1
0
mirror of synced 2024-11-25 22:36:04 +03:00
setup-ipsec-vpn/docs/manage-users.md
hwdsl2 da7697a5b0 Cleanup
- Update scripts to use bash instead of sh
- Update docs
2021-08-27 23:35:31 -05:00

5.2 KiB

Manage VPN Users

Read this in other languages: English, 简体中文.

By default, a single user account for VPN login is created. If you wish to view or manage users for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, read this document. For IKEv2, see Manage client certificates.

View or update the IPsec PSK

The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. All VPN users will share the same IPsec PSK. The format of this file is:

%any  %any  : PSK "your_ipsec_pre_shared_key"

To change to a new PSK, just edit this file. DO NOT use these special characters within values: \ " '

You must restart services when finished:

service ipsec restart
service xl2tpd restart

View VPN users

By default, the VPN setup scripts will create the same VPN user for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.

For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:

"username1"  l2tpd  "password1"  *
"username2"  l2tpd  "password2"  *
... ...

For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. Passwords in this file are salted and hashed. See Manually manage VPN users for more details.

Manage VPN users using helper scripts

You may use these scripts to more easily manage VPN users: add_vpn_user.sh, del_vpn_user.sh and update_vpn_users.sh. They will update users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"). Replace command parameters below with your own values. For IKEv2, see Manage client certificates.

Note: VPN users are stored in /etc/ppp/chap-secrets and /etc/ipsec.d/passwd. The scripts will backup these files before making changes, with .old-date-time suffix.

Add or edit a VPN user

Add a new VPN user, or update an existing VPN user with a new password.

# Download the script
wget -O add_vpn_user.sh https://bit.ly/addvpnuser
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo bash add_vpn_user.sh 'username_to_add' 'password'
# OR
sudo bash add_vpn_user.sh 'username_to_update' 'new_password'

Delete a VPN user

Delete the specified VPN user.

# Download the script
wget -O del_vpn_user.sh https://bit.ly/delvpnuser
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo bash del_vpn_user.sh 'username_to_delete'

Update all VPN users

Remove all existing VPN users and replace with the list of users you specify.

# Download the script
wget -O update_vpn_users.sh https://bit.ly/updatevpnusers

To use this script, choose one of the following options:

Important: This script will remove ALL existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below.

Option 1: Edit the script and enter VPN user details:

nano -w update_vpn_users.sh
[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS]
sudo bash update_vpn_users.sh

Option 2: Define VPN user details as environment variables:

# List of VPN usernames and passwords, separated by spaces
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo \
VPN_USERS='username1 username2 ...' \
VPN_PASSWORDS='password1 password2 ...' \
bash update_vpn_users.sh

Manually manage VPN users

For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:

"username1"  l2tpd  "password1"  *
"username2"  l2tpd  "password2"  *
... ...

You can add more users, use one line for each user. DO NOT use these special characters within values: \ " '

For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:

username1:password1hashed:xauth-psk
username2:password2hashed:xauth-psk
... ...

Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:

# The output will be password1hashed
# Put your password inside 'single quotes'
openssl passwd -1 'password1'

License

Copyright (C) 2016-2021 Lin Song View my profile on LinkedIn

Creative Commons License
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!