algo/docs/client-windows.md
Micah R Ledbetter e944ee993a Embed certs into Windows deployment scripts (#840)
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
  directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store

As part of this work, rewrite the windows_client.ps1.j2 deployment
script template

- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
  installed in the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
2018-03-28 11:20:43 -07:00


Windows client manual setup

Automatic installation

To install automatically, use the generated user Powershell script.

  1. Copy the user PowerShell script (windows_USER.ps1) to the client computer.
  2. Open Powershell as Administrator.
  3. Run the following command:
powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add
  4. The command has help information available. To view its full help, run this from Powershell:
Get-Help -Name .\windows_USER.ps1 -Full | more

Manual installation

  1. Copy the CA certificate (cacert.pem) and user certificate (USER.p12) to the client computer
  2. Open PowerShell as Administrator.
  3. If you haven't already, change the execution policy so that unsigned scripts can run. Unrestricted is broader than this procedure needs; RemoteSigned is the less permissive choice and also works for a locally created script (or a downloaded one after Unblock-File).
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
  4. In the same window, run the commands below to install the certificates and create the VPN configuration. The first three lines define the VPN server address, the USER.p12 location and the CA certificate location: change them to the IP address of your Algo server and the locations where you saved the two files. The commands prompt for the "User p12 password", which is printed at the end of a successful Algo deployment.
# Change these three values to your Algo server's IP address and the locations of the copied files
$VpnServerAddress = "1.2.3.4"
$UserP12Path = "$Home\Downloads\USER.p12"
$CaCertPath = "$Home\Downloads\cacert.pem"
$VpnName = "Algo VPN $VpnServerAddress IKEv2"
# Read the p12 password as a SecureString so it is not echoed to the console
$p12Pass = Read-Host -AsSecureString -Prompt "User p12 password"

# Both certificates go into the machine stores, not the current-user stores:
# IKEv2 machine-certificate authentication only looks in Cert:\LocalMachine.
# Import-PfxCertificate imports the private key non-exportable by default (no -Exportable),
# so the key cannot be copied back out of the store afterwards.
Import-PfxCertificate -FilePath $UserP12Path -CertStoreLocation Cert:\LocalMachine\My -Password $p12Pass
Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root

# Create the IKEv2 connection; EncryptionLevel Required refuses to connect without encryption
$addVpnParams = @{
    Name = $VpnName
    ServerAddress = $VpnServerAddress
    TunnelType = "IKEv2"
    AuthenticationMethod = "MachineCertificate"
    EncryptionLevel = "Required"
}
Add-VpnConnection @addVpnParams

# Replace Windows' default IKEv2/IPsec proposals with the suite the Algo server expects
# (AES-128-GCM, SHA-384 integrity for IKE, ECP256 for both DH and PFS)
$setVpnParams = @{
    ConnectionName = $VpnName
    AuthenticationTransformConstants = "GCMAES128"
    CipherTransformConstants = "GCMAES128"
    EncryptionMethod = "AES128"
    IntegrityCheckMethod = "SHA384"
    DHGroup = "ECP256"
    PfsGroup = "ECP256"
    Force = $true
}
Set-VpnConnectionIPsecConfiguration @setVpnParams

  5. After the commands have run, set the execution policy back before you close the PowerShell window.
Set-ExecutionPolicy Restricted -Scope CurrentUser
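
As an added example, not part of the Algo project or of the generated user script, the following PowerShell script checks the result of the manual installation above (CA in the machine Root store, a certificate issued by that CA with its private key in the machine My store, the IKEv2 connection with machine-certificate authentication and the custom IPsec policy) and, with -Remove, undoes it. The file name Check-AlgoVpn.ps1, the -Remove switch and the default cacert.pem path are assumptions; installed certificates are matched on the CA's thumbprint and subject read from the copied cacert.pem rather than on guessed names, and the connection settings are read from the IPsecCustomPolicy property that Get-VpnConnection returns.

```powershell
# Added example, not part of the Algo project: verify the manual installation
# above, or remove it again with -Remove. Assumed file name: Check-AlgoVpn.ps1.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $VpnServerAddress,
    [string] $CaCertPath = "$Home\Downloads\cacert.pem",   # assumed default, as in the steps above
    [switch] $Remove
)

$ErrorActionPreference = 'Stop'
$VpnName = "Algo VPN $VpnServerAddress IKEv2"

# Read the CA certificate from the copied file; the installed certificates are
# matched on its thumbprint and subject instead of on guessed names.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

$installedCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
# The user certificate is the one issued by the Algo CA that has a private key attached.
$userCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey })
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue

if ($Remove) {
    if ($vpn) { Remove-VpnConnection -Name $VpnName -Force }
    # -DeleteKey removes the private key container together with the certificate.
    foreach ($c in $userCerts) { Remove-Item -Path $c.PSPath -DeleteKey }
    if ($installedCa) { Remove-Item -Path $installedCa.PSPath }
    Write-Output "Removed '$VpnName' and its certificates."
    return
}

$problems = @()
if (-not $installedCa) {
    $problems += "CA $($ca.Thumbprint) is not in Cert:\LocalMachine\Root"
}
if ($userCerts.Count -eq 0) {
    $problems += "no certificate issued by '$($ca.Subject)' with a private key in Cert:\LocalMachine\My"
}
# The mistake the older docs made: a certificate in the current-user store is
# ignored by IKEv2 machine-certificate authentication.
$wrongStore = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -eq $ca.Subject }
if ($wrongStore) {
    $problems += "user certificate found in Cert:\CurrentUser\My; it must be in Cert:\LocalMachine\My"
}
if (-not $vpn) {
    $problems += "VPN connection '$VpnName' does not exist"
} else {
    if ($vpn.TunnelType -ne 'Ikev2') {
        $problems += "tunnel type is $($vpn.TunnelType), expected Ikev2"
    }
    if ($vpn.AuthenticationMethod -notcontains 'MachineCertificate') {
        $problems += "authentication method is $($vpn.AuthenticationMethod -join ','), expected MachineCertificate"
    }
    $policy = $vpn.IPsecCustomPolicy
    if (-not $policy -or $policy.CipherTransformConstants -ne 'GCMAES128' -or $policy.PfsGroup -ne 'ECP256') {
        $problems += "IPsec policy is not the AES-GCM-128 / ECP256 suite set by Set-VpnConnectionIPsecConfiguration"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: '$VpnName' is installed with CA $($ca.Thumbprint) and user certificate $($userCerts[0].Thumbprint)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell as `.\Check-AlgoVpn.ps1 -VpnServerAddress 1.2.3.4` after the steps above; it exits non-zero and prints one warning per problem found. `.\Check-AlgoVpn.ps1 -VpnServerAddress 1.2.3.4 -Remove` deletes the connection, the user certificate with its private key, and the CA from the machine stores, which is the clean-up you want before re-deploying with new certificates.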

Your VPN is now installed and ready to use.