diff --git a/README.md b/README.md index f655a33..ccc540d 100644 --- a/README.md +++ b/README.md @@ -174,7 +174,7 @@ Generates Apple `.mobileconfig` profiles for distributing CA certificates and op |---|---| | `--ca-cert` only | CA trust anchor | | `--ca-cert` + `--client-cert` + `--client-key` | CA trust anchor + PKCS#12 client certificate | -| All of the above + `--remote-address` + `--match-domains` | CA + client cert + IKEv2 VPN | +| All of the above + `--remote-address` + `--dns` + `--match-domains` | CA + client cert + IKEv2 VPN | ### Usage @@ -182,10 +182,9 @@ Generates Apple `.mobileconfig` profiles for distributing CA certificates and op generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \ --identifier com.example.vpn \ [--client-cert CLIENT.pem --client-key CLIENT_KEY.pem] \ - [--remote-address vpn.example.com --match-domains example.com] \ + [--remote-address vpn.example.com --dns 10.0.0.1 --match-domains example.com] \ [--profile-name "My VPN"] [--ca-name "My CA"] \ - [--client-name "My Cert"] [--vpn-name "My VPN Connection"] \ - [--openssl /usr/bin/openssl] + [--client-name "My Cert"] [--vpn-name "My VPN Connection"] ``` #### Required arguments @@ -202,6 +201,7 @@ generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \ #### VPN (requires client certificate) - `--remote-address FQDN` — VPN gateway hostname. +- `--dns IP [IP …]` — DNS server(s) for split DNS. - `--match-domains DOMAIN [DOMAIN …]` — Split-DNS domains routed through the VPN. #### Display name overrides (all optional) @@ -211,10 +211,6 @@ generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \ - `--client-name NAME` — Client cert payload display name (default: certificate CN). - `--vpn-name NAME` — VPN connection display name (default: profile name). -#### Other - -- `--openssl PATH` — Path to the `openssl` binary (default: `/usr/bin/openssl`). - ### Examples **CA trust profile only:** 
@@ -245,6 +241,7 @@ python3 generate-mobileconfig.py \
 --client-cert certs/alice_cert.pem \
 --client-key certs/alice_key.pem \
 --remote-address vpn.example.com \
+ --dns 10.0.0.1 \
 --match-domains example.com internal.example.com \
 --output alice-vpn.mobileconfig
 ```
diff --git a/generate-mobileconfig.py b/generate-mobileconfig.py
index b19af41..70542ec 100644
--- a/generate-mobileconfig.py
+++ b/generate-mobileconfig.py
@@ -67,6 +67,7 @@ def main():
 
 g_vpn = parser.add_argument_group("VPN (optional, requires client certificate)")
 g_vpn.add_argument("--remote-address", metavar="FQDN", help="VPN gateway FQDN")
+ g_vpn.add_argument("--dns", metavar="IP", nargs="+", help="DNS server(s) for split DNS")
 g_vpn.add_argument("--match-domains", metavar="DOMAIN", nargs="+", help="Split DNS domains")
 
 g_meta = parser.add_argument_group("Profile metadata")
@@ -91,7 +92,7 @@ def main():
 if args.client_key and not args.client_cert:
 parser.error("--client-cert is required when --client-key is specified")
 
- vpn_args = [args.remote_address, args.match_domains]
+ vpn_args = [args.remote_address, args.dns, args.match_domains]
 if any(vpn_args) and not all(vpn_args):
 parser.error("--remote-address and --match-domains must be specified together")
 if args.remote_address and not args.client_cert:
@@ -164,9 +165,13 @@ def main():
 "AuthenticationMethod": "None",
 "ExtendedAuthEnabled": 1,
 "PayloadCertificateUUID": uuid_cert,
- "SupplementalMatchDomains": args.match_domains,
 "OnDemandEnabled": 0,
 },
+ "DNS": {
+ "ServerAddresses": args.dns,
+ "SupplementalMatchDomains": args.match_domains,
+ "SupplementalMatchDomainsNoSearch": 1,
+ },
 })
 
 profile = {
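Review bot: The new `--dns` option on the added `g_vpn.add_argument` line accepts any string, so a typo such as `10.0.0` or a hostname is copied into `ServerAddresses` unchecked and would presumably surface only when the generated profile is rejected at install time. Validating each value at parse time, e.g. `type=lambda s: str(ipaddress.ip_address(s))`, lets argparse report a clear "invalid value" error instead and keeps the plist value a plain string. That requires `ipaddress` to be imported, and the file's import block is outside this hunk, so it may need adding. `main()` continues outside the hunk.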
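Review bot: The `parser.error` message two lines below the changed `vpn_args` line still names only `--remote-address` and `--match-domains`, but the all-or-nothing check now also covers `--dns`, so a user who omits `--dns` is told to supply flags they already gave and never sees the one that is missing. Change it to `parser.error("--remote-address, --dns and --match-domains must be specified together")`. The README hunks in this commit list `--dns` as part of the VPN option set, so the message should agree with them. `main()` continues outside the hunk.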
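Review bot: The new `DNS` dictionary carries no comment on why it sits beside the IKEv2 dictionary (after its closing `},`) rather than inside it, which is where `SupplementalMatchDomains` lived before this change and where the next reader may be tempted to move it back. A one-line comment above `"DNS": {` such as `# DNS settings are a sibling of the IKEv2 dict in the VPN payload, not nested inside it` would guard against that regression. Whether `SupplementalMatchDomainsNoSearch` should be the integer `1` (matching `ExtendedAuthEnabled` above) or a boolean depends on how the key is typed in the profile reference and is worth confirming. The enclosing dict literal and `main()` begin and end outside the hunk.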