Update docs
This commit is contained in:
parent
247298bb05
commit
e05cdb4b83
61
README-zh.md
61
README-zh.md
@ -71,7 +71,7 @@ wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh && sudo ikev2.sh -
|
|||||||
|
|
||||||
## 功能特性
|
## 功能特性
|
||||||
|
|
||||||
- **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 和 `IKEv2` 模式
|
- **新:** 增加支持更高效的 IPsec/XAuth ("Cisco IPsec") 和 IKEv2 模式
|
||||||
- **新:** 现在可以下载 VPN 服务器的预构建 <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md" target="_blank">Docker 镜像</a>
|
- **新:** 现在可以下载 VPN 服务器的预构建 <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md" target="_blank">Docker 镜像</a>
|
||||||
- 全自动的 IPsec VPN 服务器配置,无需用户输入
|
- 全自动的 IPsec VPN 服务器配置,无需用户输入
|
||||||
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
|
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
|
||||||
@ -96,7 +96,7 @@ wget https://git.io/vpnsetup-amzn -O vpn.sh && sudo sh vpn.sh && sudo ikev2.sh -
|
|||||||
|
|
||||||
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://aws.amazon.com/lightsail/" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud/virtual-servers" target="_blank">IBM Cloud</a>, <a href="https://www.ovh.com/world/vps/" target="_blank">OVH</a> 和 <a href="https://www.rackspace.com" target="_blank">Rackspace</a>。
|
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://aws.amazon.com/lightsail/" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud/virtual-servers" target="_blank">IBM Cloud</a>, <a href="https://www.ovh.com/world/vps/" target="_blank">OVH</a> 和 <a href="https://www.rackspace.com" target="_blank">Rackspace</a>。
|
||||||
|
|
||||||
<a href="aws/README-zh.md" target="_blank"><img src="docs/images/aws-deploy-button.png" alt="Deploy to AWS" /></a> <a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://cloud.linode.com/stackscripts/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="aws/README-zh.md" target="_blank"><img src="docs/images/aws-deploy-button.png" alt="Deploy to AWS" /></a> <a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Deploy to DigitalOcean" /></a> <a href="https://cloud.linode.com/stackscripts/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**» 我想建立并使用自己的 VPN ,但是没有可用的服务器**</a>
|
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**» 我想建立并使用自己的 VPN ,但是没有可用的服务器**</a>
|
||||||
|
|
||||||
@ -338,6 +338,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh
|
|||||||
- [使用其他的 DNS 服务器](#使用其他的-dns-服务器)
|
- [使用其他的 DNS 服务器](#使用其他的-dns-服务器)
|
||||||
- [域名和更改服务器 IP](#域名和更改服务器-ip)
|
- [域名和更改服务器 IP](#域名和更改服务器-ip)
|
||||||
- [VPN 内网 IP 和流量](#vpn-内网-ip-和流量)
|
- [VPN 内网 IP 和流量](#vpn-内网-ip-和流量)
|
||||||
|
- [VPN 分流](#vpn-分流)
|
||||||
- [访问 VPN 服务器的网段](#访问-vpn-服务器的网段)
|
- [访问 VPN 服务器的网段](#访问-vpn-服务器的网段)
|
||||||
- [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn)
|
- [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn)
|
||||||
- [更改 IPTables 规则](#更改-iptables-规则)
|
- [更改 IPTables 规则](#更改-iptables-规则)
|
||||||
@ -373,14 +374,14 @@ sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
|
|||||||
|
|
||||||
你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为 VPN 客户端分配的 IP 是动态的,而且客户端设备上的防火墙可能会阻止这些流量。
|
你可以使用这些 VPN 内网 IP 进行通信。但是请注意,为 VPN 客户端分配的 IP 是动态的,而且客户端设备上的防火墙可能会阻止这些流量。
|
||||||
|
|
||||||
对于 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式,你可以将静态 IP 分配给 VPN 客户端。这是可选的。展开以查看详细信息。IKEv2 模式 **不支持** 此功能。
|
对于 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式,高级用户可以将静态 IP 分配给 VPN 客户端。这是可选的。展开以查看详细信息。IKEv2 模式 **不支持** 此功能。
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
IPsec/L2TP 模式:为 VPN 客户端分配静态 IP
|
IPsec/L2TP 模式:为 VPN 客户端分配静态 IP
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
高级用户可以将静态内网 IP 分配给 VPN 客户端。这是可选的。下面的示例步骤 **仅适用于** `IPsec/L2TP` 模式。这些命令必须用 `root` 账户运行。
|
