wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-13 16:23:00 +02:00
Code Issues Projects Releases Wiki Activity

generate service IPs dynamically

Browse source
This commit is contained in:
Jack Ivanov 2019-05-07 13:39:53 +02:00
parent 6b33d09d9f
commit 19c3e76366
10 changed files with 22 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
config.cfg
View file

@ -100,8 +100,17 @@ dns_servers:
- 2606:4700:4700::1111 - 2606:4700:4700::1111
- 2606:4700:4700::1001 - 2606:4700:4700::1001
# IP address for the local dns resolver # Randomly generated IP address for the local dns resolver
local_service_ip: 172.16.0.1 local_service_ip: >-
10.
{{- 255 | random(seed=algo_server_name + ansible_fqdn + 'second') }}.
{{- 255 | random(seed=algo_server_name + ansible_fqdn + 'third') }}.
{{- 255 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}
local_service_ipv6: >-
FD{{ 99 | random(seed=algo_server_name + ansible_fqdn + 'first') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'second') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'third') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}::1
# Your Algo server will automatically install security updates. Some updates # Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself # require a reboot to take effect but your Algo server will not reboot itself

2
roles/common/handlers/main.yml
View file

@ -18,7 +18,7 @@
ifconfig lo100 destroy || true && ifconfig lo100 destroy || true &&
ifconfig lo100 create && ifconfig lo100 create &&
ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 && ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 &&
ifconfig lo100 inet6 FCAA::1/64; echo $? ifconfig lo100 inet6 {{ local_service_ipv6 }}/128; echo $?
- name: restart iptables - name: restart iptables
service: name=netfilter-persistent state=restarted service: name=netfilter-persistent state=restarted

2
roles/common/tasks/freebsd.yml
View file

@ -54,7 +54,7 @@
block: | block: |
cloned_interfaces="lo100" cloned_interfaces="lo100"
ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255" ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255"
ifconfig_lo100_ipv6="inet6 FCAA::1/64" ifconfig_lo100_ipv6="inet6 {{ local_service_ipv6 }}/128"
notify: notify:
- restart loopback bsd - restart loopback bsd

2
roles/common/templates/10-algo-lo100.network.j2
View file

@ -4,4 +4,4 @@ Name=lo
[Network] [Network]
Description=lo:100 Description=lo:100
Address={{ local_service_ip }}/32 Address={{ local_service_ip }}/32
Address=FCAA::1/64 Address={{ local_service_ipv6 }}/128

2
roles/common/templates/rules.v6.j2
View file

@ -83,7 +83,7 @@ COMMIT
# particular virtual (tun,tap,...) or physical (ethernet) interface. # particular virtual (tun,tap,...) or physical (ethernet) interface.
# Accept DNS traffic to the local DNS resolver # Accept DNS traffic to the local DNS resolver
-A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT -A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT
# Drop traffic between VPN clients # Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }} -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}

2
roles/dns_adblocking/templates/dnsmasq.conf.j2
View file

@ -116,7 +116,7 @@ group=nogroup
#except-interface= #except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if # Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.) # you use this.)
listen-address=127.0.0.1,FCAA::1,{{ local_service_ip }} listen-address=127.0.0.1,{{ local_service_ipv6 }},{{ local_service_ip }}
# If you want dnsmasq to provide only DNS service on an interface, # If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to # configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it. # disable DHCP and TFTP on it.

2
tests/ipsec-client.sh
View file

@ -21,3 +21,5 @@ fping -t 900 -c3 -r3 -Dse 10.0.8.100 172.16.0.1
host google.com 172.16.0.1 host google.com 172.16.0.1
echo "IPsec tests passed" echo "IPsec tests passed"
ipsec down algovpn-10.0.8.100

2
tests/local-deploy.sh
View file

@ -2,7 +2,7 @@
set -ex set -ex
DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true" DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true local_service_ip=172.16.0.1"
if [ "${DEPLOY}" == "docker" ] if [ "${DEPLOY}" == "docker" ]
then then

2
tests/update-users.sh
View file

@ -2,7 +2,7 @@
set -ex set -ex
USER_ARGS="{ 'server': '10.0.8.100', 'users': ['desktop', 'user1', 'user2'] }" USER_ARGS="{ 'server': '10.0.8.100', 'users': ['desktop', 'user1', 'user2'], 'local_service_ip': '172.16.0.1' }"
if [ "${DEPLOY}" == "docker" ] if [ "${DEPLOY}" == "docker" ]
then then

2
tests/wireguard-client.sh
View file

@ -19,3 +19,5 @@ wg | grep "latest handshake"
host google.com 172.16.0.1 host google.com 172.16.0.1
echo "WireGuard tests passed" echo "WireGuard tests passed"
wg-quick down user1