From 927e0ca7e34eb0e0fae0a6002623cfb9eb556278 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 14 Jan 2021 23:31:48 -0600 Subject: [PATCH] Update docs - Update IKEv2 docs for .mobileconfig support --- README-zh.md | 4 +-- README.md | 4 +-- docs/clients-zh.md | 4 ++- docs/clients.md | 4 ++- docs/ikev2-howto-zh.md | 59 +++++++++++++++++++++++++++++++++++++----- docs/ikev2-howto.md | 59 +++++++++++++++++++++++++++++++++++++----- 6 files changed, 114 insertions(+), 20 deletions(-) diff --git a/README-zh.md b/README-zh.md index cb243eb..23172a6 100644 --- a/README-zh.md +++ b/README-zh.md @@ -71,13 +71,13 @@ wget https://git.io/vpnsetup-amzn -O vpnsetup.sh && sudo sh vpnsetup.sh ## 功能特性 -- **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 +- **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 和 `IKEv2` 模式 - **新:** 现在可以下载 VPN 服务器的预构建 Docker 镜像 - 全自动的 IPsec VPN 服务器配置,无需用户输入 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9 和 CentOS 8/7 +- 已测试:Ubuntu, Debian, CentOS/RHEL 和 Amazon Linux 2 ## 系统要求 diff --git a/README.md b/README.md index ae878db..6198713 100644 --- a/README.md +++ b/README.md @@ -71,13 +71,13 @@ For other installation options and how to set up VPN clients, read the sections ## Features -- **New:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is supported +- **New:** The faster `IPsec/XAuth ("Cisco IPsec")` and `IKEv2` modes are supported - **New:** A pre-built Docker image of the VPN server is now available - Fully automated IPsec VPN server setup, no user input needed - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7 +- Tested with Ubuntu, Debian, CentOS/RHEL and Amazon Linux 2 ## Requirements 
diff --git a/docs/clients-zh.md b/docs/clients-zh.md index d28105f..e599f34 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -334,7 +334,9 @@ OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但 ### iOS/Android 睡眠模式 -为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 故意设计的 并且不能被配置。如果你需要 VPN 在设备唤醒后自动重连,可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 +为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 故意设计的 并且不能被配置。 + +如果需要 VPN 在设备唤醒后自动重连,你可以 配置 IKEv2 并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。 diff --git a/docs/clients.md b/docs/clients.md index b816dda..d0104ac 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -333,7 +333,9 @@ In addition, users running macOS Big Sur 11.0 should update to version 11.1 or n ### iOS/Android sleep mode -To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured. If you need the VPN to auto-reconnect when the device wakes up, try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel". +To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured. + +If you need the VPN to auto-reconnect when the device wakes up, you may set up IKEv2 and enable the "VPN On Demand" feature. Alternatively, you may try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel". Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more here. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 85d5800..c7a6656 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -5,9 +5,7 @@ * [导言](#导言) * [使用辅助脚本](#使用辅助脚本) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) -* [添加一个客户端证书](#添加一个客户端证书) -* [导出一个客户端证书](#导出一个客户端证书) -* [吊销一个客户端证书](#吊销一个客户端证书) +* [管理客户端证书](#管理客户端证书) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [已知问题](#已知问题) * [移除 IKEv2](#移除-ikev2) 
@@ -28,6 +26,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ## 使用辅助脚本 +**新:** 辅助脚本现在可以为 macOS 和 iOS 客户端创建 .mobileconfig 文件,以简化客户端设置并提高 VPN 性能。 + **重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。**Docker 用户请看 这里**。 你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2: @@ -71,8 +71,24 @@ wget https://bit.ly/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + ### OS X (macOS) +首先,将生成的 `.mobileconfig` 文件安全地传送到你的 Mac,然后双击并按提示操作,以导入为 macOS 配置描述文件。在完成之后,检查并确保 "IKEv2 VPN configuration" 显示在系统偏好设置 -> 描述文件中。 + +1. 打开系统偏好设置并转到网络部分。 +1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。 +1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 +1. 单击 **连接**。 + +(可选功能)你可以选择启用 VPN On Demand(按需连接) ,该功能在使用 Wi-Fi 网络时自动建立 VPN 连接。要启用它,选中 VPN 连接的 **按需连接** 复选框,然后单击 **应用**。 + +
+ +如果你手动配置 IKEv2 而不是使用辅助脚本,点这里查看步骤。 + + 首先,将生成的 `.p12` 文件安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。单击左上角的红色 "X" 关闭窗口。根据提示使用触控 ID,或者输入密码并单击 "更新设置"。 在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 @@ -94,13 +110,35 @@ wget https://bit.ly/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. 单击 **应用** 保存VPN连接信息。 1. 单击 **连接**。 +
+ +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ### iOS +首先,将生成的 `.mobileconfig` 文件安全地传送到你的 iOS 设备,并且导入为 iOS 配置描述文件。要传送文件,你可以使用: + +1. AirDrop(隔空投送),或者 +1. 使用 iTunes 的 "文件共享" 功能上传到设备,然后打开 iOS 设备上的 "文件" 应用程序,将上传的文件移动到 "On My iPhone" 目录下。然后单击它并到 "设置" 应用程序中导入,或者 +1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 + +在完成之后,检查并确保 "IKEv2 VPN configuration" 显示在设置 -> 通用 -> 描述文件中。 + +1. 进入设置 -> 通用 -> VPN。 +1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。 +1. 启用 **VPN** 连接。 + +(可选功能)你可以选择启用 VPN On Demand(按需连接) ,该功能在使用 Wi-Fi 网络时自动建立 VPN 连接。要启用它,单击 VPN 连接右边的 "i" 图标,然后启用 **按需连接**。 + +
+ +如果你手动配置 IKEv2 而不是使用辅助脚本,点这里查看步骤。 + + 首先,将生成的 `ikev2vpnca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: 1. AirDrop(隔空投送),或者 -1. 上传到设备,在 "文件" 应用程序中单击它们(必须首先移动到 "On My iPhone" 目录下),然后按照提示导入,或者 +1. 使用 iTunes 的 "文件共享" 功能上传到设备,然后打开 iOS 设备上的 "文件" 应用程序,将上传的文件移动到 "On My iPhone" 目录下。然后逐个单击它们并到 "设置" 应用程序中导入,或者 1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 @@ -118,6 +156,7 @@ wget https://bit.ly/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 单击 **证书** 。选择新的客户端证书并返回。 1. 单击右上角的 **完成**。 1. 启用 **VPN** 连接。 +
连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 @@ -137,6 +176,8 @@ wget https://bit.ly/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + ### Android 4.x to 9.x 1. 将生成的 `.p12` 文件安全地传送到你的 Android 设备。 @@ -150,15 +191,19 @@ wget https://bit.ly/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 -## 添加一个客户端证书 +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## 管理客户端证书 + +### 添加一个客户端证书 如果要为更多的客户端生成证书,只需重新运行 [辅助脚本](#使用辅助脚本)。或者你可以看 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 -## 导出一个客户端证书 +### 导出一个客户端证书 在默认情况下,IKEv2 [辅助脚本](#使用辅助脚本) 在运行后会导出客户端证书。如果你想要手动导出一个客户端证书,首先检查证书数据库:`certutil -L -d sql:/etc/ipsec.d`,然后参见 [这一小节](#手动在-vpn-服务器上配置-ikev2) 第 4 步中的 "导出 `.p12` 文件"。 -## 吊销一个客户端证书 +### 吊销一个客户端证书 在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 95efab9..9ad9603 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -5,9 +5,7 @@ * [Introduction](#introduction) * [Using helper scripts](#using-helper-scripts) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) -* [Add a client certificate](#add-a-client-certificate) -* [Export a client certificate](#export-a-client-certificate) -* [Revoke a client certificate](#revoke-a-client-certificate) +* [Manage client certificates](#manage-client-certificates) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Known issues](#known-issues) * [Remove IKEv2](#remove-ikev2) 
@@ -28,6 +26,8 @@ After following this guide, you will be able to connect to the VPN using IKEv2 i ## Using helper scripts +**New:** For macOS and iOS clients, the helper script can now create .mobileconfig files to simplify client setup and improve VPN performance. + **Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. **Docker users, see here**. You may use this helper script to automatically set up IKEv2 on the VPN server: @@ -71,8 +71,24 @@ The script must be run usi 1. Start the new VPN connection, and enjoy your IKEv2 VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + ### OS X (macOS) +First, securely transfer the generated `.mobileconfig` file to your Mac, then double-click and follow the prompts to import as a macOS profile. When finished, check to make sure "IKEv2 VPN configuration" is listed under System Preferences -> Profiles. + +1. Open System Preferences and go to the Network section. +1. Select the VPN connection with `Your VPN Server IP` (or DNS name). +1. Check the **Show VPN status in menu bar** checkbox. +1. Click **Connect**. + +(Optional feature) You can choose to enable VPN On Demand. This is an "always-on" feature that can automatically connect to the VPN while on Wi-Fi. To enable, check the **Connect on demand** checkbox for the VPN connection, and click **Apply**. + +
+ +If you manually set up IKEv2 without using the helper script, click here to see instructions. + + First, securely transfer the generated `.p12` file to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. Close the dialog using the red "X" on the top-left corner. When prompted, use Touch ID or enter your password and click "Update Settings". When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. @@ -94,13 +110,35 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN 1. Check the **Show VPN status in menu bar** checkbox. 1. Click **Apply** to save the VPN connection information. 1. Click **Connect**. +
+ +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ### iOS +First, securely transfer the generated `.mobileconfig` file to your iOS device, then import it as an iOS profile. To transfer the file, you may use: + +1. AirDrop, or +1. Upload to your device using "File Sharing" in iTunes, then open the "Files" app on your iOS device, move the uploaded file to the "On My iPhone" folder. After that, tap the file and go to "Settings" to import, or +1. Host the file on a secure website of yours, then download and import it in Mobile Safari. + +When finished, check to make sure "IKEv2 VPN configuration" is listed under Settings -> General -> Profile(s). + +1. Go to Settings -> General -> VPN. +1. Select the VPN connection with `Your VPN Server IP` (or DNS name). +1. Slide the **VPN** switch ON. + +(Optional feature) You can choose to enable VPN On Demand. This is an "always-on" feature that can automatically connect to the VPN while on Wi-Fi. To enable, tap the "i" icon on the right of the VPN connection, and enable **Connect On Demand**. + +
+ +If you manually set up IKEv2 without using the helper script, click here to see instructions. + + First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: 1. AirDrop, or -1. Upload to your device, tap them in the "Files" app (must first move to the "On My iPhone" folder), then follow the prompts to import, or +1. Upload to your device using "File Sharing" in iTunes, then open the "Files" app on your iOS device, move the uploaded files to the "On My iPhone" folder. After that, tap each file and go to "Settings" to import, or 1. Host the files on a secure website of yours, then download and import them in Mobile Safari. When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. @@ -118,6 +156,9 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN 1. Tap **Certificate**. Select the new client certificate and go back. 1. Tap **Done**. 1. Slide the **VPN** switch ON. +
+ +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ### Android 10 and newer @@ -135,6 +176,8 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN 1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + ### Android 4.x to 9.x 1. Securely transfer the generated `.p12` file to your Android device. 
@@ -150,15 +193,17 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -## Add a client certificate +## Manage client certificates + +### Add a client certificate If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server). -## Export a client certificate +### Export a client certificate By default, the IKEv2 [helper script](#using-helper-scripts) exports client certificates after running. If you want to manually export a client certificate, first check the database with `certutil -L -d sql:/etc/ipsec.d`, then refer to "export `.p12` file" in step 4 of [this section](#manually-set-up-ikev2-on-the-vpn-server). -## Revoke a client certificate +### Revoke a client certificate In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
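Review bot: In the README.md and README-zh.md hunks, replacing "Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7" with "Tested with Ubuntu, Debian, CentOS/RHEL and Amazon Linux 2" drops the version information a reader needs to know whether their release is supported, and it adds RHEL, which the old line never listed. Either keep the version numbers (e.g. `Ubuntu 20.04/18.04/16.04, Debian 10/9, CentOS/RHEL 8/7 and Amazon Linux 2`) or point at the Requirements section that follows, and confirm RHEL was actually tested before advertising it.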
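Review bot: In the docs/clients.md and docs/clients-zh.md hunks, the new sentence "If you need the VPN to auto-reconnect when the device wakes up, you may set up IKEv2 and enable the "VPN On Demand" feature" promises more than the feature described later in this same patch, where On Demand is documented as something that "can automatically connect to the VPN while on Wi-Fi". Qualify the sentence (e.g. "... which can automatically reconnect while on Wi-Fi") so a user on cellular does not expect a reconnect that the On Demand rule in the profile does not trigger.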
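Review bot: In the "Using helper scripts" hunks of docs/ikev2-howto.md and docs/ikev2-howto-zh.md, the line "**New:** For macOS and iOS clients, the helper script can now create .mobileconfig files to simplify client setup and improve VPN performance" asserts a performance improvement without saying what in the profile produces it. Nothing else in the patch explains it, so either name the setting the profile changes compared with the manual setup (cipher or integrity selection, MTU, etc.) or drop "and improve VPN performance".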
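Review bot: In the macOS `.mobileconfig` hunk of docs/ikev2-howto.md (and the matching hunk in docs/ikev2-howto-zh.md), the new profile path silently drops the trust step that the manual path still requires: "double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu". The profile instructions only check that "IKEv2 VPN configuration" is listed under Profiles, so a reader cannot tell whether CA trust and the client certificate were installed. State what the `.mobileconfig` contains (if it embeds the client certificate and private key, say so, since "securely transfer" then matters as much as for the `.p12`) and add a check that the `IKEv2 VPN CA` and client certificate appear in Keychain Access after the profile is installed.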
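Review bot: In the iOS `.mobileconfig` hunk of docs/ikev2-howto.md, the transfer step "Upload to your device using "File Sharing" in iTunes, then open the "Files" app on your iOS device, move the uploaded file to the "On My iPhone" folder" does not say which app to upload into; iTunes File Sharing is per app, and the same wording is introduced in the manual-setup hunk just below it. Name an app (or say "any app that supports File Sharing") so the reader can find the file in the Files app. Also, the new line "Settings -> General -> Profile(s)" should match the existing "Settings -> General -> Profiles" used two paragraphs later in the manual path.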