Micah R Ledbetter
e944ee993a
Embed certs into Windows deployment scripts ( #840 )
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store
As part of this work, rewrite the windows_client.ps1.j2 deployment
script template
- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
installed in the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
7 years ago
Micah R Ledbetter
4b0aea8f5a
Document iptables rules ( #854 )
* Remove firewall rule related to the old proxy role
* Remove proxy conditionals from mobileconfig template
* Add comments explaining firewall rules
7 years ago
Jack Ivanov
78830d96aa
Android: add the CA and set the ciphers explicitly ( #837 )
7 years ago
Jack Ivanov
4e4440a318
Exclude CA from P12 ( #835 )
7 years ago
adamluk
b30f6db079
Update rules.v6.j2 ( #818 )
Updated to use -m conntrack for consistency as per the other IPv6 rules.
7 years ago
Jack Ivanov
02427910de
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration ( #804 )
* Move to ansible-2.4.3
* Add Lightsail support #623
* Fixing the EC2 deployment
* Scaleway integration #623
* OpenStack cloud provider (DreamCompute optimised) #623
* Remove the security role
* Enable unattended-upgrades for clouds
* New requirements to make Azure and GCE work
7 years ago
Jack Ivanov
f18c1a0d67
Certificate revocation fix ( #719 )
7 years ago
Julie Bernosky
dc4dff040e
Add StrongSwan log level config option to ipsec.conf template ( #700 )
7 years ago
Jack Ivanov
ee7264f26e
Ask users to enter the p12 password manually ( #697 )
7 years ago
Jack Ivanov
6b803e069f
LibreSSL fix #625 ( #685 )
7 years ago
Jack Ivanov
9d8e39f63d
Move back to the Xenial repo ( #606 )
7 years ago
Jack Ivanov
f0283856ad
fix revocation ( #586 )
7 years ago
Jack Ivanov
26c202ded5
Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the section. ( #580 )
7 years ago
Jack Ivanov
ba7859ba5f
Revoke non-existing users fix
7 years ago
Jack Ivanov
0131505195
Enhance PS1 script ( #510 )
update docs
Update README.md
update readme
7 years ago
Jack Ivanov
ee6db37428
Change the P12 and SSH passwords only for new users ( #550 )
7 years ago
Jack Ivanov
40e0363b18
Add html helper for Android ( #554 )
* add html helper #280
move to the new local schema
fix a typo
* Update client-android.md
7 years ago
Ruben Jongejan
e9e6c6e383
cleaner syntax for local actions ( #536 )
* refactored local actions to cleaner syntax
* openssl commands folded
* removed unnecessary local_action's
7 years ago
tetov
ac6db06a19
grammar edit ( #540 )
* grammar edit
* Update openssl.yml
8 years ago
Jack Ivanov
58d5a06e87
delete tasks and move to roles ( #519 )
8 years ago
Ruben Jongejan
07ddb5863b
improved readability with native yaml ( #530 )
8 years ago
Jack Ivanov
9f698fdd68
Get strongswan from the Zesty repo on Xenial ( #515 )
8 years ago
Jack Ivanov
bd348af9c2
Implementing blocks and additional fail hints #487 ( #497 )
change the troubleshooting url
8 years ago
Jack Ivanov
2f5c050fd2
dpdaction to clear ( #498 )
8 years ago
Jack Ivanov
0ed68b6c30
Properly configure ICMP restrictions ( #492 )
8 years ago
Ryan Kasper
0cb43650cb
Windows 10 -PfsGroup None --> -PfsGroup ECP256 ( #493 )
* Windows 10 -PfsGroup None --> -PfsGroup ECP256
Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)
* Update Windows Client PfsGroup Commandline
8 years ago
Jack Ivanov
540c761d3b
Disable RSA in the mobileconfigs. Fixes #486
8 years ago
Jack Ivanov
451394100d
Some enhances in the compat ciphers ( #464 )
raise the IntegrityCheckMethod to SHA384
Move Windows to ECDSA
Increase IntegrityCheckMethod
8 years ago
Jack Ivanov
c3fcfe5d0d
Let users choose the distro version #449 ( #466 )
Make dpdaction great again
add 1704 to travis
Make EC2 image name more convenient
modify apparmor profile
8 years ago
Andy Boutte
76cdc69548
CF tested and working for EC2 deployment ( #431 )
* AWS CloudFormation #132
* IPv6 EC2 draft
* CF tested and working for EC2 deployment
* IPv6 Implementation, EC2, Cloudformation
* Fixed ipv6 networking
* adding ip6tables rule for DHCP on AWS
8 years ago
Jack Ivanov
a7b06058cb
remove the proxy role #440 ( #457 )
* remove the proxy role #440
* Separate facts. Make roles more independent from each other
move openssl to local tasks
move unneeded tasks
8 years ago
Dan Guido
0b05ea19bc
Windows needs SHA2-256. Closes #453 . ( #456 )
8 years ago
Dan Guido
8173b84ff8
Change uniqueids back to never ( #448 )
We need this to allow multiple connections with the same id/certificate
8 years ago
Dan Guido
f9f7be7b0d
Fix a typo from #439
8 years ago
Dan Guido
1778cb1f45
disable dpd #430 ( #437 )
Closes #430
8 years ago
Dan Guido
8e5e6d5088
remove extraneous integrity algos from AEAD ciphers ( #439 )
In reference to
https://github.com/trailofbits/algo/issues/9#issuecomment-294370560
8 years ago
Jack Ivanov
fa5a956193
Add URLStringProbe ( #428 )
* Add URLStringProbe
* switch to Apple's hotspot-detect.html
8 years ago
Jack Ivanov
ea5976f49b
write logs to file if BSD only
8 years ago
MiWCryptAnalytics
04b61ca3d2
Increase CA key entropy to 128bit ( #415 )
Changes the default CA key size from 48 bit to 128bit with OpenSSL usermode CSPRNG with hex encoding
8 years ago
Jack Ivanov
02f363d825
change the order of ciphers
8 years ago
mathew19
ae43ed6f81
Update client_ipsec.secrets.j2 ( #414 )
Fix filename in client ipsec_user.secrets
8 years ago
mathew19
5e56996f5c
Fix name ( #411 )
8 years ago
Jack Ivanov
c61a07fb60
Escaping Special Characters #388 ( #403 )
8 years ago
Jack Ivanov
56a72e5af2
New ciphers implementing #247 ( #352 )
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
8 years ago
Dan Guido
e55ce03906
URLStringProbe with this URL does not work as intended
8 years ago
Dan Guido
5e22b79033
Add configuration for URL probes to Apple profile
Chrome and Android both request a known URL that generates HTTP 204 No Content responses to determine if they have internet connectivity. In Apple profiles, we can use the same URL to determine whether the VPN needs to connect. Using this feature will help save battery life for lots of users.
8 years ago
Jack Ivanov
47515154bb
add mtu in the sswan profile
8 years ago
brad2014
09e5d87c7b
Minor name and documentation edits ( #327 )
8 years ago
Dan Guido
655a917dd2
iptables filter table fix ( #285 )
8 years ago
Jack Ivanov
6facb6cb4f
FreeBSD / HardenedBSD ( #262 )
* FreeBSD draft
ifconfig fix
Pre-tasks fixes
fix hardcoded IP
some refactoring
disable system-based tags
disable freebsd tags
FreeBSD vpn role
add defaults
ssh role freebsd
default fix
dns_adblocking freebsd
ubuntu dict fix
* HardenedBSD
update-users BSD
* Rebuild the kernel
docs changing
8 years ago