diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000..d377571
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,36 @@
+### OS / Environment
+
+
+
+### Ansible version
+
+
+
+### Version of components from `requirements.txt`
+
+
+
+
+### Summary of the problem
+
+
+
+### Steps to reproduce the behavior
+
+
+
+### The way of deployment (cloud or local)
+
+
+
+### Expected behavior
+
+
+
+### Actual behavior
+
+
+
+### Full log
+
+
diff --git a/.gitignore b/.gitignore
index 9df513b..e1c9fea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
*.retry
configs/*
inventory_users
+*.kate-swp
diff --git a/ADVANCED.md b/ADVANCED.md
deleted file mode 100644
index 00de5fe..0000000
--- a/ADVANCED.md
+++ /dev/null
@@ -1,81 +0,0 @@
-### Cloud Providers
-
-**digitalocean**
-*Requirement variables:*
-- do_access_token
-- do_ssh_name
-- do_server_name
-- do_region
-
-*Possible regions:*
-- ams2
-- ams3
-- fra1
-- lon1
-- nyc1
-- nyc2
-- nyc3
-- sfo1
-- sfo2
-- sgp1
-- tor1
-- blr1
-
-**gce**
-*Requirement variables:*
-- credentials_file
-- server_name
-- ssh_public_key
-- zone
-
-*Possible zones:*
-- us-central1-a
-- us-central1-b
-- us-central1-c
-- us-central1-f
-- us-east1-b
-- us-east1-c
-- us-east1-d
-- europe-west1-b
-- europe-west1-c
-- europe-west1-d
-- asia-east1-a
-- asia-east1-b
-- asia-east1-c
-
-**ec2**
-*Requirement variables:*
-- aws_access_key
-- aws_secret_key
-- aws_server_name
-- ssh_public_key
-- region
-
-*Possible regions:*
-- us-east-1
-- us-west-1
-- us-west-2
-- ap-south-1
-- ap-northeast-2
-- ap-southeast-1
-- ap-southeast-2
-- ap-northeast-1
-- eu-central-1
-- eu-west-1
-- sa-east-1
-
-**local installation**
-*Requirement variables:*
-- server_ip
-- server_user
-- IP_subject_alt_name
-
-### Deployment
-
-Start the deploy with extra variables and tags that you need.
-Example for DigitalOcean:
-
-```
-ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2'
-```
-
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9a1001f..8074f82 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,9 +1,14 @@
-### Common Issues
+### Troubleshooting
-* Check that you're using at least Ansible 2.1
-* If installing to a local server, try using a fresh install
-* Please review the [FAQ](https://github.com/trailofbits/algo#faq) in the readme
+* Check that you installed all the dependencies with pip and have Ansible 2.1+
+* If installing to a local server, use a fresh install of Ubuntu 16.04
-### Coding Guidelines
+### Filing New Issues
-* Please review any Pull Requests with [ansible-lint](https://github.com/willthames/ansible-lint)
+* Please review the [FAQ](https://github.com/trailofbits/algo#faq)
+* Please include the full output from your terminal window if appropriate
+
+### Pull Requests
+
+* Run [ansible-lint](https://github.com/willthames/ansible-lint) on any new ansible scripts
+* Run [shellcheck](https://github.com/koalaman/shellcheck) on any new shell scripts
diff --git a/README.md b/README.md
index adef035..8164cf8 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
## Features
-* Supports only IKEv2
-* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH
-* Generates mobileconfig profiles to auto-configure Apple devices
+* Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH
+* Generates Apple Profiles to auto-configure iOS and macOS devices
* Provides helper scripts to add and remove users
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
-* Based on current versions of Ubuntu and StrongSwan
-* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server
+* Sets up limited SSH users for tunneling traffic (optional)
+* Based on current versions of Ubuntu and strongSwan
+* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, Microsoft Azure or your own server
## Anti-features
@@ -23,123 +23,90 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
* Does not claim to provide anonymity or censorship avoidance
* Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster)
-## Included Roles
+## Deploy the Algo Server
-Ansible scripts are organized into roles. The roles used by Algo are described in detail below.
+The easiest way to get an Algo server running is to let it setup a _new_ virtual machine in the cloud for you.
-### Required Roles
+1. Install the dependencies for your operating system:
-* **Common**
- * Installs several required packages and software updates, then reboots if necessary
- * Configures network interfaces and enables packet forwarding on them
-* **VPN**
- * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
- * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
- * Bundles the appropriate certificates into Apple mobileconfig profiles for each user
+ OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo easy_install pip && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt`
-### Optional Roles
+2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
+3. Start the deploy and follow the instructions: `./algo`
-* **Security Enhancements**
- * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
- * Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
- * Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP
- * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
-* **Ad Blocking and Compression HTTP Proxy**
- * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
- * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
- * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
-* **DNS Ad Blocking**
- * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
- * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
-* **Security Monitoring and Logging**
- * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents
- * Emails aggregated Logs to a configured address on a regular basis
-* **SSH Tunneling**
- * Adds a restricted `algo` group to SSH with no shell access and limited forwarding options
- * Creates one limited, local account per user and an SSH public key for each
+That's it! You now have an Algo VPN server on the internet.
-## Usage
+Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation.
-### Warning
-If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. (You can find some information about tags [here](https://github.com/trailofbits/algo/blob/master/ADVANCED.md))
+## Configure the VPN Clients
-### Requirements
+Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
-* ansible >= 2.1
-* python >= 2.6
-* [dopy=0.3.5](https://github.com/Wiredcraft/dopy)
-* [boto](https://github.com/boto/boto)
-* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python)
-* [apache-libcloud](https://github.com/apache/libcloud)
-* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
-* [six](https://github.com/JioCloud/python-six)
-* SHell or BASH
-* libselinux-python (for RedHat based distros)
+### Apple Devices
-### Roles and Tags
-**Cloud roles:**
-- role: cloud-digitalocean, tags: digitalocean
-- role: cloud-ec2, tags: ec2
-- role: cloud-gce, tags: gce
+Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.
-**Server roles:**
-- role: vpn, tags: vpn
-- role: dns_adblocking, tags: dns, adblock
-- role: proxy, tags: proxy, adblock
-- role: logging, tags: logging
-- role: security, tags: security
-- role: ssh_tunneling, tags: ssh_tunneling
+### Android Devices
-### Cloud Deployment
+You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use.
-To install the dependencies on OS X or Linux:
+### Windows
-```
-sudo easy_install pip
-sudo pip install -r requirements.txt
-```
+Import your user certificate to your Personal certificate store and your CA certificate to the Local Machine Trusted Root certificate store. Then, add an IKEv2 connection in the network settings and activate additional ciphers for it via Powershell (change the ConnectionName to the name of your IKEv2 connection):
-Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
+`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
+8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none`
-Start the deploy and follow the instructions:
+Note that an all-in-one Powershell script that imports your personal certificate, sets up the VPN connection, and activates the stronger ciphers for it is included in the `configs` folder.
-```
-./algo
-```
+### StrongSwan Clients (e.g., OpenWRT)
-When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user.
+Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device.
-### Local Deployment
+### Other Devices
-It is possible to download Algo to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA and using a PPA requires installing `software-properties-common`. tl;dr:
-```
-sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible
-sudo apt-get update && sudo apt-get install ansible
-git clone https://github.com/trailofbits/algo
-cd algo && ./algo
-```
+Depending on the platform, you may need one or multiple of the following files.
-### User Management
+* ca.crt: CA Certificate
+* user_ipsec.conf: StrongSwan client configuration
+* user_ipsec.secrets: StrongSwan client configuration
+* user.crt: User Certificate
+* user.key: User Private Key
+* user.mobileconfig: Apple Profile
+* user.p12: User Certificate and Private Key (in PKCS#12 format)
+* user_windows.ps1: Powershell script to setup a VPN connection on Windows
-If you want to add or delete users, update the `users` list in `config.cfg` and run the command:
+## Setup an SSH Tunnel
-```
-./algo update-users
-```
+If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited (`ssh -N` is required). This is done to ensure that users have the least access required to tunnel through the server.
+
+Use the command below to start an SSH tunnel, replacing `ip` and `user` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through Algo.
+
+ `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem`
+
+## Adding or Removing Users
+
+Algo's own scripts can easily add and remove users from the VPN server.
+
+1. Update the `users` list in your `config.cfg`
+2. Run the command: `./algo update-users`
+
+The Algo VPN server now contains only the users listed in the `config.cfg` file.
## FAQ
-### Has this been audited?
+### Has Algo been audited?
-No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use algo at your own risk.
+No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk.
### Why aren't you using Tor?
-The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/).
+The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/).
### Why aren't you using Racoon, LibreSwan, or OpenSwan?
-Raccoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.
+Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.
### Why aren't you using a memory-safe or verified IKE daemon?
@@ -151,4 +118,4 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi
### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD?
-Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free, Open, and HardenedBSD. Follow along on our progress in [this issue](https://github.com/trailofbits/algo/issues/35).
+Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35).
diff --git a/algo b/algo
index d1e5773..bd4aaf3 100755
--- a/algo
+++ b/algo
@@ -2,13 +2,155 @@
set -e
+SKIP_TAGS="_null"
+
+additional_roles () {
+read -p "
+Do you want to apply security enhancements?
+[y/N]: " -r security_enabled
+security_enabled=${security_enabled:-n}
+if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
+
+read -p "
+Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing?
+[y/N]: " -r proxy_enabled
+proxy_enabled=${proxy_enabled:-n}
+if [[ "$proxy_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" proxy"; fi
+
+read -p "
+Do you want to install a local DNS resolver to block ads while surfing?
+[y/N]: " -r dns_enabled
+dns_enabled=${dns_enabled:-n}
+if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=Y"; fi
+
+read -p "
+Do you want to use auditd for security monitoring (see config.cfg)?
+[y/N]: " -r logging_enabled
+logging_enabled=${logging_enabled:-n}
+if [[ "$logging_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" logging"; fi
+
+read -p "
+Do you want each user to have their own account for SSH tunneling?
+[y/N]: " -r ssh_tunneling_enabled
+ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
+if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
+
+read -p "
+Do you want to enable VPN always when connected to Wi-Fi?
+[y/N]: " -r OnDemandEnabled_WIFI
+OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n}
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi
+
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then
+ read -p "
+Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi)
+: " -r OnDemandEnabled_WIFI_ECXLUDE
+ OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null}
+ EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE"
+fi
+
+read -p "
+Do you want to enable VPN always when connected to the cellular network?
+[y/N]: " -r OnDemandEnabled_Cellular
+OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
+if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
+
+read -p "
+Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
+[y/N]: " -r Win10_Enabled
+Win10_Enabled=${Win10_Enabled:-n}
+if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
+
+}
+
+deploy () {
+
+ ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}"
+
+}
+
+azure () {
+ read -p "
+Enter your azure secret (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_secret
+
+ read -p "
+
+Enter your azure tenant (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_tenant
+
+ read -p "
+
+Enter your azure client_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_client_id
+
+ read -p "
+
+Enter your azure subscription_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_subscription_id
+
+ read -p "
+
+Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key
+ ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}
+
+ read -p "
+Name the vpn server:
+[algo]: " -r azure_server_name
+ azure_server_name=${azure_server_name:-algo}
+
+ read -p "
+ What region should the server be located in?
+ 1. South Central US
+ 2. Central US
+ 3. North Europe
+ 4. West Europe
+ 5. Southeast Asia
+ 6. Japan West
+ 7. Japan East
+ 8. Australia Southeast
+ 9. Australia East
+ 10. Canada Central
+ 11. West US 2
+ 12. West Central US
+ 13. UK South
+ 14. UK West
+Enter the number of your desired region:
+[1]: " -r azure_region
+ azure_region=${azure_region:-1}
+
+ case "$azure_region" in
+ 1) region="southcentralus" ;;
+ 2) region="centralus" ;;
+ 3) region="northeurope" ;;
+ 4) region="westeurope" ;;
+ 5) region="southeastasia" ;;
+ 6) region="japanwest" ;;
+ 7) region="japaneast" ;;
+ 8) region="australiasoutheast" ;;
+ 9) region="australiaeast" ;;
+ 10) region="canadacentral" ;;
+ 11) region="westus2" ;;
+ 12) region="westcentralus" ;;
+ 13) region="uksouth" ;;
+ 14) region="ukwest" ;;
+ esac
+
+ ROLES="azure vpn cloud"
+ EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region"
+}
+
digitalocean () {
read -p "
-Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):
+Enter your API token (https://cloud.digitalocean.com/settings/api/tokens):
: " -rs do_access_token
-
+
read -p "
-Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):
+Enter an existing SSH key name (https://cloud.digitalocean.com/settings/security):
: " -r do_ssh_name
read -p "
@@ -30,11 +172,11 @@ Name the vpn server:
10. Singapore
11. Toronto
12. Bangalore
-Enter the number of your desired region:
+Enter the number of your desired region:
[7]: " -r region
- region=${region:-7}
-
- case "$region" in
+ region=${region:-7}
+
+ case "$region" in
1) do_region="ams2" ;;
2) do_region="ams3" ;;
3) do_region="fra1" ;;
@@ -48,25 +190,28 @@ Enter the number of your desired region:
11) do_region="tor1" ;;
12) do_region="blr1" ;;
esac
-
-ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"
+ROLES="digitalocean vpn cloud"
+EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"
}
ec2 () {
read -p "
-Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
-: " -rs aws_access_key
+Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
+Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
+[AKIA...]: " -rs aws_access_key
read -p "
-Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
-: " -rs aws_secret_key
-
- read -e -p "
-Enter the local path to your SSH public key:
-: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key
+Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
+Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
+[ABCD...]: " -rs aws_secret_key
+
read -p "
+Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key
+ ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}
+
+read -p "
Name the vpn server:
[algo]: " -r aws_server_name
aws_server_name=${aws_server_name:-algo}
@@ -74,46 +219,50 @@ Name the vpn server:
read -p "
What region should the server be located in?
1. us-east-1 US East (N. Virginia)
- 2. us-west-1 US West (N. California)
- 3. us-west-2 US West (Oregon)
- 4. ap-south-1 Asia Pacific (Mumbai)
- 5. ap-northeast-2 Asia Pacific (Seoul)
- 6. ap-southeast-1 Asia Pacific (Singapore)
- 7. ap-southeast-2 Asia Pacific (Sydney)
- 8. ap-northeast-1 Asia Pacific (Tokyo)
- 9. eu-central-1 EU (Frankfurt)
- 10. eu-west-1 EU (Ireland)
- 11. sa-east-1 South America (São Paulo)
-Enter the number of your desired region:
+ 2. us-east-2 US East (Ohio)
+ 3. us-west-1 US West (N. California)
+ 4. us-west-2 US West (Oregon)
+ 5. ap-south-1 Asia Pacific (Mumbai)
+ 6. ap-northeast-2 Asia Pacific (Seoul)
+ 7. ap-southeast-1 Asia Pacific (Singapore)
+ 8. ap-southeast-2 Asia Pacific (Sydney)
+ 9. ap-northeast-1 Asia Pacific (Tokyo)
+ 10. eu-central-1 EU (Frankfurt)
+ 11. eu-west-1 EU (Ireland)
+ 12. sa-east-1 South America (São Paulo)
+ 13. ca-central-1 Canada (Central)
+Enter the number of your desired region:
[1]: " -r aws_region
- aws_region=${aws_region:-1}
-
- case "$aws_region" in
- 1) region="us-east-1" ;;
- 2) region="us-west-1" ;;
- 3) region="us-west-2" ;;
- 4) region="ap-south-1" ;;
- 5) region="ap-northeast-2" ;;
- 6) region="ap-southeast-1" ;;
- 7) region="ap-southeast-2" ;;
- 8) region="ap-northeast-1" ;;
- 9) region="eu-central-1" ;;
- 10) region="eu-west-1" ;;
- 11) region="sa-east-1" ;;
- esac
-
-ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
+ aws_region=${aws_region:-1}
+ case "$aws_region" in
+ 1) region="us-east-1" ;;
+ 2) region="us-east-2" ;;
+ 3) region="us-west-1" ;;
+ 4) region="us-west-2" ;;
+ 5) region="ap-south-1" ;;
+ 6) region="ap-northeast-2" ;;
+ 7) region="ap-southeast-1" ;;
+ 8) region="ap-southeast-2" ;;
+ 9) region="ap-northeast-1" ;;
+ 10) region="eu-central-1" ;;
+ 11) region="eu-west-1" ;;
+ 12) region="sa-east-1" ;;
+ 13) region="ca-central-1" ;;
+ esac
+
+ ROLES="ec2 vpn cloud"
+ EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
}
gce () {
read -p "
-Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):
+Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):
: " -r credentials_file
-
+
read -p "
-Enter the local path to your SSH public key:
-: " -r ssh_public_key
+Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key
+ ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}
read -p "
Name the vpn server:
@@ -137,9 +286,9 @@ Name the vpn server:
13. East Asia (Taiwan C)
Please choose the number of your zone. Press enter for default (#8) zone.
