StreisandEffect / discussions


Why PowerShell ISE? #74

Open ridercz opened 6 years ago

ridercz commented 6 years ago

The L2TP/IPSec instructions direct users to use PowerShell ISE. Why? IMHO it is easier to let them use standard PowerShell or, even better, standard CMD.

cpu commented 6 years ago

@nopdotcom Any reasons you preferred the one to the other?

nopdotcom commented 6 years ago

I didn't want to explain how to paste into a console window; you can use Ctrl-V in ISE. Not all people have the new console yet. I didn't say "use either PS or PS ISE" because there'd be a lingering feeling the other method should be documented too; maybe I should revisit whether that's necessary.

(you didn't ask this, but I'm just writing it here)

The reason we don't use downloaded .cmd or .ps1 files is that most people have script execution turned off, because that's Microsoft's default. You need to do a dance to turn it on, and we'd then need another to change it back.

I've had problems before with end-users being able to run .reg files, which would otherwise be the standard way of installing the NAT registry key. I could be convinced to do that instead, but I do like the transparency of showing what's going on.

AFAIK the tool for managing the VPN is a pure PowerShell cmdlet and not easily available to cmd.exe.

nopdotcom commented 6 years ago

All that being said, I am emphatically not a Windows person; I'm just faking it. If there are better ways to do this, I'd rather use them. I do need to keep the instructions relatively simple.

One caveat: The Streisand builder is complicated to run, but Streisand users should be able to follow our directions without too much technical knowledge. I forget this a lot myself....

ridercz commented 6 years ago

Well, I am emphatically a Windows person and I'm just faking my Linux skills. So we can join our powers together.

I like the OpenVPN approach: you have one file and it does everything for you. I can prepare CMD file, which will perform all the setup steps necessary, on Windows 8 and higher. Of course, we will retain the manual configuration steps as a fallback.

I can prepare the file, but I'm unable to embed it into the build process (my Linux/Ansible faking skills aren't good enough), so you - or someone else - have to do it.

If you think it's a good idea, let me know.

nopdotcom commented 6 years ago

Yeah, an example would be very cool. I can do the templating of it. Here's the spot that currently generates the PS1 line.

I think the OpenVPN approach is great for users, and I wish everything was like that on all platforms. For L2TP, the mobileconfig stuff for OS X and iOS is an example. (There appears to be no way to auto-configure L2TP on Android without root. Thanks, Android.)

One possible approach to a cmd-based installer would be to invoke PowerShell with a base64 command.

-EncodedCommand
     Accepts a base-64-encoded string version of a command. Use this parameter
     to submit commands to Windows PowerShell that require complex quotation
     marks or curly braces.

I've vaguely considered building a Windows NSIS "installer" during deployment that would shotgun-install all configuration information for all services, and maybe even the client software. I would really prefer a text-based configuration; even a signed script is good.
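As an added illustration of the -EncodedCommand route (not code from this thread or the Streisand project), the following PowerShell builds the encoded line a .cmd file would carry and decodes it back so a reviewer can see what would actually run; the VPN name, server and PSK are placeholders, and the helper function names are my own.

```powershell
# Added example, not from the Streisand project. Builds and audits the
# "powershell -EncodedCommand <base64>" line nopdotcom mentions above.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # -EncodedCommand expects base64 over the UTF-16LE ("Unicode") bytes of
    # the script text, not UTF-8; the wrong charset yields a silent no-op.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # Reverse step: what a reviewer runs on a batch file before trusting it.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function ConvertTo-PSLiteral([string]$Value) {
    # Single-quote the value and double any embedded quote, so a PSK that
    # contains cmd metacharacters (& | % ^) or spaces cannot break the line.
    "'" + $Value.Replace("'", "''") + "'"
}

$vpnName   = 'MyStreisandVpn'           # placeholder
$vpnServer = 'vpn.example.invalid'      # placeholder
$vpnPsk    = 'pre&shared ''key'' 100%'  # placeholder, deliberately awkward

# Same cmdlet call as the batch file in the thread; quoting added.
$template = 'Add-VpnConnection -Name {0} -ServerAddress {1} -TunnelType L2tp ' +
            '-L2tpPsk {2} -AuthenticationMethod Chap -EncryptionLevel Optional ' +
            '-RememberCredential -Force'
$addVpn = $template -f (ConvertTo-PSLiteral $vpnName),
                       (ConvertTo-PSLiteral $vpnServer),
                       (ConvertTo-PSLiteral $vpnPsk)

$encoded = ConvertTo-EncodedCommand $addVpn
"powershell -NoProfile -EncodedCommand $encoded"   # the line the .cmd would carry

# Audit: decode it again and confirm the round trip is lossless.
$decoded = ConvertFrom-EncodedCommand $encoded
if ($decoded -ne $addVpn) { throw 'round-trip mismatch' }
$decoded
```

Note that an encoded command is opaque to the end user and is a pattern endpoint security products commonly flag, which is an additional argument for keeping the installer in readable plain text.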

ridercz commented 6 years ago

I don't think Base64 would be necessary. I would also like to avoid that so users can read and understand the batch file. I'll take a look into that.

ridercz commented 6 years ago

So, this is my solution:

@ECHO OFF

REM -- Override these variables for configuration
SET VPN_NAME=MyStreisandVpn
SET VPN_SERVER=mystreisandserver.somewehere.com
SET VPN_PSK=my-preshared-key

REM -- Check if we are elevated
>NUL 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
IF '%ERRORLEVEL%' NEQ '0' (
    ECHO This script must be run from the elevated command prompt.
    GOTO SHOW_UAC_PROMPT
) ELSE (
    GOTO IS_ELEVATED
)

REM -- Run this script using WSH as elevated
:SHOW_UAC_PROMPT
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%TEMP%\streisand-elevateme.vbs"
ECHO UAC.ShellExecute "cmd.exe", "/c %~s0 ", "", "runas", 1 >> "%TEMP%\streisand-elevateme.vbs"
"%TEMP%\streisand-elevateme.vbs"
DEL "%TEMP%\streisand-elevateme.vbs"
EXIT /B

REM -- Already elevated or ran using WSH above
:IS_ELEVATED

REM -- Show header
ECHO *******************************************************************************
ECHO ** STREISAND VPN CONFIGURATION SCRIPT                                        **
ECHO *******************************************************************************
ECHO.
ECHO This script will configure the %VPN_NAME% VPN on this computer.
CHOICE /M "Do you want to continue"
IF '%ERRORLEVEL%' NEQ '1' EXIT /B
ECHO.

REM -- Enable L2TP VPN over NAT
ECHO Enabling L2TP/IPsec VPN over NAT:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f
ECHO.

REM -- Create the connection
ECHO Creating VPN connection (the warning is expected and may be ignored):
powershell -Command Add-VpnConnection -Name %VPN_NAME% -ServerAddress %VPN_SERVER% -AuthenticationMethod Chap -EncryptionLevel Optional -TunnelType L2tp -Force -RememberCredential -L2tpPsk %VPN_PSK%

IF '%ERRORLEVEL%' NEQ '0' (
    ECHO.
    ECHO Unable to automatically create the VPN connection.
    ECHO Please use the manual setup method.
) ELSE (
    ECHO.
    ECHO The VPN connection has been configured. It might be necessary to reboot 
    ECHO the computer for you to be able to use it.
)
ECHO.
PAUSE

This batch file will:

  1. Check if it's elevated (required for the command to succeed).
  2. If not, it will ask for elevation.
  3. Will display some info about what it is going to do and ask the user if they want to proceed.
  4. Will enable VPN through NAT (create or modify registry key).
  5. Will create the VPN over PowerShell.
  6. Will warn the user that he might need to reboot the computer.
  7. Wait for any key to be pressed.

I thought about adding the automatic reboot to the script (with user consent), but then decided not to - users know how to do it :-).

The script is designed to behave nicely both when run from the console and when double-clicked as is.

To customize it, just modify the SET VPN_*=value part on top. The script itself does not use any special characters such as curly braces so I believe the transformation should be quite straightforward.

ridercz commented 6 years ago

Most of the code is explanation and confirmation. It can be made much more succinct, but I don't think it's a good idea to just flash a black window and do the magic silently, we aren't Penn & Teller ;-).

nopdotcom commented 6 years ago

(Holidays got in the way, sorry.)

I can write the detailed directions and the template for that, although I wanna play with it before I commit. How would the user download and run this script?

Hitechcomputergeek commented 6 years ago

By the way, there's a prettier way to request UAC elevation without creating a temporary .vbs - powershell Start-Process -Verb runAs -FilePath cmd -ArgumentList '/c %~s0'. (Hopefully %~s0 expands properly; I don't have access to a Windows box right now so I can't test it.)