AddMerakiVPN.ps1
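#Requires -RunAsAdministrator
# Creates (or recreates) an all-users L2TP/IPsec client VPN connection for a
# Meraki MX, adds split-tunnel routes, flips UseRasCredentials in the public
# phonebook, drops a rasphone.exe shortcut on the public desktop and sets the
# NAT-Traversal registry fix. Every step writes machine-wide state
# (ProgramData, HKLM, the Public desktop), hence the elevation requirement:
# failing up front beats failing half-way through with a partially built profile.
#
# The defaults below are placeholders. Override them at run time, e.g.
#   .\AddMerakiVPN.ps1 -ConnectionName 'Office' -ServerAddress 'vpn.example.com' -PresharedKey (Get-Content .\psk.txt -Raw)
# A copy of this script with a real PSK pasted in is effectively a credential
# file; passing the PSK in keeps the committed script free of the secret.
param(
    # Display name of the VPN connection. Also becomes the .lnk file name and is
    # embedded in the shortcut's arguments, so keep it filename-safe and free of
    # double quotes.
    [string]$ConnectionName = 'VPN name',
    # Hostname or IP of the MX / L2TP server.
    [string]$ServerAddress = 'pretend.host.com',
    # IPsec pre-shared key for the L2TP tunnel (passed to -L2tpPsk).
    [string]$PresharedKey = 'fake PSK',
    # Subnets (CIDR) reachable through the tunnel; one route is added per entry.
    # Only used for split tunnelling. For metrics or IPv6 prefixes see:
    #   Get-Help Add-VpnConnectionRoute -Full
    [string[]]$Destinations = @('192.168.100.0/24'),
    # Present = full tunnel (no routes, no SplitTunneling). Default is split tunnel.
    [switch]$FullTunnel
)

# Path of the public (all-users) phonebook. Switch $env:PROGRAMDATA to
# $env:APPDATA if you also drop -AllUserConnection from the cmdlets below.
$PbkFolder = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk'
$PbkPath   = Join-Path $PbkFolder 'rasphone.pbk'

# With no VPNs defined yet, rasphone.pbk (and sometimes its folder) may not
# exist. Create an empty placeholder so the later Get-Content has something to
# read; Add-VpnConnection -Force overwrites it. -Force on the directory also
# creates a missing 'Connections' parent, so no separate mkdir is needed.
if (-not (Test-Path -LiteralPath $PbkPath)) {
    New-Item -Path $PbkFolder -ItemType Directory -Force | Out-Null
    New-Item -Path $PbkPath -ItemType File | Out-Null
}

# Recreate from scratch so a re-run picks up changed settings. A missing
# connection is not an error here.
Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force -ErrorAction SilentlyContinue

# L2TP carried inside IPsec, keyed by the PSK. PAP is only acceptable because
# the PPP authentication exchange travels inside the IPsec tunnel, and
# -EncryptionLevel Optional refers to PPP-level (MPPE) encryption, which this
# profile does not rely on -- confidentiality comes from IPsec. Do not reuse
# this profile for a plain L2TP/PPTP setup without the IPsec layer.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -AllUserConnection `
    -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap `
    -EncryptionLevel Optional -Force -WarningAction SilentlyContinue

if (-not $FullTunnel) {
    # Short pause between RAS operations, kept from the original script;
    # presumably lets the phonebook write settle before the next cmdlet reads it.
    Start-Sleep -Milliseconds 100
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -AllUserConnection -WarningAction SilentlyContinue

    # One route per interesting subnet on the far side of the tunnel.
    foreach ($Prefix in $Destinations) {
        Start-Sleep -Milliseconds 100
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Prefix
    }
}

# Make rasphone use the Windows credential prompt instead of stored RAS
# credentials. Important when users sign in with Meraki cloud credentials.
# Read with -Raw and write with -NoNewline so the phonebook is not grown by an
# extra trailing newline on every run (Set-Content appends one by default).
# -replace is regex-based; the pattern here contains no metacharacters.
# NOTE(review): this rewrites the file with Set-Content's default encoding --
# confirm it matches the encoding RAS writes on the target Windows version.
(Get-Content -LiteralPath $PbkPath -Raw) -replace 'UseRasCredentials=1', 'UseRasCredentials=0' |
    Set-Content -LiteralPath $PbkPath -NoNewline

# All-users desktop shortcut to rasphone.exe. rasphone gives end users a plain
# username/password dialog and avoids the Windows 10 network flyout showing
# "Connecting..." even after a successful connection.
$ShortcutFile = Join-Path $env:Public "Desktop\$ConnectionName.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = 'rasphone.exe'
$Shortcut.Arguments = "-d `"$ConnectionName`""
$Shortcut.WorkingDirectory = "$env:SystemRoot\System32\"
$Shortcut.Save()

# Windows 10 NAT-Traversal fix for clients behind NAT (often hotspots); see
# https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# A value of 2 tells the IPsec Policy Agent to assume UDP encapsulation when
# both ends are behind NAT. The change is read by the Policy Agent service, so
# a reboot is typically needed before it takes effect.
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $PolicyAgentKey -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -PropertyType DWORD -Force | Out-Null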