mirror of
https://github.com/hwdsl2/setup-ipsec-vpn.git
synced 2024-06-19 20:26:02 +02:00
Update README.md
This commit is contained in:
hwdsl2
parent
31d3d398b3
commit
3493ab62f4
21
README-zh.md
21
README-zh.md
|
|
@ -5,7 +5,7 @@
|
|||
使用 Linux Shell 脚本一键搭建 IPsec/L2TP VPN 服务器。适用于 Ubuntu 16.04/14.04/12.04,Debian 8 和 CentOS 6/7 系统。
|
||||
你只需提供以下的信息: `IPSEC_PSK` , `VPN_USER` 和 `VPN_PASSWORD` ,然后运行脚本自动完成安装。
|
||||
|
||||
我们将使用 <a href="https://libreswan.org/" target="_blank">Libreswan</a> 作为 IPsec 服务器,以及 <a href="https://www.xelerance.com/services/software/xl2tpd/" target="_blank">xl2tpd</a> 作为 L2TP 提供者。
|
||||
我们将使用 <a href="https://libreswan.org/" target="_blank">Libreswan</a> 作为 IPsec 服务器,以及 <a href="https://github.com/xelerance/xl2tpd" target="_blank">xl2tpd</a> 作为 L2TP 提供者。
|
||||
|
||||
#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">详细的 VPN 教程请参见我的博客文章</a>
|
||||
|
||||
|
|
@ -26,10 +26,9 @@
|
|||
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates HVM</a>
|
||||
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates HVM</a>
|
||||
|
||||
**- 或者 -**
|
||||
**-或者-**
|
||||
|
||||
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),使用以下操作系统:
|
||||
(注: 推荐在一个全新安装的系统上运行这些脚本)
|
||||
一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装:
|
||||
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
|
||||
- Debian 8 (Jessie)
|
||||
- Debian 7 (Wheezy) » 不推荐。必须先运行<a href="https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90" target="_blank">另一个脚本</a>。
|
||||
|
|
@ -76,21 +75,19 @@ sudo sh vpnsetup_centos.sh
|
|||
|
||||
## 重要提示
|
||||
|
||||
**Windows 用户** 在首次连接之前可能需要<a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">更改注册表</a>,以解决 VPN 服务器和客户端与 NAT (比如家用路由器)的兼容问题。另外如果遇到`Error 628`,请打开 VPN 连接属性的<a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/7#issuecomment-210084875" target="_blank">"安全"选项卡</a>,启用 `CHAP` 选项并禁用 `MS-CHAP v2`。
|
||||
**Windows 用户** 在首次连接之前需要<a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">修改一次注册表</a>,以解决 VPN 服务器和客户端与 NAT (比如家用路由器)的兼容问题。另外如果遇到`Error 628`,请打开 VPN 连接属性的<a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/7#issuecomment-210084875" target="_blank">"安全"选项卡</a>,启用 `CHAP` 选项并禁用 `MS-CHAP v2`。
|
||||
|
||||
**Android 6 (Marshmallow) 用户**: 安装完成之后,请编辑文件 `/etc/ipsec.conf` 并在 `ike=` 和 `phase2alg=` 两行的结尾添加 `,aes256-sha2_256` 。另外<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">增加一行</a> `sha2-truncbug=yes` 。每行开头必须空两格。保存修改并运行 `service ipsec restart` 。
|
||||
**Android 6 (Marshmallow) 用户**: 请编辑 `/etc/ipsec.conf` 并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 。另外<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">增加一行</a> `sha2-truncbug=yes` 。每行开头必须空两格。保存修改并运行 `service ipsec restart` 。
|
||||
|
||||
**iPhone/iPad 用户**: 在 iOS 的设置菜单,选择 `L2TP` (而不是 `IPSec`) 作为 VPN 类型。如果无法连接,可编辑 `ipsec.conf` 并尝试用 `rightprotoport=17/0` 替换 `rightprotoport=17/%any` 。保存修改并重启 `ipsec` 服务。
|
||||
**iPhone/iPad 用户**: 在 iOS 的设置菜单请选择 `L2TP` (而不是 `IPSec`) 作为 VPN 类型。
|
||||
|
||||
如果要创建具有不同凭据的多个 VPN 用户,只需<a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">修改这几行的脚本</a>。
|
||||
如果要创建具有不同凭据的多个 VPN 用户,只需要<a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">修改这几行的脚本</a>。
|
||||
|
||||
在 VPN 已连接时,客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。此设置可在 `options.xl2tpd` 文件的 `ms-dns` 项更改。
|
||||
|
||||
仅适用于 Amazon EC2 实例:在<a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">安全组</a>设置中,请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (可选,用于 SSH )。
|
||||
如果服务器配置了自定义 SSH 端口(不是 22)或其他服务,请在运行脚本前编辑 <a href="vpnsetup.sh#L279" target="_blank">IPTables 防火墙规则</a>。
|
||||
|
||||
如果你配置了自定义 SSH 端口(不是 22)或希望允许其他服务,请在运行脚本之前编辑 <a href="vpnsetup.sh#L279" target="_blank">IPTables 防火墙规则</a>。
|
||||
|
||||
这些脚本在更改你现有的配置文件之前,会在同一目录下以 `.old-日期-时间` 为后缀做备份。
|
||||
这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。
|
||||
|
||||
## 关于升级Libreswan
|
||||
|
||||
|
|
|
|||
45
README.md
45
README.md
|
|
@ -4,29 +4,9 @@
|
|||
|
||||
Scripts for automatic configuration of an IPsec/L2TP VPN server on Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7. All you need to do is providing your own values for `IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD`, and let them handle the rest.
