service() { } create_crl() { - if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then - crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null >/dev/null + if ! crlutil -L -d "$CERT_DB" -n "$CA_NAME" >/dev/null 2>&1; then + crlutil -G -d "$CERT_DB" -n "$CA_NAME" -c /dev/null >/dev/null fi sleep 2 } add_client_cert_to_crl() { - sn_txt=$(certutil -L -d sql:/etc/ipsec.d -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1) + sn_txt=$(certutil -L -d "$CERT_DB" -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1) sn_hex=$(printf '%s' "$sn_txt" | sed -e 's/^ *//' -e 's/://g') sn_dec=$((16#$sn_hex)) [ -z "$sn_dec" ] && exiterr "Could not find serial number of client certificate." -crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null </dev/null <&2 <<'EOF' -Error: IKEv2 configuration section found in /etc/ipsec.conf. + if grep -qs "conn ikev2-cp" "$IPSEC_CONF"; then +cat 1>&2 </dev/null + certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" | tail -n +3 | cut -f1 -d ' ' | while read -r line; do + certutil -F -d "$CERT_DB" -n "$line" + certutil -D -d "$CERT_DB" -n "$line" 2>/dev/null done - crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null - certutil -F -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" - certutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null - config_file="/etc/ipsec.d/.vpnconfig" - if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then - sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$config_file" + crlutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null + certutil -F -d "$CERT_DB" -n "$CA_NAME" + certutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null + if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then + sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$CONFIG_FILE" fi } @@ -1331,6 +1344,13 @@ ikev2setup() { esac done + CA_NAME="IKEv2 VPN CA" + CERT_DB="sql:/etc/ipsec.d" + CONFIG_DIR="/etc/ipsec.d" + CONFIG_FILE="/etc/ipsec.d/.vpnconfig" + IKEV2_CONF="/etc/ipsec.d/ikev2.conf" + IPSEC_CONF="/etc/ipsec.conf" + check_arguments check_config_password get_export_dir @@ -1393,7 +1413,7 @@ ikev2setup() { case $selected_option in 1) enter_client_name - enter_client_cert_validity + enter_client_validity select_config_password echo create_client_cert @@ -1447,15 +1467,15 @@ ikev2setup() { esac fi - check_cert_exists_and_exit "IKEv2 VPN CA" + check_cert_exists_and_exit "$CA_NAME" if [ "$use_defaults" = "0" ]; then show_header show_welcome enter_server_address check_cert_exists_and_exit "$server_addr" - enter_client_name_with_defaults - enter_client_cert_validity + enter_client_name with_defaults + enter_client_validity enter_custom_dns check_mobike_support select_mobike @@ -1464,40 +1484,12 @@ ikev2setup() { else check_server_dns_name check_custom_dns - if [ -n "$VPN_CLIENT_NAME" ]; then - client_name="$VPN_CLIENT_NAME" - check_client_name "$client_name" \ - || exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." - else - client_name=vpnclient - fi - check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists." + check_and_set_client_name client_validity=120 show_header show_start_setup - if [ -n "$VPN_DNS_NAME" ]; then - use_dns_name=1 - server_addr="$VPN_DNS_NAME" - else - use_dns_name=0 - get_server_ip - check_ip "$public_ip" || exiterr "Cannot detect this server's public IP." - server_addr="$public_ip" - fi - check_cert_exists_and_exit "$server_addr" - if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then - dns_server_1="$VPN_DNS_SRV1" - dns_server_2="$VPN_DNS_SRV2" - dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2" - elif [ -n "$VPN_DNS_SRV1" ]; then - dns_server_1="$VPN_DNS_SRV1" - dns_server_2="" - dns_servers="$VPN_DNS_SRV1" - else - dns_server_1=8.8.8.8 - dns_server_2=8.8.4.4 - dns_servers="8.8.8.8 8.8.4.4" - fi + set_server_address + set_dns_servers check_mobike_support mobike_enable="$mobike_support" fi From 354c512d86fafa20b6f3ed6bbfe33ab1139ddf20 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 14 Feb 2022 23:55:13 -0600 Subject: [PATCH 19/20] Update tests --- .github/workflows/test_set_1.yml | 17 +++++++++++++++++ .github/workflows/test_set_2.yml | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml index ae763e4..25825a1 100644 --- a/.github/workflows/test_set_1.yml +++ b/.github/workflows/test_set_1.yml @@ -216,6 +216,7 @@ jobs: ls -ld /etc/ipsec.d/vpnclient.mobileconfig ls -ld /etc/ipsec.d/vpnclient.sswan ls -ld /etc/ipsec.d/vpnclient.p12 + pk12util -W "" -l /etc/ipsec.d/vpnclient.p12 restart_ipsec grep pluto "$log1" | tail -n 20 @@ -233,6 +234,7 @@ jobs: ls -ld /etc/ipsec.d/vpnclient2.mobileconfig ls -ld /etc/ipsec.d/vpnclient2.sswan ls -ld /etc/ipsec.d/vpnclient2.p12 + pk12util -W "" -l /etc/ipsec.d/vpnclient2.p12 rm -f /etc/ipsec.d/vpnclient2* bash ikev2.sh < Date: Tue, 15 Feb 2022 00:31:34 -0600 Subject: [PATCH 20/20] Update docs --- docs/ikev2-howto-zh.md | 55 ++++++++++++++++++++++++++---------------- docs/ikev2-howto.md | 55 ++++++++++++++++++++++++++---------------- 2 files changed, 68 insertions(+), 42 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 5e96b67..33e2452 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -10,6 +10,7 @@ * [管理客户端证书](#管理客户端证书) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [故障排除](#故障排除) +* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [移除 IKEv2](#移除-ikev2) * [参考链接](#参考链接) @@ -59,7 +60,7 @@ chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
