From 9b541c6da31603f463fd014ab347c77d1eb23247 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 29 Jun 2016 14:35:28 -0500 Subject: [PATCH] Update docs [ci skip] --- README-zh.md | 43 +++++++++++++------ README.md | 39 +++++++++++------ docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 4 +- docs/clients-zh.md | 4 +- docs/clients.md | 2 +- docs/manage-users-zh.md | 2 +- docs/uninstall-zh.md | 26 +++++------ docs/uninstall.md | 22 +++++----- ...{vpnupgrade_Libreswan.sh => vpnupgrade.sh} | 0 ...breswan_centos.sh => vpnupgrade_centos.sh} | 0 11 files changed, 90 insertions(+), 56 deletions(-) rename extras/{vpnupgrade_Libreswan.sh => vpnupgrade.sh} (100%) rename extras/{vpnupgrade_Libreswan_centos.sh => vpnupgrade_centos.sh} (100%) diff --git a/README-zh.md b/README-zh.md index 57558a6..ddbed48 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,8 +1,8 @@ -# IPsec VPN 服务器一键安装脚本 Build status +# IPsec VPN 服务器一键安装脚本  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) *其他语言版本: [English](README.md), [简体中文](README-zh.md).* -使用这些 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 +使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 我们将使用 Libreswan 作为 IPsec 服务器,以及 xl2tpd 作为 L2TP 提供者。 @@ -17,7 +17,7 @@ - [CentOS & RHEL](#centos--rhel) - [下一步](#下一步) - [重要提示](#重要提示) -- [关于升级Libreswan](#关于升级libreswan) +- [升级Libreswan](#升级libreswan) - [问题和反馈](#问题和反馈) - [卸载说明](#卸载说明) - [另见](#另见) @@ -26,8 +26,8 @@ ## 功能特性 -- **NEW:** 新增支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 -- **NEW:** 现在可以下载 VPN 服务器的预构建 Docker 镜像 +- **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 +- **新:** 现在可以下载 VPN 服务器的预构建 [Docker 镜像](#另见) - 全自动的 IPsec VPN 服务器配置,无需用户输入 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 
@@ -37,7 +37,7 @@ ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些 AMI: (详细步骤点这里) +一个新创建的 Amazon EC2 实例,使用这些 AMI: (详细步骤 点这里 ) - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images - CentOS 7 (x86_64) with Updates @@ -45,7 +45,7 @@ **-或者-** -一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可用 Debian 7 (Wheezy),但是必须首先运行 另一个脚本。 OpenVZ VPS 用户请使用其它的 VPN 软件,比如 OpenVPN。 +一个专用服务器,或者任何基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上系统之一。另外也可用 Debian 7 (Wheezy),但是必须首先运行 另一个脚本。 OpenVZ VPS 用户请使用其它的 VPN 软件,比如 Shadowsocks ( libev | rss )。 **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** @@ -57,6 +57,8 @@ 首先,更新你的系统: 运行 `apt-get update && apt-get dist-upgrade` 并重启。这一步是可选的,但推荐。 +要安装 VPN,请从以下选项中选择一个: + **选项 1:** 使用脚本随机生成的 VPN 登录凭证 (完成后会在屏幕上显示): ```bash @@ -72,20 +74,31 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量: + +```bash +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' +wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ +VPN_IPSEC_PSK='你的IPsec预共享密钥' \ +VPN_USER='你的VPN用户名' \ +VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh +``` + +**注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 + ### CentOS & RHEL 首先,更新你的系统: 运行 `yum update` 并重启。这一步是可选的,但推荐。 按照与上面相同的步骤,但是将 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos`。 -注: 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 - ## 下一步 配置你的计算机或其它设备使用 VPN 。请参见: 配置 IPsec/L2TP VPN 客户端 -配置 IPsec/XAuth VPN 客户端 +配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 开始使用自己的专属 VPN ! :sparkles::tada::rocket::sparkles: 
@@ -95,9 +108,11 @@ sudo sh vpnsetup.sh **Android 6 (Marshmallow) 用户** 请参考此文档中的注释: 配置 IPsec/L2TP VPN 客户端。 -如果需要添加,编辑或者删除 VPN 用户账户,请参见 管理 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果要使用另外的 DNS 服务商,可以编辑文件 `options.xl2tpd` 和 `ipsec.conf` 并用新的服务器替换 `8.8.8.8` 和 `8.8.4.4`。然后重新启动系统。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 + +在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 对于有外部防火墙的服务器(比如 EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 @@ -105,9 +120,9 @@ sudo sh vpnsetup.sh 这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。 -## 关于升级Libreswan +## 升级Libreswan -提供额外的脚本 vpnupgrade_Libreswan.shvpnupgrade_Libreswan_centos.sh ,可用于升级 Libreswan (官网 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version` +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan (网站 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version` ## 问题和反馈 diff --git a/README.md b/README.md index 5eee9e5..38f70f0 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ -# IPsec VPN Server Auto Setup Scripts Build status +# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* -These scripts will let you set up your own IPsec VPN server, with IPsec/L2TP and Cisco IPsec on Ubuntu, Debian & CentOS. All you need to do is provide your own VPN credentials, and the scripts will handle the rest. +Set up your own IPsec VPN server in just a few minutes, with IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider. 
@@ -17,7 +17,7 @@ We will use Libreswan as th - [CentOS & RHEL](#centos--rhel) - [Next Steps](#next-steps) - [Important Notes](#important-notes) -- [Upgrading Libreswan](#upgrading-libreswan) +- [Upgrade Libreswan](#upgrade-libreswan) - [Bugs & Questions](#bugs--questions) - [Uninstallation](#uninstallation) - [See Also](#see-also) @@ -26,8 +26,8 @@ We will use Libreswan as th ## Features -- **NEW:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is now supported -- **NEW:** A pre-built Docker image of the VPN server is now available +- **New:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is now supported +- **New:** A pre-built [Docker image](#see-also) of the VPN server is now available - Fully automated IPsec VPN server setup, no user input needed - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance @@ -45,7 +45,7 @@ A newly created Amazon EC2 **-OR-** -A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS users should instead try OpenVPN. +A dedicated server or any KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the above systems. Additionally, Debian 7 (Wheezy) can be used with this workaround. OpenVZ VPS users should instead try OpenVPN. **» I want to run my own VPN but don't have a server for that** @@ -57,6 +57,8 @@ A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly instal First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional, but recommended. +To install the VPN, please choose one of the following options: + **Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished): ```bash 
@@ -72,20 +74,31 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**Option 3:** Define your VPN credentials as environment variables: + +```bash +# All values MUST be placed inside 'single quotes' +# DO NOT use these characters within values: \ " ' +wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ +VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ +VPN_USER='your_vpn_username' \ +VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh +``` + +**Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. + ### CentOS & RHEL First, update your system with `yum update` and reboot. This is optional, but recommended. Follow the same steps as above, but replace `https://git.io/vpnsetup` with `https://git.io/vpnsetup-centos`. -Note: If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. - ## Next Steps Get your computer or device to use the VPN. Please refer to: Configure IPsec/L2TP VPN Clients -Configure IPsec/XAuth VPN Clients +Configure IPsec/XAuth ("Cisco IPsec") VPN Clients Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: 
@@ -97,7 +110,9 @@ For **Windows users**, a one-ti If you wish to add, edit or remove VPN user accounts, refer to Manage VPN Users. -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `options.xl2tpd` and `ipsec.conf` with new ones. Then reboot your server. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. + +When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). @@ -105,9 +120,9 @@ If your server has a custom SSH port (not 22) or other services, edit IPTables r The scripts will backup existing config files before making changes, with `.old-date-time` suffix. -## Upgrading Libreswan +## Upgrade Libreswan -The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to upgrade Libreswan (website | swan-announce). Update the `swan_ver` variable as necessary. Check installed version: `ipsec --version` +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Update the `swan_ver` variable as necessary. Check installed version: `ipsec --version` ## Bugs & Questions diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 9355df1..dc89975 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -4,9 +4,9 @@ *如需使用 IPsec/L2TP 模式连接,请参见: [配置 IPsec/L2TP VPN 客户端](clients-zh.md)* -在成功搭建自己的VPN服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录信息。 +在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -`IPsec/XAuth` 模式也称为 `Cisco IPsec`。和 `IPsec/L2TP` 相比较,它通常能够更高效地传输数据。 +`IPsec/XAuth` 模式也称为 "Cisco IPsec"。和 `IPsec/L2TP` 相比较,它通常能够更高效地传输数据。 --- * 平台名称 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 51347f3..3e756c0 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -4,9 +4,9 @@ *To connect using IPsec/L2TP mode, see: [Configure IPsec/L2TP VPN Clients](clients.md)* -After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. +After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -`IPsec/XAuth` mode is also called `Cisco IPsec`. Compared to `IPsec/L2TP`, it is generally faster with less overhead. +`IPsec/XAuth` mode is also called "Cisco IPsec". Compared to `IPsec/L2TP`, it is generally faster with less overhead. --- * Platforms diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 96a9540..1e61648 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -2,9 +2,9 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*如需使用 IPsec/XAuth 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* +*如需使用 IPsec/XAuth ("Cisco IPsec") 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* -在成功搭建自己的VPN服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录信息。 +在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 --- * 平台名称 diff --git a/docs/clients.md b/docs/clients.md index fd6f1c2..92620a7 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -*To connect using IPsec/XAuth mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* +*To connect using IPsec/XAuth ("Cisco IPsec") mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 8caa54a..0f80c05 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -31,7 +31,7 @@ 这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成: ```bash -# The output will be +# 以下命令的输出为 openssl passwd -1 "" ``` diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 8f9bfa2..05788c5 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -11,7 +11,7 @@ * [第三步](#第三步) * [第四步](#第四步) * [可选步骤](#可选步骤) -* [操作完成后](#操作完成后) +* [完成后](#完成后) ## 第一步 
@@ -19,14 +19,15 @@ service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec -rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service +rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ + /etc/init.d/ipsec /usr/lib/systemd/system/ipsec.service ``` ## 第二步 ### Ubuntu/Debian -`apt-get remove xl2tpd` +`apt-get purge xl2tpd` ### CentOS/RHEL @@ -56,23 +57,24 @@ rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service 删除这些配置文件: -* /etc/ipsec.conf -* /etc/ipsec.secrets -* /etc/xl2tpd/xl2tpd.conf -* /etc/ppp/options.xl2tpd -* /etc/ppp/chap-secrets +* /etc/ipsec.conf* +* /etc/ipsec.secrets* +* /etc/ppp/chap-secrets* +* /etc/ppp/options.xl2tpd* * /etc/pam.d/pluto * /etc/sysconfig/pluto +* /etc/default/pluto * /etc/ipsec.d (目录) +* /etc/xl2tpd (目录) 要快速删除,可以复制并粘贴以下命令: ``` -rm -f /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd \ - /etc/ppp/chap-secrets /etc/pam.d/pluto /etc/sysconfig/pluto -rm -rf /etc/ipsec.d +rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ + /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto +rm -rf /etc/ipsec.d /etc/xl2tpd ``` -## 操作完成后 +## 完成后 重启你的服务器。 diff --git a/docs/uninstall.md b/docs/uninstall.md index 8c5da78..9da7f29 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -19,14 +19,15 @@ Follow these steps to remove the VPN. Commands must be run as `root`, or with `s service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec -rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service +rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ + /etc/init.d/ipsec /usr/lib/systemd/system/ipsec.service ``` ## Second step ### Ubuntu/Debian -`apt-get remove xl2tpd` +`apt-get purge xl2tpd` ### CentOS/RHEL 
@@ -56,21 +57,22 @@ Note: This step is optional. Remove these config files: -* /etc/ipsec.conf -* /etc/ipsec.secrets -* /etc/xl2tpd/xl2tpd.conf -* /etc/ppp/options.xl2tpd -* /etc/ppp/chap-secrets +* /etc/ipsec.conf* +* /etc/ipsec.secrets* +* /etc/ppp/chap-secrets* +* /etc/ppp/options.xl2tpd* * /etc/pam.d/pluto * /etc/sysconfig/pluto +* /etc/default/pluto * /etc/ipsec.d (directory) +* /etc/xl2tpd (directory) Copy and paste for fast removal: ``` -rm -f /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd \ - /etc/ppp/chap-secrets /etc/pam.d/pluto /etc/sysconfig/pluto -rm -rf /etc/ipsec.d +rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ + /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto +rm -rf /etc/ipsec.d /etc/xl2tpd ``` ## When finished diff --git a/extras/vpnupgrade_Libreswan.sh b/extras/vpnupgrade.sh similarity index 100% rename from extras/vpnupgrade_Libreswan.sh rename to extras/vpnupgrade.sh diff --git a/extras/vpnupgrade_Libreswan_centos.sh b/extras/vpnupgrade_centos.sh similarity index 100% rename from extras/vpnupgrade_Libreswan_centos.sh rename to extras/vpnupgrade_centos.sh
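Review bot: In the new **Option 3** block of README.md (hunk `@@ -72,20 +74,31 @@`, mirrored in README-zh.md), `sudo VPN_IPSEC_PSK='...' VPN_USER='...' VPN_PASSWORD='...' sh vpnsetup.sh` places the pre-shared key and the user password on the command line, so they are written to the shell history file and, because the `VAR=value` assignments are arguments to `sudo`, they are readable by any local user via `ps` for as long as the script runs. Suggest adding a sentence next to the "All values MUST be placed inside 'single quotes'" comment telling readers to keep the command out of history (prefix it with a space under `HISTCONTROL=ignorespace`, or run `history -c` afterwards) and to treat credentials passed this way as exposed on shared hosts. The same block chains `wget https://git.io/vpnsetup -O vpnsetup.sh && sudo ... sh vpnsetup.sh`, which downloads through a URL shortener and runs the result as root in one step; Option 2 already inserts `nano -w vpnsetup.sh` before `sudo sh vpnsetup.sh`, and the docs should recommend that inspection step for Options 1 and 3 as well.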
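Review bot: The OpenVZ advice now differs between the two READMEs (hunk `@@ -45,7 +45,7 @@` in each file): README-zh.md changes the recommendation to "Shadowsocks ( libev | rss )", while README.md keeps "OpenVZ VPS users should instead try OpenVPN." The two translations should give the same recommendation; pick one and apply it to both files in this commit.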
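Review bot: The new sentence in README.md hunk `@@ -97,7 +110,9 @@` documents the server address and subnet (`192.168.42.1` in `192.168.42.0/24`) only "When connecting via `IPsec/L2TP`", but the same README now advertises the `IPsec/XAuth ("Cisco IPsec")` mode as supported. Please also state the address range handed to IPsec/XAuth clients, or say explicitly that it is the same, since readers opening firewall rules or adding routes need both. In the DNS paragraph of the same hunk, the instruction to "reboot your server" after editing `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf` could instead tell readers to restart the two services (the uninstall docs in this patch already use `service ipsec stop` and `service xl2tpd stop`, so `service ipsec restart` and `service xl2tpd restart` fit the existing style).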
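Review bot: In the first uninstall step (hunk `@@ -19,14 +19,15 @@` of docs/uninstall.md and docs/uninstall-zh.md), the expanded `rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service /etc/init.d/ipsec /usr/lib/systemd/system/ipsec.service` deletes the Upstart job, the SysV script and both systemd unit paths, but nothing disables the service first or tells systemd the unit is gone. Suggest adding, before the `rm -f` line, `systemctl disable ipsec` on systemd hosts (or `update-rc.d -f ipsec remove` on Debian/Ubuntu SysV and `chkconfig ipsec off` on CentOS) and `systemctl daemon-reload` afterwards, so no dangling `ipsec.service` symlinks are left under `/etc/systemd/system/*.wants/` and the stale unit is not kept loaded until reboot.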
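Review bot: The file-removal step in hunk `@@ -56,21 +57,22 @@` of docs/uninstall.md (and `@@ -56,23 +57,24 @@` of docs/uninstall-zh.md) is still introduced as "Note: This step is optional.", yet the files it lists, `/etc/ipsec.secrets*` and `/etc/ppp/chap-secrets*`, hold the IPsec pre-shared key and the VPN user passwords (pppd stores `chap-secrets` in plaintext). The new trailing `*` is a good change because it also catches the `.old-date-time` backups the README says the scripts create, which carry the same secrets; given that, deleting these files should not be optional. Suggest moving the two `rm -f` targets for the secrets files into a mandatory step, or at least stating in the note that skipping it leaves credentials on disk. The remaining entries (`/etc/xl2tpd`, `/etc/default/pluto`, `/etc/sysconfig/pluto`) can stay optional; on Debian/Ubuntu the new `apt-get purge xl2tpd` in the second step already removes `/etc/xl2tpd`, so the `rm -rf /etc/xl2tpd` line mainly matters for CentOS/RHEL.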
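Review bot: In docs/manage-users-zh.md hunk `@@ -31,7 +31,7 @@`, the example `openssl passwd -1 ""` passes the password as a command-line argument, so it is recorded in shell history and visible in `ps` while the command runs; suggest documenting `openssl passwd -1 -stdin` (the password is then read from standard input) instead. Separately, `-1` selects MD5-crypt; if the file this hash goes into is checked through the system `crypt()`, a `$6$` SHA-512 hash (for example from `mkpasswd -m sha-512`) is the stronger choice and the docs should say which formats the backend accepts.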