ovpnmcgen.rb 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ChangeLog +5 -0
- data/README.md +34 -5
- data/bin/ovpnmcgen.rb +12 -5
- data/lib/ovpnmcgen.rb +22 -8
- data/lib/ovpnmcgen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fdb5a1d34606c4cbb5765c7054f2e467c535b54d
|
|
4
|
+
data.tar.gz: 03169243a1c65f06da0c35ae43d4cbca470de610
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 20331f1211f7fc4848f936c6d4b72d06b6cc01dfcb6dc89f8d558ba4fdaa76ff0c91484928aea0ca56aef253ef0e1c9dbd05747f6ccfa8e97065fc68ea576da2
|
|
7
|
+
data.tar.gz: 0e30f9454ec12d9f8d3f9cbc7df5246925aba72a88c7ba14ca7a75119ebbbd7b8846f9b0165b8a772722b375f66a5e74ef2dff3f7ec71a821bcd02cd4790211e
|
data/ChangeLog
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
= 0.2.0 / 2014-04-18
|
|
2
|
+
* Support custom UUID value overrides.
|
|
3
|
+
* Support for security level, i.e. paranoid, high (default), medium.
|
|
4
|
+
* TLS-Auth keyfile now optional.
|
|
5
|
+
|
|
1
6
|
= 0.1.0 / 2014-03-27
|
|
2
7
|
* Added support for `--ovpnconfigfile`, `--port`, `--proto`.
|
|
3
8
|
* Shorter switches for `--[un]trusted-ssids`.
|
data/README.md
CHANGED
|
@@ -4,11 +4,11 @@ OpenVPN iOS Configuration Profile Utility
|
|
|
4
4
|
|
|
5
5
|
Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
|
|
6
6
|
|
|
7
|
-
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`.
|
|
7
|
+
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `InterfaceTypeMatch`. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:
|
|
8
8
|
|
|
9
9
|
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
10
10
|
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
11
|
-
- Else if the primary network interface becomes Wifi (any SSID except those above), bring up the VPN connection.
|
|
11
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
|
|
12
12
|
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
13
13
|
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
14
14
|
|
|
@@ -40,16 +40,43 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
|
|
|
40
40
|
|
|
41
41
|
Options:
|
|
42
42
|
--cafile FILE Path to OpenVPN CA file. (Required)
|
|
43
|
-
--tafile FILE Path to TLS Key file.
|
|
43
|
+
--tafile FILE Path to TLS-Auth Key file.
|
|
44
44
|
--host HOSTNAME Hostname of OpenVPN server. (Required)
|
|
45
|
+
--proto PROTO OpenVPN server protocol. [Default: udp]
|
|
46
|
+
-p, --port PORT OpenVPN server port. [Default: 1194]
|
|
45
47
|
--p12file FILE Path to user PKCS#12 file. (Required)
|
|
46
48
|
--p12pass PASSWORD Password to unlock PKCS#12 file.
|
|
47
49
|
--[no-]vod Enable or Disable VPN-On-Demand. [Default: Enabled]
|
|
48
|
-
--
|
|
49
|
-
--
|
|
50
|
+
--security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
|
|
51
|
+
--vpn-uuid UUID Override a VPN configuration payload UUID.
|
|
52
|
+
--profile-uuid UUID Override a Profile UUID.
|
|
53
|
+
--cert-uuid UUID Override a Certificate payload UUID.
|
|
54
|
+
-t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
|
|
55
|
+
-u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
|
|
56
|
+
--ovpnconfigfile FILE Path to OpenVPN client config file.
|
|
50
57
|
-o, --output FILE Output to file. [Default: stdout]
|
|
51
58
|
```
|
|
52
59
|
|
|
60
|
+
### Security Levels
|
|
61
|
+
|
|
62
|
+
There are three different security levels to choose from, 'paranoid', 'high' (default), and 'medium'. The algorithm illustrated above is for 'high'.
|
|
63
|
+
|
|
64
|
+
For 'paranoid' security level, the following algorithm is executed upon network changes, in order:
|
|
65
|
+
|
|
66
|
+
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
67
|
+
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
68
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
|
|
69
|
+
- Else if the primary network interface becomes Cellular, unconditionally bring up the VPN connection on the next network attempt.
|
|
70
|
+
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
71
|
+
|
|
72
|
+
For 'medium' security level, the following algorithm is executed upon network changes, in order:
|
|
73
|
+
|
|
74
|
+
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
75
|
+
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
76
|
+
- Else if the primary network interface becomes Wifi (any SSID except those above), leave any existing VPN connection up, but do not reconnect on demand.
|
|
77
|
+
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
78
|
+
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
79
|
+
|
|
53
80
|
## Examples
|
|
54
81
|
|
|
55
82
|
### Typical Usage
|
|
@@ -277,6 +304,8 @@ Output similar to above:
|
|
|
277
304
|
|
|
278
305
|
The same UUID should be used for profile updates, so that iOS knows which profile to replace, especially in MDM environments.
|
|
279
306
|
|
|
307
|
+
Custom overrides now supported for UUIDs.
|
|
308
|
+
|
|
280
309
|
- Adopt OpenVPN parameters from an OpenVPN-compatible client.conf input file.
|
|
281
310
|
|
|
282
311
|
Implemented, but lacks support for inline `<ca|tls-auth>` data enclosures.
|
data/bin/ovpnmcgen.rb
CHANGED
|
@@ -19,13 +19,17 @@ command :generate do |c|
|
|
|
19
19
|
c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
|
|
20
20
|
c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name john-ipad@vpn.example.com'
|
|
21
21
|
c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
|
|
22
|
-
c.option '--tafile FILE', 'Path to TLS Key file.
|
|
22
|
+
c.option '--tafile FILE', 'Path to TLS-Auth Key file.'
|
|
23
23
|
c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
|
|
24
24
|
c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
|
|
25
25
|
c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
|
|
26
26
|
c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
|
|
27
27
|
c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
|
|
28
28
|
c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
|
|
29
|
+
c.option '--security-level LEVEL', 'Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]'
|
|
30
|
+
c.option '--vpn-uuid UUID', 'Override a VPN configuration payload UUID.'
|
|
31
|
+
c.option '--profile-uuid UUID', 'Override a Profile UUID.'
|
|
32
|
+
c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
|
|
29
33
|
c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
|
|
30
34
|
c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
|
|
31
35
|
c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
|
|
@@ -34,9 +38,8 @@ command :generate do |c|
|
|
|
34
38
|
raise ArgumentError.new "Invalid arguments. Run '#{File.basename(__FILE__)} help generate' for guidance" if args.nil? or args.length < 2
|
|
35
39
|
raise ArgumentError.new "Host is required" unless options.host
|
|
36
40
|
raise ArgumentError.new "cafile is required" unless options.cafile
|
|
37
|
-
raise ArgumentError.new "tafile is required" unless options.tafile
|
|
38
41
|
raise ArgumentError.new "PKCS#12 file is required" unless options.p12file
|
|
39
|
-
options.default :vod => true, :proto => 'udp', :port => 1194
|
|
42
|
+
options.default :vod => true, :proto => 'udp', :port => 1194, :security_level => 'high'
|
|
40
43
|
user, device, p12file, p12pass = args
|
|
41
44
|
inputs = {
|
|
42
45
|
:user => user,
|
|
@@ -44,15 +47,19 @@ command :generate do |c|
|
|
|
44
47
|
:p12file => options.p12file,
|
|
45
48
|
:p12pass => options.p12pass,
|
|
46
49
|
:cafile => options.cafile,
|
|
47
|
-
:tafile => options.tafile,
|
|
48
50
|
:host => options.host,
|
|
49
51
|
:proto => options.proto,
|
|
50
52
|
:port => options.port,
|
|
51
53
|
:enableVOD => options.vod,
|
|
52
54
|
:trusted_ssids => options.trusted_ssids,
|
|
53
|
-
:untrusted_ssids => options.untrusted_ssids
|
|
55
|
+
:untrusted_ssids => options.untrusted_ssids,
|
|
56
|
+
:profile_uuid => options.profile_uuid,
|
|
57
|
+
:vpn_uuid => options.vpn_uuid,
|
|
58
|
+
:cert_uuid => options.cert_uuid,
|
|
59
|
+
:security_level => options.security_level
|
|
54
60
|
}
|
|
55
61
|
inputs[:ovpnconfigfile] = options.ovpnconfigfile if options.ovpnconfigfile
|
|
62
|
+
inputs[:tafile] = options.tafile if options.tafile
|
|
56
63
|
|
|
57
64
|
unless options.output
|
|
58
65
|
puts Ovpnmcgen.generate(inputs)
|
data/lib/ovpnmcgen.rb
CHANGED
|
@@ -13,7 +13,9 @@ module Ovpnmcgen
|
|
|
13
13
|
def generate(inputs = {})
|
|
14
14
|
identifier = inputs[:identifier] || inputs[:host].split('.').reverse!.join('.')
