From 29de003b2d47399c5f2f0a43bcccf02c339bd8b3 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <e601809@gmail.com>
Date: Thu, 3 Nov 2016 18:05:56 +0300
Subject: [PATCH] inplemented #109

---
 algo                                | 20 +++++++++++++
 roles/vpn/templates/mobileconfig.j2 | 44 +++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)

diff --git a/algo b/algo
index 9acb841..4911274 100755
--- a/algo
+++ b/algo
@@ -35,6 +35,26 @@ Do you want each user to have their own account for SSH tunneling?
 ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
 if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
 
+read -p "
+Do you want to enable VPN always when connected to Wi-Fi?
+[y/N]: " -r OnDemandEnabled_WIFI
+OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n}
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi
+
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then
+  read -p "
+Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi)
+: " -r OnDemandEnabled_WIFI_ECXLUDE
+  OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null}
+  EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE"
+fi
+
+read -p "
+Do you want to enable VPN always when connected to the cellular network?
+[y/N]: " -r OnDemandEnabled_Cellular
+OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
+if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
+
 }
 
 deploy () {
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index 762848a..d7ac899 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -6,7 +6,51 @@
     <array>
         <dict>
             <key>IKEv2</key>
+{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %}
             <dict>
+              <key>OnDemandEnabled</key>
+                <integer>1</integer>
+              <key>OnDemandRules</key>
+              <array>
+{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %}
+{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %}
+                  <dict>
+                      <key>Action</key>
+                      <string>Disconnect</string>
+                      <key>InterfaceTypeMatch</key>
+                      <string>WiFi</string>
+                      <key>SSIDMatch</key>
+                      <array>
+{% for network_name in WIFI_ECXLUDE_LIST %}
+                          <string>{{ network_name }}</string>
+{% endfor %}
+                      </array>
+                  </dict>
+{% else %}
+{% endif %}
+                  <dict>
+                    <key>Action</key>
+{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %}
+                      <string>Connect</string>
+  {% else %}
+                      <string>Disconnect</string>
+{% endif %}
+                    <key>InterfaceTypeMatch</key>
+                      <string>WiFi</string>
+                  </dict>
+                  <dict>
+                    <key>Action</key>
+{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %}
+                      <string>Connect</string>
+  {% else %}
+                      <string>Disconnect</string>
+{% endif %}
+                    <key>InterfaceTypeMatch</key>
+                      <string>Cellular</string>
+                  </dict>
+                </array>
+{% else %}
+{% endif %}
                 <key>AuthenticationMethod</key>
                 <string>Certificate</string>
                 <key>ChildSecurityAssociationParameters</key>