下面的示例 **仅适用于** IPsec/L2TP 模式。这些命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
1. 首先为要分配静态 IP 的每个 VPN 客户端创建一个新的 VPN 用户。参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。
|
1. 首先为要分配静态 IP 的每个 VPN 客户端创建一个新的 VPN 用户。参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。
|
||||||
1. 编辑 VPN 服务器上的 `/etc/xl2tpd/xl2tpd.conf`。将 `ip range = 192.168.42.10-192.168.42.250` 替换为比如 `ip range = 192.168.42.100-192.168.42.250`。这样可以缩小自动分配的 IP 地址池,从而使更多的 IP 可以作为静态 IP 分配给客户端。
|
1. 编辑 VPN 服务器上的 `/etc/xl2tpd/xl2tpd.conf`。将 `ip range = 192.168.42.10-192.168.42.250` 替换为比如 `ip range = 192.168.42.100-192.168.42.250`。这样可以缩小自动分配的 IP 地址池,从而使更多的 IP 可以作为静态 IP 分配给客户端。
|
||||||
@ -410,7 +411,7 @@ IPsec/L2TP 模式:为 VPN 客户端分配静态 IP
|
|||||||
IPsec/XAuth ("Cisco IPsec") 模式:为 VPN 客户端分配静态 IP
|
IPsec/XAuth ("Cisco IPsec") 模式:为 VPN 客户端分配静态 IP
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
高级用户可以将静态内网 IP 分配给 VPN 客户端。这是可选的。下面的示例步骤 **仅适用于** `IPsec/XAuth ("Cisco IPsec")` 模式。这些命令必须用 `root` 账户运行。
|
下面的示例 **仅适用于** IPsec/XAuth ("Cisco IPsec") 模式。这些命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
1. 首先为要分配静态 IP 的每个 VPN 客户端创建一个新的 VPN 用户。参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。
|
1. 首先为要分配静态 IP 的每个 VPN 客户端创建一个新的 VPN 用户。参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本,以方便管理 VPN 用户。
|
||||||
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为比如 `rightaddresspool=192.168.43.100-192.168.43.250`。这样可以缩小自动分配的 IP 地址池,从而使更多的 IP 可以作为静态 IP 分配给客户端。
|
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为比如 `rightaddresspool=192.168.43.100-192.168.43.250`。这样可以缩小自动分配的 IP 地址池,从而使更多的 IP 可以作为静态 IP 分配给客户端。
|
||||||
@ -443,6 +444,56 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D
|
|||||||
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### VPN 分流
|
||||||
|
|
||||||
|
在启用 [VPN 分流 (split tunneling)](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling) 时,VPN 客户端将仅通过 VPN 隧道发送特定目标子网的流量。其他流量 **不会** 通过 VPN 隧道。VPN 分流 [有一些局限性](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling),而且并非所有的 VPN 客户端都支持。
|
||||||
|
|
||||||
|
高级用户可以为 <a href="docs/clients-xauth-zh.md" target="_blank">IPsec/XAuth ("Cisco IPsec")</a> 和/或 <a href="docs/ikev2-howto-zh.md" target="_blank">IKEv2</a> 模式启用 VPN 分流。这是可选的。IPsec/L2TP 模式 **不支持** 此功能。
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
IPsec/XAuth ("Cisco IPsec") 模式:启用 VPN 分流 (split tunneling)
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
下面的示例 **仅适用于** IPsec/XAuth ("Cisco IPsec") 模式。这些命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
|
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `conn xauth-psk` 小节中,将 `leftsubnet=0.0.0.0/0` 替换为你想要 VPN 客户端通过 VPN 隧道发送流量的子网。例如:
|
||||||
|
对于单个子网:
|
||||||
|
```
|
||||||
|
leftsubnet=10.123.123.0/24
|
||||||
|
```
|
||||||
|
对于多个子网(使用 `leftsubnets`):
|
||||||
|
```
|
||||||
|
leftsubnets="10.123.123.0/24,10.100.0.0/16"
|
||||||
|
```
|
||||||
|
1. **(重要)** 重启 IPsec 服务:
|
||||||
|
```
|
||||||
|
service ipsec restart
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
IKEv2 模式:启用 VPN 分流 (split tunneling)
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
下面的示例 **仅适用于** IKEv2 模式。这些命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
|
1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节中,将 `leftsubnet=0.0.0.0/0` 替换为你想要 VPN 客户端通过 VPN 隧道发送流量的子网。例如:
|
||||||
|
对于单个子网:
|
||||||
|
```
|
||||||
|
leftsubnet=10.123.123.0/24
|
||||||
|
```
|
||||||
|
对于多个子网(使用 `leftsubnets`):
|
||||||
|
```
|
||||||
|
leftsubnets="10.123.123.0/24,10.100.0.0/16"
|
||||||
|
```
|
||||||
|
1. **(重要)** 重启 IPsec 服务:
|
||||||
|
```
|
||||||
|
service ipsec restart
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
### 访问 VPN 服务器的网段
|
### 访问 VPN 服务器的网段
|
||||||
|
|
||||||
连接到 VPN 后,VPN 客户端通常可以访问与 VPN 服务器位于同一本地子网内的其他设备上运行的服务,而无需进行其他配置。例如,如果 VPN 服务器的本地子网为 `192.168.0.0/24`,并且一个 Nginx 服务器在 IP `192.168.0.2` 上运行,则 VPN 客户端可以使用 IP `192.168.0.2`来访问 Nginx 服务器。
