From 5c43fe48e643374ecf75ab56475907ebd8f016a7 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 17 Feb 2019 17:55:16 -0500 Subject: [PATCH] Make WireGuard the default for Apple devices --- README.md | 23 ++++------------------- docs/client-apple-ipsec.md | 15 +++++++++++++++ docs/client-macos-wireguard.md | 19 +++++++++++-------- 3 files changed, 30 insertions(+), 27 deletions(-) create mode 100644 docs/client-apple-ipsec.md diff --git a/README.md b/README.md index a3502eaa..39bf0f36 100644 --- a/README.md +++ b/README.md @@ -89,11 +89,7 @@ Certificates and configuration files that users will need are placed in the `con ### Apple Devices -Apple devices can connect to an Algo VPN via IPsec using their built-in IPsec support or via WireGuard by installing the WireGuard app. - -#### Install WireGuard - -Algo generates a WireGuard configuration file, `wireguard/.conf`, and a QR code, `wireguard/.png`, for each user defined in `config.cfg`. +WireGuard is used to provide VPN services on Apple devices. Algo generates a WireGuard configuration file, `wireguard/.conf`, and a QR code, `wireguard/.png`, for each user defined in `config.cfg`. On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device. 
@@ -101,21 +97,9 @@ On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/ap Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app. -For versions of macOS older than Mojave, installing WireGuard is a little more complicated. See [Using MacOS as a Client with WireGuard](docs/client-macos-wireguard.md). +Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md). -#### Configure IPsec - -Find the corresponding `mobileconfig` (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted. - -#### Enable the VPN - -On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar. - -#### Managing "Connect On Demand" - -If you enabled "Connect On Demand" the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand". - -On iOS, you can turn off "Connect On Demand" in **Settings** by clicking the (i) next to the entry for your Algo VPN and toggling off "Connect On Demand." 
On macOS, you can turn off "Connect On Demand" by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, unchecking the box for "Connect on demand", and clicking Apply. +If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). ### Android Devices @@ -214,6 +198,7 @@ After this process completes, the Algo VPN server will contain only the users li - Setup [Android](docs/client-android.md) clients - Setup [Generic/Linux](docs/client-linux.md) clients with Ansible - Setup Ubuntu clients to use [WireGuard](docs/client-linux-wireguard.md) + - Setup Apple devices to use [IPSEC](docs/client-apple-ipsec.md) * Cloud setup - Configure [Amazon EC2](docs/cloud-amazon-ec2.md) - Configure [Azure](docs/cloud-azure.md) diff --git a/docs/client-apple-ipsec.md b/docs/client-apple-ipsec.md new file mode 100644 index 00000000..e740b231 --- /dev/null +++ b/docs/client-apple-ipsec.md 
@@ -0,0 +1,15 @@ +# Using the built-in IPSEC VPN on Apple Devices + +## Configure IPsec + +Find the corresponding `mobileconfig` (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted. + +## Enable the VPN + +On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar. + +## Managing "Connect On Demand" + +If you enabled "Connect On Demand" the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand". + +On iOS, you can turn off "Connect On Demand" in **Settings** by clicking the (i) next to the entry for your Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "Connect On Demand" by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, unchecking the box for "Connect on demand", and clicking Apply. \ No newline at end of file diff --git a/docs/client-macos-wireguard.md b/docs/client-macos-wireguard.md index 0d1db781..cce6ccc4 100644 --- a/docs/client-macos-wireguard.md +++ b/docs/client-macos-wireguard.md 
@@ -1,31 +1,34 @@ -# Using MacOS as a Client with WireGuard +# MacOS WireGuard Client Setup + +The WireGuard macOS app is unavailable for older operating systems. Please update your operating system if you can. If you are on a macOS High Sierra (10.13) or earlier, then you can still use WireGuard via their userspace drivers via the process detailed below. ## Install WireGuard -To connect to your Algo VPN using [WireGuard](https://www.wireguard.com) from MacOS +Install the wireguard-go userspace driver: ``` -# Install the wireguard-go userspace driver brew install wireguard-tools ``` ## Locate the Config File -The Algo-generated config files for WireGuard are named `configs//wireguard/.conf` on the system where you ran `./algo`. One file was generated for each of the users you added to `config.cfg` before you ran `./algo`. Each Linux and Android client you connect to your Algo VPN must use a different WireGuard config file. Choose one of these files and copy it to your device. +Algo generates a WireGuard configuration file, `wireguard/.conf`, and a QR code, `wireguard/.png`, for each user defined in `config.cfg`. Find the configuration file and copy it to your device if you don't already have it. + +Note that each client you use to connect to Algo VPN must have a unique WireGuard config. ## Configure WireGuard -Finally, install the config file on your client as `/usr/local/etc/wireguard/wg0.conf` and start WireGuard: +You'll need to copy the appropriate WireGuard configuration file into a location where the userspace driver can find it. After it is in the right place, start the VPN, and verify connectivity. 
``` -# Install the config file to the WireGuard configuration directory on your MacOS device +# Copy the config file to the WireGuard configuration directory on your macOS device mkdir /usr/local/etc/wireguard/ cp .conf /usr/local/etc/wireguard/wg0.conf -# Start the WireGuard VPN: +# Start the WireGuard VPN sudo wg-quick up wg0 -# Verify the connection to the Algo VPN: +# Verify the connection to the Algo VPN wg # See that your client is using the IP address of your Algo VPN:
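Review bot: In the README.md hunk at `@@ -101,21 +97,9`, the retained line `Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app.` now has no matching guidance on turning it off. The removed "Managing Connect On Demand" section moves to docs/client-apple-ipsec.md, where it only describes the **Settings** and **System Preferences** toggles for the IPsec profile. Suggest keeping one sentence in the README that says disabling the tunnel is not enough while Connect on Demand is on, and that it is turned off in the WireGuard app's tunnel settings. Two wording nits in the same hunk: "on older version of macOS" should read "on older versions of macOS", and the added lines spell it "IPSEC" where the rest of the README and the moved headings use "IPsec" (the same applies to the `Setup Apple devices to use [IPSEC]` entry added at `@@ -214,6 +198,7`).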
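Review bot: In the new docs/client-apple-ipsec.md, the "Enable the VPN" section still carries `If using WireGuard you can also enable the VPN from the WireGuard app.`, which was correct in the combined README section but is out of place in a page that is only about the built-in IPsec client; suggest dropping that sentence. The file also mixes spellings between the title (`# Using the built-in IPSEC VPN on Apple Devices`) and the first heading (`## Configure IPsec`), so pick "IPsec" throughout, and it ends with `\ No newline at end of file`, so add a trailing newline.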
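Review bot: In the docs/client-macos-wireguard.md hunk, the "Configure WireGuard" commands copy the client config into place with `mkdir /usr/local/etc/wireguard/` and `cp .conf /usr/local/etc/wireguard/wg0.conf` and never restrict permissions, although a WireGuard client config contains the user's private key. Suggest adding `chmod 600 /usr/local/etc/wireguard/wg0.conf` after the copy (and `mkdir -p` so the step does not fail when the directory already exists). Smaller points in the same hunk: the new text says "Install the wireguard-go userspace driver:" while the command is `brew install wireguard-tools`, so either name the package that is actually installed or note that it brings wireguard-go with it; the new title `# MacOS WireGuard Client Setup` keeps the "MacOS" casing that the rest of the patch changes to "macOS" and no longer matches the README link text "Using macOS as a Client with WireGuard"; and "If you are on a macOS High Sierra (10.13) or earlier, then you can still use WireGuard via their userspace drivers via the process detailed below" has a stray "a" and a doubled "via".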