diff --git a/README-zh.md b/README-zh.md
index 4f81c50..406794d 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -51,7 +51,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
- 全自动的 IPsec VPN 服务器配置,无需用户输入
- 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持
- 可直接作为 Amazon EC2 实例创建时的用户数据使用
-- 自动确定服务器的公网 IP 以及私有 IP 地址
- 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能
- 测试通过: Ubuntu 16.04/14.04/12.04, Debian 8 和 CentOS 7/6
diff --git a/README.md b/README.md
index 3b32d3b..aac9934 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,6 @@ For other installation options and how to set up VPN clients, read the sections
- Fully automated IPsec VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
-- Automatically determines public IP and private IP of server
- Includes `sysctl.conf` optimizations for improved performance
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6
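Review bot: dropping the whole "Automatically determines public IP and private IP of server" bullet leaves the feature list silent on IP discovery, although the script still auto-detects the public IP and still honours the `VPN_PUBLIC_IP` override. Suggest keeping a reduced bullet such as `- Automatically determines public IP of server` here, and the equivalent line in the README-zh.md hunk above, so both READMEs describe the behaviour that remains rather than none of it.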
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 79237b0..a1e16c3 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -21,15 +21,12 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。
-1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
+1. 获取服务器的公共 IP 地址,并检查它是否正确。
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
- $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP"
(检查显示的 public IP)
- $ echo "$PRIVATE_IP"
- (检查显示的 private IP)
```
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
@@ -38,7 +35,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
$ cat >> /etc/ipsec.conf <set up your VPN server.
-1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
+1. Find the public IP of your server, and make sure it is correct.
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
- $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP"
(Check the displayed public IP)
- $ echo "$PRIVATE_IP"
- (Check the displayed private IP)
```
1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
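Review bot: the step in both ikev2-howto.md and ikev2-howto-zh.md now depends on a single lookup, `wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com`, over plain HTTP with no fallback and no format check, whereas vpnsetup.sh tries `dig ... myip.opendns.com` first and validates the result with `check_ip`. Because the value feeds the IKEv2 connection added in the next step, an empty or wrong result here silently produces a broken connection definition. Suggest telling the reader what to do when `echo "$PUBLIC_IP"` prints nothing or an unexpected address (set it by hand, e.g. `PUBLIC_IP=<your server public IP>`), and ideally mirroring the script's `dig` fallback.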
@@ -38,7 +35,7 @@ Before continuing, make sure you have successfully "
+%any %any : PSK ""
```
对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下:
diff --git a/docs/manage-users.md b/docs/manage-users.md
index fdb7dc1..daf2793 100644
--- a/docs/manage-users.md
+++ b/docs/manage-users.md
@@ -7,7 +7,7 @@ By default, a single user account for VPN login is created. If you wish to add,
First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file.
```bash
- %any : PSK ""
+%any %any : PSK ""
```
For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
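Review bot: the new `%any %any : PSK ""` line is the two-selector form (local ID, remote ID), so the doc now matches the secrets file the script writes; two details are still missing from the sentence above it. The key is shown as an empty `""`, so say that the actual PSK goes between the quotes, and "just edit this file" is not the whole story: Libreswan has to re-read its secrets (`ipsec auto --rereadsecrets` or a service restart) before the new PSK takes effect, and because this single PSK is shared by every client, rotating it means updating every client as well.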
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 8d10555..0189234 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -133,27 +133,22 @@ print_status "Installing packages required for setup..."
apt-get -yq install wget dnsutils openssl || exiterr2
apt-get -yq install iproute gawk grep sed net-tools || exiterr2
-print_status "Trying to auto discover IPs of this server..."
+print_status "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
-use Ctrl-C to interrupt. Then edit it and manually enter IPs.
+use Ctrl-C to interrupt. Then edit it and manually enter IP.
EOF
-# In case auto IP discovery fails, you may manually enter server IPs here.
-# If your server only has a public IP, put that public IP on both lines.
+# In case auto IP discovery fails, enter this server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
-PRIVATE_IP=${VPN_PRIVATE_IP:-''}
-# Try to auto discover IPs of this server
+# Try to auto discover IP of this server
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
-[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
-# Check IPs for correct format
+# Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs."
-check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
-check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
+check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
print_status "Installing packages required for the VPN..."
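Review bot: with the `PRIVATE_IP` branch gone, `NET_IF0` is no longer referenced in this block (it was only used by the removed `ifconfig "$NET_IF0"` fallback), so check whether it is still needed elsewhere or is now a dead variable; the same applies to `VPN_PRIVATE_IP`, which users may still export and which is now silently ignored, so the removal deserves a line in the changelog. Also note that `check_ip` only validates dotted-quad format, not that the address belongs to this host, and both lookups (OpenDNS, then icanhazip over plain HTTP) are unauthenticated third-party sources; the discovered value should be echoed to the user before it is written into `leftid`, if that is not already done further down. Minor: the heredoc text "manually enter IP" reads better as "manually enter the IP".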
@@ -208,7 +203,7 @@ config setup
uniqueids=no
conn shared
- left=$PRIVATE_IP
+ left=%defaultroute
leftid=$PUBLIC_IP
right=%any
encapsulation=yes
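Review bot: `left=%defaultroute` makes Libreswan derive the local address from the default route, which is what the removed `ip -4 route get 1` detection approximated, so behaviour is unchanged on a single-homed host. On a multi-homed host, or one where the default route is not the interface that should carry IKE, there is now no way to pin the listener address, since the `VPN_PRIVATE_IP` override was removed earlier in this patch; suggest either documenting that constraint or keeping an optional override that sets `left=` explicitly when provided. Keeping `leftid=$PUBLIC_IP` separate is right, as that is what keeps NAT-ed hosts such as EC2 instances working.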
@@ -225,8 +220,6 @@ conn shared
conn l2tp-psk
auto=add
- leftsubnet=$PRIVATE_IP/32
- leftnexthop=%defaultroute
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
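Review bot: removing `leftsubnet=$PRIVATE_IP/32` is consistent with `type=transport`: in transport mode the local endpoint is the host itself, so the explicit /32 became redundant once `left` turned into `%defaultroute`, and `leftnexthop=%defaultroute` was only meaningful while `left` was a fixed address. Worth confirming with a client connect on a NAT-ed host that the L2TP SA still negotiates against the expected endpoint, and a one-line comment in the conn saying why these two lines are absent would save the next reader a `git blame`.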
@@ -254,7 +247,7 @@ EOF
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets </dev/null \
- || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
+ || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
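Review bot: the `-C` probes now look for `MASQUERADE` rules, so on an existing install that was configured with the old `SNAT --to-source "$PRIVATE_IP"` rules the check fails and `ipt_flag=1` is set; the later block inserts the new rules with `-I`, but nothing visible deletes the old SNAT rules, so both sets end up in POSTROUTING and in `$IPT_FILE`. The MASQUERADE rules win because they are inserted at the top, but the stale SNAT rules persist and reference an address that may no longer exist on the host. Suggest deleting the old SNAT rules (or flushing the chain entries the script owns) on upgrade before inserting the new ones.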
@@ -371,8 +364,8 @@ if [ "$ipt_flag" = "1" ]; then
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
iptables -A FORWARD -j DROP
- iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
- iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP"
+ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
+ iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
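Review bot: `MASQUERADE` resolves the source address of `$NET_IFS` per packet, so these rules keep working when the interface address changes (DHCP renewal, instance re-addressing), which a fixed `--to-source "$PRIVATE_IP"` did not; the trade-offs are a small per-packet lookup and that conntrack entries for the interface are dropped when it goes down. That is the right choice for a script that no longer knows the private IP, but a short comment above the two rules stating why MASQUERADE is used would stop a later cleanup from switching back to SNAT. The `-m policy --dir out --pol none` match on the 192.168.43.0/24 rule is unchanged and still restricts NAT to traffic that carries no IPsec policy.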
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 020bbc6..692de36 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -112,27 +112,22 @@ print_status "Installing packages required for setup..."
yum -y install wget bind-utils openssl || exiterr2
yum -y install iproute gawk grep sed net-tools || exiterr2
-print_status "Trying to auto discover IPs of this server..."
+print_status "Trying to auto discover IP of this server..."
cat <<'EOF'
In case the script hangs here for more than a few minutes,
-use Ctrl-C to interrupt. Then edit it and manually enter IPs.
+use Ctrl-C to interrupt. Then edit it and manually enter IP.
EOF
-# In case auto IP discovery fails, you may manually enter server IPs here.
-# If your server only has a public IP, put that public IP on both lines.
+# In case auto IP discovery fails, enter this server's public IP here.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
-PRIVATE_IP=${VPN_PRIVATE_IP:-''}
-# Try to auto discover IPs of this server
+# Try to auto discover IP of this server
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
-[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
-# Check IPs for correct format
+# Check IP for correct format
check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
-check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs."
-check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
-check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs."
+check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it."
print_status "Adding the EPEL repository..."
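Review bot: this block is a line-for-line copy of the same hunk in vpnsetup.sh, as are the ipsec.conf and iptables hunks that follow, so every observation on the Debian/Ubuntu script applies here too: `NET_IF0` and `VPN_PRIVATE_IP` may now be dead, `check_ip` validates format only, the discovered address should be echoed before use, and old SNAT rules are not removed on upgrade. Duplicating the discovery and NAT logic across two scripts is how they drift; suggest moving this block into a shared sourced file, or at least adding a comment in both files pointing at the other so future changes are made in pairs.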
@@ -195,7 +190,7 @@ config setup
uniqueids=no
conn shared
- left=$PRIVATE_IP
+ left=%defaultroute
leftid=$PUBLIC_IP
right=%any
encapsulation=yes
@@ -212,8 +207,6 @@ conn shared
conn l2tp-psk
auto=add
- leftsubnet=$PRIVATE_IP/32
- leftnexthop=%defaultroute
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
@@ -241,7 +234,7 @@ EOF
# Specify IPsec PSK
conf_bk "/etc/ipsec.secrets"
cat > /etc/ipsec.secrets </dev/null \
- || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \
+ || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then
ipt_flag=1
fi
@@ -358,8 +351,8 @@ if [ "$ipt_flag" = "1" ]; then
# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
iptables -A FORWARD -j DROP
- iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
- iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP"
+ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE
+ iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
fi