Add an iOS/OS X .mobileconfig file for L2TP #822
Disclaimer: I am not an ansible person; would love someone to clean up. The .mobileconfig included is very similar to what OS X Server emits. Note that we can't configure "AlwaysOn" VPNs because that apparently requires a "managed" device, and nobody really wants that. See https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html for more information.
Hi @nopdotcom I'm super excited to see this PR! Thank you! I know there are a number of people that will be happy to see this support. I'm likely not going to be able to review this until the weekend but I wanted to leave a note to make sure you know that the PR is noticed & in someone's queue. Thanks again
Cool, and thank you for the kind words. Perhaps I could convince @ccaviness to eyeball this PR for sanity’s sake. (Clay, I’m on Keybase.) I predict he’s going to tell me that I shouldn’t be writing XML in a text-based template language, and he’d be right. Just FYI: I am planning on building a It also looks like much of the drudgework in setting up L2TP on Windows can be done via a downloadable file; see
It's pretty common practice to template I'm not familiar with ansible or the specifics of configuring L2TP via profile, but looking through it everything seems sane.
@ccaviness, thanks for your help. I owe you one.
apt: | ||
name: uuid | ||
|
||
- name: Generate a UUID for this Apple .mobileconfig package |
nit: "this Apple .mobileconfig" -> "the Apple .mobileconfig"
shell: uuid -v4 | ||
register: l2tp_mobileconfig_package_uuid | ||
|
||
- name: Generate a UUID for this VPN for the Apple .mobileconfig package |
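Review bot: `shell: uuid -v4` returns a fresh random value on every playbook run, so the value registered in `l2tp_mobileconfig_package_uuid` changes each time and the task always reports "changed"; the second UUID task that starts on the last line here will presumably have the same issue. Nothing in the command needs a shell, so `command:` is enough, and `changed_when: false` would quiet the run output. A stable alternative is Ansible's `to_uuid` filter applied to a fixed string such as the server name, which would also remove the need for the `apt: name: uuid` dependency.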
Same nit comment as above.
<key>PayloadVersion</key> | ||
<integer>1</integer> | ||
<key>PayloadDisplayName</key> | ||
<string>Streisand L2TP config for({{ streisand_server_name }})</string> |
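Review bot: `{{ streisand_server_name }}` in the `PayloadDisplayName` string is interpolated into XML without escaping, so a server name containing `&` or `<` would produce a profile that fails to parse. Pipe it through Jinja2's `e` filter, i.e. `{{ streisand_server_name | e }}`, here and wherever else the template places a variable inside a `<string>` element.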
I think you're missing a space between "for" and ({{ here.
Sounds good! The TLS/HTTPS config needs some love overall. I have a bit of in-progress work here that I hope to return to. I can always catch up the mobileconfig afterwards.
I can confirm that the mobileconfig file works perfectly on iOS 10.3.3 connecting to a brand-new Streisand test server running this branch. Nice work! This is a great feature for L2TP users.
In addition to the feedback @cpu posted, I think we also need to add a couple of short sentences that explain how to use these (even though the steps are dead-simple).
Thanks for putting this together! This is a pretty fantastic first-time contribution.
|
||
There are two ways to configure the OS X L2TP VPN to connect to this Streisand server. The easiest is to install an OS X *profile* containing the VPN definition. You can also set it up manually. | ||
|
||
The profile is [available here](streisand.mobileconfig). |
We should include additional instructions here. Maybe something like...
"Double-click on the downloaded file to begin the connection setup process."
|
||
There are two ways to configure the iOS L2TP VPN to connect to this Streisand server. The easiest is to install an iOS *profile* containing the VPN definition. You can also set it up manually. | ||
|
||
The profile is [available here](streisand.mobileconfig). |
We should include additional instructions here. Maybe something like...
"Tap this link from your iOS device to begin the setup process."
Thanks for the feedback. I'll update the PR tonight or tomorrow.
The profile instructions reflect the user interface for iOS 10.3.2 and OS X 10.11. Added details on how to manage profiles, including removing them. Warned that profiles may be dangerous.
@jlund Can you give this another 🔍? I think it's ready to merge pending your review being accepted/dismissed.
This looks good to me. Merged! I created a related discussion with my thoughts on including screenshots in our documentation: StreisandEffect/discussions#33 Thanks again for making this happen!
Disclaimer: I am not an ansible person; would love someone to clean up.
The .mobileconfig generated is very similar to what OS X Server emits. Note that we can't configure "AlwaysOn" VPNs because that apparently requires a "managed" device, and nobody really wants that. See https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html for more information on these config files.
This PR addresses half of #136 (we still need to generate some mobileconfig containing our server certs) and I am ignoring the similar #512 until I understand what that “connect on demand” checkbox really does. (Probably not what you’d think.)