mirror of synced 2024-11-28 23:56:04 +03:00

Update docs

hwdsl2 2023-08-17 01:19:56 -05:00
parent f084bcb046
commit a0dc2dde9d
4 changed files with 14 additions and 10 deletions


@ -467,7 +467,7 @@ strongswan down myvpn
* [Windows 10 正在连接](#windows-10-正在连接) * [Windows 10 正在连接](#windows-10-正在连接)
* [Windows 10/11 升级](#windows-1011-升级) * [Windows 10/11 升级](#windows-1011-升级)
* [Windows DNS 泄漏和 IPv6](#windows-dns-泄漏和-ipv6) * [Windows DNS 泄漏和 IPv6](#windows-dns-泄漏和-ipv6)
* [Android MTU/MSS 问题](#android-mtumss-问题) * [Android/Linux MTU/MSS 问题](#androidlinux-mtumss-问题)
* [macOS 通过 VPN 发送通信](#macos-通过-vpn-发送通信) * [macOS 通过 VPN 发送通信](#macos-通过-vpn-发送通信)
* [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [iOS/Android 睡眠模式](#iosandroid-睡眠模式)
* [Debian 内核](#debian-内核) * [Debian 内核](#debian-内核)
@ -589,7 +589,7 @@ Windows 8, 10 和 11 默认使用 "smart multi-homed name resolution" (智能
另外,如果你的计算机启用了 IPv6所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6请看[这里](https://support.microsoft.com/zh-cn/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users)。如果你需要支持 IPv6 的 VPN可以另外尝试 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md)。 另外,如果你的计算机启用了 IPv6所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6请看[这里](https://support.microsoft.com/zh-cn/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users)。如果你需要支持 IPv6 的 VPN可以另外尝试 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md)。
### Android MTU/MSS 问题 ### Android/Linux MTU/MSS 问题
某些 Android 设备和 Linux 系统有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 或者 IKEv2 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。 某些 Android 设备和 Linux 系统有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 或者 IKEv2 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。
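Review bot: Renaming the heading to `### Android/Linux MTU/MSS 问题` changes its generated anchor from `#android-mtumss-问题` to `#androidlinux-mtumss-问题`, so any link to the old anchor from outside the files touched in this commit stops resolving. The table of contents and the IKEv2 troubleshooting item are updated here, but consider leaving an explicit anchor with the old name next to the heading so existing bookmarks and issue links still land on this section.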


@ -465,7 +465,7 @@ strongswan down myvpn
* [Windows 10 connecting](#windows-10-connecting) * [Windows 10 connecting](#windows-10-connecting)
* [Windows 10/11 upgrades](#windows-1011-upgrades) * [Windows 10/11 upgrades](#windows-1011-upgrades)
* [Windows DNS leaks and IPv6](#windows-dns-leaks-and-ipv6) * [Windows DNS leaks and IPv6](#windows-dns-leaks-and-ipv6)
* [Android MTU/MSS issues](#android-mtumss-issues) * [Android/Linux MTU/MSS issues](#androidlinux-mtumss-issues)
* [macOS send traffic over VPN](#macos-send-traffic-over-vpn) * [macOS send traffic over VPN](#macos-send-traffic-over-vpn)
* [iOS/Android sleep mode](#iosandroid-sleep-mode) * [iOS/Android sleep mode](#iosandroid-sleep-mode)
* [Debian kernel](#debian-kernel) * [Debian kernel](#debian-kernel)
@ -587,7 +587,7 @@ Windows 8, 10 and 11 use "smart multi-homed name resolution" by default, which m
In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to [disable IPv6](https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users) in Windows. If you need a VPN with IPv6 support, you could instead try [OpenVPN](https://github.com/hwdsl2/openvpn-install). In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to [disable IPv6](https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users) in Windows. If you need a VPN with IPv6 support, you could instead try [OpenVPN](https://github.com/hwdsl2/openvpn-install).
### Android MTU/MSS issues ### Android/Linux MTU/MSS issues
Some Android devices and Linux systems have MTU/MSS issues, that they are able to connect to the VPN using IPsec/XAuth ("Cisco IPsec") or IKEv2 mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to `/etc/rc.local` to persist after reboot. Some Android devices and Linux systems have MTU/MSS issues, that they are able to connect to the VPN using IPsec/XAuth ("Cisco IPsec") or IKEv2 mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to `/etc/rc.local` to persist after reboot.
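Review bot: The heading now covers Linux, but the unchanged paragraph under it still reads "have MTU/MSS issues, that they are able to connect to the VPN ... but cannot open websites", which is hard to parse. Since this section is being touched anyway, consider rewording it along the lines of "have MTU/MSS issues: they can connect to the VPN using IPsec/XAuth ("Cisco IPsec") or IKEv2 mode, but cannot open websites".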


@ -552,10 +552,12 @@ sudo chmod 600 ca.cer client.cer client.key
### 无法连接到 VPN 服务器 ### 无法连接到 VPN 服务器
首先,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。参见下面的小节以及 [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)。 首先,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。
[检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)是否有错误。如果你遇到 retransmission 相关错误并且无法连接,说明 VPN 客户端和服务器之间的网络可能有问题。如果你从中国大陆进行连接,请考虑改用 IPsec VPN 以外的其他解决方案。
### 无法连接多个 IKEv2 客户端 ### 无法连接多个 IKEv2 客户端
如果要同时连接在同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,你需要为每个客户端生成唯一的证书。否则,你可能会遇到稍后连接的客户端影响现有客户端的 VPN 连接,从而导致无法访问 Internet 的问题。 如果要同时连接在同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,你需要为每个客户端生成唯一的证书。否则,你可能会遇到稍后连接的客户端影响现有客户端的 VPN 连接,从而导致无法访问 Internet 的问题。
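Review bot: In the first paragraph, the new link `[这一小节](#更改-ikev2-服务器地址)` uses generic link text ("this section"), which tells the reader nothing when the link is scanned on its own. Suggest using the target section's title as the link text, as the new third paragraph already does with `[检查日志及 VPN 状态]`.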
@ -597,9 +599,9 @@ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2
此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。
1. 如果你的 Android 或 Linux VPN 客户端可以连接到 IKEv2 但是无法打开网站,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 中的解决方案。 1. 如果你的 Android 或 Linux VPN 客户端可以连接到 IKEv2 但是无法打开网站,请尝试 [Android/Linux MTU/MSS 问题](clients-zh.md#androidlinux-mtumss-问题) 中的解决方案。
1. 在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 1. Windows VPN 客户端在连接后可能不使用 IKEv2 指定的 DNS 服务器,如果该客户端的因特网适配器的 DNS 服务器在本地网段上。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。更多信息请参见 [Windows DNS 泄漏和 IPv6](clients-zh.md#windows-dns-泄漏和-ipv6)。
### Windows 10 正在连接 ### Windows 10 正在连接
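Review bot: In the rewritten DNS item, the condition is appended after the main clause ("...可能不使用 IKEv2 指定的 DNS 服务器,如果该客户端的..."), which reads like translated word order. Suggest leading with the condition, for example "如果 Windows VPN 客户端的因特网适配器的 DNS 服务器在本地网段上,则连接后可能不使用 IKEv2 指定的 DNS 服务器", so the reader sees when the item applies before the symptom.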


@ -554,10 +554,12 @@ for the entire network, or use `192.168.0.10` for just one device, and so on.
### Cannot connect to the VPN server ### Cannot connect to the VPN server
First, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. Refer to the sections below and [Check logs and VPN status](clients.md#check-logs-and-vpn-status). First, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433).
[Check logs and VPN status](clients.md#check-logs-and-vpn-status) for errors. If you encounter retransmission related errors and are unable to connect, there may be network issues between the VPN client and server. If you are connecting from mainland China, consider switching to alternative solutions other than IPsec VPN.
### Unable to connect multiple IKEv2 clients ### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients from behind the same NAT (e.g. home router) at the same time, you will need to generate a unique certificate for each client. Otherwise, you could encounter the issue where a later connected client affects the VPN connection of an existing client, which may lose Internet access. To connect multiple IKEv2 clients from behind the same NAT (e.g. home router) at the same time, you will need to generate a unique certificate for each client. Otherwise, you could encounter the issue where a later connected client affects the VPN connection of an existing client, which may lose Internet access.
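Review bot: The new third paragraph tells the reader to look for "retransmission related errors" but does not quote a representative log line or say whether the client or the server log shows it, and "alternative solutions other than IPsec VPN" names no alternative, so the advice is hard to act on. Suggest quoting one sample message from the logs and naming or linking at least one alternative. Minor: hyphenate "retransmission-related".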
@ -599,9 +601,9 @@ If your VPN client device cannot open websites after successfully connecting to
This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web.
1. If your Android or Linux VPN client can connect using IKEv2 mode, but cannot open websites, try the fix in [Android MTU/MSS issues](clients.md#android-mtumss-issues). 1. If your Android or Linux VPN client can connect using IKEv2 mode, but cannot open websites, try the fix in [Android/Linux MTU/MSS issues](clients.md#androidlinux-mtumss-issues).
1. In certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. 1. Windows VPN clients may not use the DNS servers specified by IKEv2 after connecting, if the client's configured DNS servers on the Internet adapter are from the local network segment. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. For more information, see [Windows DNS leaks and IPv6](clients.md#windows-dns-leaks-and-ipv6).
### Windows 10 connecting ### Windows 10 connecting
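Review bot: The rewritten DNS item now names the "Internet adapter" as the source of the problem, but the fix still says "network interface properties -> TCP/IPv4" without saying which interface to edit, the Internet adapter or the VPN connection. Suggest stating the interface explicitly. It would also help to say that 8.8.8.8 and 8.8.4.4 are only an example, so readers who want to keep using the DNS servers specified by IKEv2 know they can enter those instead.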