diff --git a/README-zh.md b/README-zh.md
index f7de0a7..70e02ae 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
## 快速开始
-首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu 16.04/14.04 LTS, Debian 或者 CentOS 系统。
+首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。
使用以下命令快速搭建 IPsec VPN 服务器:
@@ -53,12 +53,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
- 可直接作为 Amazon EC2 实例创建时的用户数据使用
- 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能
-- 已测试: Ubuntu 16.04/14.04, Debian 9/8 和 CentOS 7/6
+- 已测试: Ubuntu 18.04/16.04/14.04, Debian 9/8 和 CentOS 7/6
## 系统要求
一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs):
-- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)
+- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty)
- Debian 9 (Stretch) or 8 (Jessie)
- CentOS 7 (x86_64) with Updates
- CentOS 6 (x86_64) with Updates
@@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。
-这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH 和 Rackspace。
+这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH 和 Rackspace。
@@ -77,8 +77,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。
-**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。
-
:warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上!
## 安装说明
@@ -143,15 +141,15 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
**Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。
-同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。
+同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。
-对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。
+对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。
如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。
在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。
-使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。
+使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
@@ -173,7 +171,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
## 问题和反馈
- 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。
-- VPN 的相关问题可在 Libreswan 或 strongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。
+- VPN 的相关问题可在 Libreswan 或 strongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。
- 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。
## 卸载说明
@@ -184,7 +182,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
- IPsec VPN Server on Docker
- IKEv2 VPN Server on Docker
-- Streisand
+- Streisand
- Algo VPN
- OpenVPN Install
diff --git a/README.md b/README.md
index ae1cd27..6786b14 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ We will use Libreswan as th
## Quick start
-First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu 16.04/14.04 LTS, Debian or CentOS.
+First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS.
Use this one-liner to set up an IPsec VPN server:
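Review bot: "Ubuntu LTS" in the quick-start sentence is open-ended, while the Features and Requirements hunks below list exactly Ubuntu 18.04/16.04/14.04 as tested, so a reader on a later LTS will take this line as a statement of support before the script has been run there. Either keep the explicit release list here ("Ubuntu 18.04/16.04/14.04 LTS") or write "a supported Ubuntu LTS" and point at Requirements. The same wording change appears in README-zh.md and needs the same fix.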
@@ -53,12 +53,12 @@ For other installation options and how to set up VPN clients, read the sections
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Includes `sysctl.conf` optimizations for improved performance
-- Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6
+- Tested with Ubuntu 18.04/16.04/14.04, Debian 9/8 and CentOS 7/6
## Requirements
A newly created Amazon EC2 instance, from these images (AMIs):
-- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)
+- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty)
- Debian 9 (Stretch) or 8 (Jessie)
- CentOS 7 (x86_64) with Updates
- CentOS 6 (x86_64) with Updates
@@ -69,7 +69,7 @@ Please see OpenVPN or Shadowsocks.
-This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace.
+This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace.
@@ -77,8 +77,6 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3.
-**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15.
-
:warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server!
## Installation
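Review bot: Dropping the "Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15" note is only justified if that incompatibility is actually resolved, and nothing in this patch touches vpnsetup.sh or the xl2tpd handling; the only script change is to extras/vpnupgrade.sh. Please reference what fixed it (the xl2tpd release, or the installer commit) in the commit message or a changelog line so the removal is traceable, and if 18.04 still depends on installing an extra kernel-modules package, as the kernel-support paragraph further down implies, say so where this note used to be. The same note is removed from README-zh.md.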
@@ -143,15 +141,15 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
-The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation and an Libreswan issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router).
+The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode.
-For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN.
+For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN.
If you wish to add, edit or remove VPN user accounts, see Manage VPN Users.
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
-Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service.
+Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
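Review bot: The kernel-support line now covers Ubuntu 18.04 but still tells all Ubuntu users to install `` linux-image-extra-`uname -r` ``; that is the Xenial package name, and on Bionic the optional modules (including the L2TP ones) were moved to `linux-modules-extra-<version>`, so please check that the name resolves on 18.04 (for example `apt-cache policy linux-image-extra-$(uname -r)` on a Bionic host) before publishing it, and list both names if the two releases differ. Dropping "L2TP" from "Using L2TP kernel support" also makes the sentence vaguer; the performance gain comes from the in-kernel L2TP/PPPoL2TP modules, so keep the qualifier. The corresponding paragraph in README-zh.md has the same two issues.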
@@ -173,7 +171,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
## Bugs & Questions
- Got a question? Please first search other people's comments in this Gist and on my blog.
-- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5].
+- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
## Uninstallation
@@ -184,7 +182,7 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker
- IKEv2 VPN Server on Docker
-- Streisand
+- Streisand
- Algo VPN
- OpenVPN Install
diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md
index d2aa93d..821549e 100644
--- a/docs/clients-xauth-zh.md
+++ b/docs/clients-xauth-zh.md
@@ -99,14 +99,14 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。
+本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。
## 授权协议
注: 这个协议仅适用于本文档。
版权所有 (C) 2016-2018 Lin Song
-基于 Joshua Lund 的工作 (版权所有 2014-2016)
+基于 Joshua Lund 的工作 (版权所有 2014-2016)
本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。
diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md
index 7f6b90a..66aa019 100644
--- a/docs/clients-xauth.md
+++ b/docs/clients-xauth.md
@@ -36,7 +36,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha
1. Enter `Your VPN Password` in the **Password** field.
1. Click **Connect**.
-Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see Troubleshooting.
@@ -58,7 +58,7 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Android
@@ -78,7 +78,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy
1. Check the **Save account information** checkbox.
1. Tap **Connect**.
-Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see Troubleshooting.
@@ -96,7 +96,7 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Linux
@@ -137,14 +137,14 @@ Please also check https://help.ubuntu.com/community/VPNClient#VPNC for details h
## Credits
-This document was adapted from the Streisand project, maintained by Joshua Lund and contributors.
+This document was adapted from the Streisand project, maintained by Joshua Lund and contributors.
## License
Note: This license applies to this document only.
Copyright (C) 2016-2018 Lin Song
-Based on the work of Joshua Lund (Copyright 2014-2016)
+Based on the work of Joshua Lund (Copyright 2014-2016)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
diff --git a/docs/clients-zh.md b/docs/clients-zh.md
index ae4a105..1e4d390 100644
--- a/docs/clients-zh.md
+++ b/docs/clients-zh.md
@@ -160,6 +160,118 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。**
+
+- 适用于 Windows Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
+ ```
+
+- 仅适用于 Windows XP ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
+ ```
+
+另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。
+
+- 适用于 Windows XP, Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
+ ```
+
+### Windows 错误 628
+
+> 在连接完成前,连接被远程计算机终止。
+
+要解决此错误,请按以下步骤操作:
+
+1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。
+1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。
+1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。
+1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。
+1. 单击 **高级设置** 按钮。
+1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
+1. 单击 **确定** 关闭 **高级设置**。
+1. 单击 **确定** 保存 VPN 连接的详细信息。
+
+
+
+### Android 6 及以上版本
+
+如果你无法使用 Android 6 或以上版本连接:
+
+1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
+1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见)
+
+
+
+### Chromebook 连接问题
+
+Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。
+
+### 其它错误
+
+如果你遇到其它错误,请参见以下链接:
+
+* http://www.tp-link.com/en/faq-1029.html
+* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
+* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
+
+### 额外的步骤
+
+请尝试下面这些额外的故障排除步骤:
+
+首先,重启 VPN 服务器上的相关服务:
+
+```bash
+service ipsec restart
+service xl2tpd restart
+```
+
+如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。
+
+然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
+
+检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误:
+
+```bash
+# Ubuntu & Debian
+grep pluto /var/log/auth.log
+grep xl2tpd /var/log/syslog
+
+# CentOS & RHEL
+grep pluto /var/log/secure
+grep xl2tpd /var/log/messages
+```
+
+查看 IPsec VPN 服务器状态:
+
+```bash
+ipsec status
+ipsec verify
+```
+
+显示当前已建立的 VPN 连接:
+
+```bash
+ipsec whack --trafficstatus
+```
+
+## Linux VPN 客户端
+
以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。
要配置 VPN 客户端,首先安装以下软件包:
@@ -356,120 +468,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
```
-## 故障排除
-
-*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
-
-### Windows 错误 809
-
-> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。
-
-要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。
-
-- 适用于 Windows Vista, 7, 8 和 10
- ```console
- REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
- ```
-
-- 仅适用于 Windows XP
- ```console
- REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
- ```
-
-另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。
-
-```console
-REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
-```
-
-### Windows 错误 628
-
-> 在连接完成前,连接被远程计算机终止。
-
-要解决此错误,请按以下步骤操作:
-
-1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。
-1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。
-1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。
-1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。
-1. 单击 **高级设置** 按钮。
-1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
-1. 单击 **确定** 关闭 **高级设置**。
-1. 单击 **确定** 保存 VPN 连接的详细信息。
-
-
-
-### Android 6 及以上版本
-
-如果你无法使用 Android 6 或以上版本连接:
-
-1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
-1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见)
-
-
-
-### Chromebook 连接问题
-
-Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。
-
-### 其它错误
-
-如果你遇到其它错误,请参见以下链接:
-
-* http://www.tp-link.com/en/faq-1029.html
-* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
-* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
-
-### 额外的步骤
-
-请尝试下面这些额外的故障排除步骤:
-
-首先,重启 VPN 服务器上的相关服务:
-
-```bash
-service ipsec restart
-service xl2tpd restart
-```
-
-如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。
-
-然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
-
-检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误:
-
-```bash
-# Ubuntu & Debian
-grep pluto /var/log/auth.log
-grep xl2tpd /var/log/syslog
-
-# CentOS & RHEL
-grep pluto /var/log/secure
-grep xl2tpd /var/log/messages
-```
-
-查看 IPsec VPN 服务器状态:
-
-```bash
-ipsec status
-ipsec verify
-```
-
-显示当前已建立的 VPN 连接:
-
-```bash
-ipsec whack --trafficstatus
-```
-
## 致谢
-本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。
+本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。
## 授权协议
注: 这个协议仅适用于本文档。
版权所有 (C) 2016-2018 Lin Song
-基于 Joshua Lund 的工作 (版权所有 2014-2016)
+基于 Joshua Lund 的工作 (版权所有 2014-2016)
本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。
diff --git a/docs/clients.md b/docs/clients.md
index a0fd24b..4c8b972 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -73,7 +73,7 @@ After settin
**Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
-To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see Troubleshooting.
@@ -96,7 +96,7 @@ If you get an error when trying to connect, see Troub
1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section.
1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information.
-To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Android
@@ -115,7 +115,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy
1. Check the **Save account information** checkbox.
1. Tap **Connect**.
-Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see Troubleshooting.
@@ -133,7 +133,7 @@ If you get an error when trying to connect, see Troub
1. Tap **Done**.
1. Slide the **VPN** switch ON.
-Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Chromebook
@@ -150,16 +150,128 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y
1. Enter `Your VPN Password` for the **Password**.
1. Click **Connect**.
-Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see Troubleshooting.
## Windows Phone
-Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Linux
+See [Linux VPN Clients](#linux-vpn-clients).
+
+## Troubleshooting
+
+*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
+
+### Windows Error 809
+
+> The network connection between your computer and the VPN server could not be established because the remote server is not responding.
+
+To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. **You must reboot your PC when finished.**
+
+- For Windows Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
+ ```
+
+- For Windows XP ONLY ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
+ ```
+
+Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
+
+- For Windows XP, Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg))
+
+ ```console
+ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
+ ```
+
+### Windows Error 628
+
+> The connection was terminated by the remote computer before it could be completed.
+
+To fix this error, please follow these steps:
+
+1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**.
+1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**.
+1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**.
+1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
+1. Click the **Advanced settings** button.
+1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**.
+1. Click **OK** to close the **Advanced settings**.
+1. Click **OK** to save the VPN connection details.
+
+
+
+### Android 6 and above
+
+If you are unable to connect using Android 6 or above:
+
+1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
+1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref)
+
+
+
+### Chromebook issues
+
+Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`.
+
+### Other errors
+
+If you encounter other errors, refer to the links below:
+
+* http://www.tp-link.com/en/faq-1029.html
+* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
+* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
+
+### Additional steps
+
+Please try these additional troubleshooting steps:
+
+First, restart services on the VPN server:
+
+```bash
+service ipsec restart
+service xl2tpd restart
+```
+
+If using Docker, run `docker restart ipsec-vpn-server`.
+
+Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
+
+Check the Libreswan (IPsec) and xl2tpd logs for errors:
+
+```bash
+# Ubuntu & Debian
+grep pluto /var/log/auth.log
+grep xl2tpd /var/log/syslog
+
+# CentOS & RHEL
+grep pluto /var/log/secure
+grep xl2tpd /var/log/messages
+```
+
+Check status of the IPsec VPN server:
+
+```bash
+ipsec status
+ipsec verify
+```
+
+Show current established VPN connections:
+
+```bash
+ipsec whack --trafficstatus
+```
+
+## Linux VPN Clients
+
Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client.
To set up the VPN client, first install the following packages:
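Review bot: The Windows Error 809 section now leads with "download and import the `.reg` file", which asks users to merge an HKLM change from a file fetched from static.ls20.com; add a sentence telling them to open the downloaded file in a text editor and confirm it sets only the `PolicyAgent`, `IPSec` or `RasMan\Parameters` value shown in the `REG ADD` command next to it before double-clicking it, and consider publishing a checksum beside each link. The links themselves are HTTPS, which is good; the tp-link link under "Other errors" is still plain `http://www.tp-link.com/...` and could be switched while the section is being moved. The `## Troubleshooting` heading keeps its name, so the in-page `clients.md#troubleshooting` link and the "see Troubleshooting" references above still resolve. docs/clients-zh.md carries the same moved section and needs the same additions.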
@@ -317,7 +429,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val
route add YOUR_VPN_SERVER_IP gw X.X.X.X
```
-If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
+If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
```bash
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
@@ -355,120 +467,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
```
-## Troubleshooting
-
-*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
-
-### Windows Error 809
-
-> The network connection between your computer and the VPN server could not be established because the remote server is not responding.
-
-To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC.
-
-- For Windows Vista, 7, 8.x and 10
- ```console
- REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
- ```
-
-- For Windows XP ONLY
- ```console
- REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
- ```
-
-Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
-
-```console
-REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
-```
-
-### Windows Error 628
-
-> The connection was terminated by the remote computer before it could be completed.
-
-To fix this error, please follow these steps:
-
-1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**.
-1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**.
-1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**.
-1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
-1. Click the **Advanced settings** button.
-1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**.
-1. Click **OK** to close the **Advanced settings**.
-1. Click **OK** to save the VPN connection details.
-
-
-
-### Android 6 and above
-
-If you are unable to connect using Android 6 or above:
-
-1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
-1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref)
-
-
-
-### Chromebook issues
-
-Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`.
-
-### Other errors
-
-If you encounter other errors, refer to the links below:
-
-* http://www.tp-link.com/en/faq-1029.html
-* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
-* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
-
-### Additional steps
-
-Please try these additional troubleshooting steps:
-
-First, restart services on the VPN server:
-
-```bash
-service ipsec restart
-service xl2tpd restart
-```
-
-If using Docker, run `docker restart ipsec-vpn-server`.
-
-Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
-
-Check the Libreswan (IPsec) and xl2tpd logs for errors:
-
-```bash
-# Ubuntu & Debian
-grep pluto /var/log/auth.log
-grep xl2tpd /var/log/syslog
-
-# CentOS & RHEL
-grep pluto /var/log/secure
-grep xl2tpd /var/log/messages
-```
-
-Check status of the IPsec VPN server:
-
-```bash
-ipsec status
-ipsec verify
-```
-
-Show current established VPN connections:
-
-```bash
-ipsec whack --trafficstatus
-```
-
## Credits
-This document was adapted from the Streisand project, maintained by Joshua Lund and contributors.
+This document was adapted from the Streisand project, maintained by Joshua Lund and contributors.
## License
Note: This license applies to this document only.
Copyright (C) 2016-2018 Lin Song
-Based on the work of Joshua Lund (Copyright 2014-2016)
+Based on the work of Joshua Lund (Copyright 2014-2016)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 513f50e..1f2b1b7 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -181,7 +181,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
vpnclient u,u,u
```
- **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。
+ **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。
1. 重启 IPsec 服务:
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 294b7a4..710e9f9 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -181,7 +181,7 @@ Before continuing, make sure you have successfully this page.
+ **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page.
1. Restart IPsec service:
@@ -206,7 +206,7 @@ Before continuing, make sure you have successfully this registry key and reboot.
-1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
## Known Issues
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 9d81e59..5537249 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -11,7 +11,7 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
-SWAN_VER=3.23
+SWAN_VER=3.22
### DO NOT edit below this line ###
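Review bot: Changing the default from `SWAN_VER=3.23` to `SWAN_VER=3.22` is a downgrade of the default, and the comment right above it still says "Check https://libreswan.org for the latest version", which now invites users to pick a newer release that the `3.24|3.2[6-9]` case further down then rejects. Add a comment next to `SWAN_VER` explaining why 3.22 is pinned and which versions are known to work, and put the same rationale in the commit message.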
@@ -47,11 +47,18 @@ if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
-if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
+case "$SWAN_VER" in
+ 3.24|3.2[6-9])
+ exiterr "Libreswan version $SWAN_VER is not available."
+ ;;
+esac
+
+ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
+if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
-if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
+if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
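Review bot: The new `case "$SWAN_VER" in 3.24|3.2[6-9])` block is a hard-coded deny list that will rot: it accepts any value not literally listed (for example `3.30`, or a typo such as `3.2`), and the `grep -qF "$SWAN_VER"` below it is a plain substring match, so `SWAN_VER=3.2` would be reported as "already installed" on a 3.22 or 3.23 system. Validate the format first (for example `printf '%s' "$SWAN_VER" | grep -qE '^3\.[0-9]+$'`) and match the installed version with an anchored pattern such as `grep -qE "Libreswan $SWAN_VER( |$)"`. Capturing the output once in `ipsec_ver` is a good change; the later `/usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"` in the verify step could use the same anchored match.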
@@ -68,37 +75,54 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
esac
fi
+is_downgrade_to_322=0
+if [ "$SWAN_VER" = "3.22" ]; then
+ if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+ is_downgrade_to_322=1
+ fi
+fi
+
clear
cat < Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
+USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2
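Review bot: The downgrade detection `grep -qF -e "3.23" -e "3.25"` is a substring match over the whole `ipsec --version` output, so it can match unrelated digits in that string and it misses 3.24, even though the upgrade note further down treats every 3.23+ install the same way; matching the version token explicitly (`grep -qE 'Libreswan 3\.2[3-9]'`) makes the intent clear and survives the next release. `USE_GLIBC_KERN_FLIP_HEADERS = true` in `Makefile.inc.local` needs a one-line comment on which build failure it works around, since nothing in the script says. As shown here the hunk is also missing lines between `clear` and the heredoc, and `cat < Makefile.inc.local <<'EOF'` reads as a redirection typo in this view; please confirm the file actually has `cat >`.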
@@ -154,7 +180,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)"
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
-cd /opt/src || exiterr "Cannot enter /opt/src."
+cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
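Review bot: `cd /opt/src || exit 1` drops the message that `exiterr "Cannot enter /opt/src."` printed, so a failure here stops the script silently in the middle of an upgrade, just before the install verification; keep `exiterr` (or at least write a message to stderr before `exit 1`) so the user can see which step failed.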
@@ -162,8 +188,8 @@ fi
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
-if [ "$(uname -m | cut -c1-3)" = "arm" ]; then
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+if uname -m | grep -qi '^arm'; then
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
fi
sed -i".old-$(date +%F-%T)" \
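Review bot: `aes256-sha2_512` is added to `phase2alg` everywhere except where `uname -m` starts with `arm`, which leaves 64-bit ARM (`aarch64`) with the new entry; if the exclusion exists because of a build or kernel problem on ARM boards, say which one in a comment and decide whether `aarch64` should be excluded as well. The same `PHASE2_NEW` list is hard-coded again in `vpnsetup.sh`, where the ARM case is instead handled by a `sed` that strips `,aes256-sha2_512` from `/etc/ipsec.conf`; keeping the list in one place would stop the two from drifting apart.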
@@ -173,21 +199,38 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf
# Restart IPsec service
+mkdir -p /run/pluto
service ipsec restart
echo
echo "Libreswan $SWAN_VER was installed successfully! "
echo
+case "$SWAN_VER" in
+ 3.2[3-9])
cat <<'EOF'
-Note: Users upgrading to Libreswan 3.23 or newer should edit
- "/etc/ipsec.conf" and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
- with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
- Then run "service ipsec restart".
+NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
+ with a single line like this:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ Then run "service ipsec restart".
+
EOF
+ ;;
+esac
+
+if [ "$is_downgrade_to_322" = "1" ]; then
+cat <<'EOF'
+NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ with two lines like this:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
+ Then run "service ipsec restart".
+
+EOF
+fi
}
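Review bot: `mkdir -p /run/pluto` before `service ipsec restart` papers over a missing runtime directory, but `/run` is normally a tmpfs, so the directory is gone after a reboot and the first `ipsec` start then depends on the init script or unit recreating it; if that is not guaranteed, a `tmpfiles.d` entry is the durable fix, and either way the line needs a comment saying why it is there. The `3.2[3-9])` case prints the `modecfgdns` upgrade note for re-installs of the same version too and will stop matching at 3.30, while the downgrade note is gated on `is_downgrade_to_322`, which is only set when the previous version was 3.23 or 3.25, so a system that already runs 3.24 would get neither note.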
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 61d9d39..e1726e6 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -11,7 +11,7 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
-SWAN_VER=3.23
+SWAN_VER=3.22
### DO NOT edit below this line ###
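Review bot: This is the same pin from `SWAN_VER=3.23` to `SWAN_VER=3.22` as in `extras/vpnupgrade.sh`, and the version is now hard-coded in four scripts (`vpnupgrade.sh`, `vpnupgrade_centos.sh`, `vpnsetup.sh`, `vpnsetup_centos.sh`); consider sourcing it from one place, or at least note in each file that the others must change in step, otherwise the next bump will miss one of them.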
@@ -38,11 +38,18 @@ if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified."
fi
-if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
+case "$SWAN_VER" in
+ 3.24|3.2[6-9])
+ exiterr "Libreswan version $SWAN_VER is not available."
+ ;;
+esac
+
+ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
+if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed."
fi
-if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
+if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed."
echo
@@ -59,37 +66,54 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
esac
fi
+is_downgrade_to_322=0
+if [ "$SWAN_VER" = "3.22" ]; then
+ if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+ is_downgrade_to_322=1
+ fi
+fi
+
clear
cat < Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
+USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
# Verify the install and clean up
-cd /opt/src || exiterr "Cannot enter /opt/src."
+cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
@@ -166,7 +192,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
@@ -174,21 +200,38 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf
# Restart IPsec service
+mkdir -p /run/pluto
service ipsec restart
echo
echo "Libreswan $SWAN_VER was installed successfully! "
echo
+case "$SWAN_VER" in
+ 3.2[3-9])
cat <<'EOF'
-Note: Users upgrading to Libreswan 3.23 or newer should edit
- "/etc/ipsec.conf" and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
- with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
- Then run "service ipsec restart".
+NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
+ with a single line like this:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ Then run "service ipsec restart".
+
EOF
+ ;;
+esac
+
+if [ "$is_downgrade_to_322" = "1" ]; then
+cat <<'EOF'
+NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ with two lines like this:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
+ Then run "service ipsec restart".
+
+EOF
+fi
}
diff --git a/vpnsetup.sh b/vpnsetup.sh
index f83d35f..ff3bbcc 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -70,19 +70,13 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
-case "$(uname -r)" in
- 4.14*|4.15*)
- exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug."
- ;;
-esac
-
net_iface=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
-def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
-if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
- if [ "$(uname -m | cut -c1-3)" != "arm" ]; then
+def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
+if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
+ if ! uname -m | grep -qi '^arm'; then
case "$def_iface" in
wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
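Review bot: Removing the `4.14*|4.15*` kernel refusal is only safe because a later hunk in this file builds xl2tpd 1.3.12 from source on exactly those kernels; that dependency between the two hunks should be stated in a comment at the source-build block, otherwise the next person to touch either one will not see the link. The `def_state` rename and `grep -qi '^arm'` are behaviour-preserving apart from the match becoming case-insensitive.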
@@ -92,13 +86,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
net_iface="$def_iface"
fi
-net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
-if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
+net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
+if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 </dev/null 2>&1; do
- [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock."
+APT_LK=/var/lib/apt/lists/lock
+PKG_LK=/var/lib/dpkg/lock
+while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \
+ || lsof "$APT_LK" >/dev/null 2>&1 || lsof "$PKG_LK" >/dev/null 2>&1; do
+ [ "$count" = "0" ] && bigecho "Waiting for apt to be available..."
+ [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock."
count=$((count+1))
printf '%s' '.'
sleep 3
done
+bigecho "Populating apt-get cache..."
+
export DEBIAN_FRONTEND=noninteractive
apt-get -yq update || exiterr "'apt-get update' failed."
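Review bot: In the apt lock wait loop the condition is `fuser "$APT_LK" "$PKG_LK" ... || lsof "$APT_LK" ... || lsof "$PKG_LK" ...`; on a minimal image where neither `fuser` nor `lsof` is installed every branch fails, the loop body never runs, and the script proceeds as if the lock were free, so `apt-get update` can still fail on a held lock. Check that at least one of the tools exists (or fall back to retrying `apt-get` itself), and mention the wait ceiling (60 iterations of `sleep 3`, up to three minutes) in the "Waiting for apt to be available..." message so users do not read it as a hang. As shown here the heredoc after `cat 1>&2 <` has been collapsed onto the `while ... do` line, so that part of the hunk cannot be reviewed in this view.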
@@ -165,10 +162,8 @@ EOF
# In case auto IP discovery fails, enter server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
-# Try to auto discover IP of this server
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
-# Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it."
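Review bot: The two removed comments (`# Try to auto discover IP of this server`, `# Check IP for correct format`) were the only explanation of why the `dig` against `myip.opendns.com` is followed by a `check_ip`-gated fallback to `http://ipv4.icanhazip.com`; keep them, because the fallback runs over plain HTTP and a reader should see that the returned value is validated only for format, not for origin.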
@@ -179,23 +174,41 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
libevent-dev ppp xl2tpd || exiterr2
+case "$(uname -r)" in
+ 4.14*|4.15*)
+ L2TP_VER=1.3.12
+ l2tp_file="xl2tpd-$L2TP_VER.tar.gz"
+ l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz"
+ l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz"
+ apt-get -yq install libpcap0.8-dev || exiterr2
+ if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then
+ exit 1
+ fi
+ /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER"
+ tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file"
+ cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install
+ cd /opt/src || exit 1
+ /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER"
+ ;;
+esac
+
bigecho "Installing Fail2Ban to protect SSH..."
apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
-SWAN_VER=3.23
+SWAN_VER=3.22
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
- exiterr "Cannot download Libreswan source."
+ exit 1
fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
-cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/docker-targets\.mk/d' Makefile
+cd "libreswan-$SWAN_VER" || exit 1
+sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
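Review bot: In the new `4.14*|4.15*` xl2tpd block, `cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install` has no failure handling: if the build or install fails, the script carries on with the apt-packaged `xl2tpd` installed just above it, and the kernel incompatibility this block exists for is silently back; add `|| exiterr "..."` and verify the installed binary afterwards, the way Libreswan is verified with `ipsec --version`. Installing over the distro package under `PREFIX=/usr` also means a later `apt-get upgrade` of `xl2tpd` can replace the source-built binary without notice, so holding the package or documenting this is worth a comment. The download has no checksum verification (the same is true of the Libreswan tarball and is pre-existing), and replacing `exiterr "Cannot download Libreswan source."` and `exiterr "Cannot enter Libreswan source dir."` with bare `exit 1` removes the only messages that told users why the script stopped. Finally, the `sed` on `include/lswlog.h` that rewrites the `LSWBUF_CANARY` value to `((char) -2)` is an unexplained source patch; name the compiler error it fixes in a comment so it can be dropped once it is no longer needed.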
@@ -207,8 +220,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
-# Verify the install and clean up
-cd /opt/src || exiterr "Cannot enter /opt/src."
+cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
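Review bot: Dropping both the `# Verify the install and clean up` comment and the `exiterr "Cannot enter /opt/src."` message in the same hunk makes this block harder to read and harder to debug; keep the comment, and keep a message on the `cd` failure rather than a bare `exit 1`.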
@@ -224,7 +236,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
-# Create IPsec (Libreswan) config
+# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf </dev/null | grep -qs ' src '; then
+ PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
fi
+if uname -m | grep -qi '^arm'; then
+ sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
+fi
+
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets < "$IPT_FILE"
iptables-save >> "$IPT_FILE"
- # Update rules for iptables-persistent
IPT_FILE2="/etc/iptables/rules.v4"
if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2"
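Review bot: The `PRIVATE_IP` extraction `ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}'` relies on `src` being the last field once the `uid` suffix is stripped; `check_ip` guards against garbage, but a comment showing the expected `ip route get` line would help the next reader. The ARM-only `sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf` is a second copy of the ARM rule that `extras/vpnupgrade.sh` implements through `PHASE2_NEW`; a comment cross-referencing the two would at least keep them from diverging unnoticed. The removed `# Update rules for iptables-persistent` comment was accurate and should stay.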
@@ -481,6 +496,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
iptables-restore < "$IPT_FILE"
# Restart services
+mkdir -p /run/pluto
service fail2ban restart 2>/dev/null
service ipsec restart 2>/dev/null
service xl2tpd restart 2>/dev/null
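Review bot: `mkdir -p /run/pluto` here works around a missing runtime directory at first start, but `/run` is normally a tmpfs, so the directory will not survive a reboot; if the `ipsec` init script or unit does not create it, a `tmpfiles.d` entry is the durable fix, and the line should carry a comment saying why it exists.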
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index c96ef5a..678b11e 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -60,20 +60,12 @@ if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
-case "$(uname -r)" in
- 4.14*|4.15*)
- if grep -qs "release 6" /etc/redhat-release; then
- exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug."
- fi
- ;;
-esac
-
net_iface=${VPN_NET_IFACE:-'eth0'}
def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
-def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
-if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
+def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null)
+if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then
case "$def_iface" in
wl*)
exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!"
@@ -82,13 +74,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then
net_iface="$def_iface"
fi
-net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
-if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then
+net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null)
+if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then
printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2
if [ -z "$VPN_NET_IFACE" ]; then
cat 1>&2 </dev/null && PREFIX=/usr make -s install
+ cd /opt/src || exit 1
+ /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER"
+ fi
+ ;;
+esac
+
bigecho "Installing Fail2Ban to protect SSH..."
yum -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
-SWAN_VER=3.23
+SWAN_VER=3.22
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
- exiterr "Cannot download Libreswan source."
+ exit 1
fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
-cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/docker-targets\.mk/d' Makefile
+cd "libreswan-$SWAN_VER" || exit 1
+sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
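Review bot: The xl2tpd source build added here ends with a `fi` inside the `case`, so it is gated on a release check whose condition is cut off in this view; please confirm it targets the CentOS release that the removed `grep -qs "release 6" /etc/redhat-release` check covered. As in `vpnsetup.sh`, `make -s 2>/dev/null && PREFIX=/usr make -s install` has no failure handling and no post-install verification, so a failed build silently leaves the yum-packaged `xl2tpd` in place; add `|| exiterr "..."`. The `exit 1` replacements for the Libreswan download and `cd` errors and the unexplained `LSWBUF_CANARY` `sed` on `include/lswlog.h` have the same issues as in the Debian script: keep the error messages and comment the source patch.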
@@ -193,8 +203,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)"
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
-# Verify the install and clean up
-cd /opt/src || exiterr "Cannot enter /opt/src."
+cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
@@ -210,7 +219,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
-# Create IPsec (Libreswan) config
+# Create IPsec config
conf_bk "/etc/ipsec.conf"
cat > /etc/ipsec.conf </dev/null | grep -qs ' src '; then
+ PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
+ check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
+fi
+
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets </dev/null
service ipsec restart 2>/dev/null
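Review bot: The `PRIVATE_IP` detection via `ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}'` is new to this file and brings it in line with `vpnsetup.sh`, but this script also supports CentOS 6, whose older `iproute` prints `ip route get` output without a `uid` field; the pipeline still yields the last field of the first line, so it should work, but it is worth testing on a CentOS 6 host before merging. The `check_ip` guard before the `sed` on `left=%defaultroute` is the right safety net and should stay.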