[8]: " -r region
- region=${region:-8}
-
- case "$region" in
+ region=${region:-8}
+
+ case "$region" in
1) zone="us-central1-a" ;;
2) zone="us-central1-b" ;;
3) zone="us-central1-c" ;;
@@ -154,16 +303,16 @@ Please choose the number of your zone. Press enter for default (#8) zone.
12) zone="asia-east1-b" ;;
13) zone="asia-east1-c" ;;
esac
-
-ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"
+ ROLES="gce vpn cloud"
+ EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"
}
non_cloud () {
read -p "
Enter IP address of your server: (use localhost for local installation)
: " -r server_ip
-
+
read -p "
What user should we use to login on the server? (ignore if you're deploying to localhost)
[root]: " -r server_user
@@ -172,8 +321,10 @@ What user should we use to login on the server? (ignore if you're deploying to l
read -p "
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
: " -r IP_subject
-
- ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
+
+ ROLES="local vpn"
+ EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
+ SKIP_TAGS+=" cloud update-alternatives"
}
algo_provisioning () {
@@ -182,9 +333,10 @@ algo_provisioning () {
1. DigitalOcean
2. Amazon EC2
3. Google Compute Engine
- 4. Install to existing Ubuntu server
+ 4. Microsoft Azure
+ 5. Install to existing Ubuntu server
-Enter the number of your desired provider
+Enter the number of your desired provider
: "
read -r N
@@ -193,17 +345,20 @@ Enter the number of your desired provider
1) digitalocean; ;;
2) ec2; ;;
3) gce; ;;
- 4) non_cloud; ;;
+ 4) azure; ;;
+ 5) non_cloud; ;;
*) exit 1 ;;
esac
+ additional_roles
+ deploy
}
-
+
user_management () {
ansible-playbook users.yml
}
case "$1" in
- update-users) user_management ;;
- *) algo_provisioning ;;
-esac
+ update-users) user_management ;;
+ *) algo_provisioning ;;
+esac
diff --git a/ansible.cfg b/ansible.cfg
index dc8f8cd..1a3afab 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -8,5 +8,5 @@ host_key_checking = False
record_host_keys = False
[ssh_connection]
-ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o ConnectTimeout=6 -o ConnectionAttempts=30
scp_if_ssh = True
diff --git a/azure.yml b/azure.yml
deleted file mode 100644
index ec15d2c..0000000
--- a/azure.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-- name: Configure the server and install required software
- hosts: localhost
- gather_facts: false
-
- vars:
- regions:
- "1": "East US"
- "2": "West US"
- "3": "South Central US"
- "4": "North Europe"
- "5": "East Asia"
- "6": "Japan East"
- "7": "West Europe"
- "8": "Southeast Asia"
- "9": "Japan West"
- "10": "North Central US"
- "11": "Central US"
- "12": "Brazil South"
- "13": "East US 2"
- "14": "Australia Southeast"
- "15": "Australia East"
-
- #vars_prompt:
- #- name: "azure_subscription_id"
- #prompt: "Enter your subscription ID (https://blogs.msdn.microsoft.com/mschray/2015/05/13/getting-your-azure-guid-subscription-id/):\n"
- #private: yes
-
- #- name: "management_cert_path"
- #prompt: "Enter the local path to your management cert [ex: ~/.ssh/id_rsa.pub] (https://azure.microsoft.com/en-us/documentation/articles/azure-api-management-certs/):\n"
- #private: no
-
- #- name: "ssh_public_key"
- #prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
- #private: no
-
- #- name: "region"
- #prompt: >
- #What region should the server be located in?
- #1. East US
- #2. West US
- #3. South Central US
- #4. North Europe
- #5. East Asia
- #6. Japan East
- #7. West Europe
- #8. Southeast Asia
- #9. Japan West
- #10. North Central US
- #11. Central US
- #12. Brazil South
- #13. East US 2
- #14. Australia Southeast
- #15. Australia East
- #Enter the number of your desired region:
- #default: "7"
- #private: no
-
- #- name: "azure_server_name"
- #prompt: "Name the vpn server:\n"
- #default: "algo.local"
- #private: no
-
- #- name: "dns_enabled"
- #prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
- #default: "Y"
- #private: no
-
- #- name: "auditd_enabled"
- #prompt: "Do you want to use auditd ? (Y or N):\n"
- #default: "Y"
- #private: no
-
- roles:
- - cloud-azure
-
-- name: Post-provisioning tasks
- hosts: vpn-host
- gather_facts: false
- become: true
- vars_files:
- - config.cfg
-
- pre_tasks:
- - name: Install prerequisites
- raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- - name: Configure defaults
- raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
-
- roles:
- - common
- - security
- - proxy
- - vpn
- - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-
diff --git a/config.cfg b/config.cfg
index 22a48f8..23865ee 100644
--- a/config.cfg
+++ b/config.cfg
@@ -5,16 +5,19 @@ users:
- dan
- jack
-# If you're using auditd for monitoring, add an email address to send logs
+# Add an email address to send logs if you're using auditd for monitoring.
