mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-22 13:06:02 +03:00
Code Issues Projects Releases Wiki Activity

Improve VPN IPs

Browse Source 
- Use %defaultroute and iptables MASQUERADE, no need to detect private IP
- Use %any for the first field of ipsec.secrets, instead of public IP
- As a result, the VPN server should now better adapt to IP changes.
This commit is contained in:
hwdsl2 2017-02-10 18:00:29 -06:00
parent f7961242e4
commit 03007079e6
8 changed files with 30 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README-zh.md
View File

@ -51,7 +51,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
- 全自动的 IPsec VPN 服务器配置,无需用户输入 - 全自动的 IPsec VPN 服务器配置,无需用户输入
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
- 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 可直接作为 Amazon EC2 实例创建时的用户数据使用
- 自动确定服务器的公网 IP 以及私有 IP 地址
- 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能
- 测试通过: Ubuntu 16.04/14.04/12.04 Debian 8 和 CentOS 7/6 - 测试通过: Ubuntu 16.04/14.04/12.04 Debian 8 和 CentOS 7/6

1
README.md
View File

@ -51,7 +51,6 @@ For other installation options and how to set up VPN clients, read the sections
- Fully automated IPsec VPN server setup, no user input needed - Fully automated IPsec VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol - Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance - Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes `sysctl.conf` optimizations for improved performance - Includes `sysctl.conf` optimizations for improved performance
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6 - Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6

7
docs/ikev2-howto-zh.md
View File

@ -21,15 +21,12 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a> 在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同 1. 获取服务器的公共 IP 地址,并检查它是否正确。
```bash ```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(检查显示的 public IP (检查显示的 public IP
$ echo "$PRIVATE_IP"
(检查显示的 private IP
``` ```
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
@ -38,7 +35,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
$ cat >> /etc/ipsec.conf <<EOF $ cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=$PRIVATE_IP left=%defaultroute
leftcert=$PUBLIC_IP leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP leftid=@$PUBLIC_IP
leftsendcert=always leftsendcert=always

7
docs/ikev2-howto.md
View File

@ -21,15 +21,12 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>. Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.
1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. 1. Find the public IP of your server, and make sure it is correct.
```bash ```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(Check the displayed public IP) (Check the displayed public IP)
$ echo "$PRIVATE_IP"
(Check the displayed private IP)
``` ```
1. Add a new IKEv2 connection to `/etc/ipsec.conf`: 1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
@ -38,7 +35,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
$ cat >> /etc/ipsec.conf <<EOF $ cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=$PRIVATE_IP left=%defaultroute
leftcert=$PUBLIC_IP leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP leftid=@$PUBLIC_IP
leftsendcert=always leftsendcert=always

2
docs/manage-users-zh.md
View File

@ -7,7 +7,7 @@
首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK可以编辑此文件。 首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK可以编辑此文件。
```bash ```bash
<VPN Server IP> %any : PSK "<VPN IPsec PSK>" %any %any : PSK "<VPN IPsec PSK>"
``` ```
对于 `IPsec/L2TP`VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: 对于 `IPsec/L2TP`VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:

2
docs/manage-users.md
View File

@ -7,7 +7,7 @@ By default, a single user account for VPN login is created. If you wish to add,
First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file.
```bash ```bash
<VPN Server IP> %any : PSK "<VPN IPsec PSK>" %any %any : PSK "<VPN IPsec PSK>"
``` ```
For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:

