From c356a75bcac8645a4f7efdd013df8b0b43f2eac7 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 4 Jan 2023 18:58:29 -0600
Subject: [PATCH] Update docs

---
.github/ISSUE_TEMPLATE/00-bug-report.md | 2 +-
.github/ISSUE_TEMPLATE/10-bug-report-zh.md | 2 +-
.../ISSUE_TEMPLATE/20-enhancement-request.md | 2 +-
.../30-enhancement-request-zh.md | 2 +-
.github/workflows/check_urls.yml | 2 +-
.github/workflows/cron.yml | 2 +-
.github/workflows/main.yml | 2 +-
.github/workflows/shellcheck.yml | 2 +-
.github/workflows/test_set_1.yml | 2 +-
.github/workflows/test_set_2.yml | 2 +-
LICENSE.md | 2 +-
README-zh.md | 22 +-
README.md | 22 +-
azure/README-zh.md | 2 +-
azure/README.md | 2 +-
docs/advanced-usage-zh.md | 2 +-
docs/advanced-usage.md | 2 +-
docs/clients-xauth-zh.md | 16 +-
docs/clients-xauth.md | 16 +-
docs/clients-zh.md | 438 +++++++++--------
docs/clients.md | 438 +++++++++--------
docs/ikev2-howto-zh.md | 34 +-
docs/ikev2-howto.md | 34 +-
docs/manage-users-zh.md | 2 +-
docs/manage-users.md | 2 +-
docs/uninstall-zh.md | 2 +-
docs/uninstall.md | 2 +-
extras/add_vpn_user.sh | 2 +-
extras/del_vpn_user.sh | 2 +-
extras/ikev2changeaddr.sh | 2 +-
extras/ikev2onlymode.sh | 2 +-
extras/ikev2setup.sh | 4 +-
extras/quickstart.sh | 2 +-
extras/update_vpn_users.sh | 2 +-
extras/vpnuninstall.sh | 2 +-
extras/vpnupgrade.sh | 2 +-
extras/vpnupgrade_alpine.sh | 2 +-
extras/vpnupgrade_amzn.sh | 2 +-
extras/vpnupgrade_centos.sh | 2 +-
extras/vpnupgrade_ubuntu.sh | 2 +-
vpnsetup.sh | 2 +-
vpnsetup_alpine.sh | 2 +-
vpnsetup_amzn.sh | 2 +-
vpnsetup_centos.sh | 2 +-
vpnsetup_ubuntu.sh | 2 +-
45 files changed, 540 insertions(+), 556 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md
index 5a3c034..33a084b 100644
--- a/.github/ISSUE_TEMPLATE/00-bug-report.md
+++ b/.github/ISSUE_TEMPLATE/00-bug-report.md
@@ -12,7 +12,7 @@ assignees: ''
 - [ ] I read the [README](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md)
 - [ ] I read the [Important notes](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#important-notes)
 - [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#next-steps)
-- [ ] I checked [Troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
+- [ ] I checked [IKEv1 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
 - [ ] I searched existing [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue)
 - [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself

diff --git a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md
index bc5216d..735254c 100644
--- a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md
+++ b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md
@@ -12,7 +12,7 @@ assignees: ''
 - [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md)
 - [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#重要提示)
 - [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#下一步)
-- [ ] 我检查了 [故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除),[IKEv2 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态)
+- [ ] 我检查了 [IKEv1 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#ikev1-故障排除),[IKEv2 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#ikev2-故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态)
 - [ ] 我搜索了已有的 [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue)
 - [ ] 这个 bug 是关于 VPN 安装脚本,而不是 IPsec VPN 本身

diff --git a/.github/ISSUE_TEMPLATE/20-enhancement-request.md b/.github/ISSUE_TEMPLATE/20-enhancement-request.md
index 5adb599..6baa7bd 100644
--- a/.github/ISSUE_TEMPLATE/20-enhancement-request.md
+++ b/.github/ISSUE_TEMPLATE/20-enhancement-request.md
@@ -14,7 +14,7 @@ assignees: ''
 - [ ] I read the [README](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md)
 - [ ] I read the [Important notes](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#important-notes)
 - [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#next-steps)
-- [ ] I checked [Troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
+- [ ] I checked [IKEv1 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)

 **Describe the enhancement request**
 A clear and concise description of your enhancement request.
diff --git a/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md b/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md
index 214f0b3..b8ebc7a 100644
--- a/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md
+++ b/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md
@@ -14,7 +14,7 @@ assignees: ''
 - [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md)
 - [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#重要提示)
 - [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#下一步)
-- [ ] 我检查了 [故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态)
+- [ ] 我检查了 [IKEv1 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#ikev1-故障排除),[IKEv2 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#ikev2-故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态)

 **描述改进建议**
 使用清楚简明的语言描述你的改进建议。
diff --git a/.github/workflows/check_urls.yml b/.github/workflows/check_urls.yml
index 40add0b..9e04907 100644
--- a/.github/workflows/check_urls.yml
+++ b/.github/workflows/check_urls.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
index a2e35e9..d49e19c 100644
--- a/.github/workflows/cron.yml
+++ b/.github/workflows/cron.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 02d3913..7c1f935 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index f2bfeb4..8ae6bdc 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/.github/workflows/test_set_1.yml b/.github/workflows/test_set_1.yml
index 3f9906c..6a401ba 100644
--- a/.github/workflows/test_set_1.yml
+++ b/.github/workflows/test_set_1.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/.github/workflows/test_set_2.yml b/.github/workflows/test_set_2.yml
index f7b52d4..d6a5a48 100644
--- a/.github/workflows/test_set_2.yml
+++ b/.github/workflows/test_set_2.yml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/LICENSE.md b/LICENSE.md
index a684d14..d2805d2 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,7 +1,7 @@
 ### Creative Commons Attribution-ShareAlike 3.0 Unported License

 Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/

-Copyright (C) 2014-2022 [Lin Song](https://github.com/hwdsl2)
+Copyright (C) 2014-2023 [Lin Song](https://github.com/hwdsl2)
 Based on [the work of Thomas Sarlandie](https://github.com/sarfata/voodooprivacy) (Copyright 2012)
 See the [azure/](azure/) subfolder for its authors.
diff --git a/README-zh.md b/README-zh.md
index cbd5714..d9da627 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -235,16 +235,16 @@ sudo ikev2.sh

 | IKEv2 参数\* |默认值 |自定义(环境变量)\*\* |自定义(交互式)\*\*\* |
 | ----------- | ---- | ------------------ | ----------------- |
-|服务器地址(DNS域名)| - | VPN_DNS_NAME | ✔ |
-|服务器地址(公网IP)|自动检测 | VPN_PUBLIC_IP | ✔ |
-|第一个客户端的名称 | vpnclient | VPN_CLIENT_NAME | ✔ |
-|客户端的 DNS 服务器 |Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✔ |
-|保护客户端配置文件 |no | VPN_PROTECT_CONFIG=yes | ✔ |
-|启用/禁用 MOBIKE |如果系统支持则启用 | ✘ | ✔ |
-|客户端证书有效期 | 10 年(120 个月)| VPN_CLIENT_VALIDITY\*\*\*\* | ✔ |
-| CA 和服务器证书有效期 | 10 年(120 个月)| ✘ | ✘ |
-| CA 证书名称 | IKEv2 VPN CA | ✘ | ✘ |
-|证书密钥长度 | 3072 bits | ✘ | ✘ |
+|服务器地址(DNS域名)| - | VPN_DNS_NAME | ✅ |
+|服务器地址(公网IP)|自动检测 | VPN_PUBLIC_IP | ✅ |
+|第一个客户端的名称 | vpnclient | VPN_CLIENT_NAME | ✅ |
+|客户端的 DNS 服务器 |Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ |
+|保护客户端配置文件 |no | VPN_PROTECT_CONFIG=yes | ✅ |
+|启用/禁用 MOBIKE |如果系统支持则启用 | ❌ | ✅ |
+|客户端证书有效期 | 10 年(120 个月)| VPN_CLIENT_VALIDITY\*\*\*\* | ✅ |
+| CA 和服务器证书有效期 | 10 年(120 个月)| ❌ | ❌ |
+| CA 证书名称 | IKEv2 VPN CA | ❌ | ❌ |
+|证书密钥长度 | 3072 bits | ❌ | ❌ |

 \* 这些 IKEv2 参数适用于 IKEv2 模式。
 \*\* 在运行 vpn(setup).sh 时,或者在自动模式下配置 IKEv2 时 (`sudo ikev2.sh --auto`) 将这些定义为环境变量。
@@ -384,7 +384,7 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnuninstall.sh

 ## 授权协议

-版权所有 (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+版权所有 (C) 2014-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 基于 [Thomas Sarlandie 的工作](https://github.com/sarfata/voodooprivacy) (版权所有 2012)

 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/README.md b/README.md
index 0dbf2cf..44a05a2 100644
--- a/README.md
+++ b/README.md
@@ -235,16 +235,16 @@ For reference: List of IKEv1 and IKEv2 parameters.

 | IKEv2 parameter\* | Default value | Customize (env variable)\*\* | Customize (interactive)\*\*\* |
 | --------------------------- | --------------------- | ---------------------------- | ----------------------------- |
-| Server address (DNS name) | - | VPN_DNS_NAME | ✔ |
-| Server address (public IP) | Auto detect | VPN_PUBLIC_IP | ✔ |
-| Name of first client | vpnclient | VPN_CLIENT_NAME | ✔ |
-| DNS servers for clients | Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✔ |
-| Protect client config files | no | VPN_PROTECT_CONFIG=yes | ✔ |
-| Enable/Disable MOBIKE | Enable if supported | ✘ | ✔ |
-| Client cert validity | 10 years (120 months) | VPN_CLIENT_VALIDITY\*\*\*\* | ✔ |
-| CA & server cert validity | 10 years (120 months) | ✘ | ✘ |
-| CA certificate name | IKEv2 VPN CA | ✘ | ✘ |
-| Certificate key size | 3072 bits | ✘ | ✘ |
+| Server address (DNS name) | - | VPN_DNS_NAME | ✅ |
+| Server address (public IP) | Auto detect | VPN_PUBLIC_IP | ✅ |
+| Name of first client | vpnclient | VPN_CLIENT_NAME | ✅ |
+| DNS servers for clients | Google Public DNS | VPN_DNS_SRV1, VPN_DNS_SRV2 | ✅ |
+| Protect client config files | no | VPN_PROTECT_CONFIG=yes | ✅ |
+| Enable/Disable MOBIKE | Enable if supported | ❌ | ✅ |
+| Client cert validity | 10 years (120 months) | VPN_CLIENT_VALIDITY\*\*\*\* | ✅ |
+| CA & server cert validity | 10 years (120 months) | ❌ | ❌ |
+| CA certificate name | IKEv2 VPN CA | ❌ | ❌ |
+| Certificate key size | 3072 bits | ❌ | ❌ |

 \* These IKEv2 parameters are for IKEv2 mode.
 \*\* Define these as environment variables when running vpn(setup).sh, or when setting up IKEv2 in auto mode (`sudo ikev2.sh --auto`).
@@ -384,7 +384,7 @@ For more information, see [Uninstall the VPN](docs/uninstall.md).

 ## License

-Copyright (C) 2014-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Copyright (C) 2014-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 Based on [the work of Thomas Sarlandie](https://github.com/sarfata/voodooprivacy) (Copyright 2012)

 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/azure/README-zh.md b/azure/README-zh.md
index 83e4593..82d3664 100644
--- a/azure/README-zh.md
+++ b/azure/README-zh.md
@@ -25,7 +25,7 @@
 ## 作者

 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu)
-版权所有 (C) 2017-2022 [Lin Song](https://github.com/hwdsl2)
+版权所有 (C) 2017-2023 [Lin Song](https://github.com/hwdsl2)

 ## 屏幕截图

diff --git a/azure/README.md b/azure/README.md
index 81069c3..f9d0ca6 100644
--- a/azure/README.md
+++ b/azure/README.md
@@ -25,7 +25,7 @@ When the deployment finishes, Azure displays a notification. Next steps: [Config
 ## Authors

 Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu)
-Copyright (C) 2017-2022 [Lin Song](https://github.com/hwdsl2)
+Copyright (C) 2017-2023 [Lin Song](https://github.com/hwdsl2)

 ## Screenshot

diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md
index 0e2c936..3c1c03e 100644
--- a/docs/advanced-usage-zh.md
+++ b/docs/advanced-usage-zh.md
@@ -334,7 +334,7 @@ VPN 服务器搭建完成后,可以通过部署 Google BBR 拥塞控制算法

 ## 授权协议

-版权所有 (C) 2021-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+版权所有 (C) 2021-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)

 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。
diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md
index 6e0abfa..cd091c6 100644
--- a/docs/advanced-usage.md
+++ b/docs/advanced-usage.md
@@ -335,7 +335,7 @@ For detailed deployment methods, please refer to [this document](bbr.md).

 ## License

-Copyright (C) 2021-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Copyright (C) 2021-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)

 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md
index 7e291b6..6f2f207 100644
--- a/docs/clients-xauth-zh.md
+++ b/docs/clients-xauth-zh.md
@@ -38,7 +38,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP

 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#ikev1-故障排除)。

 ## OS X

@@ -62,7 +62,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP

 要连接到 VPN:使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#ikev1-故障排除)。

 ## Android

@@ -92,7 +92,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v

 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#ikev1-故障排除)。

 ## iOS

@@ -112,7 +112,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v

 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](clients-zh.md#ikev1-故障排除)。

 ## Linux

@@ -143,16 +143,12 @@ Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用 `yum` 安装 `N

 其它 Linux 版本用户可以使用 [IPsec/L2TP](clients-zh.md#linux) 模式连接。

-## 致谢
-
-本文档是在 [Streisand](https://github.com/StreisandEffect/streisand) 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。
-
 ## 授权协议

 注: 这个协议仅适用于本文档。

-版权所有 (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
-基于 [Joshua Lund 的工作](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) (版权所有 2014-2016)
+版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+受到 [Joshua Lund 的工作](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) 的启发

 本程序为自由软件,在自由软件联盟发布的[ GNU 通用公共许可协议](https://www.gnu.org/licenses/gpl.html)的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。

diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md
index ebcbcd6..bdd5b43 100644
--- a/docs/clients-xauth.md
+++ b/docs/clients-xauth.md
@@ -38,7 +38,7 @@ Like this project? [:heart: Sponsor](https://github.com/sponsors/hwdsl2?metadata

 Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".

-If you get an error when trying to connect, see [Troubleshooting](clients.md#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](clients.md#ikev1-troubleshooting).

 ## OS X

@@ -62,7 +62,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro

 To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".

-If you get an error when trying to connect, see [Troubleshooting](clients.md#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](clients.md#ikev1-troubleshooting).

 ## Android

@@ -92,7 +92,7 @@ After that, follow the steps below on your Android device:

 Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".

-If you get an error when trying to connect, see [Troubleshooting](clients.md#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](clients.md#ikev1-troubleshooting).

 ## iOS

@@ -112,7 +112,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro

 Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".

-If you get an error when trying to connect, see [Troubleshooting](clients.md#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](clients.md#ikev1-troubleshooting).

 ## Linux

@@ -143,16 +143,12 @@ Once connected, you can verify that your traffic is being routed properly by [lo

 Other Linux users can connect using [IPsec/L2TP](clients.md#linux) mode.

-## Credits
-
-This document was adapted from the [Streisand](https://github.com/StreisandEffect/streisand) project, maintained by Joshua Lund and contributors.
-
 ## License

 Note: This license applies to this document only.

-Copyright (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
-Based on [the work of Joshua Lund](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) (Copyright 2014-2016)
+Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Inspired by [the work of Joshua Lund](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2)

 This program is free software: you can redistribute it and/or modify it under the terms of the [GNU General Public License](https://www.gnu.org/licenses/gpl.html) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

diff --git a/docs/clients-zh.md b/docs/clients-zh.md
index f9efdbe..5d814e2 100644
--- a/docs/clients-zh.md
+++ b/docs/clients-zh.md
@@ -12,7 +12,7 @@
 * [iOS (iPhone/iPad)](#ios)
 * [Chrome OS (Chromebook)](#chrome-os)
 * [Linux](#linux)
-* [故障排除](#故障排除)
+* [IKEv1 故障排除](#ikev1-故障排除)

 喜欢这个项目?[:heart: 赞助](https://github.com/sponsors/hwdsl2?metadata_o=lz) 或 [:coffee: 支持](https://ko-fi.com/hwdsl2) 并访问 [额外内容](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC)。

@@ -39,7 +39,7 @@

 要连接到 VPN:单击 **连接** 按钮,或者单击系统托盘中的无线/网络图标,单击 **VPN**,然后选择新的 VPN 连接并单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ### Windows 10 and 8

@@ -63,7 +63,7 @@

 要连接到 VPN:单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 另外,除了按照以上步骤操作,你也可以运行下面的 Windows PowerShell 命令来创建 VPN 连接。将 `你的 VPN 服务器 IP` 和 `你的 VPN IPsec PSK` 换成你自己的值,用单引号括起来:

@@ -107,7 +107,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'

 要连接到 VPN:单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ## OS X

@@ -133,7 +133,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'

 要连接到 VPN:使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ## Android

@@ -164,7 +164,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v

 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ## iOS

@@ -184,7 +184,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v

 连接成功后,会在通知栏显示图标。最后你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ## Chrome OS

@@ -205,7 +205,7 @@ Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-v

 连接成功后,网络状态图标上会出现 VPN 指示。你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

-如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
+如果在连接过程中遇到错误,请参见 [故障排除](#ikev1-故障排除)。

