Untitled

#Requires -RunAsAdministrator

<#
.SYNOPSIS
Add or remove the Algo VPN

.DESCRIPTION
Add or remove the Algo VPN
See the examples for more information

.PARAMETER Add
Add the VPN to the local system

.PARAMETER Remove
Remove the VPN from the local system

.PARAMETER GetInstalledCerts
Retrieve Algo certs, if any, from the system certificate store

.PARAMETER SaveCerts
Save the Algo certs embedded in this file

.PARAMETER OutputDirectory
When saving the Algo certs, save to this directory

.PARAMETER Pkcs12DecryptionPassword
The decryption password for the user's PKCS12 certificate, sometimes called the "p12 password".
Note that this must be passed in as a SecureString, not a regular string.
You can create a secure string with the `Read-Host -AsSecureString` cmdlet.
See the examples for more information.

.EXAMPLE
client_USER.ps1 -Add

Adds the Algo VPN

.EXAMPLE
$p12pass = Read-Host -AsSecureString; client_USER.ps1 -Add -Pkcs12DecryptionPassword $p12pass

Create a variable containing the PKCS12 decryption password, then use it when adding the VPN.
This can be especially useful when troubleshooting, because you can use the same variable with
multiple calls to client_USER.ps1, rather than having to type the PKCS12 password each time.

.EXAMPLE
client_USER.ps1 -Remove

Removes the Algo VPN if installed.

.EXAMPLE
client_USER.ps1 -GetIntalledCerts

Show the Algo VPN's installed certificates, if any.

.EXAMPLE
client_USER.ps1 -SaveCerts -OutputDirectory $Home\Downloads

Save the embedded CA cert and encrypted user PKCS12 file.
#>
[CmdletBinding(DefaultParameterSetName="Add")] Param(
    [Parameter(ParameterSetName="Add")]
    [Switch] $Add,

    [Parameter(ParameterSetName="Add")]
    [SecureString] $Pkcs12DecryptionPassword,

    [Parameter(Mandatory, ParameterSetName="Remove")]
    [Switch] $Remove,

    [Parameter(Mandatory, ParameterSetName="GetInstalledCerts")]
    [Switch] $GetInstalledCerts,

    [Parameter(Mandatory, ParameterSetName="SaveCerts")]
    [Switch] $SaveCerts,

    [Parameter(ParameterSetName="SaveCerts")]
    [string] $OutputDirectory = "$PWD"
)

$ErrorActionPreference = "Stop"

$VpnServerAddress = "111.111.111.111"
$VpnName = "Algo VPN 111.111.111.111 IKEv2"
$VpnUser = "vpn-user"
$CaCertificateBase64 = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJxVENDQVUrZ0F3SUJBZ0lKQVBuOFg2TVI0d2ZlTUFvR0NDcUdTTTQ5QkFNQ01CWXhGREFTQmdOVkJBTU0KQ3pFMU5TNDBMalExTGpFNE1CNFhEVEU0TURVek1EQTNNekUwTkZvWERUSTRNRFV5TnpBM016RTBORm93RmpFVQpNQklHQTFVRUF3d0xNVFUxTGpRdU5EVXVNVGd3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVJmCk54VXgxaDk5WFVCSG5JRnVqdGdpcWVRMjlEUS9uajVoRlhtYjhUTFVqT2dtVWtQeU1OTkRIeHMxdDhjRGRvWjAKWHlzL2ZHbTkvSTlhZHFMSDhlV2NvNEdGTUlHQ01CMEdBMVVkRGdRV0JCUWlOUlhHSVdNMnE5VGgxaVE5cjhycwpiKzNOSHpCR0JnTlZIU01FUHpBOWdCUWlOUlhHSVdNMnE5VGgxaVE5cjhyc2IrM05INkVhcEJnd0ZqRVVNQklHCkExVUVBd3dMTVRVMUxqUXVORFV1TVRpQ0NRRDUvRitqRWVNSDNqQU1CZ05WSFJNRUJUQURBUUgvTUFzR0ExVWQKRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQWdOSUFEQkZBaUVBMjJ0VlVVeDdpaHVieG0xc3RUYyttbnZFV2s3dwo2VEV1MGttdzJEbUZEcEFDSUc2UFg1QTRDaXV3R1U2NTRzTXZUUlZ2OTJ0cDNEeXJBRmMyTG5XZEhoNEYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
$UserPkcs12Base64 = "MIIEHwIBAzCCA+UGCSqGSIb3DQEHAaCCA9YEggPSMIIDzjCCAp8GCSqGSIb3DQEHBqCCApAwggKM
AgEAMIIChQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI/g3tBeIK0SgCAggAgIICWDSlQLTo
nZpHqcxunuGKWz5lDX/MjUeZvr/OPJzTfIh4l0oHh+0GECv0/1UTidQYsvKgo9v+VZHjK3sIrUj/
eDMI3Y3TfpEOESflZFG73Ed+foQo33lBEe92CJGq65xt7k5He2pCrnn5PuiS/O+8fd5iDsoLzJwg
LTPKs41DCARaHCMk0WvYIdaerJ9PhyQ7nxT0OBJmYj+rNQtH4xojBX6v9Ppzie+CX6HBDtE+H1/h
Y5DBywXMtBp6fqjr+FQv0uz2UhfDTpQpZyOglrv0T8TKrUdnQtc69e96qMx3XEG4/5JY+vpcSa0b
kgpbnbyAsFt54XamjEQPdvTjvTjtF8Gk1AMfzHjnL3D+g35/9LlGbd7XGrsJad6xnX4fBk7Dqdx2
Y5DBywXMtBp6fqjr+FQv0uz2UhfDTpQpZyOglrv0T8TKrUdnQtc69e96qMx3XEG4/5JY+vpcSa0b
vPXMYOWyMVUdTj8kpp/X+cj9aVQJakghjeuWK7SVSbNq+D9CqwpFg/xf44NwEhXW1j74tGVHXaVz
sP+L8B3k8iHEOHWOt1yGd3/RT4QWrkguR+cv6VkjfZ8klnFlq4Ft5MhKmWVEUcRyOFUxKnZ8N6zj
jtbqWUh9FXRg/3OzhOZW11WIlRbhamd5fAf7BMGbZgeSAAYZ7KjLUmaXWewp09nKOE61SwYlCSYx
GoQ3e9TwIMecJxeNJ2hjHP9e+lWM8WDlqJg1U1gvjdectmkmh2KGK5eI31KM2rEBcekyjjmqa4yC
QYNy5kuMp/5IvAzQCeUwllRTcon8X68aTTCCAScGCSqGSIb3DQEHAaCCARgEggEUMIIBEDCCAQwG
CyqGSIb3DQEMCgECoIG0MIGxMBwGCiqGSIb3DQEMAQMwDgQINtyYN2NhCzICAggABIGQr0shF9LT
MsbwG9YbqR1wOyoft7haS7DDly/mP6AcyluJI7nAObuf9I0CFjkajIusJbhmijUm/CANhYFcFwJS
AymMTcVw1luiIcZfUObJD+jR2cmUiJ2wkblKps88kIwWoROQeuIcowOKDdA7UQiOx6wULH0ueAaa
nisKt+wtwO8DfBY+OZoUYsnfuSB2mWQ0MUYwHwYJKoZIhvcNAQkUMRIeEAB2AHAAbgAtAG0AYQBr
AHIwIwYJKoZIhvcNAQkVMRYEFLqDiS7oysXaLtYMF2K6sYJxO3yQMDEwITAJBgUrDgMCGgUABBRY
OBJE6EONztNPQZ0j+20Lemr7uQQIiOZGy6nAvmwCAggA"

if ($PsCmdlet.ParameterSetName -eq "Add" -and -not $Pkcs12DecryptionPassword) {
    $Pkcs12DecryptionPassword = Read-Host -AsSecureString -Prompt "Pkcs12DecryptionPassword"
}

<#
.SYNOPSIS
Create a temporary directory
#>
function New-TemporaryDirectory {
    [CmdletBinding()] Param()
    do {
        $guid = New-Guid | Select-Object -ExpandProperty Guid
        $newTempDirPath = Join-Path -Path $env:TEMP -ChildPath $guid
    } while (Test-Path -Path $newTempDirPath)
    New-Item -ItemType Directory -Path $newTempDirPath
}

<#
.SYNOPSIS
Retrieve any installed Algo VPN certificates
#>
function Get-InstalledAlgoVpnCertificates {
    [CmdletBinding()] Param()
    Get-ChildItem -LiteralPath Cert:\LocalMachine\Root |
        Where-Object {
            $_.Subject -match "^CN=${VpnServerAddress}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
        }
    Get-ChildItem -LiteralPath Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -match "^CN=${VpnUser}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$"
        }
}

function Save-AlgoVpnCertificates {
    [CmdletBinding()] Param(
        [String] $OutputDirectory = $PWD
    )
    $caCertPath = Join-Path -Path $OutputDirectory -ChildPath "cacert.pem"
    $userP12Path = Join-Path -Path $OutputDirectory -ChildPath "$VpnUser.p12"
    # NOTE: We cannot use ConvertFrom-Base64 here because it is not designed for binary data
    [IO.File]::WriteAllBytes(
        $caCertPath,
        [Convert]::FromBase64String($CaCertificateBase64))
    [IO.File]::WriteAllBytes(
        $userP12Path,
        [Convert]::FromBase64String($UserPkcs12Base64))
    return New-Object -TypeName PSObject -Property @{
        CaPem = $caCertPath
        UserPkcs12 = $userP12Path
    }
}

function Add-AlgoVPN {
    [Cmdletbinding()] Param()

    $workDir = New-TemporaryDirectory

    try {
        $certs = Save-AlgoVpnCertificates -OutputDirectory $workDir
        $importPfxCertParams = @{
            Password = $Pkcs12DecryptionPassword
            FilePath = $certs.UserPkcs12
            CertStoreLocation = "Cert:\LocalMachine\My"
        }
        Import-PfxCertificate @importPfxCertParams
        $importCertParams = @{
            FilePath =  $certs.CaPem
            CertStoreLocation = "Cert:\LocalMachine\Root"
        }
        Import-Certificate @importCertParams
    } finally {
        Remove-Item -Recurse -Force -LiteralPath $workDir
    }

    $addVpnParams = @{
        Name = $VpnName
        ServerAddress = $VpnServerAddress
        TunnelType = "IKEv2"
        AuthenticationMethod = "MachineCertificate"
        EncryptionLevel = "Required"
    }
    Add-VpnConnection @addVpnParams

    $setVpnParams = @{
        ConnectionName = $VpnName
        AuthenticationTransformConstants = "GCMAES128"
        CipherTransformConstants = "GCMAES128"
        EncryptionMethod = "AES128"
        IntegrityCheckMethod = "SHA384"
        DHGroup = "ECP256"
        PfsGroup = "ECP256"
        Force = $true
    }
    Set-VpnConnectionIPsecConfiguration @setVpnParams
}

function Remove-AlgoVPN {
    [CmdletBinding()] Param()
    Get-InstalledAlgoVpnCertificates | Remove-Item -Force
    Remove-VpnConnection -Name $VpnName -Force
}

switch ($PsCmdlet.ParameterSetName) {
    "Add" { Add-AlgoVPN }
    "Remove" { Remove-AlgoVPN }
    "GetInstalledCerts" { Get-InstalledAlgoVpnCertificates }
    "SaveCerts" {
        $certs = Save-AlgoVpnCertificates -OutputDirectory $OutputDirectory
        Get-Item -LiteralPath $certs.UserPkcs12, $certs.CaPem
    }
    default { throw "Unknown parameter set: '$($PsCmdlet.ParameterSetName)'" }
}