From d56472d15e906502acaf450dc55446e72f12ce9c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 24 Feb 2024 14:44:36 -0600 Subject: [PATCH] Update docs - Add instructions for enabling split tunneling on Windows. Thanks @userofjack for contributing the steps in #1530. - Minor updates to IKEv1 troubleshooting section. --- docs/advanced-usage-zh.md | 28 +++++++++++++++++++++++++--- docs/advanced-usage.md | 28 +++++++++++++++++++++++++--- docs/clients-zh.md | 6 ++++-- docs/clients.md | 6 ++++-- 4 files changed, 58 insertions(+), 10 deletions(-) diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index 3be5b48..ebae5f7 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md @@ -283,9 +283,9 @@ iptables -t nat -A PREROUTING -i "$netif" ! -s 192.168.43.0/24 -p udp --dport 12 在启用 VPN 分流 (split tunneling) 时,VPN 客户端将仅通过 VPN 隧道发送特定目标子网的流量。其他流量 **不会** 通过 VPN 隧道。VPN 分流有一些局限性,而且并非所有的 VPN 客户端都支持。 -高级用户可以为 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 和/或 [IKEv2](ikev2-howto-zh.md) 模式启用 VPN 分流。这是可选的。IPsec/L2TP 模式 **不支持** 此功能。 +高级用户可以为 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 和/或 [IKEv2](ikev2-howto-zh.md) 模式启用 VPN 分流。这是可选的。IPsec/L2TP 模式不支持此功能(Windows 除外,见下文)。 -
+
IPsec/XAuth ("Cisco IPsec") 模式:启用 VPN 分流 (split tunneling) @@ -302,7 +302,7 @@ IPsec/XAuth ("Cisco IPsec") 模式:启用 VPN 分流 (split tunneling) ```
-
+
IKEv2 模式:启用 VPN 分流 (split tunneling) @@ -321,6 +321,28 @@ IKEv2 模式:启用 VPN 分流 (split tunneling) **注:** 高级用户可以为特定的 IKEv2 客户端设置不同的 VPN 分流配置。请参见 [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) 部分并展开 "IKEv2 模式:为 VPN 客户端分配静态 IP"。在该部分中的示例的基础上,你可以将 `leftsubnet=...` 选项添加到特定 IKEv2 客户端的 `conn` 小节,然后重启 IPsec 服务。
+另外,Windows 用户也可以通过手动添加路由的方式启用 VPN 分流: + +1. 右键单击系统托盘中的无线/网络图标。 +1. **Windows 11:** 选择 **网络和 Internet 设置**,然后在打开的页面中单击 **高级网络设置**。单击 **更多网络适配器选项**。 + **Windows 10:** 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。单击左侧的 **更改适配器设置**。 + **Windows 8/7:** 选择 **打开网络和共享中心**。单击左侧的 **更改适配器设置**。 +1. 右键单击新的 VPN 连接,并选择 **属性**。 +1. 单击 **网络** 选项卡,选择 **Internet Protocol Version 4 (TCP/IPv4)**,然后单击 **属性**。 +1. 单击 **高级**,然后取消选中 **在远程网络上使用默认网关**。 +1. 单击 **确定** 以关闭 **属性** 对话框。 +1. **(重要)** 断开 VPN 连接,然后重新连接。 +1. 假设你想要 VPN 客户端通过 VPN 隧道发送流量的子网是 `10.123.123.0/24`。打开[提升权限命令提示符](http://www.cnblogs.com/xxcanghai/p/4610054.html)并运行以下命令。 + 对于 IKEv2 和 IPsec/XAuth ("Cisco IPsec") 模式: + ``` + route add -p 10.123.123.0 mask 255.255.255.0 192.168.43.1 + ``` + 对于 IPsec/L2TP 模式: + ``` + route add -p 10.123.123.0 mask 255.255.255.0 192.168.42.1 + ``` +1. 完成后,VPN 客户端将通过 VPN 隧道仅发送指定子网的流量。其他流量将绕过 VPN。 + ## 访问 VPN 服务器的网段 连接到 VPN 后,VPN 客户端通常可以访问与 VPN 服务器位于同一本地子网内的其他设备上运行的服务,而无需进行其他配置。例如,如果 VPN 服务器的本地子网为 `192.168.0.0/24`,并且一个 Nginx 服务器在 IP `192.168.0.2` 上运行,则 VPN 客户端可以使用 IP `192.168.0.2`来访问 Nginx 服务器。 diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 9983528..83c94d4 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md 
@@ -283,9 +283,9 @@ If you want the rules to persist after reboot, you may add these commands to `/e With split tunneling, VPN clients will only send traffic for a specific destination subnet through the VPN tunnel. Other traffic will NOT go through the VPN tunnel. Split tunneling has some limitations, and is not supported by all VPN clients. -Advanced users can optionally enable split tunneling for the [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) and/or [IKEv2](ikev2-howto.md) modes. Expand for details. IPsec/L2TP mode does NOT support this feature. +Advanced users can optionally enable split tunneling for the [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) and/or [IKEv2](ikev2-howto.md) modes. IPsec/L2TP mode does not support this feature (except on Windows, see below). -
+
IPsec/XAuth ("Cisco IPsec") mode: Enable split tunneling @@ -302,7 +302,7 @@ The example below **ONLY** applies to IPsec/XAuth ("Cisco IPsec") mode. Commands ```
-
+
IKEv2 mode: Enable split tunneling @@ -321,6 +321,28 @@ The example below **ONLY** applies to IKEv2 mode. Commands must be run as `root` **Note:** Advanced users can set a different split tunneling configuration for specific IKEv2 client(s). Refer to section [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) and expand "IKEv2 mode: Assign static IPs to VPN clients". Based on the example in that section, you may add the `leftsubnet=...` option to the `conn` section of the specific IKEv2 client, then restart the IPsec service.
+Alternatively, Windows users can enable split tunneling by manually adding routes: + +1. Right-click on the wireless/network icon in your system tray. +1. **Windows 11:** Select **Network and Internet settings**, then on the page that opens, click **Advanced network settings**. Click **More network adapter options**. + **Windows 10:** Select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. On the left, click **Change adapter settings**. + **Windows 8/7:** Select **Open Network and Sharing Center**. On the left, click **Change adapter settings**. +1. Right-click on the new VPN connection, and choose **Properties**. +1. Click the **Network** tab. Select **Internet Protocol Version 4 (TCP/IPv4)**, then click **Properties**. +1. Click **Advanced**. Uncheck **Use default gateway on remote network**. +1. Click **OK** to close the **Properties** window. +1. **(Important)** Disconnect the VPN, then re-connect. +1. Assume that the subnet you want VPN clients to send traffic through the VPN tunnel is `10.123.123.0/24`. Open an [elevated command prompt](http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/) and run the following commands: + For IKEv2 and IPsec/XAuth ("Cisco IPsec") modes: + ``` + route add -p 10.123.123.0 mask 255.255.255.0 192.168.43.1 + ``` + For IPsec/L2TP mode: + ``` + route add -p 10.123.123.0 mask 255.255.255.0 192.168.42.1 + ``` +1. When finished, VPN clients will send traffic through the VPN tunnel for the specified subnet only. Other traffic will bypass the VPN. + ## Access VPN server's subnet After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server. 
diff --git a/docs/clients-zh.md b/docs/clients-zh.md index a65393d..77bcc1f 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -562,8 +562,10 @@ ipsec trafficstatus 要解决这些错误,请按以下步骤操作: 1. 右键单击系统托盘中的无线/网络图标。 -1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. **Windows 11:** 选择 **网络和 Internet 设置**,然后在打开的页面中单击 **高级网络设置**。单击 **更多网络适配器选项**。 + **Windows 10:** 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。单击左侧的 **更改适配器设置**。 + **Windows 8/7:** 选择 **打开网络和共享中心**。单击左侧的 **更改适配器设置**。 +1. 右键单击新的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 1. 单击 **高级设置** 按钮。 diff --git a/docs/clients.md b/docs/clients.md index 9f9b206..314ad43 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -560,8 +560,10 @@ For error 789, click [here](https://documentation.meraki.com/MX/Client_VPN/Troub To fix these errors, please follow these steps: 1. Right-click on the wireless/network icon in your system tray. -1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. +1. **Windows 11:** Select **Network and Internet settings**, then on the page that opens, click **Advanced network settings**. Click **More network adapter options**. + **Windows 10:** Select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. On the left, click **Change adapter settings**. + **Windows 8/7:** Select **Open Network and Sharing Center**. On the left, click **Change adapter settings**. +1. Right-click on the new VPN connection, and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. 1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. 1. Click the **Advanced settings** button.
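Review bot: the removed line in this hunk qualified the **Open Network & Internet settings** path with "Windows 10 version 1709 or newer", and the replacement **Windows 10:** line drops that qualifier; readers on Windows 10 builds before 1709, who per the removed text still see **Open Network and Sharing Center**, now have no line that matches their menu, so either keep the version note or point them at the **Windows 8/7** line. Also, these three navigation lines are now duplicated verbatim in docs/advanced-usage.md by this same patch; consider keeping them in one place (or cross-linking) so a future UI change is not fixed in only one of the two files.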
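Review bot: the docs/advanced-usage-zh.md hunk (the one adding the Windows 手动添加路由 steps) carries the same gaps as its English counterpart: the `192.168.43.1` and `192.168.42.1` gateways assume the default internal VPN subnets and should be called out as such for readers who customized them, and the persistent `route add -p` has no matching removal instruction. Whatever wording is chosen for docs/advanced-usage.md should be mirrored here so the two language versions do not drift.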
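Review bot: the docs/clients-zh.md hunk drops the "Windows 10 版本 1709 或以上" qualifier from the removed line, just as the English hunk does, so the same fix applies: keep the version note on the **Windows 10:** line or direct pre-1709 readers to the **Windows 8/7:** line, and keep the wording in step with docs/clients.md.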