|
连接到 VPN 后,VPN 客户端通常可以访问与 VPN 服务器位于同一本地子网内的其他设备上运行的服务,而无需进行其他配置。例如,如果 VPN 服务器的本地子网为 `192.168.0.0/24`,并且一个 Nginx 服务器在 IP `192.168.0.2` 上运行,则 VPN 客户端可以使用 IP `192.168.0.2`来访问 Nginx 服务器。
|
||||||
|
61
README.md
61
README.md
@ -71,7 +71,7 @@ For other installation options and how to set up VPN clients, read the sections
|
|||||||
|
|
||||||
## Features
|
## Features
|
||||||
|
|
||||||
- **New:** The faster `IPsec/XAuth ("Cisco IPsec")` and `IKEv2` modes are supported
|
- **New:** The faster IPsec/XAuth ("Cisco IPsec") and IKEv2 modes are supported
|
||||||
- **New:** A pre-built <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server" target="_blank">Docker image</a> of the VPN server is now available
|
- **New:** A pre-built <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server" target="_blank">Docker image</a> of the VPN server is now available
|
||||||
- Fully automated IPsec VPN server setup, no user input needed
|
- Fully automated IPsec VPN server setup, no user input needed
|
||||||
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
|
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
|
||||||
@ -96,7 +96,7 @@ A dedicated server or virtual private server (VPS), freshly installed with one o
|
|||||||
|
|
||||||
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://aws.amazon.com/lightsail/" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud/virtual-servers" target="_blank">IBM Cloud</a>, <a href="https://www.ovh.com/world/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
|
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://aws.amazon.com/lightsail/" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="https://www.ibm.com/cloud/virtual-servers" target="_blank">IBM Cloud</a>, <a href="https://www.ovh.com/world/vps/" target="_blank">OVH</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
|
||||||
|
|
||||||
<a href="aws/README.md" target="_blank"><img src="docs/images/aws-deploy-button.png" alt="Deploy to AWS" /></a> <a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://cloud.linode.com/stackscripts/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="aws/README.md" target="_blank"><img src="docs/images/aws-deploy-button.png" alt="Deploy to AWS" /></a> <a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Deploy to DigitalOcean" /></a> <a href="https://cloud.linode.com/stackscripts/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**» I want to run my own VPN but don't have a server for that**</a>
|
<a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#gettingavps" target="_blank">**» I want to run my own VPN but don't have a server for that**</a>
|
||||||
|
|
||||||
@ -338,6 +338,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh
|
|||||||
- [Use alternative DNS servers](#use-alternative-dns-servers)
|
- [Use alternative DNS servers](#use-alternative-dns-servers)
|
||||||
- [DNS name and server IP changes](#dns-name-and-server-ip-changes)
|
- [DNS name and server IP changes](#dns-name-and-server-ip-changes)
|
||||||
- [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic)
|
- [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic)
|
||||||
|
- [Split tunneling](#split-tunneling)
|
||||||
- [Access VPN server's subnet](#access-vpn-servers-subnet)
|
- [Access VPN server's subnet](#access-vpn-servers-subnet)
|
||||||
- [IKEv2 only VPN](#ikev2-only-vpn)
|
- [IKEv2 only VPN](#ikev2-only-vpn)
|
||||||
- [Modify IPTables rules](#modify-iptables-rules)
|
- [Modify IPTables rules](#modify-iptables-rules)
|
||||||
@ -373,14 +374,14 @@ When connecting using <a href="docs/clients-xauth.md" target="_blank">IPsec/XAut
|
|||||||
|
|
||||||
You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic.
