mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-04-04 21:53:37 +03:00
Code Issues Projects Releases Wiki Activity

Merge branch 'hwdsl2:master' into master

Browse source
This commit is contained in:
Leo Liu 2022-03-01 13:59:48 +09:00 committed by GitHub
commit 75fe5b512c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
28 changed files with 492 additions and 366 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/test_set_1.yml vendored
View file

@ -228,7 +228,6 @@ jobs:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
@ -241,7 +240,6 @@ jobs:
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig

2
.github/workflows/test_set_2.yml vendored
View file

@ -247,7 +247,6 @@ jobs:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
@ -260,7 +259,6 @@ jobs:
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig

57
README-zh.md
View file

@ -83,7 +83,7 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
这也包括各种公共云服务中的 Linux 虚拟机,比如 [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) 和 [OVH](https://www.ovhcloud.com/en/vps/)。[Amazon EC2](https://aws.amazon.com/ec2/) 用户可以使用 [CloudFormation](aws/README-zh.md) 或者 [用户数据](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup) 快速部署。
[![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README-zh.md)  [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README-zh.md)  [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239)
[![Deploy to DigitalOcean](docs/images/do-install-button.png)](http://dovpn.carlfriess.com) [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) [![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README-zh.md) [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README-zh.md)
[**» 我想建立并使用自己的 VPN ,但是没有可用的服务器**](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps)
@ -102,32 +102,16 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
要安装 VPN请从以下选项中选择一个
<details open>
<summary>
选项 1: 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。
</summary>
**选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。
```bash
wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
```
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证。
```bash
# 使用默认选项配置 IKEv2
sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
<details>
<summary>
选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。
</summary>
```bash
wget https://git.io/vpnsetup -nv -O vpn.sh
wget https://git.io/vpnstart -nv -O vpn.sh
nano -w vpn.sh
[替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD]
sudo sh vpn.sh
@ -135,41 +119,18 @@ sudo sh vpn.sh
**注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
```bash
# 使用默认选项配置 IKEv2
sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
<details>
<summary>
选项 3: 将你自己的 VPN 登录凭证定义为环境变量。
</summary>
**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量。
```bash
# 所有变量值必须用 '单引号' 括起来
# *不要* 在值中使用这些字符: \ " '
wget https://git.io/vpnsetup -nv -O vpn.sh
wget https://git.io/vpnstart -nv -O vpn.sh
sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \
VPN_USER='你的VPN用户名' \
VPN_PASSWORD='你的VPN密码' \
sh vpn.sh
```
在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md)
```bash
# 使用默认选项配置 IKEv2
sudo ikev2.sh --auto
# 或者你也可以自定义 IKEv2 选项
sudo ikev2.sh
```
</details>
<details>
<summary>
如果无法通过 wget 下载,点这里查看解决方案。
@ -178,11 +139,11 @@ sudo ikev2.sh
你也可以使用 `curl` 下载。例如:
```bash
curl -fsSL https://git.io/vpnsetup -o vpn.sh
curl -fsSL https://git.io/vpnstart -o vpn.sh
sudo sh vpn.sh
```
或者,打开 [vpnsetup.sh](vpnsetup.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
或者,打开 [quickstart.sh](extras/quickstart.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
</details>
## 下一步

57
README.md
View file

@ -83,7 +83,7 @@ A dedicated server or virtual private server (VPS), freshly installed with one o
This also includes Linux VMs in public clouds, such as [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) and [OVH](https://www.ovhcloud.com/en/vps/). [Amazon EC2](https://aws.amazon.com/ec2/) users can deploy rapidly using [CloudFormation](aws/README.md) or [user data](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup).
[![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README.md) &nbsp;[![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README.md) &nbsp;[![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239)
[![Deploy to DigitalOcean](docs/images/do-install-button.png)](http://dovpn.carlfriess.com) [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) [![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README.md) [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README.md)
[**&raquo; I want to run my own VPN but don't have a server for that**](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps)
@ -102,32 +102,16 @@ First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade
To install the VPN, please choose one of the following options:
<details open>
<summary>
Option 1: Have the script generate random VPN credentials for you (will be displayed when finished).
</summary>
**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished).
```bash
wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh
wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh
```
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
**Option 2:** Edit the script and provide your own VPN credentials.
```bash
# Set up IKEv2 using default options
sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
<details>
<summary>
Option 2: Edit the script and provide your own VPN credentials.
</summary>
```bash
wget https://git.io/vpnsetup -nv -O vpn.sh
wget https://git.io/vpnstart -nv -O vpn.sh
nano -w vpn.sh
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpn.sh
@ -135,41 +119,18 @@ sudo sh vpn.sh
**Note:** A secure IPsec PSK should consist of at least 20 random characters.
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
```bash
# Set up IKEv2 using default options
sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
<details>
<summary>
Option 3: Define your VPN credentials as environment variables.
</summary>
**Option 3:** Define your VPN credentials as environment variables.
```bash
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
wget https://git.io/vpnsetup -nv -O vpn.sh
wget https://git.io/vpnstart -nv -O vpn.sh
sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
sh vpn.sh
```
After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md):
```bash
# Set up IKEv2 using default options
sudo ikev2.sh --auto
# Alternatively, you may customize IKEv2 options
sudo ikev2.sh
```
</details>
<details>
<summary>
Click here if you are unable to download using wget.
@ -178,11 +139,11 @@ Click here if you are unable to download using wget.
You may also use `curl` to download. For example:
```bash
curl -fsSL https://git.io/vpnsetup -o vpn.sh
curl -fsSL https://git.io/vpnstart -o vpn.sh
sudo sh vpn.sh
```
Alternatively, open [vpnsetup.sh](vpnsetup.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
Alternatively, open [quickstart.sh](extras/quickstart.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
</details>
## Next steps

