From 2a35ef9ab77e20fa03d791aa6db9e3660ef3b769 Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Thu, 18 Mar 2021 14:21:38 +0100
Subject: [PATCH] First version, script added

---
 README.md | 32 +++++++++++-
 windows-vpn.ps1 | 127 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 windows-vpn.ps1

diff --git a/README.md b/README.md
index 550e207..2bd3e54 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,31 @@
-# windows-vpn
+# Windows IPsec configurator
-Script to automate VPN connection creation on Windows
\ No newline at end of file
+Script to automate VPN connection creation on Windows.
+
+You need to execute this script as administrator.
+
+To be able to execute it you have to manually run the following commnand in
+PowerShell (also as administrator).
+
+```
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
+```
+
+To avoid DNS issues because of Windows 10 "smart multi-homed name resolution"
+you have to manually (it cannot be done via scripting) change the connection
+metric under:
+
+ - VPN connection > Properties > Networking > TCP/IPv4 > Properties > Advanced...
+ - Disable "Automatic metric" and set "Interface metric" to 1.
+
+More info about the issue at:
+
+ - https://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working
+
+The EAP XML configuration can be generated from an existing connection using
+the following commands.
+
+```
+$conn = Get-VpnConnection -Name $vpnName
+$conn.EapConfigXmlStream.InnerXml
+```
\ No newline at end of file
diff --git a/windows-vpn.ps1 b/windows-vpn.ps1
new file mode 100644
index 0000000..991e2d6
--- /dev/null
+++ b/windows-vpn.ps1
@@ -0,0 +1,127 @@
+# Basic configuration
+
+$vpnName = "Verdnatura"
+$vpnHost = "vpn.verdnatura.es"
+$vpnSuffix = "verdnatura.es"
+
+# Advanced configuration
+
+$vpnSplit = $true
+$vpnNetworks = @("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
+$vpnCaUrl = "https://cdn.verdnatura.es/public/verdnatura.der"
+$caHash = "028a316a3072f402c10fd7699cb061c93cc5cb15"
+$eapConfig =
+@"
+
+ 21
+ 0
+ 0
+ 311
+
+
+
+
+
+ 2 8a 31 6a 30 72 f4 2 c1 f d7 69 9c b0 61 c9 3c c5 cb 15
+ false
+
+
+
+
+
+ false
+
+
+
+
+"@
+
+# Scripting
+
+$restorePowerShellPolicy = $false
+$ErrorActionPreference = "Inquire"
+
+$hasCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $caHash}
+
+if (!$hasCa) {
+ Echo "Downloading and installing CA certificate."
+
+ $caFile = "$env:TEMP\$caHash.der"
+
+ Invoke-WebRequest $vpnCaUrl `
+ -OutFile $caFile
+
+ Import-Certificate `
+ -FilePath $caFile `
+ -CertStoreLocation Cert:\LocalMachine\Root `
+ | Out-Null
+
+ Remove-Item $caFile
+}
+
+Echo "Creating the VPN connection."
+
+Try {
+ Remove-VpnConnection `
+ -Name $vpnName `
+ -AllUserConnection `
+ -Force `
+ -ErrorAction Stop
+} Catch {
+ If ($_.Exception.StatusCode -eq 1) {
+ Throw "Connection '$vpnName' is open, close it before running the script."
+ }
+}
+
+$eapXml = New-Object -TypeName System.Xml.XmlDocument
+$eapXml.LoadXml($eapConfig)
+
+Add-VpnConnection `
+ -Name $vpnName `
+ -AllUserConnection `
+ -ServerAddress $vpnHost `
+ -TunnelType Ikev2 `
+ -EncryptionLevel Required `
+ -AuthenticationMethod Eap `
+ -EapConfigXmlStream $eapXml `
+ -DnsSuffix $vpnSuffix `
+ -RememberCredential
+
+New-ItemProperty `
+ -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" `
+ -Name "NegotiateDH2048_AES256" `
+ -PropertyType DWord `
+ -Value 1 `
+ -ErrorAction SilentlyContinue `
+ | Out-Null
+
+if ($vpnSplit) {
+ Echo "Enabling split tunneling."
+
+ Set-VpnConnection `
+ -Name $vpnName `
+ -AllUserConnection `
+ -SplitTunneling $true
+
+ Echo "Adding routes for VPN networks."
+
+ foreach ($vnNetwork in $vpnNetworks) {
+ Echo " - $vnNetwork"
+ Add-VpnConnectionRoute `
+ -ConnectionName $vpnName `
+ -AllUserConnection `
+ -DestinationPrefix $vnNetwork `
+ -RouteMetric 5
+ }
+}
+
+if ($restorePowerShellPolicy) {
+ Echo "Restoring PowerShell default policy."
+
+ Set-ExecutionPolicy `
+ -ExecutionPolicy Undefined `
+ -Scope LocalMachine
+}
+
+Echo "Connection created successfully."
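Review bot: The certificate fetched by `Invoke-WebRequest $vpnCaUrl` is passed straight to `Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root` without checking that its thumbprint is the pinned `$caHash`; the `$hasCa` lookup only decides whether to download, so whatever the CDN serves becomes a machine-wide trusted root. Load the file as an X509Certificate2 and compare its Thumbprint with `$caHash` (PowerShell's `-ne` is case-insensitive, so the lowercase constant is fine) before the import, as in the fence below. Separately, `New-ItemProperty ... -ErrorAction SilentlyContinue` fails silently when `NegotiateDH2048_AES256` already exists, so a pre-existing value is never raised to 1; `Set-ItemProperty -Path ... -Name "NegotiateDH2048_AES256" -Type DWord -Value 1` creates or updates it. The TrustedRootCA digits in the EAP XML (`2 8a 31 6a 30 72 f4 2 c1 f d7 ...`) appear to lack the leading zeros present in `$caHash` (`02`, `02`, `0f`); if that is not a rendering artifact of this page, confirm the EAP parser accepts that form, since a mismatch would leave server validation pointing at a non-existent CA.
```powershell
    Invoke-WebRequest $vpnCaUrl `
        -OutFile $caFile

    # Only a certificate whose thumbprint equals the pinned $caHash may enter
    # the machine Root store; anything else is discarded and aborts the script.
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caFile)
    if ($caCert.Thumbprint -ne $caHash) {
        Remove-Item $caFile
        Throw "Downloaded CA thumbprint '$($caCert.Thumbprint)' does not match expected '$caHash'."
    }

    # … unchanged: Import-Certificate and Remove-Item …
```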