31
vpnsetup.sh
View File

@ -133,27 +133,22 @@ print_status "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install wget dnsutils openssl || exiterr2
apt-get -yq install iproute gawk grep sed net-tools || exiterr2 apt-get -yq install iproute gawk grep sed net-tools || exiterr2
print_status "Trying to auto discover IPs of this server..." print_status "Trying to auto discover IP of this server..."
cat <<'EOF' cat <<'EOF'
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IPs. use Ctrl-C to interrupt. Then edit it and manually enter IP.
EOF EOF
# In case auto IP discovery fails, you may manually enter server IPs here. # In case auto IP discovery fails, enter this server's public IP here.
# If your server only has a public IP, put that public IP on both lines.
PUBLIC_IP=${VPN_PUBLIC_IP:-''} PUBLIC_IP=${VPN_PUBLIC_IP:-''}
PRIVATE_IP=${VPN_PRIVATE_IP:-''}
# Try to auto discover IPs of this server # Try to auto discover IP of this server
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
# Check IPs for correct format # Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
print_status "Installing packages required for the VPN..." print_status "Installing packages required for the VPN..."
@ -208,7 +203,7 @@ config setup
uniqueids=no uniqueids=no
conn shared conn shared
left=$PRIVATE_IP left=%defaultroute
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
right=%any right=%any
encapsulation=yes encapsulation=yes
@ -225,8 +220,6 @@ conn shared
conn l2tp-psk conn l2tp-psk
auto=add auto=add
leftsubnet=$PRIVATE_IP/32
leftnexthop=%defaultroute
leftprotoport=17/1701 leftprotoport=17/1701
rightprotoport=17/%any rightprotoport=17/%any
type=transport type=transport
@ -254,7 +247,7 @@ EOF
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
@ -347,8 +340,8 @@ print_status "Updating IPTables rules..."
ipt_flag=0 ipt_flag=0
IPT_FILE="/etc/iptables.rules" IPT_FILE="/etc/iptables.rules"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \ || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1 ipt_flag=1
fi fi
@ -371,8 +364,8 @@ if [ "$ipt_flag" = "1" ]; then
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
iptables -A FORWARD -j DROP iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE" iptables-save >> "$IPT_FILE"

31
vpnsetup_centos.sh
View File

@ -112,27 +112,22 @@ print_status "Installing packages required for setup..."
yum -y install wget bind-utils openssl || exiterr2 yum -y install wget bind-utils openssl || exiterr2
yum -y install iproute gawk grep sed net-tools || exiterr2 yum -y install iproute gawk grep sed net-tools || exiterr2
print_status "Trying to auto discover IPs of this server..." print_status "Trying to auto discover IP of this server..."
cat <<'EOF' cat <<'EOF'
In case the script hangs here for more than a few minutes, In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IPs. use Ctrl-C to interrupt. Then edit it and manually enter IP.
EOF EOF
# In case auto IP discovery fails, you may manually enter server IPs here. # In case auto IP discovery fails, enter this server's public IP here.
# If your server only has a public IP, put that public IP on both lines.
PUBLIC_IP=${VPN_PUBLIC_IP:-''} PUBLIC_IP=${VPN_PUBLIC_IP:-''}
PRIVATE_IP=${VPN_PRIVATE_IP:-''}
# Try to auto discover IPs of this server # Try to auto discover IP of this server
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
# Check IPs for correct format # Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
print_status "Adding the EPEL repository..." print_status "Adding the EPEL repository..."
@ -195,7 +190,7 @@ config setup
uniqueids=no uniqueids=no
conn shared conn shared
left=$PRIVATE_IP left=%defaultroute
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
right=%any right=%any
encapsulation=yes encapsulation=yes
@ -212,8 +207,6 @@ conn shared
conn l2tp-psk conn l2tp-psk
auto=add auto=add
leftsubnet=$PRIVATE_IP/32
leftnexthop=%defaultroute
leftprotoport=17/1701 leftprotoport=17/1701
rightprotoport=17/%any rightprotoport=17/%any
type=transport type=transport
@ -241,7 +234,7 @@ EOF
# Specify IPsec PSK # Specify IPsec PSK
conf_bk "/etc/ipsec.secrets" conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets <<EOF cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$VPN_IPSEC_PSK" %any %any : PSK "$VPN_IPSEC_PSK"
EOF EOF
# Create xl2tpd config # Create xl2tpd config
@ -334,8 +327,8 @@ print_status "Updating IPTables rules..."
ipt_flag=0 ipt_flag=0
IPT_FILE="/etc/sysconfig/iptables" IPT_FILE="/etc/sysconfig/iptables"
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \
|| ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \ || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
|| ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1 ipt_flag=1
fi fi
@ -358,8 +351,8 @@ if [ "$ipt_flag" = "1" ]; then
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
iptables -A FORWARD -j DROP iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE" iptables-save >> "$IPT_FILE"
fi fi