8
aws/README-zh.md
View file

@ -8,7 +8,7 @@
- Amazon EC2 实例类型
> **注:** 在某些 AWS 区域中,此模版提供的某些实例类型可能不可用。比如 `m5a.large` 可能无法在 `ap-east-1` 区域部署(仅为假设)。在此情况下,你会在部署过程中遇到此错误:`The requested configuration is currently not supported. Please check the documentation for supported configurations`。新开放的 AWS 区域更容易出现此问题,因为它们提供的实例类型较少。如需了解更多关于实例可用性的信息,请参见 [https://instances.vantage.sh/](https://instances.vantage.sh/)。
- VPN 服务器的操作系统Ubuntu 20.04/18.04, Debian 9, CentOS 8/7, Amazon Linux 2
- VPN 服务器的操作系统Ubuntu 20.04/18.04, Debian 9, CentOS 7, Amazon Linux 2
> **注:** 在 EC2 上使用 Debian 9 映像之前,你需要先在 AWS Marketplace 上订阅:[Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3)。
- 你的 VPN 用户名
- 你的 VPN 密码
@ -36,7 +36,9 @@
要指定一个 AWS 区域,你可以使用导航栏上你的帐户信息右侧的选择器。当你在最后一步中点击 "create stack" 之后,请等待堆栈创建和 VPN 安装完成,可能需要最多 15 分钟。一旦堆栈的部署状态变成 **"CREATE_COMPLETE"** ,你就可以连接到 VPN 服务器了。单击 **Outputs** 选项卡以查看你的 VPN 登录信息,然后继续下一步:[配置 VPN 客户端](../README-zh.md#下一步)。
> **注**:如果你删除使用此模板部署的 CloudFormation 堆栈,在部署期间添加的密钥对将不会自动被清理。要管理你的密钥对,请转到 EC2 控制台 -> 密钥对。
> **注:** IKEv2 模式的客户端配置文件可以在你的 VPN 服务器的 `/root` 目录中找到。要使用 SSH 连接到服务器,请参见下面的 "常见问题" 小节。
> **注:** 如果你删除使用此模板部署的 CloudFormation 堆栈,在部署期间添加的密钥对将不会自动被清理。要管理你的密钥对,请转到 EC2 控制台 -> 密钥对。
## 常见问题
@ -56,7 +58,7 @@ EC2 上的每个 Linux 服务器发行版本都有它自己的默认登录用户
| --- | --- |
| Ubuntu (`Ubuntu *.04`) | `ubuntu` |
| Debian (`Debian 9`) | `admin` |
| CentOS (`CenOS 7/8`) | `centos` |
| CentOS (`CenOS 7`) | `centos` |
| Amazon Linux 2 | `ec2-user` |
此模板在部署期间为你生成一个密钥对,并且在成功创建堆栈后,其中的私钥将在 **Outputs** 选项卡下以文本形式提供。

10
aws/README.md
View file

@ -7,8 +7,8 @@ This template will create a fully-working IPsec VPN server on Amazon Elastic Com
Available customization parameters:
- Amazon EC2 instance type
> **Note**: It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. For more info about instance type availability, refer to [https://instances.vantage.sh/](https://instances.vantage.sh/).
- OS for your VPN server (Ubuntu 20.04/18.04, Debian 9, CentOS 8/7, Amazon Linux 2)
> **Note:** It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. For more info about instance type availability, refer to [https://instances.vantage.sh/](https://instances.vantage.sh/).
- OS for your VPN server (Ubuntu 20.04/18.04, Debian 9, CentOS 7, Amazon Linux 2)
> **Note:** Before using the Debian 9 image on EC2, you need to first subscribe at the AWS Marketplace: [Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3).
- Your VPN username
- Your VPN password
@ -36,7 +36,9 @@ Click the icon below to start:
You may choose an AWS region using the selector to the right of your account information on the navigation bar. After you click "create stack" in the final step, please wait for the stack creation and VPN setup to complete, which may take up to 15 minutes. As soon as the stack's status changes to **"CREATE_COMPLETE"**, you are ready to connect to the VPN server. Click the **Outputs** tab to view your VPN login details. Then continue to [Next steps: Configure VPN Clients](../README.md#next-steps).
> **Note**: If you delete a CloudFormation stack deployed using this template, the key pair that was added during deployment won't be automatically cleaned up. To manage your key pairs, go to EC2 console -> Key Pairs.
> **Note:** Client configuration files for IKEv2 mode can be found in the `/root` folder of your VPN server. To connect to the VPN server using SSH, refer to the FAQs section below.
> **Note:** If you delete a CloudFormation stack deployed using this template, the key pair that was added during deployment won't be automatically cleaned up. To manage your key pairs, go to EC2 console -> Key Pairs.
## FAQs
@ -56,7 +58,7 @@ List of default usernames:
| --- | --- |
| Ubuntu (`Ubuntu *.04`) | `ubuntu` |
| Debian (`Debian 9`) | `admin` |
| CentOS (`CenOS 7/8`) | `centos` |
| CentOS (`CenOS 7`) | `centos` |
| Amazon Linux 2 | `ec2-user` |
This template generates a key pair for you during deployment, and the private key will be available as text under the **Outputs** tab after the stack is successfully created.

