From 8ae80788ada7a7da9e9e14351cf2debecd2d0b8c Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sun, 16 Oct 2016 23:05:20 +0200
Subject: [PATCH] better user instructions
---
 README.md | 29 ++++++++++++++++++++---------
 config.cfg | 5 ++++-
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 3e832b0..e746888 100644
--- a/README.md
+++ b/README.md
@@ -42,21 +42,32 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
 ## Configure the VPN Clients
-After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys.
+After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
-* [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop.
-* asdf
-* asdf
+### Apple Devices
+
+Find the corresponding mobileconfig (Apple Profile) for the user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. Installing a profile will fully configure the VPN.
+
+### StrongSwan Clients (e.g., OpenWRT)
+
+Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device.
+
+### Other Devices
+
+* ca.crt: CA Certificate
+* user_ipsec.conf: StrongSwan client configuration
+* user_ipsec.secrets: StrongSwan client configuration
+* user.crt: User Certificate
+* user.key: User Private Key
+* user.mobileconfig: Apple Profile
+* user.p12: User Certificate and Private Key (in PKCS#12 format)
+* user.ssh.pem (optional): SSH authorized_key file
 ## Setup an SSH Tunnel
 If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited.
This was done to ensure that users have the least access required to tunnel through the server.
-Use the following command to SSH tunnel through the server:
-
- ```asdf```
-
-asdf then explain the options used
+Make sure to access the server using 'ssh -N' for any limited accounts.
 ## Adding or Removing Users
diff --git a/config.cfg b/config.cfg
index e6c6b9a..c9cedd8 100644
--- a/config.cfg
+++ b/config.cfg
@@ -8,12 +8,15 @@ users:
 # Add an email address to send logs if you're using auditd for monitoring,
 auditd_action_mail_acct: email@example.com
+# Exported certificates will be protected by the password below:
+easyrsa_p12_export_password: vpnpws
+
+
 ### Advanced users only below this line ###
 easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
-easyrsa_p12_export_password: vpnpws
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False
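Review bot: The relocated `easyrsa_p12_export_password: vpnpws` is now presented as a user-facing setting, but the new comment above it never tells the user to change it, so the checked-in default is what most deployments will keep. The README hunk in this same patch describes `user.p12` as the user's certificate and private key, so a default password that is public in this repository gives those bundles little real protection if a file is intercepted in transit or copied off a device. I would extend the comment to `# Exported .p12 bundles (user certificate + private key) are protected by this password.` followed by `# Change it from the default before deploying; the value below is public in this repository.` The enclosing `users:` block begins before this hunk.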