|
||||
|
||||
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://www.xelerance.com/services/software/xl2tpd/" target="_blank">xl2tpd</a> as the L2TP provider.
|
||||
We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as the IPsec server, and <a href="https://github.com/xelerance/xl2tpd" target="_blank">xl2tpd</a> as the L2TP provider.
|
||||
|
||||
#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">Link to my VPN tutorial with detailed usage instructions</a>
|
||||
|
||||
## Table of Contents
|
||||
|
||||
- [Author](#author)
|
||||
- [Features](#features)
|
||||
- [Requirements](#requirements)
|
||||
- [Installation](#installation)
|
||||
- [Ubuntu & Debian](#ubuntu--debian)
|
||||
- [CentOS & RHEL](#centos--rhel)
|
||||
- [Next Steps](#next-steps)
|
||||
- [Important Notes](#important-notes)
|
||||
- [Upgrading Libreswan](#upgrading-libreswan)
|
||||
- [Bugs & Questions](#bugs--questions)
|
||||
- [License](#license)
|
||||
|
||||
## Author
|
||||
|
||||
##### Lin Song
|
||||
- Final year U.S. PhD candidate seeking opportunities in the industry.
|
||||
- View my LinkedIn profile and contact me: <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>
|
||||
#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">Link to my VPN tutorial with detailed instructions</a>
|
||||
|
||||
## Features
|
||||
|
||||
|
|
@ -47,8 +27,7 @@ A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2
|
|||
|
||||
**-OR-**
|
||||
|
||||
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), with the following OS:
|
||||
(Note: Starting with a freshly installed system is recommended)
|
||||
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), with freshly installed:
|
||||
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
|
||||
- Debian 8 (Jessie)
|
||||
- Debian 7 (Wheezy) » Not recommended. Requires <a href="https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90" target="_blank">this workaround</a> to work.
|
||||
|
|
@ -97,19 +76,17 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
|
|||
|
||||
For **Windows users**, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router). In case you see `Error 628`, go to <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/7#issuecomment-210084875" target="_blank">the "Security" tab</a> of VPN connection properties, enable `CHAP` and disable `MS-CHAP v2`.
|
||||
|
||||
**Android 6 (Marshmallow) users**: After install, edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to both `ike=` and `phase2alg=`. Then <a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">add a new line</a> `sha2-truncbug=yes`. Indent lines with two spaces. Finally, run `service ipsec restart`.
|
||||
**Android 6 (Marshmallow) users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to both `ike=` and `phase2alg=`. Then <a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">add a new line</a> `sha2-truncbug=yes`. Indent lines with two spaces. Finally, run `service ipsec restart`.
|
||||
|
||||
**iPhone/iPad users**: In iOS settings, choose `L2TP` (instead of `IPSec`) as the VPN type. In case you are unable to connect, edit `ipsec.conf` and replace `rightprotoport=17/%any` with `rightprotoport=17/0`. Then restart `ipsec` service.
|
||||
**iPhone/iPad users**: In iOS settings, choose `L2TP` (instead of `IPSec`) as the VPN type.
|
||||
|
||||
If you wish to create multiple VPN users with different credentials, just <a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">edit a few lines</a> in the scripts.
|
||||
To enable multiple VPN users with different credentials, just <a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">edit a few lines</a> in the scripts.
|
||||
|
||||
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, set `ms-dns` in `options.xl2tpd`.
|
||||
|
||||
For Amazon EC2 instances only: In the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">security group</a>, open UDP ports 500 & 4500 and TCP port 22 (optional, for SSH).
|
||||
For servers with a custom SSH port (not 22) or other services, edit the <a href="vpnsetup.sh#L279" target="_blank">IPTables rules</a> before using.
|
||||
|
||||
If you configured a custom SSH port (not 22) or wish to allow other services, edit <a href="vpnsetup.sh#L279" target="_blank">IPTables rules</a> before using the scripts.
|
||||
|
||||
The scripts will backup your existing config files before making changes, to the same folder with `.old-date-time` suffix.
|
||||
The scripts will backup existing config files before making changes, with `.old-date-time` suffix.
|
||||
|
||||
## Upgrading Libreswan
|
||||
|
||||
|
|
@ -121,6 +98,12 @@ The additional scripts <a href="vpnupgrade_Libreswan.sh" target="_blank">vpnupgr
|
|||
- Ask Libreswan (IPsec) related questions <a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">on the mailing list</a>, or read these wikis: <a href="https://libreswan.org/wiki/Main_Page" target="_blank">[1]</a> <a href="https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server" target="_blank">[2]</a> <a href="https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup" target="_blank">[3]</a> <a href="https://help.ubuntu.com/community/L2TPServer" target="_blank">[4]</a> <a href="https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation" target="_blank">[5]</a>.
|
||||
- If you found a reproducible bug, open a <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues" target="_blank">GitHub Issue</a> to submit a bug report.
|
||||
|
||||
## Author
|
||||
|
||||
##### Lin Song
|
||||
- Final year U.S. PhD candidate seeking opportunities in Software or Systems Engineering.
|
||||
- View my LinkedIn profile and contact me: <a href="https://www.linkedin.com/in/linsongui" target="_blank">www.linkedin.com/in/linsongui</a>
|
||||
|
||||
## License
|
||||
|
||||
Copyright (C) 2014-2016 Lin Song <a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png" width="160" height="25" border="0" alt="View my profile on LinkedIn"></a>
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user