|
|
15
15
|
port = inputs[:port] || 1194
|
|
16
|
-
certUUID = inputs[:
|
|
16
|
+
certUUID = inputs[:cert_uuid] || `uuidgen`.chomp.upcase
|
|
17
|
+
vpnUUID = inputs[:vpn_uuid] || `uuidgen`.chomp.upcase
|
|
18
|
+
plistUUID = inputs[:profile_uuid] || `uuidgen`.chomp.upcase
|
|
17
19
|
user, device, domain, host, proto, enableVOD = inputs[:user], inputs[:device], inputs[:host], inputs[:host], inputs[:proto], inputs[:enableVOD]
|
|
18
20
|
p12pass = inputs[:p12pass] || ''
|
|
19
21
|
trusted_ssids = inputs[:trusted_ssids] || false
|
|
@@ -31,7 +33,7 @@ module Ovpnmcgen
|
|
|
31
33
|
rescue Errno::ENOENT
|
|
32
34
|
puts "TLS file not found: #{inputs[:tafile]}!"
|
|
33
35
|
exit
|
|
34
|
-
end
|
|
36
|
+
end if inputs[:tafile]
|
|
35
37
|
|
|
36
38
|
begin
|
|
37
39
|
p12file = Base64.encode64(File.read(inputs[:p12file]))
|
|
@@ -47,13 +49,13 @@ module Ovpnmcgen
|
|
|
47
49
|
'client' => 'NOARGS',
|
|
48
50
|
'comp-lzo' => 'NOARGS',
|
|
49
51
|
'dev' => 'tun',
|
|
50
|
-
'key-direction' => '1',
|
|
51
52
|
'remote-cert-tls' => 'server'
|
|
52
53
|
}
|
|
53
54
|
end
|
|
54
55
|
ovpnconfighash['remote'] = "#{host} #{port} #{proto}"
|
|
55
56
|
ovpnconfighash['ca'] = ca_cert
|
|
56
|
-
ovpnconfighash['tls-auth'] = tls_auth
|
|
57
|
+
ovpnconfighash['tls-auth'] = tls_auth if inputs[:tafile]
|
|
58
|
+
ovpnconfighash['key-direction'] = '1' if inputs[:tafile]
|
|
57
59
|
|
|
58
60
|
vpnOnDemandRules = Array.new
|
|
59
61
|
vodTrusted = { # Trust only Wifi SSID
|
|
@@ -69,10 +71,22 @@ module Ovpnmcgen
|
|
|
69
71
|
|
|
70
72
|
vpnOnDemandRules << { # Untrust all Wifi
|
|
71
73
|
'InterfaceTypeMatch' => 'WiFi',
|
|
72
|
-
'Action' =>
|
|
74
|
+
'Action' => case inputs[:security_level]
|
|
75
|
+
when 'paranoid', 'high'
|
|
76
|
+
'Connect'
|
|
77
|
+
else # medium
|
|
78
|
+
'Ignore'
|
|
79
|
+
end
|
|
73
80
|
} << { # Trust Cellular
|
|
74
81
|
'InterfaceTypeMatch' => 'Cellular',
|
|
75
|
-
'Action' =>
|
|
82
|
+
'Action' => case inputs[:security_level]
|
|
83
|
+
when 'paranoid'
|
|
84
|
+
'Connect'
|
|
85
|
+
when 'high'
|
|
86
|
+
'Ignore'
|
|
87
|
+
else # medium
|
|
88
|
+
'Disconnect'
|
|
89
|
+
end
|
|
76
90
|
} << { # Default catch-all
|
|
77
91
|
'Action' => 'Connect'
|
|
78
92
|
}
|
|
@@ -96,7 +110,7 @@ module Ovpnmcgen
|
|
|
96
110
|
'PayloadIdentifier' => "#{identifier}.#{user}-#{device}.vpnconfig",
|
|
97
111
|
'PayloadOrganization' => domain,
|
|
98
112
|
'PayloadType' => 'com.apple.vpn.managed',
|
|
99
|
-
'PayloadUUID' =>
|
|
113
|
+
'PayloadUUID' => vpnUUID,
|
|
100
114
|
'PayloadVersion' => 1,
|
|
101
115
|
'UserDefinedName' => "#{host}/VoD",
|
|
102
116
|
'VPN' => {
|
|
@@ -121,7 +135,7 @@ module Ovpnmcgen
|
|
|
121
135
|
'PayloadOrganization' => domain,
|
|
122
136
|
'PayloadRemovalDisallowed' => false,
|
|
123
137
|
'PayloadType' => 'Configuration',
|
|
124
|
-
'PayloadUUID' =>
|
|
138
|
+
'PayloadUUID' => plistUUID,
|
|
125
139
|
'PayloadVersion' => 1,
|
|
126
140
|
#'EncryptedPayloadContent' => StringData.new(encPlistPayloadContent)
|
|
127
141
|
'PayloadContent' => plistPayloadContent
|
data/lib/ovpnmcgen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ovpnmcgen.rb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ronald Ip
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-04-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|