ovpnmcgen.rb 0.2.1 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ChangeLog +6 -2
- data/README.md +30 -5
- data/bin/ovpnmcgen.rb +2 -0
- data/features/gen_basic.feature +29 -0
- data/lib/ovpnmcgen/version.rb +1 -1
- data/lib/ovpnmcgen.rb +15 -6
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 510af3c4d73274fe91dff739fe77f883e3f5b79e
|
|
4
|
+
data.tar.gz: 39b381a40aadc97c26ee22500246be3b0e101879
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d38b4b00261d0593db63a8539c5fa65b2bd5d28e3a3f9b833d64a08cb332ec5a5ef4862f610372e4e6d991cbf63d954f05628b6f871dd141087def94e272cc52
|
|
7
|
+
data.tar.gz: 18d9405965ffc38ebd3676cc4e3e210ee3cc9be161ffd93c2bcfadb8082be88e2d3a57247f8fb7b8d6fd51c05b6fdc90c289a6620644d708aa3b136247facf9b
|
data/ChangeLog
CHANGED
|
@@ -1,4 +1,8 @@
|
|
|
1
|
-
= 0.
|
|
1
|
+
= 0.3.0 / 2014-05-04
|
|
2
|
+
* Documentation updates.
|
|
3
|
+
* Added support for `URLStringProbe`, via `--url-probe`.
|
|
4
|
+
|
|
5
|
+
= 0.2.1 / 2014-04-19
|
|
2
6
|
* Implement unit testing.
|
|
3
7
|
* Switch to a portable and native uuidgen implementation.
|
|
4
8
|
* Minor documentation improvements.
|
|
@@ -18,4 +22,4 @@
|
|
|
18
22
|
* Improved Documentation.
|
|
19
23
|
|
|
20
24
|
= 0.0.1 / 2014-03-26
|
|
21
|
-
* Initial Release.
|
|
25
|
+
* Initial Release.
|
data/README.md
CHANGED
|
@@ -2,11 +2,14 @@
|
|
|
2
2
|
|
|
3
3
|
OpenVPN iOS Configuration Profile Utility
|
|
4
4
|
|
|
5
|
-
[](http://waffle.io/iphoting/ovpnmcgen.rb)
|
|
6
|
+
[](http://badge.fury.io/gh/iphoting%2Fovpnmcgen.rb)
|
|
7
|
+
[](http://badge.fury.io/rb/ovpnmcgen.rb)
|
|
8
|
+
[](https://travis-ci.org/iphoting/ovpnmcgen.rb)
|
|
6
9
|
|
|
7
10
|
Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
|
|
8
11
|
|
|
9
|
-
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch` and `
|
|
12
|
+
Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch`, `InterfaceTypeMatch`, and optionally `URLStringProbe`. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:
|
|
10
13
|
|
|
11
14
|
- If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
|
|
12
15
|
- Else if wireless SSID matches any specified with `--untrusted-ssids`, unconditionally bring up the VPN connection on the next network attempt.
|
|
@@ -14,7 +17,7 @@ Although there are many possible VPN-on-Demand (VoD) triggers, this utility curr
|
|
|
14
17
|
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
15
18
|
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
16
19
|
|
|
17
|
-
Note: The other match triggers, such as `DNSDomainMatch`, `DNSServerAddressMatch`,
|
|
20
|
+
Note: The other match triggers, such as `DNSDomainMatch`, `DNSServerAddressMatch`, and per-connection domain inspection (`ActionParameters`), are not implemented. I reckon some kind of DSL will need to be built to support them; pull-requests are welcome.
|
|
18
21
|
|
|
19
22
|
## Installation
|
|
20
23
|
|
|
@@ -55,6 +58,7 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
|
|
|
55
58
|
--cert-uuid UUID Override a Certificate payload UUID.
|
|
56
59
|
-t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
|
|
57
60
|
-u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
|
|
61
|
+
--url-probe URL This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.
|
|
58
62
|
--ovpnconfigfile FILE Path to OpenVPN client config file.
|
|
59
63
|
-o, --output FILE Output to file. [Default: stdout]
|
|
60
64
|
```
|
|
@@ -79,6 +83,14 @@ For 'medium' security level, the following algorithm is executed upon network ch
|
|
|
79
83
|
- Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
|
|
80
84
|
- Else, unconditionally bring up the VPN connection on the next network attempt.
|
|
81
85
|
|
|
86
|
+
### URL Probe
|
|
87
|
+
|
|
88
|
+
Apple provides a `URLStringProbe` test condition where a VPN connection will only be established, if and only if a specified URL is successfully fetched (returning a 200 HTTP status code) without redirection.
|
|
89
|
+
|
|
90
|
+
This feature can be enabled for statistical and maintenance-protection reasons. Otherwise, it can also workaround a circular limitation with unsecured wireless captive portals. See Known Issues below for further elaboration.
|
|
91
|
+
|
|
92
|
+
By enabling this option, you will need to reliably and quickly respond with HTTP status code 200 at the URL string supplied.
