From 73a97f2ba457a06628e032160c9320004c2c8398 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 May 2018 21:18:58 -0500 Subject: [PATCH 01/18] Cleanup --- extras/vpnupgrade.sh | 3 --- vpnsetup.sh | 7 +++---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 9d81e59..274256c 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -163,9 +163,6 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" -if [ "$(uname -m | cut -c1-3)" = "arm" ]; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" -fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 2b5df53..a30f596 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -81,7 +81,7 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then - if [ "$(uname -m | cut -c1-3)" != "arm" ]; then + if ! uname -m | grep -qi '^arm'; then case "$def_iface" in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" @@ -274,9 +274,8 @@ conn xauth-psk also=shared EOF -# Workarounds for systems with ARM CPU (e.g. Raspberry Pi) -# - Set "left" to private IP instead of "%defaultroute" -if [ "$(uname -m | cut -c1-3)" = "arm" ]; then +# Workaround for Raspberry Pi +if uname -m | grep -qi '^arm'; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi From 738f5d476482b1536f95cc889e193d53ba7ed661 Mon Sep 17 00:00:00 2001 
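Review bot: `if ! uname -m | grep -qi '^arm'; then` in the vpnsetup.sh hunk at line 81 only recognises 32-bit ARM machine names (`armv6l`, `armv7l`); a 64-bit ARM board reports `aarch64` from `uname -m`, so the wireless-interface guard is still enforced there, the same gap the replaced `cut -c1-3` test had. If the intent is "any ARM board", `if ! uname -m | grep -qiE '^(arm|aarch64)'; then` covers both; if the skip is deliberately for 32-bit Raspberry Pi only, a one-line comment saying so would stop the next reader from widening it. The same test recurs in this patch's hunk at line 274 and should match whichever form is chosen. The enclosing `if`/`case` block runs past the end of the hunk.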
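Review bot: `PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')` on the kept line below the new condition in the vpnsetup.sh hunk at line 274 takes the last field of the first output line, but newer iproute2 releases append `uid N` to that line, so the last field is the uid rather than the address after `src`; `check_ip` then presumably rejects it and the `&&` chain skips the `left=` rewrite silently. Picking the field that follows `src` is robust to that, e.g. `PRIVATE_IP=$(ip -4 route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") {print $(i + 1); exit}}')`. Patch 05/18 keeps this extraction in vpnsetup.sh (hunk at line 281) and copies it into vpnsetup_centos.sh (hunk at line 262), so both need the same change. A warning on the failure path would also make a skipped workaround visible in the install output instead of leaving `left=%defaultroute` in place unnoticed.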
From: hwdsl2 Date: Sun, 13 May 2018 00:56:29 -0500 Subject: [PATCH 02/18] Improve check for apt/dpkg lock --- vpnsetup.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index a30f596..27198fa 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -134,17 +134,19 @@ bigecho "VPN setup in progress... Please be patient." mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -bigecho "Populating apt-get cache..." - -# Wait up to 60s for apt/dpkg lock count=0 -while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do - [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." +while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1 \ + || lsof /var/lib/apt/lists/lock >/dev/null 2>&1 \ + || lsof /var/lib/dpkg/lock >/dev/null 2>&1; do + [ "$count" = "0" ] && bigecho "Waiting for apt to be available..." + [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock." count=$((count+1)) printf '%s' '.' sleep 3 done +bigecho "Populating apt-get cache..." + export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." From 94ca6536c8651b77e9af5ea417f15156f37b3e5e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 May 2018 15:26:14 -0500 Subject: [PATCH 03/18] Update docs - Fix/Update links - Add reg files for Windows Error 809 fix - Move Linux client instructions --- README-zh.md | 8 +- README.md | 8 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 12 +- docs/clients-zh.md | 220 ++++++++++++++++++------------------ docs/clients.md | 234 ++++++++++++++++++++------------------- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 4 +- 8 files changed, 254 insertions(+), 238 deletions(-) diff --git a/README-zh.md b/README-zh.md index f7de0a7..8a2a2c3 100644 --- a/README-zh.md +++ b/README-zh.md 
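Review bot: The new loop waits up to 60 iterations of `sleep 3`, roughly three minutes, but the removed comment `# Wait up to 60s for apt/dpkg lock` was the only place the timeout was documented and nothing replaces it; a comment such as `# Wait up to ~3 min (60 x 3s) for the apt/dpkg lock` above `count=0` would keep that visible. The check also covers only `/var/lib/apt/lists/lock` and `/var/lib/dpkg/lock`; apt 1.6 and later (e.g. Ubuntu 18.04) additionally hold `/var/lib/dpkg/lock-frontend` for the whole run, so an apt process that currently holds only the frontend lock may pass this check and the script then fails at `apt-get update`. Adding that path to the `fuser` argument list and as a further `lsof` alternative would close the gap. Note that when `lsof` is not installed its alternatives exit 127 and are treated as "not locked", which is presumably intended but worth a word in the same comment.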
@@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVHRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -145,7 +145,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 -- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 +- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 @@ -184,7 +184,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/README.md b/README.md index ae1cd27..c2ed73b 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ Please see OpenVPN or Shadowsocks. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode 
@@ -145,7 +145,7 @@ For **Windows users**, this issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. +- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -184,7 +184,7 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d2aa93d..821549e 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -99,14 +99,14 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a6358d9..5d61398 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -35,7 +35,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha 1. Enter `Your VPN Password` in the **Password** field. 1. Click **Connect**. -Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -57,7 +57,7 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -77,7 +77,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -95,18 +95,18 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index ae4a105..1e4d390 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -160,6 +160,118 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。** + +- 适用于 Windows Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- 仅适用于 Windows XP ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。 + +- 适用于 Windows XP, Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows 错误 628 + +> 在连接完成前,连接被远程计算机终止。 + +要解决此错误,请按以下步骤操作: + +1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 +1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **高级设置** 按钮。 +1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 +1. 单击 **确定** 关闭 **高级设置**。 +1. 单击 **确定** 保存 VPN 连接的详细信息。 + +![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) + +### Android 6 及以上版本 + +如果你无法使用 Android 6 或以上版本连接: + +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook 连接问题 + +Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 + +### 其它错误 + +如果你遇到其它错误,请参见以下链接: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### 额外的步骤 + +请尝试下面这些额外的故障排除步骤: + +首先,重启 VPN 服务器上的相关服务: + +```bash +service ipsec restart +service xl2tpd restart +``` + +如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 + +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 + +检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +查看 IPsec VPN 服务器状态: + +```bash +ipsec status +ipsec verify +``` + +显示当前已建立的 VPN 连接: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN 客户端 + 以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: 
@@ -356,120 +468,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## 故障排除 - -*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows 错误 809 - -> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 - -要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 - -- 适用于 Windows Vista, 7, 8 和 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。 - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows 错误 628 - -> 在连接完成前,连接被远程计算机终止。 - -要解决此错误,请按以下步骤操作: - -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 -1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 -1. 单击 **高级设置** 按钮。 -1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 -1. 单击 **确定** 关闭 **高级设置**。 -1. 单击 **确定** 保存 VPN 连接的详细信息。 - -![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) - -### Android 6 及以上版本 - -如果你无法使用 Android 6 或以上版本连接: - -1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook 连接问题 - -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 - -### 其它错误 - -如果你遇到其它错误,请参见以下链接: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### 额外的步骤 - -请尝试下面这些额外的故障排除步骤: - -首先,重启 VPN 服务器上的相关服务: - -```bash -service ipsec restart -service xl2tpd restart -``` - -如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 - -然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 - -检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -查看 IPsec VPN 服务器状态: - -```bash -ipsec status -ipsec verify -``` - -显示当前已建立的 VPN 连接: - -```bash -ipsec whack --trafficstatus -``` - ## 致谢 -本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index a0fd24b..4c8b972 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -73,7 +73,7 @@ After settin **Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -96,7 +96,7 @@ If you get an error when trying to connect, see Troub 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. -To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -115,7 +115,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -133,7 +133,7 @@ If you get an error when trying to connect, see Troub 1. Tap **Done**. 1. Slide the **VPN** switch ON. -Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Chromebook 
@@ -150,16 +150,128 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y 1. Enter `Your VPN Password` for the **Password**. 1. Click **Connect**. -Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. ## Windows Phone -Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Linux +See [Linux VPN Clients](#linux-vpn-clients). + +## Troubleshooting + +*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* + +### Windows Error 809 + +> The network connection between your computer and the VPN server could not be established because the remote server is not responding. + +To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. 
**You must reboot your PC when finished.** + +- For Windows Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- For Windows XP ONLY ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. + +- For Windows XP, Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows Error 628 + +> The connection was terminated by the remote computer before it could be completed. + +To fix this error, please follow these steps: + +1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. +1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. +1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. +1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click the **Advanced settings** button. +1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. +1. Click **OK** to close the **Advanced settings**. +1. Click **OK** to save the VPN connection details. 
+ +![Select CHAP in VPN connection properties](images/vpn-properties.png) + +### Android 6 and above + +If you are unable to connect using Android 6 or above: + +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook issues + +Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. + +### Other errors + +If you encounter other errors, refer to the links below: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### Additional steps + +Please try these additional troubleshooting steps: + +First, restart services on the VPN server: + +```bash +service ipsec restart +service xl2tpd restart +``` + +If using Docker, run `docker restart ipsec-vpn-server`. + +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
+ +Check the Libreswan (IPsec) and xl2tpd logs for errors: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +Check status of the IPsec VPN server: + +```bash +ipsec status +ipsec verify +``` + +Show current established VPN connections: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN Clients + Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: @@ -317,7 +429,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` -If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X 
@@ -355,120 +467,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## Troubleshooting - -*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows Error 809 - -> The network connection between your computer and the VPN server could not be established because the remote server is not responding. - -To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC. - -- For Windows Vista, 7, 8.x and 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows Error 628 - -> The connection was terminated by the remote computer before it could be completed. - -To fix this error, please follow these steps: - -1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. -1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. -1. Click the **Advanced settings** button. -1. 
Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. -1. Click **OK** to close the **Advanced settings**. -1. Click **OK** to save the VPN connection details. - -![Select CHAP in VPN connection properties](images/vpn-properties.png) - -### Android 6 and above - -If you are unable to connect using Android 6 or above: - -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook issues - -Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. - -### Other errors - -If you encounter other errors, refer to the links below: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### Additional steps - -Please try these additional troubleshooting steps: - -First, restart services on the VPN server: - -```bash -service ipsec restart -service xl2tpd restart -``` - -If using Docker, run `docker restart ipsec-vpn-server`. - -Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
- -Check the Libreswan (IPsec) and xl2tpd logs for errors: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -Check status of the IPsec VPN server: - -```bash -ipsec status -ipsec verify -``` - -Show current established VPN connections: - -```bash -ipsec whack --trafficstatus -``` - ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 513f50e..1f2b1b7 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -181,7 +181,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 294b7a4..710e9f9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -181,7 +181,7 @@ Before continuing, make sure you have successfully this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. 1. Restart IPsec service: 
@@ -206,7 +206,7 @@ Before continuing, make sure you have successfully this registry key and reboot. -1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues From 3b7039ef7877021110fad332e8c853c4b32fc560 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 16 May 2018 22:34:33 -0500 Subject: [PATCH 04/18] Update Linux kernel check --- vpnsetup.sh | 9 +++++++-- vpnsetup_centos.sh | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 27198fa..2e00b2f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -70,8 +70,13 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.14*|4.15*) - exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." + 4.14*) + if uname -m | grep -qi '^arm'; then + exiterr "Linux kernel 4.14 is not supported due to an xl2tpd issue." + fi + ;; + 4.15*) + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." ;; esac diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c96ef5a..23d8a3a 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -61,9 +61,9 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.14*|4.15*) + 4.15*) if grep -qs "release 6" /etc/redhat-release; then - exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." fi ;; esac From e3fe8b05bf79e973542b4c7e3d6292745b433d21 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 21 May 2018 00:58:24 -0500 Subject: [PATCH 05/18] Improve workaround - Specify "left=" in ipsec.conf for servers with 'src' in default route - Ref: https://github.com/libreswan/libreswan/issues/177 --- vpnsetup.sh | 3 +-- vpnsetup_centos.sh | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 2e00b2f..576f361 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -281,8 +281,7 @@ conn xauth-psk also=shared EOF -# Workaround for Raspberry Pi -if uname -m | grep -qi '^arm'; then +if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 23d8a3a..1923142 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -262,6 +262,11 @@ conn xauth-psk also=shared EOF +if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then + PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Tue, 22 May 2018 01:49:13 -0500 Subject: [PATCH 06/18] Update docs --- README-zh.md | 5 +++-- README.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README-zh.md b/README-zh.md index 8a2a2c3..3397df9 100644 --- a/README-zh.md +++ b/README-zh.md @@ -58,7 +58,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates 
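Review bot: The guard and the lookup in the new `if ip -4 route list 0/0 … grep -qs ' src '` block inspect different routes: the condition tests the default route for a `src` hint, but `PRIVATE_IP` is then taken from the last field of `ip -4 route get 1`, so on a multi-homed host or one with policy routing the address written into `left=` may not be the one the default route actually uses. Reading the `src` token from the same route that was just tested keeps the two consistent, e.g. `PRIVATE_IP=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=src )\S+' | head -n1)`, which matches the `grep -Po '(?<=dev )(\S+)'` idiom the scripts already use for `def_iface`. The `check_ip` call before the `sed` remains the right safeguard since the value is interpolated into a sed expression; the identical hunk in vpnsetup_centos.sh has the same issue.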
@@ -77,7 +77,8 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 -**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。 + +\* **注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 的 问题。你可以换用 这个 Docker 镜像。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index c2ed73b..65db8da 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,7 +77,8 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. -**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15. + +\* **Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue. Use this Docker image instead. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! From 3f8e79b8e4d420c236b56ab57d0b0094f5d5cb1a Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 23 May 2018 00:38:01 -0500 Subject: [PATCH 07/18] Use xl2tpd 1.3.12 - Install xl2tpd 1.3.12 for systems with Linux kernel 4.14/4.15 - This version fixes an xl2tpd issue under the above Linux kernels - Remove Linux kernel check and notes which are no longer needed - Ref: xelerance/xl2tpd#147 - Ref: https://github.com/xelerance/xl2tpd/releases --- README-zh.md | 7 ++----- README.md | 7 ++----- vpnsetup.sh | 30 +++++++++++++++++++----------- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/README-zh.md b/README-zh.md index 3397df9..fe0279d 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu 16.04/14.04 LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -58,7 +58,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,9 +77,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 - -\* **注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 的 问题。你可以换用 这个 Docker 镜像。 - :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! ## 安装说明 diff --git a/README.md b/README.md index 65db8da..3210566 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu 16.04/14.04 LTS, Debian or CentOS. +First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,9 +77,6 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. - -\* **Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue. Use this Docker image instead. - :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! ## Installation 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 576f361..b8d4867 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -69,17 +69,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$(uname -r)" in - 4.14*) - if uname -m | grep -qi '^arm'; then - exiterr "Linux kernel 4.14 is not supported due to an xl2tpd issue." - fi - ;; - 4.15*) - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." - ;; -esac - net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -184,6 +173,25 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ libcurl4-nss-dev flex bison gcc make libnss3-tools \ libevent-dev ppp xl2tpd || exiterr2 +case "$(uname -r)" in + 4.14*|4.15*) + L2TP_VER=1.3.12 + l2tp_file="xl2tpd-$L2TP_VER.tar.gz" + l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" + l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" + apt-get -yq install libpcap0.8-dev || exiterr2 + if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then + exiterr "Cannot download xl2tpd source." + fi + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" + cd "xl2tpd-$L2TP_VER" || exiterr "Cannot enter xl2tpd source dir." + make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exiterr "Cannot enter /opt/src." + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + ;; +esac + bigecho "Installing Fail2Ban to protect SSH..." apt-get -yq install fail2ban || exiterr2 From 8e15eb683c0af5a736449c86a4aef89efdb3120d Mon Sep 17 00:00:00 2001 
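Review bot: In the new `4.14*|4.15*` branch a failed build is not an error: `make -s 2>/dev/null && PREFIX=/usr make -s install` has no `|| exiterr`, its stderr is discarded, and the script goes on to delete the source tree and continue, so a host that needed xl2tpd 1.3.12 silently keeps the distro package the `apt-get` line just installed. The Libreswan block later in this file checks its result with `ipsec --version | grep -qF "$SWAN_VER"`; this block deserves the equivalent, at minimum `{ make -s && PREFIX=/usr make -s install; } || exiterr "xl2tpd $L2TP_VER failed to build."`. The tarball is also fetched and installed as root into `/usr` with no checksum or signature check, a gap shared with the Libreswan download; pinning a SHA-256 of the release would make the install verifiable. The same block is rewritten in the following Cleanup commit and copied into vpnsetup_centos.sh later in this series, and both carry the same gap.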
From: hwdsl2 Date: Wed, 23 May 2018 01:39:53 -0500 Subject: [PATCH 08/18] Cleanup --- extras/vpnupgrade.sh | 8 +++---- extras/vpnupgrade_centos.sh | 8 +++---- vpnsetup.sh | 42 +++++++++++++++++-------------------- vpnsetup_centos.sh | 27 +++++++++++------------- 4 files changed, 39 insertions(+), 46 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 274256c..b7165d7 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -118,7 +118,7 @@ esac # Create and change to working dir mkdir -p /opt/src -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 # Update package index and install Wget export DEBIAN_FRONTEND=noninteractive @@ -136,11 +136,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -154,7 +154,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 61d9d39..727051e 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -109,7 +109,7 @@ esac # Create and change to working dir mkdir -p /opt/src -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 # Install Wget yum -y install wget || exiterr2 @@ -138,11 +138,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -153,7 +153,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." diff --git a/vpnsetup.sh b/vpnsetup.sh index b8d4867..2339ddd 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -73,8 +73,8 @@ net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then if ! uname -m | grep -qi '^arm'; then case "$def_iface" in wl*) 
@@ -85,13 +85,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then net_iface="$def_iface" fi -net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then +net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null 2>&1 \ - || lsof /var/lib/apt/lists/lock >/dev/null 2>&1 \ - || lsof /var/lib/dpkg/lock >/dev/null 2>&1; do +APT_LK=/var/lib/apt/lists/lock +PKG_LK=/var/lib/dpkg/lock +while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \ + || lsof "$APT_LK" >/dev/null 2>&1 || lsof "$PKG_LK" >/dev/null 2>&1; do [ "$count" = "0" ] && bigecho "Waiting for apt to be available..." [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock." count=$((count+1)) @@ -159,10 +160,8 @@ EOF # In case auto IP discovery fails, enter server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} -# Try to auto discover IP of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -# Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." 
@@ -181,13 +180,12 @@ case "$(uname -r)" in l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" apt-get -yq install libpcap0.8-dev || exiterr2 if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then - exiterr "Cannot download xl2tpd source." + exit 1 fi /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "xl2tpd-$L2TP_VER" || exiterr "Cannot enter xl2tpd source dir." - make -s 2>/dev/null && PREFIX=/usr make -s install - cd /opt/src || exiterr "Cannot enter /opt/src." + cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exit 1 /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" ;; esac @@ -203,11 +201,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -220,8 +218,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base -# Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." 
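Review bot: `cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install` now also swallows a failed `cd`: the previous version aborted with a message, whereas the new chain skips the build entirely when the directory is missing and execution continues at `cd /opt/src || exit 1`. Keeping `cd` on its own line, `cd "xl2tpd-$L2TP_VER" || exit 1`, preserves the old behaviour at the same line count. More generally, replacing `exiterr "Cannot download …"` with a bare `exit 1` in this hunk and in the two Libreswan hunks below leaves the user with only `wget -nv`'s output to explain an aborted install; a one-line message before `exit 1` costs little.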
@@ -237,7 +234,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} -# Create IPsec (Libreswan) config +# Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < "$IPT_FILE" iptables-save >> "$IPT_FILE" - # Update rules for iptables-persistent IPT_FILE2="/etc/iptables/rules.v4" if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1923142..91c35f4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -72,8 +72,8 @@ net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then case "$def_iface" in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" @@ -82,13 +82,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then net_iface="$def_iface" fi -net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then +net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = 
@@ -193,8 +191,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base -# Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." @@ -210,7 +207,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} -# Create IPsec (Libreswan) config +# Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < Date: Wed, 23 May 2018 19:54:37 -0500 Subject: [PATCH 09/18] Improve VPN ciphers - Add back aes256-sha2_512 to phase2alg, required on some Android systems - Fixes #391 --- extras/vpnupgrade.sh | 5 ++++- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 6 +++++- vpnsetup_centos.sh | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index b7165d7..7d601a4 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -162,7 +162,10 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +if uname -m | grep -qi '^arm'; then + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 727051e..205599a 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
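Review bot: The new `PHASE2_NEW` string (and the matching `phase2alg=` template line in vpnsetup.sh in this commit) appends `aes256-sha2_512` but still opens with `3des-sha1`, while the `IKE_NEW` line above it keeps `modp1024`; nothing in the file records why these legacy algorithms are retained, so a later maintainer cannot tell whether they are a deliberate client-compatibility choice or an oversight. A comment next to the assignment such as `# 3des-sha1/modp1024 kept for older L2TP clients — confirm and drop when no longer needed` would make the trade-off explicit. Likewise the ARM-only branch that removes `aes256-sha2_512` again does so without saying what platform limitation it works around; a one-line comment there would spare the next reader a search of the issue tracker.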
@@ -166,7 +166,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 2339ddd..9be9d09 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -258,7 +258,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk @@ -291,6 +291,10 @@ if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi +if uname -m | grep -qi '^arm'; then + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Wed, 23 May 2018 20:40:58 -0500 Subject: [PATCH 10/18] Use xl2tpd 1.3.12 - Install xl2tpd 1.3.12 for CentOS 6 with Linux kernel 4.14/4.15 - This version fixes an xl2tpd issue under the above Linux kernels - Remove Linux kernel check which is no longer needed - Ref: 3f8e79b (fix for Ubuntu/Debian) --- vpnsetup_centos.sh | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index fd71727..713f090 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -60,14 +60,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$(uname -r)" in - 4.15*) - if grep -qs "release 6" /etc/redhat-release; then - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." - fi - ;; -esac - net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -166,6 +158,26 @@ else yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi +case "$(uname -r)" in + 4.14*|4.15*) + if grep -qs "release 6" /etc/redhat-release; then + L2TP_VER=1.3.12 + l2tp_file="xl2tpd-$L2TP_VER.tar.gz" + l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" + l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" + yum "$OPT1" "$OPT2" -y install libpcap-devel || exiterr2 + if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then + exit 1 + fi + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" + cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exit 1 + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + fi + ;; +esac + bigecho "Installing Fail2Ban to protect SSH..." yum -y install fail2ban || exiterr2 From 3c84f8e2abb250d3a4048a90eb4804e53d5a2268 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 24 May 2018 22:04:27 -0500 Subject: [PATCH 11/18] Update docs - Add support for Ubuntu 18.04 --- README-zh.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index fe0279d..255995a 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -53,12 +53,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 16.04/14.04, Debian 9/8 和 CentOS 7/6 +- 已测试: Ubuntu 18.04/16.04/14.04, Debian 9/8 和 CentOS 7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -149,7 +149,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 -使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 diff --git a/README.md b/README.md index 3210566..acc34c9 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,12 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6 +- Tested with Ubuntu 18.04/16.04/14.04, Debian 9/8 and CentOS 7/6 ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -149,7 +149,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. -Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. From f838fcfe12144835177563b54e97c1b9d7cfa032 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 3 Jun 2018 23:24:37 -0500 Subject: [PATCH 12/18] Fix IP parsing - Fix parsing private IP on some systems such as Ubuntu 18.04 --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 9be9d09..38c617c 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -287,7 +287,7 @@ conn xauth-psk EOF if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 713f090..aa28ec3 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -272,7 +272,7 @@ conn xauth-psk EOF if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi From 1ff393b91c6eec784fa0f1cbdb16633d87edbbc7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Jun 2018 00:40:09 -0500 Subject: [PATCH 13/18] Use Libreswan 3.22 - Use Libreswan 3.22 instead of 3.23 due to an issue with connecting multiple IPsec/XAuth VPN clients from behind the same NAT - Ref: c982502 0cf01c0 --- extras/vpnupgrade.sh | 31 +++++++++++++++++++++++-------- extras/vpnupgrade_centos.sh | 31 +++++++++++++++++++++++-------- vpnsetup.sh | 7 ++++--- vpnsetup_centos.sh | 7 ++++--- 4 files changed, 54 insertions(+), 22 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 7d601a4..f92d4fa 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.23 +SWAN_VER=3.22 ### DO NOT edit below this line ### 
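Review bot: `sed 's/ uid .*//' | awk '{print $NF;exit}'` still relies on the address being the last field of `ip route get` output, which is exactly the assumption that broke when iproute2 added the `uid` column, so the next change to that output will need another patch. Selecting the field that follows the `src` keyword is independent of column position: `PRIVATE_IP=$(ip -4 route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }}')`. The `check_ip` guard on the next line already rejects a bad parse before it reaches the `sed` into /etc/ipsec.conf, so today's failure mode is a missing `left=` override rather than a corrupt config; the two hunks of this commit are identical and the same replacement applies to vpnsetup_centos.sh.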
@@ -78,6 +78,15 @@ This is intended for use on servers running an older version of Libreswan. EOF +if [ "$SWAN_VER" = "3.23" ]; then +cat <<'EOF' +WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth + VPN clients from behind the same NAT (e.g. home router). + Do not upgrade to 3.23 if your use cases include the above. + +EOF +fi + cat <<'EOF' IMPORTANT NOTES: @@ -141,6 +150,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -179,15 +189,20 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +case "$SWAN_VER" in + 3.2[3-9]) cat <<'EOF' -Note: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +NOTE: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". + EOF + ;; +esac } diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 205599a..a40a425 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.23 +SWAN_VER=3.22 ### DO NOT edit below this line ### 
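Review bot: The new `case "$SWAN_VER" in 3.2[3-9])` around the completion note matches only 3.23 through 3.29, so the `modecfgdns` advice silently disappears for 3.30 or 4.x even though its text says "3.23 or newer"; `3.2[3-9]|3.[3-9]*|[4-9]*)` covers the stated range. The added `[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/…' include/lswlog.h` edits upstream source with no comment on what it fixes and no check that the pattern matched, so a mismatch would surface only as an unexplained compile error; a short comment, e.g. `# 3.22-only source edit: cast the LSWBUF_CANARY constant (presumably a build fix — confirm)`, plus `grep -q '((char) -2)' include/lswlog.h || exiterr "LSWBUF_CANARY patch did not apply."` would make that visible. Both points apply equally to the parallel hunks in extras/vpnupgrade_centos.sh.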
@@ -69,6 +69,15 @@ This is intended for use on servers running an older version of Libreswan. EOF +if [ "$SWAN_VER" = "3.23" ]; then +cat <<'EOF' +WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth + VPN clients from behind the same NAT (e.g. home router). + Do not upgrade to 3.23 if your use cases include the above. + +EOF +fi + cat <<'EOF' IMPORTANT NOTES: @@ -143,6 +152,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -180,15 +190,20 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +case "$SWAN_VER" in + 3.2[3-9]) cat <<'EOF' -Note: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +NOTE: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". + EOF + ;; +esac } diff --git a/vpnsetup.sh b/vpnsetup.sh index 38c617c..b101599 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -196,7 +196,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.23 +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
@@ -206,7 +206,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/docker-targets\.mk/d' Makefile +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -273,7 +273,8 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns="$DNS_SRV1, $DNS_SRV2" + modecfgdns1=$DNS_SRV1 + modecfgdns2=$DNS_SRV2 leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index aa28ec3..29863ac 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -184,7 +184,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.23 +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -194,7 +194,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/docker-targets\.mk/d' Makefile +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -258,7 +258,8 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns="$DNS_SRV1, $DNS_SRV2" + modecfgdns1=$DNS_SRV1 + modecfgdns2=$DNS_SRV2 leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes From d5a01f52f2f5cd59b2febb2a93d14fd1634608d8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Jun 2018 00:42:58 -0500 Subject: [PATCH 14/18] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 255995a..70e02ae 100644 --- a/README-zh.md +++ b/README-zh.md 
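Review bot: Replacing `sed -i '/docker-targets\.mk/d' Makefile` with the lswlog.h patch in the @@ -206 hunk of vpnsetup.sh drops the docker-targets.mk removal from the fresh-install path, while the upgrade scripts in this same commit keep that line and add the lswlog.h patch beside it, so a fresh 3.22 install and an upgrade to 3.22 now build from differently prepared trees. If the 3.22 Makefile no longer references docker-targets.mk this is harmless, but that is not visible here, and keeping both lines in vpnsetup.sh would make the two paths agree. Here too `sed -i` succeeds silently when the pattern is absent; a `grep -q '^#define LSWBUF_CANARY' include/lswlog.h || exiterr "Cannot apply the Libreswan 3.22 build fix."` before it would surface an unexpected header instead of producing a build that differs from the intended one. The same applies to the @@ -194 hunk of vpnsetup_centos.sh.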
@@ -141,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index acc34c9..6786b14 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation and an Libreswan issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. From 59f817575c6cd9c381a7d707b1b6ed7eec2a323b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 10 Jun 2018 16:08:12 -0500 Subject: [PATCH 15/18] Create rundir - Create /run/pluto which is used as rundir in Libreswan 3.22 and newer - Fixes #407 --- extras/vpnupgrade.sh | 1 + extras/vpnupgrade_centos.sh | 1 + vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 4 files changed, 4 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index f92d4fa..4adcb3d 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -183,6 +183,7 @@ sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service +mkdir -p /run/pluto service ipsec restart echo 
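Review bot: `mkdir -p /run/pluto` in the @@ -183 hunk of extras/vpnupgrade.sh creates the runtime directory only for the current boot; on systemd-based systems /run is a tmpfs that is emptied at reboot, so unless the installed init script or unit recreates the directory (for example via `RuntimeDirectory=pluto`), the service may fail to start again after the first reboot. Whether Libreswan's own service files handle this is not visible here and is worth verifying before relying on a one-time mkdir at install time. The call's result is also unchecked, unlike the surrounding steps; `mkdir -p /run/pluto || exiterr "Cannot create /run/pluto."` keeps the script's error-handling style. The directory gets the default umask, typically root-owned 0755 when the script runs as root; if pluto expects a stricter mode for its control-socket directory, set it explicitly rather than inheriting the umask. The same applies to the matching hunks in extras/vpnupgrade_centos.sh (@@ -184), vpnsetup.sh (@@ -475) and vpnsetup_centos.sh (@@ -469).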
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index a40a425..9f9fdb2 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -184,6 +184,7 @@ sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service +mkdir -p /run/pluto service ipsec restart echo diff --git a/vpnsetup.sh b/vpnsetup.sh index b101599..45b9f2c 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -475,6 +475,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* iptables-restore < "$IPT_FILE" # Restart services +mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 29863ac..678b11e 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -469,6 +469,7 @@ if grep -qs "release 7" /etc/redhat-release; then fi # Restart services +mkdir -p /run/pluto modprobe -q pppol2tp service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null From 0c151515fe694991c11e8f8a22f84ba6503fec81 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 28 Jun 2018 00:03:42 -0500 Subject: [PATCH 16/18] Improve upgrade scripts - Add note for users downgrading to 3.22 - Add check for Libreswan 3.25 (not yet supported) - Print Libreswan versions and improve message - Cleanup --- extras/vpnupgrade.sh | 72 +++++++++++++++++++++++++------------ extras/vpnupgrade_centos.sh | 72 +++++++++++++++++++++++++------------ 2 files changed, 98 insertions(+), 46 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 4adcb3d..6a3ffff 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -47,11 +47,16 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then +if [ "$SWAN_VER" = "3.25" ]; then + exiterr "Libreswan 3.25 is not yet supported." +fi + +ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then +if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo @@ -68,13 +73,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then esac fi +is_downgrade_to_322=0 +if [ "$SWAN_VER" = "3.22" ]; then + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322=1 + fi +fi + clear cat </dev/null | grep -q "Libreswan"; then +if [ "$SWAN_VER" = "3.25" ]; then + exiterr "Libreswan 3.25 is not yet supported." +fi + +ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then +if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo 
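Review bot: `grep -qF "$SWAN_VER"` in the @@ -47 hunk of extras/vpnupgrade.sh is a substring match over the whole `ipsec --version` output, so a value such as `3.2` reports "already installed" against any 3.2x release, and any other number that happens to appear in that output (the kernel version is presumably part of it) can produce a false match too. Capturing the output once into `ipsec_ver` is a good change; anchoring the match to the product name narrows it, e.g. `if printf '%s' "$ipsec_ver" | grep -qE "Libreswan $SWAN_VER( |$)"; then` (the unescaped dot in the version is harmless here, and the alternation covers the version ending the line). The `grep -qF -e "3.23" -e "3.25"` test that sets `is_downgrade_to_322` in the following hunk has the same substring issue and would benefit from the same anchoring.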
@@ -59,13 +64,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then esac fi +is_downgrade_to_322=0 +if [ "$SWAN_VER" = "3.22" ]; then + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322=1 + fi +fi + clear cat < Date: Thu, 28 Jun 2018 00:49:49 -0500 Subject: [PATCH 17/18] Add new version - Add support for upgrading to new Libreswan version 3.25 - "USE_GLIBC_KERN_FLIP_HEADERS = true" is required for compilation - Fixes #412 --- extras/vpnupgrade.sh | 5 +---- extras/vpnupgrade_centos.sh | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 6a3ffff..28a37ab 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -47,10 +47,6 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if [ "$SWAN_VER" = "3.25" ]; then - exiterr "Libreswan 3.25 is not yet supported." -fi - ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -168,6 +164,7 @@ sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 22a32a1..81e3ace 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -38,10 +38,6 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if [ "$SWAN_VER" = "3.25" ]; then - exiterr "Libreswan 3.25 is not yet supported." -fi - ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." 
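Review bot: `USE_GLIBC_KERN_FLIP_HEADERS = true` in the @@ -168 hunk of extras/vpnupgrade.sh goes into Makefile.inc.local for every version the script can build, while the commit message ties it to Libreswan 3.25 only; whether older releases ignore or act on this setting is not visible here, so it deserves either a gate on `$SWAN_VER` or at least a comment recording the reason. Since the heredoc is written to a makefile, a make comment placed directly above the new line does that without touching the shell code: `# Needed to build Libreswan 3.25 (see #412)`. The same applies to the @@ -170 hunk of extras/vpnupgrade_centos.sh.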
@@ -170,6 +166,7 @@ sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 From 145f29b4773e0c7d162dcb0116198604c05e5eac Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 30 Jun 2018 00:42:08 -0500 Subject: [PATCH 18/18] Improve version check - Add check for some Libreswan versions that are not available - Include Libreswan 3.25 in multiple IPsec/XAuth clients warning - Cleanup notes --- extras/vpnupgrade.sh | 40 ++++++++++++++++++++----------------- extras/vpnupgrade_centos.sh | 40 ++++++++++++++++++++----------------- 2 files changed, 44 insertions(+), 36 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 28a37ab..5537249 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -47,6 +47,12 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +case "$SWAN_VER" in + 3.24|3.2[6-9]) + exiterr "Libreswan version $SWAN_VER is not available." + ;; +esac + ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -89,11 +95,11 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ]; then +if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then cat <<'EOF' -WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth - VPN clients from behind the same NAT (e.g. home router). - Do not upgrade to 3.23 if your use cases include the above. +WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF fi 
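Review bot: The new `case "$SWAN_VER"` in the @@ -47 hunk of extras/vpnupgrade.sh rejects a fixed list of unavailable versions but still lets any other string through, and that string is later interpolated into the download URL, `/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"` and `cd "libreswan-$SWAN_VER"` (visible in this file's earlier hunks). A deny list has to be extended every time upstream skips a number, whereas a shape check is cheaper and also constrains those path and URL uses: after the `3.24|3.2[6-9])` arm add `3.[0-9][0-9]) ;;` and `*) exiterr "Unexpected Libreswan version '$SWAN_VER'." ;;`, widening the accepted pattern if versions with a single-digit minor must remain installable. The `if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]` test in the @@ -89 hunk could then become a further arm of the same `case` for consistency. The same applies to the @@ -38 hunk of extras/vpnupgrade_centos.sh.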
@@ -103,14 +109,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: - auth=esp + auth=esp with the following: - phase2=esp + phase2=esp Replace this line: - forceencaps=yes + forceencaps=yes with the following: - encapsulation=yes + encapsulation=yes Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, @@ -203,12 +209,11 @@ echo case "$SWAN_VER" in 3.2[3-9]) cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 +NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" Then run "service ipsec restart". EOF @@ -217,12 +222,11 @@ esac if [ "$is_downgrade_to_322" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit - "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" +NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 Then run "service ipsec restart". EOF diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 81e3ace..e1726e6 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -38,6 +38,12 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +case "$SWAN_VER" in + 3.24|3.2[6-9]) + exiterr "Libreswan version $SWAN_VER is not available." + ;; +esac + ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -80,11 +86,11 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ]; then +if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then cat <<'EOF' -WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth - VPN clients from behind the same NAT (e.g. home router). - Do not upgrade to 3.23 if your use cases include the above. +WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF fi @@ -94,14 +100,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: - auth=esp + auth=esp with the following: - phase2=esp + phase2=esp Replace this line: - forceencaps=yes + forceencaps=yes with the following: - encapsulation=yes + encapsulation=yes Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, 
@@ -204,12 +210,11 @@ echo case "$SWAN_VER" in 3.2[3-9]) cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 +NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" Then run "service ipsec restart". EOF @@ -218,12 +223,11 @@ esac if [ "$is_downgrade_to_322" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit - "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" +NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 Then run "service ipsec restart". EOF