Merge branch 'win10_support' #9

This commit is contained in:
Jack Ivanov 2016-11-30 17:00:03 +03:00
commit 790bcb2efc
11 changed files with 61 additions and 4 deletions


@ -41,6 +41,14 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
### Windows Devices
You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.<br>
Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:<br>
`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)<br>
Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine.
### Apple Devices ### Apple Devices
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.

6
algo

@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network?
OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
read -p "
Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
[y/N]: " -r Win10_Enabled
Win10_Enabled=${Win10_Enabled:-n}
if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
} }
deploy () { deploy () {
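Review bot: The prompt text on the new `read -p` ("Will use insecure algorithms and ciphers") understates what `Win10_Enabled=Y` does: the other files in this commit make it switch the whole PKI to RSA keys and add the weaker proposals to the server's `conn %default`, so every client pays for it, not only Windows ones. Say so where the user decides, e.g. `Do you want to enable VPN for Windows 10 clients? (Switches the whole deployment to RSA keys and enables weaker IKE/ESP proposals for all clients)`. The variable is then appended to `EXTRA_VARS` by string concatenation like its neighbours, which is fine for a fixed `Win10_Enabled=Y` token. The shell function this block belongs to starts before the hunk; only its closing brace is visible here.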


@ -59,8 +59,6 @@ ipsec_config:
dpddelay: '35s' dpddelay: '35s'
rekey: 'no' rekey: 'no'
keyexchange: 'ikev2' keyexchange: 'ikev2'
ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
esp: 'aes128gcm16-sha2_256-ecp256!'
compress: 'yes' compress: 'yes'
fragmentation: 'yes' fragmentation: 'yes'


@ -191,6 +191,8 @@
with_items: with_items:
- "{{ users }}" - "{{ users }}"
- name: Fetch users P12 - name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"
@ -215,6 +217,16 @@
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Build the windows client powershell script
template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600
when: Win10_Enabled is defined and Win10_Enabled == "Y"
with_items: "{{ users }}"
- name: Fetch users windows scripts
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes
when: Win10_Enabled is defined and Win10_Enabled == "Y"
with_items: "{{ users }}"
- name: Restrict permissions - name: Restrict permissions
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
with_items: with_items:


@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
{{ key }}={{ value }} {{ key }}={{ value }}
{% endfor %} {% endfor %}
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
{% else %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256
esp=aes128gcm16-sha2_256-ecp256
{% endif %}
right={{ IP_subject_alt_name }} right={{ IP_subject_alt_name }}
rightid={{ IP_subject_alt_name }} rightid={{ IP_subject_alt_name }}
rightsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0


@ -1,2 +1,5 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
{% else %}
{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
{% endif %}


@ -0,0 +1,3 @@
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12
Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none

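Review bot: `certutil -f -p {{ easyrsa_p12_export_password }}` passes the export password unquoted, so a password containing spaces or characters PowerShell interprets (`$`, backtick, `;`) breaks or alters the command; single-quote it so it is passed literally: `certutil -f -p '{{ easyrsa_p12_export_password }}' -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12`. The `.\` path is relative, so the script only works when run from the directory that holds the fetched `.p12`; a first line such as `# Run as Administrator from the configs directory; this file contains the p12 export password` states both the precondition and the fact that the script stores the password in cleartext beside the archive it protects. If `Set-VpnConnectionIPsecConfiguration` prompts for confirmation in your environment, adding `-Force` keeps the script non-interactive, which matters since the README tells users to run it as a whole.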

@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
# * rsa # * rsa
# * ec # * ec
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
set_var EASYRSA_ALGO rsa
{% else %}
set_var EASYRSA_ALGO ec set_var EASYRSA_ALGO ec
{% endif %}
# Define the named curve, used in ec mode only: # Define the named curve, used in ec mode only:

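Review bot: `set_var EASYRSA_ALGO rsa` switches the CA and every user key to RSA without pinning a key size, while the mobileconfig hunk in this commit hard-codes `<string>RSA2048</string>`; the two agree only as long as easy-rsa's default key size stays 2048. Pin it next to the algorithm: `set_var EASYRSA_KEY_SIZE 2048`. A comment above the branch, e.g. `# Win10_Enabled switches the whole PKI to RSA, not just Windows users`, would make the blast radius of the toggle visible to whoever edits this file next.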

@ -7,6 +7,14 @@ conn %default
{{ key }}={{ value }} {{ key }}={{ value }}
{% endfor %} {% endfor %}
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
{% else %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256!
esp=aes128gcm16-sha2_256-ecp256!
{% endif %}
left=%any left=%any
leftauth=pubkey leftauth=pubkey
leftid={{ IP_subject_alt_name }} leftid={{ IP_subject_alt_name }}


@ -1,2 +1,5 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
: RSA {{ IP_subject_alt_name }}.key
{% else %}
: ECDSA {{ IP_subject_alt_name }}.key : ECDSA {{ IP_subject_alt_name }}.key
{% endif %}


@ -90,7 +90,11 @@
<key>PayloadCertificateUUID</key> <key>PayloadCertificateUUID</key>
<string>{{ pkcs12_PayloadCertificateUUID }}</string> <string>{{ pkcs12_PayloadCertificateUUID }}</string>
<key>CertificateType</key> <key>CertificateType</key>
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
<string>RSA2048</string>
{% else %}
<string>ECDSA256</string> <string>ECDSA256</string>
{% endif %}
<key>ServerCertificateIssuerCommonName</key> <key>ServerCertificateIssuerCommonName</key>
<string>{{ IP_subject_alt_name }}</string> <string>{{ IP_subject_alt_name }}</string>
<key>RemoteAddress</key> <key>RemoteAddress</key>