+# Avoid using '+' in your email address otherwise auditd will fail to start.
auditd_action_mail_acct: email@example.com
+# Exported certificates will be protected by the password below:
+easyrsa_p12_export_password: vpnpws
+
+
### Advanced users only below this line ###
easyrsa_dir: /opt/easy-rsa-ipsec
easyrsa_ca_expire: 3650
easyrsa_cert_expire: 3650
-easyrsa_p12_export_password: vpnpws
-
# If True re-init all existing certificates. (True or False)
easyrsa_reinit_existent: False
@@ -25,15 +28,13 @@ vpn_network_ipv6: 'fd9d:bc11:4020::/48'
server_name: "{{ ansible_ssh_host }}"
IP_subject_alt_name: "{{ ansible_ssh_host }}"
-# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
-service_dns: True
-
-# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list.
dns_servers:
- - 8.8.8.8
- - 8.8.4.4
- - 2001:4860:4860::8888
- - 2001:4860:4860::8844
+ ipv4:
+ - 8.8.8.8
+ - 8.8.4.4
+ ipv6:
+ - 2001:4860:4860::8888
+ - 2001:4860:4860::8844
strongswan_enabled_plugins:
- aes
@@ -60,8 +61,6 @@ ipsec_config:
dpddelay: '35s'
rekey: 'no'
keyexchange: 'ikev2'
- ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
- esp: 'aes128gcm16-sha2_256-ecp256!'
compress: 'yes'
fragmentation: 'yes'
@@ -71,3 +70,7 @@ ec2_vpc_nets:
# IP address for the proxy and the local dns resolver
local_service_ip: 172.16.0.1
+
+pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
+VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
+CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
diff --git a/deploy.yml b/deploy.yml
index 4e6ca20..dca53ef 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -8,6 +8,7 @@
- { role: cloud-digitalocean, tags: ['digitalocean'] }
- { role: cloud-ec2, tags: ['ec2'] }
- { role: cloud-gce, tags: ['gce'] }
+ - { role: cloud-azure, tags: ['azure'] }
- { role: local, tags: ['local'] }
- name: Post-provisioning tasks
@@ -21,7 +22,7 @@
pre_tasks:
- name: Common pre-tasks
include: playbooks/common.yml
- tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]
+ tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
- name: DigitalOcean pre-tasks
include: playbooks/digitalocean.yml
@@ -39,3 +40,17 @@
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
+ post_tasks:
+ - shell: |
+ echo "#----------------------------------------------------------------------#"
+ echo "# Congratulations! #"
+ echo "# Your Algo server is running. #"
+ echo "# Config files and certificates are in the ./configs/ directory. #"
+ echo "# Go to https://whoer.net/ after connecting #"
+ echo "# and ensure that all your traffic passes through the VPN. #"
+ echo "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
+ echo "#----------------------------------------------------------------------#"
+ tags: always
+ register: congrats
+ - debug: msg="{{ congrats.stdout_lines }}"
+ tags: always
diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md
new file mode 100644
index 0000000..ad057e8
--- /dev/null
+++ b/docs/ADVANCED.md
@@ -0,0 +1,138 @@
+# Advanced Usage
+
+## Requirements
+
+Before you begin, make sure you have installed all the dependencies necessary for your use case. Algo depends on the software below and most of it will be installed via the `requirements.txt` file.
+
+* ansible >= 2.1
+* python >= 2.6
+* [dopy=0.3.5](https://github.com/Wiredcraft/dopy)
+* [boto](https://github.com/boto/boto)
+* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python)
+* [apache-libcloud](https://github.com/apache/libcloud)
+* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
+* [six](https://github.com/JioCloud/python-six)
+* SHell or BASH
+* libselinux-python (for RedHat based distros)
+
+## Local Deployment
+
+**Warning**: If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. You can find some information about tags below.
+
+It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`.
