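#!/bin/zsh
#
# Generate an Apple configuration profile (.mobileconfig) for an IKEv2 VPN
# with certificate authentication and on-demand rules (strongSwan-style
# layout under /etc/ipsec.d).  The profile bundles three payloads:
#   1. the VPN configuration (com.apple.vpn.managed),
#   2. the client identity as PKCS#12 (com.apple.security.pkcs12),
#   3. the CA root certificate (com.apple.security.root).
#
# Usage (as a user that can read /etc/ipsec.d/private, on Linux):
#   umask 077; ./mkprofile.zsh > "${CLIENT}.mobileconfig"
#
# SECURITY: the output embeds the client's PRIVATE KEY together with the
# PKCS#12 password in clear text.  Treat the generated file as a secret:
# create it with a restrictive umask, move it to the device over a trusted
# channel only, and delete every copy once the profile is installed.
# Optionally sign the profile (e.g. openssl smime -sign) so the device shows
# it as "Verified" rather than "Unsigned".
#
# Adjust the variables below before running.

# Fail on the first error, on unset variables and on a failing pipeline
# stage so that a missing key/cert can never produce a silently incomplete
# (and therefore non-working) profile.
set -e
set -u
set -o pipefail

CLIENT="me"                  # client name; also the key/cert basename in /etc/ipsec.d
SERVER="debian"              # short server name used in payload display names
FQDN="debian.example.com"    # VPN gateway address and remote IKE identity
CA="ca"                      # CA certificate basename in /etc/ipsec.d/cacerts
# WiFi SSIDs that do not require automatic connection to VPN on network change
TRUSTED_SSIDS=("SSID1" "SSID2")

CLIENT_KEY="/etc/ipsec.d/private/${CLIENT}.pem"
CLIENT_CERT="/etc/ipsec.d/certs/${CLIENT}.pem"
CA_CERT="/etc/ipsec.d/cacerts/${CA}.pem"

# Check inputs up front so nothing is written to stdout on failure.
for f in "$CLIENT_KEY" "$CLIENT_CERT" "$CA_CERT"; do
  [[ -r "$f" ]] || { print -u2 -- "error: cannot read $f"; exit 1; }
done

# Kernel-provided random UUID (Linux only).  Used both as payload UUIDs and
# as the PKCS#12 password (~122 bits of randomness).
new_uuid() { cat /proc/sys/kernel/random/uuid; }

# Minimal XML escaping for values that come from operator input (SSIDs may
# legitimately contain '&' or '<').
xml_escape() {
  local s=$1
  s=${s//\&/&amp;}
  s=${s//\</&lt;}
  s=${s//\>/&gt;}
  print -r -- "$s"
}

# One UUID is shared by the VPN payload and the PKCS#12 payload: that is how
# the VPN payload references its identity certificate.
PAYLOADCERTIFICATEUUID=$(new_uuid)
PKCS12PASSWORD=$(new_uuid)

# Build the PKCS#12 blob before the heredoc so a failing openssl aborts the
# script (errexit does not fire for command substitutions inside a heredoc).
# The password is handed to openssl through the environment rather than on
# the command line, where 'pass:...' would be visible to every local user
# via ps(1) or /proc/<pid>/cmdline.
export PKCS12PASSWORD
PKCS12_B64=$(
  openssl pkcs12 -export \
    -inkey "$CLIENT_KEY" \
    -in "$CLIENT_CERT" \
    -name "$CLIENT" \
    -certfile "$CA_CERT" \
    -passout env:PKCS12PASSWORD \
  | base64
)
CA_B64=$( base64 < "$CA_CERT" )

# One <string> element per trusted SSID, joined with newlines by ${(F)...}.
SSID_LINES=()
for ssid in "${TRUSTED_SSIDS[@]}"; do
  SSID_LINES+=("            <string>$(xml_escape "$ssid")</string>")
done

# NOTE(review): ServerCertificateIssuerCommonName must equal the Subject CN
# of the CA that issued the server certificate.  The original sets it to
# ${FQDN}; confirm that matches the CN in ${CA_CERT}, otherwise the client
# will reject the gateway certificate.
#
# With AES-128-GCM (an AEAD cipher) the IntegrityAlgorithm is only used as
# the IKE PRF; it does not add a separate MAC.  Values are kept as in the
# original and match a strongSwan proposal of aes128gcm16-sha256-ecp256.
#
# Validate the result with 'plutil -lint' on a Mac before distributing.
cat << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>${SERVER} VPN</string>
  <key>PayloadIdentifier</key>
  <string>${(j:.:)${(Oas:.:)FQDN}}</string>
  <key>PayloadUUID</key>
  <string>$(new_uuid)</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>${SERVER} VPN</string>
      <key>PayloadDescription</key>
      <string>Configure VPN</string>
      <key>UserDefinedName</key>
      <string>${SERVER}</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key>
        <string>${FQDN}</string>
        <key>RemoteIdentifier</key>
        <string>${FQDN}</string>
        <key>LocalIdentifier</key>
        <string>${CLIENT}</string>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>PayloadCertificateUUID</key>
        <string>${PAYLOADCERTIFICATEUUID}</string>
        <key>CertificateType</key>
        <string>RSA</string>
        <key>ServerCertificateIssuerCommonName</key>
        <string>${FQDN}</string>
        <key>EnablePFS</key>
        <integer>1</integer>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128-GCM</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>DiffieHellmanGroup</key>
          <integer>19</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128-GCM</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>DiffieHellmanGroup</key>
          <integer>19</integer>
        </dict>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>InterfaceTypeMatch</key>
            <string>WiFi</string>
            <key>SSIDMatch</key>
            <array>
${(F)SSID_LINES}
            </array>
            <key>Action</key>
            <string>Disconnect</string>
          </dict>
          <dict>
            <key>InterfaceTypeMatch</key>
            <string>Cellular</string>
            <key>Action</key>
            <string>Disconnect</string>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
      </dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.${SERVER}</string>
      <key>PayloadUUID</key>
      <string>$(new_uuid)</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadDisplayName</key>
      <string>${CLIENT}.p12</string>
      <key>PayloadDescription</key>
      <string>Add PKCS#12 certificate</string>
      <key>PayloadCertificateFileName</key>
      <string>${CLIENT}.p12</string>
      <key>Password</key>
      <string>${PKCS12PASSWORD}</string>
      <key>PayloadContent</key>
      <data>
${PKCS12_B64}
      </data>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs12.${CLIENT}</string>
      <key>PayloadUUID</key>
      <string>${PAYLOADCERTIFICATEUUID}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadDisplayName</key>
      <string>${SERVER} CA</string>
      <key>PayloadDescription</key>
      <string>Add CA root certificate</string>
      <key>PayloadCertificateFileName</key>
      <string>ca.pem</string>
      <key>PayloadContent</key>
      <data>
${CA_B64}
      </data>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.${SERVER}</string>
      <key>PayloadUUID</key>
      <string>$(new_uuid)</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
EOF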