ovpnmcgen.rb 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/ChangeLog +5 -0
- data/README.md +34 -5
- data/bin/ovpnmcgen.rb +12 -5
- data/lib/ovpnmcgen.rb +22 -8
- data/lib/ovpnmcgen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fdb5a1d34606c4cbb5765c7054f2e467c535b54d
|
|
4
|
+
data.tar.gz: 03169243a1c65f06da0c35ae43d4cbca470de610
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 20331f1211f7fc4848f936c6d4b72d06b6cc01dfcb6dc89f8d558ba4fdaa76ff0c91484928aea0ca56aef253ef0e1c9dbd05747f6ccfa8e97065fc68ea576da2
|
|
7
|
+
data.tar.gz: 0e30f9454ec12d9f8d3f9cbc7df5246925aba72a88c7ba14ca7a75119ebbbd7b8846f9b0165b8a772722b375f66a5e74ef2dff3f7ec71a821bcd02cd4790211e
|
data/ChangeLog
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
= 0.2.0 / 2014-04-18
|
|
2
|
+
* Support custom UUID value overrides.
|
|
3
|
+
* Support for security level, i.e. paranoid, high (default), medium.
|
|
4
|
+
* TLS-Auth keyfile now optional.
|
|
5
|
+
|
|
1
6
|
= 0.1.0 / 2014-03-27
|
|
2
7
|
* Added support for `--ovpnconfigfile`, `--port`, `--proto`.
|
|
3
8
|
* Shorter switches for `--[un]trusted-ssids`.
|
data/README.md
CHANGED
|
@@ -4,11 +4,11 @@ OpenVPN iOS Configuration Profile Utility
|
|
|
4
4
|
|
|
5
5
|
Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
|
|
6
6
|
|
|
7
|
-
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`.
|
|
7
|
+
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:
|
|
8
8
|
|
|
9
9
|
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
10
10
|
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
11
|
-
- Else if the primary network interface becomes Wifi (any SSID except those above), bring up the VPN connection.
|
|
11
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
|
|
12
12
|
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
13
13
|
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
14
14
|
|
|
@@ -40,16 +40,43 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
|
|
|
40
40
|
|
|
41
41
|
Options:
|
|
42
42
|
--cafile FILE Path to OpenVPN CA file. (Required)
|
|
43
|
-
--tafile FILE Path to TLS Key file.
|
|
43
|
+
--tafile FILE Path to TLS-Auth Key file.
|
|
44
44
|
--host HOSTNAME Hostname of OpenVPN server. (Required)
|
|
45
|
+
--proto PROTO OpenVPN server protocol. [Default: udp]
|
|
46
|
+
-p, --port PORT OpenVPN server port. [Default: 1194]
|
|
45
47
|
--p12file FILE Path to user PKCS#12 file. (Required)
|
|
46
48
|
--p12pass PASSWORD Password to unlock PKCS#12 file.
|
|
47
49
|
--[no-]vod Enable or Disable VPN-On-Demand. [Default: Enabled]
|
|
48
|
-
--
|
|
49
|
-
--
|
|
50
|
+
--security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
|
|
51
|
+
--vpn-uuid UUID Override a VPN configuration payload UUID.
|
|
52
|
+
--profile-uuid UUID Override a Profile UUID.
|
|
53
|
+
--cert-uuid UUID Override a Certificate payload UUID.
|
|
54
|
+
-t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
|
|
55
|
+
-u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
|
|
56
|
+
--ovpnconfigfile FILE Path to OpenVPN client config file.
|
|
50
57
|
-o, --output FILE Output to file. [Default: stdout]
|
|
51
58
|
```
|
|
52
59
|
|
|
60
|
+
### Security Levels
|
|
61
|
+
|
|
62
|
+
There are three different security levels to choose from, 'paranoid', 'high' (default), and 'medium'. The algorithm illustrated above is for 'high'.
|
|
63
|
+
|
|
64
|
+
For 'paranoid' security level, the following algorithm is executed upon network changes, in order:
|
|
65
|
+
|
|
66
|
+
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
67
|
+
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
68
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
|
|
69
|
+
- Else if the primary network interface becomes Cellular, unconditionally bring up the VPN connection on the next network attempt.
|
|
70
|
+
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
71
|
+
|
|
72
|
+
For 'medium' security level, the following algorithm is executed upon network changes, in order:
|
|
73
|
+
|
|
74
|
+
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
75
|
+
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
76
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), leave any existing VPN connection up, but do not reconnect on demand.
