ovpnmcgen.rb 0.1.0 → 0.2.0

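--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 367d863a65d76ef7131544d0cfeabe155b43ada8
-data.tar.gz: 638bd7fb996c3f265005992d0d452d41fceb1ab3
+metadata.gz: fdb5a1d34606c4cbb5765c7054f2e467c535b54d
+data.tar.gz: 03169243a1c65f06da0c35ae43d4cbca470de610
 SHA512:
-metadata.gz: 11d4d579cb0a28ed0536afb99ba0c98c88c97923c0c1deaa7acc4dedd01dc8ef24f315a0bcc2fa2164511216c65164b39bdcdd7c97b6506ef7078e715aace314
-data.tar.gz: f981db017988637593dc2b883531014040fefbe4b0846187a330519960a2e310690c757bd0e1a9020253a16dd139f4f0aa6cdbff8491ced055da851b1c27cd46
+metadata.gz: 20331f1211f7fc4848f936c6d4b72d06b6cc01dfcb6dc89f8d558ba4fdaa76ff0c91484928aea0ca56aef253ef0e1c9dbd05747f6ccfa8e97065fc68ea576da2
+data.tar.gz: 0e30f9454ec12d9f8d3f9cbc7df5246925aba72a88c7ba14ca7a75119ebbbd7b8846f9b0165b8a772722b375f66a5e74ef2dff3f7ec71a821bcd02cd4790211e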
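--- a/data/ChangeLog
+++ b/data/ChangeLog
@@ -1,3 +1,8 @@
+= 0.2.0 / 2014-04-18
+* Support custom UUID value overrides.
+* Support for security level, i.e. paranoid, high (default), medium.
+* TLS-Auth keyfile now optional.
+
 = 0.1.0 / 2014-03-27
 * Added support for `--ovpnconfigfile`, `--port`, `--proto`.
 * Shorter switches for `--[un]trusted-ssids`.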
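--- a/data/README.md
+++ b/data/README.md
@@ -4,11 +4,11 @@ OpenVPN iOS Configuration Profile Utility
 
 Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
 
-Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`. The following algorithm is executed upon network changes, in order:
+Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:
 
 - If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
 - Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
-- Else if the primary network interface becomes Wifi (any SSID except those above), bring up the VPN connection.
+- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
 - Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
 - Else, unconditionally bring up the VPN connection on the next network attempt.
 
@@ -40,16 +40,43 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
 
 Options:
 --cafile FILE Path to OpenVPN CA file. (Required)
---tafile FILE Path to TLS Key file. (Required)
+--tafile FILE Path to TLS-Auth Key file.
 --host HOSTNAME Hostname of OpenVPN server. (Required)
+--proto PROTO OpenVPN server protocol. [Default: udp]
+-p, --port PORT OpenVPN server port. [Default: 1194]
 --p12file FILE Path to user PKCS#12 file. (Required)
 --p12pass PASSWORD Password to unlock PKCS#12 file.
 --[no-]vod Enable or Disable VPN-On-Demand. [Default: Enabled]
---trusted-ssids SSIDS List of comma-separated trusted SSIDs.
---untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
+--security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
+--vpn-uuid UUID Override a VPN configuration payload UUID.
+--profile-uuid UUID Override a Profile UUID.
+--cert-uuid UUID Override a Certificate payload UUID.
+-t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
+-u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
+--ovpnconfigfile FILE Path to OpenVPN client config file.
 -o, --output FILE Output to file. [Default: stdout]
 ```
 
+### Security Levels
+
+There are three different security levels to choose from, 'paranoid', 'high' (default), and 'medium'. The algorithm illustrated above is for 'high'.
+
+For 'paranoid' security level, the following algorithm is executed upon network changes, in order:
+
+- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
+- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
+- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
+- Else if the primary network interface becomes Cellular, unconditionally bring up the VPN connection on the next network attempt.
+- Else, unconditionally bring up the VPN connection on the next network attempt.
+
+For 'medium' security level, the following algorithm is executed upon network changes, in order:
+
+- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
+- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
+- Else if the primary network interface becomes Wifi (any SSID except those above), leave any existing VPN connection up, but do not reconnect on demand.
+- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
+- Else, unconditionally bring up the VPN connection on the next network attempt.
+
 ## Examples
 
 ### Typical Usage
@@ -277,6 +304,8 @@ Output similar to above:
 
 The same UUID should be used for profile updates, so that iOS knows which profile to replace, especially in MDM environments.
 
+Custom overrides now supported for UUIDs.
+
 - Adopt OpenVPN parameters from an OpenVPN-compatible client.conf input file.
 
 Implemented, but lacks support for inline `<ca|tls-auth>` data enclosures.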
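--- a/data/bin/ovpnmcgen.rb
+++ b/data/bin/ovpnmcgen.rb
@@ -19,13 +19,17 @@ command :generate do |c|
 c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
 c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name john-ipad@vpn.example.com'
 c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
-c.option '--tafile FILE', 'Path to TLS Key file. (Required)'
+c.option '--tafile FILE', 'Path to TLS-Auth Key file.'
 c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
 c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
 c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
 c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
 c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
 c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
+c.option '--security-level LEVEL', 'Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]'
+c.option '--vpn-uuid UUID', 'Override a VPN configuration payload UUID.'
+c.option '--profile-uuid UUID', 'Override a Profile UUID.'
+c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
 c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
 c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
 c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
@@ -34,9 +38,8 @@ command :generate do |c|
 raise ArgumentError.new "Invalid arguments. Run '#{File.basename(__FILE__)} help generate' for guidance" if args.nil? or args.length < 2
 raise ArgumentError.new "Host is required" unless options.host
 raise ArgumentError.new "cafile is required" unless options.cafile
-raise ArgumentError.new "tafile is required" unless options.tafile
 raise ArgumentError.new "PKCS#12 file is required" unless options.p12file
-options.default :vod => true, :proto => 'udp', :port => 1194
+options.default :vod => true, :proto => 'udp', :port => 1194, :security_level => 'high'
 user, device, p12file, p12pass = args
 inputs = {
 :user => user,
@@ -44,15 +47,19 @@ command :generate do |c|
 :p12file => options.p12file,
 :p12pass => options.p12pass,
 :cafile => options.cafile,
-:tafile => options.tafile,
 :host => options.host,
 :proto => options.proto,
 :port => options.port,
 :enableVOD => options.vod,
 :trusted_ssids => options.trusted_ssids,
-:untrusted_ssids => options.untrusted_ssids
+:untrusted_ssids => options.untrusted_ssids,
+:profile_uuid => options.profile_uuid,
+:vpn_uuid => options.vpn_uuid,
+:cert_uuid => options.cert_uuid,
+:security_level => options.security_level
 }
 inputs[:ovpnconfigfile] = options.ovpnconfigfile if options.ovpnconfigfile
+inputs[:tafile] = options.tafile if options.tafile
 
 unless options.output
 puts Ovpnmcgen.generate(inputs)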
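Review bot: In the second hunk, `options.default` supplies `:security_level => 'high'` but nothing checks the value the operator actually passed, and the generator (data/lib/ovpnmcgen.rb in this same diff) treats any unrecognised level as 'medium', so `--security-level hgih` silently produces the weakest on-demand rules instead of an error. Add, after the `options.default` line, `raise ArgumentError.new "security-level must be one of: paranoid, high, medium" unless %w[paranoid high medium].include?(options.security_level)`, matching the existing required-option checks above it. Dropping the `tafile is required` check is fine, but an operator who simply forgets `--tafile` now gets a profile without tls-auth and no indication of it; a one-line `$stderr.puts "Warning: no --tafile given, profile will not use tls-auth" unless options.tafile` next to the `inputs[:tafile] = ...` line in the third hunk would make the downgrade visible. The `command :generate` block begins before the first hunk and its `c.action` body continues past the last one.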
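--- a/data/lib/ovpnmcgen.rb
+++ b/data/lib/ovpnmcgen.rb
@@ -13,7 +13,9 @@ module Ovpnmcgen
 def generate(inputs = {})
 identifier = inputs[:identifier] || inputs[:host].split('.').reverse!.join('.')
 port = inputs[:port] || 1194
-certUUID = inputs[:certUUID] || `uuidgen`.chomp.upcase
+certUUID = inputs[:cert_uuid] || `uuidgen`.chomp.upcase
+vpnUUID = inputs[:vpn_uuid] || `uuidgen`.chomp.upcase
+plistUUID = inputs[:profile_uuid] || `uuidgen`.chomp.upcase
 user, device, domain, host, proto, enableVOD = inputs[:user], inputs[:device], inputs[:host], inputs[:host], inputs[:proto], inputs[:enableVOD]
 p12pass = inputs[:p12pass] || ''
 trusted_ssids = inputs[:trusted_ssids] || false
@@ -31,7 +33,7 @@ module Ovpnmcgen
 rescue Errno::ENOENT
 puts "TLS file not found: #{inputs[:tafile]}!"
 exit
-end
+end if inputs[:tafile]
 
 begin
 p12file = Base64.encode64(File.read(inputs[:p12file]))
@@ -47,13 +49,13 @@ module Ovpnmcgen
 'client' => 'NOARGS',
 'comp-lzo' => 'NOARGS',
 'dev' => 'tun',
-'key-direction' => '1',
 'remote-cert-tls' => 'server'
 }
 end
 ovpnconfighash['remote'] = "#{host} #{port} #{proto}"
 ovpnconfighash['ca'] = ca_cert
-ovpnconfighash['tls-auth'] = tls_auth
+ovpnconfighash['tls-auth'] = tls_auth if inputs[:tafile]
+ovpnconfighash['key-direction'] = '1' if inputs[:tafile]
 
 vpnOnDemandRules = Array.new
 vodTrusted = { # Trust only Wifi SSID
@@ -69,10 +71,22 @@ module Ovpnmcgen
 
 vpnOnDemandRules << { # Untrust all Wifi
 'InterfaceTypeMatch' => 'WiFi',
-'Action' => 'Connect'
+'Action' => case inputs[:security_level]
+when 'paranoid', 'high'
+'Connect'
+else # medium
+'Ignore'
+end
 } << { # Trust Cellular
 'InterfaceTypeMatch' => 'Cellular',
-'Action' => 'Ignore'
+'Action' => case inputs[:security_level]
+when 'paranoid'
+'Connect'
+when 'high'
+'Ignore'
+else # medium
+'Disconnect'
+end
 } << { # Default catch-all
 'Action' => 'Connect'
 }
@@ -96,7 +110,7 @@ module Ovpnmcgen
 'PayloadIdentifier' => "#{identifier}.#{user}-#{device}.vpnconfig",
 'PayloadOrganization' => domain,
 'PayloadType' => 'com.apple.vpn.managed',
-'PayloadUUID' => `uuidgen`.chomp.upcase,
+'PayloadUUID' => vpnUUID,
 'PayloadVersion' => 1,
 'UserDefinedName' => "#{host}/VoD",
 'VPN' => {
@@ -121,7 +135,7 @@ module Ovpnmcgen
 'PayloadOrganization' => domain,
 'PayloadRemovalDisallowed' => false,
 'PayloadType' => 'Configuration',
-'PayloadUUID' => `uuidgen`.chomp.upcase,
+'PayloadUUID' => plistUUID,
 'PayloadVersion' => 1,
 #'EncryptedPayloadContent' => StringData.new(encPlistPayloadContent)
 'PayloadContent' => plistPayloadContent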
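Review bot: In the VPN-on-Demand rules hunk, `case inputs[:security_level]` has no `when 'medium'` arm, so a nil or unrecognised level lands in `else` and gets the weakest rules: a library caller written against 0.1.0 that never passes `:security_level` now receives WiFi `Ignore` where 0.1.0 emitted `Connect`, and a mistyped level fails open the same way. A missing key should default to `'high'` and anything else should be rejected rather than downgraded. The `else` arm for Cellular also emits `Disconnect`, which tears the tunnel down, while the README entry for 'medium' says the existing connection is left up and not reconnected (the wording that maps to `Ignore` for 'high'); one of the two needs to change, and the rewrite below follows the README, so adjust it if `Disconnect` was the intent. Separately, renaming the override key from `:certUUID` to `:cert_uuid` in the first hunk silently discards overrides passed by existing callers; `inputs[:cert_uuid] || inputs[:certUUID]` keeps them working. `generate` starts before the section's first hunk and ends after its last.
```ruby
# Actions for the InterfaceTypeMatch rules, by security level. A missing
# level means 'high' (the 0.1.0 behaviour); an unrecognised one is an error
# rather than a silent downgrade to the weakest rule set.
vod_actions = {
  'paranoid' => { 'WiFi' => 'Connect', 'Cellular' => 'Connect' },
  'high'     => { 'WiFi' => 'Connect', 'Cellular' => 'Ignore' },
  'medium'   => { 'WiFi' => 'Ignore',  'Cellular' => 'Ignore' } # per README
}
level = inputs[:security_level] || 'high'
actions = vod_actions.fetch(level) do |unknown|
  raise ArgumentError, "Unknown security level: #{unknown.inspect}"
end
vpnOnDemandRules << { # Any other Wifi
  'InterfaceTypeMatch' => 'WiFi',
  'Action' => actions['WiFi']
} << { # Cellular
  'InterfaceTypeMatch' => 'Cellular',
  'Action' => actions['Cellular']
} << { # Default catch-all
  'Action' => 'Connect'
}
```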
@@ -1,4 +1,4 @@
1
1
  module Ovpnmcgen
2
- VERSION = "0.1.0"
2
+ VERSION = "0.2.0"
3
3
  SUMMARY = "An OpenVPN iOS Configuration Profile (.mobileconfig) Utility"
4
4
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ovpnmcgen.rb
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ronald Ip
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-03-27 00:00:00.000000000 Z
11
+ date: 2014-04-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler