diff --git a/README-zh.md b/README-zh.md index 024a69c..3ed2dd1 100644 --- a/README-zh.md +++ b/README-zh.md @@ -69,7 +69,7 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh - CentOS 8[\*\*](#centos-8-note) 或者 7, Rocky Linux 8 或者 AlmaLinux OS 8 - Red Hat Enterprise Linux (RHEL) 8 或者 7 - Amazon Linux 2 -- Alpine Linux 3.14 或者 3.15 +- Alpine Linux 3.15 或者 3.14 这也包括各种公共云服务中的 Linux 虚拟机,比如 [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) 和 [OVH](https://www.ovhcloud.com/en/vps/)。[Amazon EC2](https://aws.amazon.com/ec2/) 用户可以使用 [CloudFormation](aws/README-zh.md) 或者 [用户数据](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup) 快速部署。 @@ -194,11 +194,11 @@ wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh - [使用其他的 DNS 服务器](docs/advanced-usage-zh.md#使用其他的-dns-服务器) - [域名和更改服务器 IP](docs/advanced-usage-zh.md#域名和更改服务器-ip) +- [仅限 IKEv2 的 VPN](docs/advanced-usage-zh.md#仅限-ikev2-的-vpn) - [VPN 内网 IP 和流量](docs/advanced-usage-zh.md#vpn-内网-ip-和流量) - [转发端口到 VPN 客户端](docs/advanced-usage-zh.md#转发端口到-vpn-客户端) - [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) - [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) -- [仅限 IKEv2 的 VPN](docs/advanced-usage-zh.md#仅限-ikev2-的-vpn) - [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) ## 问题和反馈 diff --git a/README.md b/README.md index 5aa8f41..6f8295a 100644 --- a/README.md +++ b/README.md 
@@ -69,7 +69,7 @@ A dedicated server or virtual private server (VPS), freshly installed with one o - CentOS 8[\*\*](#centos-8-note) or 7, Rocky Linux 8 or AlmaLinux OS 8 - Red Hat Enterprise Linux (RHEL) 8 or 7 - Amazon Linux 2 -- Alpine Linux 3.14 or 3.15 +- Alpine Linux 3.15 or 3.14 This also includes Linux VMs in public clouds, such as [DigitalOcean](https://blog.ls20.com/digitalocean), [Vultr](https://blog.ls20.com/vultr), [Linode](https://blog.ls20.com/linode), [Microsoft Azure](https://azure.microsoft.com) and [OVH](https://www.ovhcloud.com/en/vps/). [Amazon EC2](https://aws.amazon.com/ec2/) users can deploy rapidly using [CloudFormation](aws/README.md) or [user data](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup). @@ -194,11 +194,11 @@ See [Advanced usage](docs/advanced-usage.md). - [Use alternative DNS servers](docs/advanced-usage.md#use-alternative-dns-servers) - [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes) +- [IKEv2 only VPN](docs/advanced-usage.md#ikev2-only-vpn) - [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic) - [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients) - [Split tunneling](docs/advanced-usage.md#split-tunneling) - [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) -- [IKEv2 only VPN](docs/advanced-usage.md#ikev2-only-vpn) - [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) ## Bugs & Questions diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index bda9416..9d3ffff 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md 
@@ -4,11 +4,11 @@ * [使用其他的 DNS 服务器](#使用其他的-dns-服务器) * [域名和更改服务器 IP](#域名和更改服务器-ip) +* [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) * [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) * [转发端口到 VPN 客户端](#转发端口到-vpn-客户端) * [VPN 分流](#vpn-分流) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) -* [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) * [更改 IPTables 规则](#更改-iptables-规则) ## 使用其他的 DNS 服务器 @@ -36,6 +36,21 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto 另外,你也可以自定义 IKEv2 安装选项,通过在运行 [辅助脚本](ikev2-howto-zh.md#使用辅助脚本配置-ikev2) 时去掉 `--auto` 参数来实现。 +## 仅限 IKEv2 的 VPN + +Libreswan 4.2 和更新版本支持 `ikev1-policy` 配置选项。使用此选项,高级用户可以为 VPN 服务器启用仅限 IKEv2 的模式。当启用该模式时,VPN 客户端仅能使用 IKEv2 连接到 VPN 服务器。所有的 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。 + +要设置仅限 IKEv2 的 VPN,首先按照[自述文件](../README-zh.md)中的说明安装 VPN 服务器并且配置 IKEv2。然后运行这个[辅助脚本](../extras/ikev2onlymode.sh)并按提示操作: + +```bash +# 下载脚本 +wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode +# 运行脚本并按提示操作 +sudo bash ikev2onlymode.sh +``` + +另外,你也可以手动启用仅限 IKEv2 模式。首先使用 `ipsec --version` 命令检查 Libreswan 版本,并[更新 Libreswan](../README-zh.md#升级libreswan)(如果需要)。然后编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。 + ## VPN 内网 IP 和流量 在使用 [IPsec/L2TP](clients-zh.md) 模式连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有内网 IP `192.168.42.1`。为客户端分配的内网 IP 在这个范围内:`192.168.42.10` 到 `192.168.42.250`。要找到为特定的客户端分配的 IP,可以查看该 VPN 客户端上的连接状态。 
@@ -250,12 +265,6 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE ``` -## 仅限 IKEv2 的 VPN - -Libreswan 4.2 和更新版本支持 `ikev1-policy` 配置选项。使用此选项,高级用户可以设置仅限 IKEv2 的 VPN,即 VPN 服务器仅接受 IKEv2 连接,而 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。 - -要设置仅限 IKEv2 的 VPN,首先按照 [自述文件](../README-zh.md) 中的说明安装 VPN 服务器并且配置 IKEv2。然后使用 `ipsec --version` 命令检查 Libreswan 版本并 [更新 Libreswan](../README-zh.md#升级libreswan)(如果需要)。下一步,编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。 - ## 更改 IPTables 规则 如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 5eb7974..e91702f 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -4,11 +4,11 @@ * [Use alternative DNS servers](#use-alternative-dns-servers) * [DNS name and server IP changes](#dns-name-and-server-ip-changes) +* [IKEv2 only VPN](#ikev2-only-vpn) * [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) * [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients) * [Split tunneling](#split-tunneling) * [Access VPN server's subnet](#access-vpn-servers-subnet) -* [IKEv2 only VPN](#ikev2-only-vpn) * [Modify IPTables rules](#modify-iptables-rules) ## Use alternative DNS servers 
@@ -36,6 +36,21 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto Alternatively, you may customize IKEv2 setup options by running the [helper script](ikev2-howto.md#set-up-ikev2-using-helper-script) without the `--auto` parameter. +## IKEv2 only VPN + +Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can enable IKEv2-only mode on the VPN server. With IKEv2-only mode enabled, VPN clients can only connect to the VPN server using IKEv2. All IKEv1 connections (including IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) will be dropped. + +To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in the [README](../README.md). Then run this [helper script](../extras/ikev2onlymode.sh) and follow the prompts: + +```bash +# Download the script +wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode +# Run the script and follow the prompts +sudo bash ikev2onlymode.sh +``` + +Alternatively, you may manually enable IKEv2-only mode. First check Libreswan version using `ipsec --version`, and [update Libreswan](../README.md#upgrade-libreswan) if needed. Then edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled. + ## Internal VPN IPs and traffic When connecting using [IPsec/L2TP](clients.md) mode, the VPN server has internal IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. Clients are assigned internal IPs from `192.168.42.10` to `192.168.42.250`. To check which IP is assigned to a client, view the connection status on the VPN client. 
@@ -251,12 +266,6 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE ``` -## IKEv2 only VPN - -Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can set up an IKEv2-only VPN, i.e. only IKEv2 connections are accepted by the VPN server, while IKEv1 connections (including the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) are dropped. - -To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in the [README](../README.md). Then check Libreswan version using `ipsec --version`, and [update Libreswan](../README.md#upgrade-libreswan) if needed. After that, edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled. - ## Modify IPTables rules If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
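Review bot: In the README.md and README-zh.md hunks, swapping "Alpine Linux 3.14 or 3.15" for "3.15 or 3.14" changes no supported version, only the order, which now matches the newest-first ordering used by the CentOS and RHEL entries above it; state that in the commit message so nobody reads the line as a support change, and keep the same ordering in any other place the list is repeated.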
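Review bot: In the advanced-usage.md hunk at `@@ -36,6 +36,21 @@` (and its advanced-usage-zh.md counterpart), the new "IKEv2 only VPN" section has readers fetch the helper script through a URL shortener and run it as root with no integrity check (`wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode` followed by `sudo bash ikev2onlymode.sh`), and the prose links the script as `../extras/ikev2onlymode.sh`, a file that is not part of this diff. Confirm the script actually exists in the tree (or lands in a companion change so the link is not dead), and consider pointing the download at the repository's own raw URL rather than a third-party redirect the project does not control, with a line telling the user to read the script, or check it against a published checksum, before executing it; the two-line snippet as written invites copy-paste execution of whatever the shortened link resolves to on that day. The manual-mode paragraph is good to keep alongside the script because it lets an operator apply `ikev1-policy=drop` and verify with `ipsec status` without running any downloaded code.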
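Review bot: The two removal hunks (`@@ -250,12 +265,6 @@` in advanced-usage-zh.md and `@@ -251,12 +266,6 @@` in advanced-usage.md) delete a section that reappears, reworded and extended, near the top of the same file, so the diff shows the move and the content change at once and a reviewer cannot see at a glance which sentences are new; splitting the relocation and the helper-script addition into separate commits, or noting in the commit message that the manual steps are unchanged apart from the wording, would make the change easier to audit. Since the reordered table-of-contents entries in both README files and both advanced-usage files depend on the new section position, keep all four hunks in the same change so the anchors do not point at a heading that has not moved yet.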