Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '30beadb949'
${ noResults }
algo/roles/strongswan/templates/client_windows.ps1.j2

206 lines
6.0 KiB
Django/Jinja
Raw Blame History

#Requires -RunAsAdministrator
<#
.SYNOPSIS
Add or remove the Algo VPN
.DESCRIPTION
Add or remove the Algo VPN
See the examples for more information
.PARAMETER Add
Add the VPN to the local system
.PARAMETER Remove
Remove the VPN from the local system
.PARAMETER GetInstalledCerts
Retrieve Algo certs, if any, from the system certificate store
.PARAMETER SaveCerts
Save the Algo certs embedded in this file
.PARAMETER OutputDirectory
When saving the Algo certs, save to this directory
.PARAMETER Pkcs12DecryptionPassword
The decryption password for the user's PKCS12 certificate, sometimes called the "p12 password".
Note that this must be passed in as a SecureString, not a regular string.
You can create a secure string with the `Read-Host -AsSecureString` cmdlet.
See the examples for more information.
.PARAMETER AllUsers
Allow all users to use the VPN
.EXAMPLE
client_USER.ps1 -Add
Adds the Algo VPN
.EXAMPLE
$p12pass = Read-Host -AsSecureString; client_USER.ps1 -Add -Pkcs12DecryptionPassword $p12pass
Create a variable containing the PKCS12 decryption password, then use it when adding the VPN.
This can be especially useful when troubleshooting, because you can use the same variable with
multiple calls to client_USER.ps1, rather than having to type the PKCS12 password each time.
.EXAMPLE
client_USER.ps1 -Remove
Removes the Algo VPN if installed.
.EXAMPLE
client_USER.ps1 -GetIntalledCerts
Show the Algo VPN's installed certificates, if any.
.EXAMPLE
client_USER.ps1 -SaveCerts -OutputDirectory $Home\Downloads
Save the embedded CA cert and encrypted user PKCS12 file.
#>
[CmdletBinding(DefaultParameterSetName="Add")] Param(
[Parameter(ParameterSetName="Add")]
[Switch] $Add,
[Parameter(ParameterSetName="Add")]
[SecureString] $Pkcs12DecryptionPassword,
[Parameter(ParameterSetName="Add")]
[Switch] $AllUsers = $false,
[Parameter(Mandatory, ParameterSetName="Remove")]
[Switch] $Remove,
[Parameter(Mandatory, ParameterSetName="GetInstalledCerts")]
[Switch] $GetInstalledCerts,
[Parameter(Mandatory, ParameterSetName="SaveCerts")]
[Switch] $SaveCerts,
[Parameter(ParameterSetName="SaveCerts")]
[string] $OutputDirectory = "$PWD"
)
$ErrorActionPreference = "Stop"
$VpnServerAddress = "{{ IP_subject_alt_name }}"
$VpnName = "AlgoVPN {{ algo_server_name }} IKEv2"
$VpnUser = "{{ item.0 }}"
$CaCertificateBase64 = "{{ PayloadContentCA }}"
$UserPkcs12Base64 = "{{ item.1.stdout }}"
if ($PsCmdlet.ParameterSetName -eq "Add" -and -not $Pkcs12DecryptionPassword) {
$Pkcs12DecryptionPassword = ConvertTo-SecureString '{{ p12_export_password }}' -asplaintext -force
}
<#
.SYNOPSIS
Create a temporary directory
#>
function New-TemporaryDirectory {
[CmdletBinding()] Param()
do {
$guid = New-Guid | Select-Object -ExpandProperty Guid
$newTempDirPath = Join-Path -Path $env:TEMP -ChildPath $guid
} while (Test-Path -Path $newTempDirPath)
New-Item -ItemType Directory -Path $newTempDirPath
}
<#
.SYNOPSIS
Retrieve any installed Algo VPN certificates
#>
function Get-InstalledAlgoVpnCertificates {
[CmdletBinding()] Param()
Get-ChildItem -LiteralPath Cert:\LocalMachine\Root |
Where-Object {
$_.Subject -match "^CN=${VpnServerAddress}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
}
Get-ChildItem -LiteralPath Cert:\LocalMachine\My |
Where-Object {
$_.Subject -match "^CN=${VpnUser}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
}
}
function Save-AlgoVpnCertificates {
[CmdletBinding()] Param(
[String] $OutputDirectory = $PWD
)
$caCertPath = Join-Path -Path $OutputDirectory -ChildPath "cacert.pem"
$userP12Path = Join-Path -Path $OutputDirectory -ChildPath "$VpnUser.p12"
# NOTE: We cannot use ConvertFrom-Base64 here because it is not designed for binary data
[IO.File]::WriteAllBytes(
$caCertPath,
[Convert]::FromBase64String($CaCertificateBase64))
[IO.File]::WriteAllBytes(
$userP12Path,
[Convert]::FromBase64String($UserPkcs12Base64))
return New-Object -TypeName PSObject -Property @{
CaPem = $caCertPath
UserPkcs12 = $userP12Path
}
}
function Add-AlgoVPN {
[Cmdletbinding()] Param()
$workDir = New-TemporaryDirectory
try {
$certs = Save-AlgoVpnCertificates -OutputDirectory $workDir
$importPfxCertParams = @{
Password = $Pkcs12DecryptionPassword
FilePath = $certs.UserPkcs12
CertStoreLocation = "Cert:\LocalMachine\My"
}
Import-PfxCertificate @importPfxCertParams
$importCertParams = @{
FilePath = $certs.CaPem
CertStoreLocation = "Cert:\LocalMachine\Root"
}
Import-Certificate @importCertParams
} finally {
Remove-Item -Recurse -Force -LiteralPath $workDir
}
$addVpnParams = @{
Name = $VpnName
ServerAddress = $VpnServerAddress
TunnelType = "IKEv2"
AuthenticationMethod = "MachineCertificate"
EncryptionLevel = "Required"
AllUserConnection = $AllUsers
}
Add-VpnConnection @addVpnParams
$setVpnParams = @{
ConnectionName = $VpnName
AuthenticationTransformConstants = "GCMAES256"
CipherTransformConstants = "GCMAES256"
EncryptionMethod = "AES256"
IntegrityCheckMethod = "SHA384"
DHGroup = "ECP384"
PfsGroup = "ECP384"
Force = $true
}
Set-VpnConnectionIPsecConfiguration @setVpnParams
}
function Remove-AlgoVPN {
[CmdletBinding()] Param()
Get-InstalledAlgoVpnCertificates | Remove-Item -Force
Remove-VpnConnection -Name $VpnName -Force
}
switch ($PsCmdlet.ParameterSetName) {
"Add" { Add-AlgoVPN }
"Remove" { Remove-AlgoVPN }
"GetInstalledCerts" { Get-InstalledAlgoVpnCertificates }
"SaveCerts" {
$certs = Save-AlgoVpnCertificates -OutputDirectory $OutputDirectory
Get-Item -LiteralPath $certs.UserPkcs12, $certs.CaPem
}
default { throw "Unknown parameter set: '$($PsCmdlet.ParameterSetName)'" }
}
Reference in New Issue View Git Blame Copy Permalink