|
|
77
|
+
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
78
|
+
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
79
|
+
|
|
53
80
|
## Examples
|
|
54
81
|
|
|
55
82
|
### Typical Usage
|
|
@@ -277,6 +304,8 @@ Output similar to above:
|
|
|
277
304
|
|
|
278
305
|
The same UUID should be used for profile updates, so that iOS knows which profile to replace, especially in MDM environments.
|
|
279
306
|
|
|
307
|
+
Custom overrides now supported for UUIDs.
|
|
308
|
+
|
|
280
309
|
- Adopt OpenVPN parameters from an OpenVPN-compatible client.conf input file.
|
|
281
310
|
|
|
282
311
|
Implemented, but lacks support for inline `<ca|tls-auth>` data enclosures.
|
data/bin/ovpnmcgen.rb
CHANGED
|
@@ -19,13 +19,17 @@ command :generate do |c|
|
|
|
19
19
|
c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
|
|
20
20
|
c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name john-ipad@vpn.example.com'
|
|
21
21
|
c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
|
|
22
|
-
c.option '--tafile FILE', 'Path to TLS Key file.
|
|
22
|
+
c.option '--tafile FILE', 'Path to TLS-Auth Key file.'
|
|
23
23
|
c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
|
|
24
24
|
c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
|
|
25
25
|
c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
|
|
26
26
|
c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
|
|
27
27
|
c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
|
|
28
28
|
c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
|
|
29
|
+
c.option '--security-level LEVEL', 'Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]'
|
|
30
|
+
c.option '--vpn-uuid UUID', 'Override a VPN configuration payload UUID.'
|
|
31
|
+
c.option '--profile-uuid UUID', 'Override a Profile UUID.'
|
|
32
|
+
c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
|
|
29
33
|
c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
|
|
30
34
|
c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
|
|
31
35
|
c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
|
|
@@ -34,9 +38,8 @@ command :generate do |c|
|
|
|
34
38
|
raise ArgumentError.new "Invalid arguments. Run '#{File.basename(__FILE__)} help generate' for guidance" if args.nil? or args.length < 2
|
|
35
39
|
raise ArgumentError.new "Host is required" unless options.host
|
|
36
40
|
raise ArgumentError.new "cafile is required" unless options.cafile
|
|
37
|
-
raise ArgumentError.new "tafile is required" unless options.tafile
|
|
38
41
|
raise ArgumentError.new "PKCS#12 file is required" unless options.p12file
|
|
39
|
-
options.default :vod => true, :proto => 'udp', :port => 1194
|
|
42
|
+
options.default :vod => true, :proto => 'udp', :port => 1194, :security_level => 'high'
|
|
40
43
|
user, device, p12file, p12pass = args
|
|
41
44
|
inputs = {
|
|
42
45
|
:user => user,
|
|
@@ -44,15 +47,19 @@ command :generate do |c|
|
|
|
44
47
|
:p12file => options.p12file,
|
|
45
48
|
:p12pass => options.p12pass,
|
|
46
49
|
:cafile => options.cafile,
|
|
47
|
-
:tafile => options.tafile,
|
|
48
50
|
:host => options.host,
|
|
49
51
|
:proto => options.proto,
|
|
50
52
|
:port => options.port,
|
|
51
53
|
:enableVOD => options.vod,
|
|
52
54
|
:trusted_ssids => options.trusted_ssids,
|
|
53
|
-
:untrusted_ssids => options.untrusted_ssids
|
|
55
|
+
:untrusted_ssids => options.untrusted_ssids,
|
|
56
|
+
:profile_uuid => options.profile_uuid,
|
|
57
|
+
:vpn_uuid => options.vpn_uuid,
|
|
58
|
+
:cert_uuid => options.cert_uuid,
|
|
59
|
+
:security_level => options.security_level
|
|
54
60
|
}
|
|
55
61
|
inputs[:ovpnconfigfile] = options.ovpnconfigfile if options.ovpnconfigfile
|
|
62
|
+
inputs[:tafile] = options.tafile if options.tafile
|
|
56
63
|
|
|
57
64
|
unless options.output
|
|
58
65
|
puts Ovpnmcgen.generate(inputs)
|
data/lib/ovpnmcgen.rb
CHANGED
|
@@ -13,7 +13,9 @@ module Ovpnmcgen
|
|
|
13
13
|
def generate(inputs = {})
|
|
14
14
|
identifier = inputs[:identifier] || inputs[:host].split('.').reverse!.join('.')
