
Added VPN_ANDROID_MTU_FIX=yes, but Android 11 devices connected via L2TP/IPsec PSK can still only ping external hosts and cannot access websites #426

Closed · 6 tasks done · ENEN-YIN opened this issue Apr 24, 2024 · 2 comments

Comments

@ENEN-YIN

Task list

Problem description
On Android 11 devices, both IPsec XAuth PSK and L2TP/IPsec PSK can connect. Before adding VPN_ANDROID_MTU_FIX=yes, both modes could only ping external hosts and could not access websites;
after adding VPN_ANDROID_MTU_FIX=yes, IPsec XAuth PSK can access websites normally, but L2TP/IPsec PSK can still only ping external hosts and cannot access websites.

Steps to reproduce
Steps to reproduce the bug:

1. Docker env file vpn.env

VPN_IPSEC_PSK=password
VPN_USER=testuser
VPN_PASSWORD=testpassword
VPN_ADDL_USERS=usera
VPN_ADDL_PASSWORDS=apassword
VPN_ENABLE_MODP1024=yes
VPN_ANDROID_MTU_FIX=yes

2. Shell command

sudo docker run \
    --name ipsec-vpn-server \
    --env-file ./vpn.env \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v ./lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server

Expected correct result
After connecting via L2TP/IPsec PSK, websites can be accessed normally.

Logs
Enable logging, check the VPN status, and add error logs to help explain the problem (if applicable).

Server information (please fill in the following)

  • Docker host OS: Armbian_24.5.0_rockchip_dg3399_jammy_6.1.87_server 6.1.87-ophub
  • Service provider (if applicable): [e.g. GCP, AWS]

Client information (please fill in the following)

  • Device: Redmi K30 Pro / Xiaomi Pad 5 Pro
  • OS: MIUI 12.5.7 (Android 11) / MIUI 13.0.10 (Android 11)
  • VPN mode: IPsec/L2TP

Additional information
Add any other information about the bug.

@hwdsl2 (Owner)

hwdsl2 commented Apr 24, 2024

@ENEN-YIN Hello! Thank you for the detailed bug report. The VPN_ANDROID_MTU_FIX=yes solution has its limitations; it mainly applies to the IPsec/XAuth ("Cisco IPsec") and IKEv2 modes. For IPsec/L2TP mode there is currently no good solution to this problem. You can edit /opt/src/run.sh inside the container and try adjusting the mtu and mru values (currently 1280), then restart the container for the change to take effect. This method does not necessarily work, but you can give it a try.

See:

case $VPN_ANDROID_MTU_FIX in
  [yY][eE][sS])
    echo
    echo "Applying fix for Android MTU/MSS issues..."
    # Clamp the TCP MSS of SYN packets that cross the IPsec policy, in both directions
    iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \
      -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
      -j TCPMSS --set-mss 1360
    iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \
      -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
      -j TCPMSS --set-mss 1360
    # Disable path MTU discovery on the host
    echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
    ;;
esac

mtu 1280
mru 1280
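To make the relationship between the numbers in the snippet above explicit, here is an added dry-run script (not code from the hwdsl2 project) that derives the MSS for a given tunnel MTU and renders the same two mangle rules plus the PPP mtu/mru lines. It assumes IPv4 (20-byte IP + 20-byte TCP header) and prints the commands instead of applying them, so it runs without root; the function names are the example's own.

```shell
#!/bin/sh
# Added example: derive an MSS clamp from a tunnel MTU and render the rules
# quoted from run.sh in dry-run form. Assumes IPv4/TCP without options
# (40 bytes of headers) and does not touch iptables itself.

# Largest MSS that fits a given path MTU for IPv4/TCP.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Render the two TCPMSS rules for a target MSS. The match range starts at
# target+1, so only SYNs advertising a *larger* MSS are rewritten; a client
# that already advertises a smaller MSS is left alone. The policy match only
# sees packets that were ESP-decapsulated (--dir in) or that hit an IPsec
# policy on the way out (--dir out); traffic forwarded from a ppp interface in
# L2TP mode is not ESP-decapsulated itself, which is the likely reason the
# owner notes this fix does not help IPsec/L2TP.
clamp_rules() {
    mss=$1
    upper=${2:-1536}
    lo=$(( mss + 1 ))
    for dir in in out; do
        printf 'iptables -t mangle -A FORWARD -m policy --pol ipsec --dir %s -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %s:%s -j TCPMSS --set-mss %s\n' \
            "$dir" "$lo" "$upper" "$mss"
    done
}

# PPP option lines (the mtu/mru values the owner suggests tuning for L2TP).
ppp_mtu_options() {
    printf 'mtu %s\nmru %s\n' "$1" "$1"
}

# Dry run with the page's values: an MSS of 1360 corresponds to an MTU of 1400,
# while the PPP link is kept at 1280.
clamp_rules "$(mss_for_mtu 1400)"
ppp_mtu_options 1280
```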

@hwdsl2 hwdsl2 closed this as completed Apr 24, 2024
@ENEN-YIN (Author)

OK, thanks for the explanation.
