From 8d90a3877c7c55854cf45192042bbc7d91892466 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 10 Sep 2018 01:26:31 -0500 Subject: [PATCH 01/44] Add version note --- vpnsetup.sh | 2 ++ vpnsetup_centos.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index ca46b59..633b338 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -198,6 +198,8 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +# Note: DO NOT EDIT. To install a different Libreswan version, +# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e7b143a..0adb3cd 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -188,6 +188,8 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +# Note: DO NOT EDIT. To install a different Libreswan version, +# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" From 2fe44b172ebc5230ba7b7b45f5642986a7edd287 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 11 Sep 2018 00:03:04 -0500 Subject: [PATCH 02/44] Improve Libreswan versions - Add compilation workarounds specific to Libreswan 3.23/3.25 to the VPN setup scripts, so that users may install those versions by modifying SWAN_VER before running the scripts - Cleanup --- vpnsetup.sh | 17 +++++++++++------ vpnsetup_centos.sh | 17 +++++++++++------ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 633b338..ff00b3f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -180,9 +180,7 @@ case "$(uname -r)" in l2tp_file="$l2tp_dir.tar.gz" l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" apt-get -yq install libpcap0.8-dev || exiterr2 - if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then - exit 1 - fi + wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 /bin/rm -rf "/opt/src/$l2tp_dir" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install @@ -198,8 +196,6 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -# Note: DO NOT EDIT. To install a different Libreswan version, -# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" @@ -210,10 +206,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 @@ -291,6 +289,13 @@ conn xauth-psk also=shared EOF +case "$SWAN_VER" in + 3.2[35]) + sed -i "/modecfgdns/d" /etc/ipsec.conf + echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf + ;; +esac + if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0adb3cd..36eb6c3 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
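Review bot: In the new `case "$SWAN_VER"` block in vpnsetup.sh, the `echo ... >> /etc/ipsec.conf` appends the `modecfgdns` line to the end of the file, which only lands in the right section because `conn xauth-psk` is the last conn in the heredoc written just above it; that dependency is not stated anywhere. A one-line comment before the `sed -i "/modecfgdns/d"`, such as `# xauth-psk is the last conn in the heredoc above, so appending puts modecfgdns in that section`, would keep a later reorder of the heredoc from silently misplacing the line. The interpolated `$DNS_SRV1`/`$DNS_SRV2` are defined outside this hunk; if they can come from a user-supplied environment variable, pass them through `check_ip` (already used on `$PRIVATE_IP` a few lines below) before writing them into the config. The same block is added to vpnsetup_centos.sh in this commit and needs the same treatment.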
@@ -170,9 +170,7 @@ case "$(uname -r)" in l2tp_file="$l2tp_dir.tar.gz" l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2 - if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then - exit 1 - fi + wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 /bin/rm -rf "/opt/src/$l2tp_dir" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install @@ -188,8 +186,6 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -# Note: DO NOT EDIT. To install a different Libreswan version, -# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" @@ -200,10 +196,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 @@ -278,6 +276,13 @@ conn xauth-psk also=shared EOF +case "$SWAN_VER" in + 3.2[35]) + sed -i "/modecfgdns/d" /etc/ipsec.conf + echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf + ;; +esac + if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf From 716bdad687008f82e2b8f9cf475c5371a07e4f44 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Fri, 14 Sep 2018 00:01:00 -0500 Subject: [PATCH 03/44] Update docs - Add troubleshooting sections for Windows 10 version 1803 and macOS IPsec/L2TP mode "Send all traffic" - Cleanup - Ref: #442 #376 --- docs/clients-zh.md | 29 ++++++++++++++++++----------- docs/clients.md | 29 ++++++++++++++++++----------- 2 files changed, 36 insertions(+), 22 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index c1b26c6..34c51f2 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,9 +18,10 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) + * [Windows 10 版本 1803](#windows-10-版本-1803) + * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) - * [Windows 10 升级](#windows-10-升级) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -93,7 +94,7 @@ 1. 在 **机器鉴定** 部分,选择 **共享的密钥** 单选按钮,然后输入`你的 VPN IPsec PSK`。 1. 单击 **好**。 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 -1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 +1. **(重要)** 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 
@@ -210,23 +211,29 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见) +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (参见)。如果仍然无法连接,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。 ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook 连接问题 -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 - -### Windows 10 升级 - -在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。更多信息请参见 这个 Issue。 +Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index 6172e99..77c9502 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -18,9 +18,10 @@ After settin * [Troubleshooting](#troubleshooting) * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) + * [Windows 10 version 1803](#windows-10-version-1803) + * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) - * [Windows 10 upgrades](#windows-10-upgrades) * [Other errors](#other-errors) * [Additional steps](#additional-steps) 
@@ -93,7 +94,7 @@ If you get an error when trying to connect, see Troub 1. In the **Machine Authentication** section, select the **Shared Secret** radio button and enter `Your VPN IPsec PSK`. 1. Click **OK**. 1. Check the **Show VPN status in menu bar** checkbox. -1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. +1. **(Important)** Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. 
@@ -210,23 +211,29 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) +### Windows 10 version 1803 + +If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. + +Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. + +### macOS VPN traffic + +OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. + ### Android 6 and above -If you are unable to connect using Android 6 or above: +If you are unable to connect using Android 6 or above, try these steps in order: -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. If still unable to connect, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. 
If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). If still unable to connect, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook issues -Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. - -### Windows 10 upgrades - -After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. Refer to this issue for more information. +Chromebook users: If you are unable to connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. ### Other errors From dfc5fce92c1e8d9be6620d7a815e46056f8cd700 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 16 Sep 2018 01:05:29 -0500 Subject: [PATCH 04/44] Improve version check - Improve Libreswan version check in upgrade scripts, including checking for supported versions and showing upgrade/downgrade info - Clean up notes --- extras/vpnupgrade.sh | 107 +++++++++++++++++++++--------------- extras/vpnupgrade_centos.sh | 107 +++++++++++++++++++++--------------- 2 files changed, 124 insertions(+), 90 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 5537249..8256f8e 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -47,11 +47,15 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +swan_ver_is_supported=0 case "$SWAN_VER" in - 3.24|3.2[6-9]) - exiterr "Libreswan version $SWAN_VER is not available." + 3.19|3.2[01235]) + swan_ver_is_supported=1 ;; esac +if [ "$swan_ver_is_supported" != "1" ]; then + exiterr "Libreswan version $SWAN_VER is not supported." +fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then @@ -75,12 +79,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_downgrade_to_322=0 -if [ "$SWAN_VER" = "3.22" ]; then - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then - is_downgrade_to_322=1 - fi -fi +is_upgrade_to_323_or_newer=0 +case "$SWAN_VER" in + 3.2[35]) + if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_upgrade_to_323_or_newer=1 + fi + ;; +esac + +is_downgrade_to_322_or_older=0 +case "$SWAN_VER" in + 3.19|3.2[012]) + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322_or_older=1 + fi + ;; +esac clear 
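Review bot: The two new detection blocks (`is_upgrade_to_323_or_newer` and `is_downgrade_to_322_or_older`) decide with `grep -qF -e "3.23" -e "3.25"` over the full `ipsec --version` output, and that output also carries the kernel version after ` (netkey) on ` (the suffix the series later strips with sed), so a kernel string that happens to contain `3.25` (e.g. a constructed 4.13.25) would misclassify a 3.22 install as a downgrade. Anchor the match to the Libreswan field instead, e.g. `if printf '%s' "$ipsec_ver" | grep -qE 'Libreswan 3\.2[35]( |$)'; then` in the downgrade block and the negated form in the upgrade block. The pre-existing `grep -qF "$SWAN_VER"` context line at the top of the second hunk has the same weakness. The identical blocks added to extras/vpnupgrade_centos.sh in this commit need the same change.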
@@ -95,34 +110,28 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then +case "$SWAN_VER" in + 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF -fi + ;; +esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following changes to your /etc/ipsec.conf: + This script will make the following updates to your /etc/ipsec.conf: - Replace this line: - auth=esp - with the following: - phase2=esp + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Replace this line: - forceencaps=yes - with the following: - encapsulation=yes - - Consolidate VPN ciphers for "ike=" and "phase2alg=". - Re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. - - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -186,7 +195,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." fi -# Update ipsec.conf for Libreswan 3.19 and newer +# Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" if uname -m | grep -qi '^arm'; then 
@@ -206,28 +215,36 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo -case "$SWAN_VER" in - 3.2[3-9]) +if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "service ipsec restart". EOF - ;; -esac +fi -if [ "$is_downgrade_to_322" = "1" ]; then +if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - Then run "service ipsec restart". +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "service ipsec restart". EOF fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index d97a432..0e22aac 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -38,11 +38,15 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +swan_ver_is_supported=0 case "$SWAN_VER" in - 3.24|3.2[6-9]) - exiterr "Libreswan version $SWAN_VER is not available." + 3.19|3.2[01235]) + swan_ver_is_supported=1 ;; esac +if [ "$swan_ver_is_supported" != "1" ]; then + exiterr "Libreswan version $SWAN_VER is not supported." +fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then @@ -66,12 +70,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_downgrade_to_322=0 -if [ "$SWAN_VER" = "3.22" ]; then - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then - is_downgrade_to_322=1 - fi -fi +is_upgrade_to_323_or_newer=0 +case "$SWAN_VER" in + 3.2[35]) + if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_upgrade_to_323_or_newer=1 + fi + ;; +esac + +is_downgrade_to_322_or_older=0 +case "$SWAN_VER" in + 3.19|3.2[012]) + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322_or_older=1 + fi + ;; +esac clear 
@@ -86,34 +101,28 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then +case "$SWAN_VER" in + 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF -fi + ;; +esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following changes to your /etc/ipsec.conf: + This script will make the following updates to your /etc/ipsec.conf: - Replace this line: - auth=esp - with the following: - phase2=esp + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Replace this line: - forceencaps=yes - with the following: - encapsulation=yes - - Consolidate VPN ciphers for "ike=" and "phase2alg=". - Re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. - - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -190,7 +199,7 @@ restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null -# Update ipsec.conf for Libreswan 3.19 and newer +# Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ 
@@ -207,28 +216,36 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo -case "$SWAN_VER" in - 3.2[3-9]) +if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "service ipsec restart". EOF - ;; -esac +fi -if [ "$is_downgrade_to_322" = "1" ]; then +if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - Then run "service ipsec restart". +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "service ipsec restart". EOF fi From 329a5ecf507bcecc0905d1056b17cef371918d01 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 16 Sep 2018 21:36:49 -0500 Subject: [PATCH 05/44] Cleanup - Improve display of Libreswan versions in upgrade scripts - Clean up notes --- extras/vpnupgrade.sh | 64 +++++++++++++++++++++---------------- extras/vpnupgrade_centos.sh | 64 +++++++++++++++++++++---------------- 2 files changed, 72 insertions(+), 56 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8256f8e..0a268ea 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -58,6 +58,7 @@ if [ "$swan_ver_is_supported" != "1" ]; then fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi @@ -105,8 +106,8 @@ Additional packages required for compilation will also be installed. It is intended for upgrading servers to a newer Libreswan version. -Current version: $ipsec_ver -Version to be installed: Libreswan $SWAN_VER +Current version: $ipsec_ver_short +Version to install: Libreswan $SWAN_VER EOF @@ -114,8 +115,8 @@ case "$SWAN_VER" in 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF ;; 
@@ -123,15 +124,15 @@ esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following updates to your /etc/ipsec.conf: + This script will make the following updates to your /etc/ipsec.conf: - 1. Replace "auth=esp" with "phase2=esp" - 2. Replace "forceencaps=yes" with "encapsulation=yes" - 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", - re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -211,40 +212,47 @@ sed -i".old-$(date +%F-%T)" \ mkdir -p /run/pluto service ipsec restart -echo -echo "Libreswan $SWAN_VER was installed successfully! " -echo +cat < Date: Tue, 18 Sep 2018 00:57:03 -0500 Subject: [PATCH 06/44] Improve variables - Move SWAN_VER to the top of the scripts - Add check for Libreswan version - Cleanup --- extras/vpnupgrade.sh | 15 +++++-------- extras/vpnupgrade_centos.sh | 15 +++++-------- vpnsetup.sh | 42 +++++++++++++++++++++++-------------- vpnsetup_centos.sh | 42 +++++++++++++++++++++++-------------- 4 files changed, 62 insertions(+), 52 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 0a268ea..a551c8c 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -10,7 +10,7 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check https://libreswan.org for the latest version +# Specify which Libreswan version to install. See: https://libreswan.org SWAN_VER=3.22 ### DO NOT edit below this line ### 
@@ -43,19 +43,14 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$SWAN_VER" ]; then - exiterr "Libreswan version 'SWAN_VER' not specified." -fi - -swan_ver_is_supported=0 case "$SWAN_VER" in 3.19|3.2[01235]) - swan_ver_is_supported=1 + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." ;; esac -if [ "$swan_ver_is_supported" != "1" ]; then - exiterr "Libreswan version $SWAN_VER is not supported." -fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 3168cb5..45d068f 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -10,7 +10,7 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check https://libreswan.org for the latest version +# Specify which Libreswan version to install. See: https://libreswan.org SWAN_VER=3.22 ### DO NOT edit below this line ### @@ -34,19 +34,14 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$SWAN_VER" ]; then - exiterr "Libreswan version 'SWAN_VER' not specified." -fi - -swan_ver_is_supported=0 case "$SWAN_VER" in 3.19|3.2[01235]) - swan_ver_is_supported=1 + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." ;; esac -if [ "$swan_ver_is_supported" != "1" ]; then - exiterr "Libreswan version $SWAN_VER is not supported." -fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" diff --git a/vpnsetup.sh b/vpnsetup.sh index ff00b3f..c1d692c 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
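Review bot: The new supported-version `case` arm uses `/bin/true` as its no-op body, which forks an external binary and depends on that absolute path existing; the POSIX builtin `:` does the same with neither cost, so the arm can read `3.19|3.2[01235]) : ;;`. Dropping the separate `-z "$SWAN_VER"` check is fine because an empty value falls through to the `*)` arm, though the resulting message then reads `Libreswan version '' is not supported.`, which a reader may not recognise as "unset". The same `/bin/true` arm is introduced in extras/vpnupgrade_centos.sh, vpnsetup.sh and vpnsetup_centos.sh in this commit.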
@@ -36,6 +36,8 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" +SWAN_VER=3.22 + exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } @@ -69,7 +71,16 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -net_iface=${VPN_NET_IFACE:-'eth0'} +case "$SWAN_VER" in + 3.19|3.2[01235]) + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." + ;; +esac + +NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -82,12 +93,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then ;; esac fi - net_iface="$def_iface" + NET_IFACE="$def_iface" fi -net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 +net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -418,17 +428,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT + iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 36eb6c3..f2b12ed 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -36,6 +36,8 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" +SWAN_VER=3.22 + exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } @@ -60,7 +62,16 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -net_iface=${VPN_NET_IFACE:-'eth0'} +case "$SWAN_VER" in + 3.19|3.2[01235]) + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." + ;; +esac + +NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -71,12 +82,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac - net_iface="$def_iface" + NET_IFACE="$def_iface" fi -net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 +net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -401,17 +411,17 @@ if [ "$ipt_flag" = "1" ]; then
 iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 iptables -I INPUT 6 -p udp --dport 1701 -j DROP
 iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
- iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
+ iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
 iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
- iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
+ iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
 # Uncomment if you wish to disallow traffic between VPN clients themselves
 # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
 # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
 iptables -A FORWARD -j DROP
- iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
- iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
+ iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
+ iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
 echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
 iptables-save >> "$IPT_FILE"
 fi
From b803f32b71debbdb5d1060b899a9dea86acb8589 Mon Sep 17 00:00:00 2001
From: hwdsl2 Date: Fri, 21 Sep 2018 23:44:29 -0500 Subject: [PATCH 07/44] New Libreswan version - Upgrade to new Libreswan version 3.26 - Ref: https://github.com/libreswan/libreswan/issues/202 - Cleanup --- extras/vpnupgrade.sh | 46 ++++++++++++++++++++++--------------- extras/vpnupgrade_centos.sh | 46 ++++++++++++++++++++++--------------- vpnsetup.sh | 27 ++++------------------ vpnsetup_centos.sh | 27 ++++------------------ 4 files changed, 64 insertions(+), 82 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a551c8c..7f2d422 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.22 +SWAN_VER=3.26 ### DO NOT edit below this line ### @@ -44,11 +44,16 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235]) + 3.19|3.2[012356]) /bin/true ;; *) - exiterr "Libreswan version '$SWAN_VER' is not supported." +cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then 
@@ -220,34 +228,34 @@ EOF if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf - and replace these two lines: +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf - and replace this line: +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 45d068f..7f95d1a 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.22 +SWAN_VER=3.26 ### DO NOT edit below this line ### @@ -35,11 +35,16 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235]) + 3.19|3.2[012356]) /bin/true ;; *) - exiterr "Libreswan version '$SWAN_VER' is not supported." +cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" 
@@ -221,34 +229,34 @@ EOF if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf - and replace these two lines: +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf - and replace this line: +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi diff --git a/vpnsetup.sh b/vpnsetup.sh index c1d692c..cd1fddf 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -36,8 +36,6 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" -SWAN_VER=3.22 - exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } 
@@ -71,15 +69,6 @@ if [ "$(id -u)" != 0 ]; then
 exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
-case "$SWAN_VER" in
- 3.19|3.2[01235])
- /bin/true
- ;;
- *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
- ;;
-esac
-
 NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@@ -207,6 +196,7 @@ apt-get -yq install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
+SWAN_VER=3.26
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -216,11 +206,12 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
-sed -i '/docker-targets\.mk/d' Makefile
+sed -i 's/-lfreebl //' mk/config.mk
+sed -i '/blapi\.h/d' programs/pluto/keys.c
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
@@ -285,8 +276,7 @@ conn xauth-psk
 auto=add
 leftsubnet=0.0.0.0/0
 rightaddresspool=$XAUTH_POOL
- modecfgdns1=$DNS_SRV1
- modecfgdns2=$DNS_SRV2
+ modecfgdns="$DNS_SRV1, $DNS_SRV2"
 leftxauthserver=yes
 rightxauthclient=yes
 leftmodecfgserver=yes
@@ -299,13 +289,6 @@ conn xauth-psk
 also=shared
 EOF
-case "$SWAN_VER" in
- 3.2[35])
- sed -i "/modecfgdns/d" /etc/ipsec.conf
- echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf
- ;;
-esac
-
 if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
 PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
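Review bot: `SWAN_VER=3.26` pins which archive gets built, but neither this hunk nor the `swan_url1`/`swan_url2` context lines tie that version to an expected digest, and the fetch step that sits between this hunk and the next is not shown, so as far as the visible code goes a substituted tarball from either mirror would be unpacked and compiled as root without detection. Pairing the pin with a known-good hash, e.g. `SWAN_SHA256='<sha256 of libreswan-3.26.tar.gz, taken from the project release>'` next to `SWAN_VER=3.26`, and running `printf '%s  %s\n' "$SWAN_SHA256" "$swan_file" | sha256sum -c - || exiterr "Libreswan archive checksum mismatch."` before the `tar xzf "$swan_file"` line of the following hunk would close that gap using the `exiterr` helper this file already defines. The same applies to the matching `SWAN_VER=3.26` hunk in vpnsetup_centos.sh further down.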
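Review bot: The new `sed -i 's/-lfreebl //' mk/config.mk` and `sed -i '/blapi\.h/d' programs/pluto/keys.c` lines and the `USE_DH31 = false` entry in Makefile.inc.local carry no explanation and no version guard, whereas the `LSWBUF_CANARY` edit they replace was gated on `[ "$SWAN_VER" = "3.22" ]`; since `sed -i` exits 0 whether or not its pattern matched, anyone who later changes `SWAN_VER` (which earlier commits in this series explicitly invite) gets these source edits applied silently to a tree they may not fit. A comment above the first sed such as `# Build workarounds specific to Libreswan 3.26 (ref. libreswan/libreswan#202); revisit when SWAN_VER changes`, together with restoring a `[ "$SWAN_VER" = "3.26" ] &&` guard on both seds, would make the intent recoverable. `USE_DH31 = false` presumably drops DH group 31 from the build, which changes the proposals the server can offer; if so, that deserves its own line in the comment. The same lines appear in the vpnsetup_centos.sh hunk below.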
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index f2b12ed..45649e5 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -36,8 +36,6 @@ YOUR_PASSWORD=''
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT="$(date +%F-%T)"
-SWAN_VER=3.22
-
 exiterr() { echo "Error: $1" >&2; exit 1; }
 exiterr2() { exiterr "'yum install' failed."; }
 conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
@@ -62,15 +60,6 @@ if [ "$(id -u)" != 0 ]; then
 exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
-case "$SWAN_VER" in
- 3.19|3.2[01235])
- /bin/true
- ;;
- *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
- ;;
-esac
-
 NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@@ -197,6 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
+SWAN_VER=3.26
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -206,11 +196,12 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
-sed -i '/docker-targets\.mk/d' Makefile
+sed -i 's/-lfreebl //' mk/config.mk
+sed -i '/blapi\.h/d' programs/pluto/keys.c
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 NPROCS="$(grep -c ^processor /proc/cpuinfo)"
@@ -272,8 +263,7 @@ conn xauth-psk
 auto=add
 leftsubnet=0.0.0.0/0
 rightaddresspool=$XAUTH_POOL
- modecfgdns1=$DNS_SRV1
- modecfgdns2=$DNS_SRV2
+ modecfgdns="$DNS_SRV1, $DNS_SRV2"
 leftxauthserver=yes
 rightxauthclient=yes
 leftmodecfgserver=yes
@@ -286,13 +276,6 @@ conn xauth-psk
 also=shared
 EOF
-case "$SWAN_VER" in
- 3.2[35])
- sed -i "/modecfgdns/d" /etc/ipsec.conf
- echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf
- ;;
-esac
-
 if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
 PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
From 5d3f4eb7e657841cbcfbb9998009cfcac3dbd1cf Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 21 Sep 2018 23:56:16 -0500
Subject: [PATCH 08/44] Update docs
- Update README and IKEv2 docs for Libreswan 3.26
---
 README-zh.md | 2 --
 README.md | 2 --
 docs/ikev2-howto-zh.md | 18 +++++++++---------
 docs/ikev2-howto.md | 18 +++++++++---------
 4 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/README-zh.md b/README-zh.md
index a3a9bdd..f824a36 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -168,8 +168,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh
 wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
 ```
-:warning: VPN 脚本默认安装 Libreswan 3.22,因为新版本 3.23 和 3.25 存在问题,从而不能同时连接在同一个 NAT (比如家用路由器)后面的多个 IPsec/XAuth VPN 客户端。
-
 ## 问题和反馈
 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。
diff --git a/README.md b/README.md
index 8c37b71..c8b14ac 100644
--- a/README.md
+++ b/README.md
@@ -168,8 +168,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh
 wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
 ```
-:warning: The VPN scripts install Libreswan 3.22 by default, because newer versions 3.23 and 3.25 have issues with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
-
 ## Bugs & Questions
 - Got a question? Please first search other people's comments in this Gist and on my blog.
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 1830045..2635661 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -60,6 +60,15 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ ipsec --version ``` + 如果是 Libreswan 3.23 或更新版本: + + ```bash + $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf < Date: Sat, 22 Sep 2018 01:58:58 -0500 Subject: [PATCH 09/44] Update IKEv2 docs - Re-add Android instructions to IKEv2 docs because it is fixed in Libreswan 3.26 - Ref: 964b793 #307 - Cleanup --- README-zh.md | 2 +- README.md | 2 +- docs/ikev2-howto-zh.md | 25 +++++++++++++++++++++---- docs/ikev2-howto.md | 25 +++++++++++++++++++++---- 4 files changed, 44 insertions(+), 10 deletions(-) diff --git a/README-zh.md b/README-zh.md index f824a36..3d66ff3 100644 --- a/README-zh.md +++ b/README-zh.md @@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows 7 和更新版本** +**如何配置 IKEv2 VPN: Windows 和 Android** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index c8b14ac..b1f42d8 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows 7 and above** +**How-To: IKEv2 VPN for Windows and Android** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2635661..b591822 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 7 和更新版本 +# 如何配置 IKEv2 VPN: Windows 和 Android *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -10,9 +10,14 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 -Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: -在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 +- Windows 7, 8.x 和 10 +- strongSwan Android VPN 客户端 + +下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 + +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且已经将 Libreswan 升级到最新版本。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 @@ -186,11 +191,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. (可选步骤) 如需启用更安全的加密方式,你可以添加 这个注册表键 并重启。 + #### Android 4.x 和更新版本 + + 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 + 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 + 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + 1. 保存新的 VPN 连接,然后单击它以开始连接。 + 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试 修改注册表,或者换用 IPsec/L2TPIPsec/XAuth 模式连接。 +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 +1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 ## 参考链接 @@ -198,3 +214,4 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient 
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 5cbe306..a8f7832 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows 7 and above +# How-To: IKEv2 VPN for Windows and Android *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -10,9 +10,14 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. -Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. +Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: -Before continuing, make sure you have successfully set up your VPN server. +- Windows 7, 8.x and 10 +- strongSwan Android VPN client + +The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. + +Before continuing, make sure you have successfully set up your VPN server, and upgraded Libreswan to the latest version. 1. Find the VPN server's public IP, save it to a variable and check. 
@@ -186,11 +191,22 @@ Before continuing, make sure you have successfully this registry key and reboot. + #### Android 4.x and newer + + 1. Install strongSwan VPN Client from **Google Play**. + 1. Launch the VPN client and tap **Add VPN Profile**. + 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. + 1. Tap **Select user certificate**, then tap **Install certificate**. + 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + 1. Save the new VPN connection, then tap to connect. + 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues -The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try this registry fix, or connect using IPsec/L2TP or IPsec/XAuth mode instead. +1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. +1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. ## References @@ -198,3 +214,4 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient From e22664f7a27660cc4d24218aea28594237b6db3c Mon Sep 17 00:00:00 2001 
From: hwdsl2
Date: Sat, 22 Sep 2018 12:10:02 -0500
Subject: [PATCH 10/44] Improve upgrade config
- Try to automatically update modecfgdns lines in /etc/ipsec.conf in the Libreswan upgrade scripts
- Cleanup
---
 extras/vpnupgrade.sh | 109 +++++++++++++++++------------------
 extras/vpnupgrade_centos.sh | 106 ++++++++++++++++------------------
 2 files changed, 101 insertions(+), 114 deletions(-)
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 7f2d422..0b9beba 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -57,6 +57,25 @@ EOF
 ;;
 esac
+dns_state=0
+case "$SWAN_VER" in
+ 3.2[356])
+ DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+ DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+ [ -n "$DNS_SRV1" ] && dns_state=2
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
+ [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0
+ ;;
+ 3.19|3.2[012])
+ DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
+ DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
+ DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4
+ [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0
+ ;;
+esac
+
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
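Review bot: `DNS_SRV1`/`DNS_SRV2` are read from /etc/ipsec.conf with an unanchored `grep "modecfgdns1="` and a `cut -d '=' -f 2`, and in the later hunk of this file that rewrites ipsec.conf they are spliced unescaped into `sed` `s///` replacements, so a commented-out `#modecfgdns1=` line, a value containing `/`, `&` or `\`, or anything that is not an address either corrupts the rewrite or makes sed fail part-way through the upgrade. Anchoring the pattern, e.g. `grep '^[[:space:]]*modecfgdns1=' /etc/ipsec.conf`, and validating both values before they reach sed (the setup scripts have a `check_ip` helper; a `case "$DNS_SRV1" in *[!0-9.]*) dns_state=0 ;; esac` check would do if this script lacks it) keeps the auto-edit on the manual-prompt path whenever the file is not in the expected shape. This is a robustness rather than an injection concern, since /etc/ipsec.conf is root-owned, but the failure mode is a half-rewritten config on a running VPN server. The diffstat says vpnupgrade_centos.sh gets the same block, so the same applies there.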
@@ -80,24 +99,6 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_upgrade_to_323_or_newer=0 -case "$SWAN_VER" in - 3.2[356]) - if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then - is_upgrade_to_323_or_newer=1 - fi - ;; -esac - -is_downgrade_to_322_or_older=0 -case "$SWAN_VER" in - 3.19|3.2[012]) - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then - is_downgrade_to_322_or_older=1 - fi - ;; -esac - clear cat </dev/null # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" + sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf +if [ "$dns_state" = "1" ]; then + sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ + -e "/modecfgdns2/d" /etc/ipsec.conf +elif [ "$dns_state" = "2" ]; then + sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf +elif [ "$dns_state" = "3" ]; then + sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf + sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf +elif [ "$dns_state" = "4" ]; then + sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf +fi + # Restart IPsec service mkdir -p /run/pluto service ipsec restart 
@@ -227,40 +253,6 @@ Libreswan $SWAN_VER has been successfully installed!
 EOF
-if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
-cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
- /etc/ipsec.conf and replace these two lines:
-
- modecfgdns1=8.8.8.8
- modecfgdns2=8.8.4.4
-
- with a single line like this:
-
- modecfgdns="8.8.8.8, 8.8.4.4"
-
- Then run "sudo service ipsec restart".
-
-EOF
-fi
-
-if [ "$is_downgrade_to_322_or_older" = "1" ]; then
-cat <<'EOF'
-IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
- /etc/ipsec.conf and replace this line:
-
- modecfgdns="8.8.8.8, 8.8.4.4"
-
- with two lines like this:
-
- modecfgdns1=8.8.8.8
- modecfgdns2=8.8.4.4
-
- Then run "sudo service ipsec restart".
-
-EOF
-fi
-
 }
 ## Defer setup until we have the complete script
From 20f57975b38a581c06e1c6fc784277c437db9fde Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 30 Sep 2018 18:36:42 -0500
Subject: [PATCH 11/44] Update docs
- Add notes for the faster IPsec/XAuth and IKEv2 modes
- Cleanup
---
 docs/clients-xauth-zh.md | 8 ++++----
 docs/clients-xauth.md | 2 +-
 docs/clients-zh.md | 12 ++++++++++--
 docs/clients.md | 10 +++++++++-
 docs/ikev2-howto-zh.md | 8 ++++----
 docs/ikev2-howto.md | 4 ++--
 6 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md
index 821549e..b354f8c 100644
--- a/docs/clients-xauth-zh.md
+++ b/docs/clients-xauth-zh.md
@@ -2,11 +2,11 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP 更高效地传输数据。 +IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **更高效**地传输数据(较低的额外开销)。 --- * 平台名称 @@ -17,7 +17,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP ## Windows -**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 +**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 1. 下载并安装免费的 Shrew Soft VPN 客户端。 **注:** 该 VPN 客户端支持 Windows 2K/XP/Vista/7/8 系统。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 5d61398..59250b9 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -6,7 +6,7 @@ After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster than IPsec/L2TP with less overhead. +IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster than** IPsec/L2TP with less overhead. --- * Platforms diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 34c51f2..86c00a4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -2,9 +2,9 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 --- * 平台名称 @@ -27,6 +27,8 @@ ## Windows +**注:** 你也可以配置并且使用更新的 [IKEv2 模式](ikev2-howto-zh.md) 连接。 + ### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 @@ -81,6 +83,8 @@ ## OS X +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。 + 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 1. 从 **接口** 下拉菜单选择 **VPN**。 @@ -102,6 +106,8 @@ ## Android +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 + 1. 启动 **设置** 应用程序。 1. 在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 @@ -123,6 +129,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. @@ -27,6 +27,8 @@ After settin ## Windows +**Note:** You may also set up and connect using the newer [IKEv2 mode](ikev2-howto.md). + ### Windows 10 and 8.x 1. Right-click on the wireless/network icon in your system tray. @@ -81,6 +83,8 @@ If you get an error when trying to connect, see Troub ## OS X +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). + 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 1. Select **VPN** from the **Interface** drop-down menu. 
@@ -102,6 +106,8 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy ## Android +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). + 1. Launch the **Settings** application. 1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **VPN**. @@ -123,6 +129,8 @@ If you get an error when trying to connect, see Troub ## iOS +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). + 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **L2TP** and go back. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index b591822..bcdbe45 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -13,7 +13,7 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: - Windows 7, 8.x 和 10 -- strongSwan Android VPN 客户端 +- Android 4.x 和更新版本(使用 strongSwan VPN 客户端) 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 @@ -29,7 +29,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 -1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: +1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash $ cat >> /etc/ipsec.conf <这个注册表键 并重启。 + 1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看这里。 #### Android 4.x 和更新版本 - 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index a8f7832..e2315d0 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -13,7 +13,7 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agil
 Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
 - Windows 7, 8.x and 10
-- strongSwan Android VPN client
+- Android 4.x and newer (using the strongSwan VPN client)
 The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
@@ -189,7 +189,7 @@ Before continuing, make sure you have successfully this registry key and reboot.
+ 1. (Optional) You may enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more here.
 #### Android 4.x and newer
From 4f41fcba9a0a4cb4a4e79456003cf5369fc24895 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 30 Sep 2018 20:04:21 -0500
Subject: [PATCH 12/44] Improve upgrade config
- Replace all occurrences when updating /etc/ipsec.conf
- Prompt the user to edit manually if more than one modecfgdns1= or modecfgdns= line is present
---
 extras/vpnupgrade.sh | 44 ++++++++++++++++++++++++++++++++-----
 extras/vpnupgrade_centos.sh | 44 ++++++++++++++++++++++++++++++++-----
 2 files changed, 76 insertions(+), 12 deletions(-)
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 0b9beba..aaaae1a 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -64,7 +64,7 @@ case "$SWAN_VER" in
 DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
 [ -n "$DNS_SRV1" ] && dns_state=2
 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
- [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0
+ [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
 ;;
 3.19|3.2[012])
 DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
@@ -72,7 +72,7 @@ case "$SWAN_VER" in DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 - [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac @@ -223,10 +223,10 @@ if uname -m | grep -qi '^arm'; then fi sed -i".old-$(date +%F-%T)" \ - -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ - -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf if [ "$dns_state" = "1" ]; then sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ @@ -255,6 +255,38 @@ Libreswan $SWAN_VER has been successfully installed! EOF +if [ "$dns_state" = "5" ]; then +cat <<'EOF' +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf + and replace all occurrences of these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "sudo service ipsec restart". + +EOF +elif [ "$dns_state" = "6" ]; then +cat <<'EOF' +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf + and replace all occurrences of this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "sudo service ipsec restart". + +EOF +fi + } ## Defer setup until we have the complete script 
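Review bot: The `g` flag added to the four `-e` expressions of the `sed -i".old-$(date +%F-%T)"` call has no effect, because each pattern is anchored with `^` and `\$` and so can match at most once per line, while sed's `s` command already runs on every line that matches; every `ike=` and `phase2alg=` line in the file was being rewritten before this change. Keeping the flag implies a multi-match case that cannot occur, so I would drop it and state the intent in a comment instead, e.g. `# every matching ike=/phase2alg= line is rewritten, not only the first`. The same applies to the matching hunk in extras/vpnupgrade_centos.sh.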
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 9282b0d..6dbc0e9 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -55,7 +55,7 @@ case "$SWAN_VER" in DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 - [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5 ;; 3.19|3.2[012]) DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) @@ -63,7 +63,7 @@ case "$SWAN_VER" in DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 - [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac @@ -221,10 +221,10 @@ IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2; PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ - -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ - -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf if [ "$dns_state" = "1" ]; then sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ 
@@ -253,6 +253,38 @@ Libreswan $SWAN_VER has been successfully installed! EOF +if [ "$dns_state" = "5" ]; then +cat <<'EOF' +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf + and replace all occurrences of these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "sudo service ipsec restart". + +EOF +elif [ "$dns_state" = "6" ]; then +cat <<'EOF' +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf + and replace all occurrences of this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "sudo service ipsec restart". + +EOF +fi + } ## Defer setup until we have the complete script From a04d2d32e87e40b8d6d628e49fcfce6fd0e6a4bb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 9 Oct 2018 12:32:28 -0500 Subject: [PATCH 13/44] New Libreswan version - Upgrade Libreswan to 3.27 - Cleanup --- extras/vpnupgrade.sh | 12 ++++++------ extras/vpnupgrade_centos.sh | 12 ++++++------ vpnsetup.sh | 9 +-------- vpnsetup_centos.sh | 9 +-------- 4 files changed, 14 insertions(+), 28 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index aaaae1a..871ba81 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.26 +SWAN_VER=3.27 ### DO NOT edit below this line ### @@ -44,14 +44,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[012356]) + 3.19|3.2[0123567]) /bin/true ;; *) cat 1>&2 <&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
@@ -289,11 +287,6 @@ conn xauth-psk also=shared EOF -if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') - check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf -fi - if uname -m | grep -qi '^arm'; then sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 45649e5..2d5656b 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -186,7 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.26 +SWAN_VER=3.27 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -196,8 +196,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i 's/-lfreebl //' mk/config.mk -sed -i '/blapi\.h/d' programs/pluto/keys.c cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
@@ -276,11 +274,6 @@ conn xauth-psk also=shared EOF -if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') - check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf -fi - # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Sat, 13 Oct 2018 14:26:09 -0500 Subject: [PATCH 14/44] Update IKEv2 docs - Add instructions for iOS (iPhone/iPad). Thanks @zzuzjl for the suggestion! - Change IKEv2 address pool to 192.168.43.150-192.168.43.250 to help avoid conflict with IPsec/XAuth - Closes #453. Closes #461 - Cleanup --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 6 +-- docs/clients.md | 4 +- docs/ikev2-howto-zh.md | 87 ++++++++++++++++++++++++++++------------ docs/ikev2-howto.md | 85 +++++++++++++++++++++++++++------------ 8 files changed, 131 insertions(+), 61 deletions(-) diff --git a/README-zh.md b/README-zh.md index 3d66ff3..3fb7c85 100644 --- a/README-zh.md +++ b/README-zh.md @@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows 和 Android** +**如何配置 IKEv2 VPN: Windows, Android 和 iOS** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index b1f42d8..a9d9325 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows and Android** +**How-To: IKEv2 VPN for Windows, Android and iOS** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index b354f8c..d24f301 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -2,7 +2,7 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 @@ -92,7 +92,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 59250b9..a44d205 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).* +**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md). After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 86c00a4..4c0bc6d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -2,7 +2,7 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 @@ -129,7 +129,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients.md b/docs/clients.md index 6c2aba3..f99f601 100644 
--- a/docs/clients.md +++ b/docs/clients.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -*Note: You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).* +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. @@ -129,7 +129,7 @@ If you get an error when trying to connect, see Troub ## iOS -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index bcdbe45..f39634d 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 和 Android +# 如何配置 IKEv2 VPN: Windows, Android 和 iOS *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -14,10 +14,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Windows 7, 8.x 和 10 - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) +- iOS (iPhone/iPad) 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且已经将 Libreswan 升级到最新版本。 +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且将 Libreswan 升级到最新版本。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 
@@ -43,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 leftrsasigkey=%cert right=%any rightid=%fromcert - rightaddresspool=192.168.43.10-192.168.43.250 + rightaddresspool=192.168.43.150-192.168.43.250 rightca=%same rightrsasigkey=%cert narrowing=yes @@ -104,14 +105,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 -s "O=Example,CN=Example CA" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t "CT,," -2 + ``` - Generating key. This may take a few moments... + ``` + Generating key. This may take a few moments... - Is this a CA certificate [y/N]? - y - Enter the path length constraint, enter to skip [<0 for unlimited path]: > - Is this a critical extension [y/N]? - N + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N ``` ```bash @@ -123,11 +126,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth \ --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" - - Generating key. This may take a few moments... ``` -1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: + ``` + Generating key. This may take a few moments... + ``` + +1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ 
@@ -137,19 +142,29 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "vpnclient" + ``` - Generating key. This may take a few moments... + ``` + Generating key. This may take a few moments... ``` ```bash - $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d - - Enter password for PKCS12 file: - Re-enter password: - pk12util: PKCS12 EXPORT SUCCESSFUL + $ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer ``` - 你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 + **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 + + ```bash + $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d + ``` + + ``` + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL + ``` + + 指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 @@ -157,18 +172,20 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -L -d sql:/etc/ipsec.d + ``` - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI + ``` + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI - Example CA CTu,u,u - ($PUBLIC_IP) u,u,u - vpnclient u,u,u + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient u,u,u ``` **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 -1. 重启 IPsec 服务: +1. **重启 IPsec 服务**: ```bash $ service ipsec restart 
@@ -195,18 +212,36 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 - 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 1. 保存新的 VPN 连接,然后单击它以开始连接。 + #### iOS (iPhone/iPad) + + 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `Example CA` 都显示在设置 -> 通用 -> 描述文件中。 + + 1. 进入设置 -> 通用 -> VPN。 + 1. 单击 **添加VPN配置...**。 + 1. 单击 **类型** 。选择 **IKEv2** 并返回。 + 1. 在 **描述** 字段中输入任意内容。 + 1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 保持 **本地 ID** 字段空白。 + 1. 单击 **用户鉴定** 。选择 **无** 并返回。 + 1. 启用 **使用证书** 选项。 + 1. 单击 **证书** 。选择 **vpnclient** 并返回。 + 1. 单击右上角的 **完成**。 + 1. 启用 **VPN** 连接。 + 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index e2315d0..d2a1cfd 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows and Android +# How-To: IKEv2 VPN for Windows, Android and iOS *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -14,6 +14,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Windows 7, 8.x and 10 - Android 4.x and newer (using the strongSwan VPN client) +- iOS (iPhone/iPad) The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. 
@@ -43,7 +44,7 @@ Before continuing, make sure you have successfully - Is this a critical extension [y/N]? - N + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N ``` ```bash @@ -123,11 +126,13 @@ Before continuing, make sure you have successfully this page. -1. Restart IPsec service: +1. **Restart IPsec service**: ```bash $ service ipsec restart 
@@ -195,18 +212,36 @@ Before continuing, make sure you have successfully strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. - 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, then tap **Install certificate**. 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. 1. Save the new VPN connection, then tap to connect. + #### iOS (iPhone/iPad) + + First, send both `vpnca.cer` and `vpnclient.p12` (exported from step 4 above) to yourself as email attachments, then click to import them one by one as iOS profiles in the iOS Mail app. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `Example CA` are listed under Settings -> General -> Profiles. + + 1. Go to Settings -> General -> VPN. + 1. Tap **Add VPN Configuration...**. + 1. Tap **Type**. Select **IKEv2** and go back. + 1. Tap **Description** and enter anything you like. + 1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). + 1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). + 1. Leave the **Local ID** field blank. + 1. Tap **User Authentication**. Select **None** and go back. + 1. Make sure the **Use Certificate** switch is ON. + 1. Tap **Certificate**. Select **vpnclient** and go back. + 1. Tap **Done**. + 1. Slide the **VPN** switch ON. + 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. 
You may instead try the IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password. ## References From 9c529435cfbcde39515127b266ee89a87b79fa89 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 14 Oct 2018 23:53:06 -0500 Subject: [PATCH 15/44] Fix IKEv2 docs - Fixed an issue with address pool clashing by reverting to rightaddresspool=192.168.43.10-192.168.43.250 - Replaced "Example" with "IKEv2 VPN" for clarity - Closes #465 --- docs/ikev2-howto-zh.md | 22 +++++++++++----------- docs/ikev2-howto.md | 22 +++++++++++----------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index f39634d..69989db 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -44,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 leftrsasigkey=%cert right=%any rightid=%fromcert - rightaddresspool=192.168.43.150-192.168.43.250 + rightaddresspool=192.168.43.10-192.168.43.250 rightca=%same rightrsasigkey=%cert narrowing=yes @@ -101,8 +101,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -x -n "Example CA" \ - -s "O=Example,CN=Example CA" \ + -S -x -n "IKEv2 VPN CA" \ + -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t "CT,," -2 ``` @@ -119,8 +119,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "Example CA" -n "$PUBLIC_IP" \ - -s "O=Example,CN=$PUBLIC_IP" \ + -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ + -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ 
@@ -136,8 +136,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "Example CA" -n "vpnclient" \ - -s "O=Example,CN=vpnclient" \ + -S -c "IKEv2 VPN CA" -n "vpnclient" \ + -s "O=IKEv2 VPN,CN=vpnclient" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ @@ -149,7 +149,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ``` ```bash - $ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer + $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer ``` **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 @@ -178,7 +178,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI - Example CA CTu,u,u + IKEv2 VPN CA CTu,u,u ($PUBLIC_IP) u,u,u vpnclient u,u,u ``` @@ -191,7 +191,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。下一步: +1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。然后按照你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名,则需要在 **Server** 和 **Remote ID** 字段中输入域名而不是 IP 地址。 #### Windows 7, 8.x 和 10 @@ -220,7 +220,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `Example CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d2a1cfd..4dbe23d 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -44,7 +44,7 @@ Before continuing, make sure you have successfully **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows, Android 和 iOS** +**如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index a9d9325..57fcb61 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows, Android and iOS** +**How-To: IKEv2 VPN for Windows, macOS, Android and iOS** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4c0bc6d..1c25a60 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -83,7 +83,7 @@ ## OS X -**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。 +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 diff --git a/docs/clients.md b/docs/clients.md index f99f601..d62f84d 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -83,7 +83,7 @@ If you get an error when trying to connect, see Troub ## OS X -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 69989db..dd79ba3 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows, Android 和 iOS +# 如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -13,6 +13,7 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: - Windows 7, 8.x 和 10 +- OS X (macOS) - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) - iOS (iPhone/iPad) @@ -132,7 +133,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` -1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: +1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ @@ -148,12 +149,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` - ```bash - $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer - ``` - - **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 - ```bash $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` @@ -164,10 +159,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 设备时,该密码不能为空)。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 +1. (适用于 macOS 和 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: + + ```bash + $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer + ``` + 1. 证书数据库现在应该包含以下内容: ```bash 
@@ -191,11 +192,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。然后按照你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名,则需要在 **Server** 和 **Remote ID** 字段中输入域名而不是 IP 地址。 +1. 按照你的操作系统对应的步骤操作。请注意,如果你在上面的第一步指定了服务器的域名,则需要在 **服务器地址** 和 **远程 ID** 字段中输入该域名而不是 IP 地址。 #### Windows 7, 8.x 和 10 - 1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs @@ -208,9 +209,30 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看这里。 + #### OS X (macOS) + + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 Mac,然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 + + 1. 打开系统偏好设置并转到网络部分。 + 1. 在窗口左下角单击 **+** 按钮。 + 1. 从 **接口** 下拉菜单选择 **VPN**。 + 1. 从 **VPN 类型** 下拉菜单选择 **IKEv2**。 + 1. 在 **服务名称** 字段中输入任意内容。 + 1. 单击 **创建**。 + 1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 保持 **本地 ID** 字段空白。 + 1. 单击 **鉴定设置...** 按钮。 + 1. 从 **鉴定设置** 下拉菜单中选择 **无**。 + 1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。 + 1. 单击 **好**。 + 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 + 1. 单击 **应用** 保存VPN连接信息。 + 1. 单击 **连接**。 + #### Android 4.x 和更新版本 - 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的设备,然后从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 
@@ -220,7 +242,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 @@ -241,7 +263,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 -1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 4dbe23d..787ce74 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows, Android and iOS +# How-To: IKEv2 VPN for Windows, macOS, Android and iOS *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -13,6 +13,7 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agil Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: - Windows 7, 8.x and 10 +- OS X (macOS) - Android 4.x and newer (using the strongSwan VPN client) - iOS (iPhone/iPad) 
@@ -132,7 +133,7 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". + 1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". Detailed instructions: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs 
@@ -208,9 +209,30 @@ Before continuing, make sure you have successfully here. + #### OS X (macOS) + + First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. + + 1. Open System Preferences and go to the Network section. + 1. Click the **+** button in the lower-left corner of the window. + 1. Select **VPN** from the **Interface** drop-down menu. + 1. Select **IKEv2** from the **VPN Type** drop-down menu. + 1. Enter anything you like for the **Service Name**. + 1. Click **Create**. + 1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**. + 1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**. + 1. Leave the **Local ID** field blank. + 1. Click the **Authentication Settings...** button. + 1. Select **None** from the **Authentication Settings** drop-down menu. + 1. Select the **Certificate** radio button, then select the **vpnclient** certificate. + 1. Click **OK**. + 1. Check the **Show VPN status in menu bar** checkbox. + 1. Click **Apply** to save the VPN connection information. + 1. Click **Connect**. + #### Android 4.x and newer - 1. Install strongSwan VPN Client from **Google Play**. + 1. Securely transfer `vpnclient.p12` to your device. Then install strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 
@@ -220,7 +242,7 @@ Before continuing, make sure you have successfully IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. -1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password. ## References From cf7737238d1265d8b4d914c72396bd3281bc7491 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 00:05:21 -0500 Subject: [PATCH 17/44] Improve IPTables on boot - Improve loading of IPTables rules on boot for systems with "netplan" such as Ubuntu 18.04, by creating a systemd service. This is needed because ifupdown scripts do not run under netplan --- vpnsetup.sh | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 1b25244..485c599 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -434,10 +434,34 @@ iptables-restore < /etc/iptables.rules exit 0 EOF +if [ -f /usr/sbin/netplan ]; then + mkdir -p /etc/systemd/system +cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' +[Unit] +Description = Load /etc/iptables.rules +DefaultDependencies=no + +Before=network-pre.target +Wants=network-pre.target + +Wants=systemd-modules-load.service local-fs.target +After=systemd-modules-load.service local-fs.target + +[Service] +Type=oneshot +ExecStart=/etc/network/if-pre-up.d/iptablesload + +[Install] +WantedBy=multi-user.target +EOF + systemctl enable load-iptables-rules 2>/dev/null +fi + for svc in fail2ban ipsec xl2tpd; do update-rc.d "$svc" enable >/dev/null 2>&1 systemctl enable "$svc" 2>/dev/null done + if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" 
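Review bot: `systemctl enable load-iptables-rules 2>/dev/null` in the new netplan branch discards its exit status, so if enabling the unit fails the script carries on and the firewall rules saved in /etc/iptables.rules (MASQUERADE for the VPN subnets included) are simply not restored at the next boot, with nothing reported; `systemctl enable load-iptables-rules 2>/dev/null || echo "Warning: could not enable load-iptables-rules" >&2` would at least surface it. Both the unit's `ExecStart=` and the `iptables-restore < /etc/iptables.rules` line in the hook hardcode a path that the script elsewhere keeps in `IPT_FILE`; a comment above the unit heredoc such as `# keep in sync with IPT_FILE and the if-pre-up.d hook above` would stop a later rename from silently breaking the boot-time loader. The same unchecked `systemctl enable` reappears in the later "Improve IPTables on boot" commit of this series. The `if ! grep -qs "hwdsl2 VPN script" /etc/rc.local` block at the end of the hunk continues beyond it.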
@@ -451,7 +475,6 @@ cat >> /etc/rc.local <<'EOF' (sleep 15 service ipsec restart service xl2tpd restart -[ -f "/usr/sbin/netplan" ] && { iptables-restore < /etc/iptables.rules; service fail2ban restart; } echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF From 804211c1014fa04678820c09311ba2be2e6865c1 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 00:20:54 -0500 Subject: [PATCH 18/44] Cleanup --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 1 + 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dd79ba3..2f87c9b 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -25,7 +25,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ echo "$PUBLIC_IP" + $ printf '%s' "$PUBLIC_IP" (检查显示的公共 IP) ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 787ce74..8550699 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -25,7 +25,7 @@ Before continuing, make sure you have successfully /dev/null systemctl enable iptables fail2ban 2>/dev/null fi + if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" From 0442d25217b74dcb9e7804ee2d2f4b668b2cd8b0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 20:25:34 -0500 Subject: [PATCH 19/44] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 8 +++++--- docs/ikev2-howto.md | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2f87c9b..0260b19 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -25,7 +25,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ printf '%s' "$PUBLIC_IP" + $ printf '%s\n' "$PUBLIC_IP" (检查显示的公共 IP) ``` 
@@ -98,7 +98,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步使用了服务器的域名而不是 IP 地址,则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ @@ -118,6 +118,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 N ``` + **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 + ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ @@ -192,7 +194,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 按照你的操作系统对应的步骤操作。请注意,如果你在上面的第一步指定了服务器的域名,则需要在 **服务器地址** 和 **远程 ID** 字段中输入该域名而不是 IP 地址。 +1. 按照下面你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 #### Windows 7, 8.x 和 10 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 8550699..7fa6da1 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -25,7 +25,7 @@ Before continuing, make sure you have successfully /etc/systemd/system/load-iptables-rules.service <<'EOF' [Unit] From 69d1bfe06fb862c3da59bac4dbc7e70c6b5e6d21 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 24 Oct 2018 00:56:37 -0500 Subject: [PATCH 21/44] Improve IPTables on boot - Improve checking for iptables-persistent, and do not add ifupdown script /etc/network/if-pre-up.d/iptablesload if it is in use --- vpnsetup.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 9549754..1e0b446 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -387,6 +387,7 @@ bigecho "Updating IPTables rules..." # Check if rules need updating ipt_flag=0 IPT_FILE="/etc/iptables.rules" +IPT_FILE2="/etc/iptables/rules.v4" if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then @@ -418,7 +419,6 @@ if [ "$ipt_flag" = "1" ]; then echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" - IPT_FILE2="/etc/iptables/rules.v4" if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" /bin/cp -f "$IPT_FILE" "$IPT_FILE2" @@ -427,16 +427,25 @@ fi bigecho "Enabling services on boot..." -mkdir -p /etc/network/if-pre-up.d +# Check for iptables-persistent +IPT_PST="/etc/init.d/iptables-persistent" +IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" +ipt_load=1 +if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then + ipt_load=0 +fi + +if [ "$ipt_load" = "1" ]; then + mkdir -p /etc/network/if-pre-up.d cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' #!/bin/sh iptables-restore < /etc/iptables.rules exit 0 EOF + chmod +x /etc/network/if-pre-up.d/iptablesload -IPT_PST="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" -if [ -f /usr/sbin/netplan ] && [ ! -f "$IPT_PST" ]; then - mkdir -p /etc/systemd/system + if [ -f /usr/sbin/netplan ]; then + mkdir -p /etc/systemd/system cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' [Unit] Description = Load /etc/iptables.rules @@ -455,7 +464,8 @@ ExecStart=/etc/network/if-pre-up.d/iptablesload [Install] WantedBy=multi-user.target EOF - systemctl enable load-iptables-rules 2>/dev/null + systemctl enable load-iptables-rules 2>/dev/null + fi fi for svc in fail2ban ipsec xl2tpd; do 
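Review bot: The `ipt_load` decision in the third hunk is based only on file presence (`$IPT_FILE2` together with `$IPT_PST` or `$IPT_PST2`), not on whether iptables-persistent is actually enabled; on a host where the package files exist but its service is disabled, `ipt_load` becomes 0, neither the if-pre-up.d hook nor the systemd unit is installed, and the rules written to `$IPT_FILE` are not restored after a reboot, with no message to the operator. A guard such as `systemctl is-enabled netfilter-persistent >/dev/null 2>&1 || ipt_load=1` (the exact unit name should be confirmed for the supported distributions) or at minimum a warning when `ipt_load=0` would close that fail-open gap. Re-running the script after iptables-persistent has been installed also leaves a previously created `/etc/network/if-pre-up.d/iptablesload` and `load-iptables-rules.service` in place, so two loaders coexist; either removing the old loader in the `ipt_load=0` case or a comment stating that this is intentional would help. `systemctl enable load-iptables-rules 2>/dev/null` still discards its status, as in the earlier netplan commit.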
@@ -487,7 +497,7 @@ bigecho "Starting services..." sysctl -e -q -p # Update file attributes -chmod +x /etc/rc.local /etc/network/if-pre-up.d/iptablesload +chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules From f05bf90dbc0cc43ddc5721cfe1164a48f92adc6b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 25 Oct 2018 01:04:16 -0500 Subject: [PATCH 22/44] Update IKEv2 docs - Enable MOBIKE option for Libreswan 3.23 and newer - Add AES-GCM cipher for improved performance --- docs/ikev2-howto-zh.md | 3 ++- docs/ikev2-howto.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 0260b19..dde93b2 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -57,7 +57,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 rekey=no fragmentation=yes ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null EOF ``` @@ -73,6 +73,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf < Date: Thu, 25 Oct 2018 01:25:35 -0500 Subject: [PATCH 23/44] Improve VPN ciphers - Add AES-GCM cipher for Chromebook compatibility and performance --- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 93bb86e..55a94f5 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -216,10 +216,10 @@ fi # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" if uname -m | grep -qi '^arm'; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null" fi sed -i".old-$(date +%F-%T)" \ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 2a73a44..230b4f0 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -218,7 +218,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 1e0b446..885f588 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,7 +259,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 938cc89..783e137 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -246,7 +246,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk 
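Review bot: Appending `aes_gcm-null` to `phase2alg` in all four files improves ESP throughput but does not raise the security floor of a connection: every `ike=` line left as context in these hunks still leads with `3des-sha1` and offers `;modp1024`, and it is the weakest proposal a peer chooses, not the strongest listed, that bounds the IKE SA and the keys derived from it. A comment on the `ike=` line recording which client platforms still require 3DES/SHA-1/MODP1024 (presumably the built-in Windows and iOS IPsec clients — confirm) would document why they are kept and when they can be dropped. The same cipher string is now maintained by hand in vpnupgrade.sh, vpnupgrade_centos.sh, vpnsetup.sh and vpnsetup_centos.sh, and the ARM variant in vpnupgrade.sh already diverges from the non-ARM one, so a single shared definition would reduce drift between the files.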
From 2f9f5c39debe34633639808dc8a1496955809eb5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 26 Oct 2018 15:16:39 -0500 Subject: [PATCH 24/44] Update IKEv2 docs - Add known issue about multiple IKEv2 clients from behind the same NAT - Ref: #469 --- docs/ikev2-howto-zh.md | 5 +++-- docs/ikev2-howto.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dde93b2..06c0b83 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -8,7 +8,7 @@ --- -Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 +Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: @@ -189,7 +189,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 -1. **重启 IPsec 服务**: +1. **(重要)重启 IPsec 服务**: ```bash $ service ipsec restart @@ -266,6 +266,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d42b476..0699e81 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -8,7 +8,7 @@ --- -Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. +Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: @@ -189,7 +189,7 @@ Before continuing, make sure you have successfully this page. -1. **Restart IPsec service**: +1. **(Important) Restart IPsec service**: ```bash $ service ipsec restart @@ -266,6 +266,7 @@ Before continuing, make sure you have successfully IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. ## References From 732ad1e94149e9d49a3c8d05775cfc8309c8fb25 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sat, 27 Oct 2018 00:49:41 -0500 Subject: [PATCH 25/44] Improve VPN ciphers - Optimize VPN ciphers and their order for improved security and compatibility with different OS. Remove 3DES algorithm - Change 'sha2-truncbug' from 'yes' to 'no' - Update docs --- docs/clients-zh.md | 7 +++---- docs/clients.md | 7 +++---- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 16 ++++++++-------- extras/vpnupgrade_centos.sh | 14 +++++++------- vpnsetup.sh | 8 ++++---- vpnsetup_centos.sh | 6 +++--- 8 files changed, 32 insertions(+), 34 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1c25a60..b851be4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -221,7 +221,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见)。如果仍然无法连接,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (参见) ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/docs/clients.md b/docs/clients.md index d62f84d..64484d2 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -221,7 +221,7 @@ To fix this error, please follow these steps: ### Windows 10 version 1803 -If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. +If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. @@ -231,11 +231,10 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y ### Android 6 and above -If you are unable to connect using Android 6 or above, try these steps in order: +If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). If still unable to connect, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (Ref). ![Android VPN workaround](images/vpn-profile-Android.png) 
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 06c0b83..4e667fd 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -56,8 +56,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 0699e81..816d241 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -56,8 +56,8 @@ Before continuing, make sure you have successfully /dev/null | grep -qF "$SWAN_VER"; then fi # Update ipsec.conf -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" +IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" if uname -m | grep -qi '^arm'; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null" + PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 230b4f0..ea85036 100644 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -120,20 +120,19 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" - 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", - re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19 + 3. Optimize VPN ciphers for "ike=" and "phase2alg=" + 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi @@ -217,12 +216,13 @@ restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" +IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/vpnsetup.sh b/vpnsetup.sh index 885f588..eea63b8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
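Review bot: The first hunk deletes the user-facing explanation that MODP1024 was re-added to `ike=` for compatibility after Libreswan 3.19 dropped it from the defaults, yet the new `IKE_NEW` in the second hunk still offers `aes256-sha2;modp1024,aes128-sha1;modp1024` and SHA-1 variants; the rationale for keeping those weaker proposals now exists nowhere in the file. A comment above `IKE_NEW` such as `# modp1024/sha1 proposals kept for older built-in OS clients; the weakest proposal offered bounds the IKE SA strength` would preserve it. `$IKE_NEW` and `$PHASE2_NEW` are expanded unescaped into the sed replacement; the current values contain only `,`, `;`, `-` and `_`, which are harmless there, but a `/` or `&` added later would break the substitution, so a short `# must not contain / or &` note on those assignments is worth adding.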
@@ -258,9 +258,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 - sha2-truncbug=yes + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=no conn l2tp-psk auto=add @@ -288,7 +288,7 @@ conn xauth-psk EOF if uname -m | grep -qi '^arm'; then - sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf + sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf fi # Specify IPsec PSK diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 783e137..964b17d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -245,9 +245,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 - sha2-truncbug=yes + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=no conn l2tp-psk auto=add From e8723245f02af0149c01932a854c0f0177f23394 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 27 Oct 2018 15:22:53 -0500 Subject: [PATCH 26/44] Improve VPN config - Increase auto-generated IPsec PSK length to 20 characters - Add a note to README --- README-zh.md | 2 ++ README.md | 2 ++ vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 716472f..272ad47 100644 --- a/README-zh.md +++ b/README-zh.md 
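Review bot: `sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf` in the second hunk is tied by exact substring to the `phase2alg=` line in the heredoc of the first hunk; if one is edited without the other, sed matches nothing, still exits 0, and the ARM build silently keeps the algorithms it was meant to drop (this series edits that pair again in the later "Improve VPN ciphers" commit, where the same coupling appears). Replacing the whole line instead, as the upgrade scripts already do, removes the dependency on the heredoc's wording: `sed -i 's/^[[:space:]]\+phase2alg=.\+$/  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1/' /etc/ipsec.conf`. A comment on the ARM branch stating why `sha2_512` variants are excluded there would also help a future maintainer.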
@@ -102,6 +102,8 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**注:** 不要在值中使用这些字符: `\ " '`。一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 + **选项 3:** 将你自己的 VPN 登录凭证定义为环境变量: ```bash diff --git a/README.md b/README.md index 57fcb61..9f187ab 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,8 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**Note:** DO NOT use these special characters within values: `\ " '`. A secure IPsec PSK should consist of at least 20 random characters. + **Option 3:** Define your VPN credentials as environment variables: ```bash diff --git a/vpnsetup.sh b/vpnsetup.sh index eea63b8..20a2753 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -103,7 +103,7 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 964b17d..2ad6fa0 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -92,7 +92,7 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" fi From 5f75a7306a38a2e07f817f4dc473643ca0dcbf38 Mon Sep 17 00:00:00 2001 
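Review bot: The generated `VPN_IPSEC_PSK` grows to 20 characters while `VPN_PASSWORD` on the next line stays at 16 from the same alphabet, and nothing on the line explains either number; a comment such as `# 57-symbol alphabet without 0/O/1/I/l (transcription-safe); 20 chars ≈ 117 bits, 16 chars ≈ 93 bits` would document the intended strength and make the asymmetry a deliberate choice rather than an oversight. The new README text states that a secure PSK has at least 20 random characters, but this hunk only affects the auto-generated branch; whether a user-supplied `VPN_IPSEC_PSK` is length-checked cannot be seen here, so if it is not, a warning for short values would be consistent with the documentation.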
From: hwdsl2 Date: Sun, 28 Oct 2018 00:33:42 -0500 Subject: [PATCH 27/44] Improve VPN ciphers - Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with Android versions 6.x and 7.x. - Remove aes128-sha2_512 algorithm - Ref: 732ad1e --- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/vpnupgrade.sh | 8 +++----- extras/vpnupgrade_centos.sh | 8 +++----- vpnsetup.sh | 6 +++--- vpnsetup_centos.sh | 4 ++-- 6 files changed, 13 insertions(+), 17 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b851be4..7727937 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -234,7 +234,7 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是 如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (参见) +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (参见) ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/docs/clients.md b/docs/clients.md index 64484d2..845fd8e 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -234,7 +234,7 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (Ref). +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8fd6e16..683fa8d 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -130,18 +130,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" 3. Optimize VPN ciphers for "ike=" and "phase2alg=" - 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi 
@@ -215,7 +214,7 @@ fi # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" if uname -m | grep -qi '^arm'; then PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" @@ -224,7 +223,6 @@ fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ - -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index ea85036..b0cffdb 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -121,18 +121,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" 3. Optimize VPN ciphers for "ike=" and "phase2alg=" - 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi 
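Review bot: Removing the `sha2-truncbug=yes → no` rewrite from the sed in the second hunk (and its CentOS twin) adds no reverse rule, so hosts that ran the previous day's upgrade script keep `sha2-truncbug=no` while fresh installs now get `yes`; those hosts retain the setting this commit says breaks Android 6.x/7.x. A blanket reverse rule would be wrong too, because the docs changed in this same commit tell Android users to set `no` by hand, so the honest fix is documentation: a comment above the sed such as `# sha2-truncbug is intentionally not rewritten: users may have set it per docs/clients.md` prevents a later "fix" in either direction. The same note applies to the vpnupgrade_centos.sh hunk that follows on the next line.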
@@ -217,12 +216,11 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ - -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/vpnsetup.sh b/vpnsetup.sh index 20a2753..586e115 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,8 +259,8 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - sha2-truncbug=no + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=yes conn l2tp-psk auto=add @@ -288,7 +288,7 @@ conn xauth-psk EOF if uname -m | grep -qi '^arm'; then - sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi # Specify IPsec PSK diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2ad6fa0..c9bd855 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -246,8 +246,8 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - sha2-truncbug=no + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=yes conn l2tp-psk auto=add From ccc93a8c96e8e2a8188b7bf4f20223b026893aa9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 29 Oct 2018 01:27:04 -0500 Subject: [PATCH 28/44] Update docs --- docs/clients-xauth-zh.md | 4 ++++ docs/clients-xauth.md | 4 ++++ docs/clients-zh.md | 26 ++++++++++++++------------ docs/clients.md | 24 +++++++++++++----------- 4 files changed, 35 insertions(+), 23 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d24f301..3a224be 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -59,6 +59,8 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl 要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Android 1. 启动 **设置** 应用程序。 @@ -97,6 +99,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## 致谢 本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a44d205..e394046 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -59,6 +59,8 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Android 1. Launch the **Settings** application. 
@@ -97,6 +99,8 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Credits This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 7727937..f86ac8d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) - * [Windows 10 版本 1803](#windows-10-版本-1803) + * [Windows 10 升级](#windows-10-升级) * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) @@ -32,13 +32,13 @@ ### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 -1. 选择 **打开网络与共享中心**。 +1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 1. 单击 **设置新的连接或网络**。 1. 选择 **连接到工作区**,然后单击 **下一步**。 1. 单击 **使用我的Internet连接 (VPN)**。 1. 在 **Internet地址** 字段中输入`你的 VPN 服务器 IP`。 1. 在 **目标名称** 字段中输入任意内容。单击 **创建**。 -1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 返回 **网络和共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 @@ -53,7 +53,7 @@ 1. 单击开始菜单,选择控制面板。 1. 进入 **网络和Internet** 部分。 -1. 单击 **网络与共享中心**。 +1. 单击 **网络和共享中心**。 1. 单击 **设置新的连接或网络**。 1. 选择 **连接到工作区**,然后单击 **下一步**。 1. 单击 **使用我的Internet连接 (VPN)**。 @@ -65,7 +65,7 @@ 1. 在 **密码** 字段中输入`你的 VPN 密码`。 1. 选中 **记住此密码** 复选框。 1. 单击 **创建**,然后单击 **关闭** 按钮。 -1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 返回 **网络和共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 
@@ -104,6 +104,8 @@ 要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Android **注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 @@ -145,6 +147,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Chromebook 1. 如果你尚未登录 Chromebook,请先登录。 @@ -208,7 +212,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 settin * [Troubleshooting](#troubleshooting) * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) - * [Windows 10 version 1803](#windows-10-version-1803) + * [Windows 10 upgrades](#windows-10-upgrades) * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) @@ -32,7 +32,7 @@ After settin ### Windows 10 and 8.x 1. Right-click on the wireless/network icon in your system tray. -1. Select **Open Network and Sharing Center**. +1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. 1. Click **Set up a new connection or network**. 1. Select **Connect to a workplace** and click **Next**. 1. Click **Use my Internet connection (VPN)**. 
@@ -41,7 +41,7 @@ After settin 1. Return to **Network and Sharing Center**. On the left, click **Change adapter settings**. 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. @@ -69,7 +69,7 @@ After settin 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Options** tab and uncheck **Include Windows logon domain**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. 
@@ -104,6 +104,8 @@ If you get an error when trying to connect, see Troub To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Android **Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). @@ -145,6 +147,8 @@ If you get an error when trying to connect, see Troub Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Chromebook 1. If you haven't already, sign in to your Chromebook. @@ -211,7 +215,7 @@ To fix this error, please follow these steps: 1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. 1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. 
@@ -219,11 +223,9 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) -### Windows 10 version 1803 +### Windows 10 upgrades -If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. - -Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. +After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. ### macOS VPN traffic @@ -341,8 +343,8 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret - ike=aes128-sha1-modp1024,3des-sha1-modp1024! - esp=aes128-sha1-modp1024,3des-sha1-modp1024! + ike=aes256-sha1-modp2048,aes128-sha1-modp2048! + esp=aes256-sha1-modp2048,aes128-sha1-modp2048! conn myvpn keyexchange=ikev1 From e797493a17746fbd6d4138fcf02ec8fbbf99e9e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 30 Oct 2018 00:00:08 -0500 Subject: [PATCH 29/44] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 5 +++-- docs/ikev2-howto.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 4e667fd..1774392 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -235,7 +235,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Android 4.x 和更新版本 - 1. 将文件 `vpnclient.p12` 安全地传送到你的设备,然后从 **Google Play** 安装 strongSwan VPN 客户端。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 + 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 
@@ -245,7 +246,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 816d241..68c1926 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -235,7 +235,8 @@ Before continuing, make sure you have successfully strongSwan VPN Client from **Google Play**. + 1. Securely transfer `vpnclient.p12` to your Android device. + 1. Install strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. @@ -245,7 +246,7 @@ Before continuing, make sure you have successfully Date: Fri, 2 Nov 2018 01:54:49 -0500 Subject: [PATCH 31/44] Improve VPN ciphers - Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to improve compatibility with some Linux kernels - Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 352d92d..cdf92b9 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -57,7 +57,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 rekey=no fragmentation=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index fa3244a..2e5261e 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -57,7 +57,7 @@ Before continuing, make sure you have successfully /dev/null # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 586e115..2069e58 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,7 +259,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c9bd855..1646aa4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
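Review bot: The new `phase2alg=aes_gcm-null,...` line presumably relies on Libreswan expanding the key-length-less `aes_gcm` into the GCM sizes it supports, and the reason for dropping the explicit `aes_gcm256`/`aes_gcm128` entries (kernel compatibility, per the commit message) is not recorded in the script, so a later maintainer may well reintroduce them; add a comment on the preceding heredoc line, `# aes_gcm without key size: avoids netlink 'Invalid argument' on some kernels (see Libreswan FAQ)`. The same applies to the vpnsetup_centos.sh hunk on the next line and to the `PHASE2_NEW` assignment in the upgrade-script hunk earlier on this line, whose header is lost in this view. The `conn shared` heredoc begins and ends outside this hunk.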
@@ -246,7 +246,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 sha2-truncbug=yes conn l2tp-psk From 23458655ac5addbb68c1872df82a537404105e70 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 4 Nov 2018 00:59:01 -0500 Subject: [PATCH 32/44] Update IKEv2 docs - Add "pfs=no" to fix IKEv2 disconnect issues (at 8 mins) on iOS/macOS - Replace "fragmentation" with "ike-frag" for compatibility - Fixes #474 - Ref: https://github.com/libreswan/libreswan/issues/222 - Ref: http://www.openradar.appspot.com/29821241 --- docs/ikev2-howto-zh.md | 3 ++- docs/ikev2-howto.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index cdf92b9..04cc4d8 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -55,7 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 auto=add ikev2=insist rekey=no - fragmentation=yes + pfs=no + ike-frag=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 2e5261e..2194fc5 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,7 +55,8 @@ Before continuing, make sure you have successfully Date: Mon, 5 Nov 2018 07:47:09 -0600 Subject: [PATCH 34/44] Update docs --- docs/clients-zh.md | 5 +++++ docs/clients.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index f86ac8d..3934baf 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -19,6 +19,7 @@ * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Windows 10 升级](#windows-10-升级) + * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) @@ -227,6 +228,10 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后重启计算机。 + ### macOS VPN 流量 OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 diff --git a/docs/clients.md b/docs/clients.md index 59044a9..1b5a039 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -19,6 +19,7 @@ After settin * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) * [Windows 10 upgrades](#windows-10-upgrades) + * [Windows 8/10 DNS leaks](#windows-810-dns-leaks) * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) 
@@ -227,6 +228,10 @@ To fix this error, please follow these steps: After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. +### Windows 8/10 DNS leaks + +Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter is from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). Reboot your PC when finished. + ### macOS VPN traffic OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. From 593bb3eea08981bdbfdfe1005804fadbe364b5f5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 7 Nov 2018 00:40:24 -0600 Subject: [PATCH 35/44] Update docs --- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3934baf..3fc649d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -230,7 +230,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后重启计算机。 +Windows 8.x 和 10 默认使用 "smart multi-homed name resolution" (智能多宿主名称解析)。如果你的因特网适配器的 DNS 服务器在本地网段上,在使用 Windows 自带的 IPsec VPN 客户端时可能会导致 "DNS 泄漏"。要解决这个问题,你可以 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后清除 DNS 缓存并且重启计算机。 ### macOS VPN 流量 diff --git a/docs/clients.md b/docs/clients.md index 1b5a039..12c2ed8 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -230,7 +230,7 @@ After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re- ### Windows 8/10 DNS leaks -Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter is from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). Reboot your PC when finished. +Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC. ### macOS VPN traffic From 442458193a4cc2a6e3c4d4315a803f234656b084 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 9 Nov 2018 00:00:58 -0600 Subject: [PATCH 36/44] Update docs - Add Windows PowerShell commands for creating a VPN connection - Closes #478. Thanks @nzbart! --- docs/clients-zh.md | 9 +++++++++ docs/clients.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3fc649d..3a6317f 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -48,6 +48,15 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 +另外,除了按照以上步骤操作,你也可以运行下面的 Windows PowerShell 命令来创建 VPN 连接。将 `你的 VPN 服务器 IP` 和 `你的 VPN IPsec PSK` 换成你自己的值,用单引号括起来: + +```console +# 不保存命令行历史记录 +Set-PSReadlineOption –HistorySaveStyle SaveNothing +# 创建 VPN 连接 +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk '你的 VPN IPsec PSK' -Force -RememberCredential -PassThru +``` + **注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。 ### Windows 7, Vista and XP diff --git a/docs/clients.md b/docs/clients.md index 12c2ed8..4adf0e7 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -48,6 +48,15 @@ After settin 1. Click **OK** to close the **Advanced settings**. 1. Click **OK** to save the VPN connection details. +Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes: + +```console +# Disable persistent command history +Set-PSReadlineOption –HistorySaveStyle SaveNothing +# Create VPN connection +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk 'Your VPN IPsec PSK' -Force -RememberCredential -PassThru +``` + **Note:** A one-time registry change is required before connecting. See details below. ### Windows 7, Vista and XP From 7c6563d581404e264c011c87da1707353dc47708 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 9 Nov 2018 18:47:34 -0600 Subject: [PATCH 37/44] Update docs - Add info about IPv6 traffic - Closes #480. Thanks @sunfeilong! --- docs/clients-zh.md | 2 ++ docs/clients.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3a6317f..1e26b28 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -241,6 +241,8 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后清除 DNS 缓存并且重启计算机。 +另外,如果你的计算机启用了 IPv6,所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6,请看这里。 + ### macOS VPN 流量 OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 diff --git a/docs/clients.md b/docs/clients.md index 4adf0e7..fc5b73c 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -241,6 +241,8 @@ After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re- Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC. +In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to disable IPv6 in Windows. + ### macOS VPN traffic OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. From 0adf0bebcd32a86cd6b32ef1d2eeef2aaff79fc4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 13 Nov 2018 23:04:47 -0600 Subject: [PATCH 38/44] Update docs --- README-zh.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 272ad47..f6ebcb4 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -1,6 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) +[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 @@ -8,7 +8,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 我们将使用 Libreswan 作为 IPsec 服务器,以及 xl2tpd 作为 L2TP 提供者。 -**» 相关教程: IPsec VPN Server Auto Setup with Libreswan** +**» 另见: Docker 上的 IPsec VPN 服务器** *其他语言版本: [English](README.md), [简体中文](README-zh.md).* @@ -75,7 +75,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** -高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 +高级用户可以在一个 $35 的 Raspberry Pi 3 上搭建 VPN 服务器。详见以下教程: [1] [2]。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index 9f187ab..209f2ce 100644 
--- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. @@ -8,7 +8,7 @@ An IPsec VPN encrypts your network traffic, so that nobody between you and the V We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider. -**» Related tutorial: IPsec VPN Server Auto Setup with Libreswan** +**» See also: IPsec VPN Server on Docker** *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* 
@@ -75,7 +75,7 @@ This also includes Linux VMs in public clouds, such as **» I want to run my own VPN but don't have a server for that** -Advanced users can set up the VPN server on a $35 Raspberry Pi 3. +Advanced users can set up the VPN server on a $35 Raspberry Pi 3. Learn more in these articles: [1] [2]. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! From ed997dd190bab997eaaf8a21bd3953ac90117a50 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 16 Nov 2018 13:05:29 -0600 Subject: [PATCH 39/44] Update docs --- README-zh.md | 5 +++-- README.md | 5 +++-- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index f6ebcb4..d5d2555 100644 --- a/README-zh.md +++ b/README-zh.md @@ -57,11 +57,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): +一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +- Red Hat Enterprise Linux (RHEL) 7 or 6 请参见 详细步骤 以及 EC2 定价细节。 @@ -153,7 +154,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 -如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 209f2ce..0de60e6 100644 --- a/README.md +++ b/README.md 
@@ -57,11 +57,12 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements -A newly created Amazon EC2 instance, from these images (AMIs): +A newly created Amazon EC2 instance, from one of these images: - Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +- Red Hat Enterprise Linux (RHEL) 7 or 6 Please see detailed instructions and EC2 pricing. @@ -153,7 +154,7 @@ Clients are set to use Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 -使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/README.md b/README.md index 0de60e6..00dd414 100644 --- a/README.md +++ b/README.md 
@@ -152,7 +152,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. -Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1e26b28..2db647c 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -190,6 +190,16 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 @@ -148,7 +149,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含一个辅助脚本,以方便更新 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index 00dd414..5fb9f3b 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,8 @@ sudo sh vpnsetup.sh wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ -VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh +VPN_PASSWORD='your_vpn_password' \ +sh vpnsetup.sh ``` **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. @@ -148,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. A helper script is included for convenience. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 138b025..2096e4a 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,13 +4,15 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。 +**注:** 现在提供一个辅助脚本,以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。 + 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 ```bash %any %any : PSK "你的IPsec预共享密钥" ``` -对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: +对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: ```bash "你的VPN用户名1" l2tpd "你的VPN密码1" * 
@@ -20,7 +22,7 @@ 你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '` -对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: +对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: ```bash 你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk @@ -41,3 +43,35 @@ openssl passwd -1 '你的VPN密码1' service ipsec restart service xl2tpd restart ``` + +## 辅助脚本 + +你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本: + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +要更新 VPN 用户,从以下选项中选择一个: + +**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户,则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。 + +**选项 1:** 编辑脚本并输入 VPN 用户信息: + +```bash +nano -w update_vpn_users.sh +[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**选项 2:** 将 VPN 用户信息定义为环境变量: + +```bash +# VPN用户名和密码列表,用空格分隔 +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' +sudo \ +VPN_USERS='用户名1 用户名2 ...' \ +VPN_PASSWORDS='密码1 密码2 ...' \ +sh update_vpn_users.sh +``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 07d27ed..56289d2 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -4,6 +4,8 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. +**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script). + First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. ```bash 
@@ -41,3 +43,35 @@ Finally, restart services if you changed to a new PSK. For add, edit or remove V service ipsec restart service xl2tpd restart ``` + +## Helper script + +You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script: + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +To update VPN users, choose one of the following options: + +**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above). + +**Option 1:** Edit the script and enter VPN user details: + +```bash +nano -w update_vpn_users.sh +[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**Option 2:** Define VPN user details as environment variables: + +```bash +# List of VPN usernames and passwords, separated by spaces +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' +sudo \ +VPN_USERS='username1 username2 ...' \ +VPN_PASSWORDS='password1 password2 ...' \ +sh update_vpn_users.sh +``` diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh new file mode 100644 index 0000000..cde41f8 --- /dev/null +++ b/extras/update_vpn_users.sh 
@@ -0,0 +1,174 @@
+#!/bin/sh
+#
+# Script to update VPN users for both IPsec/L2TP and Cisco IPsec
+#
+# Copyright (C) 2018 Lin Song
+#
+# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
+# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
+#
+# Attribution required: please include my name in any derivative and let me
+# know how you have improved it!
+
+# =====================================================
+
+# Define your own values for these variables
+# - List of VPN usernames and passwords, separated by spaces
+# - All values MUST be placed inside 'single quotes'
+# - DO NOT use these special characters within values: \ " '
+
+YOUR_USERNAMES=''
+YOUR_PASSWORDS=''
+
+# Example:
+# YOUR_USERNAMES='username1 username2'
+# YOUR_PASSWORDS='password1 password2'
+
+# =====================================================
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+SYS_DT="$(date +%F-%T)"
+
+exiterr() { echo "Error: $1" >&2; exit 1; }
+conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
+onespace() { printf '%s' "$1" | tr -s ' '; }
+noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; }
+noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
+
+update_vpn_users() {
+
+if [ "$(id -u)" != 0 ]; then
+ exiterr "Script must be run as root. Try 'sudo sh $0'"
+fi
+
+if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
+cat 1>&2 <<'EOF'
+Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist!
+ Your must first set up the VPN server before updating VPN users.
+ See: https://github.com/hwdsl2/setup-ipsec-vpn
+EOF
+ exit 1
+fi
+
+if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
+cat 1>&2 <<'EOF'
+Error: This script can only be used with VPN servers created using:
+ https://github.com/hwdsl2/setup-ipsec-vpn
+EOF
+ exit 1
+fi
+
+[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
+[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
+
+if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
+ exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
+fi
+
+VPN_USERS="$(noquotes "$VPN_USERS")"
+VPN_USERS="$(onespace "$VPN_USERS")"
+VPN_USERS="$(noquotes2 "$VPN_USERS")"
+VPN_PASSWORDS="$(noquotes "$VPN_PASSWORDS")"
+VPN_PASSWORDS="$(onespace "$VPN_PASSWORDS")"
+VPN_PASSWORDS="$(noquotes2 "$VPN_PASSWORDS")"
+
+if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
+ exiterr "VPN credentials must not contain non-ASCII characters."
+fi
+
+case "$VPN_USERS $VPN_PASSWORDS" in
+ *[\\\"\']*)
+ exiterr "VPN credentials must not contain these special characters: \\ \" '"
+ ;;
+esac
+
+clear
+
+cat <<'EOF'
+
+Welcome! This script will update VPN user accounts
+for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec).
+
+WARNING: ALL existing VPN users will be removed
+ and replaced with the users listed below.
+ Please double check before continuing!
+ +================================================== + +Updated list of VPN users (username | password): + +EOF + +count=1 +vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) +vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1) +while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do +cat <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < Date: Thu, 22 Nov 2018 16:49:56 -0600 Subject: [PATCH 42/44] Add more helper scripts - Create additional helper scripts for managing VPN users - Update docs - Closes: #355 --- README-zh.md | 2 +- README.md | 2 +- docs/manage-users-zh.md | 92 +++++++++++++++---------- docs/manage-users.md | 92 +++++++++++++++---------- extras/add_vpn_user.sh | 136 ++++++++++++++++++++++++++++++++++++ extras/del_vpn_user.sh | 138 +++++++++++++++++++++++++++++++++++++ extras/update_vpn_users.sh | 2 + 7 files changed, 392 insertions(+), 72 deletions(-) create mode 100644 extras/add_vpn_user.sh create mode 100644 extras/del_vpn_user.sh diff --git a/README-zh.md b/README-zh.md index 65b974b..1034672 100644 --- a/README-zh.md +++ b/README-zh.md @@ -149,7 +149,7 @@ sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含一个辅助脚本,以方便更新 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index 5fb9f3b..ef7713a 100644 --- a/README.md +++ b/README.md 
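Review bot: The per-user loop at the end of the legible part of update_vpn_users.sh (`while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do`) ends at the shorter of the two lists, so a username without a matching password, or the reverse, is silently dropped instead of rejected; the rest of the hunk, including the heredocs that rewrite /etc/ppp/chap-secrets and /etc/ipsec.d/passwd, is not legible in this rendering, so I cannot tell whether a count check follows. Because the script replaces every existing user, a truncated list locks accounts out, so I would compare the word counts before `clear`: `[ "$(printf '%s' "$VPN_USERS" | wc -w)" = "$(printf '%s' "$VPN_PASSWORDS" | wc -w)" ] || exiterr "The number of VPN usernames and passwords must match."`. Separately, the documented Option 2 invocation `sudo VPN_USERS='...' VPN_PASSWORDS='...' sh update_vpn_users.sh` hands the assignments to sudo as arguments, so the plaintext passwords are visible in the process list for the duration of the run and land in the caller's shell history; the docs could point users at Option 1 when other local accounts exist on the server.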
@@ -149,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. A helper script is included for convenience. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 2096e4a..e329970 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -4,9 +4,63 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。 -**注:** 现在提供一个辅助脚本,以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。 +## 使用辅助脚本 -首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 +你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth (Cisco IPsec) 模式的用户。如果你需要更新 IPsec PSK,请阅读下一节。 + +### 添加或者更新一个 VPN 用户 + +添加一个新 VPN 用户,或者为一个已有的 VPN 用户更新密码。 + +```bash +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' +``` + +### 删除一个 VPN 用户 + +删除指定的 VPN 用户。 + +```bash +wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' +``` + +### 更新所有的 VPN 用户 + +移除所有的 VPN 用户并替换为你指定的列表中的用户。 + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +要使用这个脚本,从以下选项中选择一个: + +**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的列表中的用户。如果你需要保留已有的 VPN 用户,则必须将它们包含在下面的变量中。 + +**选项 1:** 编辑脚本并输入 VPN 用户信息: + +```bash +nano -w update_vpn_users.sh +[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**选项 2:** 将 VPN 用户信息定义为环境变量: + +```bash +# VPN用户名和密码列表,用空格分隔 +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' +sudo \ +VPN_USERS='用户名1 用户名2 ...' \ +VPN_PASSWORDS='密码1 密码2 ...' \ +sh update_vpn_users.sh +``` + +## 手动管理 VPN 用户和 PSK + +首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。完成后必须重启服务(见下面)。所有的 VPN 用户将共享同一个 IPsec PSK。 ```bash %any %any : PSK "你的IPsec预共享密钥" 
@@ -37,41 +91,9 @@ openssl passwd -1 '你的VPN密码1' ``` -最后,如果你更换了新的 PSK,则需要重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 +最后,如果你更换了新的 PSK,则必须重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 ```bash service ipsec restart service xl2tpd restart ``` - -## 辅助脚本 - -你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本: - -```bash -wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh -``` - -要更新 VPN 用户,从以下选项中选择一个: - -**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户,则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。 - -**选项 1:** 编辑脚本并输入 VPN 用户信息: - -```bash -nano -w update_vpn_users.sh -[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] -sudo sh update_vpn_users.sh -``` - -**选项 2:** 将 VPN 用户信息定义为环境变量: - -```bash -# VPN用户名和密码列表,用空格分隔 -# 所有变量值必须用 '单引号' 括起来 -# *不要* 在值中使用这些字符: \ " ' -sudo \ -VPN_USERS='用户名1 用户名2 ...' \ -VPN_PASSWORDS='密码1 密码2 ...' \ -sh update_vpn_users.sh -``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 56289d2..005d02a 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,9 +4,63 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script). +## Using helper scripts -First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. +You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec) modes. For updating the IPsec PSK, read the next section. + +### Add or update a VPN user + +Add a new VPN user or update an existing user with a new password. + +```bash +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' +``` + +### Delete a VPN user + +Delete the specified VPN user. + +```bash +wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' +``` + +### Update all VPN users + +Remove all existing VPN users and replace with the list of users you specify. + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +To use this script, choose one of the following options: + +**Important:** This script will remove **ALL** existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. 
+ +**Option 1:** Edit the script and enter VPN user details: + +```bash +nano -w update_vpn_users.sh +[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**Option 2:** Define VPN user details as environment variables: + +```bash +# List of VPN usernames and passwords, separated by spaces +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' +sudo \ +VPN_USERS='username1 username2 ...' \ +VPN_PASSWORDS='password1 password2 ...' \ +sh update_vpn_users.sh +``` + +## Manually manage VPN users and PSK + +First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. You must restart services when finished (see below). All VPN users will share the same IPsec PSK. ```bash %any %any : PSK "your_ipsec_pre_shared_key" 
@@ -37,41 +91,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t openssl passwd -1 'your_vpn_password_1' ``` -Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required. +Finally, you must restart services if changing to a new PSK. For adding, editing or removing VPN users, this is normally not required. ```bash service ipsec restart service xl2tpd restart ``` - -## Helper script - -You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script: - -```bash -wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh -``` - -To update VPN users, choose one of the following options: - -**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above). - -**Option 1:** Edit the script and enter VPN user details: - -```bash -nano -w update_vpn_users.sh -[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] -sudo sh update_vpn_users.sh -``` - -**Option 2:** Define VPN user details as environment variables: - -```bash -# List of VPN usernames and passwords, separated by spaces -# All values MUST be placed inside 'single quotes' -# DO NOT use these special characters within values: \ " ' -sudo \ -VPN_USERS='username1 username2 ...' \ -VPN_PASSWORDS='password1 password2 ...' \ -sh update_vpn_users.sh -``` diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh new file mode 100644 index 0000000..ca40a5d --- /dev/null +++ b/extras/add_vpn_user.sh 
@@ -0,0 +1,136 @@ +#!/bin/sh +# +# Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec +# +# Copyright (C) 2018 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +add_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before adding VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 +VPN_PASSWORD=$2 + +if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then +cat 1>&2 <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +del_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! 
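Review bot: add_vpn_user.sh reads the password from a positional argument (`VPN_PASSWORD=$2`), and the documented invocation `sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'` also places it in sudo's argv, so the plaintext password is visible to every local user via the process list while the script runs and is recorded in the caller's shell history. When `$2` is empty the script could prompt instead, e.g. `printf 'Password: '; stty -echo; read -r VPN_PASSWORD; stty echo; echo`, and the docs could state that passing it on the command line is meant for non-interactive use only. The validation that follows and the heredocs that write /etc/ppp/chap-secrets and /etc/ipsec.d/passwd are not legible in this rendering, so I cannot confirm which checks the argument receives before it is written. Two wording fixes in the new text: the header comment `# Script to add/update an VPN user` should read `a VPN user`, and the error heredoc shared by all three scripts says `Your must first set up the VPN server`, which should be `You must first`.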
-f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before deleting VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 + +if [ -z "$VPN_USER" ]; then +cat 1>&2 <&2 <<'EOF' +Error: The specified VPN user does not exist in /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ + || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then +cat 1>&2 <<'EOF' +Error: Cannot delete the only VPN user from /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +clear + +cat < Date: Fri, 23 Nov 2018 00:21:47 -0600 Subject: [PATCH 43/44] Update docs - Update docs for managing VPN users --- docs/manage-users-zh.md | 13 +++++++++++++ docs/manage-users.md | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index e329970..ec32cb9 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -13,7 +13,13 @@ 添加一个新 VPN 用户,或者为一个已有的 VPN 用户更新密码。 ```bash +# 下载脚本 wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +``` + +```bash +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` 
@@ -22,7 +28,13 @@ sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' 删除指定的 VPN 用户。 ```bash +# 下载脚本 wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +``` + +```bash +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' sudo sh del_vpn_user.sh 'username_to_delete' ``` @@ -31,6 +43,7 @@ sudo sh del_vpn_user.sh 'username_to_delete' 移除所有的 VPN 用户并替换为你指定的列表中的用户。 ```bash +# 下载脚本 wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 005d02a..409ded3 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -13,7 +13,13 @@ You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](htt Add a new VPN user or update an existing user with a new password. ```bash +# Download the script wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +``` + +```bash +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` @@ -22,7 +28,13 @@ sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' Delete the specified VPN user. ```bash +# Download the script wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +``` + +```bash +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' sudo sh del_vpn_user.sh 'username_to_delete' ``` @@ -31,6 +43,7 @@ sudo sh del_vpn_user.sh 'username_to_delete' Remove all existing VPN users and replace with the list of users you specify. ```bash +# Download the script wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` From 582f98d18c72f49c8b262acd271ed0383bcab3f4 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Fri, 23 Nov 2018 11:52:38 -0600 Subject: [PATCH 44/44] Update docs --- docs/ikev2-howto-zh.md | 36 ++++++++++++++++++++---------------- docs/ikev2-howto.md | 36 ++++++++++++++++++++---------------- docs/manage-users-zh.md | 29 ++++++++++++++++------------- docs/manage-users.md | 23 +++++++++++++---------- 4 files changed, 69 insertions(+), 55 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 5eaaddc..3273e8a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -24,17 +24,19 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash - $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ printf '%s\n' "$PUBLIC_IP" - (检查显示的公共 IP) + PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) + printf '%s\n' "$PUBLIC_IP" ``` + 检查并确保以上命令的输出与服务器的公共 IP 一致。该变量将在以下步骤中使用。 + **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash - $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <