ovpnmcgen.rb 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a7eecb8a62bc004485044c5ffcc87d38684dc999
-  data.tar.gz: 1c1dec6d4e95b295104435550d443c5aecf6bfef
+  metadata.gz: 367d863a65d76ef7131544d0cfeabe155b43ada8
+  data.tar.gz: 638bd7fb996c3f265005992d0d452d41fceb1ab3
 SHA512:
-  metadata.gz: d165dffd3e79a28e59292811e3dca883ffff50de6e44b615ee4c6e6e05fd0a789c073441d81759b3359afa1d71e0b5a03c3eb0903127f35a55dd2b25aa10688c
-  data.tar.gz: 80e881f3de0dba88a691d6391e049a3b6f944fefb4789746e0dce8467fd9b0e52d6396878fd0b9a14be7fafa88730441ccb71a4bdc5e1260d3ed1bca7269ebc2
+  metadata.gz: 11d4d579cb0a28ed0536afb99ba0c98c88c97923c0c1deaa7acc4dedd01dc8ef24f315a0bcc2fa2164511216c65164b39bdcdd7c97b6506ef7078e715aace314
+  data.tar.gz: f981db017988637593dc2b883531014040fefbe4b0846187a330519960a2e310690c757bd0e1a9020253a16dd139f4f0aa6cdbff8491ced055da851b1c27cd46

data/.gitignore

@@ -16,3 +16,5 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+.ruby-version
+.ruby-gemset

data/ChangeLog

@@ -0,0 +1,11 @@
+= 0.1.0 / 2014-03-27
+	* Added support for `--ovpnconfigfile`, `--port`, `--proto`.
+	* Shorter switches for `--[un]trusted-ssids`.
+	* Improved Documentation.
+
+= 0.0.2 / 2014-03-26
+	* Require ruby >= 1.9.3.
+	* Improved Documentation.
+
+= 0.0.1 / 2014-03-26
+	* Initial Release.

data/README.md

@@ -2,16 +2,56 @@
 
 OpenVPN iOS Configuration Profile Utility
 
-This utility generates configuration profiles that enables VPN-on-Demand, as documented by Apple in <https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27>.
+Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
+
+Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`. The following algorithm is executed upon network changes, in order: 
+
+- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
+- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
+- Else if the primary network interface becomes Wifi (any SSID except those above), bring up the VPN connection.
+- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
+- Else, unconditionally bring up the VPN connection on the next network attempt.
+
+Note: The other match triggers, such as `DNSDomainMatch`, `DNSServerAddressMatch`, `URLStringProbe`, and per-connection domain inspection (`ActionParameters`), are not implemented. I reckon some kind of DSL will need to be built to support them; pull-requests are welcome.
 
 ## Installation
 
-Install it yourself as:
+Install the production version from Rubygems.org:
 
     $ gem install ovpnmcgen.rb
 
+### Local Development
+
+Clone the source:
+
+	$ git clone https://github.com/iphoting/ovpnmcgen.rb
+
+Build and install the gem:
+
+	$ cd ovpnmcgen.rb/
+	$ bundle install   # install dependencies
+	# Hack away...
+	$ rake install     # build and install gem
+
 ## Usage
 
+```
+Usage: ovpnmcgen.rb generate [options] <user> <device>
+
+  Options:
+    --cafile FILE        Path to OpenVPN CA file. (Required)
+    --tafile FILE        Path to TLS Key file. (Required)
+    --host HOSTNAME      Hostname of OpenVPN server. (Required)
+    --p12file FILE       Path to user PKCS#12 file. (Required)
+    --p12pass PASSWORD   Password to unlock PKCS#12 file.
+    --[no-]vod           Enable or Disable VPN-On-Demand. [Default: Enabled]
+    --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
+    --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
+    -o, --output FILE    Output to file. [Default: stdout]
+```
+
+## Examples
+
 ### Typical Usage
 	$ ovpnmcgen.rb gen --trusted-ssids home --host vpn.example.com \
 	--cafile path/to/ca.pem --tafile path/to/ta.key \
@@ -225,10 +265,29 @@ Output similar to above:
 </plist>
 ```
 
-### Using OpenSSL to generate a PKCS#12 file
+### Using OpenSSL to convert files into PKCS#12 (.p12)
 	openssl pkcs12 -export -out path/to/john-ipad.p12 \
 	-inkey path/to/john-ipad.key -in path/to/john-ipad.crt \
-	-passout pass:p12passphrase
+	-passout pass:p12passphrase -name john-ipad@vpn.example.com
+
+## TODO
+
+- Config file to specify global options, such as `--cafile`, `--tafile`, `--host`, `--[un]trusted-ssids`.
+- Batch-operation mode, with CSV-file as input, and a CSV UUID-index file to track generated profiles as output.
+
+	The same UUID should be used for profile updates, so that iOS knows which profile to replace, especially in MDM environments.
+
+- Adopt OpenVPN parameters from an OpenVPN-compatible client.conf input file.
+
+	Implemented, but lacks support for inline `<ca|tls-auth>` data enclosures.
+
+- Sign/Encrypt .mobileconfig.
+
+	Current workaround is to use a trusted MDM solution to securely push these unsigned, unencrypted profiles to iOS devices, through the encrypted MDM connected.
+
+## References
+
+- Apple, at <https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27>.
 
 ## Contributing
 

data/bin/ovpnmcgen.rb

@@ -13,44 +13,51 @@ never_trace!
  
 command :generate do |c|
   c.syntax = 'ovpnmcgen.rb generate [options] <user> <device>'
-  c.summary = 'Generates iOS Configuration Profiles'
-  c.description = 'Generates a .mobileconfig plist.'
+  c.summary = 'Generates iOS Configuration Profiles (.mobileconfig)'
+  c.description = 'Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.'
   c.example 'Typical Usage', 'ovpnmcgen.rb gen --trusted-ssids home --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
   c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
-  c.example 'Creating a .p12 file using OpenSSL', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase'
+  c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name john-ipad@vpn.example.com'
   c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
   c.option '--tafile FILE', 'Path to TLS Key file. (Required)'
   c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
+  c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
+  c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
   c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
   c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
   c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
-  c.option '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
-  c.option '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
+  c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
+  c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
+  c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
   c.option '-o', '--output FILE', 'Output to file. [Default: stdout]'
   c.action do |args, options|
-  	raise ArgumentError.new "Invalid arguments. Run #{File.basename(__FILE__)} help for guidance." if args.nil? or args.length < 2
-  	raise ArgumentError.new "Host is required." unless options.host
-  	raise ArgumentError.new "cafile is required." unless options.cafile
-  	raise ArgumentError.new "tafile is required." unless options.tafile
-    raise ArgumentError.new "PKCS#12 file is required." unless options.p12file
-  	options.default :vod => true
-  	user, device, p12file, p12pass = args
-  	inputs = {
-  		:user => user,
-  		:device => device,
-  		:p12file => options.p12file,
-  		:p12pass => options.p12pass,
-  		:cafile => options.cafile,
-  		:tafile => options.tafile,
-  		:host => options.host,
-  		:enableVOD => options.vod,
-  		:trusted_ssids => options.trusted_ssids,
-  		:untrusted_ssids => options.untrusted_ssids
-  	}
-  	unless options.output
-    	puts Ovpnmcgen.generate(inputs)
+    raise ArgumentError.new "Invalid arguments. Run '#{File.basename(__FILE__)} help generate' for guidance" if args.nil? or args.length < 2
+    raise ArgumentError.new "Host is required" unless options.host
+    raise ArgumentError.new "cafile is required" unless options.cafile
+    raise ArgumentError.new "tafile is required" unless options.tafile
+    raise ArgumentError.new "PKCS#12 file is required" unless options.p12file
+    options.default :vod => true, :proto => 'udp', :port => 1194
+    user, device, p12file, p12pass = args
+    inputs = {
+      :user => user,
+      :device => device,
+      :p12file => options.p12file,
+      :p12pass => options.p12pass,
+      :cafile => options.cafile,
+      :tafile => options.tafile,
+      :host => options.host,
+      :proto => options.proto,
+      :port => options.port,
+      :enableVOD => options.vod,
+      :trusted_ssids => options.trusted_ssids,
+      :untrusted_ssids => options.untrusted_ssids
+    }
+    inputs[:ovpnconfigfile] = options.ovpnconfigfile if options.ovpnconfigfile
+
+    unless options.output
+      puts Ovpnmcgen.generate(inputs)
     else
-    	# write to file
+      # write to file
       begin
         File.write(options.output, Ovpnmcgen.generate(inputs))
       rescue Errno::ENOENT

data/lib/ovpnmcgen.rb

@@ -1,4 +1,5 @@
 require "ovpnmcgen/version"
+require "ovpnmcgen/ovpnconfig"
 require 'plist'
 require 'base64'
 
@@ -13,8 +14,7 @@ module Ovpnmcgen
     identifier = inputs[:identifier] || inputs[:host].split('.').reverse!.join('.')
     port = inputs[:port] || 1194
     certUUID = inputs[:certUUID] || `uuidgen`.chomp.upcase
-    user, device, domain, host = inputs[:user], inputs[:device], inputs[:host], inputs[:host]
-    enableVOD = inputs[:enableVOD]
+    user, device, domain, host, proto, enableVOD = inputs[:user], inputs[:device], inputs[:host], inputs[:host], inputs[:proto], inputs[:enableVOD]
     p12pass = inputs[:p12pass] || ''
     trusted_ssids = inputs[:trusted_ssids] || false
     untrusted_ssids = inputs[:untrusted_ssids] || false
@@ -40,6 +40,21 @@ module Ovpnmcgen
       exit
     end
 
+    unless inputs[:ovpnconfigfile].nil?
+      ovpnconfighash = Ovpnmcgen.getOVPNVendorConfigHash(inputs[:ovpnconfigfile])
+    else # Bare minimum configuration
+      ovpnconfighash = {
+        'client' => 'NOARGS',
+        'comp-lzo' => 'NOARGS',
+        'dev' => 'tun',
+        'key-direction' => '1',
+        'remote-cert-tls' => 'server'
+      }
+    end
+    ovpnconfighash['remote'] = "#{host} #{port} #{proto}"
+    ovpnconfighash['ca'] = ca_cert
+    ovpnconfighash['tls-auth'] = tls_auth
+
     vpnOnDemandRules = Array.new
     vodTrusted = { # Trust only Wifi SSID
       'SSIDMatch' => trusted_ssids,
@@ -93,21 +108,7 @@ module Ovpnmcgen
       },
       'VPNSubType' => 'net.openvpn.OpenVPN-Connect.vpnplugin',
       'VPNType' => 'VPN',
-      'VendorConfig' => {
-        'ca' => ca_cert,
-        'client' => 'NOARGS',
-        'comp-lzo' => 'NOARGS',
-        'dev' => 'tun',
-        'key-direction' => '1',
-        'persist-key' => 'NOARGS',
-        'persist-tun' => 'NOARGS',
-        'proto' => 'udp',
-        'remote' => "#{host} #{port} udp",
-        'remote-cert-tls' => 'server',
-        'resolv-retry' => 'infinite',
-        'tls-auth' => tls_auth,
-        'verb' => '3'
