From 1834b792eba104efe4d19b5ddde3d3f6d1253ad2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 8 May 2022 23:04:55 -0500 Subject: [PATCH] Update docs - Add an advanced usage section for customizing VPN subnets. --- README-zh.md | 1 + README.md | 1 + docs/advanced-usage-zh.md | 34 ++++++++++++++++++++++++++++++++++ docs/advanced-usage.md | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) diff --git a/README-zh.md b/README-zh.md index 3c35fa6..1720793 100644 --- a/README-zh.md +++ b/README-zh.md @@ -252,6 +252,7 @@ curl -fsSL https://get.vpnsetup.net/upg -o vpnup.sh && sudo sh vpnup.sh - [域名和更改服务器 IP](docs/advanced-usage-zh.md#域名和更改服务器-ip) - [仅限 IKEv2 的 VPN](docs/advanced-usage-zh.md#仅限-ikev2-的-vpn) - [VPN 内网 IP 和流量](docs/advanced-usage-zh.md#vpn-内网-ip-和流量) +- [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网) - [转发端口到 VPN 客户端](docs/advanced-usage-zh.md#转发端口到-vpn-客户端) - [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) - [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) diff --git a/README.md b/README.md index 11fe0fb..8d17f8e 100644 --- a/README.md +++ b/README.md @@ -252,6 +252,7 @@ See [Advanced usage](docs/advanced-usage.md). - [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes) - [IKEv2-only VPN](docs/advanced-usage.md#ikev2-only-vpn) - [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic) +- [Customize VPN subnets](docs/advanced-usage.md#customize-vpn-subnets) - [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients) - [Split tunneling](docs/advanced-usage.md#split-tunneling) - [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index c89e62d..89e90ec 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md 
@@ -6,6 +6,7 @@ * [域名和更改服务器 IP](#域名和更改服务器-ip) * [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) * [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) +* [自定义 VPN 子网](#自定义-vpn-子网) * [转发端口到 VPN 客户端](#转发端口到-vpn-客户端) * [VPN 分流](#vpn-分流) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) @@ -188,6 +189,39 @@ iptables -I FORWARD 4 -i ppp+ -d 192.168.43.0/24 -j DROP iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP ``` +## 自定义 VPN 子网 + +默认情况下,IPsec/L2TP VPN 客户端将使用内部 VPN 子网 `192.168.42.0/24`,而 IPsec/XAuth ("Cisco IPsec") 和 IKEv2 VPN 客户端将使用内部 VPN 子网 `192.168.43.0/24`。有关更多详细信息,请阅读上一节。 + +对于大多数用例,没有必要也 **不建议** 自定义这些子网。但是,如果你的用例需要它,你可以在安装 VPN 时指定自定义子网。 + +**重要:** 你只能在 **初始 VPN 安装时** 指定自定义子网。如果 IPsec VPN 已安装,你 **必须** 首先 [卸载 VPN](uninstall-zh.md),然后指定自定义子网并重新安装。否则,VPN 可能会停止工作。 + +
+ +首先,请阅读上面的重要说明。然后点这里查看示例。 + + +``` +# 示例:为 IPsec/L2TP 模式指定自定义 VPN 子网 +# 注:必须指定所有三个变量。 +sudo VPN_L2TP_NET=10.1.0.0/16 \ +VPN_L2TP_LOCAL=10.1.0.1 \ +VPN_L2TP_POOL=10.1.0.10-10.1.254.254 \ +sh vpn.sh +``` + +``` +# 示例:为 IPsec/XAuth 和 IKEv2 模式指定自定义 VPN 子网 +# 注:必须指定以下两个变量。 +sudo VPN_XAUTH_NET=10.2.0.0/16 \ +VPN_XAUTH_POOL=10.2.0.10-10.2.254.254 \ +sh vpn.sh +``` + +在上面的例子中,`VPN_L2TP_LOCAL` 是在 IPsec/L2TP 模式下的 VPN 服务器的内网 IP。`VPN_L2TP_POOL` 和 `VPN_XAUTH_POOL` 是为 VPN 客户端自动分配的 IP 地址池。 +
+ ## 转发端口到 VPN 客户端 在某些情况下,你可能想要将 VPN 服务器上的端口转发到一个已连接的 VPN 客户端。这可以通过在 VPN 服务器上添加 IPTables 规则来实现。 diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 6f70472..8c0f186 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -6,6 +6,7 @@ * [DNS name and server IP changes](#dns-name-and-server-ip-changes) * [IKEv2-only VPN](#ikev2-only-vpn) * [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) +* [Customize VPN subnets](#customize-vpn-subnets) * [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients) * [Split tunneling](#split-tunneling) * [Access VPN server's subnet](#access-vpn-servers-subnet) @@ -188,6 +189,39 @@ iptables -I FORWARD 4 -i ppp+ -d 192.168.43.0/24 -j DROP iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP ``` +## Customize VPN subnets + +By default, IPsec/L2TP VPN clients will use internal VPN subnet `192.168.42.0/24`, while IPsec/XAuth ("Cisco IPsec") and IKEv2 VPN clients will use internal VPN subnet `192.168.43.0/24`. For more details, read the previous section. + +For most use cases, it is NOT necessary and NOT recommended to customize these subnets. If your use case requires it, however, you may specify custom subnet(s) when installing the VPN. + +**Important:** You may only specify custom subnets **during initial VPN install**. If the IPsec VPN is already installed, you **must** first [uninstall the VPN](uninstall.md), then specify custom subnets and re-install. Otherwise, the VPN may stop working. + +
+ +First, read the important note above. Then click here for examples. + + +``` +# Example: Specify custom VPN subnet for IPsec/L2TP mode +# Note: All three variables must be specified. +sudo VPN_L2TP_NET=10.1.0.0/16 \ +VPN_L2TP_LOCAL=10.1.0.1 \ +VPN_L2TP_POOL=10.1.0.10-10.1.254.254 \ +sh vpn.sh +``` + +``` +# Example: Specify custom VPN subnet for IPsec/XAuth and IKEv2 modes +# Note: Both variables must be specified. +sudo VPN_XAUTH_NET=10.2.0.0/16 \ +VPN_XAUTH_POOL=10.2.0.10-10.2.254.254 \ +sh vpn.sh +``` + +In the examples above, `VPN_L2TP_LOCAL` is the VPN server's internal IP for IPsec/L2TP mode. `VPN_L2TP_POOL` and `VPN_XAUTH_POOL` are the pools of auto-assigned IP addresses for VPN clients. +
+ ## Port forwarding to VPN clients In certain circumstances, you may want to forward port(s) on the VPN server to a connected VPN client. This can be done by adding IPTables rules on the VPN server.
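Review bot: the new "Customize VPN subnets" section in docs/advanced-usage.md (hunk `@@ -188,6 +189,39 @@`) states that customizing is "NOT recommended" and that a post-install change means "the VPN may stop working", but gives no reason for either, and the constraints the examples silently obey are never written down. The unchanged context lines right above the hunk show the main hazard: the preceding section's firewall examples hardcode the default ranges (`iptables -I FORWARD 4 -i ppp+ -d 192.168.43.0/24 -j DROP` and `iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP`), so a reader who customizes subnets and then copies rules from other sections ends up with rules that no longer match their clients. Suggest adding one sentence saying that any rules or configuration taken from other sections must use the custom ranges in place of `192.168.42.0/24` and `192.168.43.0/24`, and another stating the constraints the examples follow but the text does not: `VPN_L2TP_LOCAL` and `VPN_L2TP_POOL` must lie inside `VPN_L2TP_NET` (likewise `VPN_XAUTH_POOL` inside `VPN_XAUTH_NET`), the local address must not fall inside the pool, and the chosen ranges must not overlap the server's own LAN or the clients' local networks, since an overlap breaks routing quietly rather than failing at install time. Two smaller gaps in the same hunk: the prose documents `VPN_L2TP_LOCAL` but says nothing about which internal server address is used for IPsec/XAuth and IKEv2 when only `VPN_XAUTH_NET` and `VPN_XAUTH_POOL` are given, and "All three variables must be specified" / "Both variables must be specified" does not say whether `vpn.sh` rejects a partial set or falls back to defaults for the missing ones. Style: both fenced blocks are untagged (```); ```bash would give highlighting consistent with shell examples.

Review bot: the Chinese counterpart in docs/advanced-usage-zh.md (hunk `@@ -188,6 +189,39 @@`) mirrors the English section line for line, so the same documentation gaps apply: no reason given for "不建议" or "VPN 可能会停止工作", no statement that `VPN_L2TP_LOCAL` and the pools must sit inside the corresponding `_NET` range with the local address outside the pool, no mention that the hardcoded `192.168.43.0/24` rules shown in the context lines above must be adapted, and no description of the server's internal address in XAuth/IKEv2 mode. Whatever wording is added to the English section should be added here in the same commit so the two documents do not drift; the two untagged ``` fences could likewise become ```bash.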