 ## Linux

@@ -243,217 +243,11 @@ Fedora 28(和更新版本)和 CentOS 8/7 用户可以使用 [IPsec/XAuth](cl ### 其它 Linux -首先看 [这里](https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuilt-Packages) 以确认 `network-manager-l2tp` 和 `network-manager-l2tp-gnome` 软件包是否在你的 Linux 版本上可用。如果可用,安装它们(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 +首先看 [这里](https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuilt-Packages) 以确认 `network-manager-l2tp` 和 `network-manager-l2tp-gnome` 软件包是否在你的 Linux 版本上可用。如果可用,安装它们(选择使用 strongSwan)并参见上面的说明。另外,你也可以使用命令行配置 Linux VPN 客户端。 -## 故障排除 +### 使用命令行配置 Linux VPN 客户端 -*其他语言版本: [English](clients.md#troubleshooting), [中文](clients-zh.md#故障排除)。* - -**另见:** [检查日志及 VPN 状态](#检查日志及-vpn-状态),[IKEv2 故障排除](ikev2-howto-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 - -* [Windows 错误 809](#windows-错误-809) -* [Windows 错误 789 或 691](#windows-错误-789-或-691) -* [Windows 错误 628 或 766](#windows-错误-628-或-766) -* [Windows 10 正在连接](#windows-10-正在连接) -* [Windows 10 升级](#windows-10-升级) -* [Windows DNS 泄漏和 IPv6](#windows-dns-泄漏和-ipv6) -* [Android MTU/MSS 问题](#android-mtumss-问题) -* [Android 6 和 7](#android-6-和-7) -* [macOS 通过 VPN 发送通信](#macos-通过-vpn-发送通信) -* [iOS 13+ 和 macOS 10.15/11+](#ios-13-和-macos-101511) -* [iOS/Android 睡眠模式](#iosandroid-睡眠模式) -* [Debian 11/10 内核](#debian-1110-内核) -* [其它错误](#其它错误) -* [检查日志及 VPN 状态](#检查日志及-vpn-状态) - -### Windows 错误 809 - -> 错误 809:无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。这可能是因为未将计算机与远程服务器之间的某种网络设备(如防火墙、NAT、路由器等)配置为允许 VPN 连接。请与管理员或服务提供商联系以确定哪种设备可能产生此问题。 - -**注:** 仅当你使用 IPsec/L2TP 模式连接到 VPN 时,才需要进行下面的注册表更改。对于 [IKEv2](ikev2-howto-zh.md) 和 [IPsec/XAuth](clients-xauth-zh.md) 模式,**不需要** 进行此更改。 - -要解决此错误,在首次连接之前需要[修改一次注册表](https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809),以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令。**完成后必须重启计算机。** - -- 适用于 Windows Vista, 7, 8, 10 和 11 ([下载 .reg 
文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。 - -- 适用于 Windows XP, Vista, 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f - ``` - -### Windows 错误 789 或 691 - -> 错误 789:L2TP 连接尝试失败,因为安全层在初始化与远程计算机的协商时遇到一个处理错误。 - -> 错误 691:由于指定的用户名和/或密码无效而拒绝连接。下列条件可能会导致此情况:用户名和/或密码键入错误... - -对于错误 789,点击 [这里](https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789) 查看故障排除信息。对于错误 691,你可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 - -### Windows 错误 628 或 766 - -> 错误 628:在连接完成前,连接被远程计算机终止。 - -> 错误 766:找不到证书。使用通过 IPSec 的 L2TP 协议的连接要求安装一个机器证书。它也叫做计算机证书。 - -要解决这些错误,请按以下步骤操作: - -1. 右键单击系统托盘中的无线/网络图标。 -1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 -1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 -1. 单击 **高级设置** 按钮。 -1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 -1. 单击 **确定** 关闭 **高级设置**。 -1. 
单击 **确定** 保存 VPN 连接的详细信息。 - -请参见 VPN 连接属性对话框的[屏幕截图](images/vpn-properties-zh.png)。 - -### Windows 10 正在连接 - -如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤: - -1. 右键单击系统托盘中的无线/网络图标。 -1. 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击左侧的 **VPN**。 -1. 选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。 - -### Windows 10 升级 - -在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照上面的 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。 - -### Windows DNS 泄漏和 IPv6 - -Windows 8, 10 和 11 默认使用 "smart multi-homed name resolution" (智能多宿主名称解析)。如果你的因特网适配器的 DNS 服务器在本地网段上,在使用 Windows 自带的 IPsec VPN 客户端时可能会导致 "DNS 泄漏"。要解决这个问题,你可以 [禁用智能多宿主名称解析](https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/),或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后[清除 DNS 缓存](https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-)并且重启计算机。 - -另外,如果你的计算机启用了 IPv6,所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6,请看[这里](https://support.microsoft.com/zh-cn/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users)。如果你需要支持 IPv6 的 VPN,可以另外尝试 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md)。 - -### Android MTU/MSS 问题 - -某些 Android 设备有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。 - -``` -iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 -iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 - -echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc -``` - -**Docker 用户:** 要修复这个问题,不需要运行以上命令。你可以在[你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像)中添加 `VPN_ANDROID_MTU_FIX=yes`,然后重新创建 Docker 容器。 - 
-参考链接:[[1]](https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/)。 - -### Android 6 和 7 - -如果你的 Android 6.x 或者 7.x 设备无法连接,请尝试以下步骤: - -1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(参见[屏幕截图](images/vpn-profile-Android.png)),请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并切换它的值。也就是说,将 `sha2-truncbug=no` 替换为 `sha2-truncbug=yes`,或者将 `sha2-truncbug=yes` 替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 - -**Docker 用户:** 如需在 `/etc/ipsec.conf` 中设置 `sha2-truncbug=yes`(默认为 `no`),你可以在[你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像)中添加 `VPN_SHA2_TRUNCBUG=yes`,然后重新创建 Docker 容器。 - -### macOS 通过 VPN 发送通信 - -OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成以下步骤。保存 VPN 配置然后重新连接。 - -1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 -1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 - -如果在尝试上面步骤之后,你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 - -### iOS 13+ 和 macOS 10.15/11+ - -如果你的设备运行 iOS 13+, macOS 10.15 (Catalina), macOS 11 (Big Sur) 或以上版本,并且无法连接到 VPN,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 - -另外,macOS Big Sur 11.0 用户应该更新到版本 11.1 或以上,以修复 VPN 连接的某些问题。要检查 macOS 版本并安装更新,请看[这里](https://www.businessinsider.com/how-to-check-mac-os-version)。 - -### iOS/Android 睡眠模式 - -为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 [故意设计的](https://discussions.apple.com/thread/2333948) 并且不能被配置。 - -如果需要 VPN 在设备唤醒后自动重连,你可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md),它支持 [一些选项](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/) 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 - - -Android 设备在进入睡眠模式不久后也会断开 
Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 [这里](https://support.google.com/android/answer/9089766?hl=zh-Hans)。 - -### Debian 11/10 内核 - -Debian 11 或者 10 用户:运行 `uname -r` 检查你的服务器的 Linux 内核版本。如果它包含 `cloud` 字样,并且 `/dev/ppp` 不存在,则该内核缺少 `ppp` 支持从而不能使用 IPsec/L2TP 模式。VPN 安装脚本会尝试检测此情形并显示警告。在这种情况下,你可以另外使用 [IKEv2](ikev2-howto-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接到 VPN。 - -要解决 IPsec/L2TP 模式的问题,你可以换用标准的 Linux 内核,通过安装比如 `linux-image-amd64` 软件包来实现。然后更新 GRUB 的内核默认值并重启服务器。 - -### 其它错误 - -如果你遇到其它错误,请参见以下链接: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn - -### 检查日志及 VPN 状态 - -以下命令需要使用 `root` 账户(或者 `sudo`)运行。 - -首先,重启 VPN 服务器上的相关服务: - -```bash -service ipsec restart -service xl2tpd restart -``` - -**Docker 用户:** 运行 `docker restart ipsec-vpn-server`。 - -然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接。请确保输入了正确的 VPN 服务器地址和 VPN 登录凭证。 - -对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。 - -检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2 -grep pluto /var/log/secure -grep xl2tpd /var/log/messages - -# Alpine Linux -grep pluto /var/log/messages -grep xl2tpd /var/log/messages -``` - -检查 IPsec VPN 服务器状态: - -```bash -ipsec status -``` - -查看当前已建立的 VPN 连接: - -```bash -ipsec trafficstatus -``` - -## 使用命令行配置 Linux VPN 客户端 - -在成功 [搭建自己的 VPN 服务器](../README-zh.md) 之后,按照下面的步骤来使用命令行配置 Linux VPN 客户端。另外,你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐),或者 [使用图形界面配置](#linux) 。以下步骤是基于 [Peter Sanford 
的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 +高级用户可以使用命令行配置 Linux VPN 客户端。另外,你也可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐),或者 [使用图形界面配置](#linux)。以下说明受到 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c) 的启发。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: 
@@ -635,16 +429,218 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## 致谢 +## IKEv1 故障排除 -本文档是在 [Streisand](https://github.com/StreisandEffect/streisand) 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +*其他语言版本: [English](clients.md#ikev1-troubleshooting), [中文](clients-zh.md#ikev1-故障排除)。* + +**另见:** [IKEv2 故障排除](ikev2-howto-zh.md#ikev2-故障排除) 和 [高级用法](advanced-usage-zh.md)。 + +* [检查日志及 VPN 状态](#检查日志及-vpn-状态) +* [Windows 错误 809](#windows-错误-809) +* [Windows 错误 789 或 691](#windows-错误-789-或-691) +* [Windows 错误 628 或 766](#windows-错误-628-或-766) +* [Windows 10 正在连接](#windows-10-正在连接) +* [Windows 10 升级](#windows-10-升级) +* [Windows DNS 泄漏和 IPv6](#windows-dns-泄漏和-ipv6) +* [Android MTU/MSS 问题](#android-mtumss-问题) +* [Android 6 和 7](#android-6-和-7) +* [macOS 通过 VPN 发送通信](#macos-通过-vpn-发送通信) +* [iOS 13+ 和 macOS 10.15/11+](#ios-13-和-macos-101511) +* [iOS/Android 睡眠模式](#iosandroid-睡眠模式) +* [Debian 11/10 内核](#debian-1110-内核) +* [其它错误](#其它错误) + +### 检查日志及 VPN 状态 + +以下命令需要使用 `root` 账户(或者 `sudo`)运行。 + +首先,重启 VPN 服务器上的相关服务: + +```bash +service ipsec restart +service xl2tpd restart +``` + +**Docker 用户:** 运行 `docker restart ipsec-vpn-server`。 + +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接。请确保输入了正确的 VPN 服务器地址和 VPN 登录凭证。 + +对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。 + +检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2 +grep pluto /var/log/secure +grep xl2tpd /var/log/messages + +# Alpine Linux +grep pluto /var/log/messages +grep xl2tpd /var/log/messages +``` + +检查 IPsec VPN 服务器状态: + +```bash +ipsec status +``` + +查看当前已建立的 VPN 连接: + +```bash +ipsec trafficstatus +``` + +### Windows 错误 809 + +> 错误 809:无法建立计算机与 VPN 
服务器之间的网络连接,因为远程服务器未响应。这可能是因为未将计算机与远程服务器之间的某种网络设备(如防火墙、NAT、路由器等)配置为允许 VPN 连接。请与管理员或服务提供商联系以确定哪种设备可能产生此问题。 + +**注:** 仅当你使用 IPsec/L2TP 模式连接到 VPN 时,才需要进行下面的注册表更改。对于 [IKEv2](ikev2-howto-zh.md) 和 [IPsec/XAuth](clients-xauth-zh.md) 模式,**不需要** 进行此更改。 + +要解决此错误,在首次连接之前需要[修改一次注册表](https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809),以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 [提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html) 并运行以下命令。**完成后必须重启计算机。** + +- 适用于 Windows Vista, 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- 仅适用于 Windows XP ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。 + +- 适用于 Windows XP, Vista, 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows 错误 789 或 691 + +> 错误 789:L2TP 连接尝试失败,因为安全层在初始化与远程计算机的协商时遇到一个处理错误。 + +> 错误 691:由于指定的用户名和/或密码无效而拒绝连接。下列条件可能会导致此情况:用户名和/或密码键入错误... + +对于错误 789,点击 [这里](https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789) 查看故障排除信息。对于错误 691,你可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 + +### Windows 错误 628 或 766 + +> 错误 628:在连接完成前,连接被远程计算机终止。 + +> 错误 766:找不到证书。使用通过 IPSec 的 L2TP 协议的连接要求安装一个机器证书。它也叫做计算机证书。 + +要解决这些错误,请按以下步骤操作: + +1. 右键单击系统托盘中的无线/网络图标。 +1. 