7
aws/cloudformation-template-ipsec.json
View file

@ -14,9 +14,6 @@
"CentOS7": {
"HelperInstallationCommands": "yum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
},
"CentOS8": {
"HelperInstallationCommands": "yum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
},
"AmazonLinux2": {
"HelperInstallationCommands": "export PATH=\"$PATH:/opt/aws/bin\"\n"
}
@ -387,7 +384,7 @@
"Ref": "VpnPassword"
},
"'\n",
"wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnsetup\n",
"wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnstart\n",
"sh vpn.sh\n",
"cfn-signal -e 0 ",
" --stack ",
@ -651,7 +648,6 @@
" 'Ubuntu2004': 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*',",
" 'Debian9': 'debian-stretch-hvm-x86_64-gp2-*',",
" 'CentOS7': 'CentOS 7.9.2009 x86_64',",
" 'CentOS8': 'CentOS 8.3.2011 x86_64',",
" 'AmazonLinux2': 'amzn2-ami-hvm-*.*-x86_64-gp2',",
" }[distribution]",
" response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[AMIName]}], Owners=['099720109477', '379101102735', '125523088429', 'amazon'])",
@ -805,7 +801,6 @@
"Ubuntu1804",
"Debian9",
"CentOS7",
"CentOS8",
"AmazonLinux2"
]
},

2
azure/README-zh.md
View file

@ -20,6 +20,8 @@
在完成部署之后Azure 会有提示。下一步:[配置 VPN 客户端](../README-zh.md#下一步)。
**注:** IKEv2 模式的客户端配置文件可以在你的 VPN 服务器的 `/root` 目录中找到。在使用 SSH 连接到服务器时,请使用你在部署模板中指定的用户名和密码。
## 作者
版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu)

2
azure/README.md
View file

@ -20,6 +20,8 @@ Press this button to start:
When the deployment finishes, Azure displays a notification. Next steps: [Configure VPN Clients](../README.md#next-steps).
**Note:** Client configuration files for IKEv2 mode can be found in the `/root` folder of your VPN server. When connecting to the server using SSH, use the username and password you specified in the deployment template.
## Authors
Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu)

5
azure/install.sh
View file

@ -4,7 +4,4 @@ export VPN_IPSEC_PSK=$1
export VPN_USER=$2
export VPN_PASSWORD=$3
# Wait 60 seconds for apt/dpkg lock
sleep 60
wget https://git.io/vpnsetup -O vpn.sh && sh vpn.sh
wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnstart && sh vpn.sh

10
docs/clients-xauth-zh.md
View file

@ -18,7 +18,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP
## Windows
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。无需安装额外的软件。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。无需安装额外的软件。
1. 下载并安装免费的 [Shrew Soft VPN 客户端](https://www.shrew.net/download/vpn)。在安装时请选择 **Standard Edition**
**注:** 该 VPN 客户端 **不支持** Windows 10/11。
@ -42,7 +42,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
## OS X
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。
1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。
@ -66,7 +66,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
## Android
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
1. 启动 **设置** 应用程序。
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**
@ -90,7 +90,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](
## iOS
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
@ -110,6 +110,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](
## Linux
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
### Fedora 和 CentOS
Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用 `yum` 安装 `NetworkManager-libreswan-gnome` 软件包,然后通过 GUI 配置 IPsec/XAuth VPN 客户端。

10
docs/clients-xauth.md
View file

@ -18,7 +18,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster t
## Windows
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. No additional software is required.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. No additional software is required.
1. Download and install the free [Shrew Soft VPN client](https://www.shrew.net/download/vpn). When prompted during install, select **Standard Edition**.
**Note:** This VPN client does NOT support Windows 10/11.
@ -42,7 +42,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro
## OS X
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode.
1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window.
@ -66,7 +66,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro
## Android
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
1. Launch the **Settings** application.
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
@ -90,7 +90,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro
## iOS
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode.
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
@ -110,6 +110,8 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro
## Linux
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
### Fedora and CentOS
Fedora 28 (and newer) and CentOS 8/7 users can install the `NetworkManager-libreswan-gnome` package using `yum`, then configure the IPsec/XAuth VPN client using the GUI.

16
docs/clients-zh.md
View file

@ -18,7 +18,7 @@
## Windows
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
### Windows 11
@ -109,7 +109,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
## OS X
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。
@ -135,7 +135,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
## Android
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
1. 启动 **设置** 应用程序。
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**
@ -160,7 +160,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](
## iOS
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
@ -199,11 +199,11 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可
## Linux
**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
### Ubuntu Linux
Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 用户可能需要添加 `nm-l2tp` PPA参见 [这里](https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721)。
Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。
1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。
1. 选择 **Layer 2 Tunneling Protocol (L2TP)**
@ -223,9 +223,9 @@ Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2t
1. 单击 **OK**,然后单击 **Add** 保存 VPN 连接信息。
1. 启用 **VPN** 连接。
VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请尝试 [这个解决方案](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/2926ea0239fe970ff08cb8a7863f8cb519ece032/README.md#unable-to-establish-l2tp-connection-without-udp-source-port-1701)
如果在连接过程中遇到错误,请尝试 [这个解决方案](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/README.md#issue-with-not-stopping-system-xl2tpd-service)
VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
### Fedora 和 CentOS

16
docs/clients.md
View file

@ -18,7 +18,7 @@ After [setting up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn
## Windows
**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
### Windows 11
@ -109,7 +109,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
## OS X
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window.
@ -134,7 +134,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
## Android
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
1. Launch the **Settings** application.
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
@ -159,7 +159,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
## iOS
**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
@ -198,11 +198,11 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
## Linux
**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
### Ubuntu Linux
Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) package using `apt`, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the `nm-l2tp` PPA, read more [here](https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721).
Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) package using `apt`, then configure the IPsec/L2TP VPN client using the GUI.
1. Go to Settings -> Network -> VPN. Click the **+** button.
1. Select **Layer 2 Tunneling Protocol (L2TP)**.
@ -222,9 +222,9 @@ Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](http
1. Click **OK**, then click **Add** to save the VPN connection information.
1. Turn the **VPN** switch ON.
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, try [this fix](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/2926ea0239fe970ff08cb8a7863f8cb519ece032/README.md#unable-to-establish-l2tp-connection-without-udp-source-port-1701).
If you get an error when trying to connect, try [this fix](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/README.md#issue-with-not-stopping-system-xl2tpd-service).
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
### Fedora and CentOS

