Add helper script

- Create a helper script for updating VPN users
- Update docs

README-zh.md

@@ -113,7 +113,8 @@ sudo sh vpnsetup.sh
 wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
 VPN_IPSEC_PSK='你的IPsec预共享密钥' \
 VPN_USER='你的VPN用户名' \
-VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
+VPN_PASSWORD='你的VPN密码' \
+sh vpnsetup.sh
 ```
 
 **注：** 如果无法通过 `wget` 下载，你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>)，然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选， `Ctrl-C` 复制，然后粘贴到你喜欢的编辑器。
@@ -148,7 +149,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
 
 对于有外部防火墙的服务器（比如 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>），请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。
 
-如果需要添加，修改或者删除 VPN 用户账户，请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。
+如果需要添加，修改或者删除 VPN 用户账户，请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含一个辅助脚本，以方便更新 VPN 用户。
 
 在 VPN 已连接时，客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务，请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。
 

README.md

@@ -113,7 +113,8 @@ sudo sh vpnsetup.sh
 wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \
 VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
 VPN_USER='your_vpn_username' \
-VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
+VPN_PASSWORD='your_vpn_password' \
+sh vpnsetup.sh
 ```
 
 **Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
@@ -148,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP
 
 For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_blank">EC2</a>/<a href="https://cloud.google.com/vpc/docs/firewalls" target="_blank">GCE</a>), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433).
 
-If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>.
+If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. A helper script is included for convenience.
 
 Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
 

docs/manage-users-zh.md

@@ -4,13 +4,15 @@
 
 在默认情况下，将只创建一个用于 VPN 登录的用户账户。如果你需要添加，更改或者删除用户，请阅读本文档。
 
+**注：** 现在提供一个辅助脚本，以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。
+
 首先，IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK，可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。
 
 ```bash
 %any  %any  : PSK "你的IPsec预共享密钥"
 ```
 
-对于 `IPsec/L2TP`，VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下：
+对于 `IPsec/L2TP`，VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下：
 
 ```bash
 "你的VPN用户名1"  l2tpd  "你的VPN密码1"  *
@@ -20,7 +22,7 @@
 
 你可以添加更多用户，每个用户对应文件中的一行。**不要** 在用户名，密码或 PSK 中使用这些字符：`\ " '`
 
-对于 `IPsec/XAuth ("Cisco IPsec")`， VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下：
+对于 `IPsec/XAuth ("Cisco IPsec")`， VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下：
 
 ```bash
 你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk
@@ -41,3 +43,35 @@ openssl passwd -1 '你的VPN密码1'
 service ipsec restart
 service xl2tpd restart
 ```
+
+## 辅助脚本
+
+你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本：
+
+```bash
+wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh
+```
+
+要更新 VPN 用户，从以下选项中选择一个：
+
+**重要：** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户，则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。
+
+**选项 1:** 编辑脚本并输入 VPN 用户信息：
+
+```bash
+nano -w update_vpn_users.sh
+[替换为你自己的值： YOUR_USERNAMES 和 YOUR_PASSWORDS]
+sudo sh update_vpn_users.sh
+```
+
+**选项 2:** 将 VPN 用户信息定义为环境变量：
+
+```bash
+# VPN用户名和密码列表，用空格分隔
+# 所有变量值必须用 '单引号' 括起来
+# *不要* 在值中使用这些字符：  \ " '
+sudo \
+VPN_USERS='用户名1 用户名2 ...' \
+VPN_PASSWORDS='密码1 密码2 ...' \
+sh update_vpn_users.sh
+```

docs/manage-users.md

@@ -4,6 +4,8 @@
 
 By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document.
 
+**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script).
+
 First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK.
 