|
You may use these internal VPN IPs for communication. However, note that the IPs assigned to VPN clients are dynamic, and firewalls on client devices may block such traffic.
|
||||||
|
|
||||||
For IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, you may optionally assign static IPs to VPN clients. Expand for details. IKEv2 mode does NOT support this feature.
|
For the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, advanced users may optionally assign static IPs to VPN clients. Expand for details. IKEv2 mode does NOT support this feature.
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
IPsec/L2TP mode: Assign static IPs to VPN clients
|
IPsec/L2TP mode: Assign static IPs to VPN clients
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
Advanced users can optionally assign static internal IPs to VPN clients. The example steps below **ONLY** applies to `IPsec/L2TP` mode. Commands must be run as `root`.
|
The example below **ONLY** applies to IPsec/L2TP mode. Commands must be run as `root`.
|
||||||
|
|
||||||
1. First, create a new VPN user for each VPN client that you want to assign a static IP to. Refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
|
1. First, create a new VPN user for each VPN client that you want to assign a static IP to. Refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
|
||||||
1. Edit `/etc/xl2tpd/xl2tpd.conf` on the VPN server. Replace `ip range = 192.168.42.10-192.168.42.250` with e.g. `ip range = 192.168.42.100-192.168.42.250`. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs.
|
1. Edit `/etc/xl2tpd/xl2tpd.conf` on the VPN server. Replace `ip range = 192.168.42.10-192.168.42.250` with e.g. `ip range = 192.168.42.100-192.168.42.250`. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs.
|
||||||
@ -410,7 +411,7 @@ Advanced users can optionally assign static internal IPs to VPN clients. The exa
|
|||||||
IPsec/XAuth ("Cisco IPsec") mode: Assign static IPs to VPN clients
|
IPsec/XAuth ("Cisco IPsec") mode: Assign static IPs to VPN clients
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
Advanced users can optionally assign static internal IPs to VPN clients. The example steps below **ONLY** applies to `IPsec/XAuth ("Cisco IPsec")` mode. Commands must be run as `root`.
|
The example below **ONLY** applies to IPsec/XAuth ("Cisco IPsec") mode. Commands must be run as `root`.
|
||||||
|
|
||||||
1. First, create a new VPN user for each VPN client that you want to assign a static IP to. Refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
|
1. First, create a new VPN user for each VPN client that you want to assign a static IP to. Refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
|
||||||
1. Edit `/etc/ipsec.conf` on the VPN server. Replace `rightaddresspool=192.168.43.10-192.168.43.250` with e.g. `rightaddresspool=192.168.43.100-192.168.43.250`. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs.
|
1. Edit `/etc/ipsec.conf` on the VPN server. Replace `rightaddresspool=192.168.43.10-192.168.43.250` with e.g. `rightaddresspool=192.168.43.100-192.168.43.250`. This reduces the pool of auto-assigned IP addresses, so that more IPs are available to assign to clients as static IPs.