-你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。 +你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。 在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下: @@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
-了解如何更新服务器上的 IKEv2 辅助脚本。 - - -IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` -
-
- -了解如何在配置 IKEv2 之后更改服务器地址。 - - -在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。参见 [这一小节](#更改-ikev2-服务器地址)。 -
-
- 查看 IKEv2 脚本的使用信息。 @@ -443,7 +425,7 @@ sudo ikev2.sh --exportclient [client name] 首先,请阅读上面的重要说明。然后点这里查看详情。 -**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。此操作**不可撤销**! +**警告:** 这将**永久删除**客户端证书和私钥。此操作**不可撤销**! 如果要删除一个客户端证书: @@ -578,6 +560,11 @@ sudo ikev2.sh --revokeclient [client name] 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +
+ +查看手动在 Libreswan 上配置 IKEv2 的示例步骤。 + + 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash @@ -776,6 +763,7 @@ sudo ikev2.sh --revokeclient [client name] ``` 在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。 +
## 故障排除 @@ -783,10 +771,26 @@ sudo ikev2.sh --revokeclient [client name] **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 +* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) +* [参数错误 policy match error](#参数错误-policy-match-error) * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) * [其它已知问题](#其它已知问题) +### IKE 身份验证凭证不可接受 + +如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 + +### 参数错误 policy match error + +要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 + +- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + ### IKEv2 在一小时后断开连接 如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: @@ -809,6 +813,15 @@ sudo ikev2.sh --revokeclient [client name] 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 +## 更新 IKEv2 辅助脚本 + +IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + ## 更改 IKEv2 服务器地址 在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 611f9f5..12384d9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -10,6 +10,7 @@ * [Manage client certificates](#manage-client-certificates) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Troubleshooting](#troubleshooting) +* [Update IKEv2 helper script](#update-ikev2-helper-script) * [Change IKEv2 server address](#change-ikev2-server-address) * [Remove IKEv2](#remove-ikev2) * [References](#references) @@ -59,7 +60,7 @@ Then run the script using the instructions above.
-You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details. +You may optionally specify a DNS name, client name and/or custom DNS servers. When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example: @@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
-Learn how to update the IKEv2 helper script on your server. - - -The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` -
-
- -Learn how to change server address after IKEv2 setup. - - -In certain circumstances, you may need to change the IKEv2 server address after setup. Learn more in [this section](#change-ikev2-server-address). -
-
- View usage information for the IKEv2 script. @@ -445,7 +427,7 @@ sudo ikev2.sh --exportclient [client name] First, read the important note above. Then click here for instructions. -**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below. This **cannot be undone**! +**Warning:** The client certificate and private key will be **permanently deleted**. This **cannot be undone**! To delete a client certificate: @@ -580,6 +562,11 @@ As an alternative to using the [helper script](#set-up-ikev2-using-helper-script The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. +
+ +View example steps for manually configuring IKEv2 with Libreswan. + + 1. Find the VPN server's public IP, save it to a variable and check. ```bash @@ -778,6 +765,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm ``` Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients). +
## Troubleshooting @@ -785,10 +773,26 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). +* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) +* [Policy match error](#policy-match-error) * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) * [Other known issues](#other-known-issues) +### IKE authentication credentials are unacceptable + +If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). + +### Policy match error + +To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. + +- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + ### IKEv2 disconnects after one hour If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: @@ -811,6 +815,15 @@ If you are unable to connect multiple IKEv2 clients from behind the same NAT (e. 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. 1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. +## Update IKEv2 helper script + +The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + ## Change IKEv2 server address In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.