mirror of synced 2024-11-25 22:36:04 +03:00

Update docs

This commit is contained in:
hwdsl2 2022-01-02 12:57:55 -06:00
parent 0bcce9fb61
commit 1aae392e48
6 changed files with 31 additions and 15 deletions

View File

@ -82,7 +82,7 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
<a name="debian-10-note"></a> <a name="debian-10-note"></a>
\* Debian 11 或者 10 用户需要[使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。 \* Debian 11 或者 10 用户需要[使用标准的 Linux 内核](docs/clients-zh.md#debian-10-内核)。
<a name="centos-8-note"></a> <a name="centos-8-note"></a>
\*\* CentOS Linux 8 的支持[于 2021-12-31 结束](https://wiki.centos.org/About/Product) \*\* 对 CentOS Linux 8 的支持[已经结束](https://wiki.centos.org/About/Product)。你可以使用 Rocky Linux, AlmaLinux OS 或者 CentOS Stream 8
:warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上!

View File

@ -82,7 +82,7 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is
<a name="debian-10-note"></a> <a name="debian-10-note"></a>
\* Debian 11 or 10 users should [use the standard Linux kernel](docs/clients.md#debian-10-kernel). \* Debian 11 or 10 users should [use the standard Linux kernel](docs/clients.md#debian-10-kernel).
<a name="centos-8-note"></a> <a name="centos-8-note"></a>
\*\* CentOS Linux 8 [is only supported until 2021-12-31](https://wiki.centos.org/About/Product). \*\* CentOS Linux 8 [is no longer supported](https://wiki.centos.org/About/Product). Use Rocky Linux, AlmaLinux OS or CentOS Stream 8.
:warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server!
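Review bot: "Use Rocky Linux, AlmaLinux OS or CentOS Stream 8." puts CentOS Stream 8 on equal footing with the two RHEL rebuilds, but Stream tracks ahead of RHEL as its development branch rather than being a point-release replacement for CentOS Linux 8, so a reader migrating a VPN server should be told which of the three the scripts are tested on, or at least that Stream is a different kind of distribution. Consider also linking Rocky Linux and AlmaLinux OS the way the CentOS wiki is linked, since the reader is being sent there.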
@ -194,7 +194,7 @@ See [Advanced usage](docs/advanced-usage.md).
- [Use alternative DNS servers](docs/advanced-usage.md#use-alternative-dns-servers) - [Use alternative DNS servers](docs/advanced-usage.md#use-alternative-dns-servers)
- [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes) - [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes)
- [IKEv2 only VPN](docs/advanced-usage.md#ikev2-only-vpn) - [IKEv2-only VPN](docs/advanced-usage.md#ikev2-only-vpn)
- [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic) - [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic)
- [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients) - [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients)
- [Split tunneling](docs/advanced-usage.md#split-tunneling) - [Split tunneling](docs/advanced-usage.md#split-tunneling)

View File

@ -28,7 +28,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
对于 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后VPN 会继续正常工作,虽然可能需要重启服务器。 对于 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后VPN 会继续正常工作,虽然可能需要重启服务器。
对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN)。它将包含在生成的服务器证书中,这是 VPN 客户端连接所必需的。示例如下: 对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
``` ```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
@ -38,9 +38,9 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
## 仅限 IKEv2 的 VPN ## 仅限 IKEv2 的 VPN
Libreswan 4.2 和更新版本支持 `ikev1-policy` 配置选项。使用此选项,高级用户可以为 VPN 服务器启用仅限 IKEv2 模式。当启用该模式时VPN 客户端仅能使用 IKEv2 连接到 VPN 服务器。所有的 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。 使用 Libreswan 4.2 或更新版本,高级用户可以为 VPN 服务器启用仅限 IKEv2 模式。当启用该模式时VPN 客户端仅能使用 IKEv2 连接到 VPN 服务器。所有的 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。
设置仅限 IKEv2 的 VPN,首先按照[自述文件](../README-zh.md)中的说明安装 VPN 服务器并且配置 IKEv2。然后运行这个[辅助脚本](../extras/ikev2onlymode.sh)并按提示操作 启用仅限 IKEv2 模式,首先按照[自述文件](../README-zh.md)中的说明安装 VPN 服务器并且配置 IKEv2。然后运行[辅助脚本](../extras/ikev2onlymode.sh)并按提示操作
```bash ```bash
# 下载脚本 # 下载脚本
@ -49,7 +49,15 @@ wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
sudo bash ikev2onlymode.sh sudo bash ikev2onlymode.sh
``` ```
要禁用仅限 IKEv2 模式,再次运行辅助脚本并选择适当的选项。
<details>
<summary>
另外,你也可以手动启用仅限 IKEv2 模式。点这里查看详情。
</summary>
另外,你也可以手动启用仅限 IKEv2 模式。首先使用 `ipsec --version` 命令检查 Libreswan 版本,并[更新 Libreswan](../README-zh.md#升级libreswan)(如果需要)。然后编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。 另外,你也可以手动启用仅限 IKEv2 模式。首先使用 `ipsec --version` 命令检查 Libreswan 版本,并[更新 Libreswan](../README-zh.md#升级libreswan)(如果需要)。然后编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。
</details>
## VPN 内网 IP 和流量 ## VPN 内网 IP 和流量
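Review bot: the sentence "另外,你也可以手动启用仅限 IKEv2 模式。" now appears both as the `<summary>` text and as the first sentence of the `<details>` body, so once the reader expands the block it is shown twice in a row. Drop it from the body (start directly with "首先使用 `ipsec --version` 命令...") or shorten the summary to the "点这里查看详情" part; the English file in this commit has the same duplication.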

View File

@ -4,7 +4,7 @@
* [Use alternative DNS servers](#use-alternative-dns-servers) * [Use alternative DNS servers](#use-alternative-dns-servers)
* [DNS name and server IP changes](#dns-name-and-server-ip-changes) * [DNS name and server IP changes](#dns-name-and-server-ip-changes)
* [IKEv2 only VPN](#ikev2-only-vpn) * [IKEv2-only VPN](#ikev2-only-vpn)
* [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) * [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic)
* [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients) * [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients)
* [Split tunneling](#split-tunneling) * [Split tunneling](#split-tunneling)
@ -28,7 +28,7 @@ In certain circumstances, you may want VPN clients to use the specified DNS serv
For [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required. For [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required.
For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate, which is required for VPN clients to connect. Example: For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
``` ```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
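Review bot: removing "which is required for VPN clients to connect" deletes the only hint of why the FQDN matters, and the replacement "It will be included in the generated server certificate." states a fact without its consequence. The point worth keeping is that the certificate identifies the server by this name rather than by its IP, which is exactly why the VPN survives an IP change once the DNS record is updated, and it means clients must be given the same name as the server address: clients that validate the server certificate against the address they dial (the Windows built-in client does) will reject a connection made to a name or address the certificate does not carry. Suggest one sentence along those lines here and in the matching ikev2-howto.md hunk.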
@ -36,11 +36,11 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
Alternatively, you may customize IKEv2 setup options by running the [helper script](ikev2-howto.md#set-up-ikev2-using-helper-script) without the `--auto` parameter. Alternatively, you may customize IKEv2 setup options by running the [helper script](ikev2-howto.md#set-up-ikev2-using-helper-script) without the `--auto` parameter.
## IKEv2 only VPN ## IKEv2-only VPN
Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can enable IKEv2-only mode on the VPN server. With IKEv2-only mode enabled, VPN clients can only connect to the VPN server using IKEv2. All IKEv1 connections (including IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) will be dropped. Using Libreswan 4.2 or newer, advanced users can enable IKEv2-only mode on the VPN server. With IKEv2-only mode enabled, VPN clients can only connect to the VPN server using IKEv2. All IKEv1 connections (including IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) will be dropped.
To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in the [README](../README.md). Then run this [helper script](../extras/ikev2onlymode.sh) and follow the prompts: To enable IKEv2-only mode, first install the VPN server and set up IKEv2 using instructions in the [README](../README.md). Then run the [helper script](../extras/ikev2onlymode.sh) and follow the prompts.
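Review bot: the rewritten sentence "Then run the [helper script](../extras/ikev2onlymode.sh) and follow the prompts." now ends with a period, but the fenced block that immediately follows is the command it refers to; keep the colon the old text had (the zh file in this commit makes the same change). Dropping the explicit mention of the `ikev1-policy` option from the intro is fine as long as the manual instructions further down keep it, which they do.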
```bash ```bash
# Download the script # Download the script
@ -49,7 +49,15 @@ wget -O ikev2onlymode.sh https://bit.ly/ikev2onlymode
sudo bash ikev2onlymode.sh sudo bash ikev2onlymode.sh
``` ```
To disable IKEv2-only mode, run the helper script again and select the appropriate option.
<details>
<summary>
Alternatively, you may manually enable IKEv2-only mode. Click here for details.
</summary>
Alternatively, you may manually enable IKEv2-only mode. First check Libreswan version using `ipsec --version`, and [update Libreswan](../README.md#upgrade-libreswan) if needed. Then edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled. Alternatively, you may manually enable IKEv2-only mode. First check Libreswan version using `ipsec --version`, and [update Libreswan](../README.md#upgrade-libreswan) if needed. Then edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled.
</details>
## Internal VPN IPs and traffic ## Internal VPN IPs and traffic
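Review bot: the added "To disable IKEv2-only mode, run the helper script again and select the appropriate option." only covers the script path, while the manual instructions in the `<details>` block describe enabling only. A reader who enabled the mode by hand by appending `ikev1-policy=drop` to `config setup` needs the reverse stated too: remove that line, run `service ipsec restart` again, and confirm with `ipsec status` that the IKEv1 connections are loaded alongside `ikev2-cp`. Same gap in the zh file, and as there, the summary sentence is repeated verbatim as the first sentence of the body.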

View File

@ -40,7 +40,7 @@ sudo ikev2.sh --auto
sudo ikev2.sh sudo ikev2.sh
``` ```
在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。 在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
<details> <details>
<summary> <summary>
@ -61,7 +61,7 @@ sudo bash ~/ikev2.sh --auto
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。 你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。
</summary> </summary>
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。它将包含在生成的服务器证书中,这是 VPN 客户端连接所必需的。示例如下: 在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
``` ```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto

View File

@ -40,7 +40,7 @@ sudo ikev2.sh --auto
sudo ikev2.sh sudo ikev2.sh
``` ```
When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
<details> <details>
<summary> <summary>
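Review bot: the new pointer "Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn)." gives no hint of what the option costs. Per the docs/advanced-usage.md text in this same commit, IKEv2-only mode drops all IKEv1 connections, so every IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") client stops working; say so in this sentence (and in the zh counterpart), since a reader at this point in the IKEv2 how-to may still have users on those modes.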
@ -61,7 +61,7 @@ sudo bash ~/ikev2.sh --auto
You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details. You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details.
</summary> </summary>
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate, which is required for VPN clients to connect. Example: When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
``` ```
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto