Add instructions to manage VPN users

README-zh.md

@@ -20,6 +20,7 @@
   - [CentOS & RHEL](#centos--rhel)
 - [下一步](#下一步)
 - [重要提示](#重要提示)
+- [管理 VPN 用户](#管理-vpn-用户)
 - [关于升级Libreswan](#关于升级libreswan)
 - [问题和反馈](#问题和反馈)
 - [另见](#另见)
@@ -108,14 +109,54 @@ sudo sh vpnsetup_centos.sh
 
 **Android 6 (Marshmallow) 用户** 请参考此文档中的注释： <a href="docs/clients-zh.md#android" target="_blank">配置 IPsec/L2TP VPN 客户端</a>。
 
-如果要创建具有不同凭据的多个 VPN 用户，只需要<a href="docs/enable-multiple-users.txt" target="_blank">修改这几行的脚本</a>。
-
 在 VPN 已连接时，客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。此设置可通过编辑文件 `options.xl2tpd` 和 `ipsec.conf` 来更改。
 
 如果服务器配置了自定义 SSH 端口（不是 22）或其他服务，请在运行脚本前编辑 <a href="vpnsetup.sh#L336" target="_blank">IPTables 防火墙规则</a>。
 
 这些脚本在更改现有的配置文件之前会先做备份，使用 `.old-日期-时间` 为文件名后缀。
 
+## 管理 VPN 用户
+
+在默认情况下，将只创建一个用于 VPN 登录的用户账户。如果你需要添加，编辑或者删除用户，请阅读本节。
+
+首先，IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK，可以编辑此文件。
+
+```bash
+<VPN Server IP>  %any  : PSK "<VPN IPsec PSK>"
+```
+
+对于 `IPsec/L2TP`，VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下：
+
+```bash
+"<VPN User 1>"  l2tpd  "<VPN Password 1>"  *
+"<VPN User 2>"  l2tpd  "<VPN Password 2>"  *
+... ...
+```
+
+你可以添加更多用户，每个用户对应文件中的一行。**不要**在用户名和密码中使用这些字符：`\ "`
+
+对于 `IPsec/XAuth ("Cisco IPsec")`， VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下：
+
+```bash
+<VPN User 1>:<VPN Password 1 (hashed)>:xauth-psk
+<VPN User 2>:<VPN Password 2 (hashed)>:xauth-psk
+... ...
+```
+
+这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成：
+
+```bash
+# The output will be <VPN Password 1 (hashed)>
+openssl passwd -1 "<VPN Password 1>"
+```
+
+在完成修改之后，你必须重新启动相关服务：
+
+```bash
+service ipsec restart
+service xl2tpd restart
+```
+
 ## 关于升级Libreswan
 
 提供两个额外的脚本 <a href="extras/vpnupgrade_Libreswan.sh" target="_blank">vpnupgrade_Libreswan.sh</a> 和 <a href="extras/vpnupgrade_Libreswan_centos.sh" target="_blank">vpnupgrade_Libreswan_centos.sh</a> ，可用于升级 Libreswan。请关注<a href="https://libreswan.org" target="_blank">官方网站</a>，并在运行前根据需要更新 `swan_ver` 变量。

README.md

@@ -20,6 +20,7 @@ We will use <a href="https://libreswan.org/" target="_blank">Libreswan</a> as th
   - [CentOS & RHEL](#centos--rhel)
 - [Next Steps](#next-steps)
 - [Important Notes](#important-notes)
+- [Manage VPN Users](#manage-vpn-users)
 - [Upgrading Libreswan](#upgrading-libreswan)
 - [Bugs & Questions](#bugs--questions)
 - [See Also](#see-also)
@@ -108,14 +109,54 @@ For **Windows users**, a <a href="docs/clients.md#regkey" target="_blank">one-ti
 
 **Android 6 (Marshmallow) users**： Please see notes in <a href="docs/clients.md#android" target="_blank">Configure IPsec/L2TP VPN Clients</a>.
 
-To create multiple VPN users with different credentials, just <a href="docs/enable-multiple-users.txt" target="_blank">edit a few lines</a> in the scripts.
-
 Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. To change, edit `options.xl2tpd` and `ipsec.conf`.
 
 For servers with a custom SSH port (not 22) or other services, edit the <a href="vpnsetup.sh#L336" target="_blank">IPTables rules</a> before using.
 
 The scripts will backup existing config files before making changes, with `.old-date-time` suffix.
 
+## Manage VPN Users
+
+By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this section.
+
+First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. 
+
+```bash
+<VPN Server IP>  %any  : PSK "<VPN IPsec PSK>"
+```
+
+For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is:
+
+```bash
+"<VPN User 1>"  l2tpd  "<VPN Password 1>"  *
+"<VPN User 2>"  l2tpd  "<VPN Password 2>"  *
+... ...
+```
+
+You can add more users, use one line for each user. DO NOT use the characters `\` and `"` inside username or password.
+
+For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is:
+
+```bash
+<VPN User 1>:<VPN Password 1 (hashed)>:xauth-psk
+<VPN User 2>:<VPN Password 2 (hashed)>:xauth-psk
+... ...
+```
+
+Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility:
+
+```bash
+# The output will be <VPN Password 1 (hashed)>
+openssl passwd -1 "<VPN Password 1>"
+```
+
+When finished, you must restart services with:
+
+```bash
+service ipsec restart
+service xl2tpd restart
+```
+
 ## Upgrading Libreswan
 
 The additional scripts <a href="extras/vpnupgrade_Libreswan.sh" target="_blank">vpnupgrade_Libreswan.sh</a> and <a href="extras/vpnupgrade_Libreswan_centos.sh" target="_blank">vpnupgrade_Libreswan_centos.sh</a> can be used to upgrade Libreswan. Check the <a href="https://libreswan.org" target="_blank">official website</a> and update the `swan_ver` variable as necessary.

docs/enable-multiple-users.txt

@@ -1,26 +0,0 @@
-To create multiple VPN users with different credentials for IPsec/L2TP,
- find and replace these lines in the script:
-
-cat > /etc/ppp/chap-secrets <<EOF
-# Secrets for authentication using CHAP
-# client server secret IP addresses
-"$VPN_USER" l2tpd "$VPN_PASSWORD" *
-EOF
-
-with the following:
-
-cat > /etc/ppp/chap-secrets <<EOF
-"user1"  l2tpd  "password1"  *
-"user2"  l2tpd  "password2"  *
-EOF
-
------------------
- IMPORTANT NOTES
------------------
-1. Make sure there is NO SPACE after both EOF above!
-2. This example shows user1 with password1, and user2 with password2.
-   You can add more users, use one line for each user.
-3. The characters \ and " within your username/password (if present)
-   MUST be escaped as \\ and \", respectively.
-4. To create multiple VPN users for IPsec/XAuth, add more lines to file
-   "/etc/ipsec.d/passwd". Refer to the VPN script for correct format.