Improve VPN IPs

- Use %defaultroute and iptables MASQUERADE, no need to detect private IP - Use %any for the first field of ipsec.secrets, instead of public IP - As a result, the VPN server should now better adapt to IP changes.
2024-11-21 20:46:10 +03:00 · 2017-02-10 18:00:29 -06:00 · 2017-02-10 18:00:29 -06:00 · 03007079e6
commit 03007079e6
parent f7961242e4
8 changed files with 30 additions and 52 deletions
--- a/README-zh.md
+++ b/README-zh.md
@ -51,7 +51,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
 - 全自动的 IPsec VPN 服务器配置，无需用户输入
 - 封装所有的 VPN 流量在 UDP 协议，不需要 ESP 协议支持
 - 可直接作为 Amazon EC2 实例创建时的用户数据使用
- 自动确定服务器的公网 IP 以及私有 IP 地址
 - 包含 `sysctl.conf` 优化设置，以达到更佳的传输性能
 - 测试通过： Ubuntu 16.04/14.04/12.04， Debian 8 和 CentOS 7/6

--- a/README.md
+++ b/README.md
@ -51,7 +51,6 @@ For other installation options and how to set up VPN clients, read the sections
 - Fully automated IPsec VPN server setup, no user input needed
 - Encapsulates all VPN traffic in UDP - does not need ESP protocol
 - Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
 - Includes `sysctl.conf` optimizations for improved performance
 - Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6

--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -21,15 +21,12 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来

 在继续之前，请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>。

-1. 获取服务器的公共和私有 IP 地址，并确保它们的值非空。注意，这两个 IP 地址可以相同。
+1. 获取服务器的公共 IP 地址，并检查它是否正确。

   ```bash
   $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-   $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
   $ echo "$PUBLIC_IP"
   （检查显示的 public IP）
-   $ echo "$PRIVATE_IP"
-   （检查显示的 private IP）
   ```

 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
@ -38,7 +35,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
   $ cat >> /etc/ipsec.conf <<EOF

   conn ikev2-cp
-     left=$PRIVATE_IP
+     left=%defaultroute
     leftcert=$PUBLIC_IP
     leftid=@$PUBLIC_IP
     leftsendcert=always
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -21,15 +21,12 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo

 Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.

-1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
+1. Find the public IP of your server, and make sure it is correct.

   ```bash
   $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-   $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
   $ echo "$PUBLIC_IP"
   (Check the displayed public IP)
-   $ echo "$PRIVATE_IP"
-   (Check the displayed private IP)
   ```

 1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
@ -38,7 +35,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
   $ cat >> /etc/ipsec.conf <<EOF

   conn ikev2-cp
-     left=$PRIVATE_IP
+     left=%defaultroute
     leftcert=$PUBLIC_IP
     leftid=@$PUBLIC_IP
     leftsendcert=always
--- a/docs/manage-users-zh.md
+++ b/docs/manage-users-zh.md
@ -7,7 +7,7 @@
 首先，IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK，可以编辑此文件。

 ```bash
-<VPN Server IP>  %any  : PSK "<VPN IPsec PSK>"
+%any  %any  : PSK "<VPN IPsec PSK>"
 ```

 对于 `IPsec/L2TP`，VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下：
--- a/docs/manage-users.md
+++ b/docs/manage-users.md
@ -7,7 +7,7 @@ By default, a single user account for VPN login is created. If you wish to add,
 First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. 

 ```bash
-<VPN Server IP>  %any  : PSK "<VPN IPsec PSK>"
+%any  %any  : PSK "<VPN IPsec PSK>"
 ```

 For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@ -133,27 +133,22 @@ print_status "Installing packages required for setup..."
 apt-get -yq install wget dnsutils openssl || exiterr2
 apt-get -yq install iproute gawk grep sed net-tools || exiterr2

-print_status "Trying to auto discover IPs of this server..."
+print_status "Trying to auto discover IP of this server..."

 cat <<'EOF'
 In case the script hangs here for more than a few minutes,
-use Ctrl-C to interrupt. Then edit it and manually enter IPs.
+use Ctrl-C to interrupt. Then edit it and manually enter IP.
 EOF

-# In case auto IP discovery fails, you may manually enter server IPs here.
-# If your server only has a public IP, put that public IP on both lines.
+# In case auto IP discovery fails, enter this server's public IP here.
 PUBLIC_IP=${VPN_PUBLIC_IP:-''}
-PRIVATE_IP=${VPN_PRIVATE_IP:-''}

-# Try to auto discover IPs of this server
+# Try to auto discover IP of this server
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
-[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')

-# Check IPs for correct format
+# Check IP for correct format
 check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs."
-check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
-check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
+check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."

 print_status "Installing packages required for the VPN..."