212
docs/ikev2-howto-zh.md
View file

@ -8,10 +8,10 @@
* [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2)
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
* [管理客户端证书](#管理客户端证书)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
* [故障排除](#故障排除)
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
* [手动配置 IKEv2](#手动配置-ikev2)
* [移除 IKEv2](#移除-ikev2)
* [参考链接](#参考链接)
@ -31,7 +31,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
## 使用辅助脚本配置 IKEv2
**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md),并且(可选但推荐)[升级 Libreswan](../README-zh.md#升级libreswan)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。
**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。
使用这个 [辅助脚本](../extras/ikev2setup.sh) 来自动地在 VPN 服务器上配置 IKEv2
@ -42,6 +42,8 @@ sudo ikev2.sh --auto
sudo ikev2.sh
```
**注:** 如果 IKEv2 已经配置完成,但是你想要自定义 IKEv2 选项,首先 [移除 IKEv2](#移除-ikev2),然后运行 `sudo ikev2.sh` 重新配置。
在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
<details>
@ -81,7 +83,7 @@ sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
```
默认情况下,导入 IKEv2 客户端配置文件时不需要密码。你可以选择使用随机密码保护客户端配置文件。这是可选的。示例如下:
默认情况下,导入 IKEv2 客户端配置时不需要密码。你可以选择使用随机密码保护客户端配置文件。这是可选的。示例如下:
```bash
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
</details>
<details>
<summary>
了解如何更改 IKEv2 服务器地址。
</summary>
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要了解更多信息,参见 [这一小节](#更改-ikev2-服务器地址)。
</details>
<details>
<summary>
查看 IKEv2 脚本的使用信息。
</summary>
@ -112,7 +121,7 @@ To customize IKEv2 or client options, run this script without arguments.
*其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端)。*
**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。
**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用 `-h` 显示使用信息。IKEv2 客户端配置文件可以在导入后安全删除。
* [Windows 7, 8, 10 和 11](#windows-7-8-10-和-11)
* [OS X (macOS)](#os-x-macos)
@ -129,13 +138,17 @@ To customize IKEv2 or client options, run this script without arguments.
1. 右键单击保存的脚本,选择 **属性**。单击对话框下方的 **解除锁定**,然后单击 **确定**
1. 右键单击保存的脚本,选择 **以管理员身份运行** 并按提示操作。
或者,你也可以手动导入 IKEv2 配置。这些步骤适用于 **Windows 7, 8, 10 和 11**
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)
1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。要导入 `.p12` 文件,打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令:
或者,**Windows 7, 8, 10 和 11** 用户可以手动导入 IKEv2 配置:
1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到证书存储。
要导入 `.p12` 文件,打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令:
```console
# 导入 .p12 文件(换成你自己的值)
certutil -f -importpfx ".p12文件的位置和名称" NoExport
certutil -f -importpfx "\path\to\your\file.p12" NoExport
```
**注:** 如果客户端配置文件没有密码,请按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。
@ -153,9 +166,13 @@ To customize IKEv2 or client options, run this script without arguments.
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
**Windows 7** 不支持这些命令,你可以 [手动创建 VPN 连接](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config)。你输入的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
**Windows 7** 不支持这些命令,你可以 [手动创建 VPN 连接](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config)。
1. **此步骤为必须,如果你手动创建了 VPN 连接。** 为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048)。
**注:** 你输入的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**。例如,如果你在配置 IKEv2 时指定了服务器的域名,则必须在 **Internet地址** 字段中输入该域名。
1. **此步骤为必须,如果你手动创建了 VPN 连接。**
为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048)。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
@ -221,12 +238,11 @@ To customize IKEv2 or client options, run this script without arguments.
1. 使用 [文件共享](https://support.apple.com/zh-cn/HT210598) 功能上传到设备,然后打开 iOS 设备上的 "文件" App将上传的文件移动到 "On My iPhone" 目录下。然后单击它并到 "设置" App 中导入,或者
1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。
在完成之后,检查并确保 "IKEv2 VPN" 显示在设置 -> 通用 -> 描述文件中。
在完成之后,检查并确保 "IKEv2 VPN" 显示在设置 -> 通用 -> VPN 与设备管理(或者描述文件中。
要连接到 VPN
1. 进入设置 -> 通用 -> VPN。
1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。
1. 进入设置 -> VPN。选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。
1. 启用 **VPN** 连接。
(可选功能)你可以选择启用 [VPN On Demand按需连接](https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules) ,该功能在使用 Wi-Fi 网络时自动建立 VPN 连接。要启用它,单击 VPN 连接右边的 "i" 图标,然后启用 **按需连接**
@ -242,9 +258,9 @@ To customize IKEv2 or client options, run this script without arguments.
1. 使用 [文件共享](https://support.apple.com/zh-cn/HT210598) 功能上传到设备,然后打开 iOS 设备上的 "文件" App将上传的文件移动到 "On My iPhone" 目录下。然后逐个单击它们并到 "设置" App 中导入,或者
1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。
在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。
在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> VPN 与设备管理(或者描述文件中。
1. 进入设置 -> 通用 -> VPN。
1. 进入设置 -> 通用 -> VPN 与设备管理 -> VPN。
1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **IKEv2** 并返回。
1. 在 **描述** 字段中输入任意内容。
@ -414,7 +430,7 @@ sudo ikev2.sh --listclients
sudo ikev2.sh --addclient [client name]
```
另外,你也可以手动添加客户端证书。参见 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。
另外,你也可以手动添加客户端证书。参见 [这一小节](#手动配置-ikev2) 的第 4 步。
### 导出已有的客户端的配置
@ -562,9 +578,99 @@ sudo ikev2.sh --revokeclient [client name]
```
</details>
## 手动在 VPN 服务器上配置 IKEv2
## 故障排除
除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动配置 IKEv2。在继续之前推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。
*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。*
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站)
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
* [参数错误 policy match error](#参数错误-policy-match-error)
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
* [其它已知问题](#其它已知问题)
### 连接 IKEv2 后不能打开网站
如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案:
1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com)[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500
```bash
# 将 ens4 替换为你的服务器上的网络接口名称
sudo ifconfig ens4 mtu 1500
```
此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。
1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。
1. 在某些情况下Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。
### IKE 身份验证凭证不可接受
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
### 参数错误 policy match error
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 在一小时后断开连接
如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
```
ikelifetime=24h
salifetime=24h
```
保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。
### 无法同时连接多个 IKEv2 客户端
如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
如果你无法连接同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
## 更改 IKEv2 服务器地址
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。请注意,你在 VPN 客户端指定的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**,否则客户端可能无法连接。
要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。
```bash
# 下载脚本
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# 运行脚本并按照提示操作
sudo bash ikev2changeaddr.sh
```
