wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-05 22:54:01 +02:00
Code Issues Projects Releases Wiki Activity

Enhance PS1 script (#510)

Browse source 
update docs

Update README.md

update readme
This commit is contained in:
Jack Ivanov 2017-05-23 17:31:53 +02:00 committed by Dan Guido
parent e6c8f19d3c
commit 0131505195
3 changed files with 51 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
README.md
View file

@ -102,31 +102,16 @@ No version of Android supports IKEv2. Install the [strongSwan VPN Client for And
### Windows
Windows clients have a more complicated setup than most others. Follow the steps below to set one up:
#### Scripted installation
1. Copy the CA certificate (`cacert.pem`), user certificate (`$user.p12`), and the user PowerShell script (`windows_$user.ps1`) to the client computer.
2. Import the CA certificate to the local machine Trusted Root certificate store.
3. Open PowerShell as Administrator. Navigate to your copied files.
4. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run.
```powershell
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
Copy your powershell script `windows_{username}.ps1` and p12 certificate `{username}.p12` to the Windows machine and run the following command as Administrator to configure the VPN connection.
```
powershell -ExecutionPolicy ByPass -File windows_{username}.ps1 Add
```
5. In the same PowerShell window, run the included PowerShell script to import the user certificate, set up a VPN connection, and activate stronger ciphers on it.
6. After you execute the user script, set the Execution Policy back before you close the PowerShell window.
#### Manual installation
```powershell
Set-ExecutionPolicy Restricted -Scope CurrentUser
```
Your VPN is now installed and ready to use.
If you want to perform these steps by hand, you will need to import the user certificate to the Personal certificate store, add an IKEv2 connection in the network settings, then activate stronger ciphers on it via the following PowerShell script:
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256
```
See the [Windows setup instructions](/docs/client-windows.md) for more a more detailed walkthrough.
### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)

27
docs/client-windows.md Normal file
View file

@ -0,0 +1,27 @@
# Windows client manual setup
Windows clients have a more complicated setup than most others. Follow the steps below to set one up:
1. Copy the CA certificate (`cacert.pem`), user certificate (`$user.p12`), and the user PowerShell script (`windows_$user.ps1`) to the client computer.
2. Import the CA certificate to the local machine Trusted Root certificate store.
3. Open PowerShell as Administrator. Navigate to your copied files.
4. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run.
```powershell
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
```
5. In the same PowerShell window, run the included PowerShell script to import the user certificate, set up a VPN connection, and activate stronger ciphers on it.
6. After you execute the user script, set the Execution Policy back before you close the PowerShell window.
```powershell
Set-ExecutionPolicy Restricted -Scope CurrentUser
```
Your VPN is now installed and ready to use.
If you want to perform these steps by hand, you will need to import the user certificate to the Personal certificate store, add an IKEv2 connection in the network settings, then activate stronger ciphers on it via the following PowerShell script:
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256
```

21
roles/vpn/templates/client_windows.ps1.j2
View file

@ -1,3 +1,18 @@
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256
function AddAlgoVPN {
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256 -Force
}
function RemoveAlgoVPN {
Get-ChildItem cert:LocalMachine/Root | Where-Object { $_.Subject -match '^CN={{ IP_subject_alt_name }}$' -and $_.Issuer -match '^CN={{ IP_subject_alt_name }}$' } | Remove-Item
Get-ChildItem cert:LocalMachine/My | Where-Object { $_.Subject -match '^CN={{ item }}$' -and $_.Issuer -match '^CN={{ IP_subject_alt_name }}$' } | Remove-Item
Remove-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -Force
}
switch ($args[0]) {
"Add" { AddAlgoVPN }
"Remove" { RemoveAlgoVPN }
default { Write-Host Usage: $MyInvocation.MyCommand.Name "(Add|Remove)" }
}