Read this in other languages: English, 简体中文.
By default, a single user account for VPN login is created. If you wish to view or manage users for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, read this document. For IKEv2, see Manage client certificates.
- View or update the IPsec PSK
- View VPN users
- Manage VPN users using helper scripts
- Manually manage VPN users
The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets
. All VPN users will share the same IPsec PSK. The format of this file is:
%any %any : PSK "your_ipsec_pre_shared_key"
To change to a new PSK, just edit this file. DO NOT use these special characters within values: \ " '
You must restart services when finished:
service ipsec restart
service xl2tpd restart
By default, the VPN setup scripts will create the same VPN user for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets
. The format of this file is:
"username1" l2tpd "password1" *
"username2" l2tpd "password2" *
... ...
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd
. Passwords in this file are salted and hashed. See Manually manage VPN users for more details.
You may use these scripts to more easily manage VPN users: add_vpn_user.sh, del_vpn_user.sh and update_vpn_users.sh. They will update users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"). Replace command parameters below with your own values. For IKEv2, see Manage client certificates.
Note: VPN users are stored in /etc/ppp/chap-secrets
and /etc/ipsec.d/passwd
. The scripts will backup these files before making changes, with .old-date-time
suffix.
Add a new VPN user, or update an existing VPN user with a new password.
# Download the script
wget -O add_vpn_user.sh https://bit.ly/addvpnuser
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo sh add_vpn_user.sh 'username_to_add' 'password'
# OR
sudo sh add_vpn_user.sh 'username_to_update' 'new_password'
Delete the specified VPN user.
# Download the script
wget -O del_vpn_user.sh https://bit.ly/delvpnuser
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo sh del_vpn_user.sh 'username_to_delete'
Remove all existing VPN users and replace with the list of users you specify.
# Download the script
wget -O update_vpn_users.sh https://bit.ly/updatevpnusers
To use this script, choose one of the following options:
Important: This script will remove ALL existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below.
Option 1: Edit the script and enter VPN user details:
nano -w update_vpn_users.sh
[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS]
sudo sh update_vpn_users.sh
Option 2: Define VPN user details as environment variables:
# List of VPN usernames and passwords, separated by spaces
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo \
VPN_USERS='username1 username2 ...' \
VPN_PASSWORDS='password1 password2 ...' \
sh update_vpn_users.sh
For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets
. The format of this file is:
"username1" l2tpd "password1" *
"username2" l2tpd "password2" *
... ...
You can add more users, use one line for each user. DO NOT use these special characters within values: \ " '
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd
. The format of this file is:
username1:password1hashed:xauth-psk
username2:password2hashed:xauth-psk
... ...
Passwords in this file are salted and hashed. This step can be done using e.g. the openssl
utility:
# The output will be password1hashed
# Put your password inside 'single quotes'
openssl passwd -1 'password1'
Copyright (C) 2016-2021 Lin Song
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!