**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址以及 Remote ID如果适用。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。
## 更新 IKEv2 辅助脚本
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## 手动配置 IKEv2
除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动在 VPN 服务器上配置 IKEv2。在继续之前推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。
下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
@ -773,76 +879,6 @@ sudo ikev2.sh --revokeclient [client name]
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
</details>
## 故障排除
*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。*
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
* [参数错误 policy match error](#参数错误-policy-match-error)
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
* [其它已知问题](#其它已知问题)
### IKE 身份验证凭证不可接受
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
### 参数错误 policy match error
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 在一小时后断开连接
如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
```
ikelifetime=24h
salifetime=24h
```
保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。
### 无法同时连接多个 IKEv2 客户端
如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
如果你无法连接同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
## 更新 IKEv2 辅助脚本
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## 更改 IKEv2 服务器地址
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。
```bash
# 下载脚本
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# 运行脚本并按照提示操作
sudo bash ikev2changeaddr.sh
```
**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。
## 移除 IKEv2
如果你想要从 VPN 服务器移除 IKEv2但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本配置-ikev2) 并选择 "Remove IKEv2" 选项。**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**

210
docs/ikev2-howto.md
View file

@ -8,10 +8,10 @@
* [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script)
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
* [Manage client certificates](#manage-client-certificates)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
* [Troubleshooting](#troubleshooting)
* [Update IKEv2 helper script](#update-ikev2-helper-script)
* [Change IKEv2 server address](#change-ikev2-server-address)
* [Update IKEv2 helper script](#update-ikev2-helper-script)
* [Manually set up IKEv2](#manually-set-up-ikev2)
* [Remove IKEv2](#remove-ikev2)
* [References](#references)
@ -31,7 +31,7 @@ After following this guide, you will be able to connect to the VPN using IKEv2 i
## Set up IKEv2 using helper script
**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn), and (optional but recommended) [updated Libreswan](../README.md#upgrade-libreswan). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**.
**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**.
Use this [helper script](../extras/ikev2setup.sh) to automatically set up IKEv2 on the VPN server:
@ -42,6 +42,8 @@ sudo ikev2.sh --auto
sudo ikev2.sh
```
**Note:** If IKEv2 is already set up, but you want to customize IKEv2 options, first [remove IKEv2](#remove-ikev2), then set it up again using `sudo ikev2.sh`.
When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
<details>
@ -81,7 +83,7 @@ By default, IKEv2 clients are set to use [Google Public DNS](https://developers.
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
```
By default, no password is required when importing IKEv2 client config files. You may optionally choose to protect client config files using a random password. Example:
By default, no password is required when importing IKEv2 client configuration. You may optionally choose to protect client config files using a random password. Example:
```bash
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
</details>
<details>
<summary>
Learn how to change the IKEv2 server address.
</summary>
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Learn more in [this section](#change-ikev2-server-address).
</details>
<details>
<summary>
View usage information for the IKEv2 script.
</summary>
@ -112,7 +121,7 @@ To customize IKEv2 or client options, run this script without arguments.
*Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).*
**Note:** If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information.
**Note:** To add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use `-h` to show usage information. IKEv2 client config files can be safely deleted after import.
* [Windows 7, 8, 10 and 11](#windows-7-8-10-and-11)
* [OS X (macOS)](#os-x-macos)
@ -129,9 +138,13 @@ To customize IKEv2 or client options, run this script without arguments.
1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**.
1. Right-click on the saved script, select **Run as administrator** and follow the prompts.
Alternatively, you may manually import IKEv2 configuration. These steps apply to **Windows 7, 8, 10 and 11**.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. To import the `.p12` file, run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/):
Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 configuration:
1. Securely transfer the generated `.p12` file to your computer, then import it into the certificate store.
To import the `.p12` file, run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/):
```console
# Import .p12 file (replace with your own value)
@ -153,9 +166,13 @@ Alternatively, you may manually import IKEv2 configuration. These steps apply to
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
**Windows 7** does not support these commands, you can [manually create the VPN connection](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config). The server address you specify must **exactly match** the server address in the output of the IKEv2 helper script. For example, if you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
**Windows 7** does not support these commands, you can [manually create the VPN connection](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config).
1. **This step is required if you manually created the VPN connection.** Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more [here](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048).
**Note:** The server address you specify must **exactly match** the server address in the output of the IKEv2 helper script. For example, if you specified the server's DNS name during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
1. **This step is required if you manually created the VPN connection.**
Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more [here](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048).
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
@ -221,12 +238,11 @@ First, securely transfer the generated `.mobileconfig` file to your iOS device,