选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 +1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 +1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 +1. 单击 **高级设置** 按钮。 +1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 +1. 单击 **确定** 关闭 **高级设置**。 +1. 单击 **确定** 保存 VPN 连接的详细信息。 + +请参见 VPN 连接属性对话框的[屏幕截图](images/vpn-properties-zh.png)。 + +### Windows 10 正在连接 + +如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤: + +1. 右键单击系统托盘中的无线/网络图标。 +1. 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击左侧的 **VPN**。 +1. 选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。 + +### Windows 10 升级 + +在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照上面的 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。 + +### Windows DNS 泄漏和 IPv6 + +Windows 8, 10 和 11 默认使用 "smart multi-homed name resolution" (智能多宿主名称解析)。如果你的因特网适配器的 DNS 服务器在本地网段上,在使用 Windows 自带的 IPsec VPN 客户端时可能会导致 "DNS 泄漏"。要解决这个问题,你可以 [禁用智能多宿主名称解析](https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/),或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后[清除 DNS 缓存](https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-)并且重启计算机。 + +另外,如果你的计算机启用了 IPv6,所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6,请看[这里](https://support.microsoft.com/zh-cn/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users)。如果你需要支持 IPv6 的 VPN,可以另外尝试 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md)。 + +### Android MTU/MSS 问题 + +某些 Android 设备有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。 + +``` +iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 +iptables -t mangle -A FORWARD 
-m policy --pol ipsec --dir out \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 + +echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc +``` + +**Docker 用户:** 要修复这个问题,不需要运行以上命令。你可以在[你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像)中添加 `VPN_ANDROID_MTU_FIX=yes`,然后重新创建 Docker 容器。 + +参考链接:[[1]](https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/)。 + +### Android 6 和 7 + +如果你的 Android 6.x 或者 7.x 设备无法连接,请尝试以下步骤: + +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(参见[屏幕截图](images/vpn-profile-Android.png)),请启用它并重试连接。如果不存在,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并切换它的值。也就是说,将 `sha2-truncbug=no` 替换为 `sha2-truncbug=yes`,或者将 `sha2-truncbug=yes` 替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 + +**Docker 用户:** 如需在 `/etc/ipsec.conf` 中设置 `sha2-truncbug=yes`(默认为 `no`),你可以在[你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像)中添加 `VPN_SHA2_TRUNCBUG=yes`,然后重新创建 Docker 容器。 + +### macOS 通过 VPN 发送通信 + +OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成以下步骤。保存 VPN 配置然后重新连接。 + +1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 +1. 
单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 + +如果在尝试上面步骤之后,你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 + +### iOS 13+ 和 macOS 10.15/11+ + +如果你的设备运行 iOS 13+, macOS 10.15 (Catalina), macOS 11 (Big Sur) 或以上版本,并且无法连接到 VPN,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 + +另外,macOS Big Sur 11.0 用户应该更新到版本 11.1 或以上,以修复 VPN 连接的某些问题。要检查 macOS 版本并安装更新,请看[这里](https://www.businessinsider.com/how-to-check-mac-os-version)。 + +### iOS/Android 睡眠模式 + +为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 [故意设计的](https://discussions.apple.com/thread/2333948) 并且不能被配置。 + +如果需要 VPN 在设备唤醒后自动重连,你可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md),它支持 [一些选项](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/) 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 + + +Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 [这里](https://support.google.com/android/answer/9089766?hl=zh-Hans)。 + +### Debian 11/10 内核 + +Debian 11 或者 10 用户:运行 `uname -r` 检查你的服务器的 Linux 内核版本。如果它包含 `cloud` 字样,并且 `/dev/ppp` 不存在,则该内核缺少 `ppp` 支持从而不能使用 IPsec/L2TP 模式。VPN 安装脚本会尝试检测此情形并显示警告。在这种情况下,你可以另外使用 [IKEv2](ikev2-howto-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接到 VPN。 + +要解决 IPsec/L2TP 模式的问题,你可以换用标准的 Linux 内核,通过安装比如 `linux-image-amd64` 软件包来实现。然后更新 GRUB 的内核默认值并重启服务器。 + +### 其它错误 + +如果你遇到其它错误,请参见以下链接: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn ## 授权协议 注: 这个协议仅适用于本文档。 -版权所有 (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on 
LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) -基于 [Joshua Lund 的工作](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) (版权所有 2014-2016) +版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) +受到 [Joshua Lund 的工作](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) 的启发 本程序为自由软件,在自由软件联盟发布的[ GNU 通用公共许可协议](https://www.gnu.org/licenses/gpl.html)的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index e12932a..323298a 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -12,7 +12,7 @@ After [setting up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn * [iOS (iPhone/iPad)](#ios) * [Chrome OS (Chromebook)](#chrome-os) * [Linux](#linux) -* [Troubleshooting](#troubleshooting) +* [IKEv1 troubleshooting](#ikev1-troubleshooting) Like this project? [:heart: Sponsor](https://github.com/sponsors/hwdsl2?metadata_o=l) or [:coffee: Support](https://ko-fi.com/hwdsl2) and access [extra content](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J). 
@@ -39,7 +39,7 @@ Like this project? [:heart: Sponsor](https://github.com/sponsors/hwdsl2?metadata To connect to the VPN: Click the **Connect** button, or click on the wireless/network icon in your system tray, click **VPN**, then select the new VPN entry and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ### Windows 10 and 8 @@ -63,7 +63,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes: 
@@ -107,7 +107,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' ^ To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ## OS X @@ -132,7 +132,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ## Android @@ -163,7 +163,7 @@ After that, follow the steps below on your Android device: Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ## iOS 
@@ -183,7 +183,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ## Chrome OS @@ -204,7 +204,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev1-troubleshooting). ## Linux 
@@ -242,217 +242,11 @@ Fedora 28 (and newer) and CentOS 8/7 users can connect using [IPsec/XAuth](clien ### Other Linux -First check [here](https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuilt-Packages) to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). +First check [here](https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuilt-Packages) to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may configure Linux VPN clients using the command line. -## Troubleshooting +### Configure Linux VPN clients using the command line -*Read this in other languages: [English](clients.md#troubleshooting), [中文](clients-zh.md#故障排除).* - -**See also:** [Check logs and VPN status](#check-logs-and-vpn-status), [IKEv2 troubleshooting](ikev2-howto.md#troubleshooting) and [Advanced usage](advanced-usage.md). 
- -* [Windows error 809](#windows-error-809) -* [Windows error 789 or 691](#windows-error-789-or-691) -* [Windows error 628 or 766](#windows-error-628-or-766) -* [Windows 10 connecting](#windows-10-connecting) -* [Windows 10 upgrades](#windows-10-upgrades) -* [Windows DNS leaks and IPv6](#windows-dns-leaks-and-ipv6) -* [Android MTU/MSS issues](#android-mtumss-issues) -* [Android 6 and 7](#android-6-and-7) -* [macOS send traffic over VPN](#macos-send-traffic-over-vpn) -* [iOS 13+ and macOS 10.15/11+](#ios-13-and-macos-101511) -* [iOS/Android sleep mode](#iosandroid-sleep-mode) -* [Debian 11/10 kernel](#debian-1110-kernel) -* [Other errors](#other-errors) -* [Check logs and VPN status](#check-logs-and-vpn-status) - -### Windows error 809 - -> Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. - -**Note:** The registry change below is only required if you use IPsec/L2TP mode to connect to the VPN. It is NOT required for the [IKEv2](ikev2-howto.md) and [IPsec/XAuth](clients-xauth.md) modes. - -To fix this error, a [one-time registry change](https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809) is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/). 
**You must reboot your PC when finished.** - -- For Windows Vista, 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. - -- For Windows XP, Vista, 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) - - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f - ``` - -### Windows error 789 or 691 - -> Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. - -> Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server. - -For error 789, click [here](https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789) for troubleshooting information. For error 691, you may try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
- -### Windows error 628 or 766 - -> Error 628: The connection was terminated by the remote computer before it could be completed. - -> Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. - -To fix these errors, please follow these steps: - -1. Right-click on the wireless/network icon in your system tray. -1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. -1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. -1. Click the **Advanced settings** button. -1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. -1. Click **OK** to close the **Advanced settings**. -1. Click **OK** to save the VPN connection details. - -For reference, see [this screenshot](images/vpn-properties.png) of the VPN connection properties dialog. - -### Windows 10 connecting - -If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps: - -1. Right-click on the wireless/network icon in your system tray. -1. Select **Open Network & Internet settings**, then on the page that opens, click **VPN** on the left. -1. Select the new VPN entry, then click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. - -### Windows 10 upgrades - -After upgrading Windows 10 version (e.g. 
