From 80295518c6ef89593fbeb8f3d39188410f10dcb4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 21 May 2016 19:23:41 -0500 Subject: [PATCH] Add instructions to manage VPN users --- README-zh.md | 45 ++++++++++++++++++++++++++++++++-- README.md | 45 ++++++++++++++++++++++++++++++++-- docs/enable-multiple-users.txt | 26 -------------------- 3 files changed, 86 insertions(+), 30 deletions(-) delete mode 100644 docs/enable-multiple-users.txt diff --git a/README-zh.md b/README-zh.md index b4fd6ab..1a842ce 100644 --- a/README-zh.md +++ b/README-zh.md @@ -20,6 +20,7 @@ - [CentOS & RHEL](#centos--rhel) - [下一步](#下一步) - [重要提示](#重要提示) +- [管理 VPN 用户](#管理-vpn-用户) - [关于升级Libreswan](#关于升级libreswan) - [问题和反馈](#问题和反馈) - [另见](#另见) @@ -108,14 +109,54 @@ sudo sh vpnsetup_centos.sh **Android 6 (Marshmallow) 用户** 请参考此文档中的注释: 配置 IPsec/L2TP VPN 客户端。 -如果要创建具有不同凭据的多个 VPN 用户,只需要修改这几行的脚本。 - 在 VPN 已连接时,客户端配置为使用 Google Public DNS。此设置可通过编辑文件 `options.xl2tpd` 和 `ipsec.conf` 来更改。 如果服务器配置了自定义 SSH 端口(不是 22)或其他服务,请在运行脚本前编辑 IPTables 防火墙规则。 这些脚本在更改现有的配置文件之前会先做备份,使用 `.old-日期-时间` 为文件名后缀。 +## 管理 VPN 用户 + +在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,编辑或者删除用户,请阅读本节。 + +首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 + +```bash + %any : PSK "" +``` + +对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: + +```bash +"" l2tpd "" * +"" l2tpd "" * +... ... +``` + +你可以添加更多用户,每个用户对应文件中的一行。**不要**在用户名和密码中使用这些字符:`\ "` + +对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: + +```bash +::xauth-psk +::xauth-psk +... ... +``` + +这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成: + +```bash +# The output will be +openssl passwd -1 "" +``` + +在完成修改之后,你必须重新启动相关服务: + +```bash +service ipsec restart +service xl2tpd restart +``` + ## 关于升级Libreswan 提供两个额外的脚本 vpnupgrade_Libreswan.shvpnupgrade_Libreswan_centos.sh ,可用于升级 Libreswan。请关注官方网站,并在运行前根据需要更新 `swan_ver` 变量。 diff --git a/README.md b/README.md index 0e60ffc..e56588a 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ We will use Libreswan as th - [CentOS & RHEL](#centos--rhel) - [Next Steps](#next-steps) - [Important Notes](#important-notes) +- [Manage VPN Users](#manage-vpn-users) - [Upgrading Libreswan](#upgrading-libreswan) - [Bugs & Questions](#bugs--questions) - [See Also](#see-also) @@ -108,14 +109,54 @@ For **Windows users**, a one-ti **Android 6 (Marshmallow) users**: Please see notes in Configure IPsec/L2TP VPN Clients. -To create multiple VPN users with different credentials, just edit a few lines in the scripts. - Clients are set to use Google Public DNS when the VPN is active. To change, edit `options.xl2tpd` and `ipsec.conf`. For servers with a custom SSH port (not 22) or other services, edit the IPTables rules before using. The scripts will backup existing config files before making changes, with `.old-date-time` suffix. +## Manage VPN Users + +By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this section. + +First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. + +```bash + %any : PSK "" +``` + +For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: + +```bash +"" l2tpd "" * +"" l2tpd "" * +... ... +``` + +You can add more users, use one line for each user. DO NOT use the characters `\` and `"` inside username or password. + +For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: + +```bash +::xauth-psk +::xauth-psk +... ... +``` + +Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility: + +```bash +# The output will be +openssl passwd -1 "" +``` + +When finished, you must restart services with: + +```bash +service ipsec restart +service xl2tpd restart +``` + ## Upgrading Libreswan The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to upgrade Libreswan. Check the official website and update the `swan_ver` variable as necessary. diff --git a/docs/enable-multiple-users.txt b/docs/enable-multiple-users.txt deleted file mode 100644 index 518823a..0000000 --- a/docs/enable-multiple-users.txt +++ /dev/null @@ -1,26 +0,0 @@ -To create multiple VPN users with different credentials for IPsec/L2TP, - find and replace these lines in the script: - -cat > /etc/ppp/chap-secrets < /etc/ppp/chap-secrets <