iphoting
diff --git a/‎.travis.yml
+9-5 b/‎.travis.yml
+9-5
diff --git a/‎ChangeLog
+6 b/‎ChangeLog
+6
diff --git a/‎README.md
+63-9 b/‎README.md
+63-9
diff --git a/‎Rakefile
+4 b/‎Rakefile
+4
diff --git a/‎bin/ovpnmcgen.rb
+22-6 b/‎bin/ovpnmcgen.rb
+22-6
diff --git a/‎config/pre_commit.yml
+13 b/‎config/pre_commit.yml
+13
@@ -1,14 +1,17 @@
 language: ruby
+#cache: bundler
 
 before_install:
+  # https://github.com/travis-ci/travis-ci/issues/8978
+  - gem update --system
   - gem update bundler
   - bundle version
 
 rvm:
-  - "1.9.3"
-  - "2.0.0"
-  - "2.1"
-  - "2.2"
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
   - ruby-head
   - jruby-19mode
 
@@ -26,4 +29,5 @@ deploy:
   on:
     tags: true
     repo: "iphoting/ovpnmcgen.rb"
-    ruby: 2.0.0
+    ruby: 2.4.0
+    branch: master
@@ -1,3 +1,9 @@
+= 0.6.0 / 2018-01-27
+	* Added support for `EvaluateConnection`, `Domains`, via `--domains`. It will include an `ActionParameters` dict containing `Domains`, and if `--domain-probe-url` is set, also contains `RequiredURLStringProbe`.
+	* Added support for updated bundle identifier (VPNSubType) `net.openvpn.connect.app` (changed since OpenVPN Connect 1.2.x), via `--v12compat`.
+	* Added support for `--cert` and `--key` for inline attachment of certificate and key, to workaround bug in OpenVPN Connect 1.2.5.
+	* Added support for `vpn-on-demand: 0` key/value pair when `--no-vod` is set, so that OpenVPN Connect can control this profile.
+
 = 0.5.0 / 2015-02-22
 	* Specify multiple remotes with `--remotes "host2 1194 tcp","host3 1195 udp"` flag.
 
 
@@ -9,6 +9,16 @@ OpenVPN iOS Configuration Profile Utility
 
 Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.
 
+---
+
+**OpenVPN Connect (iOS) v1.2.x**: 
+- Breaking changes: enable the `--v12compat` switch.
+- Bug/workaround: enable the `--cert` & `--key` switches as necessary.
+
+Refer to [known issues](#known-issues) below for more details.
+
+---
+
 Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements `SSIDMatch`, `InterfaceTypeMatch`, and optionally `URLStringProbe`. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:
 
 - If wireless SSID matches any specified with `--trusted-ssids`, tear down the VPN connection and do not reconnect on demand.
@@ -47,18 +57,26 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
     -c, --config FILE    Specify path to config file. [Default: .ovpnmcgen.rb.yml]
     --cafile FILE        Path to OpenVPN CA file. (Required)
     --tafile FILE        Path to TLS-Auth Key file.
+    --cert FILE          Path to Cert file.
+    --key FILE           Path to Private Key file.
     --host HOSTNAME      Hostname of OpenVPN server. (Required)
     --proto PROTO        OpenVPN server protocol. [Default: udp]
     -p, --port PORT      OpenVPN server port. [Default: 1194]
-    --p12file FILE       Path to user PKCS#12 file. (Required)
+    --p12file FILE       Path to user PKCS#12 file.
     --p12pass PASSWORD   Password to unlock PKCS#12 file.
-    --[no-]vod           Enable or Disable VPN-On-Demand. [Default: Enabled]
+    --[no-]vod           Enable or Disable VPN-On-Demand. 
+                         When Disabled, sets `vpn-on-demand: 0`, so that OpenVPN Connect can control this profile. [Default: Enabled]
+    --v12compat          Enable OpenVPN Connect 1.2.x compatibility. 
+                         When Enabled, use updated `VPNSubType: net.openvpn.connect.app` 
+                         (changed since OpenVPN Connect 1.2.x). [Default: Disabled]
     --security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
     --vpn-uuid UUID      Override a VPN configuration payload UUID.
     --profile-uuid UUID  Override a Profile UUID.
     --cert-uuid UUID     Override a Certificate payload UUID.
     -t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
     -u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
+    -d, --domains DOMAINS List of comma-separated domain names requiring VPN service.
+    --domain-probe-url PROBE An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.
     --url-probe URL      This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.
     --remotes REMOTES	List of comma-separated alternate remotes: "<host> <port> <proto>".
     --ovpnconfigfile FILE Path to OpenVPN client config file.
@@ -110,13 +128,25 @@ This feature can be enabled for statistical and maintenance-protection reasons.
 
 By enabling this option, you will need to reliably and quickly respond with HTTP status code 200 at the URL string supplied.
 
+### Domain Matching
+To require an iOS device to bring up the VPN when `example.com` is requested is not so easy, especially if it is has a publicly accessible DNS resolution. 
+
+Apple provides an `EvaluateConnection` and `ActionParameters` configuration options with the view that certain domains will have DNS resolution failures, and hence, require the VPN to be up. In most corporate cases with internal-facing hostnames, it works well. See the `--domains` option.
+
+However, if there are certain sensitive public sites (or blocked sites) that you decide that a VPN should be brought up instead, you will need to additionally specify a `RequiredURLStringProbe` that returns a non-200 response. See the `--domain-probe-url` option.
+
 ## Examples
 
 ### Typical Usage
-	$ ovpnmcgen.rb gen --trusted-ssids home --host vpn.example.com \
-	--cafile path/to/ca.pem --tafile path/to/ta.key \
+	$ ovpnmcgen.rb gen --v12compat \
+	--trusted-ssids home \
+	--host vpn.example.com \
+	--cafile path/to/ca.pem \
+	--tafile path/to/ta.key \
 	--url-probe http://vpn.example.com/status \
-	--p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad
+	--p12file path/to/john-ipad.p12 \
+	--p12pass p12passphrase \
+	john ipad
 
 Output:
 
