Marown/setup-ipsec-vpn
1
0
Fork 0
mirror of https://github.com/hwdsl2/setup-ipsec-vpn.git synced 2024-06-30 01:25:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Simplify IKEv2 import

Browse Source 
- Simplify IKEv2 configuration import: Remove passwords for IKEv2
  client config files. When importing, it is no longer required to
  enter a config file password.
- For macOS and iOS, .mobileconfig files require a password to work.
  The password is now included so there is no need to manually enter.
- Note: Client config files should be securely transferred from
  the VPN server to VPN client device(s) for import.
This commit is contained in:
hwdsl2 2022-02-12 01:21:12 -06:00
parent d20f82e6f2
commit dbc3527448
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
extras/ikev2setup.sh
View File

@ -150,7 +150,7 @@ check_container() {
show_header() {
cat <<'EOF'
IKEv2 Script Copyright (c) 2020-2022 Lin Song 22 Jan 2022
IKEv2 Script Copyright (c) 2020-2022 Lin Song 12 Feb 2022
EOF
}
@ -665,13 +665,18 @@ export_p12_file() {
bigecho2 "Creating client configuration..."
create_p12_password
p12_file="$export_dir$client_name.p12"
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
p12_file_enc="$export_dir$client_name.enc.p12"
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1
if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then
pem_file="$export_dir$client_name.temp.pem"
openssl pkcs12 -in "$p12_file" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
/bin/rm -f "$pem_file"
else
pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
fi
if [ "$export_to_home_dir" = "1" ]; then
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
@ -712,7 +717,9 @@ install_uuidgen() {
create_mobileconfig() {
[ -z "$server_addr" ] && get_server_address
p12_base64=$(base64 -w 52 "$export_dir$client_name.p12")
p12_file_enc="$export_dir$client_name.enc.p12"
p12_base64=$(base64 -w 52 "$p12_file_enc")
/bin/rm -f "$p12_file_enc"
[ -z "$p12_base64" ] && exiterr "Could not encode .p12 file."
ca_base64=$(certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a | grep -v CERTIFICATE)
[ -z "$ca_base64" ] && exiterr "Could not encode IKEv2 VPN CA certificate."
@ -811,6 +818,8 @@ cat > "$mc_file" <<EOF
<string>IKEv2</string>
</dict>
<dict>
<key>Password</key>
<string>$p12_password</string>
<key>PayloadCertificateFileName</key>
<string>$client_name</string>
<key>PayloadContent</key>
@ -1113,10 +1122,6 @@ cat <<EOF
$export_dir$client_name.p12 (for Windows & Linux)
$export_dir$client_name.sswan (for Android)
$export_dir$client_name.mobileconfig (for iOS & macOS)
*IMPORTANT* Password for client config files:
$p12_password
Write this down, you'll need it for import!
EOF
cat <<'EOF'