mirror of synced 2024-11-21 20:46:10 +03:00

Update docs

- Add instructions for Chrome OS (Chromebook) for IKEv2 mode
- Update instructions for Chrome OS for IPsec/L2TP mode
- Cleanup
This commit is contained in:
hwdsl2 2022-10-29 01:16:04 -05:00
parent 5943b2a041
commit 117d76b309
7 changed files with 128 additions and 38 deletions

View File

@ -63,7 +63,7 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/vpnsetup.sh
- 全自动的 IPsec VPN 服务器配置,无需用户输入
- 支持具有强大和快速加密算法(例如 AES-GCM的 IKEv2 模式
- 生成 VPN 配置文件以自动配置 iOS, macOS 和 Android 设备
- 支持 Windows, macOS, iOS, Android 和 Linux 作为 VPN 客户端
- 支持 Windows, macOS, iOS, Android, Chrome OS 和 Linux 客户端
- 包括辅助脚本以管理 VPN 用户和证书
## 系统要求

View File

@ -63,7 +63,7 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is
- Fully automated IPsec VPN server setup, no user input needed
- Supports IKEv2 with strong and fast ciphers (e.g. AES-GCM)
- Generates VPN profiles to auto-configure iOS, macOS and Android devices
- Supports Windows, macOS, iOS, Android and Linux as VPN clients
- Supports Windows, macOS, iOS, Android, Chrome OS and Linux as VPN clients
- Includes helper scripts to manage VPN users and certificates
## Requirements

View File

@ -44,7 +44,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP
1. 在 **Password** 字段中输入`你的 VPN 密码`。
1. 单击 **Connect**
VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
@ -98,7 +98,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v
1. 选中 **保存帐户信息** 复选框。
1. 单击 **连接**
VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
@ -118,7 +118,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](
1. 单击右上角的 **完成**
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
@ -145,7 +145,7 @@ Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用 `yum` 安装 `N
1. 单击 **Add** 保存 VPN 连接信息。
1. 启用 **VPN** 连接。
VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
### 其它 Linux

View File

@ -10,7 +10,7 @@
* [OS X (macOS)](#os-x)
* [Android](#android)
* [iOS (iPhone/iPad)](#ios)
* [Chromebook](#chromebook)
* [Chrome OS (Chromebook)](#chrome-os)
* [Linux](#linux)
* [故障排除](#故障排除)
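Review bot: The table-of-contents entry changes its target from `#chromebook` to `#chrome-os`, so any existing link to the old `#chromebook` anchor (other docs, issues, bookmarks) will stop resolving once the heading is renamed. Consider keeping the old anchor alive, for example with an explicit `<a name="chromebook"></a>` next to the new `## Chrome OS` heading, or confirm that nothing in the repository still links to it. The same rename appears in the English version of this file.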
@ -170,7 +170,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v
1. 选中 **保存帐户信息** 复选框。
1. 单击 **连接**
VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
@ -190,26 +190,28 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](
1. 单击右上角的 **完成**
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
## Chromebook
## Chrome OS
1. 如果你尚未登录 Chromebook请先登录。
1. 单击状态区(其中显示你的帐户头像)。
1. 单击 **设置**
1. 在 **互联网连接** 部分,单击 **添加连接**
1. 单击 **添加 OpenVPN / L2TP**
1. 在 **服务器主机名** 字段中输入`你的 VPN 服务器 IP`。
> 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
1. 进入设置 -> 网络。
1. 单击 **添加连接**,然后单击 **添加内置 VPN**
1. 在 **服务名称** 字段中输入任意内容。
1. 在 **供应商类型** 下拉菜单选择 **L2TP/IPsec + 预共享密钥**
1. 在 **预共享密钥** 字段中输入`你的 VPN IPsec PSK`。
1. 在 **提供商类型** 下拉菜单选择 **L2TP/IPsec**
1. 在 **服务器主机名** 字段中输入`你的 VPN 服务器 IP`。
1. 在 **身份验证类型** 下拉菜单选择 **预共享密钥**
1. 在 **用户名** 字段中输入`你的 VPN 用户名`。
1. 在 **密码** 字段中输入`你的 VPN 密码`。
1. 在 **预共享密钥** 字段中输入`你的 VPN IPsec PSK`。
1. 保持其他字段空白。
1. 启用 **保存身份信息和密码**
1. 单击 **连接**
VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,网络状态图标上会出现 VPN 指示。你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
@ -241,7 +243,7 @@ Ubuntu 18.04 和更新版本用户可以使用 `apt` 安装 [network-manager-l2t
如果在连接过程中遇到错误,请尝试 [这个解决方案](https://github.com/nm-l2tp/NetworkManager-l2tp/blob/2926ea0239fe970ff08cb8a7863f8cb519ece032/README.md#unable-to-establish-l2tp-connection-without-udp-source-port-1701)。
VPN 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
### Fedora 和 CentOS

View File

@ -10,7 +10,7 @@ After [setting up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn
* [OS X (macOS)](#os-x)
* [Android](#android)
* [iOS (iPhone/iPad)](#ios)
* [Chromebook](#chromebook)
* [Chrome OS (Chromebook)](#chrome-os)
* [Linux](#linux)
* [Troubleshooting](#troubleshooting)
@ -193,19 +193,21 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
## Chromebook
## Chrome OS
1. If you haven't already, sign in to your Chromebook.
1. Click the status area, where your account picture appears.
1. Click **Settings**.
1. In the **Internet connection** section, click **Add connection**.
1. Click **Add OpenVPN / L2TP**.
1. Enter `Your VPN Server IP` for the **Server hostname**.
> You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
1. Go to Settings -> Network.
1. Click **Add connection**, then click **Add built-in VPN**.
1. Enter anything you like for the **Service name**.
1. Make sure **Provider type** is **L2TP/IPSec + pre-shared key**.
1. Enter `Your VPN IPsec PSK` for the **Pre-shared key**.
1. Select **L2TP/IPsec** in the **Provider type** drop-down menu.
1. Enter `Your VPN Server IP` for the **Server hostname**.
1. Select **Pre-shared key** in the **Authentication type** drop-down menu.
1. Enter `Your VPN Username` for the **Username**.
1. Enter `Your VPN Password` for the **Password**.
1. Enter `Your VPN IPsec PSK` for the **Pre-shared key**.
1. Leave other fields blank.
1. Enable **Save identity and password**.
1. Click **Connect**.
Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
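Review bot: The new note "You may also connect using IKEv2 mode (recommended)" gives no reason for the recommendation, while the steps below it still have the user type the shared `Your VPN IPsec PSK` plus a username and password. One clause of rationale would help readers choose, for instance that the IKEv2 guide authenticates with a client certificate and needs no IPsec PSK, username or password.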

View File

@ -16,7 +16,7 @@
现代操作系统支持 IKEv2 协议标准。因特网密钥交换英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较IKEv2 的 [功能改进](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) 包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于 Windows, macOS, iOS, Android, Linux 和 RouterOS。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于 Windows, macOS, iOS, Android, Chrome OS, Linux 和 RouterOS。
默认情况下,运行 VPN 安装脚本时会自动配置 IKEv2。如果你想了解有关配置 IKEv2 的更多信息,请参见 [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2)。Docker 用户请看 [配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。
@ -28,6 +28,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
* [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios)
* [Android](#android)
* [Chrome OS (Chromebook)](#chrome-os)
* [Linux](#linux)
* [Mikrotik RouterOS](#routeros)
@ -355,6 +356,48 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### Chrome OS
首先,在 VPN 服务器上导出 CA 证书到 `ikev2vpnca.cer`
```bash
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
```
将生成的 `.p12` 文件和 `ikev2vpnca.cer` 文件安全地传送到你的 Chrome OS 设备。
安装用户证书和 CA 证书:
1. 在 Google Chrome 中打开新标签页。
1. 在地址栏中输入 **chrome://settings/certificates**
1. **(重要)** 单击 **导入并绑定** 而不是 **导入**
1. 在对话框中选择你从服务器传送过来的 `.p12` 文件并选择 **打开**
1. 如果证书没有密码,单击 **确定**。否则输入该证书的密码。
1. 单击上面的 **授权机构** 选项卡,然后单击 **导入**
1. 在对话框中左下角的下拉菜单选择 **所有文件**
1. 选择你从服务器传送过来的 `ikev2vpnca.cer` 文件并选择 **打开**
1. 保持默认选项并单击 **确定**
添加 VPN 连接:
1. 进入设置 -> 网络。
1. 单击 **添加连接**,然后单击 **添加内置 VPN**
1. 在 **服务名称** 字段中输入任意内容。
1. 在 **提供商类型** 下拉菜单选择 **IPsec (IKEv2)**
1. 在 **服务器主机名** 字段中输入 `你的 VPN 服务器 IP`(或者域名)。
1. 在 **身份验证类型** 下拉菜单选择 **用户证书**
1. 在 **服务器 CA 证书** 下拉菜单选择 **IKEv2 VPN CA [IKEv2 VPN CA]**
1. 在 **用户证书** 下拉菜单选择 **IKEv2 VPN CA [客户端名称]**
1. 保持其他字段空白。
1. 启用 **保存身份信息和密码**
1. 单击 **连接**
连接成功后,网络状态图标上会出现 VPN 指示。你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
(可选功能)你可以选择启用 Chrome OS 上的 "始终开启的 VPN" 功能。要管理该设置,进入设置 -> 网络,然后单击 **VPN**
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### Linux
在配置 Linux 客户端之前,你必须更改 VPN 服务器上的以下设置:编辑服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节的末尾添加 `authby=rsa-sha1`,开头必须空两格。保存文件并运行 `service ipsec restart`
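Review bot: Step 3 of the certificate installation list, "**(重要)** 单击 **导入并绑定** 而不是 **导入**", is flagged as important but never says why, or what goes wrong if plain **导入** is used. Add a short reason or the resulting symptom to that step (and to the matching step in the English guide) so a reader who picked the wrong button can recognise and recover from it.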

View File

@ -16,7 +16,7 @@
Modern operating systems support the IKEv2 standard. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains [improvements](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with Windows, macOS, iOS, Android, Linux and RouterOS.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with Windows, macOS, iOS, Android, Chrome OS, Linux and RouterOS.
By default, IKEv2 is automatically set up when running the VPN setup script. If you want to learn more about setting up IKEv2, see [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn).
@ -28,6 +28,7 @@ By default, IKEv2 is automatically set up when running the VPN setup script. If
* [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios)
* [Android](#android)
* [Chrome OS (Chromebook)](#chrome-os)
* [Linux](#linux)
* [Mikrotik RouterOS](#routeros)
@ -61,7 +62,7 @@ In certain circumstances, you may need to change the IKEv2 server address. For e
1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**.
1. Right-click on the saved script, select **Run as administrator** and follow the prompts.
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
@ -114,7 +115,7 @@ Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 confi
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
@ -188,7 +189,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
1. Click **Connect**.
</details>
Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
@ -248,7 +249,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
1. Slide the **VPN** switch ON.
</details>
Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
@ -351,7 +352,49 @@ If you manually set up IKEv2 without using the helper script, click here for ins
1. Save the new VPN connection, then tap to connect.
</details>
Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### Chrome OS
First, on your VPN server, export the CA certificate as `ikev2vpnca.cer`:
```bash
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
```
Securely transfer the generated `.p12` and `ikev2vpnca.cer` files to your Chrome OS device.
Install user and CA certificates:
1. Open a new tab in Google Chrome.
1. In the address bar, enter **chrome://settings/certificates**
1. **(Important)** Click **Import and Bind**, not **Import**.
1. In the box that opens, choose the `.p12` file you transferred from the VPN server and select **Open**.
1. Click **OK** if the certificate does not have a password. Otherwise, enter the certificate's password.
1. Click the **Authorities** tab. Then click **Import**.
1. In the box that opens, select **All files** in the drop-down menu at the bottom left.
1. Choose the `ikev2vpnca.cer` file you transferred from the VPN server and select **Open**.
1. Keep the default options and click **OK**.
Add a new VPN connection:
1. Go to Settings -> Network.
1. Click **Add connection**, then click **Add built-in VPN**.
1. Enter anything you like for the **Service name**.
1. Select **IPsec (IKEv2)** in the **Provider type** drop-down menu.
1. Enter `Your VPN Server IP` (or DNS name) for the **Server hostname**.
1. Select **User certificate** in the **Authentication type** drop-down menu.
1. Select **IKEv2 VPN CA [IKEv2 VPN CA]** in the **Server CA certificate** drop-down menu.
1. Select **IKEv2 VPN CA [client name]** in the **User certificate** drop-down menu.
1. Leave other fields blank.
1. Enable **Save identity and password**.
1. Click **Connect**.
Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
(Optional feature) You can choose to enable the "Always-on VPN" feature on Chrome OS. To manage this setting, go to Settings -> Network, then click **VPN**.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
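Review bot: "Securely transfer the generated `.p12` and `ikev2vpnca.cer` files" treats both files alike, but only the `.p12` carries the client's private key, and the import list below allows for a `.p12` with no password ("Click **OK** if the certificate does not have a password"). Say what a secure transfer means here and add a step to delete the `.p12` from the Chrome OS device once it has been imported; the CA certificate is public and needs no such care.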
@ -415,7 +458,7 @@ You can then set up and enable the VPN connection:
1. Click **Add** to save the VPN connection information.
1. Turn the **VPN** switch ON.
Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).