1. Upload to your device using [File Sharing](https://support.apple.com/en-us/HT210598), then open the "Files" app on your iOS device, move the uploaded file to the "On My iPhone" folder. After that, tap the file and go to the "Settings" app to import, or
1. Host the file on a secure website of yours, then download and import it in Mobile Safari.
When finished, check to make sure "IKEv2 VPN" is listed under Settings -> General -> Profile(s).
When finished, check to make sure "IKEv2 VPN" is listed under Settings -> General -> VPN & Device Management or Profile(s).
To connect to the VPN:
1. Go to Settings -> General -> VPN.
1. Select the VPN connection with `Your VPN Server IP` (or DNS name).
1. Go to Settings -> VPN. Select the VPN connection with `Your VPN Server IP` (or DNS name).
1. Slide the **VPN** switch ON.
(Optional feature) You can choose to enable [VPN On Demand](https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules). This is an "always-on" feature that can automatically connect to the VPN while on Wi-Fi. To enable, tap the "i" icon on the right of the VPN connection, and enable **Connect On Demand**.
@ -242,9 +258,9 @@ First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your
1. Upload to your device using [File Sharing](https://support.apple.com/en-us/HT210598), then open the "Files" app on your iOS device, move the uploaded files to the "On My iPhone" folder. After that, tap each file and go to the "Settings" app to import, or
1. Host the files on a secure website of yours, then download and import them in Mobile Safari.
When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles.
When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> VPN & Device Management or Profile(s).
1. Go to Settings -> General -> VPN.
1. Go to Settings -> General -> VPN & Device Management -> VPN.
1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **IKEv2** and go back.
1. Tap **Description** and enter anything you like.
@ -416,7 +432,7 @@ To generate certificates for additional IKEv2 clients, just run the [helper scri
sudo ikev2.sh --addclient [client name]
```
Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server).
Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2).
### Export configuration for an existing client
@ -564,9 +580,99 @@ Alternatively, you may manually revoke a client certificate. This can be done us
```
</details>
## Manually set up IKEv2 on the VPN server
## Troubleshooting
As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version.
*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).*
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2)
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
* [Policy match error](#policy-match-error)
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [Other known issues](#other-known-issues)
### Cannot open websites after connecting to IKEv2
If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes:
1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server:
```bash
# Replace ens4 with the network interface name on your server
sudo ifconfig ens4 mtu 1500
```
This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web.
1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues).
1. Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4.
### IKE authentication credentials are unacceptable
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
### Policy match error
To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 disconnects after one hour
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
```
ikelifetime=24h
salifetime=24h
```
Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix.
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each.
If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
## Change IKEv2 server address
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Note that the server address you specify on VPN client devices must **exactly match** the server address in the output of the IKEv2 helper script. Otherwise, devices may be unable to connect.
To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
```bash
# Download the script
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# Run the script and follow the prompts
sudo bash ikev2changeaddr.sh
```
**Important:** After running this script, you must manually update the server address (and remote ID, if applicable) on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script).
## Update IKEv2 helper script
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## Manually set up IKEv2
As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2 on the VPN server. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version.
The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
@ -775,76 +881,6 @@ View example steps for manually configuring IKEv2 with Libreswan.
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
</details>
## Troubleshooting
*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).*
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
* [Policy match error](#policy-match-error)
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [Other known issues](#other-known-issues)
### IKE authentication credentials are unacceptable
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
### Policy match error
To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 disconnects after one hour
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
```
ikelifetime=24h
salifetime=24h
```
Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix.
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each.
If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
## Update IKEv2 helper script
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## Change IKEv2 server address
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
```bash
# Download the script
wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr
# Run the script and follow the prompts
sudo bash ikev2changeaddr.sh
```
**Important:** After running this script, you must manually update the server address on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script).
## Remove IKEv2
If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#set-up-ikev2-using-helper-script) again and select the "Remove IKEv2" option. **Warning:** All IKEv2 configuration including certificates and keys will be **permanently deleted**. This **cannot be undone**!

4
extras/ikev2changeaddr.sh
View file

@ -14,6 +14,7 @@
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
bigecho() { echo "## $1"; }
@ -266,7 +267,8 @@ update_ikev2_conf() {
echo >> /etc/ipsec.conf
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
fi
sed -i -e "/^[[:space:]]\+leftcert=/d" \
sed -i".old-$SYS_DT" \
