Merge branch 'win10_support' #9
This commit is contained in:
commit
790bcb2efc
11 changed files with 61 additions and 4 deletions
|
@ -41,6 +41,14 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
|
||||||
|
|
||||||
Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
|
Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
|
||||||
|
|
||||||
|
### Windows Devices
|
||||||
|
|
||||||
|
You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.<br>
|
||||||
|
Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:<br>
|
||||||
|
`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
|
||||||
|
8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)<br>
|
||||||
|
Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine.
|
||||||
|
|
||||||
### Apple Devices
|
### Apple Devices
|
||||||
|
|
||||||
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.
|
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.
|
||||||
|
|
6
algo
6
algo
|
@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network?
|
||||||
OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
|
OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
|
||||||
if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
|
if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
|
||||||
|
|
||||||
|
read -p "
|
||||||
|
Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
|
||||||
|
[y/N]: " -r Win10_Enabled
|
||||||
|
Win10_Enabled=${Win10_Enabled:-n}
|
||||||
|
if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
deploy () {
|
deploy () {
|
||||||
|
|
|
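Review bot: The new prompt `Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)` understates the scope of the flag: judging by the easyrsa vars and ipsec.conf.j2 hunks in this commit, `Win10_Enabled=Y` switches `EASYRSA_ALGO` to RSA for the CA and every user certificate and adds the weaker IKE/ESP proposals on the server side, so it affects every client of the deployment, not only the Windows ones. Suggest making that explicit in the prompt, e.g. `Do you want to enable VPN for Windows 10 clients? (Switches all certificates to RSA and enables weaker ciphers for every client)`, so an operator can judge the trade-off before answering. The function that contains this prompt starts outside the hunk; only its closing `}` and the following `deploy () {` are visible.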
@ -59,8 +59,6 @@ ipsec_config:
|
||||||
dpddelay: '35s'
|
dpddelay: '35s'
|
||||||
rekey: 'no'
|
rekey: 'no'
|
||||||
keyexchange: 'ikev2'
|
keyexchange: 'ikev2'
|
||||||
ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
|
|
||||||
esp: 'aes128gcm16-sha2_256-ecp256!'
|
|
||||||
compress: 'yes'
|
compress: 'yes'
|
||||||
fragmentation: 'yes'
|
fragmentation: 'yes'
|
||||||
|
|
||||||
|
|
|
@ -191,6 +191,8 @@
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ users }}"
|
- "{{ users }}"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Fetch users P12
|
- name: Fetch users P12
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
@ -215,6 +217,16 @@
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
|
- name: Build the windows client powershell script
|
||||||
|
template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600
|
||||||
|
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
||||||
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
|
- name: Fetch users windows scripts
|
||||||
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes
|
||||||
|
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
||||||
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Restrict permissions
|
- name: Restrict permissions
|
||||||
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
|
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
|
||||||
with_items:
|
with_items:
|
||||||
|
|
|
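Review bot: The added `Fetch users windows scripts` task pulls a file that, per the new client_windows.ps1.j2, embeds `easyrsa_p12_export_password` in plaintext, so the fetched `*_windows.ps1` is as sensitive as the `.p12` it sits next to, and neither the task name nor the README hunk says so. Suggest a comment above that task: `# The generated script contains the P12 export password in clear text; treat configs/*_windows.ps1 like the private keys.` The `mode=0600` on the `Build the windows client powershell script` task applies on the server only; as far as I know `fetch` does not carry the mode over, so the copy on the control machine relies on the permissions of the configs directory. Both added tasks repeat `when: Win10_Enabled is defined and Win10_Enabled == "Y"`; grouping them in a `block:` with a single `when:` keeps the two conditions from drifting apart.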
@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
|
||||||
{{ key }}={{ value }}
|
{{ key }}={{ value }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
|
||||||
|
esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
|
||||||
|
{% else %}
|
||||||
|
ike=aes128gcm16-sha2_256-prfsha256-ecp256
|
||||||
|
esp=aes128gcm16-sha2_256-ecp256
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
right={{ IP_subject_alt_name }}
|
right={{ IP_subject_alt_name }}
|
||||||
rightid={{ IP_subject_alt_name }}
|
rightid={{ IP_subject_alt_name }}
|
||||||
rightsubnet=0.0.0.0/0
|
rightsubnet=0.0.0.0/0
|
||||||
|
|
|
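Review bot: The Windows branch's `esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!` offers SHA-1 integrity and a 1024-bit DH group that the server-side proposal in the ipsec.conf.j2 hunk of this commit (`esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!`) does not list, and the PowerShell script configures SHA256 with Group14 as well; that second proposal therefore cannot be selected against this server and only adds weak options to the client's config. Suggest `esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!` so the client mirrors the server line exactly. Since this template appears to be the strongSwan client config rather than anything consumed on Windows, it is also unclear why it needs a Win10 branch at all; a short `{# ... #}` comment explaining why non-Windows clients change when Win10 is enabled would help the next reader.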
@ -1,2 +1,5 @@
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
|
||||||
|
{% else %}
|
||||||
{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
|
{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
|
||||||
|
{% endif %}
|
||||||
|
|
3
roles/vpn/templates/client_windows.ps1.j2
Normal file
3
roles/vpn/templates/client_windows.ps1.j2
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12
|
||||||
|
Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
|
||||||
|
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
|
|
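Review bot: `certutil -f -p {{ easyrsa_p12_export_password }} -importpfx ...` writes the P12 export password into a script that is then fetched to configs/, so the secret lands in plaintext on disk and is also visible in PowerShell history or transcripts and in the process command line while the import runs. A header comment should state that the script contains a secret and should be deleted once the connection is set up, and that the `.\{{ IP_subject_alt_name }}_{{ item }}.p12` path assumes it is run from the directory holding the `.p12`. `-PfsGroup none` disables perfect forward secrecy for the IPsec child SA even though the server's ESP proposal in the ipsec.conf.j2 hunk advertises `modp2048`; if the target Windows build supports it, `-PfsGroup PFS2048` would match the server and keep PFS, and if it was left at `none` deliberately the reason belongs in a comment.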
@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
|
||||||
# * rsa
|
# * rsa
|
||||||
# * ec
|
# * ec
|
||||||
|
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
set_var EASYRSA_ALGO rsa
|
||||||
|
{% else %}
|
||||||
set_var EASYRSA_ALGO ec
|
set_var EASYRSA_ALGO ec
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# Define the named curve, used in ec mode only:
|
# Define the named curve, used in ec mode only:
|
||||||
|
|
||||||
|
|
|
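Review bot: The Win10 branch sets `set_var EASYRSA_ALGO rsa` without pinning the key size, while the mobileconfig hunk of this commit hard-codes `<string>RSA2048</string>`; the two agree only as long as EasyRSA's default key size stays 2048. Suggest adding `set_var EASYRSA_KEY_SIZE 2048` in the same branch so the certificate type declared to Apple devices cannot drift from what is generated. This branch also changes the algorithm for the CA and every certificate, not just the Windows users', which deserves a comment next to the `{% if %}`, e.g. `{# Win10_Enabled switches the whole PKI (CA, server and all user certs) to RSA #}`.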
@ -7,6 +7,14 @@ conn %default
|
||||||
{{ key }}={{ value }}
|
{{ key }}={{ value }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
|
||||||
|
esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
|
||||||
|
{% else %}
|
||||||
|
ike=aes128gcm16-sha2_256-prfsha256-ecp256!
|
||||||
|
esp=aes128gcm16-sha2_256-ecp256!
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
left=%any
|
left=%any
|
||||||
leftauth=pubkey
|
leftauth=pubkey
|
||||||
leftid={{ IP_subject_alt_name }}
|
leftid={{ IP_subject_alt_name }}
|
||||||
|
|
|
@ -1,2 +1,5 @@
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
: RSA {{ IP_subject_alt_name }}.key
|
||||||
|
{% else %}
|
||||||
: ECDSA {{ IP_subject_alt_name }}.key
|
: ECDSA {{ IP_subject_alt_name }}.key
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -90,7 +90,11 @@
|
||||||
<key>PayloadCertificateUUID</key>
|
<key>PayloadCertificateUUID</key>
|
||||||
<string>{{ pkcs12_PayloadCertificateUUID }}</string>
|
<string>{{ pkcs12_PayloadCertificateUUID }}</string>
|
||||||
<key>CertificateType</key>
|
<key>CertificateType</key>
|
||||||
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
||||||
|
<string>RSA2048</string>
|
||||||
|
{% else %}
|
||||||
<string>ECDSA256</string>
|
<string>ECDSA256</string>
|
||||||
|
{% endif %}
|
||||||
<key>ServerCertificateIssuerCommonName</key>
|
<key>ServerCertificateIssuerCommonName</key>
|
||||||
<string>{{ IP_subject_alt_name }}</string>
|
<string>{{ IP_subject_alt_name }}</string>
|
||||||
<key>RemoteAddress</key>
|
<key>RemoteAddress</key>
|
||||||
|
|