|
||||||
@ -443,6 +444,56 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D
|
|||||||
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Split tunneling
|
||||||
|
|
||||||
|
With [split tunneling](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling), VPN clients will only send traffic for specific destination subnet(s) through the VPN tunnel. Other traffic will NOT go through the VPN tunnel. Split tunneling has [some limitations](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling), and is not supported by all VPN clients.
|
||||||
|
|
||||||
|
Advanced users can optionally enable split tunneling for the <a href="docs/clients-xauth.md" target="_blank">IPsec/XAuth ("Cisco IPsec")</a> and/or <a href="docs/ikev2-howto.md" target="_blank">IKEv2</a> modes. Expand for details. IPsec/L2TP mode does NOT support this feature.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
IPsec/XAuth ("Cisco IPsec") mode: Enable split tunneling
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
The example below **ONLY** applies to IPsec/XAuth ("Cisco IPsec") mode. Commands must be run as `root`.
|
||||||
|
|
||||||
|
1. Edit `/etc/ipsec.conf` on the VPN server. In the section `conn xauth-psk`, replace `leftsubnet=0.0.0.0/0` with the subnet(s) you want VPN clients to send traffic through the VPN tunnel. For example:
|
||||||
|
For a single subnet:
|
||||||
|
```
|
||||||
|
leftsubnet=10.123.123.0/24
|
||||||
|
```
|
||||||
|
For multiple subnets (use `leftsubnets` instead):
|
||||||
|
```
|
||||||
|
leftsubnets="10.123.123.0/24,10.100.0.0/16"
|
||||||
|
```
|
||||||
|
1. **(Important)** Restart the IPsec service:
|
||||||
|
```
|
||||||
|
service ipsec restart
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
IKEv2 mode: Enable split tunneling
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
The example below **ONLY** applies to IKEv2 mode. Commands must be run as `root`.
|
||||||
|
|
||||||
|
1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. In the section `conn ikev2-cp`, replace `leftsubnet=0.0.0.0/0` with the subnet(s) you want VPN clients to send traffic through the VPN tunnel. For example:
|
||||||
|
For a single subnet:
|
||||||
|
```
|
||||||
|
leftsubnet=10.123.123.0/24
|
||||||
|
```
|
||||||
|
For multiple subnets (use `leftsubnets` instead):
|
||||||
|
```
|
||||||
|
leftsubnets="10.123.123.0/24,10.100.0.0/16"
|
||||||
|
```
|
||||||
|
1. **(Important)** Restart the IPsec service:
|
||||||
|
```
|
||||||
|
service ipsec restart
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
### Access VPN server's subnet
|
### Access VPN server's subnet
|
||||||
|
|
||||||
After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server.
|
After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server.
|
||||||
|
@ -216,6 +216,8 @@ Fedora 28(和更新版本)和 CentOS 8/7 用户可以使用 [IPsec/XAuth](cl
|
|||||||
|
|
||||||
## 故障排除
|
## 故障排除
|
||||||
|
|
||||||
|
**另见:** [IKEv2 故障排除](ikev2-howto-zh.md#故障排除),[检查日志及 VPN 状态](#检查日志及-vpn-状态) 和 [高级用法](../README-zh.md#高级用法)。
|
||||||
|
|
||||||
*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
|
*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
|
||||||
|
|
||||||
* [Windows 错误 809](#windows-错误-809)
|
* [Windows 错误 809](#windows-错误-809)
|
||||||
@ -356,7 +358,7 @@ OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但
|
|||||||
|
|
||||||
为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 <a href="https://discussions.apple.com/thread/2333948" target="_blank">故意设计的</a> 并且不能被配置。
|
为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 <a href="https://discussions.apple.com/thread/2333948" target="_blank">故意设计的</a> 并且不能被配置。
|
||||||
|
|
||||||
如果需要 VPN 在设备唤醒后自动重连,你可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>,它支持 <a href="https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/" target="_blank">一些选项</a> 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。
|
如果需要 VPN 在设备唤醒后自动重连,你可以使用 [IKEv2](ikev2-howto-zh.md) 模式连接(推荐)并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>,它支持 <a href="https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/" target="_blank">一些选项</a> 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。
|
||||||
|
|
||||||
Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 <a href="https://support.google.com/android/answer/9089766?hl=zh-Hans" target="_blank">这里</a>。
|
Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 <a href="https://support.google.com/android/answer/9089766?hl=zh-Hans" target="_blank">这里</a>。
|
||||||
|
|
||||||
|
@ -217,6 +217,8 @@ First check <a href="https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuil
|
|||||||
|
|
||||||
*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
|
*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).*
|
||||||
|
|
||||||
|
**See also:** [IKEv2 troubleshooting](ikev2-howto.md#troubleshooting), [check logs and VPN status](#check-logs-and-vpn-status) and [advanced usage](../README.md#advanced-usage).