+
+tl;dr:
+
+```
+sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible
+sudo apt-get update && sudo apt-get install ansible
+git clone https://github.com/trailofbits/algo
+cd algo && ./algo
+```
+
+## Scripted Deployment
+
+Example for DigitalOcean:
+
+```
+ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=my_secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2'
+```
+
+### Roles
+
+Cloud roles:
+
+- role: cloud-digitalocean, tags: digitalocean
+- role: cloud-ec2, tags: ec2
+- role: cloud-gce, tags: gce
+
+Server roles:
+
+- role: vpn, tags: vpn
+- role: dns_adblocking, tags: dns, adblock
+- role: proxy, tags: proxy, adblock
+- role: logging, tags: logging
+- role: security, tags: security
+- role: ssh_tunneling, tags: ssh_tunneling
+
+### Digital Ocean
+
+Required variables:
+
+- do_access_token
+- do_ssh_name
+- do_server_name
+- do_region
+
+Possible regions:
+
+- ams2
+- ams3
+- fra1
+- lon1
+- nyc1
+- nyc2
+- nyc3
+- sfo1
+- sfo2
+- sgp1
+- tor1
+- blr1
+
+### Google Cloud Engine
+
+Required variables:
+
+- credentials_file
+- server_name
+- ssh_public_key
+- zone
+
+Possible zones:
+
+- us-central1-a
+- us-central1-b
+- us-central1-c
+- us-central1-f
+- us-east1-b
+- us-east1-c
+- us-east1-d
+- europe-west1-b
+- europe-west1-c
+- europe-west1-d
+- asia-east1-a
+- asia-east1-b
+- asia-east1-c
+
+### Amazon EC2
+
+Required variables:
+
+- aws_access_key
+- aws_secret_key
+- aws_server_name
+- ssh_public_key
+- region
+
+Possible regions:
+
+- us-east-1
+- us-east-2
+- us-west-1
+- us-west-2
+- ap-south-1
+- ap-northeast-2
+- ap-southeast-1
+- ap-southeast-2
+- ap-northeast-1
+- eu-central-1
+- eu-west-1
+- sa-east-1
+
+### Local Installation
+
+Required variables:
+
+- server_ip
+- server_user
+- IP_subject_alt_name
diff --git a/docs/ROLES.md b/docs/ROLES.md
new file mode 100644
index 0000000..8e1df28
--- /dev/null
+++ b/docs/ROLES.md
@@ -0,0 +1,32 @@
+# Ansible Roles
+
+## Required Roles
+
+* **Common**
+ * Installs several required packages and software updates, then reboots if necessary
+ * Configures network interfaces and enables packet forwarding on them
+* **VPN**
+ * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
+ * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
+ * Bundles the appropriate certificates into Apple mobileconfig profiles for each user
+ * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
+
+## Optional Roles
+
+* **Security Enhancements (Reccommended)**
+ * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
+ * Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
+ * Enhances SSH with modern ciphers and seccomp, and restricts access to older, unwanted features like X11 forwarding and SFTP
+* **Ad Blocking and Compression HTTP Proxy**
+ * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
+ * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
+ * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
+* **DNS Ad Blocking**
+ * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
+ * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
+* **Security Monitoring and Logging**
+ * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents
+ * Sends logs to a configured email address on a regular basis
+* **SSH Tunneling**
+ * Adds a restricted `algo` group with no shell access and limited SSH forwarding options
+ * Creates one limited, local account per user and an SSH public key for each
diff --git a/playbooks/common.yml b/playbooks/common.yml
index d84a6eb..36a051c 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -1,5 +1,7 @@
- name: Install prerequisites
- raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+ raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
+ tags:
+ - update-alternatives
diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml
index 703e5d0..78b652b 100644
--- a/playbooks/digitalocean.yml
+++ b/playbooks/digitalocean.yml
@@ -1,5 +1,6 @@
- name: Enable IPv6 on the droplet
- uri:
+ local_action:
+ module: uri
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
method: POST
body:
@@ -8,15 +9,18 @@
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
+ become: no
- name: Get Droplet networks
- uri:
+ local_action:
+ module: uri
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
method: GET
status_code: 200
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
register: droplet_info
+ become: no
- name: IPv6 configured
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
diff --git a/requirements.txt b/requirements.txt
index a666d82..3039915 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,6 @@
+ansible>=2.1
dopy==0.3.5
boto
-azure>=0.7.1
+azure==2.0.0rc5
apache-libcloud
six
diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml
index 8b13789..d894b2e 100644
--- a/roles/cloud-azure/tasks/main.yml
+++ b/roles/cloud-azure/tasks/main.yml
@@ -1 +1,71 @@
+---
+- set_fact:
+ resource_group: "Algo_{{ region }}"
+
+- name: Create a resource group
+ azure_rm_resourcegroup:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ name: "{{ resource_group }}"
+ location: "{{ region }}"
+ tags:
+ service: algo
+
+- name: Create a virtual network
+ azure_rm_virtualnetwork:
+ resource_group: "{{ resource_group }}"
+ name: algo_net
+ address_prefixes: "10.10.0.0/16"
+ tags:
+ service: algo
+
+- name: Create a subnet
+ azure_rm_subnet:
+ resource_group: "{{ resource_group }}"
+ name: algo_subnet
+ address_prefix: "10.10.0.0/24"
+ virtual_network: algo_net
+ tags:
+ service: algo
+
+- name: Create an instance
+ azure_rm_virtualmachine:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ resource_group: "{{ resource_group }}"
+ admin_username: ubuntu
+ virtual_network: algo_net
+ name: "{{ azure_server_name }}"
+ ssh_password_enabled: false
+ vm_size: Standard_D1
+ tags:
+ service: algo
+ ssh_public_keys:
+ - { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', '{{ ssh_public_key }}') }}" }
+ image:
+ offer: UbuntuServer
+ publisher: Canonical
+ sku: '16.04-LTS'
+ version: latest
+ register: azure_rm_virtualmachine
+
+- set_fact:
+ ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
+
+- name: Add the instance to an inventory group
+ add_host:
+ name: "{{ ip_address }}"
+ groups: vpn-host
+ ansible_ssh_user: ubuntu
+ ansible_python_interpreter: "/usr/bin/python2.7"
+ easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ cloud_provider: azure
+ ipv6_support: no
+
+- name: Wait for SSH to become available
+ local_action: "wait_for port=22 host={{ ip_address }} timeout=320"
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 1dc0eda..0795b7f 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: Locate official Ubuntu 16.04 AMI for region.
