wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-06 20:13:11 +02:00
Code Issues Projects Releases Wiki Activity

mobileconfig implemented

Browse source
This commit is contained in:
Evgeniy Ivanov 2016-07-21 22:38:23 +03:00
parent 6a20e11b2e
commit 371b20a2ce
9 changed files with 180 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -1 +1,4 @@
*.retry *.retry
users/*.mobileconfig
users/*.p12
users/*.crt

2
common.yml
View file

@ -23,6 +23,8 @@
- git - git
- screen - screen
- apparmor-utils - apparmor-utils
- uuid-runtime
- coreutils
- name: Enable packet forwarding for IPv4 - name: Enable packet forwarding for IPv4
sysctl: name=net.ipv4.ip_forward value=1 sysctl: name=net.ipv4.ip_forward value=1

1
config.cfg
View file

@ -8,6 +8,7 @@ easyrsa_dir: /opt/easy-rsa-ipsec
easyrsa_curve: secp384r1 easyrsa_curve: secp384r1
easyrsa_ca_expire: 3650 easyrsa_ca_expire: 3650
easyrsa_cert_expire: 3650 easyrsa_cert_expire: 3650
easyrsa_p12_export_password: vpn
# if True re-init all existing certificates. Boolean # if True re-init all existing certificates. Boolean
easyrsa_reinit_existent: True easyrsa_reinit_existent: True

140
templates/mobileconfig.j2 Normal file
View file

@ -0,0 +1,140 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-128-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Medium</string>
<key>DisableMOBIKE</key>
<integer>0</integer>
<key>DisableRedirect</key>
<integer>0</integer>
<key>EnableCertificateRevocationCheck</key>
<integer>0</integer>
<key>EnablePFS</key>
<true/>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-128-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>LocalIdentifier</key>
<string>{{ item.0 }}</string>
<key>PayloadCertificateUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>RemoteAddress</key>
<string>{{ server_name }}</string>
<key>RemoteIdentifier</key>
<string>{{ server_name }}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>{{ server_name }} IKEv2</string>
<key>VPNType</key>
<string>IKEv2</string>
</dict>
<dict>
<key>Password</key>
<string>{{ easyrsa_p12_export_password }}</string>
<key>PayloadCertificateFileName</key>
<string>{{ item.0 }}.p12</string>
<key>PayloadContent</key>
<data>
{{ item.1.stdout }}
</data>
<key>PayloadDescription</key>
<string>Adds a PKCS#12-formatted certificate</string>
<key>PayloadDisplayName</key>
<string>{{ item.0 }}.p12</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadCertificateFileName</key>
<string>ca.crt</string>
<key>PayloadContent</key>
<data>
{{ PayloadContentCA.stdout }}
</data>
<key>PayloadDescription</key>
<string>Adds a CA root certificate</string>
<key>PayloadDisplayName</key>
<string>{{ server_name }}</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>{{ server_name }} IKEv2</string>
<key>PayloadIdentifier</key>
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>743B04A8-5725-45A2-B1BB-836F8C16DB0A</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

0
users/.gitinit Normal file
View file

1
users/mr.smith Normal file
View file

@ -0,0 +1 @@
qwe11

1
users/mrs.smith Normal file
View file

@ -0,0 +1 @@
qwe

BIN
users/qwe Normal file
View file

Binary file not shown.

42
vpn.yml
View file

@ -67,7 +67,7 @@
notify: notify:
- restart strongswan - restart strongswan
- name: Build the server pair - name: Build the server pair # TODO: IP and DNS for sertificate
shell: | shell: |
./easyrsa build-server-full {{ server_name }} nopass ./easyrsa build-server-full {{ server_name }} nopass
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
@ -88,7 +88,7 @@
- name: Build the client's p12 - name: Build the client's p12
shell: | shell: |
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:vpn openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
args: args:
chdir: '{{ easyrsa_dir }}/easyrsa3/' chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -110,19 +110,37 @@
notify: notify:
- restart strongswan - restart strongswan
- name: Register p12 PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
register: PayloadContent
with_items: "{{ users }}"
- name: Register CA PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=users/{{ server_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
- name: Fetch users mobileconfig
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=users/{{ server_name }}_{{ item }}.mobileconfig flat=yes
with_items: "{{ users }}"
- name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=users/{{ server_name }}_ca.crt flat=yes
handlers: handlers:
- name: restart strongswan - name: restart strongswan
service: name=strongswan state=restarted service: name=strongswan state=restarted
- name: restart apparmor - name: restart apparmor
service: name=apparmor state=restarted service: name=apparmor state=restarted