1
0
mirror of synced 2024-11-25 22:36:04 +03:00

Improve DNS servers

- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
  only one or both alternative DNS servers
This commit is contained in:
hwdsl2 2018-12-17 00:07:04 -06:00
parent 4f64a72ed1
commit ddaa0ee99c
8 changed files with 44 additions and 28 deletions

View File

@ -151,7 +151,7 @@ sh vpnsetup.sh
如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。 如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`。然后重启服务器 在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd``/etc/ipsec.conf` 并替换 `8.8.8.8``8.8.4.4`,然后重启服务器。或者,你也可以在运行 VPN 脚本时定义变量 `VPN_DNS_SRV1``VPN_DNS_SRV2`(可选)
使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart` 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`

View File

@ -151,7 +151,7 @@ For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com
If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience. If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Alternatively, you may define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script.
Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`.

View File

@ -74,7 +74,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
```bash ```bash
cat >> /etc/ipsec.conf <<EOF cat >> /etc/ipsec.conf <<EOF
modecfgdns="8.8.8.8, 8.8.4.4" modecfgdns="8.8.8.8 8.8.4.4"
encapsulation=yes encapsulation=yes
mobike=no mobike=no
EOF EOF

View File

@ -74,7 +74,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
```bash ```bash
cat >> /etc/ipsec.conf <<EOF cat >> /etc/ipsec.conf <<EOF
modecfgdns="8.8.8.8, 8.8.4.4" modecfgdns="8.8.8.8 8.8.4.4"
encapsulation=yes encapsulation=yes
mobike=no mobike=no
EOF EOF

View File

@ -67,11 +67,12 @@ case "$SWAN_VER" in
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
;; ;;
3.19|3.2[012]) 3.19|3.2[012])
DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1) DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ')
DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1)
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2)
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3
[ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4
[ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
;; ;;
esac esac
@ -227,10 +228,10 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2/d" /etc/ipsec.conf -e "/modecfgdns2/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf sed -i "s/modecfgdns1=.*/modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
elif [ "$dns_state" = "3" ]; then elif [ "$dns_state" = "3" ]; then
sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
@ -263,7 +264,7 @@ IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
@ -273,7 +274,7 @@ cat <<'EOF'
IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
and replace all occurrences of this line: and replace all occurrences of this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
with two lines like this: with two lines like this:

View File

@ -58,11 +58,12 @@ case "$SWAN_VER" in
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5 [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
;; ;;
3.19|3.2[012]) 3.19|3.2[012])
DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1) DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ')
DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1)
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2)
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3
[ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4
[ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
;; ;;
esac esac
@ -225,10 +226,10 @@ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
if [ "$dns_state" = "1" ]; then if [ "$dns_state" = "1" ]; then
sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
-e "/modecfgdns2/d" /etc/ipsec.conf -e "/modecfgdns2/d" /etc/ipsec.conf
elif [ "$dns_state" = "2" ]; then elif [ "$dns_state" = "2" ]; then
sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf sed -i "s/modecfgdns1=.*/modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
elif [ "$dns_state" = "3" ]; then elif [ "$dns_state" = "3" ]; then
sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
@ -261,7 +262,7 @@ IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".
@ -271,7 +272,7 @@ cat <<'EOF'
IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
and replace all occurrences of this line: and replace all occurrences of this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
with two lines like this: with two lines like this:

View File

@ -234,6 +234,8 @@ XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}
XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
@ -274,7 +276,7 @@ conn xauth-psk
auto=add auto=add
leftsubnet=0.0.0.0/0 leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL rightaddresspool=$XAUTH_POOL
modecfgdns="$DNS_SRV1, $DNS_SRV2" modecfgdns=$DNS_SRVS
leftxauthserver=yes leftxauthserver=yes
rightxauthclient=yes rightxauthclient=yes
leftmodecfgserver=yes leftmodecfgserver=yes
@ -320,8 +322,6 @@ cat > /etc/ppp/options.xl2tpd <<EOF
+mschap-v2 +mschap-v2
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
ms-dns $DNS_SRV1
ms-dns $DNS_SRV2
noccp noccp
auth auth
mtu 1280 mtu 1280
@ -330,8 +330,15 @@ proxyarp
lcp-echo-failure 4 lcp-echo-failure 4
lcp-echo-interval 30 lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF

View File

@ -221,6 +221,8 @@ XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}
XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
# Create IPsec config # Create IPsec config
conf_bk "/etc/ipsec.conf" conf_bk "/etc/ipsec.conf"
@ -261,7 +263,7 @@ conn xauth-psk
auto=add auto=add
leftsubnet=0.0.0.0/0 leftsubnet=0.0.0.0/0
rightaddresspool=$XAUTH_POOL rightaddresspool=$XAUTH_POOL
modecfgdns="$DNS_SRV1, $DNS_SRV2" modecfgdns=$DNS_SRVS
leftxauthserver=yes leftxauthserver=yes
rightxauthclient=yes rightxauthclient=yes
leftmodecfgserver=yes leftmodecfgserver=yes
@ -303,8 +305,6 @@ cat > /etc/ppp/options.xl2tpd <<EOF
+mschap-v2 +mschap-v2
ipcp-accept-local ipcp-accept-local
ipcp-accept-remote ipcp-accept-remote
ms-dns $DNS_SRV1
ms-dns $DNS_SRV2
noccp noccp
auth auth
mtu 1280 mtu 1280
@ -313,8 +313,15 @@ proxyarp
lcp-echo-failure 4 lcp-echo-failure 4
lcp-echo-interval 30 lcp-echo-interval 30
connect-delay 5000 connect-delay 5000
ms-dns $DNS_SRV1
EOF EOF
if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
cat >> /etc/ppp/options.xl2tpd <<EOF
ms-dns $DNS_SRV2
EOF
fi
# Create VPN credentials # Create VPN credentials
conf_bk "/etc/ppp/chap-secrets" conf_bk "/etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF cat > /etc/ppp/chap-secrets <<EOF