forked from hwdsl2/setup-ipsec-vpn
-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathadd_vpn_user.sh
executable file
·130 lines (98 loc) · 3.11 KB
/
add_vpn_user.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/bash
#
# Script to add/update a VPN user for both IPsec/L2TP and Cisco IPsec
#
# Copyright (C) 2018-2021 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
add_vpn_user() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before adding VPN users.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
command -v openssl >/dev/null 2>&1 || exiterr "'openssl' not found. Abort."
VPN_USER=$1
VPN_PASSWORD=$2
if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
cat 1>&2 <<EOF
Usage: sudo bash $0 'username_to_add' 'password'
sudo bash $0 'username_to_update' 'new_password'
EOF
exit 1
fi
if printf '%s' "$VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then
exiterr "VPN credentials must not contain non-ASCII characters."
fi
case "$VPN_USER $VPN_PASSWORD" in
*[\\\"\']*)
exiterr "VPN credentials must not contain these special characters: \\ \" '"
;;
esac
cat <<EOF
Welcome! Use this script to add or update a VPN user account for both
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
If the username you specified already exists, it will be updated
with the new password. Otherwise, a new VPN user will be added.
Please double check before continuing!
================================================
VPN user to add or update:
Username: $VPN_USER
Password: $VPN_PASSWORD
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================
EOF
printf "Do you want to continue? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
echo "Adding or updating VPN user..."
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
# Backup config files
conf_bk "/etc/ppp/chap-secrets"
conf_bk "/etc/ipsec.d/passwd"
# Add or update VPN user
sed -i "/^\"$VPN_USER\" /d" /etc/ppp/chap-secrets
cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
# shellcheck disable=SC2016
sed -i '/^'"$VPN_USER"':\$1\$/d' /etc/ipsec.d/passwd
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
# Update file attributes
chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
cat <<'EOF'
Done!
Note: All VPN users will share the same IPsec PSK.
If you forgot the PSK, check /etc/ipsec.secrets.
EOF
}
## Defer until we have the complete script
add_vpn_user "$@"
exit 0