diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index ae98d0f..fbe1d08 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md @@ -42,7 +42,7 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto 你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为 VPN 客户端分配的 IP 是动态的,而且客户端设备上的防火墙可能会阻止这些流量。 -对于 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式,高级用户可以将静态 IP 分配给 VPN 客户端。这是可选的。展开以查看详细信息。IKEv2 模式 **不支持** 此功能。 +高级用户可以将静态 IP 分配给 VPN 客户端。这是可选的。展开以查看详细信息。
@@ -60,7 +60,7 @@ IPsec/L2TP 模式:为 VPN 客户端分配静态 IP "username3" l2tpd "password3" * ``` - 假设你要为 VPN 用户 `username2` 分配静态 IP `192.168.42.2`,为 VPN 用户 `username3` 分配静态 IP `192.168.42.3`,同时保持 `username1` 不变(从池中自动分配)。在编辑完成后,文件内容应该如下所示: + 假设你要为 VPN 用户 `username2` 分配静态 IP `192.168.42.2`,为 VPN 用户 `username3` 分配静态 IP `192.168.42.3`,同时保持 `username1` 不变(从池中自动分配)。在编辑完成后,文件内容应该如下所示: ``` "username1" l2tpd "password1" * "username2" l2tpd "password2" 192.168.42.2 @@ -91,7 +91,7 @@ IPsec/XAuth ("Cisco IPsec") 模式:为 VPN 客户端分配静态 IP username3:password3hashed:xauth-psk ``` - 假设你要为 VPN 用户 `username2` 分配静态 IP `192.168.43.2`,为 VPN 用户 `username3` 分配静态 IP `192.168.43.3`,同时保持 `username1` 不变(从池中自动分配)。在编辑完成后,文件内容应该如下所示: + 假设你要为 VPN 用户 `username2` 分配静态 IP `192.168.43.2`,为 VPN 用户 `username3` 分配静态 IP `192.168.43.3`,同时保持 `username1` 不变(从池中自动分配)。在编辑完成后,文件内容应该如下所示: ``` username1:password1hashed:xauth-psk username2:password2hashed:xauth-psk:192.168.42.2 @@ -105,6 +105,47 @@ IPsec/XAuth ("Cisco IPsec") 模式:为 VPN 客户端分配静态 IP ```
+
+ +IKEv2 模式:为 VPN 客户端分配静态 IP + + +下面的示例 **仅适用于** IKEv2 模式。这些命令必须用 `root` 账户运行。 + +1. 首先为要分配静态 IP 的每个客户端创建一个新的 IKEv2 客户端证书,并且在纸上记下每个客户端的名称。参见 [添加客户端证书](ikev2-howto-zh.md#添加客户端证书)。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为比如 `rightaddresspool=192.168.43.100-192.168.43.250`。这样可以缩小自动分配的 IP 地址池,从而使更多的 IP 可以作为静态 IP 分配给客户端。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为与上一步 **相同的值**。 +1. 再次编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。例如,如果文件内容是: + ``` + conn ikev2-cp + left=%defaultroute + ... ... + ``` + + 假设你要为 IKEv2 客户端 `client1` 分配静态 IP `192.168.43.4`,为客户端 `client2` 分配静态 IP `192.168.43.5`,同时保持其它客户端不变(从池中自动分配)。在编辑完成后,文件内容应该如下所示: + ``` + conn ikev2-cp + left=%defaultroute + ... ... + + conn client1 + rightid=@client1 + rightaddresspool=192.168.43.4-192.168.43.4 + also=ikev2-cp + + conn client2 + rightid=@client2 + rightaddresspool=192.168.43.5-192.168.43.5 + also=ikev2-cp + ``` + + **注:** 为要分配静态 IP 的每个客户端添加一个新的 `conn` 小节。`rightid=` 右边的客户端名称必须添加 `@` 前缀。该客户端名称必须与你在[添加客户端证书](ikev2-howto-zh.md#添加客户端证书)时指定的名称完全一致。分配的静态 IP 必须来自子网 `192.168.43.0/24`,并且必须 **不是** 来自自动分配的 IP 地址池(参见上面的 `rightaddresspool`)。在上面的示例中,你只能分配 `192.168.43.1-192.168.43.99` 范围内的静态 IP。 +1. **(重要)** 重启 IPsec 服务: + ``` + service ipsec restart + ``` +
+ 在默认配置下,允许客户端之间的流量。如果你想要 **不允许** 客户端之间的流量,可以在 VPN 服务器上运行以下命令。将它们添加到 `/etc/rc.local` 以便在重启后继续有效。 ``` 
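Review bot: steps 2 and 3 of the new IKEv2 procedure tell the reader to set the same `rightaddresspool=` value in `/etc/ipsec.d/ikev2.conf` and `/etc/ipsec.conf` but never say why the two must agree or what breaks if they differ; since the hunk shows the identical pool line living in both files, one sentence after step 3 (that the IKEv2 conn and the conn in `/etc/ipsec.conf` share this pool, so the two settings must stay identical) would stop readers from editing only one file. The note at the end of step 4 then hard-codes `192.168.43.1-192.168.43.99` as the usable static range, but that range only follows from the example pool chosen in step 2; phrasing it as "addresses in `192.168.43.0/24` below the start of the pool you configured" keeps the note correct for readers who picked a different pool.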
@@ -116,28 +157,30 @@ iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP ## 转发端口到 VPN 客户端 -在某些情况下,你可能想要将 VPN 服务器上的端口转发到一个已连接的 VPN 客户端。这可以通过在 VPN 服务器上添加 IPTables 规则来实现。如果要在重新启动后继续有效,你可以将这些命令添加到 `/etc/rc.local`。 +在某些情况下,你可能想要将 VPN 服务器上的端口转发到一个已连接的 VPN 客户端。这可以通过在 VPN 服务器上添加 IPTables 规则来实现。 -**警告:** 端口转发会将 VPN 客户端上的端口暴露给整个因特网,这可能会带来**安全风险**! +**警告:** 端口转发会将 VPN 客户端上的端口暴露给整个因特网,这可能会带来**安全风险**!**不建议**这样做,除非你的用例需要它。 **注:** 为 VPN 客户端分配的内网 IP 是动态的,而且客户端设备上的防火墙可能会阻止转发的流量。如果要将静态 IP 分配给 VPN 客户端,请参见上一节。要找到为特定的客户端分配的 IP,可以查看该 VPN 客户端上的连接状态。 示例 1:将 VPN 服务器上的 TCP 端口 443 转发到位于 `192.168.42.10` 的 IPsec/L2TP 客户端。 ``` # 获取默认网络接口名称 -ifname=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -iptables -I FORWARD 2 -i "$ifname" -o ppp+ -p tcp --dport 443 -j ACCEPT +netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') +iptables -I FORWARD 2 -i "$netif" -o ppp+ -p tcp --dport 443 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.10 ``` 示例 2:将 VPN 服务器上的 UDP 端口 123 转发到位于 `192.168.43.10` 的 IKEv2(或 IPsec/XAuth)客户端。 ``` # 获取默认网络接口名称 -ifname=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -iptables -I FORWARD 2 -i "$ifname" -d 192.168.43.0/24 -p udp --dport 123 -j ACCEPT +netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') +iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p udp --dport 123 -j ACCEPT iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to 192.168.43.10 ``` +如果你想要这些规则在重启后仍然有效,可以将这些命令添加到 `/etc/rc.local`。要删除添加的 IPTables 规则,请再次运行这些命令,但是将 `-I FORWARD 2` 替换为 `-D FORWARD`,并且将 `-A PREROUTING` 替换为 `-D PREROUTING`。 + ## VPN 分流 在启用 [VPN 分流 (split tunneling)](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling) 时,VPN 客户端将仅通过 VPN 隧道发送特定目标子网的流量。其他流量 **不会** 通过 VPN 隧道。VPN 分流 [有一些局限性](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling),而且并非所有的 VPN 客户端都支持。 
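Review bot: the PREROUTING DNAT rules in both examples match only on `-p tcp --dport 443` / `-p udp --dport 123`, with no `-i "$netif"` or `-d` restriction, so they also rewrite traffic that enters from the VPN clients themselves; with example 1 applied, a connected client's own HTTPS traffic to any site on port 443 is redirected to `192.168.42.10` instead of reaching the Internet. The FORWARD rule already scopes on `-i "$netif"`; give the nat rule the same scope, e.g. `iptables -t nat -A PREROUTING -i "$netif" -p tcp --dport 443 -j DNAT --to 192.168.42.10` (and the same for example 2), and adjust the `-D PREROUTING` removal instruction added at the end of this hunk so that it still matches the rule spec.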
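Review bot: in the `@@ -91` hunk of this file the context lines show the prose assigning `192.168.43.2` and `192.168.43.3` to `username2` and `username3`, while the example file content directly below it reads `username2:password2hashed:xauth-psk:192.168.42.2`; the hunk only touches the prose line, so this pre-existing mismatch survives the change. The IPsec/XAuth pool is in `192.168.43.0/24` (the `rightaddresspool=192.168.43.10-192.168.43.250` line quoted in the IKEv2 section of this same patch), so the example line should read `192.168.43.2`, and the lines that follow it should be checked for the same slip.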
diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index ccac192..ec7e537 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -42,7 +42,7 @@ When connecting using [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) or [IKEv2] You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic. -For the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, advanced users may optionally assign static IPs to VPN clients. Expand for details. IKEv2 mode does NOT support this feature. +Advanced users may optionally assign static IPs to VPN clients. Expand for details.
@@ -105,6 +105,47 @@ The example below **ONLY** applies to IPsec/XAuth ("Cisco IPsec") mode. Commands ```
+
+ +IKEv2 mode: Assign static IPs to VPN clients + + +The example below **ONLY** applies to IKEv2 mode. Commands must be run as `root`. + +1. First, create a new IKEv2 client certificate for each client that you want to assign a static IP to, and write down the name of each IKEv2 client. Refer to [Add a client certificate](ikev2-howto.md#add-a-client-certificate). +1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. Replace `rightaddresspool=192.168.43.10-192.168.43.250` with e.g. `rightaddresspool=192.168.43.100-192.168.43.250`. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs. +1. Edit `/etc/ipsec.conf` on the VPN server. Replace `rightaddresspool=192.168.43.10-192.168.43.250` with the **same value** as the previous step. +1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server again. For example, if the file contains: + ``` + conn ikev2-cp + left=%defaultroute + ... ... + ``` + + Let's assume that you want to assign static IP `192.168.43.4` to IKEv2 client `client1`, assign static IP `192.168.43.5` to client `client2`, while keeping other clients unchanged (auto-assign from the pool). After editing, the file should look like: + ``` + conn ikev2-cp + left=%defaultroute + ... ... + + conn client1 + rightid=@client1 + rightaddresspool=192.168.43.4-192.168.43.4 + also=ikev2-cp + + conn client2 + rightid=@client2 + rightaddresspool=192.168.43.5-192.168.43.5 + also=ikev2-cp + ``` + + **Note:** Add a new `conn` section for each client that you want to assign a static IP to. You must add a `@` prefix to the client name for `rightid=`. The client name must exactly match the name you specified when [adding the client certificate](ikev2-howto.md#add-a-client-certificate). The assigned static IP(s) must be from the subnet `192.168.43.0/24`, and must NOT be from the pool of auto-assigned IPs (see `rightaddresspool` above). 
In the example above, you can only assign static IP(s) from the range `192.168.43.1-192.168.43.99`. +1. **(Important)** Restart the IPsec service: + ``` + service ipsec restart + ``` +
+ Client-to-client traffic is allowed by default. If you want to **disallow** client-to-client traffic, run the following commands on the VPN server. Add them to `/etc/rc.local` to persist after reboot. ``` 
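Review bot: each per-client `conn` section carries a one-address pool (`rightaddresspool=192.168.43.4-192.168.43.4`), but the note after step 4 does not say what that means for a client whose certificate is used on more than one device at the same time; a sentence stating that a static-IP client receives exactly one address, and whether a second simultaneous session under the same `rightid=` is supported, would save readers a confusing connection failure. Step 5 should also mention that `service ipsec restart` tears down every currently connected client, not just the ones being given a static IP, so the edit is best done during a maintenance window.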
@@ -116,28 +157,30 @@ iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP ## Port forwarding to VPN clients -In certain circumstances, you may want to forward port(s) on the VPN server to a connected VPN client. This can be done by adding IPTables rules on the VPN server. To persist after reboot, add these commands to `/etc/rc.local`. +In certain circumstances, you may want to forward port(s) on the VPN server to a connected VPN client. This can be done by adding IPTables rules on the VPN server. -**Warning:** Port forwarding will expose port(s) on the VPN client to the entire Internet, which could be a **security risk**! +**Warning:** Port forwarding will expose port(s) on the VPN client to the entire Internet, which could be a **security risk**! This is NOT recommended, unless your use case requires it. **Note:** The internal VPN IPs assigned to VPN clients are dynamic, and firewalls on client devices may block forwarded traffic. To assign static IPs to VPN clients, refer to the previous section. To check which IP is assigned to a client, view the connection status on the VPN client. Example 1: Forward TCP port 443 on the VPN server to the IPsec/L2TP client at `192.168.42.10`. ``` # Get default network interface name -ifname=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -iptables -I FORWARD 2 -i "$ifname" -o ppp+ -p tcp --dport 443 -j ACCEPT +netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') +iptables -I FORWARD 2 -i "$netif" -o ppp+ -p tcp --dport 443 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.10 ``` Example 2: Forward UDP port 123 on the VPN server to the IKEv2 (or IPsec/XAuth) client at `192.168.43.10`. 
``` # Get default network interface name -ifname=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -iptables -I FORWARD 2 -i "$ifname" -d 192.168.43.0/24 -p udp --dport 123 -j ACCEPT +netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') +iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p udp --dport 123 -j ACCEPT iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to 192.168.43.10 ``` +If you want the rules to persist after reboot, you may add these commands to `/etc/rc.local`. To remove the added IPTables rules, run the commands again, but replace `-I FORWARD 2` with `-D FORWARD`, and replace `-A PREROUTING` with `-D PREROUTING`. + ## Split tunneling With [split tunneling](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling), VPN clients will only send traffic for specific destination subnet(s) through the VPN tunnel. Other traffic will NOT go through the VPN tunnel. Split tunneling has [some limitations](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling), and is not supported by all VPN clients.
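Review bot: `route` comes from net-tools, which many current distributions no longer install by default, so `netif=$(route 2>/dev/null | ...)` silently yields an empty string (the `2>/dev/null` hides the "command not found" error) and the following `iptables -I FORWARD 2 -i "" ...` is then run with an empty interface name; the line existed before this hunk, but since the variable is being renamed here anyway, this is the place to use iproute2 instead, e.g. `netif=$(ip -4 route show default | awk '{print $5; exit}')`, or at least to check that `$netif` is non-empty before adding any rules. The new removal sentence is correct as written (`-D` takes the full rule spec), but it only matches the earlier rule if `$netif` resolves to the same value in both runs, which is another reason to make that lookup reliable.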