mirror of synced 2025-04-05 14:13:37 +03:00

Merge pull request #1 from hwdsl2/master

Sync
Samuik 2018-11-24 13:45:02 +08:00 committed by GitHub
commit 125be727c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 1409 additions and 425 deletions

View file

@ -1,6 +1,6 @@
# IPsec VPN 服务器一键安装脚本
[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)
[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)
使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。
@ -8,7 +8,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
我们将使用 <a href="https://libreswan.org/" target="_blank">Libreswan</a> 作为 IPsec 服务器,以及 <a href="https://github.com/xelerance/xl2tpd" target="_blank">xl2tpd</a> 作为 L2TP 提供者。
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">**&raquo; 相关教程: IPsec VPN Server Auto Setup with Libreswan**</a>
<a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md" target="_blank">**&raquo; 另见: Docker 上的 IPsec VPN 服务器**</a>
*其他语言版本: [English](README.md), [简体中文](README-zh.md).*
@ -57,11 +57,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
## 系统要求
一个新创建的 <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> 实例,使用这些映像 (AMIs):
一个新创建的 <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> 实例,使用这些映像之一:
- <a href="https://cloud-images.ubuntu.com/locator/" target="_blank">Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank">Debian 9 (Stretch) or 8 (Jessie)</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 7 or 6</a>
请参见 <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">详细步骤</a> 以及 <a href="https://aws.amazon.com/cn/ec2/pricing/" target="_blank">EC2 定价细节</a>
@ -75,7 +76,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**&raquo; 我想建立并使用自己的 VPN ,但是没有可用的服务器**</a>
高级用户可以在 $35 <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">Raspberry Pi 3</a> 上搭建 VPN 服务器
高级用户可以在一个 $35<a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi 3</a> 上搭建 VPN 服务器。详见以下教程: <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[1]</a> <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[2]</a>
:warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上!
@ -102,6 +103,8 @@ nano -w vpnsetup.sh
sudo sh vpnsetup.sh
```
**注:** 不要在值中使用这些字符: `\ " '`。一个安全的 IPsec PSK 应该至少包含 20 个随机字符。
**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量:
```bash
@ -110,7 +113,8 @@ sudo sh vpnsetup.sh
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
VPN_IPSEC_PSK='你的IPsec预共享密钥' \
VPN_USER='你的VPN用户名' \
VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
VPN_PASSWORD='你的VPN密码' \
sh vpnsetup.sh
```
**注:** 如果无法通过 `wget` 下载,你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。
@ -129,7 +133,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 7 和更新版本**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS**</a>
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>
@ -145,13 +149,13 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。
如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>
如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>该文档包含辅助脚本,以方便管理 VPN 用户。
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`。然后重启服务器。
使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`
使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
在使用 `IPsec/L2TP` 连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`
@ -168,8 +172,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh
wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
```
:warning: VPN 脚本默认安装 Libreswan 3.22,因为新版本 3.23 和 3.25 存在问题,从而不能同时连接在同一个 NAT (比如家用路由器)后面的多个 IPsec/XAuth VPN 客户端。
## 问题和反馈
- 有问题需要提问?请先搜索已有的留言,在 <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">这个 Gist</a> 以及 <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">我的博客</a>

View file

@ -1,6 +1,6 @@
# IPsec VPN Server Auto Setup Scripts
[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest.
@ -8,7 +8,7 @@ An IPsec VPN encrypts your network traffic, so that nobody between you and the V
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://github.com/xelerance/xl2tpd" target="_blank">xl2tpd</a> as the L2TP provider.
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">**&raquo; Related tutorial: IPsec VPN Server Auto Setup with Libreswan**</a>
<a href="https://github.com/hwdsl2/docker-ipsec-vpn-server" target="_blank">**&raquo; See also: IPsec VPN Server on Docker**</a>
*Read this in other languages: [English](README.md), [简体中文](README-zh.md).*
@ -57,11 +57,12 @@ For other installation options and how to set up VPN clients, read the sections
## Requirements
A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> instance, from these images (AMIs):
A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2</a> instance, from one of these images:
- <a href="https://cloud-images.ubuntu.com/locator/" target="_blank">Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty)</a>
- <a href="https://wiki.debian.org/Cloud/AmazonEC2Image" target="_blank">Debian 9 (Stretch) or 8 (Jessie)</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/partners/redhat/faqs/" target="_blank">Red Hat Enterprise Linux (RHEL) 7 or 6</a>
Please see <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>.
@ -75,7 +76,7 @@ This also includes Linux VMs in public clouds, such as <a href="https://blog.ls2
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**&raquo; I want to run my own VPN but don't have a server for that**</a>
Advanced users can set up the VPN server on a $35 <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">Raspberry Pi 3</a>.
Advanced users can set up the VPN server on a $35 <a href="https://www.raspberrypi.org" target="_blank">Raspberry Pi 3</a>. Learn more in these articles: <a href="https://www.stewright.me/2018/07/create-a-raspberry-pi-vpn-server-using-l2tpipsec/" target="_blank">[1]</a> <a href="https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/" target="_blank">[2]</a>.
:warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server!
@ -102,6 +103,8 @@ nano -w vpnsetup.sh
sudo sh vpnsetup.sh
```
**Note:** DO NOT use these special characters within values: `\ " '`. A secure IPsec PSK should consist of at least 20 random characters.
**Option 3:** Define your VPN credentials as environment variables:
```bash
@ -110,7 +113,8 @@ sudo sh vpnsetup.sh
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
VPN_PASSWORD='your_vpn_password' \
sh vpnsetup.sh
```
**Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
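Review bot: the reflowed Option 3 command passes the PSK, username and password as `VAR=value` words on the `sudo` command line, so they are written to the invoking shell's history and are visible to every local user in `ps` / `/proc/<pid>/cmdline` while `sudo sh vpnsetup.sh` runs; worth adding a line that on shared hosts readers should prefer Option 2 (edit the file) or at least keep the command out of history (in bash, `HISTCONTROL=ignorespace` plus a leading space). Unchanged but part of the same command: `wget https://git.io/vpnsetup -O vpnsetup.sh && sudo ... sh vpnsetup.sh` executes whatever the short link currently redirects to, as root, with no checksum or signature to compare against, and the copy-from-Raw fallback in the Note has the same property.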
@ -129,7 +133,7 @@ Get your computer or device to use the VPN. Please refer to:
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows 7 and above**</a>
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows, macOS, Android and iOS**</a>
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
@ -145,13 +149,13 @@ The same VPN account can be used by your multiple devices. However, due to an IP
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433).
If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>.
If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`.
Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
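Review bot: in the kernel-support sentence the fallback package name `linux-image-extra` is incomplete: the line it replaces used the kernel-versioned `` linux-image-extra-`uname -r` ``, and `apt-get install linux-image-extra` on its own does not resolve to that package (older releases have `linux-image-extra-$(uname -r)` or the `linux-image-extra-virtual` metapackage). Suggest `linux-modules-extra-$(uname -r)` (or `linux-image-extra-$(uname -r)` on older releases). The CentOS/RHEL addition to the IPTables sentence and the helper-scripts sentence read fine.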
@ -168,8 +172,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh
wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
```
:warning: The VPN scripts install Libreswan 3.22 by default, because newer versions 3.23 and 3.25 have issues with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
## Bugs & Questions
- Got a question? Please first search other people's comments <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">in this Gist</a> and <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">on my blog</a>.
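Review bot: the warning that the scripts pin Libreswan 3.22 because 3.23 and 3.25 cannot handle multiple IPsec/XAuth clients behind the same NAT is deleted with nothing in its place, and the commit message ("同步", sync) does not say why. If the pin is gone because the scripts now install a version without that bug, name the version next to the `vpnupgrade` commands above, which is where readers will look; if the pin is still there, the caveat should stay, because users behind a home router hit exactly that case.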

View file

@ -2,11 +2,11 @@
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP 更高效地传输数据。
IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **更高效**地传输数据(较低的额外开销)
---
* 平台名称
@ -17,7 +17,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP
## Windows
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。
**注** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。
1. 下载并安装免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN 客户端</a>
**注:** 该 VPN 客户端支持 Windows 2K/XP/Vista/7/8 系统。
@ -59,6 +59,8 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
## Android
1. 启动 **设置** 应用程序。
@ -92,11 +94,13 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
1. 在 **密码** 字段中输入`你的 VPN 密码`
1. 保持 **群组名称** 字段空白。
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`
1. 单击右上角的 **存储**。
1. 单击右上角的 **完成**。
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
## 致谢
本文档是在 <a href="https://github.com/StreisandEffect/streisand" target="_blank">Streisand</a> 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。

View file

@ -2,11 +2,11 @@
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).*
**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster than IPsec/L2TP with less overhead.
IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster than** IPsec/L2TP with less overhead.
---
* Platforms
@ -59,6 +59,8 @@ If you get an error when trying to connect, see <a href="clients.md#troubleshoot
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
## Android
1. Launch the **Settings** application.
@ -97,6 +99,8 @@ If you get an error when trying to connect, see <a href="clients.md#troubleshoot
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
## Credits
This document was adapted from the <a href="https://github.com/StreisandEffect/streisand" target="_blank">Streisand</a> project, maintained by Joshua Lund and contributors.

View file

@ -2,9 +2,9 @@
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
*注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
---
* 平台名称
@ -18,24 +18,28 @@
* [故障排除](#故障排除)
* [Windows 错误 809](#windows-错误-809)
* [Windows 错误 628](#windows-错误-628)
* [Windows 10 升级](#windows-10-升级)
* [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏)
* [macOS VPN 流量](#macos-vpn-流量)
* [Android 6 及以上版本](#android-6-及以上版本)
* [Chromebook 连接问题](#chromebook-连接问题)
* [Windows 10 升级](#windows-10-升级)
* [其它错误](#其它错误)
* [额外的步骤](#额外的步骤)
## Windows
**注:** 你也可以配置并且使用更新的 [IKEv2 模式](ikev2-howto-zh.md) 连接。
### Windows 10 and 8.x
1. 右键单击系统托盘中的无线/网络图标。
1. 选择 **打开网络共享中心**。
1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。
1. 单击 **设置新的连接或网络**
1. 选择 **连接到工作区**,然后单击 **下一步**
1. 单击 **使用我的Internet连接 (VPN)**
1. 在 **Internet地址** 字段中输入`你的 VPN 服务器 IP`
1. 在 **目标名称** 字段中输入任意内容。单击 **创建**
1. 返回 **网络共享中心**。单击左侧的 **更改适配器设置**
1. 返回 **网络共享中心**。单击左侧的 **更改适配器设置**
1. 右键单击新创建的 VPN 连接,并选择 **属性**
1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。
1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。
@ -44,13 +48,22 @@
1. 单击 **确定** 关闭 **高级设置**
1. 单击 **确定** 保存 VPN 连接的详细信息。
另外,除了按照以上步骤操作,你也可以运行下面的 Windows PowerShell 命令来创建 VPN 连接。将 `你的 VPN 服务器 IP``你的 VPN IPsec PSK` 换成你自己的值,用单引号括起来:
```console
# 不保存命令行历史记录
Set-PSReadlineOption HistorySaveStyle SaveNothing
# 创建 VPN 连接
Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk '你的 VPN IPsec PSK' -Force -RememberCredential -PassThru
```
**注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。
### Windows 7, Vista and XP
1. 单击开始菜单,选择控制面板。
1. 进入 **网络和Internet** 部分。
1. 单击 **网络与共享中心**
1. 单击 **网络共享中心**。
1. 单击 **设置新的连接或网络**
1. 选择 **连接到工作区**,然后单击 **下一步**
1. 单击 **使用我的Internet连接 (VPN)**
@ -62,7 +75,7 @@
1. 在 **密码** 字段中输入`你的 VPN 密码`
1. 选中 **记住此密码** 复选框。
1. 单击 **创建**,然后单击 **关闭** 按钮。
1. 返回 **网络共享中心**。单击左侧的 **更改适配器设置**
1. 返回 **网络共享中心**。单击左侧的 **更改适配器设置**
1. 右键单击新创建的 VPN 连接,并选择 **属性**
1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。
1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。
@ -80,6 +93,8 @@
## OS X
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。
1. 从 **接口** 下拉菜单选择 **VPN**
@ -93,14 +108,18 @@
1. 在 **机器鉴定** 部分,选择 **共享的密钥** 单选按钮,然后输入`你的 VPN IPsec PSK`
1. 单击 **好**
1. 选中 **在菜单栏中显示 VPN 状态** 复选框。
1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。
1. **(重要)** 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。
1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**
1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
## Android
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
1. 启动 **设置** 应用程序。
1. 在 **无线和网络** 部分单击 **更多...**
1. 单击 **VPN**
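Review bot: tagging the OS X step "Send all traffic over VPN connection" (通过VPN连接发送所有通信) as important is right, and the next step in the same list, "Configure IPv6: Link-local only" (配置IPv6: 仅本地链接), deserves the same tag: it is what stops IPv6 traffic and DNS queries from bypassing the tunnel, the same failure the Windows DNS-leak section in this commit describes. The verification step afterwards only compares one reported address with the VPN server IP, which can still match while IPv6 goes around the tunnel, so a check that reports both IPv4 and IPv6 would actually validate that step.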
@ -122,6 +141,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
## iOS
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **L2TP** 并返回。
@ -131,11 +152,13 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
1. 在 **密码** 字段中输入`你的 VPN 密码`
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`
1. 启用 **发送所有流量** 选项。
1. 单击右上角的 **存储**。
1. 单击右上角的 **完成**。
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
## Chromebook
1. 如果你尚未登录 Chromebook请先登录。
@ -167,6 +190,16 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
* [Windows 错误 809](#windows-错误-809)
* [Windows 错误 628](#windows-错误-628)
* [Windows 10 升级](#windows-10-升级)
* [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏)
* [macOS VPN 流量](#macos-vpn-流量)
* [Android 6 及以上版本](#android-6-及以上版本)
* [Chromebook 连接问题](#chromebook-连接问题)
* [其它错误](#其它错误)
* [额外的步骤](#额外的步骤)
### Windows 错误 809
> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。
@ -199,7 +232,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
要解决此错误,请按以下步骤操作:
1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络共享中心**。
1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络共享中心**。
1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**
1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。
1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。
@ -210,23 +243,32 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
![Select CHAP in VPN connection properties](images/vpn-properties-zh.png)
### Windows 10 升级
在升级 Windows 10 版本之后 (比如从 1709 到 1803你可能需要重新按照上面的 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。
### Windows 8/10 DNS 泄漏
Windows 8.x 和 10 默认使用 "smart multi-homed name resolution" (智能多宿主名称解析)。如果你的因特网适配器的 DNS 服务器在本地网段上,在使用 Windows 自带的 IPsec VPN 客户端时可能会导致 "DNS 泄漏"。要解决这个问题,你可以 <a href="https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/" target="_blank">禁用智能多宿主名称解析</a>,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后<a href="https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-" target="_blank">清除 DNS 缓存</a>并且重启计算机。
另外,如果你的计算机启用了 IPv6所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6请看<a href="https://support.microsoft.com/zh-cn/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users" target="_blank">这里</a>
### macOS VPN 流量
OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。
### Android 6 及以上版本
如果你无法使用 Android 6 或以上版本连接:
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。如果仍然无法连接,请尝试下一步。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
![Android VPN workaround](images/vpn-profile-Android.png)
### Chromebook 连接问题
Chromebook 用户: 如果你无法连接,请参见 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/265" target="_blank">这个 Issue</a>。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`
### Windows 10 升级
在升级 Windows 10 版本之后 (比如从 1709 到 1803你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。更多信息请参见 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/376" target="_blank">这个 Issue</a>
Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`
### 其它错误
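Review bot: three server-side workarounds lose their rationale in this hunk. The Android 6 step that appended `,aes256-sha2_256` to `phase2alg=...` is removed without saying whether it is no longer needed; the rewritten Chromebook paragraph keeps the `,aes_gcm-null` edit but drops the link to issue #265 that explained it; and the Windows 10 upgrade text, moved up next to Error 809, drops the issue #376 link the old copy had. Keep the links or state the reason inline, so someone editing `/etc/ipsec.conf` on the server knows what each change does and when it can be reverted; this matters most for `sha2-truncbug=no`, a connection-wide setting that changes behaviour for every client on that conn, not just the Android device being fixed. The Windows 8/10 DNS-leak section would be stronger with a way to confirm the fix after the reboot (resolve a name and check which server answered) instead of ending at clearing the cache.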
@ -327,8 +369,8 @@ conn %default
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
ike=aes256-sha1-modp2048,aes128-sha1-modp2048!
esp=aes256-sha1-modp2048,aes128-sha1-modp2048!
conn myvpn
keyexchange=ikev1
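Review bot: swapping `3des-sha1-modp1024` for `aes256-sha1-modp2048,aes128-sha1-modp2048` in both `ike=` and `esp=` is the right direction, since 3DES and 1024-bit MODP are both below current recommendations, but two consequences deserve a sentence in the text. The trailing `!` makes strongSwan strict, so this client will now refuse a server that only offers modp1024; and listing a DH group in `esp=` requests PFS in IKEv1 Quick Mode, so the server must accept a PFS proposal or Phase 2 fails. Both need to have been confirmed against the Libreswan configuration these scripts install; say so if they were.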

View file

@ -2,7 +2,7 @@
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
*Note: You may also connect using [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).*
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@ -18,18 +18,22 @@ After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">settin
* [Troubleshooting](#troubleshooting)
* [Windows Error 809](#windows-error-809)
* [Windows Error 628](#windows-error-628)
* [Windows 10 upgrades](#windows-10-upgrades)
* [Windows 8/10 DNS leaks](#windows-810-dns-leaks)
* [macOS VPN traffic](#macos-vpn-traffic)
* [Android 6 and above](#android-6-and-above)
* [Chromebook issues](#chromebook-issues)
* [Windows 10 upgrades](#windows-10-upgrades)
* [Other errors](#other-errors)
* [Additional steps](#additional-steps)
## Windows
**Note:** You may also set up and connect using the newer [IKEv2 mode](ikev2-howto.md).
### Windows 10 and 8.x
1. Right-click on the wireless/network icon in your system tray.
1. Select **Open Network and Sharing Center**.
1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**.
1. Click **Set up a new connection or network**.
1. Select **Connect to a workplace** and click **Next**.
1. Click **Use my Internet connection (VPN)**.
@ -38,12 +42,21 @@ After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">settin
1. Return to **Network and Sharing Center**. On the left, click **Change adapter settings**.
1. Right-click on the new VPN entry and choose **Properties**.
1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**.
1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked.
1. Click the **Advanced settings** button.
1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**.
1. Click **OK** to close the **Advanced settings**.
1. Click **OK** to save the VPN connection details.
Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes:
```console
# Disable persistent command history
Set-PSReadlineOption HistorySaveStyle SaveNothing
# Create VPN connection
Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk 'Your VPN IPsec PSK' -Force -RememberCredential -PassThru
```
**Note:** A one-time registry change is required before connecting. See details below.
### Windows 7, Vista and XP
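Review bot: in the PowerShell alternative, `Set-PSReadlineOption HistorySaveStyle SaveNothing` only prevents PSReadLine from writing the session to its history file; the `Add-VpnConnection` line still carries the PSK in `-L2tpPsk`, so it remains in the session's `Get-History` and in any transcript, and the cmdlet itself belongs to the PSReadLine module, which Windows 10 ships but the stock PowerShell on Windows 8.x does not, so on 8.x (this section covers both) the first line errors and the PSK is saved as usual. Suggest stating that the snippet is for Windows 10 and adding `Clear-History` once the connection is created, for the in-session copy. `-AuthenticationMethod Chap,MSChapv2` matches the GUI steps above, where CHAP must be checked, and `-EncryptionLevel Required` is the right choice; `-RememberCredential` means the VPN password is stored by Windows, which the text could mention.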
@ -66,7 +79,7 @@ After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">settin
1. Right-click on the new VPN entry and choose **Properties**.
1. Click the **Options** tab and uncheck **Include Windows logon domain**.
1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**.
1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked.
1. Click the **Advanced settings** button.
1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**.
1. Click **OK** to close the **Advanced settings**.
@ -80,6 +93,8 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
## OS X
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window.
1. Select **VPN** from the **Interface** drop-down menu.
@ -93,14 +108,18 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
1. In the **Machine Authentication** section, select the **Shared Secret** radio button and enter `Your VPN IPsec PSK`.
1. Click **OK**.
1. Check the **Show VPN status in menu bar** checkbox.
1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked.
1. **(Important)** Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked.
1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section.
1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information.
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="#troubleshooting">Troubleshooting</a>.
## Android
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
1. Launch the **Settings** application.
1. Tap **More...** in the **Wireless & Networks** section.
1. Tap **VPN**.
@ -122,6 +141,8 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
## iOS
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **L2TP** and go back.
@ -136,6 +157,8 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="#troubleshooting">Troubleshooting</a>.
## Chromebook
1. If you haven't already, sign in to your Chromebook.
@ -167,6 +190,16 @@ See [Linux VPN Clients](#linux-vpn-clients).
*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
* [Windows Error 809](#windows-error-809)
* [Windows Error 628](#windows-error-628)
* [Windows 10 upgrades](#windows-10-upgrades)
* [Windows 8/10 DNS leaks](#windows-810-dns-leaks)
* [macOS VPN traffic](#macos-vpn-traffic)
* [Android 6 and above](#android-6-and-above)
* [Chromebook issues](#chromebook-issues)
* [Other errors](#other-errors)
* [Additional steps](#additional-steps)
### Windows Error 809
> The network connection between your computer and the VPN server could not be established because the remote server is not responding.
@ -202,7 +235,7 @@ To fix this error, please follow these steps:
1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**.
1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**.
1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**.
1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked.
1. Click the **Advanced settings** button.
1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**.
1. Click **OK** to close the **Advanced settings**.
@ -210,23 +243,32 @@ To fix this error, please follow these steps:
![Select CHAP in VPN connection properties](images/vpn-properties.png)
### Windows 10 upgrades
After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot.
### Windows 8/10 DNS leaks
Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either <a href="https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/" target="_blank">disable smart multi-homed name resolution</a>, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, <a href="https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-" target="_blank">clear the DNS cache</a> and reboot your PC.
In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to <a href="https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users" target="_blank">disable IPv6</a> in Windows.
### macOS VPN traffic
OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN.
### Android 6 and above
If you are unable to connect using Android 6 or above:
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. If still unable to connect, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>).
![Android VPN workaround](images/vpn-profile-Android.png)
### Chromebook issues
Chromebook users: If you are unable to connect, refer to <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/265" target="_blank">this issue</a>. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`.
### Windows 10 upgrades
After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. Refer to <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/376" target="_blank">this issue</a> for more information.
Chromebook users: If you are unable to connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`.
### Other errors
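Review bot: The section order here no longer matches the troubleshooting index added earlier in this commit: the index lists "Windows 10 upgrades" right after "Windows Error 628", but `### Windows 10 upgrades` is moved here to sit after `### Chromebook issues`. Either move the heading back above `### Windows 8/10 DNS leaks` or reorder the index entries. Separately, the Android 6 step that appended `,aes256-sha2_256` to `phase2alg=` is dropped without explanation; if the setup script's default `phase2alg` now already includes that proposal, a short remark ("no longer needed with the current default config") would stop readers of older installs from hunting for the removed step.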
@ -327,8 +369,8 @@ conn %default
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
ike=aes256-sha1-modp2048,aes128-sha1-modp2048!
esp=aes256-sha1-modp2048,aes128-sha1-modp2048!
conn myvpn
keyexchange=ikev1
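Review bot: The new `ike=`/`esp=` lines for the Linux strongSwan client drop the `modp1024` and 3DES fallbacks entirely (`aes256-sha1-modp2048,aes128-sha1-modp2048!`, where the trailing `!` makes the proposal strict). That only negotiates if the server's IKEv1 proposals offer AES-256/AES-128 with SHA-1 and `modp2048`; please confirm the server-side `ike=`/`phase2alg=` defaults in the setup script were updated in the same change, otherwise existing Linux clients following this doc will fail with no proposal chosen. Moving off 3DES and the 1024-bit group is the right direction, it just needs to be coordinated with the server config.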

View file

@ -1,4 +1,4 @@
# 如何配置 IKEv2 VPN: Windows 7 和更新版本
# 如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@ -8,26 +8,35 @@
---
Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较IKEv2 的<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外IKEv2 支持同时连接在同一个 NAT比如家用路由器后面的多个设备到 VPN 服务器。
Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较IKEv2 的<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统:
在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>
- Windows 7, 8.x 和 10
- OS X (macOS)
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
- iOS (iPhone/iPad)
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且将 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级到最新版本</a>
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ echo "$PUBLIC_IP"
(检查显示的公共 IP
PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
printf '%s\n' "$PUBLIC_IP"
```
检查并确保以上命令的输出与服务器的公共 IP 一致。该变量将在以下步骤中使用。
**注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp
left=%defaultroute
@ -48,41 +57,45 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
auto=add
ikev2=insist
rekey=no
fragmentation=yes
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
pfs=no
ike-frag=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
EOF
```
还需要在该文件中添加一些行。首先查看你的 Libreswan 版本,然后运行以下命令之一:
```bash
$ ipsec --version
```
如果是 Libreswan 3.19-3.22
```bash
$ cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
encapsulation=yes
EOF
ipsec --version
```
如果是 Libreswan 3.23 或更新版本:
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
modecfgdns="8.8.8.8, 8.8.4.4"
encapsulation=yes
mobike=no
EOF
```
**注:** 如果你的服务器运行 Debian 或者 CentOS/RHEL并且你想要启用 MOBIKE 支持,可以将上面命令中的 `mobike=no` 换成 `mobike=yes`。**不要**在 Ubuntu 系统上启用该选项。
如果是 Libreswan 3.19-3.22
```bash
cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
encapsulation=yes
EOF
```
如果是 Libreswan 3.18 或更早版本:
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
forceencaps=yes
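Review bot: `pfs=no` is new in this stanza and turns off perfect forward secrecy for the Child SA; add a sentence on why it is needed (presumably the built-in Windows IKEv2 client, which does not use PFS for the Child SA by default), and likewise a word on why `ike-frag=yes` replaces `fragmentation=yes`, so nobody "fixes" either back. Same point as for the English ikev2-howto.md hunk in this commit; keep the two files' explanations in sync.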
@ -91,89 +104,109 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步使用了服务器的域名而不是 IP 地址,则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "Example CA" \
-s "O=Example,CN=Example CA" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t "CT,," -2
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
```
```
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
```
**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "$PUBLIC_IP" \
-s "O=Example,CN=$PUBLIC_IP" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
Generating key. This may take a few moments...
```
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
```
Generating key. This may take a few moments...
```
1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书:
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "vpnclient" \
-s "O=Example,CN=vpnclient" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "vpnclient" \
-s "O=IKEv2 VPN,CN=vpnclient" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
```
Generating key. This may take a few moments...
```
Generating key. This may take a few moments...
```
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
```
你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。
```
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 或 macOS 设备时,该密码不能为空)。你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。
**注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。
1. (适用于 macOS 和 iOS 客户端) 导出 CA 证书到 `vpnca.cer`
```bash
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer
```
1. 证书数据库现在应该包含以下内容:
```bash
$ certutil -L -d sql:/etc/ipsec.d
certutil -L -d sql:/etc/ipsec.d
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
IKEv2 VPN CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
```
**注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">这里</a>
1. 重启 IPsec 服务:
1. **(重要)重启 IPsec 服务**
```bash
$ service ipsec restart
service ipsec restart
```
1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。下一步:
1. 按照下面你的操作系统对应的步骤操作。
**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址****远程 ID** 字段中输入该域名。
#### Windows 7, 8.x 和 10
1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
详细的操作步骤:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
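Review bot: `--extKeyUsage serverAuth,clientAuth` gives the client certificate a `serverAuth` usage it does not need; unless a specific client platform requires it on its own certificate, keep `serverAuth` on the server certificate only and issue clients with `clientAuth`. Same point as for the corresponding English hunk; keep both files in sync.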
@ -184,13 +217,64 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
1. (可选步骤) 如需启用更安全的加密方式,你可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。
1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看<a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">这里</a>
#### OS X (macOS)
首先,将文件 `vpnca.cer``vpnclient.p12` 安全地传送到你的 Mac然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient``IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。
1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。
1. 从 **接口** 下拉菜单选择 **VPN**
1. 从 **VPN 类型** 下拉菜单选择 **IKEv2**
1. 在 **服务名称** 字段中输入任意内容。
1. 单击 **创建**
1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 保持 **本地 ID** 字段空白。
1. 单击 **鉴定设置...** 按钮。
1. 从 **鉴定设置** 下拉菜单中选择 **无**
1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。
1. 单击 **好**
1. 选中 **在菜单栏中显示 VPN 状态** 复选框。
1. 单击 **应用** 保存VPN连接信息。
1. 单击 **连接**
#### Android 4.x 和更新版本
1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**
1. 单击 **Select user certificate**,然后单击 **Install certificate**
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
1. 保存新的 VPN 连接,然后单击它以开始连接。
#### iOS (iPhone/iPad)
首先,将文件 `vpnca.cer``vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient``IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **IKEv2** 并返回。
1. 在 **描述** 字段中输入任意内容。
1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 保持 **本地 ID** 字段空白。
1. 单击 **用户鉴定** 。选择 **无** 并返回。
1. 启用 **使用证书** 选项。
1. 单击 **证书** 。选择 **vpnclient** 并返回。
1. 单击右上角的 **完成**
1. 启用 **VPN** 连接。
1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
## 已知问题
Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误或其它连接问题。你可以尝试 <a href="clients-zh.md#故障排除" target="_blank">修改注册表</a>,或者换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级</a>到版本 3.26 或以上。
1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式。
## 参考链接
@ -198,3 +282,4 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient

View file

@ -1,4 +1,4 @@
# How-To: IKEv2 VPN for Windows 7 and above
# How-To: IKEv2 VPN for Windows, macOS, Android and iOS
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@ -8,26 +8,35 @@
---
Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server.
Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.
- Windows 7, 8.x and 10
- OS X (macOS)
- Android 4.x and newer (using the strongSwan VPN client)
- iOS (iPhone/iPad)
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>, and upgraded Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan" target="_blank">to the latest version</a>.
1. Find the VPN server's public IP, save it to a variable and check.
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ echo "$PUBLIC_IP"
(Check the displayed public IP)
PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
printf '%s\n' "$PUBLIC_IP"
```
Check to make sure the output matches the server's public IP. This variable is required in the steps below.
**Note:** Alternatively, you may specify the server's DNS name here. e.g. `PUBLIC_IP=myvpn.example.com`.
1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp
left=%defaultroute
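Review bot: The new IP lookup depends on `dig`, which is not present on minimal CentOS/Debian images (`bind-utils` / `dnsutils`); the `[ -z "$PUBLIC_IP" ] && ...` fallback hides that silently, and the `wget` fallback fetches over plain `http://`. Since `$PUBLIC_IP` ends up in the server certificate's SAN and in every client's Remote ID, the "Check to make sure the output matches" line is doing real work; consider adding `2>/dev/null` to the `dig` call so the fallback is quiet, and a remark that a wrong value here produces a server certificate clients will reject. The added sentence about using a DNS name instead is useful, but it should also say that the name must resolve to this server from every client network, since the same value is baked into the SAN.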
@ -48,41 +57,45 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
auto=add
ikev2=insist
rekey=no
fragmentation=yes
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
pfs=no
ike-frag=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
EOF
```
We need to add a few more lines to that file. First check your Libreswan version, then run one of the following commands:
```bash
$ ipsec --version
```
For Libreswan 3.19-3.22:
```bash
$ cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
encapsulation=yes
EOF
ipsec --version
```
For Libreswan 3.23 and newer:
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
modecfgdns="8.8.8.8, 8.8.4.4"
encapsulation=yes
mobike=no
EOF
```
**Note:** If your server runs Debian or CentOS/RHEL and you wish to enable MOBIKE support, replace `mobike=no` with `mobike=yes` in the command above. DO NOT enable this option on Ubuntu systems.
For Libreswan 3.19-3.22:
```bash
cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
encapsulation=yes
EOF
```
For Libreswan 3.18 and older:
```bash
$ cat >> /etc/ipsec.conf <<EOF
cat >> /etc/ipsec.conf <<EOF
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
forceencaps=yes
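Review bot: `pfs=no` is new and disables perfect forward secrecy for the Child SA, so a later compromise of the IKE SA's DH secret exposes the data of the current tunnel; the doc should say why it is required (presumably the built-in Windows IKEv2 client, which does not do a separate DH exchange for the Child SA by default, so `pfs=yes` breaks it) rather than leave it unexplained, and ideally note that the other listed clients would accept `pfs=yes`. Same for `ike-frag=yes` replacing `fragmentation=yes`: a one-liner that this is the keyword the Libreswan versions still covered here understand would keep someone from reverting it. Dropping the `3des-*` proposals and putting `aes_gcm-null` first in `phase2alg=` is a clear improvement; the `aes256-sha2;modp1024` and `aes128-sha1;modp1024` proposals kept in `ike=` are presumably for Windows clients without the `NegotiateDH2048_AES256` registry key mentioned later in this file, and saying so here would make the tradeoff explicit.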
@ -91,89 +104,109 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
1. Generate Certificate Authority (CA) and VPN server certificates:
**Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 36". Also, if you used the server's DNS name instead of its IP address in step 1 above, replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.
**Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 36".
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "Example CA" \
-s "O=Example,CN=Example CA" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t "CT,," -2
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
```
```
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
```
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "$PUBLIC_IP" \
-s "O=Example,CN=$PUBLIC_IP" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
Generating key. This may take a few moments...
```
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
```
Generating key. This may take a few moments...
```
1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate:
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "vpnclient" \
-s "O=Example,CN=vpnclient" \
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "vpnclient" \
-s "O=IKEv2 VPN,CN=vpnclient" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
```
Generating key. This may take a few moments...
```
Generating key. This may take a few moments...
```
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
```
Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc.
```
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty). You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc.
**Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
1. (For macOS and iOS clients) Export the CA certificate as `vpnca.cer`:
```bash
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer
```
1. The database should now contain:
```bash
$ certutil -L -d sql:/etc/ipsec.d
certutil -L -d sql:/etc/ipsec.d
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
IKEv2 VPN CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
```
**Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">this page</a>.
1. Restart IPsec service:
1. **(Important) Restart IPsec service**:
```bash
$ service ipsec restart
service ipsec restart
```
1. The `vpnclient.p12` file should then be securely transferred to the VPN client device. Next steps:
1. Follow instructions below for your operating system.
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields.
#### Windows 7, 8.x and 10
1. Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
Detailed instructions:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
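Review bot: The client certificate is issued with `--extKeyUsage serverAuth,clientAuth`; `serverAuth` on a client credential is more than it needs, and under least privilege a client certificate should not be usable in a server role at all. If a particular client platform really requires `serverAuth` on its own certificate, name it next to the command; otherwise drop it and keep `serverAuth` only on the server certificate. Two smaller points: `certutil -z <(head -c 1024 /dev/urandom)` relies on bash process substitution, so the ```bash fences are correct but `sh` users will get a syntax error, worth one sentence; and the new `certutil -L ... -a -o vpnca.cer` export is the CA certificate in PEM form only, with no private key, which is worth stating so readers know that file can be handed to every client while `vpnclient.p12` must not be shared.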
@ -184,13 +217,64 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
1. Start the new VPN connection, and enjoy your IKEv2 VPN!
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
1. (Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot.
1. (Optional) You may enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">here</a>.
#### OS X (macOS)
First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain.
1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window.
1. Select **VPN** from the **Interface** drop-down menu.
1. Select **IKEv2** from the **VPN Type** drop-down menu.
1. Enter anything you like for the **Service Name**.
1. Click **Create**.
1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**.
1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**.
1. Leave the **Local ID** field blank.
1. Click the **Authentication Settings...** button.
1. Select **None** from the **Authentication Settings** drop-down menu.
1. Select the **Certificate** radio button, then select the **vpnclient** certificate.
1. Click **OK**.
1. Check the **Show VPN status in menu bar** checkbox.
1. Click **Apply** to save the VPN connection information.
1. Click **Connect**.
#### Android 4.x and newer
1. Securely transfer `vpnclient.p12` to your Android device.
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
1. Launch the VPN client and tap **Add VPN Profile**.
1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
1. Tap **Select user certificate**, then tap **Install certificate**.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
1. Save the new VPN connection, then tap to connect.
#### iOS (iPhone/iPad)
First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use AirDrop. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles.
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **IKEv2** and go back.
1. Tap **Description** and enter anything you like.
1. Tap **Server** and enter `Your VPN Server IP` (or DNS name).
1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name).
1. Leave the **Local ID** field blank.
1. Tap **User Authentication**. Select **None** and go back.
1. Make sure the **Use Certificate** switch is ON.
1. Tap **Certificate**. Select **vpnclient** and go back.
1. Tap **Done**.
1. Slide the **VPN** switch ON.
1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Known Issues
The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try <a href="clients.md#troubleshooting" target="_blank">this registry fix</a>, or connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode instead.
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
1. If using the strongSwan Android VPN client, you must <a href="https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan" target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.
1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
## References
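Review bot: the new Windows step "adding the registry key `NegotiateDH2048_AES256` and reboot" names the value but gives neither its registry path nor the DWORD data, so a reader following this page alone cannot apply it; either state both inline or say explicitly that the linked strongSwan wiki page carries them. In Known Issues, the replacement line softens "does not support IKEv2 fragmentation" to "may not support" and drops the pointer to the registry fix under clients.md#troubleshooting; if that fix still applies to IKEv2 it is worth keeping the link, since it is the cheaper remedy to try before telling users to fall back to IPsec/L2TP or IPsec/XAuth mode.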
@ -198,3 +282,4 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient

@ -4,38 +4,110 @@
在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。
首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。
## 使用辅助脚本
你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth (Cisco IPsec) 模式的用户。如果你需要更改 IPsec PSK请阅读下一节。
**注:** VPN 用户信息保存在文件 `/etc/ppp/chap-secrets``/etc/ipsec.d/passwd`。脚本在修改这些文件之前会先做备份,使用 `.old-日期-时间` 为后缀。
### 添加或更改一个 VPN 用户
添加一个新 VPN 用户,或者为一个已有的 VPN 用户更改密码。
```bash
# 下载脚本
wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh
```
```bash
# 所有变量值必须用 '单引号' 括起来
# *不要* 在值中使用这些字符: \ " '
sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'
```
### 删除一个 VPN 用户
删除指定的 VPN 用户。
```bash
# 下载脚本
wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh
```
```bash
# 所有变量值必须用 '单引号' 括起来
# *不要* 在值中使用这些字符: \ " '
sudo sh del_vpn_user.sh 'username_to_delete'
```
### 更新所有的 VPN 用户
移除所有的 VPN 用户并替换为你指定的列表中的用户。
```bash
# 下载脚本
wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh
```
要使用这个脚本,从以下选项中选择一个:
**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的列表中的用户。如果你需要保留已有的 VPN 用户,则必须将它们包含在下面的变量中。
**选项 1:** 编辑脚本并输入 VPN 用户信息:
```bash
nano -w update_vpn_users.sh
[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS]
sudo sh update_vpn_users.sh
```
**选项 2:** 将 VPN 用户信息定义为环境变量:
```bash
# VPN用户名和密码列表用空格分隔
# 所有变量值必须用 '单引号' 括起来
# *不要* 在值中使用这些字符: \ " '
sudo \
VPN_USERS='用户名1 用户名2 ...' \
VPN_PASSWORDS='密码1 密码2 ...' \
sh update_vpn_users.sh
```
## 手动管理 VPN 用户和 PSK
首先IPsec PSK (预共享密钥)保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK可以编辑此文件。完成后必须重启服务见下面。所有的 VPN 用户将共享同一个 IPsec PSK。
```bash
%any %any : PSK "你的IPsec预共享密钥"
```
对于 `IPsec/L2TP`VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
对于 `IPsec/L2TP`VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
```bash
"你的VPN用户名1" l2tpd "你的VPN密码1" *
"你的VPN用户名2" l2tpd "你的VPN密码2" *
"用户名1" l2tpd "密码1" *
"用户名2" l2tpd "密码2" *
... ...
```
你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '`
你可以添加更多用户,每个用户对应文件中的一行。**不要**在用户名,密码或 PSK 中使用这些字符:`\ " '`
对于 `IPsec/XAuth ("Cisco IPsec")` VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
对于 `IPsec/XAuth ("Cisco IPsec")`VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
```bash
你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk
你的VPN用户名2:你的VPN密码2的加盐哈希值:xauth-psk
用户名1:密码1的加盐哈希值:xauth-psk
用户名2:密码2的加盐哈希值:xauth-psk
... ...
```
这个文件中的密码以加盐哈希值的形式保存。该步骤可以借助比如 `openssl` 工具来完成:
```bash
# 以下命令的输出为你的VPN密码1的加盐哈希值
openssl passwd -1 '你的VPN密码1'
# 以下命令的输出为密码1的加盐哈希值
# 将你的密码用 '单引号' 括起来
openssl passwd -1 '密码1'
```
最后,如果你更换了新的 PSK则需要重启服务。对于添加更改或者删除 VPN 用户,一般不需重启。
最后,如果你更改了 PSK则必须重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。
```bash
service ipsec restart
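Review bot: the note "脚本在修改这些文件之前会先做备份,使用 `.old-日期-时间` 为后缀" should add that these backup copies of `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd` retain the previous credentials (in plaintext for chap-secrets), so a rotated or deleted user's old password stays on disk until the backup is removed; suggest telling readers to delete the `.old-*` copies once the change is verified. Also, the `openssl passwd -1 '密码1'` example puts the password in the process arguments of `openssl`, where it is visible to other local users while it runs; `openssl passwd -1 -stdin` with the value on standard input avoids that.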

@ -4,7 +4,78 @@
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document.
First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK.
## Using helper scripts
You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec). For changing the IPsec PSK, read the next section.
**Note:** VPN users are stored in `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd`. The scripts will backup these files before making changes, with `.old-date-time` suffix.
### Add or edit a VPN user
Add a new VPN user or update an existing VPN user with a new password.
```bash
# Download the script
wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh
```
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'
```
### Delete a VPN user
Delete the specified VPN user.
```bash
# Download the script
wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh
```
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo sh del_vpn_user.sh 'username_to_delete'
```
### Update all VPN users
Remove all existing VPN users and replace with the list of users you specify.
```bash
# Download the script
wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh
```
To use this script, choose one of the following options:
**Important:** This script will remove **ALL** existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below.
**Option 1:** Edit the script and enter VPN user details:
```bash
nano -w update_vpn_users.sh
[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS]
sudo sh update_vpn_users.sh
```
**Option 2:** Define VPN user details as environment variables:
```bash
# List of VPN usernames and passwords, separated by spaces
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo \
VPN_USERS='username1 username2 ...' \
VPN_PASSWORDS='password1 password2 ...' \
sh update_vpn_users.sh
```
## Manually manage VPN users and PSK
First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. You must restart services when finished (see below). All VPN users will share the same IPsec PSK.
```bash
%any %any : PSK "your_ipsec_pre_shared_key"
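Review bot: both documented invocations put secrets on the command line (`sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'` and `sudo VPN_USERS='...' VPN_PASSWORDS='...' sh update_vpn_users.sh`), so the passwords are written to the shell history and, for the duration of the run, appear in the process arguments and environment that `ps` shows to local users. Suggest at least a sentence recommending that the command be kept out of history, and for the scripts themselves a prompt or standard-input path instead of positional arguments and environment variables.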
@ -13,8 +84,8 @@ First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To chan
For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
```bash
"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *
"username1" l2tpd "password1" *
"username2" l2tpd "password2" *
... ...
```
@ -23,19 +94,20 @@ You can add more users, use one line for each user. DO NOT use these special cha
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
```bash
your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
username1:password1hashed:xauth-psk
username2:password2hashed:xauth-psk
... ...
```
Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility:
```bash
# The output will be your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'
# The output will be password1hashed
# Put your password inside 'single quotes'
openssl passwd -1 'password1'
```
Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required.
Finally, you must restart services if changing the PSK. For add/edit/remove VPN users, this is normally not required.
```bash
service ipsec restart
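Review bot: "Passwords in this file are salted and hashed" is accurate, but `openssl passwd -1` specifically selects the MD5-based crypt scheme and produces entries with a `$1$` prefix, and the helper scripts added in this PR key their delete and existence checks on exactly that prefix. Say so explicitly: a reader who picks `-5` or `-6` (SHA-256/SHA-512 crypt) from the `openssl passwd` help would produce entries the scripts no longer recognise. If the XAuth password lookup accepts those stronger variants, documenting that would let admins choose them deliberately.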

extras/add_vpn_user.sh Normal file
@ -0,0 +1,136 @@
#!/bin/sh
#
# Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec
#
# Copyright (C) 2018 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%F-%T)"
exiterr() { echo "Error: $1" >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
add_vpn_user() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
cat 1>&2 <<'EOF'
Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist!
Your must first set up the VPN server before adding VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
cat 1>&2 <<'EOF'
Error: This script can only be used with VPN servers created using:
https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
VPN_USER=$1
VPN_PASSWORD=$2
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
cat 1>&2 <<EOF
Usage: sudo sh $0 'username_to_add' 'password_to_add'
EOF
exit 1
fi
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
clear
cat <<EOF
Welcome! This script will add or update an VPN user account
for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec).
If the username you specified matches an existing VPN user,
that user will be updated with the new password.
Please double check before continuing!
================================================
VPN user to add or update:
Username: $VPN_USER
Password: $VPN_PASSWORD
Write these down. You'll need them to connect!
================================================
EOF
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Adding or updating VPN user..."
echo
;;
*)
echo
echo "Aborting. No changes were made."
echo
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
NOTE: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets.
EOF
}
## Defer until we have the complete script
add_vpn_user "$@"
exit 0
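Review bot: in `sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets` and the matching `sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd`, `$VPN_USER` is spliced into a sed regular expression unescaped; the earlier `case` only rejects `\ " '`, so a username containing `/` makes sed fail with an error and one containing `.`, `*`, `[` or `$` can match and delete other users' lines (`a.b` also matches `aXb`). Restrict usernames to a safe set such as `[A-Za-z0-9_-]` up front, or escape regex metacharacters before the sed calls. Smaller points: `openssl passwd -1 "$VPN_PASSWORD"` exposes the password in the openssl process arguments, where `openssl passwd -1 -stdin` with the value on standard input avoids it; and "Your must first set up" and "add or update an VPN user" should read "You must" and "a VPN user".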

extras/del_vpn_user.sh Normal file
@ -0,0 +1,138 @@
#!/bin/sh
#
# Script to delete an VPN user for both IPsec/L2TP and Cisco IPsec
#
# Copyright (C) 2018 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%F-%T)"
exiterr() { echo "Error: $1" >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
del_vpn_user() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
cat 1>&2 <<'EOF'
Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist!
Your must first set up the VPN server before deleting VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
cat 1>&2 <<'EOF'
Error: This script can only be used with VPN servers created using:
https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
VPN_USER=$1
if [ -z "$VPN_USER" ]; then
cat 1>&2 <<EOF
Usage: sudo sh $0 'username_to_delete'
EOF
exit 1
fi
if printf '%s' "$VPN_USER" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN username must not contain non-ASCII characters."
fi
case "$VPN_USER" in
*[\\\"\']*)
exiterr "VPN username must not contain these special characters: \\ \" '"
;;
esac
if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \
|| [ "$(grep -c "^$VPN_USER:\\\$1\\\$" /etc/ipsec.d/passwd)" = "0" ]; then
cat 1>&2 <<'EOF'
Error: The specified VPN user does not exist in /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.
Aborting. No changes were made.
EOF
exit 1
fi
if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \
|| [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then
cat 1>&2 <<'EOF'
Error: Cannot delete the only VPN user from /etc/ppp/chap-secrets
and/or /etc/ipsec.d/passwd.
Aborting. No changes were made.
EOF
exit 1
fi
clear
cat <<EOF
Welcome! This script will delete an VPN user account
for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec).
Please double check before continuing!
================================================
VPN user to delete:
Username: $VPN_USER
================================================
EOF
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Deleting VPN user..."
echo
;;
*)
echo
echo "Aborting. No changes were made."
echo
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Delete VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
EOF
}
## Defer until we have the complete script
del_vpn_user "$@"
exit 0
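Review bot: the existence check `grep -c "^\"$VPN_USER\" "` / `grep -c "^$VPN_USER:\\\$1\\\$"` and the two `sed -i ... /d` deletions all interpret `$VPN_USER` as a regular expression, so a username containing `.` or `*` can pass the check and then remove more than one entry; whitelist the allowed characters or escape the value before use. Separately, nothing in the script ends an established session of the deleted user: `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd` are consulted at authentication time, so an active IPsec/L2TP or XAuth connection stays up until it re-authenticates, and the "Done!" message or the docs should say that. "delete an VPN user" and "Your must" are typos.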

extras/update_vpn_users.sh Normal file
@ -0,0 +1,176 @@
#!/bin/sh
#
# Script to update VPN users for both IPsec/L2TP and Cisco IPsec
#
# Copyright (C) 2018 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# =====================================================
# Define your own values for these variables
# - List of VPN usernames and passwords, separated by spaces
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these special characters within values: \ " '
YOUR_USERNAMES=''
YOUR_PASSWORDS=''
# Example:
# YOUR_USERNAMES='username1 username2'
# YOUR_PASSWORDS='password1 password2'
# =====================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT="$(date +%F-%T)"
exiterr() { echo "Error: $1" >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
onespace() { printf '%s' "$1" | tr -s ' '; }
noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; }
noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
update_vpn_users() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
cat 1>&2 <<'EOF'
Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist!
Your must first set up the VPN server before updating VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
cat 1>&2 <<'EOF'
Error: This script can only be used with VPN servers created using:
https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
VPN_USERS="$(noquotes "$VPN_USERS")"
VPN_USERS="$(onespace "$VPN_USERS")"
VPN_USERS="$(noquotes2 "$VPN_USERS")"
VPN_PASSWORDS="$(noquotes "$VPN_PASSWORDS")"
VPN_PASSWORDS="$(onespace "$VPN_PASSWORDS")"
VPN_PASSWORDS="$(noquotes2 "$VPN_PASSWORDS")"
if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USERS $VPN_PASSWORDS" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
clear
cat <<'EOF'
Welcome! This script will update VPN user accounts
for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec).
WARNING: ALL existing VPN users will be removed
and replaced with the users listed below.
Please double check before continuing!
==================================================
Updated list of VPN users (username | password):
EOF
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
cat <<EOF
$vpn_user | $vpn_password
EOF
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
cat <<'EOF'
Write these down. You'll need them to connect!
==================================================
EOF
printf "Do you wish to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Updating VPN users..."
echo
;;
*)
echo
echo "Aborting. No changes were made."
echo
exit 1
;;
esac
# Backup and remove config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
# Update VPN users
count=1
vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
vpn_password_enc=$(openssl passwd -1 "$vpn_password")
cat >> /etc/ppp/chap-secrets <<EOF
"$vpn_user" l2tpd "$vpn_password" *
EOF
cat >> /etc/ipsec.d/passwd <<EOF
$vpn_user:$vpn_password_enc:xauth-psk
EOF
count=$((count+1))
vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
done
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
NOTE: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets.
EOF
}
## Defer until we have the complete script
update_vpn_users "$@"
exit 0
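Review bot: `/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd` followed by a loop that appends with `cat >>` means an interruption (Ctrl-C, an `openssl` failure) between the `rm` and the last append leaves the server with no or only some VPN users; build both files under temporary names and `mv` them into place at the end so the swap is atomic. Second, `while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]` stops at the shorter of the two lists, so a mismatch between `VPN_USERS` and `VPN_PASSWORDS` silently drops the trailing usernames, and the preview loop above shows the truncated list without flagging it; compare the word counts and abort before the backup step. As in the other scripts, `openssl passwd -1 "$vpn_password"` passes each password as a process argument.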

@ -10,8 +10,8 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# Check https://libreswan.org for the latest version
SWAN_VER=3.22
# Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.27
### DO NOT edit below this line ###
@ -24,8 +24,8 @@ vpnupgrade() {
os_type="$(lsb_release -si 2>/dev/null)"
if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")"
fi
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu and Debian."
@ -43,17 +43,41 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
case "$SWAN_VER" in
3.24|3.2[6-9])
exiterr "Libreswan version $SWAN_VER is not available."
3.19|3.2[0123567])
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions:
3.19-3.23, 3.25-3.26 and 3.27
EOF
exit 1
;;
esac
dns_state=0
case "$SWAN_VER" in
3.2[3567])
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
;;
3.19|3.2[012])
DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4
[ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
;;
esac
ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
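Review bot: the `dns_state` block assigns magic numbers 1 through 6 across chained `[ ... ] && ... && dns_state=N` lines with no comment saying what each state means, which makes the later `if [ "$dns_state" = "1" ] ... elif` chain hard to verify; a one-line legend (1/2: old-style `modecfgdns1`/`modecfgdns2` keys with two or one server, 3/4: new-style `modecfgdns` with two or one server, 5/6: more than one conn, manual edit required) would help. Also the 3.19-3.22 branch's `cut -d ',' -f 2` returns the whole line when there is no comma, so a single-server `modecfgdns="x"` yields `DNS_SRV1` equal to `DNS_SRV2` and is detected as state 4; that works but rests on a non-obvious `cut` behaviour, so either use `cut -s` and test for an empty `DNS_SRV2` or comment it. Finally, `grep "modecfgdns1="` also matches commented-out lines, which could set state 5 spuriously; anchoring on `^[[:space:]]*modecfgdns1=` avoids that.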
@ -75,54 +99,54 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
esac
fi
is_downgrade_to_322=0
if [ "$SWAN_VER" = "3.22" ]; then
if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
is_downgrade_to_322=1
fi
fi
clear
cat <<EOF
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver
Version to be installed: Libreswan $SWAN_VER
Current version: $ipsec_ver_short
Version to install: Libreswan $SWAN_VER
EOF
if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT upgrade to 3.23/3.25 if your use cases include the above.
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT upgrade to 3.23/3.25 if your use cases include the above.
EOF
;;
esac
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf:
1. Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg="
EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF'
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF'
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Consolidate VPN ciphers for "ike=" and "phase2alg=".
Re-add "MODP1024" to the list of allowed "ike=" ciphers,
which was removed from the defaults in Libreswan 3.19.
Your other VPN configuration files will not be modified.
Your other VPN configuration files will not be modified.
EOF
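Review bot: the new notice "Re-add "MODP1024" to the list of allowed "ike=" ciphers, which was removed from the defaults in Libreswan 3.19" tells the admin what will happen but not why they might not want it: MODP1024 is a 1024-bit DH group that upstream dropped from the defaults for strength reasons, so re-enabling it is a compatibility concession for older clients and widens the set of IKE proposals the server will accept. State the trade-off and which clients need it, and likewise replace "Consolidate VPN ciphers" with the actual proposal lists (or point at the `ike=`/`phase2alg=` lines the script writes) so admins can review them before answering `y`.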
@ -144,16 +168,15 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
# Update package index and install Wget
# Update package index
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
apt-get -yq install wget || exiterr2
# Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev || exiterr2
libcurl4-nss-dev libnss3-tools libevent-dev \
flex bison gcc make wget sed || exiterr2
# Compile and install Libreswan
swan_file="libreswan-$SWAN_VER.tar.gz"
@ -166,10 +189,13 @@ fi
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
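Review bot: `USE_DH31 = false` in `Makefile.inc.local` disables Libreswan's Curve25519 (DH group 31) support, one of the stronger key-exchange options; if this is needed because the distro NSS packages installed above lack curve25519, say so in a comment and consider making it conditional on the NSS version rather than unconditional. The per-version source edits (`sed -i 's/-lfreebl //' mk/config.mk` and `sed -i '/blapi\.h/d' programs/pluto/keys.c` for 3.26, the `docker-targets\.mk` removal for 3.23/3.25) also deserve a one-line comment each on which build failure they work around, since they will have to be revisited with every new `SWAN_VER`.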
@ -186,48 +212,75 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
# Update ipsec.conf
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
if uname -m | grep -qi '^arm'; then
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
fi
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \
-e "/modecfgdns2/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf
elif [ "$dns_state" = "3" ]; then
sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi
# Restart IPsec service
mkdir -p /run/pluto
service ipsec restart
echo
echo "Libreswan $SWAN_VER was installed successfully! "
echo
cat <<EOF
case "$SWAN_VER" in
3.2[3-9])
cat <<'EOF'
NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "service ipsec restart".
===================================================
Libreswan $SWAN_VER has been successfully installed!
===================================================
EOF
;;
esac
if [ "$is_downgrade_to_322" = "1" ]; then
if [ "$dns_state" = "5" ]; then
cat <<'EOF'
NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "service ipsec restart".
IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
and replace all occurrences of these two lines:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "sudo service ipsec restart".
EOF
elif [ "$dns_state" = "6" ]; then
cat <<'EOF'
IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
and replace all occurrences of this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "sudo service ipsec restart".
EOF
fi
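Review bot: the `sed -i ... -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf` rewrites every `ike=` and `phase2alg=` line in the file, not only the script-generated conns, so an admin-added connection with its own proposal set is silently reset; the welcome text only promises "Your other VPN configuration files will not be modified", which does not cover this. Either limit the substitutions to the script's own conn sections or say in the notice that all conns are affected. On the values, `IKE_NEW` keeps `aes256-sha2;modp1024` and `aes128-sha1;modp1024` and `PHASE2_NEW` keeps SHA1 transforms; a comment naming the clients that still need them would let admins drop them once those clients are gone. Also `DNS_SRV1`/`DNS_SRV2` read from ipsec.conf are substituted into sed replacement text unescaped; fine for IP addresses, but a value containing `/` or `&` would break the edit.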

@ -10,8 +10,8 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# Check https://libreswan.org for the latest version
SWAN_VER=3.22
# Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.27
### DO NOT edit below this line ###
@ -34,17 +34,41 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
case "$SWAN_VER" in
3.24|3.2[6-9])
exiterr "Libreswan version $SWAN_VER is not available."
3.19|3.2[0123567])
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions:
3.19-3.23, 3.25-3.26 and 3.27
EOF
exit 1
;;
esac
dns_state=0
case "$SWAN_VER" in
3.2[3567])
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
;;
3.19|3.2[012])
DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4
[ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
;;
esac
ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
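Review bot: the `grep "modecfgdns1="` and `grep "modecfgdns="` probes in the `dns_state` block are unanchored, so a commented-out line such as `#modecfgdns1=...` is picked up by `head -n 1` as the value of `DNS_SRV1` and is counted by `grep -c`, which can push `dns_state` to 5 or 6 and make the script skip the automatic rewrite; anchor the pattern to the start of the line, e.g. `grep '^[[:space:]]*modecfgdns1='`, in all five greps. A second gap in the `3.19|3.2[012]` branch: `dns_state` only becomes 3 or 4 when both `DNS_SRV1` and `DNS_SRV2` are non-empty, so a single-server line `modecfgdns="DNS_SERVER_1"` (exactly the form the `dns_state` = 2 branch of this script writes) is left untouched on a downgrade, and the page's own downgrade message says 3.22 and older do not accept that keyword. Style: `/bin/true` as the no-op body of the version case can simply be `:`.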
@ -66,54 +90,54 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
esac
fi
is_downgrade_to_322=0
if [ "$SWAN_VER" = "3.22" ]; then
if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
is_downgrade_to_322=1
fi
fi
clear
cat <<EOF
Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver
Version to be installed: Libreswan $SWAN_VER
Current version: $ipsec_ver_short
Version to install: Libreswan $SWAN_VER
EOF
if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT upgrade to 3.23/3.25 if your use cases include the above.
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT upgrade to 3.23/3.25 if your use cases include the above.
EOF
;;
esac
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf:
1. Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg="
EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF'
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF'
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Consolidate VPN ciphers for "ike=" and "phase2alg=".
Re-add "MODP1024" to the list of allowed "ike=" ciphers,
which was removed from the defaults in Libreswan 3.19.
Your other VPN configuration files will not be modified.
Your other VPN configuration files will not be modified.
EOF
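Review bot: the rewritten NOTE no longer tells the user that `modecfgdns1`/`modecfgdns2` and `modecfgdns` will be converted, although the script still performs that rewrite for `dns_state` 1 to 4 further down (the old text listed it as step 4); since this heredoc is the only warning shown before `/etc/ipsec.conf` is edited, put that line back. The text also announces that MODP1024 is re-added to `ike=` without saying why; one sentence stating that it is a compatibility concession for clients that only offer DH group 2 (1024-bit) and can be removed once such clients are gone would let an administrator judge the trade-off instead of guessing.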
@ -135,9 +159,6 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
# Install Wget
yum -y install wget || exiterr2
# Add the EPEL repository
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
yum -y install epel-release || yum -y install "$epel_url" || exiterr2
@ -145,7 +166,7 @@ yum -y install epel-release || yum -y install "$epel_url" || exiterr2
# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel \
flex bison gcc make || exiterr2
flex bison gcc make wget sed || exiterr2
REPO1='--enablerepo=*server-optional*'
REPO2='--enablerepo=*releases-optional*'
@ -168,10 +189,13 @@ fi
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
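Review bot: the per-version source patches are now four separate `[ "$SWAN_VER" = ... ] && sed -i ...` lines; each leaves a non-zero exit status when its test is false, which is harmless only because the script does not run under `set -e`. A single `case "$SWAN_VER" in 3.22) ...;; 3.23|3.25) ...;; 3.26) ...;; esac` keeps all version-specific edits in one place and does not depend on that. On the `[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed ...` line the grouping is right only because the shell evaluates `a || b && c` left to right; `{ [ ... ] || [ ... ]; } && sed ...` makes the intent explicit.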
@ -190,45 +214,71 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
# Update ipsec.conf
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then
sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \
-e "/modecfgdns2/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then
sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf
elif [ "$dns_state" = "3" ]; then
sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi
# Restart IPsec service
mkdir -p /run/pluto
service ipsec restart
echo
echo "Libreswan $SWAN_VER was installed successfully! "
echo
cat <<EOF
case "$SWAN_VER" in
3.2[3-9])
cat <<'EOF'
NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "service ipsec restart".
===================================================
Libreswan $SWAN_VER has been successfully installed!
===================================================
EOF
;;
esac
if [ "$is_downgrade_to_322" = "1" ]; then
if [ "$dns_state" = "5" ]; then
cat <<'EOF'
NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "service ipsec restart".
IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
and replace all occurrences of these two lines:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "sudo service ipsec restart".
EOF
elif [ "$dns_state" = "6" ]; then
cat <<'EOF'
IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
and replace all occurrences of this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "sudo service ipsec restart".
EOF
fi
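Review bot: `s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g` and the matching `phase2alg=` substitution rewrite every `ike=` and `phase2alg=` line in `/etc/ipsec.conf`, not only the ones under `conn shared`; an administrator who added their own `conn` with a deliberately tighter proposal list has it silently replaced by one that re-admits `modp1024`, while the NOTE printed earlier only promises that other files are untouched. Either restrict the substitutions to the shared section with a sed address range (for example `-e "/^conn shared/,/^conn / s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/"`) or state in the NOTE that every `ike=` and `phase2alg=` line is overwritten. The `/g` flags added in this hunk change nothing, because each pattern is anchored with `^` and `\$` and can match a line at most once. Separately, the `dns_state` 5 and 6 messages are printed after `service ipsec restart` has already restarted pluto on the unconverted file; printing them before the restart, or skipping the restart in those two cases, avoids starting the daemon on a configuration the message says must still be edited.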

View file

@ -50,8 +50,8 @@ vpnsetup() {
os_type="$(lsb_release -si 2>/dev/null)"
if [ -z "$os_type" ]; then
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")"
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")"
fi
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then
exiterr "This script only supports Ubuntu and Debian."
@ -69,7 +69,7 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
net_iface=${VPN_NET_IFACE:-'eth0'}
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@ -82,12 +82,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
;;
esac
fi
net_iface="$def_iface"
NET_IFACE="$def_iface"
fi
net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF
Could not detect the default network interface. Re-run this script with:
@ -103,7 +103,7 @@ fi
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
bigecho "VPN credentials not set by user. Generating random PSK and password..."
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)"
VPN_USER=vpnuser
VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
fi
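Review bot: the generated PSK grows from 16 to 20 characters while `VPN_PASSWORD` two lines below stays at 16, and nothing in the hunk says why; add a short comment. For reference, the alphabet `A-HJ-NPR-Za-km-z2-9` has 57 symbols (I, O and l are excluded as look-alikes), so 16 characters give about 93 bits and 20 about 117 bits of entropy; if the motive is that the PSK is shared by every client and rotated rarely, that is the sentence to put in the comment so the asymmetry does not look accidental.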
@ -180,9 +180,7 @@ case "$(uname -r)" in
l2tp_file="$l2tp_dir.tar.gz"
l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz"
apt-get -yq install libpcap0.8-dev || exiterr2
if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then
exit 1
fi
wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1
/bin/rm -rf "/opt/src/$l2tp_dir"
tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file"
cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install
@ -198,7 +196,7 @@ apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
SWAN_VER=3.22
SWAN_VER=3.27
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@ -208,10 +206,11 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2
@ -259,8 +258,8 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=yes
conn l2tp-psk
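Review bot: the new `ike=` list drops 3DES, but `aes256-sha2;modp1024` and `aes128-sha1;modp1024` are kept, so a client that proposes DH group 2 still completes IKE with a 1024-bit group; the heredoc carries no comment saying these two entries exist for legacy clients, which is what an administrator needs in order to know they are safe to delete. A second comment would help on `phase2alg=aes_gcm-null,...`: the `null` is the integrity algorithm, which is the correct setting for an AEAD cipher such as AES-GCM, but to someone unfamiliar with Libreswan's proposal syntax it reads as "no authentication".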
@ -275,8 +274,7 @@ conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL
modecfgdns1=$DNS_SRV1
modecfgdns2=$DNS_SRV2
modecfgdns="$DNS_SRV1, $DNS_SRV2"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
@ -289,11 +287,6 @@ conn xauth-psk
also=shared
EOF
if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
fi
if uname -m | grep -qi '^arm'; then
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi
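Review bot: removing the `PRIVATE_IP` block leaves `left=%defaultroute` for pluto to resolve on every host, including those whose default route carries a `src` hint, which is the case the block existed for; the hunk gives no reason (a Libreswan fix, or a problem the override caused), and since the same block is deleted from the CentOS script too, that reasoning belongs in the commit message or a comment at this spot. The `uname -m | grep -qi '^arm'` sed below still works with the new list, because `aes256-sha2_512` remains comma-prefixed in `phase2alg=`.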
@ -379,8 +372,8 @@ net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$net_iface.send_redirects = 0
net.ipv4.conf.$net_iface.rp_filter = 0
net.ipv4.conf.$NET_IFACE.send_redirects = 0
net.ipv4.conf.$NET_IFACE.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
@ -394,9 +387,10 @@ bigecho "Updating IPTables rules..."
# Check if rules need updating
ipt_flag=0
IPT_FILE="/etc/iptables.rules"
IPT_FILE2="/etc/iptables/rules.v4"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
@ -411,21 +405,20 @@ if [ "$ipt_flag" = "1" ]; then
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
# Uncomment if you wish to disallow traffic between VPN clients themselves
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
IPT_FILE2="/etc/iptables/rules.v4"
if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2"
/bin/cp -f "$IPT_FILE" "$IPT_FILE2"
@ -434,17 +427,52 @@ fi
bigecho "Enabling services on boot..."
mkdir -p /etc/network/if-pre-up.d
# Check for iptables-persistent
IPT_PST="/etc/init.d/iptables-persistent"
IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables"
ipt_load=1
if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then
ipt_load=0
fi
if [ "$ipt_load" = "1" ]; then
mkdir -p /etc/network/if-pre-up.d
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF
chmod +x /etc/network/if-pre-up.d/iptablesload
if [ -f /usr/sbin/netplan ]; then
mkdir -p /etc/systemd/system
cat > /etc/systemd/system/load-iptables-rules.service <<'EOF'
[Unit]
Description = Load /etc/iptables.rules
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target
[Service]
Type=oneshot
ExecStart=/etc/network/if-pre-up.d/iptablesload
[Install]
WantedBy=multi-user.target
EOF
systemctl enable load-iptables-rules 2>/dev/null
fi
fi
for svc in fail2ban ipsec xl2tpd; do
update-rc.d "$svc" enable >/dev/null 2>&1
systemctl enable "$svc" 2>/dev/null
done
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local"
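Review bot: `/etc/network/if-pre-up.d/iptablesload` ends with an unconditional `exit 0`, which is right for an ifupdown hook but wrong once the same file becomes `ExecStart=` of `load-iptables-rules.service`: a failed `iptables-restore` (file missing, syntax error after a manual edit) still reports success, the unit shows as active, and the host comes up without the VPN's INPUT, FORWARD and NAT rules. Point the unit at the restore directly, e.g. `ExecStart=/bin/sh -c 'iptables-restore < /etc/iptables.rules'`, so a failure lands in `systemctl --failed` and the journal. Minor: `Description = Load /etc/iptables.rules` is the only key with spaces around `=`; systemd tolerates it, but match the other lines. The `ipt_load` test treats an existing `$IPT_FILE2` plus either persistence plugin as sufficient, but the `/bin/cp -f "$IPT_FILE" "$IPT_FILE2"` that produces that file in the previous hunk is not checked for success.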
@ -458,7 +486,6 @@ cat >> /etc/rc.local <<'EOF'
(sleep 15
service ipsec restart
service xl2tpd restart
[ -f "/usr/sbin/netplan" ] && { iptables-restore < /etc/iptables.rules; service fail2ban restart; }
echo 1 > /proc/sys/net/ipv4/ip_forward)&
exit 0
EOF
@ -470,7 +497,7 @@ bigecho "Starting services..."
sysctl -e -q -p
# Update file attributes
chmod +x /etc/rc.local /etc/network/if-pre-up.d/iptablesload
chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
# Apply new IPTables rules

View file

@ -60,7 +60,7 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
net_iface=${VPN_NET_IFACE:-'eth0'}
NET_IFACE=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@ -71,12 +71,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
;;
esac
net_iface="$def_iface"
NET_IFACE="$def_iface"
fi
net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null)
if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 <<EOF
Could not detect the default network interface. Re-run this script with:
@ -92,7 +92,7 @@ fi
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
bigecho "VPN credentials not set by user. Generating random PSK and password..."
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)"
VPN_USER=vpnuser
VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)"
fi
@ -170,9 +170,7 @@ case "$(uname -r)" in
l2tp_file="$l2tp_dir.tar.gz"
l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz"
yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2
if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then
exit 1
fi
wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1
/bin/rm -rf "/opt/src/$l2tp_dir"
tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file"
cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install
@ -188,7 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
SWAN_VER=3.22
SWAN_VER=3.27
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@ -198,10 +196,11 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
@ -246,8 +245,8 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=yes
conn l2tp-psk
@ -262,8 +261,7 @@ conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL
modecfgdns1=$DNS_SRV1
modecfgdns2=$DNS_SRV2
modecfgdns="$DNS_SRV1, $DNS_SRV2"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
@ -276,11 +274,6 @@ conn xauth-psk
also=shared
EOF
if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
fi
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF
@ -362,8 +355,8 @@ net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$net_iface.send_redirects = 0
net.ipv4.conf.$net_iface.rp_filter = 0
net.ipv4.conf.$NET_IFACE.send_redirects = 0
net.ipv4.conf.$NET_IFACE.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
@ -378,8 +371,8 @@ bigecho "Updating IPTables rules..."
ipt_flag=0
IPT_FILE="/etc/sysconfig/iptables"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
|| ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
@ -394,17 +387,17 @@ if [ "$ipt_flag" = "1" ]; then
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
# Uncomment if you wish to disallow traffic between VPN clients themselves
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
# iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
fi
@ -430,6 +423,7 @@ else
systemctl --now mask firewalld 2>/dev/null
systemctl enable iptables fail2ban 2>/dev/null
fi
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
if [ -f /etc/rc.local ]; then
conf_bk "/etc/rc.local"