Generate mobileconfigs for WireGuard (#1698)

* Generate mobileconfigs for WireGuard

* add xmllint to wireguard profiles

* Enable onDemand prompts for WireGuard

* linting
Jack Ivanov 4 years ago committed by GitHub
parent 512b5660e1
commit 1e8a9c5cf1

@ -52,42 +52,43 @@
when: when:
- server_name is undefined - server_name is undefined
- algo_provider != "local" - algo_provider != "local"
- block:
- name: Cellular On Demand prompt
pause:
prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
register: _ondemand_cellular
when: ondemand_cellular is undefined
- name: Wi-Fi On Demand prompt - name: Cellular On Demand prompt
pause: pause:
prompt: | prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N] [y/N]
register: _ondemand_wifi register: _ondemand_cellular
when: ondemand_wifi is undefined when: ondemand_cellular is undefined
- name: Wi-Fi On Demand prompt
pause:
prompt: |
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
register: _ondemand_wifi
when: ondemand_wifi is undefined
- name: Trusted Wi-Fi networks prompt - name: Trusted Wi-Fi networks prompt
pause: pause:
prompt: | prompt: |
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand" List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
register: _ondemand_wifi_exclude register: _ondemand_wifi_exclude
when: when:
- ondemand_wifi_exclude is undefined - ondemand_wifi_exclude is undefined
- (ondemand_wifi|default(false)|bool) or - (ondemand_wifi|default(false)|bool) or
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
- name: Retain the PKI prompt - name: Retain the PKI prompt
pause: pause:
prompt: | prompt: |
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N] [y/N]
register: _store_pki register: _store_pki
when: store_pki is undefined when:
when: ipsec_enabled - store_pki is undefined
- ipsec_enabled
- name: DNS adblocking prompt - name: DNS adblocking prompt
pause: pause:

@ -8,7 +8,8 @@
- "{{ wireguard_pki_path }}/preshared" - "{{ wireguard_pki_path }}/preshared"
- "{{ wireguard_pki_path }}/private" - "{{ wireguard_pki_path }}/private"
- "{{ wireguard_pki_path }}/public" - "{{ wireguard_pki_path }}/public"
- "{{ wireguard_config_path }}" - "{{ wireguard_config_path }}/apple/ios"
- "{{ wireguard_config_path }}/apple/macos"
delegate_to: localhost delegate_to: localhost
become: false become: false
@ -51,6 +52,13 @@
vars: vars:
index: "{{ item.0 }}" index: "{{ item.0 }}"
- include_tasks: mobileconfig.yml
loop:
- ios
- macos
loop_control:
loop_var: system
- name: Generate QR codes - name: Generate QR codes
shell: > shell: >
umask 077; umask 077;

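--- /dev/null
+++ b/mobileconfig.yml
@@ -0,0 +1,10 @@
+---
+- name: WireGuard apple mobileconfig generated
+template:
+src: mobileconfig.j2
+dest: "{{ wireguard_config_path }}/apple/{{ system }}/{{ item.1 }}.mobileconfig"
+mode: "0600"
+with_indexed_items: "{{ wireguard_users }}"
+when: item.1 in users
+vars:
+index: "{{ item.0 }}"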

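--- /dev/null
+++ b/mobileconfig.j2
@@ -0,0 +1,25 @@
+#jinja2:lstrip_blocks: True
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>PayloadContent</key>
+<array>
+{% include 'vpn-dict.j2' %}
+</array>
+<key>PayloadDisplayName</key>
+<string>AlgoVPN {{ algo_server_name }} WireGuard</string>
+<key>PayloadIdentifier</key>
+<string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
+<key>PayloadOrganization</key>
+<string>AlgoVPN</string>
+<key>PayloadRemovalDisallowed</key>
+<false/>
+<key>PayloadType</key>
+<string>Configuration</string>
+<key>PayloadUUID</key>
+<string>{{ 400000 | random | to_uuid | upper }}</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</plist>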
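Review bot: `PayloadIdentifier` and `PayloadUUID` are drawn from `500000 | random` and `400000 | random`, so every playbook run emits a profile with fresh identifiers; on Apple devices a profile with a different PayloadIdentifier is presumably installed alongside the previous one rather than replacing it, which would leave a superseded key on the device after a re-generation — worth confirming. The inner payload in vpn-dict.j2 already derives its identifiers deterministically from `algo_server_name` and `system`; doing the same here, with the user name added so profiles stay distinct (`item.1` is in scope from the `with_indexed_items` loop in mobileconfig.yml), e.g. `<string>donut.local.{{ (algo_server_name + system + item.1) | to_uuid | upper }}</string>`, would make re-generation idempotent. The two different bounds (500000 vs 400000) also look accidental rather than meaningful.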

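--- /dev/null
+++ b/vpn-dict.j2
@@ -0,0 +1,94 @@
+<dict>
+<key>IPv4</key>
+<dict>
+<key>OverridePrimary</key>
+<integer>1</integer>
+</dict>
+<key>PayloadDescription</key>
+<string>Configures VPN settings</string>
+<key>PayloadDisplayName</key>
+<string>{{ algo_server_name }}</string>
+<key>PayloadIdentifier</key>
+<string>com.apple.vpn.managed.{{ algo_server_name + system | to_uuid | upper }}</string>
+<key>PayloadType</key>
+<string>com.apple.vpn.managed</string>
+<key>PayloadUUID</key>
+<string>{{ algo_server_name + system | to_uuid | upper }}</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+<key>Proxies</key>
+<dict>
+<key>HTTPEnable</key>
+<integer>0</integer>
+<key>HTTPSEnable</key>
+<integer>0</integer>
+</dict>
+<key>UserDefinedName</key>
+<string>AlgoVPN {{ algo_server_name }}</string>
+<key>VPN</key>
+<dict>
+<key>OnDemandEnabled</key>
+<integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
+<key>OnDemandRules</key>
+<array>
+{% if algo_ondemand_wifi or algo_ondemand_cellular %}
+{% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
+{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
+<dict>
+<key>Action</key>
+<string>Disconnect</string>
+<key>InterfaceTypeMatch</key>
+<string>WiFi</string>
+<key>SSIDMatch</key>
+<array>
+{% for network_name in WIFI_EXCLUDE_LIST %}
+<string>{{ network_name|e }}</string>
+{% endfor %}
+</array>
+</dict>
+{% endif %}
+<dict>
+<key>Action</key>
+{% if algo_ondemand_wifi %}
+<string>Connect</string>
+{% else %}
+<string>Disconnect</string>
+{% endif %}
+<key>InterfaceTypeMatch</key>
+<string>WiFi</string>
+<key>URLStringProbe</key>
+<string>http://captive.apple.com/hotspot-detect.html</string>
+</dict>
+<dict>
+<key>Action</key>
+{% if algo_ondemand_cellular %}
+<string>Connect</string>
+{% else %}
+<string>Disconnect</string>
+{% endif %}
+<key>InterfaceTypeMatch</key>
+<string>Cellular</string>
+<key>URLStringProbe</key>
+<string>http://captive.apple.com/hotspot-detect.html</string>
+</dict>
+{% endif %}
+<dict>
+<key>Action</key>
+<string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
+</dict>
+</array>
+<key>AuthenticationMethod</key>
+<string>Password</string>
+<key>RemoteAddress</key>
+<string>{{ IP_subject_alt_name }}:{{ wireguard_port }}</string>
+</dict>
+<key>VPNSubType</key>
+<string>com.wireguard.{{ system }}</string>
+<key>VPNType</key>
+<string>VPN</string>
+<key>VendorConfig</key>
+<dict>
+<key>WgQuickConfig</key>
+<string>{{- lookup('template', 'client.conf.j2') | indent(8) }}</string>
+</dict>
+</dict>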
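Review bot: `{{ algo_server_name + system | to_uuid | upper }}` on the `PayloadIdentifier` and `PayloadUUID` lines does not yield a UUID: Jinja applies filters before `+`, so only `system` goes through `to_uuid` and the server name is prepended to the result, leaving `PayloadUUID` as `<server name><UUID>`. Parenthesise the concatenation on both lines: `<string>com.apple.vpn.managed.{{ (algo_server_name + system) | to_uuid | upper }}</string>` and `<string>{{ (algo_server_name + system) | to_uuid | upper }}</string>`. Separately, `network_name` is escaped with `|e` but `algo_server_name` (`PayloadDisplayName`, `UserDefinedName`) and the rendered `client.conf.j2` inside `WgQuickConfig` are not, so an `&` or `<` in either produces an invalid plist that the new xmllint check in the test script would only catch for the fixed test user. The `WgQuickConfig` body also carries the user's private key in clear, which is what makes the `mode: "0600"` on the generated file in mobileconfig.yml necessary.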

@ -2,6 +2,8 @@
set -euxo pipefail set -euxo pipefail
xmllint --noout ./configs/10.0.8.100/wireguard/apple/*/*.mobileconfig
crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off
wg-quick up configs/10.0.8.100/wireguard/user1.conf wg-quick up configs/10.0.8.100/wireguard/user1.conf
