First version, script added
This commit is contained in:
parent
45894fa1a5
commit
2a35ef9ab7
32
README.md
32
README.md
|
@ -1,3 +1,31 @@
|
||||||
# windows-vpn
|
# Windows IPsec configurator
|
||||||
|
|
||||||
Script to automate VPN connection creation on Windows
|
Script to automate VPN connection creation on Windows.
|
||||||
|
|
||||||
|
You need to execute this script as administrator.
|
||||||
|
|
||||||
|
To be able to execute it you have to manually run the following commnand in
|
||||||
|
PowerShell (also as administrator).
|
||||||
|
|
||||||
|
```
|
||||||
|
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
|
||||||
|
```
|
||||||
|
|
||||||
|
To avoid DNS issues because of Windows 10 "smart multi-homed name resolution"
|
||||||
|
you have to manually (it cannot be done via scripting) change the connection
|
||||||
|
metric under:
|
||||||
|
|
||||||
|
- VPN connection > Properties > Networking > TCP/IPv4 > Properties > Advanced...
|
||||||
|
- Disable "Automatic metric" and set "Interface metric" to 1.
|
||||||
|
|
||||||
|
More info about the issue at:
|
||||||
|
|
||||||
|
- https://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working
|
||||||
|
|
||||||
|
The EAP XML configuration can be generated from an existing connection using
|
||||||
|
the following commands.
|
||||||
|
|
||||||
|
```
|
||||||
|
$conn = Get-VpnConnection -Name $vpnName
|
||||||
|
$conn.EapConfigXmlStream.InnerXml
|
||||||
|
```
|
|
@ -0,0 +1,127 @@
|
||||||
|
# Basic configuration
|
||||||
|
|
||||||
|
$vpnName = "Verdnatura"
|
||||||
|
$vpnHost = "vpn.verdnatura.es"
|
||||||
|
$vpnSuffix = "verdnatura.es"
|
||||||
|
|
||||||
|
# Advanced configuration
|
||||||
|
|
||||||
|
$vpnSplit = $true
|
||||||
|
$vpnNetworks = @("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
|
||||||
|
$vpnCaUrl = "https://cdn.verdnatura.es/public/verdnatura.der"
|
||||||
|
$caHash = "028a316a3072f402c10fd7699cb061c93cc5cb15"
|
||||||
|
$eapConfig =
|
||||||
|
@"
|
||||||
|
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
|
||||||
|
<EapMethod>
|
||||||
|
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
|
||||||
|
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
|
||||||
|
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
|
||||||
|
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
|
||||||
|
</EapMethod>
|
||||||
|
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
|
||||||
|
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
|
||||||
|
<ServerValidation>
|
||||||
|
<ServerNames></ServerNames>
|
||||||
|
<TrustedRootCAHash>2 8a 31 6a 30 72 f4 2 c1 f d7 69 9c b0 61 c9 3c c5 cb 15</TrustedRootCAHash>
|
||||||
|
<DisablePrompt>false</DisablePrompt>
|
||||||
|
</ServerValidation>
|
||||||
|
<Phase2Authentication>
|
||||||
|
<PAPAuthentication/>
|
||||||
|
</Phase2Authentication>
|
||||||
|
<Phase1Identity>
|
||||||
|
<IdentityPrivacy>false</IdentityPrivacy>
|
||||||
|
</Phase1Identity>
|
||||||
|
</EapTtls>
|
||||||
|
</Config>
|
||||||
|
</EapHostConfig>
|
||||||
|
"@
|
||||||
|
|
||||||
|
# Scripting
|
||||||
|
|
||||||
|
$restorePowerShellPolicy = $false
|
||||||
|
$ErrorActionPreference = "Inquire"
|
||||||
|
|
||||||
|
$hasCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $caHash}
|
||||||
|
|
||||||
|
if (!$hasCa) {
|
||||||
|
Echo "Downloading and installing CA certificate."
|
||||||
|
|
||||||
|
$caFile = "$env:TEMP\$caHash.der"
|
||||||
|
|
||||||
|
Invoke-WebRequest $vpnCaUrl `
|
||||||
|
-OutFile $caFile
|
||||||
|
|
||||||
|
Import-Certificate `
|
||||||
|
-FilePath $caFile `
|
||||||
|
-CertStoreLocation Cert:\LocalMachine\Root `
|
||||||
|
| Out-Null
|
||||||
|
|
||||||
|
Remove-Item $caFile
|
||||||
|
}
|
||||||
|
|
||||||
|
Echo "Creating the VPN connection."
|
||||||
|
|
||||||
|
Try {
|
||||||
|
Remove-VpnConnection `
|
||||||
|
-Name $vpnName `
|
||||||
|
-AllUserConnection `
|
||||||
|
-Force `
|
||||||
|
-ErrorAction Stop
|
||||||
|
} Catch {
|
||||||
|
If ($_.Exception.StatusCode -eq 1) {
|
||||||
|
Throw "Connection '$vpnName' is open, close it before running the script."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$eapXml = New-Object -TypeName System.Xml.XmlDocument
|
||||||
|
$eapXml.LoadXml($eapConfig)
|
||||||
|
|
||||||
|
Add-VpnConnection `
|
||||||
|
-Name $vpnName `
|
||||||
|
-AllUserConnection `
|
||||||
|
-ServerAddress $vpnHost `
|
||||||
|
-TunnelType Ikev2 `
|
||||||
|
-EncryptionLevel Required `
|
||||||
|
-AuthenticationMethod Eap `
|
||||||
|
-EapConfigXmlStream $eapXml `
|
||||||
|
-DnsSuffix $vpnSuffix `
|
||||||
|
-RememberCredential
|
||||||
|
|
||||||
|
New-ItemProperty `
|
||||||
|
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" `
|
||||||
|
-Name "NegotiateDH2048_AES256" `
|
||||||
|
-PropertyType DWord `
|
||||||
|
-Value 1 `
|
||||||
|
-ErrorAction SilentlyContinue `
|
||||||
|
| Out-Null
|
||||||
|
|
||||||
|
if ($vpnSplit) {
|
||||||
|
Echo "Enabling split tunneling."
|
||||||
|
|
||||||
|
Set-VpnConnection `
|
||||||
|
-Name $vpnName `
|
||||||
|
-AllUserConnection `
|
||||||
|
-SplitTunneling $true
|
||||||
|
|
||||||
|
Echo "Adding routes for VPN networks."
|
||||||
|
|
||||||
|
foreach ($vnNetwork in $vpnNetworks) {
|
||||||
|
Echo " - $vnNetwork"
|
||||||
|
Add-VpnConnectionRoute `
|
||||||
|
-ConnectionName $vpnName `
|
||||||
|
-AllUserConnection `
|
||||||
|
-DestinationPrefix $vnNetwork `
|
||||||
|
-RouteMetric 5
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($restorePowerShellPolicy) {
|
||||||
|
Echo "Restoring PowerShell default policy."
|
||||||
|
|
||||||
|
Set-ExecutionPolicy `
|
||||||
|
-ExecutionPolicy Undefined `
|
||||||
|
-Scope LocalMachine
|
||||||
|
}
|
||||||
|
|
||||||
|
Echo "Connection created successfully."
|
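Review bot: The file fetched by `Invoke-WebRequest $vpnCaUrl` is passed straight to `Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root` without checking that its thumbprint equals `$caHash`, so the pin only decides whether the download runs, not what ends up in the machine-wide trusted root store; a wrong or tampered download becomes a trusted root on every account of the machine. Load the downloaded file as an X509Certificate2, compare its `.Thumbprint` to `$caHash` and abort on mismatch before importing (PowerShell `-eq`/`-ne` are case-insensitive, which the existing `$hasCa` check already relies on). Relatedly, `<ServerNames></ServerNames>` leaves server-name validation empty, so any server certificate chaining to the pinned root is accepted for an EAP-TTLS connection that sends the PAP password inside the tunnel; since the here-string is `@"…"@` and interpolates, `<ServerNames>$vpnHost</ServerNames>` would narrow that to the intended host. The `TrustedRootCAHash` element also repeats `$caHash` in a second hand-written byte format; deriving it from `$caHash` in the script would keep the two values from drifting apart.
```powershell
    Invoke-WebRequest $vpnCaUrl `
        -OutFile $caFile

    # Refuse to trust anything other than the pinned CA (thumbprints compare case-insensitively).
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caFile
    if ($caCert.Thumbprint -ne $caHash) {
        Remove-Item $caFile
        Throw "Downloaded CA certificate thumbprint '$($caCert.Thumbprint)' does not match the expected '$caHash'."
    }

    # … unchanged: Import-Certificate, Remove-Item …
```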