|
|
15
15
|
port = inputs[:port] || 1194
|
|
16
|
-
certUUID = inputs[:
|
|
16
|
+
certUUID = inputs[:cert_uuid] || `uuidgen`.chomp.upcase
|
|
17
|
+
vpnUUID = inputs[:vpn_uuid] || `uuidgen`.chomp.upcase
|
|
18
|
+
plistUUID = inputs[:profile_uuid] || `uuidgen`.chomp.upcase
|
|
17
19
|
user, device, domain, host, proto, enableVOD = inputs[:user], inputs[:device], inputs[:host], inputs[:host], inputs[:proto], inputs[:enableVOD]
|
|
18
20
|
p12pass = inputs[:p12pass] || ''
|
|
19
21
|
trusted_ssids = inputs[:trusted_ssids] || false
|
|
@@ -31,7 +33,7 @@ module Ovpnmcgen
|
|
|
31
33
|
rescue Errno::ENOENT
|
|
32
34
|
puts "TLS file not found: #{inputs[:tafile]}!"
|
|
33
35
|
exit
|
|
34
|
-
end
|
|
36
|
+
end if inputs[:tafile]
|
|
35
37
|
|
|
36
38
|
begin
|
|
37
39
|
p12file = Base64.encode64(File.read(inputs[:p12file]))
|
|
@@ -47,13 +49,13 @@ module Ovpnmcgen
|
|
|
47
49
|
'client' => 'NOARGS',
|
|
48
50
|
'comp-lzo' => 'NOARGS',
|
|
49
51
|
'dev' => 'tun',
|
|
50
|
-
'key-direction' => '1',
|
|
51
52
|
'remote-cert-tls' => 'server'
|
|
52
53
|
}
|
|
53
54
|
end
|
|
54
55
|
ovpnconfighash['remote'] = "#{host} #{port} #{proto}"
|
|
55
56
|
ovpnconfighash['ca'] = ca_cert
|
|
56
|
-
ovpnconfighash['tls-auth'] = tls_auth
|
|
57
|
+
ovpnconfighash['tls-auth'] = tls_auth if inputs[:tafile]
|
|
58
|
+
ovpnconfighash['key-direction'] = '1' if inputs[:tafile]
|
|
57
59
|
|
|
58
60
|
vpnOnDemandRules = Array.new
|
|
59
61
|
vodTrusted = { # Trust only Wifi SSID
|
|
@@ -69,10 +71,22 @@ module Ovpnmcgen
|
|
|
69
71
|
|
|
70
72
|
vpnOnDemandRules << { # Untrust all Wifi
|
|
71
73
|
'InterfaceTypeMatch' => 'WiFi',
|
|
72
|
-
'Action' =>
|
|
74
|
+
'Action' => case inputs[:security_level]
|
|
75
|
+
when 'paranoid', 'high'
|
|
76
|
+
'Connect'
|
|
77
|
+
else # medium
|
|
78
|
+
'Ignore'
|
|
79
|
+
end
|
|
73
80
|
} << { # Trust Cellular
|
|
74
81
|
'InterfaceTypeMatch' => 'Cellular',
|
|
75
|
-
'Action' =>
|
|
82
|
+
'Action' => case inputs[:security_level]
|
|
83
|
+
when 'paranoid'
|
|
84
|
+
'Connect'
|
|
85
|
+
when 'high'
|
|
86
|
+
'Ignore'
|
|
87
|
+
else # medium
|
|
88
|
+
'Disconnect'
|
|
89
|
+
end
|
|
76
90
|
} << { # Default catch-all
|
|
77
91
|
'Action' => 'Connect'
|
|
78
92
|
}
|
|
@@ -96,7 +110,7 @@ module Ovpnmcgen
|
|
|
96
110
|
'PayloadIdentifier' => "#{identifier}.#{user}-#{device}.vpnconfig",
|
|
97
111
|
'PayloadOrganization' => domain,
|
|
98
112
|
'PayloadType' => 'com.apple.vpn.managed',
|
|
99
|
-
'PayloadUUID' =>
|
|
113
|
+
'PayloadUUID' => vpnUUID,
|
|
100
114
|
'PayloadVersion' => 1,
|
|
101
115
|
'UserDefinedName' => "#{host}/VoD",
|
|
102
116
|
'VPN' => {
|
|
@@ -121,7 +135,7 @@ module Ovpnmcgen
|
|
|
121
135
|
'PayloadOrganization' => domain,
|
|
122
136
|
'PayloadRemovalDisallowed' => false,
|
|
123
137
|
'PayloadType' => 'Configuration',
|
|
124
|
-
'PayloadUUID' =>
|
|
138
|
+
'PayloadUUID' => plistUUID,
|
|
125
139
|
'PayloadVersion' => 1,
|
|
126
140
|
#'EncryptedPayloadContent' => StringData.new(encPlistPayloadContent)
|
|
127
141
|
'PayloadContent' => plistPayloadContent
|
data/lib/ovpnmcgen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ovpnmcgen.rb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ronald Ip
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-04-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|