
Update IKEv2 script

- Add the option for users to specify their own password to protect the
  exported VPN client configuration files
- Update tests
This commit is contained in:
hwdsl2 2021-01-15 23:26:25 -06:00
parent 927e0ca7e3
commit b17ec88a0d
2 changed files with 77 additions and 9 deletions


@ -140,6 +140,7 @@ jobs:
y y
ANSWERS ANSWERS
@ -160,6 +161,7 @@ jobs:
y y
vpnclient2 vpnclient2
ANSWERS ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
@ -347,6 +349,7 @@ jobs:
y y
ANSWERS ANSWERS
@ -361,6 +364,7 @@ jobs:
y y
vpnclient2 vpnclient2
ANSWERS ANSWERS
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig


@ -32,9 +32,7 @@ check_dns_name() {
create_mobileconfig() { create_mobileconfig() {
bigecho2 "Creating .mobileconfig for iOS and macOS..." bigecho "Creating .mobileconfig for iOS and macOS..."
[ -z "$p12_password" ] && exiterr "Password for .p12 file cannot be empty."
if [ -z "$server_addr" ]; then if [ -z "$server_addr" ]; then
server_addr=$(grep "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=) server_addr=$(grep "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
@ -235,13 +233,30 @@ new_client() {
bigecho "Exporting .p12 file..." bigecho "Exporting .p12 file..."
if [ "$use_own_password" = "1" ]; then
cat <<'EOF'
Enter a *secure* password to protect the .p12 and .mobileconfig files.
When importing into an iOS or macOS device, this password cannot be empty.
EOF
else
p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16) p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)
[ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file." [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
fi
if [ "$in_container" = "0" ]; then if [ "$in_container" = "0" ]; then
if [ "$use_own_password" = "1" ]; then
pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1
else
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1 pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1
fi
else
if [ "$use_own_password" = "1" ]; then
pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1
else else
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1 pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1
fi fi
fi
create_mobileconfig create_mobileconfig
@ -357,6 +372,26 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t
[ -z "$client_validity" ] && client_validity=120 [ -z "$client_validity" ] && client_validity=120
done done
cat <<'EOF'
VPN client configuration will be exported as .p12 and .mobileconfig files,
which contain the client certificate, private key and CA certificate.
To protect these files, this script can generate a random password for you,
which will be displayed when finished.
EOF
printf "Do you want to specify your own password instead? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
use_own_password=1
;;
*)
use_own_password=0
;;
esac
# Create client configuration # Create client configuration
new_client new_client
@ -378,11 +413,16 @@ else
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)" printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
fi fi
if [ "$use_own_password" = "0" ]; then
cat <<EOF cat <<EOF
(Important) Password for .p12 and .mobileconfig files: (Important) Password for .p12 and .mobileconfig files:
$p12_password $p12_password
Write this down, you'll need it to import to your device! Write this down, you'll need it to import to your device!
EOF
fi
cat <<'EOF'
Next steps: Configure IKEv2 VPN clients. See: Next steps: Configure IKEv2 VPN clients. See:
https://git.io/ikev2clients https://git.io/ikev2clients
@ -582,6 +622,26 @@ if [ "$mobike_support" = "1" ]; then
esac esac
fi fi
cat <<'EOF'
VPN client configuration will be exported as .p12 and .mobileconfig files,
which contain the client certificate, private key and CA certificate.
To protect these files, this script can generate a random password for you,
which will be displayed when finished.
EOF
printf "Do you want to specify your own password instead? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
use_own_password=1
;;
*)
use_own_password=0
;;
esac
cat <<EOF cat <<EOF
Below are the IKEv2 setup options you selected. Below are the IKEv2 setup options you selected.
@ -668,7 +728,6 @@ fi
# Create client configuration # Create client configuration
new_client new_client
echo
bigecho "Adding a new IKEv2 connection..." bigecho "Adding a new IKEv2 connection..."
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
@ -761,11 +820,16 @@ else
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)" printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
fi fi
if [ "$use_own_password" = "0" ]; then
cat <<EOF cat <<EOF
(Important) Password for .p12 and .mobileconfig files: (Important) Password for .p12 and .mobileconfig files:
$p12_password $p12_password
Write this down, you'll need it to import to your device! Write this down, you'll need it to import to your device!
EOF
fi
cat <<'EOF'
Next steps: Configure IKEv2 VPN clients. See: Next steps: Configure IKEv2 VPN clients. See:
https://git.io/ikev2clients https://git.io/ikev2clients
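Review bot: The export hunk (@ -235) in new_client branches on `[ "$use_own_password" = "1" ]` with the random-password path as its `else`, while the two display hunks (@ -378 and @ -761) gate the password printout on `[ "$use_own_password" = "0" ]`, so the checks are not complements: if any path reaches new_client without passing through one of the two new prompts (variable unset or empty), a random password is generated and used but never shown to the user. Initialising `use_own_password=0` once near the top of the script, or changing both display checks to `if [ "$use_own_password" != "1" ]; then`, makes the default consistent. Removing the `[ -z "$p12_password" ] && exiterr ...` guard in create_mobileconfig (@ -32) means it now runs with an empty `$p12_password` whenever pk12util collects the password interactively; the lines of create_mobileconfig that consume `$p12_password` are not in the visible hunk, so please confirm they handle the empty value (e.g. omit the password entry from the .mobileconfig rather than embed an empty string). The two identical prompt blocks (@ -357 and @ -582) could be a single helper such as `select_p12_password_mode()` so the wording and the `[yY][eE][sS]|[yY])` handling stay in sync. new_client and create_mobileconfig both start outside their hunks.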