|
||||||
|
|
||||||
* [Windows error 809](#windows-error-809)
|
* [Windows error 809](#windows-error-809)
|
||||||
* [Windows error 789 or 691](#windows-error-789-or-691)
|
* [Windows error 789 or 691](#windows-error-789-or-691)
|
||||||
* [Windows error 628 or 766](#windows-error-628-or-766)
|
* [Windows error 628 or 766](#windows-error-628-or-766)
|
||||||
@ -355,7 +357,7 @@ In addition, users running macOS Big Sur 11.0 should update to version 11.1 or n
|
|||||||
|
|
||||||
To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is <a href="https://discussions.apple.com/thread/2333948" target="_blank">by design</a> and cannot be configured.
|
To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is <a href="https://discussions.apple.com/thread/2333948" target="_blank">by design</a> and cannot be configured.
|
||||||
|
|
||||||
If you need the VPN to auto-reconnect when the device wakes up, you may connect using [IKEv2](ikev2-howto.md) mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> instead, which <a href="https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/" target="_blank">has support for options</a> such as "Reconnect on Wakeup" and "Seamless Tunnel".
|
If you need the VPN to auto-reconnect when the device wakes up, you may connect using [IKEv2](ikev2-howto.md) mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> instead, which <a href="https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/" target="_blank">has support for options</a> such as "Reconnect on Wakeup" and "Seamless Tunnel".
|
||||||
|
|
||||||
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more <a href="https://support.google.com/android/answer/9089766?hl=en" target="_blank">here</a>.
|
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more <a href="https://support.google.com/android/answer/9089766?hl=en" target="_blank">here</a>.
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).*
|
*其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).*
|
||||||
|
|
||||||
在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要查看或管理 `IPsec/L2TP` 和 `IPsec/XAuth ("Cisco IPsec")` 模式的用户,请阅读本文档。对于 IKEv2,参见 [管理客户端证书](ikev2-howto-zh.md#管理客户端证书)。
|
在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要查看或管理 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式的用户,请阅读本文档。对于 IKEv2,参见 [管理客户端证书](ikev2-howto-zh.md#管理客户端证书)。
|
||||||
|
|
||||||
- [查看或更改 IPsec PSK](#查看或更改-ipsec-psk)
|
- [查看或更改 IPsec PSK](#查看或更改-ipsec-psk)
|
||||||
- [查看 VPN 用户](#查看-vpn-用户)
|
- [查看 VPN 用户](#查看-vpn-用户)
|
||||||
@ -28,9 +28,9 @@ service xl2tpd restart
|
|||||||
|
|
||||||
## 查看 VPN 用户
|
## 查看 VPN 用户
|
||||||
|
|
||||||
在默认情况下,VPN 安装脚本将为 `IPsec/L2TP` 和 `IPsec/XAuth ("Cisco IPsec")` 模式创建相同的用户。
|
在默认情况下,VPN 安装脚本将为 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式创建相同的用户。
|
||||||
|
|
||||||
对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
对于 IPsec/L2TP,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
"用户名1" l2tpd "密码1" *
|
"用户名1" l2tpd "密码1" *
|
||||||
@ -38,7 +38,7 @@ service xl2tpd restart
|
|||||||
... ...
|
... ...