-e "/^[[:space:]]\+leftcert=/d" \
-e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf
if [ "$use_dns_name" = "1" ]; then
sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf

5
extras/ikev2onlymode.sh
View file

@ -11,6 +11,7 @@
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
bigecho() { echo "## $1"; }
@ -114,11 +115,11 @@ toggle_ikev2_only() {
if [ "$ikev2_only_status" = "ENABLED" ]; then
confirm_disable_ikev2_only
bigecho "Disabling IKEv2-only mode..."
sed -i "/ikev1-policy=/d" /etc/ipsec.conf
sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf
elif [ "$ikev2_only_status" = "DISABLED" ]; then
confirm_enable_ikev2_only
bigecho "Enabling IKEv2-only mode..."
sed -i "/ikev1-policy=/d" /etc/ipsec.conf
sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf
sed -i "/config setup/a \ ikev1-policy=drop" /etc/ipsec.conf
fi
}

66
extras/ikev2setup.sh
View file

@ -150,7 +150,7 @@ confirm_or_abort() {
show_header() {
cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 16 Feb 2022
IKEv2 Script Copyright (c) 2020-2022 Lin Song 26 Feb 2022
EOF
}
@ -308,8 +308,7 @@ set_dns_servers() {
show_welcome() {
cat <<'EOF'
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
Welcome! Use this script to set up IKEv2 on your VPN server.
I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are OK with them.
@ -317,20 +316,12 @@ EOF
}
show_start_setup() {
if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] || [ -n "$VPN_DNS_SRV1" ]; then
bigecho "Starting IKEv2 setup in auto mode."
printf '%s' "## Using custom option(s): "
[ -n "$VPN_DNS_NAME" ] && printf '%s' "VPN_DNS_NAME "
[ -n "$VPN_CLIENT_NAME" ] && printf '%s' "VPN_CLIENT_NAME "
if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then
printf '%s' "VPN_DNS_SRV1 VPN_DNS_SRV2"
elif [ -n "$VPN_DNS_SRV1" ]; then
printf '%s' "VPN_DNS_SRV1"
fi
echo
else
bigecho "Starting IKEv2 setup in auto mode, using default options."
op_text=default
if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \
|| [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ]; then
op_text=custom
fi
bigecho "Starting IKEv2 setup in auto mode, using $op_text options."
}
show_add_client() {
@ -338,7 +329,7 @@ show_add_client() {
}
show_export_client() {
bigecho "Exporting IKEv2 client '$client_name', using default options."
bigecho "Exporting IKEv2 client '$client_name'."
}
get_export_dir() {
@ -517,10 +508,10 @@ enter_custom_dns() {
echo "Invalid DNS server."
read -rp "Enter primary DNS server: " dns_server_1
done
read -rp "Enter secondary DNS server (enter to skip): " dns_server_2
read -rp "Enter secondary DNS server (Enter to skip): " dns_server_2
until [ -z "$dns_server_2" ] || check_ip "$dns_server_2"; do
echo "Invalid DNS server."
read -rp "Enter secondary DNS server (enter to skip): " dns_server_2
read -rp "Enter secondary DNS server (Enter to skip): " dns_server_2
done
if [ -n "$dns_server_2" ]; then
dns_servers="$dns_server_1 $dns_server_2"
@ -614,7 +605,6 @@ cat <<'EOF'
IKEv2 client config files contain the client certificate, private key and CA certificate.
This script can optionally generate a random password to protect these files.
Future client config files will also be protected using this password.
EOF
printf "Protect client config files using a password? [y/N] "
@ -680,6 +670,11 @@ EOF
else
echo "MOBIKE support: Not available"
fi
if [ "$use_config_password" = "1" ]; then
echo "Protect client config: Yes"
else
echo "Protect client config: No"
fi
cat <<EOF
DNS server(s): $dns_servers
@ -1035,8 +1030,24 @@ ANSWERS
fi
}
create_config_readme() {
readme_file="$export_dir$client_name-README.txt"
if [ "$in_container" = "0" ] && [ "$use_config_password" = "0" ] \
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
cat > "$readme_file" <<'EOF'
These IKEv2 client config files were created during IPsec VPN setup.
To configure IKEv2 VPN clients, see: https://git.io/ikev2clients
EOF
if [ "$export_to_home_dir" = "1" ]; then
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
fi
chmod 600 "$readme_file"
fi
}
add_ikev2_connection() {
bigecho2 "Adding a new IKEv2 connection..."
XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then
echo >> "$IPSEC_CONF"
echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF"
@ -1051,7 +1062,7 @@ conn ikev2-cp
leftrsasigkey=%cert
right=%any
rightid=%fromcert
rightaddresspool=192.168.43.10-192.168.43.250
rightaddresspool=$XAUTH_POOL
rightca=%same
rightrsasigkey=%cert
narrowing=yes
@ -1173,12 +1184,8 @@ print_client_revoked() {
}
print_setup_complete() {
if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] || [ -n "$VPN_DNS_SRV1" ]; then
printf '\e[2K\r'
else
printf '\e[2K\e[1A\e[2K\r'
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
fi
printf '\e[2K\e[1A\e[2K\r'
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
cat <<EOF
================================================
@ -1215,7 +1222,7 @@ EOF
cat <<'EOF'
Note: No password is required when importing
client config files.
client configuration.
EOF
fi
cat <<'EOF'
@ -1426,7 +1433,6 @@ ikev2setup() {
1)
enter_client_name
enter_client_validity
select_config_password
echo
create_client_cert
export_client_config
@ -1436,7 +1442,6 @@ ikev2setup() {
;;
2)
enter_client_name_for export
select_config_password
echo
export_client_config
print_client_exported
@ -1510,6 +1515,7 @@ ikev2setup() {
create_ca_server_certs
create_client_cert
export_client_config
create_config_readme
add_ikev2_connection
if [ "$os_type" = "alpine" ]; then
ipsec auto --add ikev2-cp >/dev/null

89
extras/quickstart.sh
View file

@ -17,10 +17,37 @@
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# =====================================================
# Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these special characters within values: \ " '
YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''
# Important notes: https://git.io/vpnnotes
# Setup VPN clients: https://git.io/vpnclients
# IKEv2 guide: https://git.io/ikev2
# =====================================================
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr() { echo "Error: $1" >&2; exit 1; }
check_ip() {
IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
}
check_dns_name() {
FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX"
}
check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
@ -124,6 +151,53 @@ check_iface() {
fi
}
check_creds() {
[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
return 0
fi
if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
fi
if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
}
check_dns() {
if { [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; } \
|| { [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; }; then