 ```bash
@@ -41,3 +43,35 @@ Finally, restart services if you changed to a new PSK. For add, edit or remove V
 service ipsec restart
 service xl2tpd restart
 ```
+
+## Helper script
+
+You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script:
+
+```bash
+wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh
+```
+
+To update VPN users, choose one of the following options:
+
+**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above).
+
+**Option 1:** Edit the script and enter VPN user details:
+
+```bash
+nano -w update_vpn_users.sh
+[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS]
+sudo sh update_vpn_users.sh
+```
+
+**Option 2:** Define VPN user details as environment variables:
+
+```bash
+# List of VPN usernames and passwords, separated by spaces
+# All values MUST be placed inside 'single quotes'
+# DO NOT use these special characters within values: \ " '
+sudo \
+VPN_USERS='username1 username2 ...' \
+VPN_PASSWORDS='password1 password2 ...' \
+sh update_vpn_users.sh
+```

extras/update_vpn_users.sh

@@ -0,0 +1,174 @@
+#!/bin/sh
+#
+# Script to update VPN users for both IPsec/L2TP and Cisco IPsec
+#
+# Copyright (C) 2018 Lin Song <linsongui@gmail.com>
+#
+# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
+# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
+#
+# Attribution required: please include my name in any derivative and let me
+# know how you have improved it!
+
+# =====================================================
+
+# Define your own values for these variables
+# - List of VPN usernames and passwords, separated by spaces
+# - All values MUST be placed inside 'single quotes'
+# - DO NOT use these special characters within values: \ " '
+
+YOUR_USERNAMES=''
+YOUR_PASSWORDS=''
+
+# Example:
+# YOUR_USERNAMES='username1 username2'
+# YOUR_PASSWORDS='password1 password2'
+
+# =====================================================
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+SYS_DT="$(date +%F-%T)"
+
+exiterr()  { echo "Error: $1" >&2; exit 1; }
+conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
+onespace() { printf '%s' "$1" | tr -s ' '; }
+noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; }
+noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
+
+update_vpn_users() {
+
+if [ "$(id -u)" != 0 ]; then
+  exiterr "Script must be run as root. Try 'sudo sh $0'"
+fi
+
+if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
+cat 1>&2 <<'EOF'
+Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist!
+       Your must first set up the VPN server before updating VPN users.
+       See: https://github.com/hwdsl2/setup-ipsec-vpn
+EOF
+  exit 1
+fi
+
+if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
+cat 1>&2 <<'EOF'
+Error: This script can only be used with VPN servers created using:
+       https://github.com/hwdsl2/setup-ipsec-vpn
+EOF
+  exit 1
+fi
+
+[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES"
+[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS"
+
+if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then
+  exiterr "All VPN credentials must be specified. Edit the script and re-enter them."
+fi
+
+VPN_USERS="$(noquotes "$VPN_USERS")"
+VPN_USERS="$(onespace "$VPN_USERS")"
+VPN_USERS="$(noquotes2 "$VPN_USERS")"
+VPN_PASSWORDS="$(noquotes "$VPN_PASSWORDS")"
+VPN_PASSWORDS="$(onespace "$VPN_PASSWORDS")"
+VPN_PASSWORDS="$(noquotes2 "$VPN_PASSWORDS")"
+
+if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then
+  exiterr "VPN credentials must not contain non-ASCII characters."
+fi
+
+case "$VPN_USERS $VPN_PASSWORDS" in
+  *[\\\"\']*)
+    exiterr "VPN credentials must not contain these special characters: \\ \" '"
+    ;;
+esac
+
+clear
+
+cat <<'EOF'
+
+Welcome! This script will update VPN user accounts
+for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec).
+
+WARNING: ALL existing VPN users will be removed
+  and replaced with the users listed below.
+  Please double check before continuing!
+
+==================================================
+
+Updated list of VPN users (username | password):
+
+EOF
+
+count=1
+vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
+vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
+while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
+cat <<EOF
+$vpn_user | $vpn_password
+EOF
+  count=$((count+1))
+  vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
+  vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
+done
+
+cat <<'EOF'
+
+==================================================
+
+EOF
+
+printf "Do you wish to continue? [y/N] "
+read -r response
+case $response in
+  [yY][eE][sS]|[yY])
+    echo
+    echo "Updating VPN users..."
+    echo
+    ;;
+  *)
+    echo
+    echo "Aborting. No changes were made."
+    echo
+    exit 1
+    ;;
+esac
+
+# Backup and remove config files
+conf_bk "/etc/ppp/chap-secrets"
+conf_bk "/etc/ipsec.d/passwd"
+/bin/rm -f /etc/ppp/chap-secrets /etc/ipsec.d/passwd
+
+# Update VPN users
+count=1
+vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1)
+vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1)
+while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do
+  vpn_password_enc=$(openssl passwd -1 "$vpn_password")
+cat >> /etc/ppp/chap-secrets <<EOF
+"$vpn_user" l2tpd "$vpn_password" *
+EOF
+cat >> /etc/ipsec.d/passwd <<EOF
+$vpn_user:$vpn_password_enc:xauth-psk
+EOF
+  count=$((count+1))
+  vpn_user=$(printf '%s' "$VPN_USERS" | cut -s -d ' ' -f "$count")
+  vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -s -d ' ' -f "$count")
+done
+
+# Update file attributes
+chmod 600 /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
+
+cat <<'EOF'
+Done!
+
+NOTE: All VPN users will share the same IPsec PSK.
+  If you forgot the PSK, check /etc/ipsec.secrets.
+
+EOF
+
+}
+
+## Defer until we have the complete script
+update_vpn_users "$@"
+
+exit 0