+- name: Locate official Ubuntu 16.04 AMI for region
ec2_ami_find:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
owner: 099720109477
- sort: name
+ sort: creationDate
sort_order: descending
sort_end: 1
region: "{{ region }}"
@@ -13,10 +13,10 @@
- set_fact:
ami_image: "{{ ami_search.results[0].ami_id }}"
-- name: Add ssh public key.
+- name: Add ssh public key
ec2_key:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
name: VPNKEY
region: "{{ region }}"
key_material: "{{ item }}"
@@ -26,21 +26,36 @@
- name: Configure EC2 virtual private clouds
ec2_vpc:
aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
state: present
resource_tags: { "Environment":"Algo" }
region: "{{ region }}"
cidr_block: "{{ ec2_vpc_nets.cidr_block }}"
+ internet_gateway: yes
subnets:
- cidr: "{{ ec2_vpc_nets.subnet_cidr }}"
resource_tags: { "Environment":"Algo" }
register: vpc
+- name: Set up Public Subnets Route Table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc_id }}"
+ region: "{{ region }}"
+ state: present
+ tags:
+ Environment: Algo
+ subnets:
+ - "{{ ec2_vpc_nets.subnet_cidr }}"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: "{{ vpc.igw_id }}"
+ register: public_rt
+
- name: Configure EC2 security group
ec2_group:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- name: algo-secgroup
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+ name: vpn-secgroup
description: Security group for VPN servers
region: "{{ region }}"
vpc_id: "{{ vpc.vpc_id }}"
@@ -65,12 +80,12 @@
- name: Launch instance
ec2:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
keypair: "VPNKEY"
- group: algo-secgroup
vpc_subnet_id: "{{ vpc.subnets[0].id }}"
- instance_type: t2.nano
+ group: vpn-secgroup
+ instance_type: t2.micro
image: "{{ ami_image }}"
wait: true
region: "{{ region }}"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 44aa345..a5730ac 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -2,16 +2,22 @@
- name: Gather Facts
setup:
+ tags:
+ - always
- name: Install software updates
apt: update_cache=yes upgrade=dist
+ tags:
+ - cloud
- name: Check if reboot is required
shell: >
- if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi
+ if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
args:
executable: /bin/bash
register: reboot_required
+ tags:
+ - cloud
- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
@@ -19,22 +25,30 @@
poll: 0
when: reboot_required is defined and reboot_required.stdout == 'required'
ignore_errors: true
+ tags:
+ - cloud
- name: Wait for shutdown
local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
+ tags:
+ - cloud
- name: Wait until SSH becomes ready...
local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
+ tags:
+ - cloud
- name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
+ tags:
+ - cloud
- name: Install tools
apt: name="{{ item }}" state=latest
@@ -47,24 +61,36 @@
- sendmail
- iptables-persistent
- cgroup-tools
+ tags:
+ - always
- name: Loopback for services configured
template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
notify:
- restart loopback
+ tags:
+ - always
- name: Loopback included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
notify:
- restart loopback
+ tags:
+ - always
- meta: flush_handlers
+ tags:
+ - always
- name: Enable packet forwarding for IPv4
sysctl: name="{{ item }}" value=1
with_items:
- net.ipv4.ip_forward
- net.ipv4.conf.all.forwarding
+ tags:
+ - always
- name: Enable packet forwarding for IPv6
sysctl: name=net.ipv6.conf.all.forwarding value=1
+ tags:
+ - always
diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml
index e985f92..ef71a47 100644
--- a/roles/proxy/meta/main.yml
+++ b/roles/proxy/meta/main.yml
@@ -2,3 +2,4 @@
dependencies:
- { role: common, tags: common }
+ - { role: vpn, tags: vpn }
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index ea4d086..ff78716 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -6,7 +6,7 @@
marker: '# ANSIBLE_MANAGED_ssh_tunneling_role'
block: |
Match Group algo
- AllowTcpForwarding remote
+ AllowTcpForwarding local
AllowAgentForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
@@ -57,5 +57,10 @@
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}"
+- name: Change mode for SSH private keys
+ local_action: file path=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600
+ with_items: "{{ users }}"
+ become: false
+
- name: Fetch the known_hosts file
fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 84e08b0..32885b5 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -12,15 +12,3 @@
- name: restart iptables
service: name=netfilter-persistent state=restarted
-
-- name: congrats
- debug:
- msg:
- - "#----------------------------------------------------------------------#"
- - "# Congratulations! #"
- - "# Your Algo server is running. #"
- - "# Config files and certificates are in the ./configs/ directory. #"
- - "# Go to https://www.dnsleaktest.com/ after connecting #"
- - "# and ensure that all your traffic passes through the VPN. #"
- - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
- - "#----------------------------------------------------------------------#"
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index fbe4b94..f5951a4 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -212,6 +212,16 @@
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
with_items: "{{ users }}"
+- name: Build the windows client powershell script
+ template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600
+ when: Win10_Enabled is defined and Win10_Enabled == "Y"
+ with_items: "{{ users }}"
+
+- name: Fetch users windows scripts
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes
+ when: Win10_Enabled is defined and Win10_Enabled == "Y"
+ with_items: "{{ users }}"
+
- name: Restrict permissions
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
with_items:
@@ -219,9 +229,6 @@
- name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
- notify:
- - congrats
- include: iptables.yml
tags: iptables
-
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index 3b01ff1..2e97c36 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
{{ key }}={{ value }}
{% endfor %}
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+ esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+{% else %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256
+ esp=aes128gcm16-sha2_256-ecp256
+{% endif %}
+
right={{ IP_subject_alt_name }}
rightid={{ IP_subject_alt_name }}
rightsubnet=0.0.0.0/0
diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2
index ec4a30f..6160312 100644
--- a/roles/vpn/templates/client_ipsec.secrets.j2
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
+{% else %}
{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
-
+{% endif %}
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
new file mode 100644
index 0000000..9b6d197
--- /dev/null
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -0,0 +1,3 @@
+certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12
+Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
+Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2
index 50159aa..2805b3b 100644
--- a/roles/vpn/templates/easy-rsa.vars.j2
+++ b/roles/vpn/templates/easy-rsa.vars.j2
@@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
# * rsa
# * ec
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+set_var EASYRSA_ALGO rsa
+{% else %}
set_var EASYRSA_ALGO ec
+{% endif %}
# Define the named curve, used in ec mode only:
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index fa29458..6b60e36 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -7,6 +7,14 @@ conn %default
{{ key }}={{ value }}
{% endfor %}
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+ esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+{% else %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+ esp=aes128gcm16-sha2_256-ecp256!
