From ac86c8831c2e904b13a51678b9b2ed85a7a9effc Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 28 Feb 2021 15:54:58 -0600 Subject: [PATCH] Update docs - Add new section for advanced usage - Clean up important notes section - Update IKEv2 docs --- README-zh.md | 56 ++++++++++++++++++++++++++++++++++++------ README.md | 56 ++++++++++++++++++++++++++++++++++++------ docs/ikev2-howto-zh.md | 24 +++++++++--------- docs/ikev2-howto.md | 24 +++++++++--------- 4 files changed, 122 insertions(+), 38 deletions(-) diff --git a/README-zh.md b/README-zh.md index 68033f8..e693314 100644 --- a/README-zh.md +++ b/README-zh.md @@ -21,6 +21,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - [下一步](#下一步) - [重要提示](#重要提示) - [升级Libreswan](#升级libreswan) +- [高级用法](#高级用法) - [问题和反馈](#问题和反馈) - [卸载说明](#卸载说明) - [另见](#另见) @@ -285,13 +286,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 #433。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 - -使用内核支持有助于提高 IPsec/L2TP 性能。它在所有 [受支持的系统](#系统要求) 上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`)软件包并运行 `service xl2tpd restart`。 - -如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 - -在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请看[这里](#使用其他的-dns-服务器)。 这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。 
@@ -329,6 +324,53 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh ``` +## 高级用法 + +- [使用其他的 DNS 服务器](#使用其他的-dns-服务器) +- [使用域名和服务器 IP 更改](#使用域名和服务器-ip-更改) +- [VPN 内网 IP 地址](#vpn-内网-ip-地址) +- [L2TP 内核支持](#l2tp-内核支持) +- [更改 IPTables 规则](#更改-iptables-规则) + +### 使用其他的 DNS 服务器 + +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,你可以编辑以下文件:`/etc/ppp/options.xl2tpd`, `/etc/ipsec.conf` 和 `/etc/ipsec.d/ikev2.conf`(如果存在),并替换 `8.8.8.8` 和 `8.8.4.4`。然后运行 `service ipsec restart` 和 `service xl2tpd restart`。 + +高级用户可以在运行 VPN 安装脚本和 IKEv2 辅助脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。比如你想使用 [Cloudflare 的 DNS 服务](https://1.1.1.1): + +``` +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto +``` + +### 使用域名和服务器 IP 更改 + +对于 `IPsec/L2TP` 和 `IPsec/XAuth ("Cisco IPsec")` 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后,VPN 会继续正常工作,虽然可能需要重启服务器。 + +对于 `IKEv2` 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 配置 IKEv2 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN)。示例如下: + +``` +sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto +``` + +另外,你也可以自定义 IKEv2 安装选项,通过在运行 辅助脚本 时去掉 `--auto` 参数来实现。 + +### VPN 内网 IP 地址 + +在使用 `IPsec/L2TP` 模式连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。为客户端分配的内网 IP 在这个范围内:`192.168.42.10` 到 `192.168.42.250`。要找到为特定的客户端分配的 IP,可以查看该 VPN 客户端上的连接状态。 + +在使用 `IPsec/XAuth ("Cisco IPsec")` 或 `IKEv2` 模式连接时,VPN 服务器在虚拟网络 `192.168.43.0/24` 内 \*没有\* 内网 IP。为客户端分配的内网 IP 在这个范围内:`192.168.43.10` 到 `192.168.43.250`。 + +你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为客户端分配 IP 是动态的,而且许多 VPN 客户端的防火墙可能不允许这些流量。 + +### L2TP 内核支持 + +使用内核支持有助于提高 IPsec/L2TP 性能。它在所有 [受支持的系统](#系统要求) 上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`)软件包并运行 `service xl2tpd restart`。 + +### 更改 IPTables 规则 + +如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` 
(CentOS/RHEL)。然后重启服务器。 + ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 diff --git a/README.md b/README.md index 53a3eb9..96e0fc5 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ We will use Libreswan as th - [Next steps](#next-steps) - [Important notes](#important-notes) - [Upgrade Libreswan](#upgrade-libreswan) +- [Advanced usage](#advanced-usage) - [Bugs & Questions](#bugs--questions) - [Uninstallation](#uninstallation) - [See also](#see-also) @@ -285,13 +286,7 @@ If you wish to view or update VPN user accounts, see EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see #433. -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. - -Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package and run `service xl2tpd restart`. - -To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. - -When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, [read below](#use-alternative-dns-servers). The scripts will backup existing config files before making changes, with `.old-date-time` suffix. 
@@ -329,6 +324,53 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh ``` +## Advanced usage + +- [Use alternative DNS servers](#use-alternative-dns-servers) +- [Use DNS names and server IP changes](#use-dns-names-and-server-ip-changes) +- [Internal VPN IP addresses](#internal-vpn-ip-addresses) +- [L2TP kernel support](#l2tp-kernel-support) +- [Modify IPTables rules](#modify-iptables-rules) + +### Use alternative DNS servers + +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, you may replace `8.8.8.8` and `8.8.4.4` in these files: `/etc/ppp/options.xl2tpd`, `/etc/ipsec.conf` and `/etc/ipsec.d/ikev2.conf` (if exists). Then run `service ipsec restart` and `service xl2tpd restart`. + +Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script and IKEv2 helper script. For example, if you wish to use [Cloudflare's DNS service](https://1.1.1.1): + +``` +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto +``` + +### Use DNS names and server IP changes + +For `IPsec/L2TP` and `IPsec/XAuth ("Cisco IPsec")` modes, you may use a DNS name (e.g. `vpn.example.com`) to connect to the VPN server instead of its IP address, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required. + +For `IKEv2` mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when setting up IKEv2. The DNS name must be a fully qualified domain name (FQDN). Example: + +``` +sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto +``` + +Alternatively, you may customize IKEv2 setup options by running the helper script without the `--auto` parameter. 
+ +### Internal VPN IP addresses + +When connecting using `IPsec/L2TP` mode, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. Clients are assigned internal IPs from `192.168.42.10` to `192.168.42.250`. To check which IP is assigned to a client, view the connection status on the VPN client. + +When connecting using `IPsec/XAuth ("Cisco IPsec")` or `IKEv2` mode, the VPN server \*does not\* have an internal IP within the VPN subnet `192.168.43.0/24`. Clients are assigned internal IPs from `192.168.43.10` to `192.168.43.250`. + +You may use these internal VPN IPs for communication. However, note that the IPs assigned to clients are dynamic, and many VPN clients have firewalls that may block such traffic. + +### L2TP kernel support + +Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package and run `service xl2tpd restart`. + +### Modify IPTables rules + +If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. + ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index c3de217..7c414fe 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -40,6 +40,18 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto 该 脚本 必须使用 `bash` 而不是 `sh` 运行。以上命令使用自动模式和默认选项运行辅助脚本。如果你想要自定义 IKEv2 安装选项,请在运行脚本时去掉 `--auto` 参数。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。 +在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下: + +``` +sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto +``` + +在 VPN 已连接时,IKEv2 客户端默认配置为使用 Google Public DNS。在使用自动模式安装 IKEv2 时,你可以指定另外的 DNS 服务器。这是可选的。示例如下: + +``` +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto +``` +
单击此处以查看 IKEv2 辅助脚本的详细使用信息。 @@ -58,18 +70,6 @@ Options: To customize IKEv2 or client options, run this script without arguments. ``` - -在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下: - -``` -sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto -``` - -在 VPN 已连接时,IKEv2 客户端默认配置为使用 Google Public DNS。在使用自动模式安装 IKEv2 时,你可以指定另外的 DNS 服务器。这是可选的。示例如下: - -``` -sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto -```
## 配置 IKEv2 VPN 客户端 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index c8a4177..49bfe83 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -40,6 +40,18 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto The script must be run using `bash`, not `sh`. The command above runs the helper script in auto mode, using default options. Remove the `--auto` parameter if you want to customize IKEv2 setup options. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). +When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example: + +``` +sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto +``` + +By default, IKEv2 clients are set to use Google Public DNS when the VPN is active. When running IKEv2 setup in auto mode, you may optionally specify custom DNS server(s). Example: + +``` +sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto +``` +
Click here to view detailed usage information for the IKEv2 helper script. @@ -58,18 +70,6 @@ Options: To customize IKEv2 or client options, run this script without arguments. ``` - -When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example: - -``` -sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto -``` - -By default, IKEv2 clients are set to use Google Public DNS when the VPN is active. When running IKEv2 setup in auto mode, you may optionally specify custom DNS server(s). Example: - -``` -sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto -```
## Configure IKEv2 VPN clients
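Review bot: In the README.md "Advanced usage" hunk, the new "Modify IPTables rules" subsection still ends with "Then reboot your server", while the "Use alternative DNS servers" subsection in the same hunk was changed to use `service ipsec restart` and `service xl2tpd restart` instead of a reboot; the two should be consistent, and a reload of the edited rules file (for example `iptables-restore < /etc/iptables.rules`) is the equivalent here. Either way, both a reboot and a restart of `ipsec`/`xl2tpd` terminate every active VPN session, so it is worth stating that in both subsections since readers will run these steps on servers with connected clients. The same wording appears in the README-zh.md hunk.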
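Review bot: In the README-zh.md "高级用法" hunk (and its README.md counterpart), the "使用域名和服务器 IP 更改" subsection tells IKEv2 users they must set a DNS name at setup time for the VPN to survive an IP change, but it does not say what a user who already set up IKEv2 with an IP address should do after the IP changes, nor why the address cannot simply be changed afterwards; one sentence on whether the helper script must be re-run would close that gap. In the "VPN 内网 IP 地址" subsection, the text invites users to talk to each other over the internal VPN IPs but only warns about client-side firewalls; it should also say whether the server's IPTables rules forward client-to-client traffic by default, and point to the "更改 IPTables 规则" subsection for restricting it, since any client that can reach its peers can also attack them.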
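Review bot: In the docs/ikev2-howto.md and docs/ikev2-howto-zh.md hunks, the `VPN_DNS_NAME` and `VPN_DNS_SRV1`/`VPN_DNS_SRV2` paragraphs (with the same two example commands) are moved above the usage block, but this patch also copies them verbatim into the new README.md / README-zh.md "Advanced usage" section, so the same instructions now live in two places and will drift; consider keeping the full text in the IKEv2 how-to and linking to it from the README, as the "Important notes" hunk already does for the DNS section. The move itself is fine: the optional settings now appear next to the `--auto` command they modify rather than after the collapsed usage details.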