|
|
93
|
+
|
|
82
94
|
## Examples
|
|
83
95
|
|
|
84
96
|
### Typical Usage
|
|
@@ -235,6 +247,7 @@ Output:
|
|
|
235
247
|
--p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad
|
|
236
248
|
|
|
237
249
|
Output similar to above:
|
|
250
|
+
|
|
238
251
|
```
|
|
239
252
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
240
253
|
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
@@ -303,16 +316,28 @@ Output similar to above:
|
|
|
303
316
|
|
|
304
317
|
- "Not connected to Internet" error/behaviour when VPN should be established.
|
|
305
318
|
|
|
319
|
+
Diagnosis: Load any site in Safari. An error message "Safari cannot open the page because your iPhone is not connected to the Internet" will be presented.
|
|
320
|
+
|
|
306
321
|
There is a bug in the iOS/OS X network routing code that hangs the routing system, preventing the gateway or IP address from being set. This happens more frequently when the tunnel is brought up/down more frequently.
|
|
307
322
|
|
|
308
323
|
Workaround: Hard-restart iOS. Press and hold down both the home and sleep/wake buttons until iOS turns off and back on with the Apple boot up screen. Release when the Apple boot up screen appears.
|
|
309
324
|
|
|
310
325
|
- Weird Rapid Connecting…/Disconnected behaviour.
|
|
311
326
|
|
|
327
|
+
Diagnosis: VPN status in Settings.app rapid alternates between Connecting… and Disconnected.
|
|
328
|
+
|
|
312
329
|
Usually happens when the VoD component is stuck in an infinite loop. Not sure what triggers it.
|
|
313
330
|
|
|
314
331
|
Workaround: Hard-restart iOS. Press and hold down both the home and sleep/wake buttons until iOS turns off and back on with the Apple boot up screen. Release when the Apple boot up screen appears.
|
|
315
332
|
|
|
333
|
+
- Cannot load Captive Portals (Hotspots on unsecured Wireless networks).
|
|
334
|
+
|
|
335
|
+
Some unsecured hotspots require navigating certain webpages before full access to the internet is available. This requirement blocks VPN connections and iOS will also block captive portal access, waiting on the VPN connection. This circular dependency results in no internet access.
|
|
336
|
+
|
|
337
|
+
Workaround: Manually disable VPN-on-Demand in Settings.app > VPN > Server (i) option screen. Reenable only after Internet access is available.
|
|
338
|
+
|
|
339
|
+
Solution: Implement `URLStringProbe` where, if and only if this URL is successfully fetched (returning a 200 HTTP status code) without redirection, will the VPN service be required, relied on, and brought up. Enable with the `--url-probe` flag.
|
|
340
|
+
|
|
316
341
|
## TODO
|
|
317
342
|
|
|
318
343
|
- Config file to specify global options, such as `--cafile`, `--tafile`, `--host`, `--[un]trusted-ssids`.
|
|
@@ -320,11 +345,11 @@ Output similar to above:
|
|
|
320
345
|
|
|
321
346
|
The same UUID should be used for profile updates, so that iOS knows which profile to replace, especially in MDM environments.
|
|
322
347
|
|
|
323
|
-
Custom overrides now supported
|
|
348
|
+
Custom UUID overrides now supported via `--{profile,vpn,cert}-uuid`.
|
|
324
349
|
|
|
325
350
|
- Adopt OpenVPN parameters from an OpenVPN-compatible client.conf input file.
|
|
326
351
|
|
|
327
|
-
Implemented, but
|
|
352
|
+
Implemented, but does not support inline `<ca|tls-auth>` data enclosures, and command line flags (that are required) override config file values.
|
|
328
353
|
|
|
329
354
|
- Sign/Encrypt .mobileconfig.
|
|
330
355
|
|
data/bin/ovpnmcgen.rb
CHANGED
|
@@ -32,6 +32,7 @@ command :generate do |c|
|
|
|
32
32
|
c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
|
|
33
33
|
c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
|
|
34
34
|
c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
|
|
35
|
+
c.option '--url-probe URL', 'This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.'
|
|
35
36
|
c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
|
|
36
37
|
c.option '-o', '--output FILE', 'Output to file. [Default: stdout]'
|
|
37
38
|
c.action do |args, options|
|
|
@@ -60,6 +61,7 @@ command :generate do |c|
|
|
|
60
61
|
}
|
|
61
62
|
inputs[:ovpnconfigfile] = options.ovpnconfigfile if options.ovpnconfigfile
|
|
62
63
|
inputs[:tafile] = options.tafile if options.tafile
|
|
64
|
+
inputs[:url_probe] = options.url_probe if options.url_probe
|
|
63
65
|
|
|
64
66
|
unless options.output
|
|
65
67
|
puts Ovpnmcgen.generate(inputs)
|
data/features/gen_basic.feature
CHANGED
|
@@ -122,6 +122,35 @@ Feature: Basic Generate Functionality
|
|
|
122
122
|
\s*<integer>0</integer>
|
|
123
123
|
"""
|
|
124
124
|
|
|
125
|
+
Scenario: The url-probe flag is set.
