From 83b0663318fe6d061ea0a1217fbeb17c064b6400 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 22 Nov 2018 16:49:56 -0600 Subject: [PATCH] Add more helper scripts - Create additional helper scripts for managing VPN users - Update docs - Closes: #355 --- README-zh.md | 2 +- README.md | 2 +- docs/manage-users-zh.md | 92 +++++++++++++++---------- docs/manage-users.md | 92 +++++++++++++++---------- extras/add_vpn_user.sh | 136 ++++++++++++++++++++++++++++++++++++ extras/del_vpn_user.sh | 138 +++++++++++++++++++++++++++++++++++++ extras/update_vpn_users.sh | 2 + 7 files changed, 392 insertions(+), 72 deletions(-) create mode 100644 extras/add_vpn_user.sh create mode 100644 extras/del_vpn_user.sh diff --git a/README-zh.md b/README-zh.md index 65b974b..1034672 100644 --- a/README-zh.md +++ b/README-zh.md @@ -149,7 +149,7 @@ sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含一个辅助脚本,以方便更新 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index 5fb9f3b..ef7713a 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. A helper script is included for convenience. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 2096e4a..e329970 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -4,9 +4,63 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。 -**注:** 现在提供一个辅助脚本,以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。 +## 使用辅助脚本 -首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 +你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth (Cisco IPsec) 模式的用户。如果你需要更新 IPsec PSK,请阅读下一节。 + +### 添加或者更新一个 VPN 用户 + +添加一个新 VPN 用户,或者为一个已有的 VPN 用户更新密码。 + +```bash +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' +``` + +### 删除一个 VPN 用户 + +删除指定的 VPN 用户。 + +```bash +wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' +``` + +### 更新所有的 VPN 用户 + +移除所有的 VPN 用户并替换为你指定的列表中的用户。 + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +要使用这个脚本,从以下选项中选择一个: + +**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的列表中的用户。如果你需要保留已有的 VPN 用户,则必须将它们包含在下面的变量中。 + +**选项 1:** 编辑脚本并输入 VPN 用户信息: + +```bash +nano -w update_vpn_users.sh +[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**选项 2:** 将 VPN 用户信息定义为环境变量: + +```bash +# VPN用户名和密码列表,用空格分隔 +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' +sudo \ +VPN_USERS='用户名1 用户名2 ...' \ +VPN_PASSWORDS='密码1 密码2 ...' \ +sh update_vpn_users.sh +``` + +## 手动管理 VPN 用户和 PSK + +首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。完成后必须重启服务(见下面)。所有的 VPN 用户将共享同一个 IPsec PSK。 ```bash %any %any : PSK "你的IPsec预共享密钥" 
@@ -37,41 +91,9 @@ openssl passwd -1 '你的VPN密码1' ``` -最后,如果你更换了新的 PSK,则需要重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 +最后,如果你更换了新的 PSK,则必须重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 ```bash service ipsec restart service xl2tpd restart ``` - -## 辅助脚本 - -你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本: - -```bash -wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh -``` - -要更新 VPN 用户,从以下选项中选择一个: - -**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户,则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。 - -**选项 1:** 编辑脚本并输入 VPN 用户信息: - -```bash -nano -w update_vpn_users.sh -[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] -sudo sh update_vpn_users.sh -``` - -**选项 2:** 将 VPN 用户信息定义为环境变量: - -```bash -# VPN用户名和密码列表,用空格分隔 -# 所有变量值必须用 '单引号' 括起来 -# *不要* 在值中使用这些字符: \ " ' -sudo \ -VPN_USERS='用户名1 用户名2 ...' \ -VPN_PASSWORDS='密码1 密码2 ...' \ -sh update_vpn_users.sh -``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 56289d2..005d02a 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,9 +4,63 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script). +## Using helper scripts -First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. +You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec) modes. For updating the IPsec PSK, read the next section. + +### Add or update a VPN user + +Add a new VPN user or update an existing user with a new password. + +```bash +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' +``` + +### Delete a VPN user + +Delete the specified VPN user. + +```bash +wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' +``` + +### Update all VPN users + +Remove all existing VPN users and replace with the list of users you specify. + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +To use this script, choose one of the following options: + +**Important:** This script will remove **ALL** existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. 
+ +**Option 1:** Edit the script and enter VPN user details: + +```bash +nano -w update_vpn_users.sh +[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**Option 2:** Define VPN user details as environment variables: + +```bash +# List of VPN usernames and passwords, separated by spaces +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' +sudo \ +VPN_USERS='username1 username2 ...' \ +VPN_PASSWORDS='password1 password2 ...' \ +sh update_vpn_users.sh +``` + +## Manually manage VPN users and PSK + +First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. You must restart services when finished (see below). All VPN users will share the same IPsec PSK. ```bash %any %any : PSK "your_ipsec_pre_shared_key" 
@@ -37,41 +91,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t openssl passwd -1 'your_vpn_password_1' ``` -Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required. +Finally, you must restart services if changing to a new PSK. For adding, editing or removing VPN users, this is normally not required. ```bash service ipsec restart service xl2tpd restart ``` - -## Helper script - -You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script: - -```bash -wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh -``` - -To update VPN users, choose one of the following options: - -**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above). - -**Option 1:** Edit the script and enter VPN user details: - -```bash -nano -w update_vpn_users.sh -[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] -sudo sh update_vpn_users.sh -``` - -**Option 2:** Define VPN user details as environment variables: - -```bash -# List of VPN usernames and passwords, separated by spaces -# All values MUST be placed inside 'single quotes' -# DO NOT use these special characters within values: \ " ' -sudo \ -VPN_USERS='username1 username2 ...' \ -VPN_PASSWORDS='password1 password2 ...' \ -sh update_vpn_users.sh -``` diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh new file mode 100644 index 0000000..ca40a5d --- /dev/null +++ b/extras/add_vpn_user.sh 
@@ -0,0 +1,136 @@ +#!/bin/sh +# +# Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec +# +# Copyright (C) 2018 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +add_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before adding VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 +VPN_PASSWORD=$2 + +if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then +cat 1>&2 <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +del_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! 
-f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before deleting VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 + +if [ -z "$VPN_USER" ]; then +cat 1>&2 <&2 <<'EOF' +Error: The specified VPN user does not exist in /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ + || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then +cat 1>&2 <<'EOF' +Error: Cannot delete the only VPN user from /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +clear + +cat <
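Review bot: in the docs hunk at `@@ -4,9 +4,63 @@` (docs/manage-users.md and the same text in docs/manage-users-zh.md), the example `sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'` passes the VPN password as a command-line argument, so it is written to the invoking user's shell history and is visible to every local user in the process list (`ps`) for as long as the script runs. The same applies to Option 2, because `sudo VPN_PASSWORDS='...' sh update_vpn_users.sh` puts the assignment on sudo's own command line. Have add_vpn_user.sh prompt for the password when `$2` is omitted (a `read -r` with terminal echo turned off), or read it from a root-only file, and say in the doc that the positional-argument form is for non-interactive use on a host where no other local users exist. While here: the doc has the reader `wget` each script and immediately run it with `sudo sh`; since this is a file fetched over the network and executed as root, a sentence asking the reader to inspect the script (or compare it against the repository) before running it would fit alongside the existing "Important:" warning.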
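Review bot: in the docs hunk at `@@ -37,41 +91,9 @@` (docs/manage-users.md, and `一般不需重启` in docs/manage-users-zh.md), the reworded sentence `For adding, editing or removing VPN users, this is normally not required.` is correct for new logins but misleading for revocation: CHAP and XAuth credentials are checked only when a session is established, so deleting a user with del_vpn_user.sh or changing a password with add_vpn_user.sh does not disconnect a client that is already connected, and that client keeps its access until the tunnel drops on its own. Add a sentence stating that to cut off a currently connected user you must also restart the services (the `service ipsec restart` / `service xl2tpd restart` block directly below) or otherwise terminate that user's session, since the new helper scripts make "remove a user" look like an immediate revocation.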
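Review bot: in the extras/add_vpn_user.sh hunk, the only validation visible before `$VPN_USER` and `$VPN_PASSWORD` are appended to /etc/ppp/chap-secrets and /etc/ipsec.d/passwd through the heredocs is the emptiness test `if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]`. Unless the part of the hunk that did not survive extraction adds one, the script needs a character check equivalent to the restriction the doc already states for update_vpn_users.sh (`DO NOT use these special characters within values: \ " '`), and it should additionally reject whitespace and `:`: chap-secrets is a whitespace-separated file with quoted fields and ipsec.d/passwd is colon-separated, so a username like `bob:x` or a password containing `"` produces a malformed record that pppd or Libreswan will reject or parse differently from what the admin intended. Two wording nits in the same hunk: `Script to add/update an VPN user` should read `a VPN user`, and `Your must first set up the VPN server` should read `You must first`. Lastly, `conf_bk` leaves a dated copy of /etc/ppp/chap-secrets, which holds CHAP passwords in cleartext, behind on every run; set mode 0600 on the backup explicitly rather than relying on the umask, and mention in the doc that these `.old-<date>` copies accumulate and should be cleaned up.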
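Review bot: in the extras/del_vpn_user.sh hunk, the existence check and the deletion itself are not visible here, only the error text `The specified VPN user does not exist in /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd`; please make sure both match `$VPN_USER` as a fixed, anchored string (for example `grep -F` against the quoted `"$VPN_USER"` field at the start of a chap-secrets line and `^$VPN_USER:` in ipsec.d/passwd, with regex metacharacters escaped if plain `grep` is used), otherwise deleting `bob` can match or remove `bobby`, and a username containing `.` or `*` matches unrelated lines. The last-user guard `grep -c -v -e '^#' -e '^[[:space:]]*$' ... = "1"` counts lines rather than distinct users, which holds for files written by these scripts but not if an admin added duplicate entries by hand; a one-line comment stating that assumption would help the next reader. Same typo as in add_vpn_user.sh: `Your must first set up the VPN server` should read `You must first`. The `clear` issued before the summary also wipes whatever the admin had on screen, including output from an earlier failed attempt; consider dropping it.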