Archives/algo
2
0
Fork 0
mirror of https://github.com/trailofbits/algo synced 2024-11-04 06:00:21 +00:00
Code Issues Projects Releases Wiki Activity

Windows support implemented

Browse Source
This commit is contained in:
Jack Ivanov 2016-11-29 23:00:01 +03:00
parent f6166ccde4
commit 8a0c5ab971
3 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -41,6 +41,14 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
### Windows Devices
You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.<br>
Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:<br>
`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)<br>
Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine.
### Apple Devices
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.

12
roles/vpn/tasks/main.yml
View File

@ -191,6 +191,8 @@
with_items:
- "{{ users }}"
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
@ -215,6 +217,16 @@
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
with_items: "{{ users }}"
- name: Build the windows client powershell script
template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600
when: Win10_Enabled is defined and Win10_Enabled == "Y"
with_items: "{{ users }}"
- name: Fetch users windows scripts
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes
when: Win10_Enabled is defined and Win10_Enabled == "Y"
with_items: "{{ users }}"
- name: Restrict permissions
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
with_items:

3
roles/vpn/templates/client_windows.ps1.j2 Normal file
View File

@ -0,0 +1,3 @@
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12
Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none