from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. - -### Windows DNS leaks and IPv6 - -Windows 8, 10 and 11 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either [disable smart multi-homed name resolution](https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/), or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, [clear the DNS cache](https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-) and reboot your PC. - -In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to [disable IPv6](https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users) in Windows. If you need a VPN with IPv6 support, you could instead try [OpenVPN](https://github.com/hwdsl2/openvpn-install). - -### Android MTU/MSS issues - -Some Android devices have MTU/MSS issues, that they are able to connect to the VPN using IPsec/XAuth ("Cisco IPsec") mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to `/etc/rc.local` to persist after reboot. 
- -``` -iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 -iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 - -echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc -``` - -**Docker users:** Instead of running the commands above, you may apply this fix by adding `VPN_ANDROID_MTU_FIX=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. - -Reference: [[1]](https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/). - -### Android 6 and 7 - -If your Android 6.x or 7.x device cannot connect, try these steps: - -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists ([see screenshot](images/vpn-profile-Android.png)), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value. i.e. Replace `sha2-truncbug=no` with `sha2-truncbug=yes`, or replace `sha2-truncbug=yes` with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. - -**Docker users:** You may set `sha2-truncbug=yes` (default is `no`) in `/etc/ipsec.conf` by adding `VPN_SHA2_TRUNCBUG=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. - -### macOS send traffic over VPN - -OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete these steps. Save VPN configuration and re-connect. - -1. 
Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. -1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. - -After trying the steps above, if your computer is still not sending traffic over the VPN, check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top. - -### iOS 13+ and macOS 10.15/11+ - -If your device running iOS 13+, macOS 10.15 (Catalina), macOS 11 (Big Sur) or above cannot connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. - -In addition, users running macOS Big Sur 11.0 should update to version 11.1 or newer, to fix some issues with VPN connections. To check your macOS version and update, refer to [this article](https://www.businessinsider.com/how-to-check-mac-os-version). - -### iOS/Android sleep mode - -To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is [by design](https://discussions.apple.com/thread/2333948) and cannot be configured. - -If you need the VPN to auto-reconnect when the device wakes up, you may connect using [IKEv2](ikev2-howto.md) mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try [OpenVPN](https://github.com/hwdsl2/openvpn-install) instead, which [has support for options](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/) such as "Reconnect on Wakeup" and "Seamless Tunnel". - - -Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. 
This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more [here](https://support.google.com/android/answer/9089766?hl=en). - -### Debian 11/10 kernel - -Debian 11 or 10 users: Run `uname -r` to check your server's Linux kernel version. If it contains the word "cloud", and `/dev/ppp` is missing, then the kernel lacks `ppp` support and cannot use IPsec/L2TP mode. The VPN setup scripts try to detect this and show a warning. In this case, you may instead use [IKEv2](ikev2-howto.md) or [IPsec/XAuth](clients-xauth.md) mode to connect to the VPN. - -To fix the issue with IPsec/L2TP mode, you may switch to the standard Linux kernel by installing e.g. the `linux-image-amd64` package. Then update the default kernel in GRUB and reboot your server. - -### Other errors - -If you encounter other errors, refer to the links below: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn - -### Check logs and VPN status - -Commands below must be run as `root` (or using `sudo`). - -First, restart services on the VPN server: - -```bash -service ipsec restart -service xl2tpd restart -``` - -**Docker users:** Run `docker restart ipsec-vpn-server`. - -Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection. Make sure that the VPN server address and VPN credentials are entered correctly. - -For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. 
- -Check the Libreswan (IPsec) and xl2tpd logs for errors: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2 -grep pluto /var/log/secure -grep xl2tpd /var/log/messages - -# Alpine Linux -grep pluto /var/log/messages -grep xl2tpd /var/log/messages -``` - -Check the status of the IPsec VPN server: - -```bash -ipsec status -``` - -Show currently established VPN connections: - -```bash -ipsec trafficstatus -``` - -## Configure Linux VPN clients using the command line - -After [setting up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn), follow these steps to configure Linux VPN clients using the command line. Alternatively, you may connect using [IKEv2](ikev2-howto.md) mode (recommended), or [configure using the GUI](#linux). Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. +Advanced users can configure Linux VPN clients using the command line. Alternatively, you may connect using [IKEv2](ikev2-howto.md) mode (recommended), or [configure using the GUI](#linux). Instructions below are inspired by [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: 
@@ -633,16 +427,218 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## Credits +## IKEv1 troubleshooting -This document was adapted from the [Streisand](https://github.com/StreisandEffect/streisand) project, maintained by Joshua Lund and contributors. +*Read this in other languages: [English](clients.md#ikev1-troubleshooting), [中文](clients-zh.md#ikev1-故障排除).* + +**See also:** [IKEv2 troubleshooting](ikev2-howto.md#ikev2-troubleshooting) and [Advanced usage](advanced-usage.md). + +* [Check logs and VPN status](#check-logs-and-vpn-status) +* [Windows error 809](#windows-error-809) +* [Windows error 789 or 691](#windows-error-789-or-691) +* [Windows error 628 or 766](#windows-error-628-or-766) +* [Windows 10 connecting](#windows-10-connecting) +* [Windows 10 upgrades](#windows-10-upgrades) +* [Windows DNS leaks and IPv6](#windows-dns-leaks-and-ipv6) +* [Android MTU/MSS issues](#android-mtumss-issues) +* [Android 6 and 7](#android-6-and-7) +* [macOS send traffic over VPN](#macos-send-traffic-over-vpn) +* [iOS 13+ and macOS 10.15/11+](#ios-13-and-macos-101511) +* [iOS/Android sleep mode](#iosandroid-sleep-mode) +* [Debian 11/10 kernel](#debian-1110-kernel) +* [Other errors](#other-errors) + +### Check logs and VPN status + +Commands below must be run as `root` (or using `sudo`). + +First, restart services on the VPN server: + +```bash +service ipsec restart +service xl2tpd restart +``` + +**Docker users:** Run `docker restart ipsec-vpn-server`. + +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection. Make sure that the VPN server address and VPN credentials are entered correctly. + +For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. 
+ +Check the Libreswan (IPsec) and xl2tpd logs for errors: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2 +grep pluto /var/log/secure +grep xl2tpd /var/log/messages + +# Alpine Linux +grep pluto /var/log/messages +grep xl2tpd /var/log/messages +``` + +Check the status of the IPsec VPN server: + +```bash +ipsec status +``` + +Show currently established VPN connections: + +```bash +ipsec trafficstatus +``` + +### Windows error 809 + +> Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. + +**Note:** The registry change below is only required if you use IPsec/L2TP mode to connect to the VPN. It is NOT required for the [IKEv2](ikev2-howto.md) and [IPsec/XAuth](clients-xauth.md) modes. + +To fix this error, a [one-time registry change](https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809) is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/). 
**You must reboot your PC when finished.** + +- For Windows Vista, 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- For Windows XP ONLY ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. + +- For Windows XP, Vista, 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows error 789 or 691 + +> Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. + +> Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server. + +For error 789, click [here](https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789) for troubleshooting information. For error 691, you may try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
+ +### Windows error 628 or 766 + +> Error 628: The connection was terminated by the remote computer before it could be completed. + +> Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. + +To fix these errors, please follow these steps: + +1. Right-click on the wireless/network icon in your system tray. +1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. +1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. +1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. +1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. +1. Click the **Advanced settings** button. +1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. +1. Click **OK** to close the **Advanced settings**. +1. Click **OK** to save the VPN connection details. + +For reference, see [this screenshot](images/vpn-properties.png) of the VPN connection properties dialog. + +### Windows 10 connecting + +If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps: + +1. Right-click on the wireless/network icon in your system tray. +1. Select **Open Network & Internet settings**, then on the page that opens, click **VPN** on the left. +1. Select the new VPN entry, then click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. + +### Windows 10 upgrades + +After upgrading Windows 10 version (e.g. 
