diff --git a/README-zh.md b/README-zh.md index d34636d..53f553e 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,9 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://static.ls20.com/travis-ci/author.svg)](#作者) -[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) -[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) 使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 @@ -125,7 +122,7 @@ DigitalOcean 用户可以参考这个故障排除。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 的局限性,在同一个 NAT 后面(比如家用路由器)一次只能连接一个设备到 VPN 服务器。即使你创建多个用户也是如此。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 
@@ -133,7 +130,7 @@ DigitalOcean 用户可以参考这个EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 -如需更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 788655b..7542a79 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://static.ls20.com/travis-ci/author.svg)](#author) -[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) -[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. 
@@ -125,7 +122,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: **Windows and Android users**: If you get an error when trying to connect, see Troubleshooting. -The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. +The same VPN account can be used by your multiple devices. However, due to an IPsec limitation, only one device behind the same NAT (e.g. home router) can connect to the VPN server at a time. This applies even if you create multiple users. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -133,7 +130,7 @@ Clients are set to use EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). -To change the IPTables rules, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. +To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4785bd5..8ab0b72 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -378,9 +378,11 @@ strongswan down myvpn 如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: -1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +![Android VPN workaround](images/vpn-profile-Android.png) + ### 其它错误 更多的故障排除信息请参见以下链接: 
diff --git a/docs/clients.md b/docs/clients.md index b9b7d7f..ce79f82 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -377,9 +377,11 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): -1. Tap the "Settings" icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. 1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) +![Android VPN workaround](images/vpn-profile-Android.png) + ### Other Errors Refer to the links below for more troubleshooting tips: diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2449bdc..a0cbe83 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -17,14 +17,14 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - strongSwan Android VPN 客户端 - iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 -下面举例说明如何在 Libreswan 上配置 IKEv2。 +下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -首先,请确保你已经成功地搭建了自己的 VPN 服务器。以下命令必须用 `root` 账户运行。 +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 ```bash - $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 3aa9a79..4237303 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -17,14 +17,14 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - strongSwan Android VPN client - iOS (iPhone/iPad) and OS X (macOS) <-- See link -The following example shows how to configure IKEv2 with Libreswan. +The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. -First, make sure you have successfully set up your VPN server. Commands below must be run as `root`. +Before continuing, make sure you have successfully set up your VPN server. 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. ```bash - $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) diff --git a/docs/images/vpn-profile-Android.png b/docs/images/vpn-profile-Android.png new file mode 100644 index 0000000..6098500 Binary files /dev/null and b/docs/images/vpn-profile-Android.png differ diff --git a/docs/images/vpn-properties-zh.png b/docs/images/vpn-properties-zh.png index d8e9cda..7b2948e 100644 Binary files a/docs/images/vpn-properties-zh.png and b/docs/images/vpn-properties-zh.png differ diff --git a/docs/images/vpn-properties.png b/docs/images/vpn-properties.png index 31b3a68..c7dd884 100644 Binary files a/docs/images/vpn-properties.png and b/docs/images/vpn-properties.png differ diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 2569180..57aa64f 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -4,8 +4,6 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 -**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器,即使你创建多个用户也是如此。对于上述情形,你可以尝试使用 [Shadowsocks](https://github.com/shadowsocks/shadowsocks-libev) / [ShadowsocksR](https://github.com/breakwa11/shadowsocks-rss) 或者 [OpenVPN](https://github.com/Nyr/openvpn-install)。 - 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 ```bash diff --git a/docs/manage-users.md b/docs/manage-users.md index 2002d7d..3a2e2e6 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -4,8 +4,6 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. For the above use case, try [OpenVPN](https://github.com/Nyr/openvpn-install). - First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. ```bash
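Review bot: In the README.md hunk at `@@ -125,7 +122,7 @@` (mirrored in README-zh.md), the rewritten sentence `only one device behind the same NAT (e.g. home router) can connect to the VPN server at a time. This applies even if you create multiple users.` states the restriction without saying which of the two modes the README advertises (`IPsec/L2TP` and `Cisco IPsec`) it applies to, and it no longer offers a workaround; since this is the first place a multi-device user will hit the limit, spell out the affected mode(s) and keep a short pointer to an alternative here rather than leaving the reader with only the restriction.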
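Review bot: The README.md hunk at `@@ -133,7 +130,7 @@` (and its README-zh.md twin) still ends with `Then reboot your server.`; rebooting a VPN host just to pick up an edited `/etc/iptables.rules` drops every active tunnel, and the "and/or" between `/etc/iptables.rules` and `/etc/iptables/rules.v4` leaves the reader unsure which file is actually loaded at boot. Consider naming the file each distro's restore mechanism reads, and document `iptables-restore < <file>` (or the distro's iptables service restart) as the way to apply the rules without a reboot, with a reminder to re-check that the UDP 500/4500 and TCP 22 rules mentioned just above are still present afterwards.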
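Review bot: In the docs/clients.md hunk at `@@ -377,9 +377,11 @@` (and docs/clients-zh.md at `@@ -378,9 +378,11 @@`), the new `![Android VPN workaround](images/vpn-profile-Android.png)` is placed after step 2 (the server-side `sha2-truncbug=yes` edit) although it depicts the Android profile screen from step 1 (`Show advanced options` / `Backward compatible mode`); move it directly under step 1 or make the alt text say which step it illustrates. Separately, the Chinese page replaces the localized labels `显示高级选项` / `兼容模式` with the English UI strings; a reader on a Chinese-locale device will not see those, so keep the Chinese label next to the English one.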
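Review bot: In the docs/ikev2-howto.md hunk at `@@ -17,14 +17,14 @@` (same change in docs/ikev2-howto-zh.md), `PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)` fetches the address over plain HTTP, and the surrounding step only checks that the value is non-empty; whatever comes back is used in the later IKEv2 certificate setup, so an on-path attacker or a captive portal returning an HTML page could feed a wrong or non-IP string into the server identity. Prefer an `https://` endpoint, and validate the result against an IPv4 pattern before continuing, e.g. `printf '%s' "$PUBLIC_IP" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || echo "Could not detect public IP"`, so the step fails loudly instead of silently embedding garbage in the certificate.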
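Review bot: The docs/manage-users.md hunk at `@@ -4,8 +4,6 @@` (and docs/manage-users-zh.md) deletes the note that pointed users blocked by the same-NAT limit to alternatives (`OpenVPN` in the English file; `Shadowsocks` / `ShadowsocksR` / `OpenVPN` in the Chinese one), and nothing in the patch re-adds those links elsewhere. If the intent is to avoid duplicating the limitation text, keep a one-line "see README" pointer here, and make sure the README copy carries the workaround links so they are not lost; also note that the two language versions previously recommended different tools, which is worth reconciling while moving the text.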