@ -208,7 +203,7 @@ config setup
  uniqueids=no

 conn shared
-  left=$PRIVATE_IP
+  left=%defaultroute
  leftid=$PUBLIC_IP
  right=%any
  encapsulation=yes
@ -225,8 +220,6 @@ conn shared

 conn l2tp-psk
  auto=add
-  leftsubnet=$PRIVATE_IP/32
-  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
@ -254,7 +247,7 @@ EOF
 # Specify IPsec PSK
 conf_bk "/etc/ipsec.secrets"
 cat > /etc/ipsec.secrets <<EOF
-$PUBLIC_IP  %any  : PSK "$VPN_IPSEC_PSK"
+%any  %any  : PSK "$VPN_IPSEC_PSK"
 EOF

 # Create xl2tpd config
@ -347,8 +340,8 @@ print_status "Updating IPTables rules..."
 ipt_flag=0
 IPT_FILE="/etc/iptables.rules"
 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
-   || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \
-   || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+   || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
+   || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
  ipt_flag=1
 fi

@ -371,8 +364,8 @@ if [ "$ipt_flag" = "1" ]; then
  # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
  # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
  iptables -A FORWARD -j DROP
-  iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
-  iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP"
+  iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
  echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
  iptables-save >> "$IPT_FILE"

--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -112,27 +112,22 @@ print_status "Installing packages required for setup..."
 yum -y install wget bind-utils openssl || exiterr2
 yum -y install iproute gawk grep sed net-tools || exiterr2

-print_status "Trying to auto discover IPs of this server..."
+print_status "Trying to auto discover IP of this server..."

 cat <<'EOF'
 In case the script hangs here for more than a few minutes,
-use Ctrl-C to interrupt. Then edit it and manually enter IPs.
+use Ctrl-C to interrupt. Then edit it and manually enter IP.
 EOF

-# In case auto IP discovery fails, you may manually enter server IPs here.
-# If your server only has a public IP, put that public IP on both lines.
+# In case auto IP discovery fails, enter this server's public IP here.
 PUBLIC_IP=${VPN_PUBLIC_IP:-''}
-PRIVATE_IP=${VPN_PRIVATE_IP:-''}

-# Try to auto discover IPs of this server
+# Try to auto discover IP of this server
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
-[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')

-# Check IPs for correct format
+# Check IP for correct format
 check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs."
-check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
-check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
+check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."

 print_status "Adding the EPEL repository..."

@ -195,7 +190,7 @@ config setup
  uniqueids=no

 conn shared
-  left=$PRIVATE_IP
+  left=%defaultroute
  leftid=$PUBLIC_IP
  right=%any
  encapsulation=yes
@ -212,8 +207,6 @@ conn shared

 conn l2tp-psk
  auto=add
-  leftsubnet=$PRIVATE_IP/32
-  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
@ -241,7 +234,7 @@ EOF
 # Specify IPsec PSK
 conf_bk "/etc/ipsec.secrets"
 cat > /etc/ipsec.secrets <<EOF
-$PUBLIC_IP  %any  : PSK "$VPN_IPSEC_PSK"
+%any  %any  : PSK "$VPN_IPSEC_PSK"
 EOF

 # Create xl2tpd config
@ -334,8 +327,8 @@ print_status "Updating IPTables rules..."
 ipt_flag=0
 IPT_FILE="/etc/sysconfig/iptables"
 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
-   || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \
-   || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+   || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
+   || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
  ipt_flag=1
 fi

@ -358,8 +351,8 @@ if [ "$ipt_flag" = "1" ]; then
  # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
  # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
  iptables -A FORWARD -j DROP
-  iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
-  iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP"
+  iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
+  iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
  echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
  iptables-save >> "$IPT_FILE"
 fi