Open ridercz opened 6 years ago
@nopdotcom Any reasons you preferred the one to the other?
I didn't want to explain how to paste into a console window; you can use Ctrl-V in ISE. Not all people have the new console yet. I didn't say "use either PS or PS ISE" because there'd be a lingering feeling the other method should be documented too; maybe I should revisit whether that's necessary.
(you didn't ask this, but I'm just writing it here)
The reason we don't use downloaded `.cmd` or `.ps1` files is that most people have script execution turned off, because that's Microsoft's default. You need to do a dance to turn it on, and we'd then need another to change it back.
I've had problems before with end-users being able to run `.reg` files, which would otherwise be the standard way of installing the NAT registry key. I could be convinced to do that instead, but I do like the transparency of showing what's going on.
AFAIK the tool for managing the VPN is a pure PowerShell cmdlet and not easily available to `cmd.exe`.
All that being said, I am emphatically not a Windows person; I'm just faking it. If there are better ways to do this, I'd rather use them. I do need to keep the instructions relatively simple.
One caveat: The Streisand builder is complicated to run, but Streisand users should be able to follow our directions without too much technical knowledge. I forget this a lot myself....
Well, I am emphatically a Windows person and I'm just faking my Linux skills. So we can join our powers together.
I like the OpenVPN approach: you have one file and it does everything for you. I can prepare a CMD file which will perform all the setup steps necessary on Windows 8 and higher. Of course, we will retain the manual configuration steps as a fallback.
I can prepare the file, but I'm unable to embed it into the build process (my Linux/Ansible faking skills aren't good enough), so you - or someone else - will have to do it.
If you think it's a good idea, let me know.
Yeah, an example would be very cool. I can do the templating of it. Here's the spot that currently generates the PS1 line.
I think the OpenVPN approach is great for users, and I wish everything was like that on all platforms. For L2TP, the `mobileconfig` stuff for OS X and iOS is an example. (There appears to be no way to auto-configure L2TP on Android without root. Thanks, Android.)
One possible approach to a cmd-based installer would be to invoke PowerShell with a base64 command.
> `-EncodedCommand`
> Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.
I've vaguely considered building a Windows NSIS "installer" during deployment that would shotgun-install all configuration information for all services, and maybe even the client software. I would really prefer a text-based configuration; even a signed script is good.
I don't think Base64 would be necessary. I would also like to avoid that so users can read and understand the batch file. I'll take a look into that.
So, this is my solution:
```bat
@ECHO OFF
REM -- Override these variables for configuration
SET VPN_NAME=MyStreisandVpn
SET VPN_SERVER=mystreisandserver.somewhere.com
SET VPN_PSK=my-preshared-key

REM -- Check if we are elevated
>NUL 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
IF '%ERRORLEVEL%' NEQ '0' (
    ECHO This script must be run from the elevated command prompt.
    GOTO SHOW_UAC_PROMPT
) ELSE (
    GOTO IS_ELEVATED
)

REM -- Run this script using WSH as elevated
:SHOW_UAC_PROMPT
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%TEMP%\streisand-elevateme.vbs"
ECHO UAC.ShellExecute "cmd.exe", "/c %~s0 ", "", "runas", 1 >> "%TEMP%\streisand-elevateme.vbs"
"%TEMP%\streisand-elevateme.vbs"
DEL "%TEMP%\streisand-elevateme.vbs"
EXIT /B

REM -- Already elevated or ran using WSH above
:IS_ELEVATED

REM -- Show header
ECHO *******************************************************************************
ECHO **                   STREISAND VPN CONFIGURATION SCRIPT                      **
ECHO *******************************************************************************
ECHO.
ECHO This script will configure the %VPN_NAME% VPN on this computer.
CHOICE /M "Do you want to continue"
IF '%ERRORLEVEL%' NEQ '1' EXIT /B
ECHO.

REM -- Enable L2TP VPN over NAT
ECHO Enabling L2TP/IPsec VPN over NAT:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f
ECHO.

REM -- Create the connection
ECHO Creating VPN connection (the warning is expected and may be ignored):
powershell -Command Add-VpnConnection -Name %VPN_NAME% -ServerAddress %VPN_SERVER% -AuthenticationMethod Chap -EncryptionLevel Optional -TunnelType L2tp -Force -RememberCredential -L2tpPsk %VPN_PSK%
IF '%ERRORLEVEL%' NEQ '0' (
    ECHO.
    ECHO Unable to automatically create the VPN connection.
    ECHO Please use the manual setup method.
) ELSE (
    ECHO.
    ECHO The VPN connection has been configured. It might be necessary to reboot
    ECHO the computer for you to be able to use it.
)
ECHO.
PAUSE
```
This batch file will:
I thought about adding the automatic reboot to the script (with user consent), but then decided not to - users know how to do it :-).
The script is designed to behave nicely both when run from the console and when double-clicked as is.
To customize it, just modify the `SET VPN_*=value` part on top. The script itself does not use any special characters such as curly braces, so I believe the transformation should be quite straightforward.
Most of the code is explanation and confirmation. It can be made much more succinct, but I don't think it's a good idea to just flash a black window and do the magic silently; we aren't Penn & Teller ;-).
(Holidays got in the way, sorry.)
I can write the detailed directions and the template for that, although I wanna play with it before I commit. How would the user download and run this script?
By the way, there's a prettier way to request UAC elevation without creating a temporary .vbs: `powershell Start-Process -Verb runAs -FilePath cmd -ArgumentList '/c %~s0'`. (Hopefully `%~s0` expands properly; I don't have access to a Windows box right now so I can't test it.)
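For comparison, here is an added example (not Streisand's own code and not posted by either participant) that does the same job as the batch script above as a PowerShell script and uses the `Start-Process -Verb RunAs` elevation idea instead of a temporary .vbs file. It assumes the user launches it as `powershell -ExecutionPolicy Bypass -File streisand-vpn.ps1` (or has script execution enabled), since the thread notes execution is off by default; the three default values are constructed placeholders.

```powershell
# Added example, not the project's own code: PowerShell equivalent of the batch
# installer, self-elevating via Start-Process -Verb RunAs (no temporary .vbs)
# and checking each step instead of trusting the ERRORLEVEL of the last command.
# The three default values are constructed placeholders.
param(
    [string]$VpnName   = 'MyStreisandVpn',
    [string]$VpnServer = 'mystreisandserver.somewhere.com',
    [string]$VpnPsk    = 'my-preshared-key'
)

# Re-launch elevated when the current token lacks the Administrator role.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # The elevated copy starts with a fresh policy, so pass the same flags again.
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"",
                 '-VpnName', $VpnName, '-VpnServer', $VpnServer, '-VpnPsk', $VpnPsk)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList
    exit
}

# 1. NAT traversal: value 2 lets both the client and the server sit behind NAT.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'
$cur  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($cur -ne 2) {
    Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord
    Write-Host "Set $name to 2 (was '$cur'); a reboot may be needed before it takes effect."
} else {
    Write-Host "$name is already 2."
}

# 2. Create the L2TP/IPsec connection only if one with that name does not exist.
if (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Write-Host "VPN connection '$VpnName' already exists; leaving it unchanged."
} else {
    try {
        Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType L2tp `
            -L2tpPsk $VpnPsk -AuthenticationMethod Chap -EncryptionLevel Optional `
            -RememberCredential -Force -ErrorAction Stop
    } catch {
        Write-Error "Unable to create the VPN connection: $_`nPlease use the manual setup method."
        exit 1
    }
}

# 3. Verify the result instead of assuming the previous command succeeded.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
Write-Host ("Configured '{0}' -> {1} ({2})" -f $vpn.Name, $vpn.ServerAddress, $vpn.TunnelType)
```

Because the PSK is passed on the command line of the elevated copy, it is visible in process-creation logs and to local tools that list command lines; the batch script has the same property.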
The L2TP/IPSec instructions direct users to use PowerShell ISE. Why? IMHO it is easier to let them use standard PowerShell or, even better, standard CMD.