1
0
mirror of synced 2024-11-28 15:56:01 +03:00

Update docs

- Add new section for advanced usage
- Clean up important notes section
- Update IKEv2 docs
This commit is contained in:
hwdsl2 2021-02-28 15:54:58 -06:00
parent 2e7b3f1bf4
commit ac86c8831c
4 changed files with 122 additions and 38 deletions

View File

@ -21,6 +21,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
- [下一步](#下一步) - [下一步](#下一步)
- [重要提示](#重要提示) - [重要提示](#重要提示)
- [升级Libreswan](#升级libreswan) - [升级Libreswan](#升级libreswan)
- [高级用法](#高级用法)
- [问题和反馈](#问题和反馈) - [问题和反馈](#问题和反馈)
- [卸载说明](#卸载说明) - [卸载说明](#卸载说明)
- [另见](#另见) - [另见](#另见)
@ -285,13 +286,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/433" target="_blank">#433</a> 对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/433" target="_blank">#433</a>
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1``VPN_DNS_SRV2`(可选)。 在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,请看[这里](#使用其他的-dns-服务器)。
使用内核支持有助于提高 IPsec/L2TP 性能。它在所有 [受支持的系统](#系统要求) 上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`)软件包并运行 `service xl2tpd restart`
如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
在使用 `IPsec/L2TP` 连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`
这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。 这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。
@ -329,6 +324,53 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh
``` ```
</details> </details>
## 高级用法
- [使用其他的 DNS 服务器](#使用其他的-dns-服务器)
- [使用域名和服务器 IP 更改](#使用域名和服务器-ip-更改)
- [VPN 内网 IP 地址](#vpn-内网-ip-地址)
- [L2TP 内核支持](#l2tp-内核支持)
- [更改 IPTables 规则](#更改-iptables-规则)
### 使用其他的 DNS 服务器
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,你可以编辑以下文件:`/etc/ppp/options.xl2tpd`, `/etc/ipsec.conf``/etc/ipsec.d/ikev2.conf`(如果存在),并替换 `8.8.8.8``8.8.4.4`。然后运行 `service ipsec restart``service xl2tpd restart`
高级用户可以在运行 VPN 安装脚本和 <a href="docs/ikev2-howto-zh.md#使用辅助脚本" target="_blank">IKEv2 辅助脚本</a>时定义 `VPN_DNS_SRV1``VPN_DNS_SRV2`(可选)。比如你想使用 [Cloudflare 的 DNS 服务](https://1.1.1.1)
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
### 使用域名和服务器 IP 更改
对于 `IPsec/L2TP``IPsec/XAuth ("Cisco IPsec")` 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后VPN 会继续正常工作,虽然可能需要重启服务器。
对于 `IKEv2` 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 <a href="docs/ikev2-howto-zh.md" target="_blank">配置 IKEv2</a> 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN)。示例如下:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
另外,你也可以自定义 IKEv2 安装选项,通过在运行 <a href="docs/ikev2-howto-zh.md#使用辅助脚本" target="_blank">辅助脚本</a> 时去掉 `--auto` 参数来实现。
### VPN 内网 IP 地址
在使用 `IPsec/L2TP` 模式连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。为客户端分配的内网 IP 在这个范围内:`192.168.42.10` 到 `192.168.42.250`。要找到为特定的客户端分配的 IP可以查看该 VPN 客户端上的连接状态。
在使用 `IPsec/XAuth ("Cisco IPsec")``IKEv2` 模式连接时VPN 服务器在虚拟网络 `192.168.43.0/24` 内 \*没有\* 内网 IP。为客户端分配的内网 IP 在这个范围内:`192.168.43.10` 到 `192.168.43.250`
你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为客户端分配 IP 是动态的,而且许多 VPN 客户端的防火墙可能不允许这些流量。
### L2TP 内核支持
使用内核支持有助于提高 IPsec/L2TP 性能。它在所有 [受支持的系统](#系统要求) 上可用。Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`)软件包并运行 `service xl2tpd restart`
### 更改 IPTables 规则
如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
## 问题和反馈 ## 问题和反馈
- 有问题需要提问?请先搜索已有的留言,在 <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">这个 Gist</a> 以及 <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">我的博客</a> - 有问题需要提问?请先搜索已有的留言,在 <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">这个 Gist</a> 以及 <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">我的博客</a>

View File

@ -21,6 +21,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
- [Next steps](#next-steps) - [Next steps](#next-steps)
- [Important notes](#important-notes) - [Important notes](#important-notes)
- [Upgrade Libreswan](#upgrade-libreswan) - [Upgrade Libreswan](#upgrade-libreswan)
- [Advanced usage](#advanced-usage)
- [Bugs & Questions](#bugs--questions) - [Bugs & Questions](#bugs--questions)
- [Uninstallation](#uninstallation) - [Uninstallation](#uninstallation)
- [See also](#see-also) - [See also](#see-also)
@ -285,13 +286,7 @@ If you wish to view or update VPN user accounts, see <a href="docs/manage-users.
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN. Aliyun users, see <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/433" target="_blank">#433</a>. For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN. Aliyun users, see <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/433" target="_blank">#433</a>.
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, [read below](#use-alternative-dns-servers).
Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package and run `service xl2tpd restart`.
To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
The scripts will backup existing config files before making changes, with `.old-date-time` suffix. The scripts will backup existing config files before making changes, with `.old-date-time` suffix.
@ -329,6 +324,53 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh
``` ```
</details> </details>
## Advanced usage
- [Use alternative DNS servers](#use-alternative-dns-servers)
- [Use DNS names and server IP changes](#use-dns-names-and-server-ip-changes)
- [Internal VPN IP addresses](#internal-vpn-ip-addresses)
- [L2TP kernel support](#l2tp-kernel-support)
- [Modify IPTables rules](#modify-iptables-rules)
### Use alternative DNS servers
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, you may replace `8.8.8.8` and `8.8.4.4` in these files: `/etc/ppp/options.xl2tpd`, `/etc/ipsec.conf` and `/etc/ipsec.d/ikev2.conf` (if exists). Then run `service ipsec restart` and `service xl2tpd restart`.
Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script and <a href="docs/ikev2-howto.md#using-helper-scripts" target="_blank">IKEv2 helper script</a>. For example, if you wish to use [Cloudflare's DNS service](https://1.1.1.1):
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 sh vpn.sh
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
### Use DNS names and server IP changes
For `IPsec/L2TP` and `IPsec/XAuth ("Cisco IPsec")` modes, you may use a DNS name (e.g. `vpn.example.com`) to connect to the VPN server instead of its IP address, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required.
For `IKEv2` mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when <a href="docs/ikev2-howto.md" target="_blank">setting up IKEv2</a>. The DNS name must be a fully qualified domain name (FQDN). Example:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
Alternatively, you may customize IKEv2 setup options by running the <a href="docs/ikev2-howto.md#using-helper-scripts" target="_blank">helper script</a> without the `--auto` parameter.
### Internal VPN IP addresses
When connecting using `IPsec/L2TP` mode, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. Clients are assigned internal IPs from `192.168.42.10` to `192.168.42.250`. To check which IP is assigned to a client, view the connection status on the VPN client.
When connecting using `IPsec/XAuth ("Cisco IPsec")` or `IKEv2` mode, the VPN server \*does not\* have an internal IP within the VPN subnet `192.168.43.0/24`. Clients are assigned internal IPs from `192.168.43.10` to `192.168.43.250`.
You may use these internal VPN IPs for communication. However, note that the IPs assigned to clients are dynamic, and many VPN clients have firewalls that may block such traffic.
### L2TP kernel support
Using kernel support could improve IPsec/L2TP performance. It is available on [all supported OS](#requirements). Ubuntu users should install the `linux-modules-extra-$(uname -r)` (or `linux-image-extra`) package and run `service xl2tpd restart`.
### Modify IPTables rules
If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
## Bugs & Questions ## Bugs & Questions
- Got a question? Please first search other people's comments <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">in this Gist</a> and <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">on my blog</a>. - Got a question? Please first search other people's comments <a href="https://gist.github.com/hwdsl2/9030462#comments" target="_blank">in this Gist</a> and <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread" target="_blank">on my blog</a>.

