mirror of https://github.com/trailofbits/algo
Deprecate IKEv2 for Windows (#1521)
* Windows to WireGuard
* Add note about WireGuard
* change wireguard faq
* Clarify Windows instructions
* Correct Wireguard description
* Update README.md

pull/1542/head
parent ab0f0c00fe
commit 38d8a6d0e2
@ -1,72 +1,6 @@
|
||||
# Windows client manual setup
|
||||
# Windows client setup
|
||||
|
||||
## Automatic installation
|
||||
## Installation via profiles
|
||||
|
||||
To install automatically, use the generated user Powershell script.
|
||||
|
||||
1. Copy the user PowerShell script (`windows_USER.ps1`) to the client computer.
|
||||
2. Open Powershell as Administrator.
|
||||
3. Run the following command:
|
||||
```powershell
|
||||
powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add
|
||||
```
|
||||
|
||||
If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, pass the parameter `-AllUsers`
|
||||
|
||||
```powershell
|
||||
powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add -AllUsers
|
||||
```
|
||||
|
||||
4. The command has help information available. To view its full help, run this from Powershell:
|
||||
```powershell
|
||||
Get-Help -Name .\windows_USER.ps1 -Full | more
|
||||
```
|
||||
|
||||
## Manual installation
|
||||
|
||||
1. Copy the CA certificate (`cacert.pem`) and user certificate (`USER.p12`) to the client computer
|
||||
2. Open PowerShell as Administrator. Navigate to your copied files.
|
||||
3. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run.
|
||||
|
||||
```powershell
|
||||
Set-ExecutionPolicy Unrestricted -Scope Process
|
||||
```
|
||||
|
||||
4. In the same window, run the necessary commands to install the certificates and create the VPN configuration. Note the lines at the top defining the VPN address, USER.p12 file location, and CA certificate location - change those lines to the IP address of your Algo server and the location you saved those two files. Also note that it will prompt for the "User p12 password", which is printed at the end of a successful Algo deployment.
|
||||
|
||||
If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, then insert the line `AllUserConnection = $true` after `$EncryptionLevel = "Required"`.
|
||||
|
||||
```powershell
|
||||
$VpnServerAddress = "1.2.3.4"
|
||||
$UserP12Path = "$Home\Downloads\USER.p12"
|
||||
$CaCertPath = "$Home\Downloads\cacert.pem"
|
||||
$VpnName = "Algo VPN $VpnServerAddress IKEv2"
|
||||
$p12Pass = Read-Host -AsSecureString -Prompt "User p12 password"
|
||||
|
||||
Import-PfxCertificate -FilePath $UserP12Path -CertStoreLocation Cert:\LocalMachine\My -Password $p12Pass
|
||||
Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root
|
||||
|
||||
$addVpnParams = @{
|
||||
Name = $VpnName
|
||||
ServerAddress = $VpnServerAddress
|
||||
TunnelType = "IKEv2"
|
||||
AuthenticationMethod = "MachineCertificate"
|
||||
EncryptionLevel = "Required"
|
||||
}
|
||||
Add-VpnConnection @addVpnParams
|
||||
|
||||
$setVpnParams = @{
|
||||
ConnectionName = $VpnName
|
||||
AuthenticationTransformConstants = "GCMAES256"
|
||||
CipherTransformConstants = "GCMAES256"
|
||||
EncryptionMethod = "AES256"
|
||||
IntegrityCheckMethod = "SHA384"
|
||||
DHGroup = "ECP384"
|
||||
PfsGroup = "ECP384"
|
||||
Force = $true
|
||||
}
|
||||
Set-VpnConnectionIPsecConfiguration @setVpnParams
|
||||
|
||||
```
|
||||
|
||||
Your VPN is now installed and ready to use.
|
||||
1. Install the [WireGuard VPN Client](https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019) and start it.
|
||||
2. Import the corresponding `wireguard/<name>.conf` file to your device, then setup a new connection with it.
|
||||
|
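Review bot: the new page gives the config file as `wireguard/<name>.conf` without saying what that path is relative to, and "setup a new connection" should read "set up a new connection"; name the directory the deployment writes client configs into so a user knows where to look for `wireguard/<name>.conf`. The bigger gap is that a change titled "Deprecate IKEv2 for Windows" drops every IKEv2 instruction, including the `-Remove` and `-AllUsers` guidance, but says nothing to a Windows user who already has the old profile installed: the removed text placed a user certificate in `Cert:\LocalMachine\My` and the CA in `Cert:\LocalMachine\Root`, so a short "removing the old IKEv2 connection" paragraph, or a pointer to wherever that guidance now lives, belongs on this page.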
@ -1,211 +0,0 @@
|
||||
#Requires -RunAsAdministrator
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Add or remove the Algo VPN
|
||||
|
||||
.DESCRIPTION
|
||||
Add or remove the Algo VPN
|
||||
See the examples for more information
|
||||
|
||||
.PARAMETER Add
|
||||
Add the VPN to the local system
|
||||
|
||||
.PARAMETER Remove
|
||||
Remove the VPN from the local system
|
||||
|
||||
.PARAMETER GetInstalledCerts
|
||||
Retrieve Algo certs, if any, from the system certificate store
|
||||
|
||||
.PARAMETER SaveCerts
|
||||
Save the Algo certs embedded in this file
|
||||
|
||||
.PARAMETER OutputDirectory
|
||||
When saving the Algo certs, save to this directory
|
||||
|
||||
.PARAMETER Pkcs12DecryptionPassword
|
||||
The decryption password for the user's PKCS12 certificate, sometimes called the "p12 password".
|
||||
Note that this must be passed in as a SecureString, not a regular string.
|
||||
You can create a secure string with the `Read-Host -AsSecureString` cmdlet.
|
||||
See the examples for more information.
|
||||
|
||||
.PARAMETER AllUsers
|
||||
Allow all users to use the VPN
|
||||
|
||||
.EXAMPLE
|
||||
client_USER.ps1 -Add
|
||||
|
||||
Adds the Algo VPN
|
||||
|
||||
.EXAMPLE
|
||||
$p12pass = Read-Host -AsSecureString; client_USER.ps1 -Add -Pkcs12DecryptionPassword $p12pass
|
||||
|
||||
Create a variable containing the PKCS12 decryption password, then use it when adding the VPN.
|
||||
This can be especially useful when troubleshooting, because you can use the same variable with
|
||||
multiple calls to client_USER.ps1, rather than having to type the PKCS12 password each time.
|
||||
|
||||
.EXAMPLE
|
||||
client_USER.ps1 -Remove
|
||||
|
||||
Removes the Algo VPN if installed.
|
||||
|
||||
.EXAMPLE
|
||||
client_USER.ps1 -GetIntalledCerts
|
||||
|
||||
Show the Algo VPN's installed certificates, if any.
|
||||
|
||||
.EXAMPLE
|
||||
client_USER.ps1 -SaveCerts -OutputDirectory $Home\Downloads
|
||||
|
||||
Save the embedded CA cert and encrypted user PKCS12 file.
|
||||
#>
|
||||
[CmdletBinding(DefaultParameterSetName="Add")] Param(
|
||||
[Parameter(ParameterSetName="Add")]
|
||||
[Switch] $Add,
|
||||
|
||||
[Parameter(ParameterSetName="Add")]
|
||||
[SecureString] $Pkcs12DecryptionPassword,
|
||||
|
||||
[Parameter(ParameterSetName="Add")]
|
||||
[Switch] $AllUsers = $false,
|
||||
|
||||
[Parameter(Mandatory, ParameterSetName="Remove")]
|
||||
[Switch] $Remove,
|
||||
|
||||
[Parameter(Mandatory, ParameterSetName="GetInstalledCerts")]
|
||||
[Switch] $GetInstalledCerts,
|
||||
|
||||
[Parameter(Mandatory, ParameterSetName="SaveCerts")]
|
||||
[Switch] $SaveCerts,
|
||||
|
||||
[Parameter(ParameterSetName="SaveCerts")]
|
||||
[string] $OutputDirectory = "$PWD"
|
||||
)
|
||||
|
||||
$ErrorActionPreference = "Stop"
|
||||
|
||||
$VpnServerAddress = "{{ IP_subject_alt_name }}"
|
||||
$VpnName = "AlgoVPN {{ algo_server_name }} IKEv2"
|
||||
$VpnUser = "{{ item.0 }}"
|
||||
$CaCertificateBase64 = "{{ PayloadContentCA }}"
|
||||
$UserPkcs12Base64 = "{{ item.1.stdout }}"
|
||||
|
||||
if ($PsCmdlet.ParameterSetName -eq "Add" -and -not $Pkcs12DecryptionPassword) {
|
||||
$Pkcs12DecryptionPassword = ConvertTo-SecureString '{{ p12_export_password }}' -asplaintext -force
|
||||
}
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Create a temporary directory
|
||||
#>
|
||||
function New-TemporaryDirectory {
|
||||
[CmdletBinding()] Param()
|
||||
do {
|
||||
$guid = New-Guid | Select-Object -ExpandProperty Guid
|
||||
$newTempDirPath = Join-Path -Path $env:TEMP -ChildPath $guid
|
||||
} while (Test-Path -Path $newTempDirPath)
|
||||
New-Item -ItemType Directory -Path $newTempDirPath
|
||||
}
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Retrieve any installed Algo VPN certificates
|
||||
#>
|
||||
function Get-InstalledAlgoVpnCertificates {
|
||||
[CmdletBinding()] Param()
|
||||
Get-ChildItem -LiteralPath Cert:\LocalMachine\Root |
|
||||
Where-Object {
|
||||
$_.Subject -match "^CN=${VpnServerAddress}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
|
||||
}
|
||||
Get-ChildItem -LiteralPath Cert:\LocalMachine\My |
|
||||
Where-Object {
|
||||
$_.Subject -match "^CN=${VpnUser}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
|
||||
}
|
||||
}
|
||||
|
||||
function Save-AlgoVpnCertificates {
|
||||
[CmdletBinding()] Param(
|
||||
[String] $OutputDirectory = $PWD
|
||||
)
|
||||
$caCertPath = Join-Path -Path $OutputDirectory -ChildPath "cacert.pem"
|
||||
$userP12Path = Join-Path -Path $OutputDirectory -ChildPath "$VpnUser.p12"
|
||||
# NOTE: We cannot use ConvertFrom-Base64 here because it is not designed for binary data
|
||||
[IO.File]::WriteAllBytes(
|
||||
$caCertPath,
|
||||
[Convert]::FromBase64String($CaCertificateBase64))
|
||||
[IO.File]::WriteAllBytes(
|
||||
$userP12Path,
|
||||
[Convert]::FromBase64String($UserPkcs12Base64))
|
||||
return New-Object -TypeName PSObject -Property @{
|
||||
CaPem = $caCertPath
|
||||
UserPkcs12 = $userP12Path
|
||||
}
|
||||
}
|
||||
|
||||
function Add-AlgoVPN {
|
||||
[Cmdletbinding()] Param()
|
||||
|
||||
$workDir = New-TemporaryDirectory
|
||||
|
||||
try {
|
||||
$certs = Save-AlgoVpnCertificates -OutputDirectory $workDir
|
||||
$importPfxCertParams = @{
|
||||
Password = $Pkcs12DecryptionPassword
|
||||
FilePath = $certs.UserPkcs12
|
||||
CertStoreLocation = "Cert:\LocalMachine\My"
|
||||
}
|
||||
Import-PfxCertificate @importPfxCertParams
|
||||
$importCertParams = @{
|
||||
FilePath = $certs.CaPem
|
||||
CertStoreLocation = "Cert:\LocalMachine\Root"
|
||||
}
|
||||
Import-Certificate @importCertParams
|
||||
} finally {
|
||||
Remove-Item -Recurse -Force -LiteralPath $workDir
|
||||
}
|
||||
|
||||
$addVpnParams = @{
|
||||
Name = $VpnName
|
||||
ServerAddress = $VpnServerAddress
|
||||
TunnelType = "IKEv2"
|
||||
AuthenticationMethod = "MachineCertificate"
|
||||
EncryptionLevel = "Required"
|
||||
AllUserConnection = $AllUsers
|
||||
}
|
||||
Add-VpnConnection @addVpnParams
|
||||
|
||||
$addVpnRouteParams = @{
|
||||
ConnectionName = $VpnName
|
||||
}
|
||||
Add-VpnConnectionRoute @addVpnRouteParams -DestinationPrefix ::/1
|
||||
Add-VpnConnectionRoute @addVpnRouteParams -DestinationPrefix 8000::/1
|
||||
|
||||
$setVpnParams = @{
|
||||
ConnectionName = $VpnName
|
||||
AuthenticationTransformConstants = "GCMAES256"
|
||||
CipherTransformConstants = "GCMAES256"
|
||||
EncryptionMethod = "AES256"
|
||||
IntegrityCheckMethod = "SHA384"
|
||||
DHGroup = "ECP384"
|
||||
PfsGroup = "ECP384"
|
||||
Force = $true
|
||||
}
|
||||
Set-VpnConnectionIPsecConfiguration @setVpnParams
|
||||
}
|
||||
|
||||
function Remove-AlgoVPN {
|
||||
[CmdletBinding()] Param()
|
||||
Get-InstalledAlgoVpnCertificates | Remove-Item -Force
|
||||
Remove-VpnConnection -Name $VpnName -Force
|
||||
}
|
||||
|
||||
switch ($PsCmdlet.ParameterSetName) {
|
||||
"Add" { Add-AlgoVPN }
|
||||
"Remove" { Remove-AlgoVPN }
|
||||
"GetInstalledCerts" { Get-InstalledAlgoVpnCertificates }
|
||||
"SaveCerts" {
|
||||
$certs = Save-AlgoVpnCertificates -OutputDirectory $OutputDirectory
|
||||
Get-Item -LiteralPath $certs.UserPkcs12, $certs.CaPem
|
||||
}
|
||||
default { throw "Unknown parameter set: '$($PsCmdlet.ParameterSetName)'" }
|
||||
}
|
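Review bot: deleting the whole script also deletes the only tooling that uninstalls the IKEv2 profile, `Remove-AlgoVPN`, which removes the VPN connection and the certificates selected by `Get-InstalledAlgoVpnCertificates` from `Cert:\LocalMachine\Root` and `Cert:\LocalMachine\My`; users who deployed before this change are left with no supported cleanup path, so consider keeping a removal-only variant of the script or documenting the equivalent `Remove-VpnConnection -Name ... -Force` and certificate removal steps. Two things this diff does not show and that should be confirmed in the same change: the file is a Jinja template (`{{ IP_subject_alt_name }}`, `{{ item.1.stdout }}`, `{{ p12_export_password }}`), so the task that rendered it must go as well or the deployment will fail on a missing template; and because the rendered script embedded the PKCS12 export password in plaintext (`ConvertTo-SecureString '{{ p12_export_password }}' -asplaintext -force`), the commit message could note that this removal also stops shipping that credential inside a client artifact.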