feat: Add DNS server support for VPN configuration in mobileconfig generation

README.md

@@ -174,7 +174,7 @@ Generates Apple `.mobileconfig` profiles for distributing CA certificates and op
 |---|---|
 | `--ca-cert` only | CA trust anchor |
 | `--ca-cert` + `--client-cert` + `--client-key` | CA trust anchor + PKCS#12 client certificate |
-| All of the above + `--remote-address` + `--match-domains` | CA + client cert + IKEv2 VPN |
+| All of the above + `--remote-address` + `--dns` + `--match-domains` | CA + client cert + IKEv2 VPN |
 
 ### Usage
 
@@ -182,10 +182,9 @@ Generates Apple `.mobileconfig` profiles for distributing CA certificates and op
 generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \
     --identifier com.example.vpn \
     [--client-cert CLIENT.pem --client-key CLIENT_KEY.pem] \
-    [--remote-address vpn.example.com --match-domains example.com] \
+    [--remote-address vpn.example.com --dns 10.0.0.1 --match-domains example.com] \
     [--profile-name "My VPN"] [--ca-name "My CA"] \
-    [--client-name "My Cert"] [--vpn-name "My VPN Connection"] \
+    [--client-name "My Cert"] [--vpn-name "My VPN Connection"]
-    [--openssl /usr/bin/openssl]
 ```
 
 #### Required arguments
@@ -202,6 +201,7 @@ generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \
 #### VPN (requires client certificate)
 
 - `--remote-address FQDN` — VPN gateway hostname.
+- `--dns IP [IP …]` — DNS server(s) for split DNS.
 - `--match-domains DOMAIN [DOMAIN …]` — Split-DNS domains routed through the VPN.
 
 #### Display name overrides (all optional)
@@ -211,10 +211,6 @@ generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \
 - `--client-name NAME` — Client cert payload display name (default: certificate CN).
 - `--vpn-name NAME` — VPN connection display name (default: profile name).
 
-#### Other
-
-- `--openssl PATH` — Path to the `openssl` binary (default: `/usr/bin/openssl`).
-
 ### Examples
 
 **CA trust profile only:**
@@ -245,6 +241,7 @@ python3 generate-mobileconfig.py \
     --client-cert certs/alice_cert.pem \
     --client-key  certs/alice_key.pem \
     --remote-address vpn.example.com \
+    --dns 10.0.0.1 \
     --match-domains example.com internal.example.com \
     --output alice-vpn.mobileconfig
 ```

generate-mobileconfig.py

@@ -67,6 +67,7 @@ def main():
 
     g_vpn = parser.add_argument_group("VPN (optional, requires client certificate)")
     g_vpn.add_argument("--remote-address", metavar="FQDN", help="VPN gateway FQDN")
+    g_vpn.add_argument("--dns",            metavar="IP", nargs="+", help="DNS server(s) for split DNS")
     g_vpn.add_argument("--match-domains",  metavar="DOMAIN", nargs="+", help="Split DNS domains")
 
     g_meta = parser.add_argument_group("Profile metadata")
@@ -91,7 +92,7 @@ def main():
     if args.client_key and not args.client_cert:
         parser.error("--client-cert is required when --client-key is specified")
 
-    vpn_args = [args.remote_address, args.match_domains]
+    vpn_args = [args.remote_address, args.dns, args.match_domains]
     if any(vpn_args) and not all(vpn_args):
         parser.error("--remote-address and --match-domains must be specified together")
     if args.remote_address and not args.client_cert:
@@ -164,9 +165,13 @@ def main():
                 "AuthenticationMethod":              "None",
                 "ExtendedAuthEnabled":               1,
                 "PayloadCertificateUUID":            uuid_cert,
-                "SupplementalMatchDomains":          args.match_domains,
                 "OnDemandEnabled":                   0,
             },
+            "DNS": {
+                "ServerAddresses":                  args.dns,
+                "SupplementalMatchDomains":         args.match_domains,
+                "SupplementalMatchDomainsNoSearch": 1,
+            },
         })
 
     profile = {