from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. + +### Windows DNS leaks and IPv6 + +Windows 8, 10 and 11 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either [disable smart multi-homed name resolution](https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/), or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, [clear the DNS cache](https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-) and reboot your PC. + +In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to [disable IPv6](https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users) in Windows. If you need a VPN with IPv6 support, you could instead try [OpenVPN](https://github.com/hwdsl2/openvpn-install). + +### Android MTU/MSS issues + +Some Android devices have MTU/MSS issues, that they are able to connect to the VPN using IPsec/XAuth ("Cisco IPsec") mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to `/etc/rc.local` to persist after reboot. 
+ +``` +iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 +iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 + +echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc +``` + +**Docker users:** Instead of running the commands above, you may apply this fix by adding `VPN_ANDROID_MTU_FIX=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. + +Reference: [[1]](https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/). + +### Android 6 and 7 + +If your Android 6.x or 7.x device cannot connect, try these steps: + +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists ([see screenshot](images/vpn-profile-Android.png)), enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value. i.e. Replace `sha2-truncbug=no` with `sha2-truncbug=yes`, or replace `sha2-truncbug=yes` with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. + +**Docker users:** You may set `sha2-truncbug=yes` (default is `no`) in `/etc/ipsec.conf` by adding `VPN_SHA2_TRUNCBUG=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. + +### macOS send traffic over VPN + +OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete these steps. Save VPN configuration and re-connect. + +1. 
Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. +1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. + +After trying the steps above, if your computer is still not sending traffic over the VPN, check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top. + +### iOS 13+ and macOS 10.15/11+ + +If your device running iOS 13+, macOS 10.15 (Catalina), macOS 11 (Big Sur) or above cannot connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. + +In addition, users running macOS Big Sur 11.0 should update to version 11.1 or newer, to fix some issues with VPN connections. To check your macOS version and update, refer to [this article](https://www.businessinsider.com/how-to-check-mac-os-version). + +### iOS/Android sleep mode + +To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is [by design](https://discussions.apple.com/thread/2333948) and cannot be configured. + +If you need the VPN to auto-reconnect when the device wakes up, you may connect using [IKEv2](ikev2-howto.md) mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try [OpenVPN](https://github.com/hwdsl2/openvpn-install) instead, which [has support for options](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/) such as "Reconnect on Wakeup" and "Seamless Tunnel". + + +Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. 
This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more [here](https://support.google.com/android/answer/9089766?hl=en). + +### Debian 11/10 kernel + +Debian 11 or 10 users: Run `uname -r` to check your server's Linux kernel version. If it contains the word "cloud", and `/dev/ppp` is missing, then the kernel lacks `ppp` support and cannot use IPsec/L2TP mode. The VPN setup scripts try to detect this and show a warning. In this case, you may instead use [IKEv2](ikev2-howto.md) or [IPsec/XAuth](clients-xauth.md) mode to connect to the VPN. + +To fix the issue with IPsec/L2TP mode, you may switch to the standard Linux kernel by installing e.g. the `linux-image-amd64` package. Then update the default kernel in GRUB and reboot your server. + +### Other errors + +If you encounter other errors, refer to the links below: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn ## License Note: This license applies to this document only. 
-Copyright (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) -Based on [the work of Joshua Lund](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) (Copyright 2014-2016) +Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) +Inspired by [the work of Joshua Lund](https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2) This program is free software: you can redistribute it and/or modify it under the terms of the [GNU General Public License](https://www.gnu.org/licenses/gpl.html) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 3141ada..46266e0 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -4,7 +4,7 @@ * [导言](#导言) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) -* [故障排除](#故障排除) +* [IKEv2 故障排除](#ikev2-故障排除) * [管理 IKEv2 客户端](#管理-ikev2-客户端) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) 
@@ -56,11 +56,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 要连接到 VPN:单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。 #### 手动导入配置 -[[支持者] **屏幕录影:** 在 Windows 上手动导入 IKEv2 配置](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +[**屏幕录影:** 在 Windows 上手动导入 IKEv2 配置](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) 或者,**Windows 7, 8, 10 和 11** 用户可以手动导入 IKEv2 配置: @@ -109,7 +109,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 要连接到 VPN:单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。
@@ -139,7 +139,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ### OS X (macOS) -[[支持者] **屏幕录影:** 在 macOS 上导入 IKEv2 配置并连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +[**屏幕录影:** 在 macOS 上导入 IKEv2 配置并连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) 首先,将生成的 `.mobileconfig` 文件安全地传送到你的 Mac,然后双击并按提示操作,以导入为 macOS 配置描述文件。如果你的 Mac 运行 macOS Big Sur 或更新版本,打开系统偏好设置并转到描述文件部分以完成导入。在完成之后,检查并确保 "IKEv2 VPN" 显示在系统偏好设置 -> 描述文件中。 @@ -183,7 +183,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。
@@ -195,7 +195,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ### iOS -[[支持者] **屏幕录影:** 在 iOS (iPhone & iPad) 上导入 IKEv2 配置并连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +[**屏幕录影:** 在 iOS (iPhone & iPad) 上导入 IKEv2 配置并连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) 首先,将生成的 `.mobileconfig` 文件安全地传送到你的 iOS 设备,并且导入为 iOS 配置描述文件。要传送文件,你可以使用: @@ -243,7 +243,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。
@@ -255,7 +255,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ### Android -[[支持者] **屏幕录影:** 使用 Android strongSwan VPN 客户端连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +[**屏幕录影:** 使用 Android strongSwan VPN 客户端连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) 1. 将生成的 `.sswan` 文件安全地传送到你的 Android 设备。 1. 从 [**Google Play**](https://play.google.com/store/apps/details?id=org.strongswan.android),[**F-Droid**](https://f-droid.org/en/packages/org.strongswan.android/) 或 [**strongSwan 下载网站**](https://download.strongswan.org/Android/)下载并安装 strongSwan VPN 客户端。 @@ -273,7 +273,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 或者,Android 11+ 用户也可以使用系统自带的 IKEv2 客户端连接。 -[[支持者] **屏幕录影:** 使用 Android 11+ 系统自带的 VPN 客户端连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +[**屏幕录影:** 使用 Android 11+ 系统自带的 VPN 客户端连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) 1. 将生成的 `.p12` 文件安全地传送到你的 Android 设备。 1. 启动 **设置** App。 @@ -346,7 +346,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。 ### Chrome OS @@ -388,7 +388,7 @@ sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ca.cer (可选功能)你可以选择启用 Chrome OS 上的 "始终开启的 VPN" 功能。要管理该设置,进入设置 -> 网络,然后单击 **VPN**。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。 ### Linux @@ -452,7 +452,7 @@ sudo chmod 600 ca.cer client.cer client.key 连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +如果在连接过程中遇到错误,请参见 [故障排除](#ikev2-故障排除)。 ### RouterOS 
@@ -528,11 +528,11 @@ sudo chmod 600 ca.cer client.cer client.key > mar/02/2022 12:52:57 by RouterOS 6.48 > RouterBOARD 941-2nD -## 故障排除 +## IKEv2 故障排除 -*其他语言版本: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除)。* +*其他语言版本: [English](ikev2-howto.md#ikev2-troubleshooting), [中文](ikev2-howto-zh.md#ikev2-故障排除)。* -**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 +**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#ikev1-故障排除) 和 [高级用法](advanced-usage-zh.md)。 * [无法连接到 VPN 服务器](#无法连接到-vpn-服务器) * [无法连接多个 IKEv2 客户端](#无法连接多个-ikev2-客户端) @@ -1183,7 +1183,7 @@ sudo ikev2.sh --removeikev2 ## 授权协议 -版权所有 (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) +版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/) 这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 06c6bd2..6676e30 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -4,7 +4,7 @@ * [Introduction](#introduction) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) -* [Troubleshooting](#troubleshooting) +* [IKEv2 troubleshooting](#ikev2-troubleshooting) * [Manage IKEv2 clients](#manage-ikev2-clients) * [Change IKEv2 server address](#change-ikev2-server-address) * [Update IKEv2 helper script](#update-ikev2-helper-script) 
@@ -56,11 +56,11 @@ In certain circumstances, you may need to change the IKEv2 server address. For e To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting). #### Manually import configuration -[[Supporters] **Screencast:** IKEv2 Manually Import Configuration on Windows](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J) +[**Screencast:** IKEv2 Manually Import Configuration on Windows](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J) Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 configuration: @@ -109,7 +109,7 @@ Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 confi To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
