windows-vpn/windows-vpn.ps1

129 lines
3.0 KiB
PowerShell
Raw Normal View History

2024-10-24 11:16:31 +00:00
param (
$allUsers = $false,
$vpnName = "Verdnatura"
)
2021-03-18 13:21:38 +00:00
# Advanced configuration
2024-11-12 16:27:57 +00:00
$vpnHost = "vpn.verdnatura.es"
2024-10-24 11:16:31 +00:00
$vpnSuffix = "verdnatura.es"
2021-03-18 13:21:38 +00:00
$vpnSplit = $true
$vpnNetworks = @("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
$vpnCaUrl = "https://cdn.verdnatura.es/public/verdnatura.der"
$caHash = "028a316a3072f402c10fd7699cb061c93cc5cb15"
# Scripting
$restorePowerShellPolicy = $false
$ErrorActionPreference = "Inquire"
2024-10-24 11:16:31 +00:00
if ($allUsers) {
$caPath = "LocalMachine\Root"
} else {
$caPath = "CurrentUser\Root"
}
$caLocation = "Cert:\$caPath"
$hasCa = Get-ChildItem $caLocation | Where-Object {$_.Thumbprint -eq $caHash}
2021-03-18 13:21:38 +00:00
if (!$hasCa) {
Echo "Downloading and installing CA certificate."
$caFile = "$env:TEMP\$caHash.der"
Invoke-WebRequest $vpnCaUrl `
-OutFile $caFile
Import-Certificate `
-FilePath $caFile `
2024-10-24 11:16:31 +00:00
-CertStoreLocation $caLocation `
2021-03-18 13:21:38 +00:00
| Out-Null
Remove-Item $caFile
}
Echo "Creating the VPN connection."
2024-11-12 16:27:57 +00:00
try {
$args = @{
Name = $vpnName
Force = $true
ErrorAction = "Stop"
AllUserConnection = $allUsers
2021-03-18 13:21:38 +00:00
}
2024-11-12 16:27:57 +00:00
Remove-VpnConnection @args
} catch {
if ($_.Exception.StatusCode -eq 1) {
throw "Connection '$vpnName' is open, close it before running the script."
} elseif ($_.Exception.StatusCode -ne 6) {
throw
}
}
$args = @{
Name = $vpnName
ServerAddress = $vpnHost
TunnelType = "Ikev2"
EncryptionLevel = "Required"
AuthenticationMethod = "Eap"
DnsSuffix = $vpnSuffix
RememberCredential = $true
AllUserConnection = $allUsers
}
Add-VpnConnection @args
$rasphoneRelPath = "Microsoft\Network\Connections\Pbk\rasphone.pbk"
if ($allUsers) {
$rasphonePath = "$env:ProgramData\$rasphoneRelPath"
} else {
$rasphonePath = "$env:AppData\$rasphoneRelPath"
2021-03-18 13:21:38 +00:00
}
2024-11-12 16:27:57 +00:00
$rasphone = Get-Content $rasphonePath -Raw
$regex = "^([\s\S]*\[${vpnName}\][\s\S]*IpInterfaceMetric=)(\d+)([\s\S]*)$"
$match = [Regex]::Match($rasphone, $regex)
$rasphone = $match.Groups[1].Value + '1' + $match.Groups[3].Value
$rasphone | Set-Content $rasphonePath
2021-03-18 13:21:38 +00:00
New-ItemProperty `
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" `
-Name "NegotiateDH2048_AES256" `
-PropertyType DWord `
-Value 1 `
-ErrorAction SilentlyContinue `
| Out-Null
if ($vpnSplit) {
Echo "Enabling split tunneling."
2024-11-12 16:27:57 +00:00
$args = @{
Name = $vpnName
SplitTunneling = $true
AllUserConnection = $allUsers
}
Set-VpnConnection @args
2021-03-18 13:21:38 +00:00
Echo "Adding routes for VPN networks."
foreach ($vnNetwork in $vpnNetworks) {
Echo " - $vnNetwork"
2024-11-12 16:27:57 +00:00
$args = @{
ConnectionName = $vpnName
DestinationPrefix = $vnNetwork
RouteMetric = 5
AllUserConnection = $allUsers
}
Add-VpnConnectionRoute @args
2021-03-18 13:21:38 +00:00
}
}
if ($restorePowerShellPolicy) {
Echo "Restoring PowerShell default policy."
Set-ExecutionPolicy `
-ExecutionPolicy Undefined `
-Scope LocalMachine
}
Echo "Connection created successfully."