From 58e82552ae141831be6b745ed838e98388983730 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 17 Feb 2022 21:36:19 -0600 Subject: [PATCH 01/22] Update IKEv2 script - Minor improvements and cleanup --- extras/ikev2setup.sh | 44 ++++++++++++++++++-------------------------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 0268800..7486dae 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -150,7 +150,7 @@ confirm_or_abort() { show_header() { cat <<'EOF' -IKEv2 Script Copyright (c) 2020-2022 Lin Song 16 Feb 2022 +IKEv2 Script Copyright (c) 2020-2022 Lin Song 18 Feb 2022 EOF } @@ -308,8 +308,7 @@ set_dns_servers() { show_welcome() { cat <<'EOF' -Welcome! Use this script to set up IKEv2 on your IPsec VPN server. - +Welcome! Use this script to set up IKEv2 on your VPN server. I need to ask you a few questions before starting setup. You can use the default options and just press enter if you are OK with them. @@ -317,20 +316,12 @@ EOF } show_start_setup() { - if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] || [ -n "$VPN_DNS_SRV1" ]; then - bigecho "Starting IKEv2 setup in auto mode." - printf '%s' "## Using custom option(s): " - [ -n "$VPN_DNS_NAME" ] && printf '%s' "VPN_DNS_NAME " - [ -n "$VPN_CLIENT_NAME" ] && printf '%s' "VPN_CLIENT_NAME " - if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then - printf '%s' "VPN_DNS_SRV1 VPN_DNS_SRV2" - elif [ -n "$VPN_DNS_SRV1" ]; then - printf '%s' "VPN_DNS_SRV1" - fi - echo - else - bigecho "Starting IKEv2 setup in auto mode, using default options." + op_text=default + if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \ + || [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ]; then + op_text=custom fi + bigecho "Starting IKEv2 setup in auto mode, using $op_text options." } show_add_client() { 
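Review bot: In show_start_setup the new `|| [ -n "$VPN_PROTECT_CONFIG" ]` treats any non-empty value as a custom option, so a run with `VPN_PROTECT_CONFIG=no` would be announced as "using custom options" even though it presumably behaves like the default. The docs in this same series only ever show `VPN_PROTECT_CONFIG=yes`; if the rest of the script honours just that value (not visible in this hunk), the banner check should use the same condition the script uses when it decides whether to protect the config, or the variable should be normalised before this point. Since the rewrite no longer names which variables were set, a one-line comment such as `# auto mode: any of these env vars being set counts as a custom option` above the `if` would keep the intent clear for whoever next extends the list.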
@@ -517,10 +508,10 @@ enter_custom_dns() { echo "Invalid DNS server." read -rp "Enter primary DNS server: " dns_server_1 done - read -rp "Enter secondary DNS server (enter to skip): " dns_server_2 + read -rp "Enter secondary DNS server (Enter to skip): " dns_server_2 until [ -z "$dns_server_2" ] || check_ip "$dns_server_2"; do echo "Invalid DNS server." - read -rp "Enter secondary DNS server (enter to skip): " dns_server_2 + read -rp "Enter secondary DNS server (Enter to skip): " dns_server_2 done if [ -n "$dns_server_2" ]; then dns_servers="$dns_server_1 $dns_server_2" @@ -612,7 +603,7 @@ select_config_password() { if [ "$use_config_password" = "0" ]; then cat <<'EOF' -IKEv2 client config files contain the client certificate, private key and CA certificate. +IKEv2 client config contains the client certificate, private key and CA certificate. This script can optionally generate a random password to protect these files. Future client config files will also be protected using this password. @@ -680,6 +671,11 @@ EOF else echo "MOBIKE support: Not available" fi + if [ "$use_config_password" = "1" ]; then + echo "Protect client config: Yes" + else + echo "Protect client config: No" + fi cat < Date: Thu, 17 Feb 2022 21:37:18 -0600 Subject: [PATCH 02/22] Update docs --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index ae40418..e3091ba 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -81,7 +81,7 @@ sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto ``` -默认情况下,导入 IKEv2 客户端配置文件时不需要密码。你可以选择使用随机密码保护客户端配置文件。这是可选的。示例如下: +默认情况下,导入 IKEv2 客户端配置时不需要密码。你可以选择使用随机密码保护客户端配置文件。这是可选的。示例如下: ```bash sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index fb12834..6600474 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -81,7 +81,7 @@ By default, IKEv2 clients are set to use [Google Public DNS](https://developers. sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto ``` -By default, no password is required when importing IKEv2 client config files. You may optionally choose to protect client config files using a random password. Example: +By default, no password is required when importing IKEv2 client configuration. You may optionally choose to protect client config files using a random password. Example: ```bash sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto From 6ff28097db810bc2e8f0cdbc25c9f09f99f40c0a Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 17 Feb 2022 21:40:15 -0600 Subject: [PATCH 03/22] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 2e8e267..0db2e78 100644 --- a/README-zh.md +++ b/README-zh.md @@ -121,7 +121,7 @@ sudo ikev2.sh ``` -
+
选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。 diff --git a/README.md b/README.md index abb813f..70ae100 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,7 @@ sudo ikev2.sh ```
-
+
Option 2: Edit the script and provide your own VPN credentials. From 42c8d288e2774c66a578f25e4141e71c5c76ebf6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 18 Feb 2022 21:42:37 -0600 Subject: [PATCH 04/22] Cleanup - Improve backup of VPN config files --- extras/ikev2changeaddr.sh | 4 +++- extras/ikev2onlymode.sh | 5 +++-- extras/vpnupgrade_alpine.sh | 7 ++++--- extras/vpnupgrade_amzn.sh | 7 ++++--- extras/vpnupgrade_centos.sh | 7 ++++--- extras/vpnupgrade_ubuntu.sh | 7 ++++--- 6 files changed, 22 insertions(+), 15 deletions(-) diff --git a/extras/ikev2changeaddr.sh b/extras/ikev2changeaddr.sh index 225b1e3..a9dae9e 100755 --- a/extras/ikev2changeaddr.sh +++ b/extras/ikev2changeaddr.sh @@ -14,6 +14,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } bigecho() { echo "## $1"; } @@ -266,7 +267,8 @@ update_ikev2_conf() { echo >> /etc/ipsec.conf echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf fi - sed -i -e "/^[[:space:]]\+leftcert=/d" \ + sed -i".old-$SYS_DT" \ + -e "/^[[:space:]]\+leftcert=/d" \ -e "/^[[:space:]]\+leftid=/d" /etc/ipsec.d/ikev2.conf if [ "$use_dns_name" = "1" ]; then sed -i "/conn ikev2-cp/a \ leftid=@$server_addr" /etc/ipsec.d/ikev2.conf diff --git a/extras/ikev2onlymode.sh b/extras/ikev2onlymode.sh index 22dcd11..532938c 100755 --- a/extras/ikev2onlymode.sh +++ b/extras/ikev2onlymode.sh @@ -11,6 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } bigecho() { echo "## $1"; } 
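Review bot: The new `SYS_DT` backup suffix is load-bearing but undocumented: `sed -i".old-$SYS_DT"` on `/etc/ipsec.d/ikev2.conf` leaves a backup beside a file that `/etc/ipsec.conf` pulls in via `include /etc/ipsec.d/*.conf` (visible as context in the update_ikev2_conf hunk), so the suffix must never be changed to something ending in `.conf` or a stale backup would be loaded as live configuration. Add a comment at the definition, `# Backup suffix for this run's in-place edits; must not end in .conf (ipsec.conf includes /etc/ipsec.d/*.conf)`, and since the value must not change mid-run, `readonly SYS_DT` after the assignment would make that explicit. The same definition is added to ikev2onlymode.sh and to vpnupgrade_alpine.sh, vpnupgrade_amzn.sh, vpnupgrade_centos.sh and vpnupgrade_ubuntu.sh in this patch, and the comment belongs in each. Note that because one suffix is shared by every suffixed `sed -i` in a run, a second suffixed edit of the same file within one run would overwrite the first backup; the hunks here edit each file once with the suffix, which is fine, but the comment should say so.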
@@ -114,11 +115,11 @@ toggle_ikev2_only() { if [ "$ikev2_only_status" = "ENABLED" ]; then confirm_disable_ikev2_only bigecho "Disabling IKEv2-only mode..." - sed -i "/ikev1-policy=/d" /etc/ipsec.conf + sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf elif [ "$ikev2_only_status" = "DISABLED" ]; then confirm_enable_ikev2_only bigecho "Enabling IKEv2-only mode..." - sed -i "/ikev1-policy=/d" /etc/ipsec.conf + sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf sed -i "/config setup/a \ ikev1-policy=drop" /etc/ipsec.conf fi } diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh index 17d4f83..136e1b1 100755 --- a/extras/vpnupgrade_alpine.sh +++ b/extras/vpnupgrade_alpine.sh @@ -20,6 +20,7 @@ SWAN_VER= ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') [ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" exiterr() { echo "Error: $1" >&2; exit 1; } @@ -202,7 +203,7 @@ update_ikev2_script() { wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url" ) || /bin/rm -f ikev2.sh.new if [ -s ikev2.sh.new ]; then - [ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old + [ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT" /bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \ && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null /bin/rm -f ikev2.sh.new @@ -227,7 +228,7 @@ update_config() { [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$(date +%F-%T)" \ + sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ 
@@ -247,7 +248,7 @@ update_config() { sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then - sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf + sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi } diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh index de599ac..4c69995 100755 --- a/extras/vpnupgrade_amzn.sh +++ b/extras/vpnupgrade_amzn.sh @@ -20,6 +20,7 @@ SWAN_VER= ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') [ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" exiterr() { echo "Error: $1" >&2; exit 1; } @@ -197,7 +198,7 @@ update_ikev2_script() { wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url" ) || /bin/rm -f ikev2.sh.new if [ -s ikev2.sh.new ]; then - [ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old + [ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT" /bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \ && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null /bin/rm -f ikev2.sh.new @@ -216,7 +217,7 @@ update_config() { [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$(date +%F-%T)" \ + sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ @@ -236,7 +237,7 @@ update_config() { sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then - sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf + sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi } diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index bf7f007..851a48b 100755 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -20,6 +20,7 @@ SWAN_VER= ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') [ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" exiterr() { echo "Error: $1" >&2; exit 1; } @@ -233,7 +234,7 @@ update_ikev2_script() { wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url" ) || /bin/rm -f ikev2.sh.new if [ -s ikev2.sh.new ]; then - [ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old + [ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT" /bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \ && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null /bin/rm -f ikev2.sh.new @@ -252,7 +253,7 @@ update_config() { [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$(date +%F-%T)" \ + sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ @@ -272,7 +273,7 @@ update_config() { sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then - sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf + sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi } diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh index 4472da4..78d2efb 100755 --- a/extras/vpnupgrade_ubuntu.sh +++ b/extras/vpnupgrade_ubuntu.sh @@ -20,6 +20,7 @@ SWAN_VER= ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T | tr ':' '_') [ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" exiterr() { echo "Error: $1" >&2; exit 1; } 
@@ -234,7 +235,7 @@ update_ikev2_script() { wget -t 3 -T 30 -q -O ikev2.sh.new "$ikev2_url" ) || /bin/rm -f ikev2.sh.new if [ -s ikev2.sh.new ]; then - [ -s ikev2.sh ] && /bin/cp -f ikev2.sh ikev2.sh.old + [ -s ikev2.sh ] && /bin/cp -f ikev2.sh "ikev2.sh.old-$SYS_DT" /bin/cp -f ikev2.sh.new ikev2.sh && chmod +x ikev2.sh \ && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null /bin/rm -f ikev2.sh.new @@ -259,7 +260,7 @@ update_config() { [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3 - sed -i".old-$(date +%F-%T)" \ + sed -i".old-$SYS_DT" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \ @@ -279,7 +280,7 @@ update_config() { sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then - sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf + sed -i".old-$SYS_DT" 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf fi } From 55c91c7202296c6ad80928bbc72389fb62c5aeb9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 19 Feb 2022 22:06:20 -0600 Subject: [PATCH 05/22] Update docs --- docs/clients-xauth-zh.md | 10 ++++++---- docs/clients-xauth.md | 10 ++++++---- docs/clients-zh.md | 16 ++++++++-------- docs/clients.md | 16 ++++++++-------- 4 files changed, 28 insertions(+), 24 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index b071e23..37b61e3 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -18,7 +18,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP ## Windows -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。无需安装额外的软件。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。无需安装额外的软件。 1. 下载并安装免费的 [Shrew Soft VPN 客户端](https://www.shrew.net/download/vpn)。在安装时请选择 **Standard Edition**。 **注:** 该 VPN 客户端 **不支持** Windows 10/11。 @@ -42,7 +42,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl ## OS X -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 @@ -66,7 +66,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl ## Android -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。 1. 启动 **设置** 应用程序。 1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。 @@ -90,7 +90,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里]( ## iOS -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 @@ -110,6 +110,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里]( ## Linux +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。 + ### Fedora 和 CentOS Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用 `yum` 安装 `NetworkManager-libreswan-gnome` 软件包,然后通过 GUI 配置 IPsec/XAuth VPN 客户端。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 48c9f0a..68e8c10 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -18,7 +18,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster t ## Windows -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. No additional software is required. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. No additional software is required. 1. Download and install the free [Shrew Soft VPN client](https://www.shrew.net/download/vpn). When prompted during install, select **Standard Edition**. **Note:** This VPN client does NOT support Windows 10/11. @@ -42,7 +42,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro ## OS X -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. @@ -66,7 +66,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro ## Android -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode. 1. Launch the **Settings** application. 1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section. 
@@ -90,7 +90,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro ## iOS -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. @@ -110,6 +110,8 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro ## Linux +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended). + ### Fedora and CentOS Fedora 28 (and newer) and CentOS 8/7 users can install the `NetworkManager-libreswan-gnome` package using `yum`, then configure the IPsec/XAuth VPN client using the GUI. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3bd9c75..1053c0e 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ ## Windows -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。 ### Windows 11 @@ -109,7 +109,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' ## OS X -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 @@ -135,7 +135,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' ## Android -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。 1. 启动 **设置** 应用程序。 1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。 
@@ -160,7 +160,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里]( ## iOS -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 @@ -199,11 +199,11 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 ## Linux -**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。 +> :information_source: 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。 ### Ubuntu Linux -Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 用户可能需要添加 `nm-l2tp` PPA,参见 [这里](https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721)。 +Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。 1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 1. 选择 **Layer 2 Tunneling Protocol (L2TP)**。 @@ -223,9 +223,9 @@ Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2t 1. 单击 **OK**,然后单击 **Add** 保存 VPN 连接信息。 1. 启用 **VPN** 连接。 -VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请尝试 [这个解决方案](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/2926ea0239fe970ff08cb8a7863f8cb519ece032/README.md#unable-to-establish-l2tp-connection-without-udp-source-port-1701)。 -如果在连接过程中遇到错误,请尝试 [这个解决方案](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/README.md#issue-with-not-stopping-system-xl2tpd-service)。 +VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ### Fedora 和 CentOS diff --git a/docs/clients.md b/docs/clients.md index c1ec041..541d740 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -18,7 +18,7 @@ After [setting up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn ## Windows -**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended). +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended). ### Windows 11 @@ -109,7 +109,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti ## OS X -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. @@ -134,7 +134,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti ## Android -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode. 1. Launch the **Settings** application. 1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section. @@ -159,7 +159,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti ## iOS -**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 
@@ -198,11 +198,11 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti ## Linux -**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended). +> :information_source: You may also connect using [IKEv2](ikev2-howto.md) mode (recommended). ### Ubuntu Linux -Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) package using `apt`, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the `nm-l2tp` PPA, read more [here](https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721). +Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome) package using `apt`, then configure the IPsec/L2TP VPN client using the GUI. 1. Go to Settings -> Network -> VPN. Click the **+** button. 1. Select **Layer 2 Tunneling Protocol (L2TP)**. 
@@ -222,9 +222,9 @@ Ubuntu 18.04 (and newer) users can install the [network-manager-l2tp-gnome](http 1. Click **OK**, then click **Add** to save the VPN connection information. 1. Turn the **VPN** switch ON. -Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, try [this fix](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/2926ea0239fe970ff08cb8a7863f8cb519ece032/README.md#unable-to-establish-l2tp-connection-without-udp-source-port-1701). -If you get an error when trying to connect, try [this fix](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/README.md#issue-with-not-stopping-system-xl2tpd-service). +Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". ### Fedora and CentOS From 88c86c0191fa95a7324e6b5a8255598f22c7a332 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 20 Feb 2022 21:45:11 -0600 Subject: [PATCH 06/22] Update IKEv2 script - Show the option to protect IKEv2 client config files only during IKEv2 setup, not when adding or exporting a client. - Cleanup --- extras/ikev2setup.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 7486dae..e1f1829 100755 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -150,7 +150,7 @@ confirm_or_abort() { show_header() { cat <<'EOF' -IKEv2 Script Copyright (c) 2020-2022 Lin Song 18 Feb 2022 +IKEv2 Script Copyright (c) 2020-2022 Lin Song 21 Feb 2022 EOF } 
@@ -329,7 +329,7 @@ show_add_client() { } show_export_client() { - bigecho "Exporting IKEv2 client '$client_name', using default options." + bigecho "Exporting IKEv2 client '$client_name'." } get_export_dir() { @@ -603,9 +603,8 @@ select_config_password() { if [ "$use_config_password" = "0" ]; then cat <<'EOF' -IKEv2 client config contains the client certificate, private key and CA certificate. +IKEv2 client config files contain the client certificate, private key and CA certificate. This script can optionally generate a random password to protect these files. -Future client config files will also be protected using this password. EOF printf "Protect client config files using a password? [y/N] " @@ -1418,7 +1417,6 @@ ikev2setup() { 1) enter_client_name enter_client_validity - select_config_password echo create_client_cert export_client_config @@ -1428,7 +1426,6 @@ ikev2setup() { ;; 2) enter_client_name_for export - select_config_password echo export_client_config print_client_exported From 898496fc04b10ccc004923b32aef3eb66cce23f0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 20 Feb 2022 21:50:52 -0600 Subject: [PATCH 07/22] Update tests --- .github/workflows/test_set_1.yml | 2 -- .github/workflows/test_set_2.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml index 25825a1..6f4090a 100644 --- a/.github/workflows/test_set_1.yml +++ b/.github/workflows/test_set_1.yml @@ -228,7 +228,6 @@ jobs: vpnclient vpnclient2 - ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig @@ -241,7 +240,6 @@ jobs: 2 nonexistclient vpnclient2 - ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig diff --git a/.github/workflows/test_set_2.yml b/.github/workflows/test_set_2.yml index 6965b2f..31e0c18 100644 --- a/.github/workflows/test_set_2.yml +++ b/.github/workflows/test_set_2.yml @@ -247,7 +247,6 @@ jobs: vpnclient vpnclient2 - ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig 
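Review bot: With `select_config_password` removed from the add-client (case 1) and export-client (case 2) paths in ikev2setup, `export_client_config` now depends on `use_config_password` having been established before those branches run; that assignment is not visible in this hunk, so confirm it is initialised from the existing setup state before `create_client_cert` and `export_client_config`, otherwise an unset value would silently produce unprotected `.p12`/mobileconfig files. The enclosing `ikev2setup()` function starts and ends outside the hunk. Because the setup-time choice now applies to every client added or exported later without a further prompt, the prompt text changed in the @@ -603 hunk should still tell the operator that, e.g. keep a line like `This choice also applies to client config files created later.` in the heredoc.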
@@ -260,7 +259,6 @@ jobs: 2 nonexistclient vpnclient2 - ANSWERS ls -ld /etc/ipsec.d/vpnclient2.mobileconfig From 4035d086cec9cd10b389eb40da9b41d89d8de182 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 21 Feb 2022 12:07:53 -0600 Subject: [PATCH 08/22] Update docs --- docs/ikev2-howto-zh.md | 20 +++++++++++++------- docs/ikev2-howto.md | 18 ++++++++++++------ 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index e3091ba..27584a1 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -31,7 +31,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ## 使用辅助脚本配置 IKEv2 -**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md),并且(可选但推荐)[升级 Libreswan](../README-zh.md#升级libreswan)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。 +**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。 使用这个 [辅助脚本](../extras/ikev2setup.sh) 来自动地在 VPN 服务器上配置 IKEv2: @@ -112,7 +112,7 @@ To customize IKEv2 or client options, run this script without arguments. *其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端)。* -**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用参数 `-h` 显示使用信息。 +**注:** 如果要添加或者导出 IKEv2 客户端,只需重新运行[辅助脚本](#使用辅助脚本配置-ikev2)。使用 `-h` 显示使用信息。IKEv2 客户端配置文件可以在导入后安全删除。 * [Windows 7, 8, 10 和 11](#windows-7-8-10-和-11) * [OS X (macOS)](#os-x-macos) 
@@ -129,13 +129,15 @@ To customize IKEv2 or client options, run this script without arguments. 1. 右键单击保存的脚本,选择 **属性**。单击对话框下方的 **解除锁定**,然后单击 **确定**。 1. 右键单击保存的脚本,选择 **以管理员身份运行** 并按提示操作。 -或者,你也可以手动导入 IKEv2 配置。这些步骤适用于 **Windows 7, 8, 10 和 11**。 +或者,**Windows 7, 8, 10 和 11** 用户可以手动导入 IKEv2 配置: -1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。要导入 `.p12` 文件,打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令: +1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到证书存储。 + + 要导入 `.p12` 文件,打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令: ```console # 导入 .p12 文件(换成你自己的值) - certutil -f -importpfx ".p12文件的位置和名称" NoExport + certutil -f -importpfx "\path\to\your\file.p12" NoExport ``` **注:** 如果客户端配置文件没有密码,请按回车键继续,或者在手动导入 `.p12` 文件时保持密码字段空白。 
@@ -153,9 +155,13 @@ To customize IKEv2 or client options, run this script without arguments. powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force" ``` - **Windows 7** 不支持这些命令,你可以 [手动创建 VPN 连接](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config)。你输入的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。 + **Windows 7** 不支持这些命令,你可以 [手动创建 VPN 连接](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config)。 -1. **此步骤为必须,如果你手动创建了 VPN 连接。** 为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048)。 + **注:** 你输入的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**。例如,如果你在配置 IKEv2 时指定了服务器的域名,则必须在 **Internet地址** 字段中输入该域名。 + +1. **此步骤为必须,如果你手动创建了 VPN 连接。** + + 为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048)。 - 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 6600474..08f82c6 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -31,7 +31,7 @@ After following this guide, you will be able to connect to the VPN using IKEv2 i ## Set up IKEv2 using helper script -**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn), and (optional but recommended) [updated Libreswan](../README.md#upgrade-libreswan). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**. +**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**. Use this [helper script](../extras/ikev2setup.sh) to automatically set up IKEv2 on the VPN server: @@ -112,7 +112,7 @@ To customize IKEv2 or client options, run this script without arguments. *Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* -**Note:** If you want to add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use option `-h` to show usage information. +**Note:** To add or export IKEv2 client(s), just run the [helper script](#set-up-ikev2-using-helper-script) again. Use `-h` to show usage information. IKEv2 client config files can be safely deleted after import. * [Windows 7, 8, 10 and 11](#windows-7-8-10-and-11) * [OS X (macOS)](#os-x-macos) 
@@ -129,9 +129,11 @@ To customize IKEv2 or client options, run this script without arguments. 1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**. 1. Right-click on the saved script, select **Run as administrator** and follow the prompts. -Alternatively, you may manually import IKEv2 configuration. These steps apply to **Windows 7, 8, 10 and 11**. +Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 configuration: -1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. To import the `.p12` file, run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/): +1. Securely transfer the generated `.p12` file to your computer, then import it into the certificate store. + + To import the `.p12` file, run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/): ```console # Import .p12 file (replace with your own value) 
@@ -153,9 +155,13 @@ Alternatively, you may manually import IKEv2 configuration. These steps apply to powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force" ``` - **Windows 7** does not support these commands, you can [manually create the VPN connection](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config). The server address you specify must **exactly match** the server address in the output of the IKEv2 helper script. For example, if you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field. + **Windows 7** does not support these commands, you can [manually create the VPN connection](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config). -1. **This step is required if you manually created the VPN connection.** Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more [here](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048). + **Note:** The server address you specify must **exactly match** the server address in the output of the IKEv2 helper script. For example, if you specified the server's DNS name during IKEv2 setup, you must enter the DNS name in the **Internet address** field. + +1. **This step is required if you manually created the VPN connection.** + + Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more [here](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048). 
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) From 98537d02ac137b7baccfccc33822b1b9cae335bd Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 21 Feb 2022 18:33:35 -0600 Subject: [PATCH 09/22] Update docs - Add a troubleshooting section for "Cannot open websites after connecting to IKEv2". Ref: #1000. --- docs/ikev2-howto-zh.md | 20 ++++++++++++++++++++ docs/ikev2-howto.md | 22 +++++++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 27584a1..672b962 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -129,6 +129,8 @@ To customize IKEv2 or client options, run this script without arguments. 1. 右键单击保存的脚本,选择 **属性**。单击对话框下方的 **解除锁定**,然后单击 **确定**。 1. 右键单击保存的脚本,选择 **以管理员身份运行** 并按提示操作。 +如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 + 或者,**Windows 7, 8, 10 和 11** 用户可以手动导入 IKEv2 配置: 1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到证书存储。 
@@ -785,12 +787,30 @@ sudo ikev2.sh --revokeclient [client name] **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 +* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) * [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) * [参数错误 policy match error](#参数错误-policy-match-error) * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) * [其它已知问题](#其它已知问题) +### 连接 IKEv2 后不能打开网站 + +如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: + +1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500,然后重新连接 IKEv2 客户端: + + ```bash + # 将 ens4 替换为你的服务器上的网络接口名称 + sudo ifconfig ens4 mtu 1500 + ``` + + 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 + +1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。 + +1. 在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 + ### IKE 身份验证凭证不可接受 如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 08f82c6..71c8d06 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -129,6 +129,8 @@ To customize IKEv2 or client options, run this script without arguments. 1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**. 1. Right-click on the saved script, select **Run as administrator** and follow the prompts. +If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). + Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 configuration: 1. Securely transfer the generated `.p12` file to your computer, then import it into the certificate store. 
@@ -787,19 +789,37 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). +* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) * [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) * [Policy match error](#policy-match-error) * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) * [Other known issues](#other-known-issues) +### Cannot open websites after connecting to IKEv2 + +If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: + +1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server, then re-connect the IKEv2 client: + + ```bash + # Replace ens4 with the network interface name on your server + sudo ifconfig ens4 mtu 1500 + ``` + + This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. + +1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues). + +1. Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. 
+ ### IKE authentication credentials are unacceptable If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). ### Policy match error -To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. +To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. - For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) From 4020e0d8e16f6fe70463b69498040fcedd5ced18 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 21 Feb 2022 23:32:34 -0600 Subject: [PATCH 10/22] Update docs --- docs/ikev2-howto-zh.md | 9 ++++----- docs/ikev2-howto.md | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 672b962..b54f8b1 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -229,12 +229,11 @@ To customize IKEv2 or client options, run this script without arguments. 1. 使用 [文件共享](https://support.apple.com/zh-cn/HT210598) 功能上传到设备,然后打开 iOS 设备上的 "文件" App,将上传的文件移动到 "On My iPhone" 目录下。然后单击它并到 "设置" App 中导入,或者 1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 -在完成之后,检查并确保 "IKEv2 VPN" 显示在设置 -> 通用 -> 描述文件中。 +在完成之后,检查并确保 "IKEv2 VPN" 显示在设置 -> 通用 -> VPN 与设备管理(或者描述文件)中。 要连接到 VPN: -1. 进入设置 -> 通用 -> VPN。 -1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。 +1. 进入设置 -> VPN。选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。 1. 启用 **VPN** 连接。 (可选功能)你可以选择启用 [VPN On Demand(按需连接)](https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules) ,该功能在使用 Wi-Fi 网络时自动建立 VPN 连接。要启用它,单击 VPN 连接右边的 "i" 图标,然后启用 **按需连接**。 @@ -250,9 +249,9 @@ To customize IKEv2 or client options, run this script without arguments. 1. 使用 [文件共享](https://support.apple.com/zh-cn/HT210598) 功能上传到设备,然后打开 iOS 设备上的 "文件" App,将上传的文件移动到 "On My iPhone" 目录下。然后逐个单击它们并到 "设置" App 中导入,或者 1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 -在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 +在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> VPN 与设备管理(或者描述文件)中。 -1. 进入设置 -> 通用 -> VPN。 +1. 进入设置 -> 通用 -> VPN 与设备管理 -> VPN。 1. 单击 **添加VPN配置...**。 1. 单击 **类型** 。选择 **IKEv2** 并返回。 1. 在 **描述** 字段中输入任意内容。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 71c8d06..bbb7ad1 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -229,12 +229,11 @@ First, securely transfer the generated `.mobileconfig` file to your iOS device, 1. Upload to your device using [File Sharing](https://support.apple.com/en-us/HT210598), then open the "Files" app on your iOS device, move the uploaded file to the "On My iPhone" folder. After that, tap the file and go to the "Settings" app to import, or 1. Host the file on a secure website of yours, then download and import it in Mobile Safari. -When finished, check to make sure "IKEv2 VPN" is listed under Settings -> General -> Profile(s). +When finished, check to make sure "IKEv2 VPN" is listed under Settings -> General -> VPN & Device Management or Profile(s). To connect to the VPN: -1. Go to Settings -> General -> VPN. -1. Select the VPN connection with `Your VPN Server IP` (or DNS name). +1. Go to Settings -> VPN. Select the VPN connection with `Your VPN Server IP` (or DNS name). 1. Slide the **VPN** switch ON. (Optional feature) You can choose to enable [VPN On Demand](https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules). This is an "always-on" feature that can automatically connect to the VPN while on Wi-Fi. To enable, tap the "i" icon on the right of the VPN connection, and enable **Connect On Demand**. 
@@ -250,9 +249,9 @@ First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your 1. Upload to your device using [File Sharing](https://support.apple.com/en-us/HT210598), then open the "Files" app on your iOS device, move the uploaded files to the "On My iPhone" folder. After that, tap each file and go to the "Settings" app to import, or 1. Host the files on a secure website of yours, then download and import them in Mobile Safari. -When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. +When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> VPN & Device Management or Profile(s). -1. Go to Settings -> General -> VPN. +1. Go to Settings -> General -> VPN & Device Management -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **IKEv2** and go back. 1. Tap **Description** and enter anything you like. From 06c5e27080d6f32e088e217658bac216a5c39a74 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 23 Feb 2022 00:07:33 -0600 Subject: [PATCH 11/22] Fix for GCP MTU size - This fix is specifically for Google Cloud Platform (GCP) VMs. The default MTU size on GCP, 1460 bytes, could cause network issues such as "cannot open websites" with IKEv2 VPN clients. This issue was brought up multiple times in this repo, e.g. #1000. - The fix changes the MTU to 1500 (the default that is widely used), and updates dhclient.conf so that it is not reverted to 1460 by DHCP. - Refs: https://cloud.google.com/vpc/docs/vpc#mtu https://cloud.google.com/compute/docs/instances/detect-compute-engine https://linuxhint.com/how-to-change-mtu-size-in-linux/ https://git.io/ikev2#cannot-open-websites-after-connecting-to-ikev2 --- vpnsetup_centos.sh | 16 ++++++++++++++++ vpnsetup_ubuntu.sh | 16 ++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 865caf4..4dc7ef9 100755 
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -535,6 +535,21 @@ update_iptables() {
 fi
 }
 
+apply_gcp_mtu_fix() {
+ if dmidecode -s system-product-name 2>/dev/null | grep -q "Google Compute Engine" \
+ && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -q "mtu 1460"; then
+ bigecho "Applying fix for MTU size..."
+ ifconfig "$NET_IFACE" mtu 1500
+ dh_file="/etc/dhcp/dhclient.conf"
+ if grep -qs "send host-name" "$dh_file" \
+ && ! grep -qs "interface-mtu 1500" "$dh_file"; then
+ sed -i".old-$SYS_DT" \
+ "/send host-name/a \interface \"$NET_IFACE\" {\ndefault interface-mtu 1500;\nsupersede interface-mtu 1500;\n}" \
+ "$dh_file"
+ fi
+ fi
+}
+
 enable_on_boot() {
 bigecho "Enabling services on boot..."
 systemctl --now mask firewalld 2>/dev/null
@@ -638,6 +653,7 @@ vpnsetup() {
 create_f2b_config
 update_sysctl
 update_iptables
+ apply_gcp_mtu_fix
 enable_on_boot
 start_services
 show_vpn_info
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 345b7ed..89aa739 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -491,6 +491,21 @@ update_iptables() {
 fi
 }
 
+apply_gcp_mtu_fix() {
+ if dmidecode -s system-product-name 2>/dev/null | grep -q "Google Compute Engine" \
+ && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -q "mtu 1460"; then
+ bigecho "Applying fix for MTU size..."
+ ifconfig "$NET_IFACE" mtu 1500
+ dh_file="/etc/dhcp/dhclient.conf"
+ if grep -qs "send host-name" "$dh_file" \
+ && ! grep -qs "interface-mtu 1500" "$dh_file"; then
+ sed -i".old-$SYS_DT" \
+ "/send host-name/a \interface \"$NET_IFACE\" {\ndefault interface-mtu 1500;\nsupersede interface-mtu 1500;\n}" \
+ "$dh_file"
+ fi
+ fi
+}
+
 enable_on_boot() {
 bigecho "Enabling services on boot..."
 IPT_PST=/etc/init.d/iptables-persistent
@@ -625,6 +640,7 @@ vpnsetup() {
 create_vpn_config
 update_sysctl
 update_iptables
+ apply_gcp_mtu_fix
 enable_on_boot
 start_services
 show_vpn_info
From a4e452e9dff25a9bce410e75ebe961763ad7c6c6 Mon Sep 17 00:00:00 2001
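Review bot: The guard in `apply_gcp_mtu_fix` greps the full `ifconfig` dump for `$NET_IFACE`, so an interface whose name is a prefix of another (`ens4` matching `ens40`) can pick the wrong line, and when `dmidecode` or `ifconfig` is missing from a minimal image the `2>/dev/null` makes the function skip silently instead of saying why. Reading the kernel's value sidesteps both: `[ "$(cat "/sys/class/net/$NET_IFACE/mtu" 2>/dev/null)" = "1460" ]`. `ifconfig "$NET_IFACE" mtu 1500` is not checked, so when it fails the dhclient.conf rewrite still happens, and `$NET_IFACE` is spliced unvalidated into the sed script, which is acceptable only if it is validated before this function (that code is outside the hunk). A why-comment is also missing; something like `# GCP VMs default to a 1460-byte MTU, which breaks some IKEv2 clients (#1000): raise it to 1500 and pin it in dhclient.conf so DHCP does not revert it; the .old-$SYS_DT backup is the rollback` would tell the next maintainer what this works around and how to undo it.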
From: hwdsl2
Date: Wed, 23 Feb 2022 00:08:45 -0600
Subject: [PATCH 12/22] Cleanup

---
 vpnsetup_alpine.sh | 2 +-
 vpnsetup_amzn.sh | 2 +-
 vpnsetup_centos.sh | 2 +-
 vpnsetup_ubuntu.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index 3c0b525..895ade1 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -516,10 +516,10 @@ vpnsetup() {
 detect_ip
 install_vpn_pkgs
 install_fail2ban
+ get_ikev2_script
 get_swan_ver
 get_libreswan
 install_libreswan
- get_ikev2_script
 create_vpn_config
 update_sysctl
 update_iptables
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index 4cc94be..db6474b 100755
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -530,10 +530,10 @@ vpnsetup() {
 install_vpn_pkgs_1
 install_vpn_pkgs_2
 install_fail2ban
+ get_ikev2_script
 get_swan_ver
 get_libreswan
 install_libreswan
- get_ikev2_script
 create_vpn_config
 create_f2b_config
 update_sysctl
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 4dc7ef9..f70bc0b 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -645,10 +645,10 @@ vpnsetup() {
 install_vpn_pkgs_2
 install_vpn_pkgs_3
 install_fail2ban
+ get_ikev2_script
 get_swan_ver
 get_libreswan
 install_libreswan
- get_ikev2_script
 create_vpn_config
 create_f2b_config
 update_sysctl
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 89aa739..6156874 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -633,10 +633,10 @@ vpnsetup() {
 detect_ip
 install_vpn_pkgs
 install_fail2ban
+ get_ikev2_script
 get_swan_ver
 get_libreswan
 install_libreswan
- get_ikev2_script
 create_vpn_config
 update_sysctl
 update_iptables
From 3d6b685e0b31f479daf285a153463d13799b42cd Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 23 Feb 2022 00:13:29 -0600
Subject: [PATCH 13/22] Update docs

---
 docs/ikev2-howto-zh.md | 2 +-
 docs/ikev2-howto.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index b54f8b1..2ef74ac 100644
--- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -797,7 +797,7 @@ sudo ikev2.sh --revokeclient [client name] 如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: -1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500,然后重新连接 IKEv2 客户端: +1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: ```bash # 将 ens4 替换为你的服务器上的网络接口名称 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index bbb7ad1..77ccc7e 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -799,7 +799,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: -1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server, then re-connect the IKEv2 client: +1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: ```bash # Replace ens4 with the network interface name on your server From 79a344ec46ba2e7eb4e503a197c4bd4de4bb3203 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 24 Feb 2022 09:18:39 -0600 Subject: [PATCH 14/22] Cleanup --- vpnsetup_centos.sh | 4 ++-- vpnsetup_ubuntu.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index f70bc0b..9591aab 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -536,8 +536,8 @@ update_iptables() {
 }
 
 apply_gcp_mtu_fix() {
- if dmidecode -s system-product-name 2>/dev/null | grep -q "Google Compute Engine" \
- && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -q "mtu 1460"; then
+ if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
+ && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
 bigecho "Applying fix for MTU size..."
 ifconfig "$NET_IFACE" mtu 1500
 dh_file="/etc/dhcp/dhclient.conf"
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 6156874..49a7411 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -492,8 +492,8 @@ update_iptables() {
 }
 
 apply_gcp_mtu_fix() {
- if dmidecode -s system-product-name 2>/dev/null | grep -q "Google Compute Engine" \
- && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -q "mtu 1460"; then
+ if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
+ && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
 bigecho "Applying fix for MTU size..."
 ifconfig "$NET_IFACE" mtu 1500
 dh_file="/etc/dhcp/dhclient.conf"
From 32a55ec06a041a74fa140ea811470d8743b6252e Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 25 Feb 2022 21:17:09 -0600
Subject: [PATCH 15/22] Update IKEv2 script

- Make IKEv2 client address pool customizable using VPN_XAUTH_POOL, similar to vpnsetup.sh. This is for advanced users only.

---
 extras/ikev2setup.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index e1f1829..43e7c37 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -1032,6 +1032,7 @@ ANSWERS
 
 add_ikev2_connection() {
 bigecho2 "Adding a new IKEv2 connection..."
+ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
 if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then
 echo >> "$IPSEC_CONF"
 echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF"
@@ -1046,7 +1047,7 @@ conn ikev2-cp
 leftrsasigkey=%cert
 right=%any
 rightid=%fromcert
- rightaddresspool=192.168.43.10-192.168.43.250
+ rightaddresspool=$XAUTH_POOL
 rightca=%same
 rightrsasigkey=%cert
 narrowing=yes
From f7c5ecf50414c8641264d684a3cc974b270e3c91 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 25 Feb 2022 23:25:34 -0600
Subject: [PATCH 16/22] Update IKEv2 script

- Create a client config README file under certain circumstances, such as when setting up IKEv2 automatically and users might not see the script's output.

---
 extras/ikev2setup.sh | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 43e7c37..6ea9496 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -150,7 +150,7 @@ confirm_or_abort() {
 
 show_header() {
 cat <<'EOF'
-IKEv2 Script Copyright (c) 2020-2022 Lin Song 21 Feb 2022
+IKEv2 Script Copyright (c) 2020-2022 Lin Song 26 Feb 2022
 EOF
 }
 
@@ -1030,6 +1030,21 @@ ANSWERS
 fi
 }
 
+create_config_readme() {
+ readme_file="$export_dir$client_name-README.txt"
+ if [ "$in_container" = "0" ] && [ "$use_config_password" = "0" ] \
+ && [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
+cat > "$readme_file" <<'EOF'
+These IKEv2 client config files were created during IPsec VPN setup.
+To configure IKEv2 VPN clients, see: https://git.io/ikev2clients
+EOF
+ if [ "$export_to_home_dir" = "1" ]; then
+ chown "$SUDO_USER:$SUDO_USER" "$readme_file"
+ fi
+ chmod 600 "$readme_file"
+ fi
+}
+
 add_ikev2_connection() {
 bigecho2 "Adding a new IKEv2 connection..."
 XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
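Review bot: `VPN_XAUTH_POOL` goes straight into the `rightaddresspool=` line of the generated conn with no validation in this hunk, so a malformed value (a single address, a reversed range, a range inside the server's own subnet) only surfaces later as a failed `ipsec` load or clients with unroutable addresses. Validating both endpoints before the heredoc is one line, e.g. `check_ip "${XAUTH_POOL%-*}" && check_ip "${XAUTH_POOL#*-}" || exiterr "Invalid VPN_XAUTH_POOL."` (assuming this script has the same `check_ip`/`exiterr` helpers as quickstart.sh; otherwise add them). If vpnsetup.sh uses the same variable for its XAUTH conn, as the commit message suggests, the IKEv1 and IKEv2 conns now draw from one pool, which deserves a comment on the assignment: `# Shared with the XAUTH conn: IKEv1 and IKEv2 clients draw addresses from this one pool`. `add_ikev2_connection` and the `conn ikev2-cp` heredoc continue outside the hunk.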
@@ -1500,6 +1515,7 @@ ikev2setup() {
 create_ca_server_certs
 create_client_cert
 export_client_config
+ create_config_readme
 add_ikev2_connection
 if [ "$os_type" = "alpine" ]; then
 ipsec auto --add ikev2-cp >/dev/null
From d37a2fb811bc32863404a5be08482d6ec3469eae Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 25 Feb 2022 23:41:49 -0600
Subject: [PATCH 17/22] Improve quick start script

- The VPN quick start script now supports most of the environment variables (such as VPN_DNS_SRV1) that are currently supported by vpnsetup.sh and ikev2.sh. This change enables customization by advanced users when running the quick start script.

---
 extras/quickstart.sh | 89 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 88 insertions(+), 1 deletion(-)

diff --git a/extras/quickstart.sh b/extras/quickstart.sh
index b49d90d..40f2e50 100755
--- a/extras/quickstart.sh
+++ b/extras/quickstart.sh
@@ -17,10 +17,37 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it!
 
+# =====================================================
+
+# Define your own values for these variables
+# - IPsec pre-shared key, VPN username and password
+# - All values MUST be placed inside 'single quotes'
+# - DO NOT use these special characters within values: \ " '
+
+YOUR_IPSEC_PSK=''
+YOUR_USERNAME=''
+YOUR_PASSWORD=''
+
+# Important notes: https://git.io/vpnnotes
+# Setup VPN clients: https://git.io/vpnclients
+# IKEv2 guide: https://git.io/ikev2
+
+# =====================================================
+
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 exiterr() { echo "Error: $1" >&2; exit 1; }
 
+check_ip() {
+ IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
+ printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
+}
+
+check_dns_name() {
+ FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
+ printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX"
+}
+
 check_root() {
 if [ "$(id -u)" != 0 ]; then
 exiterr "Script must be run as root. Try 'sudo sh $0'"
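Review bot: The new `YOUR_IPSEC_PSK`/`YOUR_USERNAME`/`YOUR_PASSWORD` block asks the user to put secrets into this file but does not say what that implies: after editing, the script itself holds the PSK and password in plain text wherever it was downloaded to. A line in the same comment block covers it: `# - Once filled in, this file contains your secrets in plain text: keep it root-only (chmod 600) and delete it after setup`. `check_dns_name` would also benefit from a note on what its regex deliberately rejects, so nobody "fixes" it later: `# FQDN only: requires at least one dot and an alphabetic TLD, so bare hostnames and numeric/hyphenated TLDs are rejected`. `check_root` continues outside the hunk.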
@@ -124,6 +151,53 @@ check_iface() {
 fi
 }
 
+check_creds() {
+ [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
+ [ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
+ [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"
+
+ if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
+ return 0
+ fi
+
+ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
+ exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
+ fi
+
+ if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
+ exiterr "VPN credentials must not contain non-ASCII characters."
+ fi
+
+ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in
+ *[\\\"\']*)
+ exiterr "VPN credentials must not contain these special characters: \\ \" '"
+ ;;
+ esac
+}
+
+check_dns() {
+ if { [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; } \
+ || { [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; }; then
+ exiterr "The DNS server specified is invalid."
+ fi
+}
+
+check_server_dns() {
+ if [ -n "$VPN_DNS_NAME" ] && ! check_dns_name "$VPN_DNS_NAME"; then
+ exiterr "Invalid DNS name. 'VPN_DNS_NAME' must be a fully qualified domain name (FQDN)."
+ fi
+}
+
+check_client_name() {
+ if [ -n "$VPN_CLIENT_NAME" ]; then
+ name_len="$(printf '%s' "$VPN_CLIENT_NAME" | wc -m)"
+ if [ "$name_len" -gt "64" ] || printf '%s' "$VPN_CLIENT_NAME" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || case $VPN_CLIENT_NAME in -*) true;; *) false;; esac; then
+ exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
+ fi
+ fi
+}
+
 check_iptables() {
 if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
 if [ -x /sbin/iptables ] && ! iptables -nL INPUT >/dev/null 2>&1; then
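Review bot: `check_creds` rejects non-ASCII and the three characters `\ " '` but never checks length, so a one-character PSK or password passes and becomes the pre-shared key every client will use. A minimum length next to the existing checks is cheap and POSIX-safe: `[ "${#VPN_IPSEC_PSK}" -ge 20 ] || exiterr "VPN_IPSEC_PSK must be at least 20 characters."` (the threshold is a policy choice; the point is that there is none). `check_dns` also accepts `VPN_DNS_SRV2` with an empty `VPN_DNS_SRV1`; if the downstream scripts treat SRV1 as the primary, reject that combination here with `if [ -n "$VPN_DNS_SRV2" ] && [ -z "$VPN_DNS_SRV1" ]; then exiterr "VPN_DNS_SRV1 must be set when VPN_DNS_SRV2 is set."; fi` rather than leave it to vpn.sh. `check_iptables` continues outside the hunk.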
@@ -192,9 +266,18 @@ run_setup() {
 if tmpdir=$(mktemp --tmpdir -d vpn.XXXXX 2>/dev/null); then
 if ( set -x; wget -t 3 -T 30 -q -O "$tmpdir/vpn.sh" "$setup_url" \
 || curl -fsL "$setup_url" -o "$tmpdir/vpn.sh" 2>/dev/null ); then
- if /bin/bash "$tmpdir/vpn.sh"; then
+ if VPN_IPSEC_PSK="$VPN_IPSEC_PSK" VPN_USER="$VPN_USER" VPN_PASSWORD="$VPN_PASSWORD" \
+ VPN_PUBLIC_IP="$VPN_PUBLIC_IP" VPN_L2TP_NET="$VPN_L2TP_NET" \
+ VPN_L2TP_LOCAL="$VPN_L2TP_LOCAL" VPN_L2TP_POOL="$VPN_L2TP_POOL" \
+ VPN_XAUTH_NET="$VPN_XAUTH_NET" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
+ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
+ /bin/bash "$tmpdir/vpn.sh"; then
 if [ -s /opt/src/ikev2.sh ] && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
 sleep 1
+ VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$VPN_PUBLIC_IP" \
+ VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
+ VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
+ VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
 /bin/bash /opt/src/ikev2.sh --auto || status=1
 fi
 else
@@ -217,6 +300,10 @@ quickstart() {
 check_lxc
 check_os
 check_iface
+ check_creds
+ check_dns
+ check_server_dns
+ check_client_name
 check_iptables
 install_pkgs
 get_setup_url
From 8be670c4c8b24cf805170a025328bda226cfcdaf Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 25 Feb 2022 23:50:55 -0600
Subject: [PATCH 18/22] Update templates

- Update the AWS and Azure deployment template or script to use the VPN quick start script instead of vpnsetup.sh. The quick start script sets up IKEv2 automatically, so users don't need to manually set up IKEv2.

---
 aws/cloudformation-template-ipsec.json | 2 +-
 azure/install.sh | 5 +----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/aws/cloudformation-template-ipsec.json b/aws/cloudformation-template-ipsec.json
index 82af91d..7d137b4 100644
--- a/aws/cloudformation-template-ipsec.json
+++ b/aws/cloudformation-template-ipsec.json
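Review bot: The PSK and password are now handed to a script that `run_setup` has just downloaded from `$setup_url` and executes as root with no integrity check, so their safety rests entirely on TLS to the redirector and the upstream host; `get_setup_url` and the start of `run_setup` are outside this hunk. Pinning the download to a release and verifying a checksum before `/bin/bash "$tmpdir/vpn.sh"` would close that gap; short of that, the trust assumption should be written down, e.g. `# vpn.sh is fetched over HTTPS and run as root with the credentials in its environment; nothing here verifies its contents`. Passing the variables as a command-environment prefix rather than exporting them is the right call, and the `( set -x; ... )` subshell traces only the wget/curl line, so the credentials do not reach the terminal.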
@@ -387,7 +387,7 @@
 "Ref": "VpnPassword"
 },
 "'\n",
- "wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnsetup\n",
+ "wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnstart\n",
 "sh vpn.sh\n",
 "cfn-signal -e 0 ",
 " --stack ",
diff --git a/azure/install.sh b/azure/install.sh
index 7a64340..bf83550 100755
--- a/azure/install.sh
+++ b/azure/install.sh
@@ -4,7 +4,4 @@ export VPN_IPSEC_PSK=$1
 export VPN_USER=$2
 export VPN_PASSWORD=$3
-# Wait 60 seconds for apt/dpkg lock
-sleep 60
-
-wget https://git.io/vpnsetup -O vpn.sh && sh vpn.sh
+wget -t 3 -T 30 -nv -O vpn.sh https://git.io/vpnstart && sh vpn.sh
From d1f15684bed8ea7e7022f3266fb90313d3aaded1 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 26 Feb 2022 00:48:31 -0600
Subject: [PATCH 19/22] Update docs

- Re-add DigitalOcean deploy button. Ref: carlfriess/DigitalOceanVPNSetup#11 617f981

---
 README-zh.md | 2 +-
 README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README-zh.md b/README-zh.md
index 0db2e78..d90bd93 100644
--- a/README-zh.md
+++ b/README-zh.md
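Review bot: The 60-second wait for the apt/dpkg lock is dropped along with the switch to the quick start script, but nothing in this hunk shows the downloaded script waiting for that lock itself; on a freshly booted Azure VM, cloud-init or unattended-upgrades frequently still hold it, so the first package install inside `vpn.sh` can fail and the extension reports an error. If `quickstart.sh` handles this (its `install_pkgs` is not visible here), leave a comment where the sleep was, e.g. `# No apt-lock wait needed: the quick start script handles package installation retries`; otherwise keep a bounded wait such as `while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do sleep 5; done`. The retry and timeout flags added to `wget` (`-t 3 -T 30`) are an improvement over the previous unbounded call.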
@@ -83,7 +83,7 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh 这也包括各种公共云服务中的 Linux 虚拟机,比如 [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) 和 [OVH](https://www.ovhcloud.com/en/vps/)。[Amazon EC2](https://aws.amazon.com/ec2/) 用户可以使用 [CloudFormation](aws/README-zh.md) 或者 [用户数据](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup) 快速部署。 -[![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README-zh.md)  [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README-zh.md)  [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) +[![Deploy to DigitalOcean](docs/images/do-install-button.png)](http://dovpn.carlfriess.com) [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) [![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README-zh.md) [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README-zh.md) [**» 我想建立并使用自己的 VPN ,但是没有可用的服务器**](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps) diff --git a/README.md b/README.md index 70ae100..cbe470a 100644 --- a/README.md +++ b/README.md 
@@ -83,7 +83,7 @@ A dedicated server or virtual private server (VPS), freshly installed with one o This also includes Linux VMs in public clouds, such as [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) and [OVH](https://www.ovhcloud.com/en/vps/). [Amazon EC2](https://aws.amazon.com/ec2/) users can deploy rapidly using [CloudFormation](aws/README.md) or [user data](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup). -[![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README.md)  [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README.md)  [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) +[![Deploy to DigitalOcean](docs/images/do-install-button.png)](http://dovpn.carlfriess.com) [![Deploy to Linode](docs/images/linode-deploy-button.png)](https://cloud.linode.com/stackscripts/37239) [![Deploy to AWS](docs/images/aws-deploy-button.png)](aws/README.md) [![Deploy to Azure](docs/images/azure-deploy-button.png)](azure/README.md) [**» I want to run my own VPN but don't have a server for that**](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps) From 38ba5f0f7e571830f7627c3d68e3ecf72d351171 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 26 Feb 2022 18:11:54 -0600 Subject: [PATCH 20/22] Update template - Remove CentOS 8 from AWS template, which is EOL. --- aws/cloudformation-template-ipsec.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/aws/cloudformation-template-ipsec.json b/aws/cloudformation-template-ipsec.json index 7d137b4..9e742ab 100644 --- a/aws/cloudformation-template-ipsec.json +++ b/aws/cloudformation-template-ipsec.json 
@@ -14,9 +14,6 @@
 "CentOS7": {
 "HelperInstallationCommands": "yum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
 },
- "CentOS8": {
- "HelperInstallationCommands": "yum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n"
- },
 "AmazonLinux2": {
 "HelperInstallationCommands": "export PATH=\"$PATH:/opt/aws/bin\"\n"
 }
@@ -651,7 +648,6 @@
 " 'Ubuntu2004': 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*',",
 " 'Debian9': 'debian-stretch-hvm-x86_64-gp2-*',",
 " 'CentOS7': 'CentOS 7.9.2009 x86_64',",
- " 'CentOS8': 'CentOS 8.3.2011 x86_64',",
 " 'AmazonLinux2': 'amzn2-ami-hvm-*.*-x86_64-gp2',",
 " }[distribution]",
 " response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[AMIName]}], Owners=['099720109477', '379101102735', '125523088429', 'amazon'])",
@@ -805,7 +801,6 @@
 "Ubuntu1804",
 "Debian9",
 "CentOS7",
- "CentOS8",
 "AmazonLinux2"
 ]
 },
From ec089cf800401f31a7427bf915fefaab6f55f719 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 26 Feb 2022 18:12:47 -0600
Subject: [PATCH 21/22] Update docs
---
 aws/README-zh.md | 8 +++++---
 aws/README.md | 10 ++++++----
 azure/README-zh.md | 2 ++
 azure/README.md | 2 ++
 4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/aws/README-zh.md b/aws/README-zh.md
index 2a2e760..ddb0865 100644
--- a/aws/README-zh.md
+++ b/aws/README-zh.md
@@ -8,7 +8,7 @@ - Amazon EC2 实例类型 > **注:** 在某些 AWS 区域中,此模版提供的某些实例类型可能不可用。比如 `m5a.large` 可能无法在 `ap-east-1` 区域部署(仅为假设)。在此情况下,你会在部署过程中遇到此错误:`The requested configuration is currently not supported. Please check the documentation for supported configurations`。新开放的 AWS 区域更容易出现此问题,因为它们提供的实例类型较少。如需了解更多关于实例可用性的信息,请参见 [https://instances.vantage.sh/](https://instances.vantage.sh/)。 -- VPN 服务器的操作系统(Ubuntu 20.04/18.04, Debian 9, CentOS 8/7, Amazon Linux 2) +- VPN 服务器的操作系统(Ubuntu 20.04/18.04, Debian 9, CentOS 7, Amazon Linux 2) > **注:** 在 EC2 上使用 Debian 9 映像之前,你需要先在 AWS Marketplace 上订阅:[Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3)。 - 你的 VPN 用户名 - 你的 VPN 密码 @@ -36,7 +36,9 @@ 要指定一个 AWS 区域,你可以使用导航栏上你的帐户信息右侧的选择器。当你在最后一步中点击 "create stack" 之后,请等待堆栈创建和 VPN 安装完成,可能需要最多 15 分钟。一旦堆栈的部署状态变成 **"CREATE_COMPLETE"** ,你就可以连接到 VPN 服务器了。单击 **Outputs** 选项卡以查看你的 VPN 登录信息,然后继续下一步:[配置 VPN 客户端](../README-zh.md#下一步)。 -> **注**:如果你删除使用此模板部署的 CloudFormation 堆栈,在部署期间添加的密钥对将不会自动被清理。要管理你的密钥对,请转到 EC2 控制台 -> 密钥对。 +> **注:** IKEv2 模式的客户端配置文件可以在你的 VPN 服务器的 `/root` 目录中找到。要使用 SSH 连接到服务器,请参见下面的 "常见问题" 小节。 + +> **注:** 如果你删除使用此模板部署的 CloudFormation 堆栈,在部署期间添加的密钥对将不会自动被清理。要管理你的密钥对,请转到 EC2 控制台 -> 密钥对。 ## 常见问题 @@ -56,7 +58,7 @@ EC2 上的每个 Linux 服务器发行版本都有它自己的默认登录用户 | --- | --- | | Ubuntu (`Ubuntu *.04`) | `ubuntu` | | Debian (`Debian 9`) | `admin` | -| CentOS (`CenOS 7/8`) | `centos` | +| CentOS (`CenOS 7`) | `centos` | | Amazon Linux 2 | `ec2-user` | 此模板在部署期间为你生成一个密钥对,并且在成功创建堆栈后,其中的私钥将在 **Outputs** 选项卡下以文本形式提供。 diff --git a/aws/README.md b/aws/README.md index 5bad6f8..0c579d9 100644 --- a/aws/README.md +++ b/aws/README.md 
@@ -7,8 +7,8 @@ This template will create a fully-working IPsec VPN server on Amazon Elastic Com Available customization parameters: - Amazon EC2 instance type -> **Note**: It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. For more info about instance type availability, refer to [https://instances.vantage.sh/](https://instances.vantage.sh/). -- OS for your VPN server (Ubuntu 20.04/18.04, Debian 9, CentOS 8/7, Amazon Linux 2) +> **Note:** It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. For more info about instance type availability, refer to [https://instances.vantage.sh/](https://instances.vantage.sh/). +- OS for your VPN server (Ubuntu 20.04/18.04, Debian 9, CentOS 7, Amazon Linux 2) > **Note:** Before using the Debian 9 image on EC2, you need to first subscribe at the AWS Marketplace: [Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3). - Your VPN username - Your VPN password 
@@ -36,7 +36,9 @@ Click the icon below to start: You may choose an AWS region using the selector to the right of your account information on the navigation bar. After you click "create stack" in the final step, please wait for the stack creation and VPN setup to complete, which may take up to 15 minutes. As soon as the stack's status changes to **"CREATE_COMPLETE"**, you are ready to connect to the VPN server. Click the **Outputs** tab to view your VPN login details. Then continue to [Next steps: Configure VPN Clients](../README.md#next-steps). -> **Note**: If you delete a CloudFormation stack deployed using this template, the key pair that was added during deployment won't be automatically cleaned up. To manage your key pairs, go to EC2 console -> Key Pairs. +> **Note:** Client configuration files for IKEv2 mode can be found in the `/root` folder of your VPN server. To connect to the VPN server using SSH, refer to the FAQs section below. + +> **Note:** If you delete a CloudFormation stack deployed using this template, the key pair that was added during deployment won't be automatically cleaned up. To manage your key pairs, go to EC2 console -> Key Pairs. ## FAQs @@ -56,7 +58,7 @@ List of default usernames: | --- | --- | | Ubuntu (`Ubuntu *.04`) | `ubuntu` | | Debian (`Debian 9`) | `admin` | -| CentOS (`CenOS 7/8`) | `centos` | +| CentOS (`CenOS 7`) | `centos` | | Amazon Linux 2 | `ec2-user` | This template generates a key pair for you during deployment, and the private key will be available as text under the **Outputs** tab after the stack is successfully created. diff --git a/azure/README-zh.md b/azure/README-zh.md index 95077e9..7bb0e05 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -20,6 +20,8 @@ 在完成部署之后,Azure 会有提示。下一步:[配置 VPN 客户端](../README-zh.md#下一步)。 +**注:** IKEv2 模式的客户端配置文件可以在你的 VPN 服务器的 `/root` 目录中找到。在使用 SSH 连接到服务器时,请使用你在部署模板中指定的用户名和密码。 + ## 作者 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) 
diff --git a/azure/README.md b/azure/README.md
index effbf31..70d88af 100644
--- a/azure/README.md
+++ b/azure/README.md
@@ -20,6 +20,8 @@ Press this button to start:
 When the deployment finishes, Azure displays a notification. Next steps: [Configure VPN Clients](../README.md#next-steps).
+**Note:** Client configuration files for IKEv2 mode can be found in the `/root` folder of your VPN server. When connecting to the server using SSH, use the username and password you specified in the deployment template.
+
 ## Authors
 Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu)
From a03f2d556b0cc82820caf0824ed224c6b14475b2 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 27 Feb 2022 11:00:03 -0600
Subject: [PATCH 22/22] Update docs
- Simplify VPN setup: Switch to use the quick start script, which automatically sets up IKEv2 as part of the IPsec VPN setup. The quick start script was updated and users can specify variables similar to vpnsetup.sh. Ref: d37a2fb
- Other minor updates
---
 README-zh.md | 55 ++----------
 README.md | 55 ++----------
 docs/ikev2-howto-zh.md | 197 ++++++++++++++++++++++-------------------
 docs/ikev2-howto.md | 197 ++++++++++++++++++++++-------------------
 4 files changed, 224 insertions(+), 280 deletions(-)
diff --git a/README-zh.md b/README-zh.md
index d90bd93..fe3dc5c 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -102,32 +102,16 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh
 要安装 VPN,请从以下选项中选择一个:
-
- -选项 1: 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。 - +**选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。 ```bash -wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): +**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证。 ```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
- -
- -选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。 - - -```bash -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh nano -w vpn.sh [替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD] sudo sh vpn.sh @@ -135,41 +119,18 @@ sudo sh vpn.sh **注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): - -```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
- -
- -选项 3: 将你自己的 VPN 登录凭证定义为环境变量。 - +**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量。 ```bash # 所有变量值必须用 '单引号' 括起来 # *不要* 在值中使用这些字符: \ " ' -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' \ sh vpn.sh ``` -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): - -```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
-
如果无法通过 wget 下载,点这里查看解决方案。 @@ -178,11 +139,11 @@ sudo ikev2.sh 你也可以使用 `curl` 下载。例如: ```bash -curl -fsSL https://git.io/vpnsetup -o vpn.sh +curl -fsSL https://git.io/vpnstart -o vpn.sh sudo sh vpn.sh ``` -或者,打开 [vpnsetup.sh](vpnsetup.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。 +或者,打开 [quickstart.sh](extras/quickstart.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
## 下一步 diff --git a/README.md b/README.md index cbe470a..df314ac 100644 --- a/README.md +++ b/README.md @@ -102,32 +102,16 @@ First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade To install the VPN, please choose one of the following options: -
- -Option 1: Have the script generate random VPN credentials for you (will be displayed when finished). - +**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished). ```bash -wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): +**Option 2:** Edit the script and provide your own VPN credentials. ```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
- -
- -Option 2: Edit the script and provide your own VPN credentials. - - -```bash -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh nano -w vpn.sh [Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD] sudo sh vpn.sh @@ -135,41 +119,18 @@ sudo sh vpn.sh **Note:** A secure IPsec PSK should consist of at least 20 random characters. -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): - -```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
- -
- -Option 3: Define your VPN credentials as environment variables. - +**Option 3:** Define your VPN credentials as environment variables. ```bash # All values MUST be placed inside 'single quotes' # DO NOT use these special characters within values: \ " ' -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' \ sh vpn.sh ``` -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): - -```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
-
Click here if you are unable to download using wget. @@ -178,11 +139,11 @@ Click here if you are unable to download using wget. You may also use `curl` to download. For example: ```bash -curl -fsSL https://git.io/vpnsetup -o vpn.sh +curl -fsSL https://git.io/vpnstart -o vpn.sh sudo sh vpn.sh ``` -Alternatively, open [vpnsetup.sh](vpnsetup.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor. +Alternatively, open [quickstart.sh](extras/quickstart.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
## Next steps diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2ef74ac..6ba7f89 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -8,10 +8,10 @@ * [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) * [管理客户端证书](#管理客户端证书) -* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [故障排除](#故障排除) -* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) +* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) +* [手动配置 IKEv2](#手动配置-ikev2) * [移除 IKEv2](#移除-ikev2) * [参考链接](#参考链接) @@ -42,6 +42,8 @@ sudo ikev2.sh --auto sudo ikev2.sh ``` +**注:** 如果 IKEv2 已经配置完成,但是你想要自定义 IKEv2 选项,首先 [移除 IKEv2](#移除-ikev2),然后运行 `sudo ikev2.sh` 重新配置。 + 在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
@@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
+了解如何更改 IKEv2 服务器地址。 + + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要了解更多信息,参见 [这一小节](#更改-ikev2-服务器地址)。 +
+
+ 查看 IKEv2 脚本的使用信息。 @@ -421,7 +430,7 @@ sudo ikev2.sh --listclients sudo ikev2.sh --addclient [client name] ``` -另外,你也可以手动添加客户端证书。参见 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 +另外,你也可以手动添加客户端证书。参见 [这一小节](#手动配置-ikev2) 的第 4 步。 ### 导出已有的客户端的配置 @@ -569,9 +578,99 @@ sudo ikev2.sh --revokeclient [client name] ```
-## 手动在 VPN 服务器上配置 IKEv2 +## 故障排除 -除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。 +*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。* + +**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 + +* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) +* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) +* [参数错误 policy match error](#参数错误-policy-match-error) +* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) +* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) +* [其它已知问题](#其它已知问题) + +### 连接 IKEv2 后不能打开网站 + +如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: + +1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: + + ```bash + # 将 ens4 替换为你的服务器上的网络接口名称 + sudo ifconfig ens4 mtu 1500 + ``` + + 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 + +1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。 + +1. 
在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 + +### IKE 身份验证凭证不可接受 + +如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 + +### 参数错误 policy match error + +要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 + +- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 在一小时后断开连接 + +如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: + +``` + ikelifetime=24h + salifetime=24h +``` + +保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 + +### 无法同时连接多个 IKEv2 客户端 + +如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 + +如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 + +### 其它已知问题 + +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 +1. 
如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 + +## 更改 IKEv2 服务器地址 + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。请注意,你在 VPN 客户端指定的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**,否则客户端可能无法连接。 + +要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 + +```bash +# 下载脚本 +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# 运行脚本并按照提示操作 +sudo bash ikev2changeaddr.sh +``` + +**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址以及 Remote ID(如果适用)。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 + +## 更新 IKEv2 辅助脚本 + +IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + +## 手动配置 IKEv2 + +除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动在 VPN 服务器上配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 @@ -780,94 +879,6 @@ sudo ikev2.sh --revokeclient [client name] 在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
-## 故障排除 - -*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。* - -**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 - -* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) -* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) -* [参数错误 policy match error](#参数错误-policy-match-error) -* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) -* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) -* [其它已知问题](#其它已知问题) - -### 连接 IKEv2 后不能打开网站 - -如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: - -1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: - - ```bash - # 将 ens4 替换为你的服务器上的网络接口名称 - sudo ifconfig ens4 mtu 1500 - ``` - - 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 - -1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。 - -1. 在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 - -### IKE 身份验证凭证不可接受 - -如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 - -### 参数错误 policy match error - -要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 - -- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 在一小时后断开连接 - -如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: - -``` - ikelifetime=24h - salifetime=24h -``` - -保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 - -### 无法同时连接多个 IKEv2 客户端 - -如果要连接多个客户端,则必须为每个客户端 
[生成唯一的证书](#添加客户端证书)。 - -如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 - -### 其它已知问题 - -1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 -1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 - -## 更新 IKEv2 辅助脚本 - -IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` - -## 更改 IKEv2 服务器地址 - -在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 - -```bash -# 下载脚本 -wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr -# 运行脚本并按照提示操作 -sudo bash ikev2changeaddr.sh -``` - -**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 - ## 移除 IKEv2 如果你想要从 VPN 服务器移除 IKEv2,但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本配置-ikev2) 并选择 "Remove IKEv2" 选项。**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**! diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 77ccc7e..1e9a87f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -8,10 +8,10 @@ * [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) * [Manage client certificates](#manage-client-certificates) -* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Troubleshooting](#troubleshooting) -* [Update IKEv2 helper script](#update-ikev2-helper-script) * [Change IKEv2 server address](#change-ikev2-server-address) +* [Update IKEv2 helper script](#update-ikev2-helper-script) +* [Manually set up IKEv2](#manually-set-up-ikev2) * [Remove IKEv2](#remove-ikev2) * [References](#references) @@ -42,6 +42,8 @@ sudo ikev2.sh --auto sudo ikev2.sh ``` +**Note:** If IKEv2 is already set up, but you want to customize IKEv2 options, first [remove IKEv2](#remove-ikev2), then set it up again using `sudo ikev2.sh`. + When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
@@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
+Learn how to change the IKEv2 server address. + + +In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Learn more in [this section](#change-ikev2-server-address). +
+
+ View usage information for the IKEv2 script. @@ -423,7 +432,7 @@ To generate certificates for additional IKEv2 clients, just run the [helper scri sudo ikev2.sh --addclient [client name] ``` -Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server). +Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2). ### Export configuration for an existing client @@ -571,9 +580,99 @@ Alternatively, you may manually revoke a client certificate. This can be done us ```
-## Manually set up IKEv2 on the VPN server +## Troubleshooting -As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version. +*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* + +**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). + +* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) +* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) +* [Policy match error](#policy-match-error) +* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) +* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) +* [Other known issues](#other-known-issues) + +### Cannot open websites after connecting to IKEv2 + +If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: + +1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: + + ```bash + # Replace ens4 with the network interface name on your server + sudo ifconfig ens4 mtu 1500 + ``` + + This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. + +1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues). + +1. 
Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. + +### IKE authentication credentials are unacceptable + +If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). + +### Policy match error + +To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. + +- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 disconnects after one hour + +If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: + +``` + ikelifetime=24h + salifetime=24h +``` + +Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. + +### Unable to connect multiple IKEv2 clients + +To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. + +If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. 
home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. + +### Other known issues + +1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. +1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. + +## Change IKEv2 server address + +In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Note that the server address you specify on VPN client devices must **exactly match** the server address in the output of the IKEv2 helper script. Otherwise, devices may be unable to connect. + +To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. + +```bash +# Download the script +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# Run the script and follow the prompts +sudo bash ikev2changeaddr.sh +``` + +**Important:** After running this script, you must manually update the server address (and remote ID, if applicable) on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). 
+ +## Update IKEv2 helper script + +The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + +## Manually set up IKEv2 + +As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2 on the VPN server. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version. The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. @@ -782,94 +881,6 @@ View example steps for manually configuring IKEv2 with Libreswan. Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
-## Troubleshooting - -*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* - -**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). - -* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) -* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) -* [Policy match error](#policy-match-error) -* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) -* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) -* [Other known issues](#other-known-issues) - -### Cannot open websites after connecting to IKEv2 - -If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: - -1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: - - ```bash - # Replace ens4 with the network interface name on your server - sudo ifconfig ens4 mtu 1500 - ``` - - This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. - -1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues). - -1. Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. 
- -### IKE authentication credentials are unacceptable - -If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). - -### Policy match error - -To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. - -- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 disconnects after one hour - -If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: - -``` - ikelifetime=24h - salifetime=24h -``` - -Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. - -### Unable to connect multiple IKEv2 clients - -To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. - -If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. 
As of 2021-02-01, the IKEv2 helper script was updated to include this fix. - -### Other known issues - -1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. -1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. - -## Update IKEv2 helper script - -The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` - -## Change IKEv2 server address - -In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. - -```bash -# Download the script -wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr -# Run the script and follow the prompts -sudo bash ikev2changeaddr.sh -``` - -**Important:** After running this script, you must manually update the server address on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). 
- ## Remove IKEv2 If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#set-up-ikev2-using-helper-script) again and select the "Remove IKEv2" option. **Warning:** All IKEv2 configuration including certificates and keys will be **permanently deleted**. This **cannot be undone**!