Update IKEv2 script
- Add the option for users to specify their own password to protect the exported VPN client configuration files - Update tests
This commit is contained in:
parent
927e0ca7e3
commit
b17ec88a0d
4
.github/workflows/main.yml
vendored
4
.github/workflows/main.yml
vendored
@ -140,6 +140,7 @@ jobs:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
y
|
y
|
||||||
ANSWERS
|
ANSWERS
|
||||||
|
|
||||||
@ -160,6 +161,7 @@ jobs:
|
|||||||
y
|
y
|
||||||
vpnclient2
|
vpnclient2
|
||||||
|
|
||||||
|
|
||||||
ANSWERS
|
ANSWERS
|
||||||
|
|
||||||
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
|
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
|
||||||
@ -347,6 +349,7 @@ jobs:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
y
|
y
|
||||||
ANSWERS
|
ANSWERS
|
||||||
|
|
||||||
@ -361,6 +364,7 @@ jobs:
|
|||||||
y
|
y
|
||||||
vpnclient2
|
vpnclient2
|
||||||
|
|
||||||
|
|
||||||
ANSWERS
|
ANSWERS
|
||||||
|
|
||||||
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
|
ls -ld /etc/ipsec.d/vpnclient2-*.mobileconfig
|
||||||
|
@ -32,9 +32,7 @@ check_dns_name() {
|
|||||||
|
|
||||||
create_mobileconfig() {
|
create_mobileconfig() {
|
||||||
|
|
||||||
bigecho2 "Creating .mobileconfig for iOS and macOS..."
|
bigecho "Creating .mobileconfig for iOS and macOS..."
|
||||||
|
|
||||||
[ -z "$p12_password" ] && exiterr "Password for .p12 file cannot be empty."
|
|
||||||
|
|
||||||
if [ -z "$server_addr" ]; then
|
if [ -z "$server_addr" ]; then
|
||||||
server_addr=$(grep "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
|
server_addr=$(grep "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
|
||||||
@ -235,12 +233,29 @@ new_client() {
|
|||||||
|
|
||||||
bigecho "Exporting .p12 file..."
|
bigecho "Exporting .p12 file..."
|
||||||
|
|
||||||
p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)
|
if [ "$use_own_password" = "1" ]; then
|
||||||
[ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
|
cat <<'EOF'
|
||||||
if [ "$in_container" = "0" ]; then
|
Enter a *secure* password to protect the .p12 and .mobileconfig files.
|
||||||
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1
|
When importing into an iOS or macOS device, this password cannot be empty.
|
||||||
|
|
||||||
|
EOF
|
||||||
else
|
else
|
||||||
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1
|
p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)
|
||||||
|
[ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$in_container" = "0" ]; then
|
||||||
|
if [ "$use_own_password" = "1" ]; then
|
||||||
|
pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1
|
||||||
|
else
|
||||||
|
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "$use_own_password" = "1" ]; then
|
||||||
|
pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1
|
||||||
|
else
|
||||||
|
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
create_mobileconfig
|
create_mobileconfig
|
||||||
@ -357,6 +372,26 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t
|
|||||||
[ -z "$client_validity" ] && client_validity=120
|
[ -z "$client_validity" ] && client_validity=120
|
||||||
done
|
done
|
||||||
|
|
||||||
|
cat <<'EOF'
|
||||||
|
|
||||||
|
VPN client configuration will be exported as .p12 and .mobileconfig files,
|
||||||
|
which contain the client certificate, private key and CA certificate.
|
||||||
|
To protect these files, this script can generate a random password for you,
|
||||||
|
which will be displayed when finished.
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
printf "Do you want to specify your own password instead? [y/N] "
|
||||||
|
read -r response
|
||||||
|
case $response in
|
||||||
|
[yY][eE][sS]|[yY])
|
||||||
|
use_own_password=1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
use_own_password=0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
# Create client configuration
|
# Create client configuration
|
||||||
new_client
|
new_client
|
||||||
|
|
||||||
@ -378,11 +413,16 @@ else
|
|||||||
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
|
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$use_own_password" = "0" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
(Important) Password for .p12 and .mobileconfig files:
|
(Important) Password for .p12 and .mobileconfig files:
|
||||||
$p12_password
|
$p12_password
|
||||||
Write this down, you'll need it to import to your device!
|
Write this down, you'll need it to import to your device!
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat <<'EOF'
|
||||||
|
|
||||||
Next steps: Configure IKEv2 VPN clients. See:
|
Next steps: Configure IKEv2 VPN clients. See:
|
||||||
https://git.io/ikev2clients
|
https://git.io/ikev2clients
|
||||||
@ -582,6 +622,26 @@ if [ "$mobike_support" = "1" ]; then
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
cat <<'EOF'
|
||||||
|
|
||||||
|
VPN client configuration will be exported as .p12 and .mobileconfig files,
|
||||||
|
which contain the client certificate, private key and CA certificate.
|
||||||
|
To protect these files, this script can generate a random password for you,
|
||||||
|
which will be displayed when finished.
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
printf "Do you want to specify your own password instead? [y/N] "
|
||||||
|
read -r response
|
||||||
|
case $response in
|
||||||
|
[yY][eE][sS]|[yY])
|
||||||
|
use_own_password=1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
use_own_password=0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
Below are the IKEv2 setup options you selected.
|
Below are the IKEv2 setup options you selected.
|
||||||
@ -668,7 +728,6 @@ fi
|
|||||||
# Create client configuration
|
# Create client configuration
|
||||||
new_client
|
new_client
|
||||||
|
|
||||||
echo
|
|
||||||
bigecho "Adding a new IKEv2 connection..."
|
bigecho "Adding a new IKEv2 connection..."
|
||||||
|
|
||||||
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
|
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
|
||||||
@ -761,11 +820,16 @@ else
|
|||||||
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
|
printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.mobileconfig (for iOS & macOS)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$use_own_password" = "0" ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
(Important) Password for .p12 and .mobileconfig files:
|
(Important) Password for .p12 and .mobileconfig files:
|
||||||
$p12_password
|
$p12_password
|
||||||
Write this down, you'll need it to import to your device!
|
Write this down, you'll need it to import to your device!
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat <<'EOF'
|
||||||
|
|
||||||
Next steps: Configure IKEv2 VPN clients. See:
|
Next steps: Configure IKEv2 VPN clients. See:
|
||||||
https://git.io/ikev2clients
|
https://git.io/ikev2clients
|
||||||
|
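Review bot: In the `use_own_password=1` branches of new_client (the four `pk12util` calls without `-W`), the script hands the prompt to pk12util itself and so never sees the password: nothing enforces the non-empty requirement the heredoc warns about, the `[ -z "$p12_password" ] && exiterr` guard in create_mobileconfig is deleted rather than replaced, and `$p12_password` is left unset for whatever create_mobileconfig still does with it (its body is outside the hunk, so this is an inference from the removed check). The generated-password path also keeps passing the secret on argv via `-W`, where it is visible in `ps` for the duration of the export. I'd read the password in the shell with echo off plus a confirmation, reject an empty value, and hand it to pk12util through a 0600 temp file with `-w` for both paths, which also collapses the four-way `in_container`/`use_own_password` nesting into a single call. The identical "specify your own password" prompt blocks in the two later hunks could share one helper, and the CI ANSWERS changes appear to add only an empty (default-N) answer, so the interactive path is not exercised by the tests.
```shell
bigecho "Exporting .p12 file..."
if [ "$use_own_password" = "1" ]; then
  # … unchanged: explanatory heredoc …
  while :; do
    printf 'Enter password for .p12 file: '
    stty -echo 2>/dev/null; read -r p12_password; stty echo 2>/dev/null; printf '\n'
    printf 'Re-enter password: '
    stty -echo 2>/dev/null; read -r p12_confirm; stty echo 2>/dev/null; printf '\n'
    if [ -z "$p12_password" ]; then
      echo "Password cannot be empty." >&2
    elif [ "$p12_password" != "$p12_confirm" ]; then
      echo "Passwords do not match." >&2
    else
      break
    fi
  done
else
  p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)
  [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
fi
if [ "$in_container" = "0" ]; then
  p12_file=~/"$client_name-$SYS_DT.p12"
else
  p12_file="/etc/ipsec.d/$client_name-$SYS_DT.p12"
fi
# Pass the password to pk12util through a 0600 file (-w) instead of argv (-W),
# so it is never visible in 'ps' while the export runs.
pw_file=$(mktemp) || exiterr "Could not create temporary password file."
chmod 600 "$pw_file"
printf '%s' "$p12_password" > "$pw_file"
pk12util -w "$pw_file" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file"
pk12_status=$?
rm -f "$pw_file"
[ "$pk12_status" = "0" ] || exit 1
create_mobileconfig
```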