mirror of synced 2024-11-25 06:16:07 +03:00

Update docs

[ci skip]
hwdsl2 2016-11-10 13:04:47 -06:00
parent 61bd1254ed
commit af1af539aa
11 changed files with 18 additions and 24 deletions

@ -1,9 +1,6 @@
# IPsec VPN 服务器一键安装脚本 # IPsec VPN 服务器一键安装脚本
[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
[![Author](https://static.ls20.com/travis-ci/author.svg)](#作者)
[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers)
[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 UbuntuDebian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 UbuntuDebian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。
@ -125,7 +122,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
**Windows 和 Android 用户** 如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a> **Windows 和 Android 用户** 如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>
同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 的局限性,在同一个 NAT 后面(比如家用路由器)一次只能连接一个设备到 VPN 服务器。即使你创建多个用户也是如此
如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a> 如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>
@ -133,7 +130,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/networking#firewalls" target="_blank">GCE</a>),请打开 UDP 端口 500 和 4500以及 TCP 端口 22 (用于 SSH 对于有外部防火墙的服务器(比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/networking#firewalls" target="_blank">GCE</a>),请打开 UDP 端口 500 和 4500以及 TCP 端口 22 (用于 SSH
如需更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。
在使用 `IPsec/L2TP` 连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1` 在使用 `IPsec/L2TP` 连接时VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`

@ -1,9 +1,6 @@
# IPsec VPN Server Auto Setup Scripts # IPsec VPN Server Auto Setup Scripts
[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
[![Author](https://static.ls20.com/travis-ci/author.svg)](#author)
[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers)
[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server)
Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest.
@ -125,7 +122,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
**Windows and Android users**: If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>. **Windows and Android users**: If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. The same VPN account can be used by your multiple devices. However, due to an IPsec limitation, only one device behind the same NAT (e.g. home router) can connect to the VPN server at a time. This applies even if you create multiple users.
If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>.
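Review bot: In the reworded NAT sentence, "due to an IPsec limitation" no longer says which connection mode is affected, while the introduction of this README advertises both IPsec/L2TP and Cisco IPsec. State whether the one-device-per-NAT limit applies to both modes or only one, so a reader with several devices behind a home router knows which client setup to pick.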
@ -133,7 +130,7 @@ Clients are set to use <a href="https://developers.google.com/speed/public-dns/"
For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/networking#firewalls" target="_blank">GCE</a>), open UDP ports 500 & 4500, and TCP port 22 (for SSH). For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/compute/docs/networking#firewalls" target="_blank">GCE</a>), open UDP ports 500 & 4500, and TCP port 22 (for SSH).
To change the IPTables rules, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server.
When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`.
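Review bot: The reworded IPTables line still ends with "Then reboot your server", so an edited rules file is first exercised at boot, where a mistake can drop the TCP port 22 rule mentioned in the line above and lock the administrator out. Suggest adding a step to check the edited file with `iptables-restore --test < /etc/iptables.rules` before rebooting, and saying which of the two Ubuntu/Debian files is the one loaded at boot instead of "and/or".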

@ -378,9 +378,11 @@ strongswan down myvpn
如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: 如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接:
1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>) 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
![Android VPN workaround](images/vpn-profile-Android.png)
### 其它错误 ### 其它错误
更多的故障排除信息请参见以下链接: 更多的故障排除信息请参见以下链接:
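Review bot: In step 1 of the Android 6/7 workaround, the Chinese labels "显示高级选项" and "兼容模式" are replaced by the English strings alone, but readers of this file are likely to run the device UI in Chinese and will not find "Show advanced options" or "Backward compatible mode" on screen. Suggest giving both forms, with the English label in parentheses after the Chinese one.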

@ -377,9 +377,11 @@ To fix this error, please follow these steps:
If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat):
1. Tap the "Settings" icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>) 1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
![Android VPN workaround](images/vpn-profile-Android.png)
### Other Errors ### Other Errors
Refer to the links below for more troubleshooting tips: Refer to the links below for more troubleshooting tips:
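Review bot: Step 2 tells the reader to add `sha2-truncbug=yes` under `phase2alg=...` in `/etc/ipsec.conf`, which applies to the whole connection section rather than to the Android client alone, yet the text gives no hint of what the option changes beyond the "Ref" link. Suggest one sentence summarising the linked Libreswan FAQ entry, and a reminder to remove the line again once no Android 6 or 7 client needs it.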

@ -17,14 +17,14 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- strongSwan Android VPN 客户端 - strongSwan Android VPN 客户端
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server">iOS (iPhone/iPad) 和 OS X (macOS)</a> <-- 请参见 - <a href="https://github.com/gaomd/docker-ikev2-vpn-server">iOS (iPhone/iPad) 和 OS X (macOS)</a> <-- 请参见
下面举例说明如何在 Libreswan 上配置 IKEv2。 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
首先,请确保你已经成功地<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>以下命令必须用 `root` 账户运行。 在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
```bash ```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(Your public IP is displayed) (Your public IP is displayed)

@ -17,14 +17,14 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- strongSwan Android VPN client - strongSwan Android VPN client
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server">iOS (iPhone/iPad) and OS X (macOS)</a> <-- See link - <a href="https://github.com/gaomd/docker-ikev2-vpn-server">iOS (iPhone/iPad) and OS X (macOS)</a> <-- See link
The following example shows how to configure IKEv2 with Libreswan. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>. Commands below must be run as `root`. Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.
1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
```bash ```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(Your public IP is displayed) (Your public IP is displayed)
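Review bot: The new `PUBLIC_IP` line fetches `http://ipv4.icanhazip.com` over plain HTTP while running as `root`, and step 1 only asks the reader to make sure the value is not empty, so an error page or a tampered response would be accepted as the server address. Suggest using the `https://` URL and checking that `$PUBLIC_IP` is a dotted-quad IPv4 address before continuing; keeping the previous `dig` lookup as a fallback would also avoid depending on a single third-party service.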

Binary file not shown. After: 82 KiB

Binary file not shown. Before: 18 KiB, After: 84 KiB

Binary file not shown. Before: 39 KiB, After: 93 KiB

@ -4,8 +4,6 @@
在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。
**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器,即使你创建多个用户也是如此。对于上述情形,你可以尝试使用 [Shadowsocks](https://github.com/shadowsocks/shadowsocks-libev) / [ShadowsocksR](https://github.com/breakwa11/shadowsocks-rss) 或者 [OpenVPN](https://github.com/Nyr/openvpn-install)。
首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK可以编辑此文件。 首先IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK可以编辑此文件。
```bash ```bash

@ -4,8 +4,6 @@
By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document.
**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. For the above use case, try [OpenVPN](https://github.com/Nyr/openvpn-install).
First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file.
```bash ```bash
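Review bot: The pointer to OpenVPN for several devices behind one NAT is lost when the **Note:** paragraph at the top of this file is removed, and the replacement sentence in the README does not carry it over. Since this is the page readers open when they try to solve the problem by adding users, keep a one-line link here to the README's NAT limitation text, or move the alternative suggestion into the README.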