|
||||||
```
|
```
|
||||||
|
|
||||||
对于 `IPsec/XAuth ("Cisco IPsec")`,VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。这个文件中的密码以加盐哈希值的形式保存。更多详情请见 [手动管理 VPN 用户](#手动管理-vpn-用户)。
|
对于 IPsec/XAuth ("Cisco IPsec"),VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。这个文件中的密码以加盐哈希值的形式保存。更多详情请见 [手动管理 VPN 用户](#手动管理-vpn-用户)。
|
||||||
|
|
||||||
## 使用辅助脚本管理 VPN 用户
|
## 使用辅助脚本管理 VPN 用户
|
||||||
|
|
||||||
@ -113,7 +113,7 @@ sh update_vpn_users.sh
|
|||||||
|
|
||||||
## 手动管理 VPN 用户
|
## 手动管理 VPN 用户
|
||||||
|
|
||||||
对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
对于 IPsec/L2TP,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
"用户名1" l2tpd "密码1" *
|
"用户名1" l2tpd "密码1" *
|
||||||
@ -123,7 +123,7 @@ sh update_vpn_users.sh
|
|||||||
|
|
||||||
你可以添加更多用户,每个用户对应文件中的一行。**不要**在值中使用这些字符:`\ " '`
|
你可以添加更多用户,每个用户对应文件中的一行。**不要**在值中使用这些字符:`\ " '`
|
||||||
|
|
||||||
对于 `IPsec/XAuth ("Cisco IPsec")`,VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
|
对于 IPsec/XAuth ("Cisco IPsec"),VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
用户名1:密码1的加盐哈希值:xauth-psk
|
用户名1:密码1的加盐哈希值:xauth-psk
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).*
|
*Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).*
|
||||||
|
|
||||||
By default, a single user account for VPN login is created. If you wish to view or manage users for the `IPsec/L2TP` and `IPsec/XAuth ("Cisco IPsec")` modes, read this document. For IKEv2, see [Manage client certificates](ikev2-howto.md#manage-client-certificates).
|
By default, a single user account for VPN login is created. If you wish to view or manage users for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, read this document. For IKEv2, see [Manage client certificates](ikev2-howto.md#manage-client-certificates).
|
||||||
|
|
||||||
- [View or update the IPsec PSK](#view-or-update-the-ipsec-psk)
|
- [View or update the IPsec PSK](#view-or-update-the-ipsec-psk)
|
||||||
- [View VPN users](#view-vpn-users)
|
- [View VPN users](#view-vpn-users)
|
||||||
@ -28,9 +28,9 @@ service xl2tpd restart
|
|||||||
|
|
||||||
## View VPN users
|
## View VPN users
|
||||||
|
|
||||||
By default, the VPN setup scripts will create the same VPN user for both `IPsec/L2TP` and `IPsec/XAuth ("Cisco IPsec")` modes.
|
By default, the VPN setup scripts will create the same VPN user for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
|
||||||
|
|
||||||
For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
|
For IPsec/L2TP, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
"username1" l2tpd "password1" *
|
"username1" l2tpd "password1" *
|
||||||
@ -38,7 +38,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format
|
|||||||
... ...
|
... ...
|
||||||
```
|
```
|
||||||
|
|
||||||
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. Passwords in this file are salted and hashed. See [Manually manage VPN users](#manually-manage-vpn-users) for more details.
|
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in `/etc/ipsec.d/passwd`. Passwords in this file are salted and hashed. See [Manually manage VPN users](#manually-manage-vpn-users) for more details.
|
||||||
|
|
||||||
## Manage VPN users using helper scripts
|
## Manage VPN users using helper scripts
|
||||||
|
|
||||||
@ -113,7 +113,7 @@ sh update_vpn_users.sh
|
|||||||
|
|
||||||
## Manually manage VPN users
|
## Manually manage VPN users
|
||||||
|
|
||||||
For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
|
For IPsec/L2TP, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
"username1" l2tpd "password1" *
|
"username1" l2tpd "password1" *
|
||||||
@ -123,7 +123,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format
|
|||||||
|
|
||||||
You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`
|
You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`
|
||||||
|
|
||||||
For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
|
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
username1:password1hashed:xauth-psk
|
username1:password1hashed:xauth-psk
|
||||||
|
Loading…
Reference in New Issue
Block a user