Read this in other languages: English, 简体中文. 📝
By default, a single user account for VPN login is created. If you wish to view or manage users for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, read this document. For IKEv2, see Manage client certificates.
- View or update the IPsec PSK
- View VPN users
- Manage VPN users using helper scripts
- Manually manage VPN users
The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. All VPN users will share the same IPsec PSK. The format of this file is:
%any %any : PSK "your_ipsec_pre_shared_key"To change to a new PSK, just edit this file. DO NOT use these special characters within values: \ " '
You must restart services when finished:
service ipsec restart
service xl2tpd restartBy default, the VPN setup scripts will create the same VPN user for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:
"username1" l2tpd "password1" *
"username2" l2tpd "password2" *
... ...For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. Passwords in this file are salted and hashed. See Manually manage VPN users for more details.
You may use these scripts to more easily manage VPN users: add_vpn_user.sh, del_vpn_user.sh and update_vpn_users.sh. They will update users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"). Replace command parameters below with your own values. For IKEv2, see Manage client certificates.
Note: VPN users are stored in /etc/ppp/chap-secrets and /etc/ipsec.d/passwd. The scripts will backup these files before making changes, with .old-date-time suffix.
Add a new VPN user, or update an existing VPN user with a new password.
# Download the script
wget -O add_vpn_user.sh https://bit.ly/addvpnuser
# Run the script and follow the prompts
sudo bash add_vpn_user.shAlternatively, you can run the script with arguments:
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo bash add_vpn_user.sh 'username_to_add' 'password'
# OR
sudo bash add_vpn_user.sh 'username_to_update' 'new_password'Delete the specified VPN user.
# Download the script
wget -O del_vpn_user.sh https://bit.ly/delvpnuser
# Run the script and follow the prompts
sudo bash del_vpn_user.shAlternatively, you can run the script with arguments:
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo bash del_vpn_user.sh 'username_to_delete'Remove all existing VPN users and replace with the list of users you specify.
# Download the script
wget -O update_vpn_users.sh https://bit.ly/updatevpnusersTo use this script, choose one of the following options:
Important: This script will remove ALL existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below.
Option 1: Edit the script and enter VPN user details:
nano -w update_vpn_users.sh
[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS]
sudo bash update_vpn_users.shOption 2: Define VPN user details as environment variables:
# List of VPN usernames and passwords, separated by spaces
# All values MUST be placed inside 'single quotes'
# DO NOT use these special characters within values: \ " '
sudo \
VPN_USERS='username1 username2 ...' \
VPN_PASSWORDS='password1 password2 ...' \
bash update_vpn_users.shFor IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:
"username1" l2tpd "password1" *
"username2" l2tpd "password2" *
... ...You can add more users, use one line for each user. DO NOT use these special characters within values: \ " '
For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:
username1:password1hashed:xauth-psk
username2:password2hashed:xauth-psk
... ...Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:
# The output will be password1hashed
# Put your password inside 'single quotes'
openssl passwd -1 'password1'Copyright (C) 2016-2022 Lin Song
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!
