diff --git a/README.md b/README.md index d72329f..7896c9a 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ I would, but I don't know of any [suitable ones](https://github.com/trailofbits/ ### Why aren't you using OpenVPN? -OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the protocol and its implementations, and we simply trust the server less due to [past security incidents](https://www.exploit-db.com/exploits/34879/). +OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to [update](https://www.exploit-db.com/exploits/34037/) and [maintain](https://www.exploit-db.com/exploits/20485/) the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the [protocol](http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/) and its [implementations](http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/), and we simply trust the server less due to past [security](https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob/master/README.md) [incidents](https://www.exploit-db.com/exploits/34879/). ### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD? diff --git a/ec2.yml b/ec2.yml deleted file mode 100644 index 884e643..0000000 --- a/ec2.yml +++ /dev/null @@ -1,112 +0,0 @@ -# vim:ft=ansible: -- name: Create a sandbox instance - hosts: localhost - gather_facts: False - vars_files: - - config.cfg - vars: - instance_type: t2.nano - security_group: vpn-secgroup - regions: - "1": "us-east-1" - "2": "us-west-1" - "3": "us-west-2" - "4": "ap-south-1" - "5": "ap-northeast-2" - "6": "ap-southeast-1" - "7": "ap-southeast-2" - "8": "ap-northeast-1" - "9": "eu-central-1" - "10": "eu-west-1" - "11": "sa-east-1" - - vars_prompt: - - name: "aws_access_key" - prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "aws_secret_key" - prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "region" - prompt: > - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) - default: "1" - private: no - - - name: "aws_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-ec2 - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/gce.yml b/gce.yml deleted file mode 100644 index 599855f..0000000 --- a/gce.yml +++ /dev/null @@ -1,110 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - gather_facts: false - - vars: - zones: - "1": "us-central1-a" - "2": "us-central1-b" - "3": "us-central1-c" - "4": "us-central1-f" - "5": "us-east1-b" - "6": "us-east1-c" - "7": "us-east1-d" - "8": "europe-west1-b" - "9": "europe-west1-c" - "10": "europe-west1-d" - "11": "asia-east1-a" - "12": "asia-east1-b" - "13": "asia-east1-c" - - vars_prompt: - - name: "credentials_file" - prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "zone" - prompt: > - What zone should the server be located in? - 1. Central US (Iowa A) - 2. Central US (Iowa B) - 3. Central US (Iowa C) - 4. Central US (Iowa F) - 5. Eastern US (South Carolina B) - 6. Eastern US (South Carolina C) - 7. Eastern US (South Carolina D) - 8. Western Europe (Belgium B) - 9. Western Europe (Belgium C) - 10. Western Europe (Belgium D) - 11. East Asia (Taiwan A) - 12. East Asia (Taiwan B) - 13. East Asia (Taiwan C) - Please choose the number of your zone. Press enter for default (#8) zone. - default: "8" - private: no - - - name: "server_name" - prompt: "Name the vpn server:\n" - default: "algo" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-gce - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn