First version, script added
This commit is contained in:
parent
45894fa1a5
commit
2a35ef9ab7
32
README.md
32
README.md
|
@ -1,3 +1,31 @@
|
|||
# windows-vpn
|
||||
# Windows IPsec configurator
|
||||
|
||||
Script to automate VPN connection creation on Windows
|
||||
Script to automate VPN connection creation on Windows.
|
||||
|
||||
You need to execute this script as administrator.
|
||||
|
||||
To be able to execute it you have to manually run the following commnand in
|
||||
PowerShell (also as administrator).
|
||||
|
||||
```
|
||||
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
|
||||
```
|
||||
|
||||
To avoid DNS issues because of Windows 10 "smart multi-homed name resolution"
|
||||
you have to manually (it cannot be done via scripting) change the connection
|
||||
metric under:
|
||||
|
||||
- VPN connection > Properties > Networking > TCP/IPv4 > Properties > Advanced...
|
||||
- Disable "Automatic metric" and set "Interface metric" to 1.
|
||||
|
||||
More info about the issue at:
|
||||
|
||||
- https://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working
|
||||
|
||||
The EAP XML configuration can be generated from an existing connection using
|
||||
the following commands.
|
||||
|
||||
```
|
||||
$conn = Get-VpnConnection -Name $vpnName
|
||||
$conn.EapConfigXmlStream.InnerXml
|
||||
```
|
|
@ -0,0 +1,127 @@
|
|||
# Basic configuration
|
||||
|
||||
$vpnName = "Verdnatura"
|
||||
$vpnHost = "vpn.verdnatura.es"
|
||||
$vpnSuffix = "verdnatura.es"
|
||||
|
||||
# Advanced configuration
|
||||
|
||||
$vpnSplit = $true
|
||||
$vpnNetworks = @("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
|
||||
$vpnCaUrl = "https://cdn.verdnatura.es/public/verdnatura.der"
|
||||
$caHash = "028a316a3072f402c10fd7699cb061c93cc5cb15"
|
||||
$eapConfig =
|
||||
@"
|
||||
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
|
||||
<EapMethod>
|
||||
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
|
||||
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
|
||||
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
|
||||
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
|
||||
</EapMethod>
|
||||
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
|
||||
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
|
||||
<ServerValidation>
|
||||
<ServerNames></ServerNames>
|
||||
<TrustedRootCAHash>2 8a 31 6a 30 72 f4 2 c1 f d7 69 9c b0 61 c9 3c c5 cb 15</TrustedRootCAHash>
|
||||
<DisablePrompt>false</DisablePrompt>
|
||||
</ServerValidation>
|
||||
<Phase2Authentication>
|
||||
<PAPAuthentication/>
|
||||
</Phase2Authentication>
|
||||
<Phase1Identity>
|
||||
<IdentityPrivacy>false</IdentityPrivacy>
|
||||
</Phase1Identity>
|
||||
</EapTtls>
|
||||
</Config>
|
||||
</EapHostConfig>
|
||||
"@
|
||||
|
||||
# Scripting
|
||||
|
||||
$restorePowerShellPolicy = $false
|
||||
$ErrorActionPreference = "Inquire"
|
||||
|
||||
$hasCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $caHash}
|
||||
|
||||
if (!$hasCa) {
|
||||
Echo "Downloading and installing CA certificate."
|
||||
|
||||
$caFile = "$env:TEMP\$caHash.der"
|
||||
|
||||
Invoke-WebRequest $vpnCaUrl `
|
||||
-OutFile $caFile
|
||||
|
||||
Import-Certificate `
|
||||
-FilePath $caFile `
|
||||
-CertStoreLocation Cert:\LocalMachine\Root `
|
||||
| Out-Null
|
||||
|
||||
Remove-Item $caFile
|
||||
}
|
||||
|
||||
Echo "Creating the VPN connection."
|
||||
|
||||
Try {
|
||||
Remove-VpnConnection `
|
||||
-Name $vpnName `
|
||||
-AllUserConnection `
|
||||
-Force `
|
||||
-ErrorAction Stop
|
||||
} Catch {
|
||||
If ($_.Exception.StatusCode -eq 1) {
|
||||
Throw "Connection '$vpnName' is open, close it before running the script."
|
||||
}
|
||||
}
|
||||
|
||||
$eapXml = New-Object -TypeName System.Xml.XmlDocument
|
||||
$eapXml.LoadXml($eapConfig)
|
||||
|
||||
Add-VpnConnection `
|
||||
-Name $vpnName `
|
||||
-AllUserConnection `
|
||||
-ServerAddress $vpnHost `
|
||||
-TunnelType Ikev2 `
|
||||
-EncryptionLevel Required `
|
||||
-AuthenticationMethod Eap `
|
||||
-EapConfigXmlStream $eapXml `
|
||||
-DnsSuffix $vpnSuffix `
|
||||
-RememberCredential
|
||||
|
||||
New-ItemProperty `
|
||||
-Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" `
|
||||
-Name "NegotiateDH2048_AES256" `
|
||||
-PropertyType DWord `
|
||||
-Value 1 `
|
||||
-ErrorAction SilentlyContinue `
|
||||
| Out-Null
|
||||
|
||||
if ($vpnSplit) {
|
||||
Echo "Enabling split tunneling."
|
||||
|
||||
Set-VpnConnection `
|
||||
-Name $vpnName `
|
||||
-AllUserConnection `
|
||||
-SplitTunneling $true
|
||||
|
||||
Echo "Adding routes for VPN networks."
|
||||
|
||||
foreach ($vnNetwork in $vpnNetworks) {
|
||||
Echo " - $vnNetwork"
|
||||
Add-VpnConnectionRoute `
|
||||
-ConnectionName $vpnName `
|
||||
-AllUserConnection `
|
||||
-DestinationPrefix $vnNetwork `
|
||||
-RouteMetric 5
|
||||
}
|
||||
}
|
||||
|
||||
if ($restorePowerShellPolicy) {
|
||||
Echo "Restoring PowerShell default policy."
|
||||
|
||||
Set-ExecutionPolicy `
|
||||
-ExecutionPolicy Undefined `
|
||||
-Scope LocalMachine
|
||||
}
|
||||
|
||||
Echo "Connection created successfully."
|
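Review bot: The file fetched by `Invoke-WebRequest $vpnCaUrl` is imported straight into Cert:\LocalMachine\Root without checking that its thumbprint equals `$caHash`, so whatever the URL serves at that moment becomes a trusted root for the whole machine; `$caHash` is only consulted to decide whether the CA is already installed. Load the downloaded file as an X509Certificate2, compare its Thumbprint with `$caHash` (PowerShell's `-ne` is case-insensitive, so the uppercase thumbprint still matches the lowercase constant) and abort before `Import-Certificate` on mismatch, as below. Separately, the EAP XML leaves `<ServerNames></ServerNames>` empty, which turns off server-name checking for EAP-TTLS while Phase 2 is PAP; the config is an expandable here-string, so `<ServerNames>$vpnHost</ServerNames>` would pin it to the configured host. The `Catch` around Remove-VpnConnection also discards every failure except StatusCode 1; adding `Else { Throw $_ }` would surface the others instead of continuing into Add-VpnConnection.
```powershell
    $caFile = "$env:TEMP\$caHash.der"

    Invoke-WebRequest $vpnCaUrl `
        -OutFile $caFile

    # Verify the downloaded certificate before installing it as a trusted root.
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caFile)
    if ($caCert.Thumbprint -ne $caHash) {
        Remove-Item $caFile
        Throw "Downloaded CA thumbprint '$($caCert.Thumbprint)' does not match expected '$caHash'."
    }

    # … unchanged: Import-Certificate and Remove-Item …
```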