exiterr "The DNS server specified is invalid."
fi
}
check_server_dns() {
if [ -n "$VPN_DNS_NAME" ] && ! check_dns_name "$VPN_DNS_NAME"; then
exiterr "Invalid DNS name. 'VPN_DNS_NAME' must be a fully qualified domain name (FQDN)."
fi
}
check_client_name() {
if [ -n "$VPN_CLIENT_NAME" ]; then
name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
fi
fi
}
check_iptables() {
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
if [ -x /sbin/iptables ] && ! iptables -nL INPUT >/dev/null 2>&1; then
@ -192,9 +266,18 @@ run_setup() {
if tmpdir=$(mktemp --tmpdir -d vpn.XXXXX 2>/dev/null); then
if ( set -x; wget -t 3 -T 30 -q -O "$tmpdir/vpn.sh" "$setup_url" \
|| curl -fsL "$setup_url" -o "$tmpdir/vpn.sh" 2>/dev/null ); then
if /bin/bash "$tmpdir/vpn.sh"; then
if VPN_IPSEC_PSK="$VPN_IPSEC_PSK" VPN_USER="$VPN_USER" VPN_PASSWORD="$VPN_PASSWORD" \
VPN_PUBLIC_IP="$VPN_PUBLIC_IP" VPN_L2TP_NET="$VPN_L2TP_NET" \
VPN_L2TP_LOCAL="$VPN_L2TP_LOCAL" VPN_L2TP_POOL="$VPN_L2TP_POOL" \
VPN_XAUTH_NET="$VPN_XAUTH_NET" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
/bin/bash "$tmpdir/vpn.sh"; then
if [ -s /opt/src/ikev2.sh ] && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
sleep 1
VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$VPN_PUBLIC_IP" \
VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
/bin/bash /opt/src/ikev2.sh --auto || status=1
fi
else
@ -217,6 +300,10 @@ quickstart() {
check_lxc
check_os
check_iface
check_creds
check_dns
check_server_dns
check_client_name
check_iptables
install_pkgs
get_setup_url

7
extras/vpnupgrade_alpine.sh
View file

@ -20,6 +20,7 @@ SWAN_VER=
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; }
@ -202,7 +203,7 @@ update_ikev2_script() {
wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url"
) || /bin/rm -f ikev2.sh.new
if [ -s ikev2.sh.new ]; then
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT"
/bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \
&& ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
/bin/rm -f ikev2.sh.new
@ -227,7 +228,7 @@ update_config() {
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -247,7 +248,7 @@ update_config() {
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}

7
extras/vpnupgrade_amzn.sh
View file

@ -20,6 +20,7 @@ SWAN_VER=
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; }
@ -197,7 +198,7 @@ update_ikev2_script() {
wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url"
) || /bin/rm -f ikev2.sh.new
if [ -s ikev2.sh.new ]; then
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT"
/bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \
&& ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
/bin/rm -f ikev2.sh.new
@ -216,7 +217,7 @@ update_config() {
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -236,7 +237,7 @@ update_config() {
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}

7
extras/vpnupgrade_centos.sh
View file

@ -20,6 +20,7 @@ SWAN_VER=
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; }
@ -233,7 +234,7 @@ update_ikev2_script() {
wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url"
) || /bin/rm -f ikev2.sh.new
if [ -s ikev2.sh.new ]; then
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT"
/bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \
&& ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
/bin/rm -f ikev2.sh.new
@ -252,7 +253,7 @@ update_config() {
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -272,7 +273,7 @@ update_config() {
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}

7
extras/vpnupgrade_ubuntu.sh
View file

@ -20,6 +20,7 @@ SWAN_VER=
### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; }
@ -234,7 +235,7 @@ update_ikev2_script() {
wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url"
) || /bin/rm -f ikev2.sh.new
if [ -s ikev2.sh.new ]; then
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old
[ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT"
/bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \
&& ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
/bin/rm -f ikev2.sh.new
@ -259,7 +260,7 @@ update_config() {
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \
sed -i".old-$SYS_DT" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
@ -279,7 +280,7 @@ update_config() {
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
}

2
vpnsetup_alpine.sh
View file

@ -516,10 +516,10 @@ vpnsetup() {
detect_ip
install_vpn_pkgs
install_fail2ban
get_ikev2_script
get_swan_ver
get_libreswan
install_libreswan
get_ikev2_script
create_vpn_config
update_sysctl
update_iptables

2
vpnsetup_amzn.sh
View file

@ -530,10 +530,10 @@ vpnsetup() {
install_vpn_pkgs_1
install_vpn_pkgs_2
install_fail2ban
get_ikev2_script
get_swan_ver
get_libreswan
install_libreswan
get_ikev2_script
create_vpn_config
create_f2b_config
update_sysctl

18
vpnsetup_centos.sh
View file

@ -535,6 +535,21 @@ update_iptables() {
fi
}
apply_gcp_mtu_fix() {
if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
&& ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
bigecho "Applying fix for MTU size..."
ifconfig "$NET_IFACE" mtu 1500
dh_file="/etc/dhcp/dhclient.conf"
if grep -qs "send host-name" "$dh_file" \
&& ! grep -qs "interface-mtu 1500" "$dh_file"; then
sed -i".old-$SYS_DT" \
"/send host-name/a \interface \"$NET_IFACE\" {\ndefault interface-mtu 1500;\nsupersede interface-mtu 1500;\n}" \
"$dh_file"
fi
fi
}
enable_on_boot() {
bigecho "Enabling services on boot..."
systemctl --now mask firewalld 2>/dev/null
@ -630,14 +645,15 @@ vpnsetup() {
install_vpn_pkgs_2
install_vpn_pkgs_3
install_fail2ban
get_ikev2_script
get_swan_ver
get_libreswan
install_libreswan
get_ikev2_script
create_vpn_config
create_f2b_config
update_sysctl
update_iptables
apply_gcp_mtu_fix
enable_on_boot
start_services
show_vpn_info

18
vpnsetup_ubuntu.sh
View file

@ -491,6 +491,21 @@ update_iptables() {
fi
}
apply_gcp_mtu_fix() {
if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
&& ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
bigecho "Applying fix for MTU size..."
ifconfig "$NET_IFACE" mtu 1500
dh_file="/etc/dhcp/dhclient.conf"
if grep -qs "send host-name" "$dh_file" \
&& ! grep -qs "interface-mtu 1500" "$dh_file"; then
sed -i".old-$SYS_DT" \
"/send host-name/a \interface \"$NET_IFACE\" {\ndefault interface-mtu 1500;\nsupersede interface-mtu 1500;\n}" \
"$dh_file"
fi
fi
}
enable_on_boot() {
bigecho "Enabling services on boot..."
IPT_PST=/etc/init.d/iptables-persistent
@ -618,13 +633,14 @@ vpnsetup() {
detect_ip
install_vpn_pkgs
install_fail2ban
get_ikev2_script
get_swan_ver
get_libreswan
install_libreswan
get_ikev2_script
create_vpn_config
update_sysctl
update_iptables
apply_gcp_mtu_fix
enable_on_boot
start_services
show_vpn_info