@@ -139,7 +139,7 @@ Using the following steps, you can remove the VPN connection and optionally rest ### OS X (macOS) -[[Supporters] **Screencast:** IKEv2 Import Configuration and Connect on macOS](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J) +[**Screencast:** IKEv2 Import Configuration and Connect on macOS](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J) First, securely transfer the generated `.mobileconfig` file to your Mac, then double-click and follow the prompts to import as a macOS profile. If your Mac runs macOS Big Sur or newer, open System Preferences and go to the Profiles section to finish importing. When finished, check to make sure "IKEv2 VPN" is listed under System Preferences -> Profiles. @@ -183,7 +183,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`". -If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
@@ -195,7 +195,7 @@ To remove the IKEv2 VPN connection, open System Preferences -> Profiles and remo
 ### iOS
-[[Supporters] **Screencast:** IKEv2 Import Configuration and Connect on iOS (iPhone & iPad)](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
+[**Screencast:** IKEv2 Import Configuration and Connect on iOS (iPhone & iPad)](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
 First, securely transfer the generated `.mobileconfig` file to your iOS device, then import it as an iOS profile. To transfer the file, you may use:
@@ -243,7 +243,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
 Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
@@ -255,7 +255,7 @@ To remove the IKEv2 VPN connection, open Settings -> General -> VPN & Device Man
 ### Android
-[[Supporters] **Screencast:** Connect using Android strongSwan VPN Client](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
+[**Screencast:** Connect using Android strongSwan VPN Client](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
 1. Securely transfer the generated `.sswan` file to your Android device.
 1. Install strongSwan VPN Client from [**Google Play**](https://play.google.com/store/apps/details?id=org.strongswan.android), [**F-Droid**](https://f-droid.org/en/packages/org.strongswan.android/) or [**strongSwan download server**](https://download.strongswan.org/Android/).
@@ -273,7 +273,7 @@ To remove the IKEv2 VPN connection, open Settings -> General -> VPN & Device Man
 Alternatively, Android 11+ users can also connect using the native IKEv2 client.
-[[Supporters] **Screencast:** Connect using Native VPN Client on Android 11+](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
+[**Screencast:** Connect using Native VPN Client on Android 11+](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J)
 1. Securely transfer the generated `.p12` file to your Android device.
 1. Launch the **Settings** application.
@@ -346,7 +346,7 @@ If you manually set up IKEv2 without using the helper script, click here for ins
 Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
 ### Chrome OS
@@ -388,7 +388,7 @@ Once connected, you will see a VPN icon overlay on the network status icon. You
 (Optional feature) You can choose to enable the "Always-on VPN" feature on Chrome OS. To manage this setting, go to Settings -> Network, then click **VPN**.
-If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
 ### Linux
@@ -454,7 +454,7 @@ You can then set up and enable the VPN connection:
 Once connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
+If you get an error when trying to connect, see [Troubleshooting](#ikev2-troubleshooting).
 ### RouterOS
@@ -530,11 +530,11 @@ for the entire network, or use `192.168.0.10` for just one device, and so on.
 > mar/02/2022 12:52:57 by RouterOS 6.48
 > RouterBOARD 941-2nD
-## Troubleshooting
+## IKEv2 troubleshooting
-*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除).*
+*Read this in other languages: [English](ikev2-howto.md#ikev2-troubleshooting), [中文](ikev2-howto-zh.md#ikev2-故障排除).*
-**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
+**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#ikev1-troubleshooting) and [Advanced usage](advanced-usage.md).
 * [Cannot connect to the VPN server](#cannot-connect-to-the-vpn-server)
 * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
@@ -1185,7 +1185,7 @@ To manually remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.
 ## License
-Copyright (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md
index fa873a5..5e91538 100644
--- a/docs/manage-users-zh.md
+++ b/docs/manage-users-zh.md
@@ -178,7 +178,7 @@ openssl passwd -1 '密码1'
 ## 授权协议
-版权所有 (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。
diff --git a/docs/manage-users.md b/docs/manage-users.md
index bbcf983..b729465 100644
--- a/docs/manage-users.md
+++ b/docs/manage-users.md
@@ -178,7 +178,7 @@ openssl passwd -1 'password1'
 ## License
-Copyright (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md
index a698e25..1bd6f96 100644
--- a/docs/uninstall-zh.md
+++ b/docs/uninstall-zh.md
@@ -143,7 +143,7 @@ apk del fail2ban
 ## 授权协议
-版权所有 (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。
diff --git a/docs/uninstall.md b/docs/uninstall.md
index 1315215..4fcb9c0 100644
--- a/docs/uninstall.md
+++ b/docs/uninstall.md
@@ -143,7 +143,7 @@ Reboot your server.
 ## License
-Copyright (C) 2016-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
+Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)
 [![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/)
 This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/)
diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh
index 3234b5d..fc9af73 100755
--- a/extras/add_vpn_user.sh
+++ b/extras/add_vpn_user.sh
@@ -2,7 +2,7 @@
 #
 # Script to add/update a VPN user for both IPsec/L2TP and Cisco IPsec
 #
-# Copyright (C) 2018-2022 Lin Song
+# Copyright (C) 2018-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh
index 199d06a..544c554 100755
--- a/extras/del_vpn_user.sh
+++ b/extras/del_vpn_user.sh
@@ -2,7 +2,7 @@
 #
 # Script to delete a VPN user for both IPsec/L2TP and Cisco IPsec
 #
-# Copyright (C) 2018-2022 Lin Song
+# Copyright (C) 2018-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/ikev2changeaddr.sh b/extras/ikev2changeaddr.sh
index c0800bd..1227865 100755
--- a/extras/ikev2changeaddr.sh
+++ b/extras/ikev2changeaddr.sh
@@ -5,7 +5,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2022 Lin Song
+# Copyright (C) 2022-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/ikev2onlymode.sh b/extras/ikev2onlymode.sh
index 369d308..f747d95 100755
--- a/extras/ikev2onlymode.sh
+++ b/extras/ikev2onlymode.sh
@@ -2,7 +2,7 @@
 #
 # Script to enable or disable IKEv2-only mode
 #
-# Copyright (C) 2022 Lin Song
+# Copyright (C) 2022-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index e79c969..5ef799b 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -8,7 +8,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
@@ -157,7 +157,7 @@ confirm_or_abort() { show_header() { cat <<'EOF' -IKEv2 Script Copyright (c) 2020-2022 Lin Song 1 Dec 2022 +IKEv2 Script Copyright (c) 2020-2023 Lin Song 4 Jan 2023 EOF }
diff --git a/extras/quickstart.sh b/extras/quickstart.sh
index 0593eb1..eb4bf3e 100755
--- a/extras/quickstart.sh
+++ b/extras/quickstart.sh
@@ -8,7 +8,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh
index 4a4dd50..ec3dbef 100755
--- a/extras/update_vpn_users.sh
+++ b/extras/update_vpn_users.sh
@@ -2,7 +2,7 @@
 #
 # Script to update VPN users for both IPsec/L2TP and Cisco IPsec
 #
-# Copyright (C) 2018-2022 Lin Song
+# Copyright (C) 2018-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnuninstall.sh b/extras/vpnuninstall.sh
index 24a8aa3..1478c78 100755
--- a/extras/vpnuninstall.sh
+++ b/extras/vpnuninstall.sh
@@ -7,7 +7,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index deb0682..7b4308d 100755
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -6,7 +6,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh
index cfaf907..f4c8fe9 100755
--- a/extras/vpnupgrade_alpine.sh
+++ b/extras/vpnupgrade_alpine.sh
@@ -5,7 +5,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh
index 69e6bd8..0e62a83 100755
--- a/extras/vpnupgrade_amzn.sh
+++ b/extras/vpnupgrade_amzn.sh
@@ -5,7 +5,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index f93505c..6531180 100755
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -5,7 +5,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2016-2022 Lin Song
+# Copyright (C) 2016-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh
index 9ed902a..d22348e 100755
--- a/extras/vpnupgrade_ubuntu.sh
+++ b/extras/vpnupgrade_ubuntu.sh
@@ -5,7 +5,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2016-2022 Lin Song
+# Copyright (C) 2016-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 0593eb1..eb4bf3e 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -8,7 +8,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index 993e1b9..c6fdc8d 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -7,7 +7,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2021-2022 Lin Song
+# Copyright (C) 2021-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index 9d8edac..2c2485c 100755
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -7,7 +7,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2020-2022 Lin Song
+# Copyright (C) 2020-2023 Lin Song
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 6cb5eb4..711b0fc 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -8,7 +8,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2015-2022 Lin Song
+# Copyright (C) 2015-2023 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index a8eea7c..fbdb601 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -7,7 +7,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2014-2022 Lin Song
+# Copyright (C) 2014-2023 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0