View File

@ -40,6 +40,18 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
<a href="../extras/ikev2setup.sh" target="_blank">脚本</a> 必须使用 `bash` 而不是 `sh` 运行。以上命令使用自动模式和默认选项运行辅助脚本。如果你想要自定义 IKEv2 安装选项,请在运行脚本时去掉 `--auto` 参数。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。 <a href="../extras/ikev2setup.sh" target="_blank">脚本</a> 必须使用 `bash` 而不是 `sh` 运行。以上命令使用自动模式和默认选项运行辅助脚本。如果你想要自定义 IKEv2 安装选项,请在运行脚本时去掉 `--auto` 参数。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
在 VPN 已连接时IKEv2 客户端默认配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。在使用自动模式安装 IKEv2 时,你可以指定另外的 DNS 服务器。这是可选的。示例如下:
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
<details> <details>
<summary> <summary>
单击此处以查看 IKEv2 辅助脚本的详细使用信息。 单击此处以查看 IKEv2 辅助脚本的详细使用信息。
@ -58,18 +70,6 @@ Options:
To customize IKEv2 or client options, run this script without arguments. To customize IKEv2 or client options, run this script without arguments.
``` ```
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
在 VPN 已连接时IKEv2 客户端默认配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。在使用自动模式安装 IKEv2 时,你可以指定另外的 DNS 服务器。这是可选的。示例如下:
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
</details> </details>
## 配置 IKEv2 VPN 客户端 ## 配置 IKEv2 VPN 客户端

View File

@ -40,6 +40,18 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
The <a href="../extras/ikev2setup.sh" target="_blank">script</a> must be run using `bash`, not `sh`. The command above runs the helper script in auto mode, using default options. Remove the `--auto` parameter if you want to customize IKEv2 setup options. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). The <a href="../extras/ikev2setup.sh" target="_blank">script</a> must be run using `bash`, not `sh`. The command above runs the helper script in auto mode, using default options. Remove the `--auto` parameter if you want to customize IKEv2 setup options. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients).
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
By default, IKEv2 clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. When running IKEv2 setup in auto mode, you may optionally specify custom DNS server(s). Example:
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
<details> <details>
<summary> <summary>
Click here to view detailed usage information for the IKEv2 helper script. Click here to view detailed usage information for the IKEv2 helper script.
@ -58,18 +70,6 @@ Options:
To customize IKEv2 or client options, run this script without arguments. To customize IKEv2 or client options, run this script without arguments.
``` ```
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example:
```
sudo VPN_DNS_NAME='vpn.example.com' bash ikev2.sh --auto
```
By default, IKEv2 clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. When running IKEv2 setup in auto mode, you may optionally specify custom DNS server(s). Example:
```
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
```
</details> </details>
## Configure IKEv2 VPN clients ## Configure IKEv2 VPN clients