diff --git a/README-zh.md b/README-zh.md
index c9129e8..6c9277c 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -39,7 +39,7 @@ Ubuntu & Debian
```bash
-wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
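Review bot: the added `sudo bash /opt/src/ikev2.sh --auto` hard-codes a path that nothing in this patch creates, so the one-liner only works when the vpn.sh being run is a version that installs ikev2.sh under /opt/src; the README should say that vpn.sh puts the script there (and since when), otherwise a reader with a previously downloaded vpn.sh ends an otherwise successful install with `bash: /opt/src/ikev2.sh: No such file or directory`. Because ikev2.sh now runs after vpn.sh, the credentials that vpn.sh prints will also scroll past the ikev2.sh output, and the sentence below about login details being shown on the screen when finished should say how to get them back. The same applies to the CentOS/RHEL and Amazon Linux one-liners in the next two hunks.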
@@ -49,7 +49,7 @@ CentOS & RHEL
```bash
-wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
@@ -59,18 +59,12 @@ Amazon Linux 2
```bash
-wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。
-在安装成功之后,推荐 配置 IKEv2:
-
-```bash
-wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
-```
-
如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
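Review bot: removing the `wget https://git.io/ikev2setup -O ikev2.sh` step leaves later IKEv2 examples inconsistent: the context of the hunk at line 364/370 still runs `sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto`, which assumes ikev2.sh in the current directory, while the quick start now only guarantees /opt/src/ikev2.sh. Either point that example at /opt/src/ikev2.sh or keep one sentence saying where the script lives. The retained line saying the VPN login details are generated and displayed on the screen when finished also no longer describes what the one-liner prints last, since ikev2.sh --auto runs after vpn.sh and produces its own output.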
@@ -153,7 +147,11 @@ wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh
```
-在安装成功之后,推荐 配置 IKEv2。
+在安装成功之后,推荐 配置 IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证:
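Review bot: this three-line block is pasted verbatim into Option 1, Option 2 and Option 3 (this hunk and the next two), and the quick-start one-liners above hard-code the same /opt/src/ikev2.sh path, so any future change has to be made in four places; a single "set up IKEv2" subsection that each option links to would keep the path in one spot. The wording "it is recommended to set up IKEv2" should also say what `--auto` decides without prompting; the later context line `sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto` shows the server address is at least one such setting, which matters to readers of Options 2 and 3 who chose to control their own credentials.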
@@ -199,7 +197,11 @@ sudo sh vpn.sh
**注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。
-在安装成功之后,推荐 配置 IKEv2。
+在安装成功之后,推荐 配置 IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量:
@@ -252,7 +254,11 @@ sh vpn.sh
```
-在安装成功之后,推荐 配置 IKEv2。
+在安装成功之后,推荐 配置 IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh,vpnsetup_centos.sh 或者 vpnsetup_amzn.sh,然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。
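Review bot: the Note directly below this hunk covers readers who cannot use `wget` and paste vpn.sh by hand; for them the new `sudo bash /opt/src/ikev2.sh --auto` step only works if vpn.sh itself places ikev2.sh under /opt/src, since the reader no longer fetches it as the removed `wget https://git.io/ikev2setup` step did. Worth confirming that, and if vpn.sh downloads ikev2.sh at run time, saying so here, because these readers are by definition on hosts where that download path is unreliable.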
@@ -364,6 +370,13 @@ sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为 VPN 客户端分配的 IP 是动态的,而且客户端设备上的防火墙可能会阻止这些流量。
+在默认配置下,允许客户端之间的流量。如果你想要 \*不允许\* 客户端之间的流量,可以在 VPN 服务器上运行以下命令。将它们添加到 `/etc/rc.local` 以便在重启后继续有效。
+
+```
+iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
+```
+
### 更改 IPTables 规则
如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
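Review bot: the two DROP rules do not fully "disallow client-to-client traffic": the first matches only ppp+ to ppp+ within 192.168.42.0/24 and the second only 192.168.43.0/24 to itself, so traffic between the two pools (an L2TP client on 192.168.42.x and an IPsec/XAuth or IKEv2 client on 192.168.43.x, in either direction) is still forwarded. Cover both pools in both directions, for example `-s 192.168.42.0/23 -d 192.168.42.0/23 -j DROP` (192.168.42.0/23 spans both /24s), or add explicit 42-to-43 and 43-to-42 rules. The hard-coded positions `-I FORWARD 2` and `-I FORWARD 3` also assume a particular existing FORWARD chain and will land in the wrong place once the reader has edited the rules as the next section invites; insert at position 1 (a deny rule ahead of every ACCEPT is the safe choice) or tell the reader to verify with `iptables -L FORWARD -n --line-numbers`. Recommending `/etc/rc.local` contradicts the "Modify IPTables rules" section directly below, which says to edit /etc/iptables.rules, /etc/iptables/rules.v4 or /etc/sysconfig/iptables: rules added from rc.local are not in those files, their position relative to the restored rules depends on boot order, and rc.local is not enabled by default on current systemd distributions. Minor: the code fence is untagged while the rest of the README tags fences with `bash`.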
diff --git a/README.md b/README.md
index 8d4262a..b39f367 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ Ubuntu & Debian
```bash
-wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
@@ -49,7 +49,7 @@ CentOS & RHEL
```bash
-wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup-centos -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
@@ -59,18 +59,12 @@ Amazon Linux 2
```bash
-wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh
+wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh && sudo bash /opt/src/ikev2.sh --auto
```
Your VPN login details will be randomly generated, and displayed on the screen when finished.
-After successful installation, it is recommended to set up IKEv2:
-
-```bash
-wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
-```
-
For other installation options and how to set up VPN clients, read the sections below.
@@ -153,7 +147,11 @@ wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh
```
-After successful installation, it is recommended to set up IKEv2.
+After successful installation, it is recommended to set up IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**Option 2:** Edit the script and provide your own VPN credentials:
@@ -199,7 +197,11 @@ sudo sh vpn.sh
**Note:** A secure IPsec PSK should consist of at least 20 random characters.
-After successful installation, it is recommended to set up IKEv2.
+After successful installation, it is recommended to set up IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**Option 3:** Define your VPN credentials as environment variables:
@@ -252,7 +254,11 @@ sh vpn.sh
```
-After successful installation, it is recommended to set up IKEv2.
+After successful installation, it is recommended to set up IKEv2:
+
+```bash
+sudo bash /opt/src/ikev2.sh --auto
+```
**Note:** If unable to download via `wget`, you may also open vpnsetup.sh, vpnsetup_centos.sh or vpnsetup_amzn.sh, and click the **`Raw`** button on the right. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
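Review bot: the Note directly below this hunk covers readers who cannot use `wget` and paste vpn.sh by hand; for them the new `sudo bash /opt/src/ikev2.sh --auto` step only works if vpn.sh itself places ikev2.sh under /opt/src, since the reader no longer fetches it as the removed `wget https://git.io/ikev2setup` step did. Worth confirming that, and if vpn.sh downloads ikev2.sh at run time, saying so here, because these readers are by definition on hosts where that download path is unreliable.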
@@ -364,6 +370,13 @@ When connecting using `IPsec/XAuth ("Cisco IPsec")` or `IKEv2` mode, the VPN ser
You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic.
+Client-to-client traffic is allowed by default. If you want to \*disallow\* client-to-client traffic, run the following commands on the VPN server. Add them to `/etc/rc.local` to persist after reboot.
+
+```
+iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
+```
+
### Modify IPTables rules
If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md
index f05689c..42e8530 100644
--- a/docs/clients-xauth-zh.md
+++ b/docs/clients-xauth-zh.md
@@ -2,7 +2,7 @@
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/L2TP 模式](clients-zh.md) 连接。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。
在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
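Review bot: "you may also connect using IKEv2 (recommended)" reads as if every server already accepts IKEv2, but the link still goes to ikev2-howto-zh.md, the server-side setup guide; only servers installed with the updated one-liner or where `sudo bash /opt/src/ikev2.sh --auto` was run have it, and servers set up before this change (when IKEv2 was a separate post-install step) do not. Keep a clause such as "after setting up IKEv2 on the server", otherwise a reader on an older install will create an IKEv2 profile that has nothing to connect to. The Windows hunk below in this file has the same wording.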
@@ -18,7 +18,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP
## Windows
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/L2TP 模式](clients-zh.md) 连接。无需安装额外的软件。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。无需安装额外的软件。
1. 下载并安装免费的 Shrew Soft VPN 客户端。在安装时请选择 **Standard Edition**。
**注:** 该 VPN 客户端 **不支持** Windows 10。
diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md
index dd8abcb..a08e04a 100644
--- a/docs/clients-xauth.md
+++ b/docs/clients-xauth.md
@@ -2,7 +2,7 @@
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/L2TP mode](clients.md).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode.
After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@@ -18,7 +18,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster t
## Windows
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/L2TP mode](clients.md). No additional software is required.
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. No additional software is required.
1. Download and install the free Shrew Soft VPN client. When prompted during install, select **Standard Edition**.
**Note:** This VPN client does NOT support Windows 10.
diff --git a/docs/clients-zh.md b/docs/clients-zh.md
index 1c7da5f..e91a7a8 100644
--- a/docs/clients-zh.md
+++ b/docs/clients-zh.md
@@ -2,7 +2,7 @@
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
@@ -18,7 +18,7 @@
## Windows
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐)。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)。
### Windows 10 and 8.x
@@ -88,7 +88,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
## OS X
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。
@@ -114,7 +114,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
## Android
-**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
+**注:** 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
1. 启动 **设置** 应用程序。
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。
@@ -139,7 +139,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 故意设计的 并且不能被配置。
-如果需要 VPN 在设备唤醒后自动重连,你可以 配置 IKEv2 并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。
+如果需要 VPN 在设备唤醒后自动重连,你可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。
Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。
@@ -410,7 +410,7 @@ ipsec whack --trafficstatus
## 使用命令行配置 Linux VPN 客户端
-在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来使用命令行配置 Linux VPN 客户端。另外,你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者 [使用图形界面](#linux) 配置。以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。
+在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来使用命令行配置 Linux VPN 客户端。另外,你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐),或者 [使用图形界面配置](#linux) 。以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。
要配置 VPN 客户端,首先安装以下软件包:
diff --git a/docs/clients.md b/docs/clients.md
index 4e54660..85c07db 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -2,7 +2,7 @@
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/XAuth mode](clients-xauth.md).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@@ -18,7 +18,7 @@ After settin
## Windows
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
### Windows 10 and 8.x
@@ -88,7 +88,7 @@ If you get an error when trying to connect, see Troub
## OS X
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/XAuth mode](clients-xauth.md).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window.
@@ -113,7 +113,7 @@ If you get an error when trying to connect, see Troub
## Android
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/XAuth mode](clients-xauth.md).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
1. Launch the **Settings** application.
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
@@ -138,7 +138,7 @@ If you get an error when trying to connect, see Troub
## iOS
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/XAuth mode](clients-xauth.md).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode.
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
@@ -177,7 +177,7 @@ If you get an error when trying to connect, see Troub
## Linux
-**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended).
+**Note:** You may also connect using [IKEv2](ikev2-howto.md) mode (recommended).
### Ubuntu Linux
@@ -345,7 +345,7 @@ In addition, users running macOS Big Sur 11.0 should update to version 11.1 or n
To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured.
-If you need the VPN to auto-reconnect when the device wakes up, you may set up IKEv2 and enable the "VPN On Demand" feature. Alternatively, you may try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel".
+If you need the VPN to auto-reconnect when the device wakes up, you may connect using [IKEv2](ikev2-howto.md) mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel".
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more here.
@@ -409,7 +409,7 @@ ipsec whack --trafficstatus
## Configure Linux VPN clients using the command line
-After setting up your own VPN server, follow these steps to configure Linux VPN clients using the command line. Alternatively, you may [set up IKEv2](ikev2-howto.md) (recommended), or configure [using the GUI](#linux). Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client.
+After setting up your own VPN server, follow these steps to configure Linux VPN clients using the command line. Alternatively, you may connect using [IKEv2](ikev2-howto.md) mode (recommended), or [configure using the GUI](#linux). Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client.
To set up the VPN client, first install the following packages: