Update docs
- Add an advanced usage section for customizing VPN subnets.
  Ref: hwdsl2#291
hwdsl2 committed May 9, 2022
1 parent 446a45d commit 9f6ed2e
Showing 4 changed files with 58 additions and 0 deletions.
1 change: 1 addition & 0 deletions README-zh.md
@@ -317,6 +317,7 @@ docker exec -it ipsec-vpn-server ikev2.sh
- [访问 Docker 主机上的其它容器](docs/advanced-usage-zh.md#访问-docker-主机上的其它容器)
- [指定 VPN 服务器的公有 IP](docs/advanced-usage-zh.md#指定-vpn-服务器的公有-ip)
- [为 VPN 客户端指定静态 IP](docs/advanced-usage-zh.md#为-vpn-客户端指定静态-ip)
- [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网)
- [关于 host network 模式](docs/advanced-usage-zh.md#关于-host-network-模式)
- [启用 Libreswan 日志](docs/advanced-usage-zh.md#启用-libreswan-日志)
- [查看服务器状态](docs/advanced-usage-zh.md#查看服务器状态)
1 change: 1 addition & 0 deletions README.md
@@ -318,6 +318,7 @@ See [Advanced usage](docs/advanced-usage.md).
- [Access other containers on the Docker host](docs/advanced-usage.md#access-other-containers-on-the-docker-host)
- [Specify VPN server's public IP](docs/advanced-usage.md#specify-vpn-servers-public-ip)
- [Assign static IPs to VPN clients](docs/advanced-usage.md#assign-static-ips-to-vpn-clients)
- [Customize VPN subnets](docs/advanced-usage.md#customize-vpn-subnets)
- [About host network mode](docs/advanced-usage.md#about-host-network-mode)
- [Enable Libreswan logs](docs/advanced-usage.md#enable-libreswan-logs)
- [Check server status](docs/advanced-usage.md#check-server-status)
28 changes: 28 additions & 0 deletions docs/advanced-usage-zh.md
@@ -8,6 +8,7 @@
- [访问 Docker 主机上的其它容器](#访问-docker-主机上的其它容器)
- [指定 VPN 服务器的公有 IP](#指定-vpn-服务器的公有-ip)
- [为 VPN 客户端指定静态 IP](#为-vpn-客户端指定静态-ip)
- [自定义 VPN 子网](#自定义-vpn-子网)
- [关于 host network 模式](#关于-host-network-模式)
- [启用 Libreswan 日志](#启用-libreswan-日志)
- [查看服务器状态](#查看服务器状态)
@@ -144,6 +145,33 @@ VPN_XAUTH_POOL=192.168.43.100-192.168.43.250

**注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。**不要**在值中使用这些字符: `\ " '`

## 自定义 VPN 子网

默认情况下,IPsec/L2TP VPN 客户端将使用内部 VPN 子网 `192.168.42.0/24`,而 IPsec/XAuth ("Cisco IPsec") 和 IKEv2 VPN 客户端将使用内部 VPN 子网 `192.168.43.0/24`。有关更多详细信息,请阅读上一节。

对于大多数用例,没有必要也 **不建议** 自定义这些子网。但是,如果你的用例需要它,你可以在 `env` 文件中指定自定义子网,然后你必须重新创建 Docker 容器。

```
# 示例:为 IPsec/L2TP 模式指定自定义 VPN 子网
# 注:必须指定所有三个变量。
VPN_L2TP_NET=10.1.0.0/16
VPN_L2TP_LOCAL=10.1.0.1
VPN_L2TP_POOL=10.1.0.10-10.1.254.254
```

```
# 示例:为 IPsec/XAuth 和 IKEv2 模式指定自定义 VPN 子网
# 注:必须指定以下两个变量。
VPN_XAUTH_NET=10.2.0.0/16
VPN_XAUTH_POOL=10.2.0.10-10.2.254.254
```

**注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。

在上面的例子中,`VPN_L2TP_LOCAL` 是在 IPsec/L2TP 模式下的 VPN 服务器的内部 IP。`VPN_L2TP_POOL``VPN_XAUTH_POOL` 是为 VPN 客户端自动分配的 IP 地址池。

请注意,如果你在 `env` 文件中指定了 `VPN_XAUTH_POOL`,并且在 Docker 容器中已经配置了 IKEv2,你 **必须** 在重新创建 Docker 容器之前手动编辑容器内的 `/etc/ipsec.d/ikev2.conf` 并将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为与 `VPN_XAUTH_POOL` **相同的值**。否则 IKEv2 可能会停止工作。

## 关于 host network 模式

高级用户可以使用 [host network 模式](https://docs.docker.com/network/host/) 运行本镜像,通过为 `docker run` 命令添加 `--network=host` 参数来实现。另外,如果 [不启用 privileged 模式运行](#不启用-privileged-模式运行),你可能还需要将 `eth0` 替换为你的 Docker 主机的网络接口名称。
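Review bot: the `**注:**` line added after the two example blocks drops the list of forbidden characters (`\ " '`) that the identical note at the top of this hunk keeps; the new `VPN_L2TP_*` and `VPN_XAUTH_*` values go through the same `env` parsing, so either repeat the full sentence or point back to the earlier note. The examples also never state that `VPN_L2TP_LOCAL` and both `*_POOL` ranges have to fall inside the matching `*_NET` subnet, and that a custom subnet must not overlap the Docker host's own networks or the VPN clients' local LANs; that is the practical reason behind the "不建议" warning, and one sentence saying so would head off the most likely misconfiguration.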
28 changes: 28 additions & 0 deletions docs/advanced-usage.md
@@ -8,6 +8,7 @@
- [Access other containers on the Docker host](#access-other-containers-on-the-docker-host)
- [Specify VPN server's public IP](#specify-vpn-servers-public-ip)
- [Assign static IPs to VPN clients](#assign-static-ips-to-vpn-clients)
- [Customize VPN subnets](#customize-vpn-subnets)
- [About host network mode](#about-host-network-mode)
- [Enable Libreswan logs](#enable-libreswan-logs)
- [Check server status](#check-server-status)
@@ -144,6 +145,33 @@ Note that if you specify `VPN_XAUTH_POOL` in the `env` file, and IKEv2 is already

**Note:** In your `env` file, DO NOT put `""` or `''` around values, or add space around `=`. DO NOT use these special characters within values: `\ " '`.

## Customize VPN subnets

By default, IPsec/L2TP VPN clients will use internal VPN subnet `192.168.42.0/24`, while IPsec/XAuth ("Cisco IPsec") and IKEv2 VPN clients will use internal VPN subnet `192.168.43.0/24`. For more details, read the previous section.

For most use cases, it is NOT necessary and NOT recommended to customize these subnets. If your use case requires it, however, you may specify custom subnet(s) in your `env` file, then you must re-create the Docker container.

```
# Example: Specify custom VPN subnet for IPsec/L2TP mode
# Note: All three variables must be specified.
VPN_L2TP_NET=10.1.0.0/16
VPN_L2TP_LOCAL=10.1.0.1
VPN_L2TP_POOL=10.1.0.10-10.1.254.254
```

```
# Example: Specify custom VPN subnet for IPsec/XAuth and IKEv2 modes
# Note: Both variables must be specified.
VPN_XAUTH_NET=10.2.0.0/16
VPN_XAUTH_POOL=10.2.0.10-10.2.254.254
```

**Note:** In your `env` file, DO NOT put `""` or `''` around values, or add space around `=`.

In the examples above, `VPN_L2TP_LOCAL` is the VPN server's internal IP for IPsec/L2TP mode. `VPN_L2TP_POOL` and `VPN_XAUTH_POOL` are the pools of auto-assigned IP addresses for VPN clients.

Note that if you specify `VPN_XAUTH_POOL` in the `env` file, and IKEv2 is already set up in the Docker container, you **must** manually edit `/etc/ipsec.d/ikev2.conf` inside the container and replace `rightaddresspool=192.168.43.10-192.168.43.250` with the **same value** as `VPN_XAUTH_POOL`, before re-creating the Docker container. Otherwise, IKEv2 may stop working.

## About host network mode

Advanced users can run this image in [host network mode](https://docs.docker.com/network/host/), by adding `--network=host` to the `docker run` command. In addition, if [running without privileged mode](#run-without-privileged-mode), you may also need to replace `eth0` with the network interface name of your Docker host.
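Review bot: the paragraph beginning `Note that if you specify `VPN_XAUTH_POOL`` duplicates the one that already closes the previous section (its opening words are the context shown in this hunk's `@@` header), so a one-line cross-reference would leave a single copy to maintain. That instruction also only works when `/etc/ipsec.d` is on a volume that outlives `docker rm`; an edit made in the container's own writable layer is discarded when the container is re-created, so the section should state that assumption explicitly. Two smaller gaps: the new `**Note:**` after the examples omits the forbidden-character list (`\ " '`) that the earlier `env` note keeps, and nothing says that `VPN_L2TP_LOCAL` and both `*_POOL` ranges must lie inside the matching `*_NET` subnet, nor that the custom subnets must not overlap the Docker host's networks or the clients' local LANs, which is the practical reason behind the "NOT recommended" wording.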