-      }
+      'VendorConfig' => ovpnconfighash
     }
 
     plistPayloadContent = [vpn, cert] # to encrypt this array

data/lib/ovpnmcgen/ovpnconfig.rb

@@ -0,0 +1,51 @@
+
+module Ovpnmcgen
+  def getOVPNVendorConfigHash(ovpnfilepath)
+    ovpnfile = ""
+    begin
+      # get rid of comments in the file.
+      ovpnfile = File.readlines(ovpnfilepath).delete_if { |l| ; l.start_with?('#') or l.start_with?(';') or l.chomp.empty? }
+
+      # TODO: [Warning] Get rid of/handle <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth> inline cert/key enclosures.
+      # Bail when inline cert/key enclosures are detected.
+      ovpnfile.each do |l|
+        r = l.chomp.match(/<.*>/)
+        raise ArgumentError.new "OpenVPN client config file contains inline data enclosures: #{r.to_a.join(', ')}!\nSuch files are not yet supported. Remove them and try again" unless r.nil?
+      end
+
+      # TODO: Handle multiple remote lines.
+      # Currently, the last remote line will be used.
+
+      # map to key => value pairs for plist purposes. Singular verbs will be: 'verb' => 'NOARGS'.
+      ovpnhash = Hash[ovpnfile.map do |l|
+        a = l.split
+        if a.length == 1
+          a << "NOARGS"
+        elsif a.length > 2
+          b = a.take(1)
+          c = a.drop(1).join ' '
+          a.replace(b << c)
+        end
+        a
+      end]
+
+      # delete obviously unsupported keys.
+      ovpnhash.delete_if do |key, value|
+        case key
+        when 'fragment', 'mssfix', 'secret', 'socks-proxy', 'persist-key', 'persist-tun', 'resolv-retry', 'nobind', 'verb', 'user', 'group', 'pull', 'mute'
+          true
+        when 'remote', 'ca', 'pkcs12', 'tls-auth', 'cert', 'key', 'proto' # specified with switches.
+          true
+        else
+          false
+        end
+      end
+    rescue Errno::ENOENT
+      puts "OpenVPN config file not found: #{ovpnfilepath}!"
+      exit
+    end
+    return ovpnhash
+  end
+
+  module_function :getOVPNVendorConfigHash
+end

data/lib/ovpnmcgen/version.rb

@@ -1,4 +1,4 @@
 module Ovpnmcgen
-  VERSION = "0.0.2"
-  SUMMARY = "An OpenVPN iOS Configuration Profile Utility"
+  VERSION = "0.1.0"
+  SUMMARY = "An OpenVPN iOS Configuration Profile (.mobileconfig) Utility"
 end

data/ovpnmcgen.rb.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Ronald Ip"]
   spec.email         = ["myself@iphoting.com"]
   spec.summary       = Ovpnmcgen::SUMMARY
-  spec.description   = "This utility generates configuration profiles that enables VPN-on-Demand."
+  spec.description   = "Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility."
   spec.homepage      = ""
   spec.license       = "MIT"
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ovpnmcgen.rb
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Ronald Ip
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-26 00:00:00.000000000 Z
+date: 2014-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -66,7 +66,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4.1'
-description: This utility generates configuration profiles that enables VPN-on-Demand.
+description: Generates iOS configuration profiles (.mobileconfig) that configures
+  OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator
+  or the iPhone Configuration Utility.
 email:
 - myself@iphoting.com
 executables:
@@ -75,14 +77,14 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- ".ruby-gemset"
-- ".ruby-version"
+- ChangeLog
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - bin/ovpnmcgen.rb
 - lib/ovpnmcgen.rb
+- lib/ovpnmcgen/ovpnconfig.rb
 - lib/ovpnmcgen/version.rb
 - ovpnmcgen.rb.gemspec
 homepage: ''
@@ -108,5 +110,5 @@ rubyforge_project:
 rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
-summary: An OpenVPN iOS Configuration Profile Utility
+summary: An OpenVPN iOS Configuration Profile (.mobileconfig) Utility
 test_files: []

data/.ruby-gemset

@@ -1 +0,0 @@
-ovpnmcgen

data/.ruby-version

@@ -1 +0,0 @@
-ruby-2.1.1