|
|
126
|
+
When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --url-probe 'https://url.to.probe/' cucumber aruba`
|
|
127
|
+
Then the output should match:
|
|
128
|
+
"""
|
|
129
|
+
<key>URLStringProbe</key>
|
|
130
|
+
\s*<string>https://url.to.probe/</string>
|
|
131
|
+
"""
|
|
132
|
+
And the output should match:
|
|
133
|
+
"""
|
|
134
|
+
<dict>
|
|
135
|
+
\s*<key>Action</key>
|
|
136
|
+
\s*<string>Ignore</string>
|
|
137
|
+
\s*</dict>
|
|
138
|
+
"""
|
|
139
|
+
|
|
140
|
+
Scenario: The url-probe flag is not set.
|
|
141
|
+
When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 cucumber aruba`
|
|
142
|
+
Then the output should not contain:
|
|
143
|
+
"""
|
|
144
|
+
<key>URLStringProbe</key>
|
|
145
|
+
"""
|
|
146
|
+
And the output should not match:
|
|
147
|
+
"""
|
|
148
|
+
<dict>
|
|
149
|
+
\s*<key>Action</key>
|
|
150
|
+
\s*<string>Ignore</string>
|
|
151
|
+
\s*</dict>
|
|
152
|
+
"""
|
|
153
|
+
|
|
125
154
|
Scenario: The [un]trusted-ssids flags are set.
|
|
126
155
|
When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --trusted-ssids trusted1,trusted2 --untrusted-ssids evil3,evil4 cucumber aruba`
|
|
127
156
|
Then the output should match:
|
data/lib/ovpnmcgen/version.rb
CHANGED
data/lib/ovpnmcgen.rb
CHANGED
|
@@ -63,10 +63,7 @@ module Ovpnmcgen
|
|
|
63
63
|
'SSIDMatch' => untrusted_ssids,
|
|
64
64
|
'Action' => 'Connect'
|
|
65
65
|
}
|
|
66
|
-
|
|
67
|
-
vpnOnDemandRules << vodUntrusted if untrusted_ssids
|
|
68
|
-
|
|
69
|
-
vpnOnDemandRules << { # Untrust all Wifi
|
|
66
|
+
vodWifiOnly = { # Untrust all Wifi
|
|
70
67
|
'InterfaceTypeMatch' => 'WiFi',
|
|
71
68
|
'Action' => case inputs[:security_level]
|
|
72
69
|
when 'paranoid', 'high'
|
|
@@ -74,7 +71,8 @@ module Ovpnmcgen
|
|
|
74
71
|
else # medium
|
|
75
72
|
'Ignore'
|
|
76
73
|
end
|
|
77
|
-
}
|
|
74
|
+
}
|
|
75
|
+
vodCellularOnly = { # Trust Cellular
|
|
78
76
|
'InterfaceTypeMatch' => 'Cellular',
|
|
79
77
|
'Action' => case inputs[:security_level]
|
|
80
78
|
when 'paranoid'
|
|
@@ -84,10 +82,21 @@ module Ovpnmcgen
|
|
|
84
82
|
else # medium
|
|
85
83
|
'Disconnect'
|
|
86
84
|
end
|
|
87
|
-
}
|
|
85
|
+
}
|
|
86
|
+
vodDefault = { # Default catch-all
|
|
88
87
|
'Action' => 'Connect'
|
|
89
88
|
}
|
|
90
89
|
|
|
90
|
+
# Insert URLStringProbe conditions when enabled with --url-probe
|
|
91
|
+
vodTrusted['URLStringProbe'] = vodUntrusted['URLStringProbe'] = vodWifiOnly['URLStringProbe'] = vodCellularOnly['URLStringProbe'] = vodDefault['URLStringProbe'] = inputs[:url_probe] if inputs[:url_probe]
|
|
92
|
+
|
|
93
|
+
vpnOnDemandRules << vodTrusted if trusted_ssids
|
|
94
|
+
vpnOnDemandRules << vodUntrusted if untrusted_ssids
|
|
95
|
+
vpnOnDemandRules << vodWifiOnly << vodCellularOnly << vodDefault
|
|
96
|
+
vpnOnDemandRules << { # Default catch-all when URLStringProbe is enabled and returns false to prevent circular race.
|
|
97
|
+
'Action' => 'Ignore'
|
|
98
|
+
} if inputs[:url_probe]
|
|
99
|
+
|
|
91
100
|
cert = {
|
|
92
101
|
'Password' => p12pass,
|
|
93
102
|
'PayloadCertificateFileName' => "#{user}-#{device}.p12",
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ovpnmcgen.rb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ronald Ip
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-04
|
|
11
|
+
date: 2014-05-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|