Marown/setup-ipsec-vpn
1
0
Fork 0
mirror of https://github.com/hwdsl2/setup-ipsec-vpn.git synced 2024-09-21 00:00:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update important notes

Browse Source
This commit is contained in:
hwdsl2 2016-01-14 23:27:34 -06:00
parent 21629ae178
commit 7cfe17f1a2
3 changed files with 30 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -82,12 +82,14 @@ You may use `vpnupgrade_Libreswan.sh` (for Ubuntu/Debian) and `vpnupgrade_Libres
## Important Notes
For **Windows users**, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">one-time registry change</a> is required for connections to a VPN server behind NAT (e.g. Amazon EC2).
**Android 6.0 users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to the end of both `ike=` and `phase2alg=`, then add a new line `sha2-truncbug=yes`. Start lines with two spaces. When finished, run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">Source</a>)
To support multiple VPN users with different credentials, just <a href="https://gist.github.com/hwdsl2/123b886f29f4c689f531" target="_blank">edit a few lines</a> in the scripts.
For **Windows users**, a <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809" target="_blank">one-time registry change</a> is required if the VPN server and/or client is behind NAT (e.g. home router).
**Android 6.0 users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to the end of both `ike=` and `phase2alg=`, then add a new line `sha2-truncbug=yes`. Must start lines with two spaces. Finally, run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">Ref</a>)
**iPhone/iOS users**: In iOS settings, choose `L2TP` (instead of `IPSec`) for the VPN type. In case you're unable to connect, try replacing this line in /etc/ipsec.conf: `rightprotoport=17/%any` with `rightprotoport=17/0`. Then restart `ipsec` service.
Clients are configured to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`.
If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500** (for the VPN), and **TCP port 22** (optional, for SSH).
@ -96,8 +98,6 @@ If your server uses a custom SSH port (not 22), or if you wish to allow other se
The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix.
iPhone/iOS users: If unable to connect, try replacing `rightprotoport=17/%any` in `ipsec.conf` with `rightprotoport=17/0`.
## Copyright and license
Copyright (C) 2014&nbsp;Lin Song&nbsp;&nbsp;&nbsp;<a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_bluetxt_80x15.png" width="80" height="15" border="0" alt="View my profile on LinkedIn"></a>

25
vpnsetup.sh
View File

@ -46,21 +46,23 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
# For **Windows users**, a one-time registry change is required for connections
# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For **Windows users**, a one-time registry change is required if the VPN server
# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of both
# "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Start lines with two spaces.
# When finished, run "service ipsec restart". Source:
# https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
# two spaces. Finally, run "service ipsec restart".
# To support multiple VPN users with different credentials, see:
# https://gist.github.com/hwdsl2/123b886f29f4c689f531
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
# Clients are configured to use Google Public DNS when the VPN connection is active.
# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
@ -71,9 +73,6 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
# before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; }
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; }

25
vpnsetup_centos.sh
View File

@ -55,21 +55,23 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
# For **Windows users**, a one-time registry change is required for connections
# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
# To support multiple VPN users with different credentials, just edit a few lines below.
# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
# For **Windows users**, a one-time registry change is required if the VPN server
# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of both
# "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Start lines with two spaces.
# When finished, run "service ipsec restart". Source:
# https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow
# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
# two spaces. Finally, run "service ipsec restart".
# To support multiple VPN users with different credentials, see:
# https://gist.github.com/hwdsl2/123b886f29f4c689f531
# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
# Clients are configured to use Google Public DNS when the VPN connection is active.
# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
@ -80,9 +82,6 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
# before overwriting them. Backups can be found under the same folder with .old suffix.
# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
# "rightprotoport=17/%any" with "rightprotoport=17/0".
# Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; }
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; }