@@ -191,7 +221,7 @@ Output:
 				<string>DEFAULT</string>
 			</dict>
 			<key>VPNSubType</key>
-			<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
+			<string>net.openvpn.connect.app</string>
 			<key>VPNType</key>
 			<string>VPN</string>
 			<key>VendorConfig</key>
@@ -270,10 +300,16 @@ Output:
 ```
 
 ### Extended Usage
-	$ ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet \
-	--host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key \
+	$ ovpnmcgen.rb gen --v12compat \
+	--trusted-ssids home,school \
+	--untrusted-ssids virusnet \
+	--host vpn.example.com \
+	--cafile path/to/ca.pem \
+	--tafile path/to/ta.key \
 	--url-probe http://vpn.example.com/status \
-	--p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad
+	--p12file path/to/john-ipad.p12 \
+	--p12pass p12passphrase \
+	john ipad
 
 Output similar to above:
 
@@ -349,8 +385,26 @@ Output similar to above:
 	-inkey path/to/john-ipad.key -in path/to/john-ipad.crt \
 	-passout pass:p12passphrase -name [email protected]
 
+### Using OpenSSL to convert from PKCS#12 (.p12) to Cert PEM file
+	openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-cert.crt \
+	-nodes -nokeys
+
+### Using OpenSSL to convert from PKCS#12 (.p12) to Key PEM file
+	openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-key.pem \
+	-nodes -nocerts
+
 ## Known Issues
 
+- OpenVPN Connect v1.2.5 breaking changes
+
+	*Diagnosis*: Certificates no longer found or VoD mobileconfig broken after OpenVPN Connect upgrade to v1.2.5.
+
+	The VPN switch in the Settings.app jumps rapidly from On to Off, status switches from Connecting... to Disconnected immediately. No logs produced within the OpernVPN Connect app log viewer.
+
+	This is caused by 1) a breaking change, where the `VPNSubType` has changed, and 2) a bug where the OpenVPN Connect is missing a keychain access entitlement from Apple.
+
+	*Solution + Workaround*: Enable the `--v12compat` switch to resolve (1), and use `--cert` and `--key` switches to workaround (2).
+
 - "Not connected to Internet" error/behaviour when VPN should be established.
 
 	*Diagnosis*: Load any site in Safari. An error message "Safari cannot open the page because your iPhone is not connected to the Internet" will be presented.
 
@@ -7,4 +7,8 @@ end
 desc "Run cucumber tests"
 task :test => :cucumber
 
+namespace :pre_commit do
+	task :ci => [:test]
+end
+
 task :default => :test
@@ -7,7 +7,7 @@
 program :version, Ovpnmcgen::VERSION
 program :description, Ovpnmcgen::SUMMARY
 program :help, 'Usage', 'ovpnmcgen.rb <command> [options] <args...>'
-program :help_formatter, :compact
+program :help_formatter, Commander::HelpFormatter::Terminal
 default_command :help
 never_trace!
 global_option '-c', '--config FILE', 'Specify path to config file. [Default: .ovpnmcgen.rb.yml]'
@@ -16,23 +16,30 @@
   c.syntax = 'ovpnmcgen.rb generate [options] <user> <device>'
   c.summary = 'Generates iOS Configuration Profiles (.mobileconfig)'
   c.description = 'Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.'
-  c.example 'Typical Usage', 'ovpnmcgen.rb gen --trusted-ssids home --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
-  c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
+  c.example 'Typical Usage', 'ovpnmcgen.rb gen --v12compat --trusted-ssids home --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
+  c.example 'Extended Usage', 'ovpnmcgen.rb gen --v12compat --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
   c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name [email protected]'
+  c.example 'Using OpenSSL to convert from PKCS#12 (.p12) to Cert PEM file', 'openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-cert.crt -nodes -nokeys'
+  c.example 'Using OpenSSL to convert from PKCS#12 (.p12) to Key PEM file', 'openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-key.pem -nodes -nocerts'
   c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
   c.option '--tafile FILE', 'Path to TLS-Auth Key file.'
+  c.option '--cert FILE', 'Path to Cert file.'
+  c.option '--key FILE', 'Path to Private Key file.'
   c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
   c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
   c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
   c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
   c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
-  c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
+  c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. When Disabled, sets `vpn-on-demand: 0`, so that OpenVPN Connect can control this profile. [Default: Enabled]'
+  c.option '--v12compat', 'Enable OpenVPN Connect 1.2.x compatibility. When Enabled, use updated `VPNSubType: net.openvpn.connect.app` (changed since OpenVPN Connect 1.2.x). [Default: Disabled]'
   c.option '--security-level LEVEL', 'Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]'
   c.option '--vpn-uuid UUID', 'Override a VPN configuration payload UUID.'
   c.option '--profile-uuid UUID', 'Override a Profile UUID.'
   c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
   c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
   c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
+  c.option '-d', '--domains DOMAINS', Array, 'List of comma-separated domain names requiring VPN service.'
+  c.option '--domain-probe-url PROBE', String, 'An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.'
   c.option '--url-probe URL', 'This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.'
   c.option '--remotes REMOTES', Array, 'List of comma-separated alternate remotes: "<host> <port> <proto>".'
   c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
@@ -50,7 +57,11 @@
 
     raise ArgumentError.new "Host is required" unless options.host or config.host
     raise ArgumentError.new "cafile is required" unless options.cafile or config.cafile
-    raise ArgumentError.new "PKCS#12 file is required" unless options.p12file or config.p12file
+
+    # A --p12file or (--cert and --key) needs to be provided. Shall not prevent user from specifying both.
+    unless (options.p12file or config.p12file) or ((options.cert or config.cert) and (options.key or config.key))
+      raise ArgumentError.new "PKCS#12 or cert & key file required"
+    end
 
     options.default :vod => case
       when config.vod == true || config.no_vod == false
@@ -69,7 +80,6 @@
     inputs = {
       :user => user,
       :device => device,
-      :p12file => options.p12file || config.p12file,
       :p12pass => options.p12pass || config.p12pass,
       :cafile => options.cafile || config.cafile,
       :host => options.host || config.host,
@@ -84,9 +94,15 @@
       :security_level => options.security_level
     }
     inputs[:ovpnconfigfile] = options.ovpnconfigfile || config.ovpnconfigfile if options.ovpnconfigfile or config.ovpnconfigfile
+    inputs[:p12file] = options.p12file || config.p12file if options.p12file or config.p12file
     inputs[:tafile] = options.tafile || config.tafile if options.tafile or config.tafile
+    inputs[:cert] = options.cert || config.cert if options.cert or config.cert
+    inputs[:key] = options.key || config.key if options.key or config.key
     inputs[:url_probe] = options.url_probe || config.url_probe if options.url_probe or config.url_probe
     inputs[:remotes] = options.remotes || config.remotes if options.remotes or config.remotes
+    inputs[:domains] = options.domains || config.domains if options.domains or config.domains
+    inputs[:domain_probe_url] = options.domain_probe_url || config.domain_probe_url if options.domain_probe_url or config.domain_probe_url
+    inputs[:v12compat] = options.v12compat || config.v12compat if options.v12compat or config.v12compat
 
     unless options.output
       puts Ovpnmcgen.generate(inputs)
 
@@ -0,0 +1,13 @@
+---
+:checks_remove:
+- :common
+- :rails
+:checks_add:
+- :merge_conflict
+- :yaml
+:warnings_remove: []
+:warnings_add:
+- :tabs
+- :nb_space
+- :whitespace
+- :ci