
Update IKEv2 docs

hwdsl2 2021-04-10 16:25:13 -05:00
parent 5076f9ec03
commit 848ff7ba0a
2 changed files with 94 additions and 6 deletions

View File

@ -29,8 +29,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
## 使用辅助脚本
**新:** 辅助脚本现在可以为 macOS 和 iOS 客户端创建 .mobileconfig 文件,以简化客户端设置并提高 VPN 性能。
**重要:** 在继续之前,你应该已经成功地 <a href="../README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且(可选但推荐)<a href="../README-zh.md#升级libreswan" target="_blank">升级 Libreswan</a>。**Docker 用户请看 <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn" target="_blank">这里</a>**。
使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2
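Review bot: the two links in the **重要:** line use relative paths (`../README-zh.md`, `../README-zh.md#升级libreswan`), while the matching sentence in the English README touched by this same commit links the "set up your own VPN server" step to the absolute `https://github.com/hwdsl2/setup-ipsec-vpn` URL; pick one form for both languages so the two files render the same way wherever they are copied (the absolute URL resolves from a mirror or a raw copy, the relative one only from inside the repository tree).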
@ -43,7 +41,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
<details>
<summary>
你可以指定一个域名和/或另外的 DNS 服务器。这是可选的。点这里查看详情。
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。
</summary>
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下:
@ -52,6 +50,12 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
类似地,你可以指定第一个 IKEv2 客户端的名称。这是可选的。如果未指定,则使用默认值 `vpnclient`
```
sudo VPN_CLIENT_NAME='your_client_name' bash ikev2.sh --auto
```
在 VPN 已连接时IKEv2 客户端默认配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。在使用自动模式安装 IKEv2 时,你可以指定另外的 DNS 服务器。这是可选的。示例如下:
```
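Review bot: the new `VPN_CLIENT_NAME` paragraph says nothing about which values are accepted. The name becomes the certificate nickname in the IPsec database and part of the exported file names (the hunks below list `vpnclient.cer`, `.p12`, `.mobileconfig` and `.sswan` files), so a value containing spaces, slashes, quotes or non-ASCII characters will behave unexpectedly; state the allowed character set and maximum length here, or say that the script validates the name and refuses bad input, in both the Chinese and the English file. Minor: the sentence ending in `vpnclient` has no full stop, unlike its English counterpart.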
@ -362,6 +366,46 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
在默认情况下,[IKEv2 辅助脚本](#使用辅助脚本) 在运行后会导出客户端配置。如果之后你想要为一个已有的客户端导出配置,重新运行辅助脚本并选择适当的选项。参见上面的使用信息。
### 删除一个客户端证书
**重要:** 从 IPsec 数据库中删除一个客户端证书 **并不能** 阻止 VPN 客户端使用该证书连接!对于此用例,你 **必须** [吊销该客户端证书](#吊销一个客户端证书),而不是删除证书。
<details>
<summary>
首先,请阅读上面的重要说明。然后点这里查看详情。
</summary>
**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。
如果要从 IPsec 数据库删除一个客户端证书:
1. 列出 IPsec 证书数据库中的证书:
```bash
certutil -L -d sql:/etc/ipsec.d
```
示例输出:
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IKEv2 VPN CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
```
1. 删除客户端证书和私钥。将下面的 "Nickname" 替换为你想要删除的客户端证书的昵称,例如 `vpnclient`
```bash
certutil -F -d sql:/etc/ipsec.d -n "Nickname"
certutil -D -d sql:/etc/ipsec.d -n "Nickname" 2>/dev/null
```
1. (可选步骤)删除之前为该客户端生成的配置文件(`.p12`, `.mobileconfig``.sswan` 文件),如果存在。
</details>
### 吊销一个客户端证书
在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。
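Review bot: the new delete steps do not say that the `certutil` commands must be run as `root`, although the revoke section directly below does (`这些命令必须用 root 账户运行`) and the database under `/etc/ipsec.d` is normally readable only by root, so step 1 (`certutil -L -d sql:/etc/ipsec.d`) will fail for an ordinary user with a permission error rather than an empty list; add the same "run as root" sentence that the revoke section has, or prefix the three commands with `sudo`.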

View File

@ -29,8 +29,6 @@ After following this guide, you will be able to connect to the VPN using IKEv2 i
## Using helper scripts
**New:** For macOS and iOS clients, the helper script can now create .mobileconfig files to simplify client setup and improve VPN performance.
**Important:** Before continuing, you should have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your own VPN server</a>, and (optional but recommended) <a href="../README.md#upgrade-libreswan" target="_blank">updated Libreswan</a>. **Docker users, see <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn" target="_blank">here</a>**.
Use this helper script to automatically set up IKEv2 on the VPN server:
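Review bot: in the **Important:** line the first link is absolute (`https://github.com/hwdsl2/setup-ipsec-vpn`) while the second, in the same sentence, is relative (`../README.md#upgrade-libreswan`); use one convention for both so they resolve consistently when the file is viewed outside the repository tree.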
@ -43,7 +41,7 @@ The <a href="../extras/ikev2setup.sh" target="_blank">script</a> must be run usi
<details>
<summary>
You may optionally specify a DNS name and/or custom DNS servers. Click here for details.
You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details.
</summary>
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example:
@ -52,6 +50,12 @@ When running IKEv2 setup in auto mode, advanced users can optionally specify a D
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
Similarly, you may optionally specify a name for the first IKEv2 client. The default is `vpnclient` if not specified.
```
sudo VPN_CLIENT_NAME='your_client_name' bash ikev2.sh --auto
```
By default, IKEv2 clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. When running IKEv2 setup in auto mode, you may optionally specify custom DNS server(s). Example:
```
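Review bot: the fence added around `sudo VPN_CLIENT_NAME='your_client_name' bash ikev2.sh --auto` carries no language tag, but the `certutil` blocks added later in this commit are fenced as ```bash; tag this one (and the identical block in the Chinese file) the same way so the shell snippets in the document highlight consistently.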
@ -364,6 +368,46 @@ To generate certificates for additional IKEv2 clients, just run the [helper scri
By default, the [IKEv2 helper script](#using-helper-scripts) exports client configuration after running. If later you want to export configuration for an existing client, run the helper script again and select the appropriate option. Refer to the usage information above.
### Delete a client certificate
**Important:** Deleting a client certificate from the IPsec database **WILL NOT** prevent VPN client(s) from connecting using that certificate! For this use case, you **MUST** [revoke the client certificate](#revoke-a-client-certificate) instead of deleting it.
<details>
<summary>
First, read the important note above. Then click here for instructions.
</summary>
**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below.
To delete a client certificate from the IPsec database:
1. List certificates in the IPsec database:
```bash
certutil -L -d sql:/etc/ipsec.d
```
Example output:
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IKEv2 VPN CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient u,u,u
```
1. Delete the client certificate and private key. Replace "Nickname" below with the nickname of the client certificate you want to delete, e.g. `vpnclient`.
```bash
certutil -F -d sql:/etc/ipsec.d -n "Nickname"
certutil -D -d sql:/etc/ipsec.d -n "Nickname" 2>/dev/null
```
1. (Optional) Delete the previously generated client configuration files (`.p12`, `.mobileconfig` and `.sswan` files) for this VPN client, if any.
</details>
### Revoke a client certificate
In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
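Review bot: the `2>/dev/null` on `certutil -D -d sql:/etc/ipsec.d -n "Nickname" 2>/dev/null` hides every error, not only the harmless "not found" that follows a successful `certutil -F` (which already removes the certificate together with its key); a wrong database path, a permission problem or a mistyped nickname would also pass silently and the reader would believe the certificate is gone. Either drop the redirect, or keep it and add a verification step that re-runs `certutil -L -d sql:/etc/ipsec.d` and checks that the nickname no longer appears in the listing. The same applies to the Chinese file. The **Important:** note is the right emphasis: because the server trusts any certificate signed by the CA, only the revocation procedure in the next section stops a client, and deleting the local copy does not.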