+{% endif %}
+
left=%any
leftauth=pubkey
leftid={{ IP_subject_alt_name }}
@@ -17,10 +25,10 @@ conn %default
right=%any
rightauth=pubkey
rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }}
-{% if service_dns is defined and service_dns == "Y" %}
+{% if local_dns is defined and local_dns == "Y" %}
rightdns={{ local_service_ip }}
{% else %}
- rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
+ rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
conn ikev2-pubkey
diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2
index d5793ae..2226f04 100644
--- a/roles/vpn/templates/ipsec.secrets.j2
+++ b/roles/vpn/templates/ipsec.secrets.j2
@@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+: RSA {{ IP_subject_alt_name }}.key
+{% else %}
: ECDSA {{ IP_subject_alt_name }}.key
-
+{% endif %}
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index 5714839..1ccb037 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -7,6 +7,50 @@
IKEv2
+{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %}
+ OnDemandEnabled
+ 1
+ OnDemandRules
+
+{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %}
+{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %}
+
+ Action
+ Disconnect
+ InterfaceTypeMatch
+ WiFi
+ SSIDMatch
+
+{% for network_name in WIFI_ECXLUDE_LIST %}
+ {{ network_name }}
+{% endfor %}
+
+
+{% else %}
+{% endif %}
+
+ Action
+{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %}
+ Connect
+ {% else %}
+ Disconnect
+{% endif %}
+ InterfaceTypeMatch
+ WiFi
+
+
+ Action
+{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %}
+ Connect
+ {% else %}
+ Disconnect
+{% endif %}
+ InterfaceTypeMatch
+ Cellular
+
+
+{% else %}
+{% endif %}
AuthenticationMethod
Certificate
ChildSecurityAssociationParameters
@@ -44,9 +88,13 @@
LocalIdentifier
{{ item.0 }}
PayloadCertificateUUID
- 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ {{ pkcs12_PayloadCertificateUUID }}
CertificateType
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+ RSA2048
+{% else %}
ECDSA256
+{% endif %}
ServerCertificateIssuerCommonName
{{ IP_subject_alt_name }}
RemoteAddress
@@ -66,11 +114,11 @@
PayloadDisplayName
VPN
PayloadIdentifier
- com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53
+ com.apple.vpn.managed.{{ VPN_PayloadIdentifier }}
PayloadType
com.apple.vpn.managed
PayloadUUID
- D247A30B-6023-4C8E-B3E3-FF1910A65E53
+ {{ VPN_PayloadIdentifier }}
PayloadVersion
1
Proxies
@@ -111,11 +159,11 @@
PayloadDisplayName
{{ item.0 }}.p12
PayloadIdentifier
- com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }}
PayloadType
com.apple.security.pkcs12
PayloadUUID
- 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ {{ pkcs12_PayloadCertificateUUID }}
PayloadVersion
1
@@ -131,11 +179,11 @@
PayloadDisplayName
{{ IP_subject_alt_name }}
PayloadIdentifier
- com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38
+ com.apple.security.root.{{ CA_PayloadIdentifier }}
PayloadType
com.apple.security.root
PayloadUUID
- 32EA3AAA-D19E-43EF-B357-608218745A38
+ {{ CA_PayloadIdentifier }}
PayloadVersion
1
@@ -148,16 +196,16 @@
{% endif %}
PayloadIdentifier
{% if proxy_enabled is defined and proxy_enabled == true %}
- donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA
+ donut.local.{{ 600000 | random | to_uuid | upper }}
{% else %}
- donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
+ donut.local.{{ 500000 | random | to_uuid | upper }}
{% endif %}
PayloadRemovalDisallowed
PayloadType
Configuration
PayloadUUID
- 743B04A8-5725-45A2-B1BB-836F8C16DB0A
+ {{ 400000 | random | to_uuid | upper }}
PayloadVersion
1
diff --git a/users.yml b/users.yml
index 6bdbf2e..fb79ba2 100644
--- a/users.yml
+++ b/users.yml
@@ -139,7 +139,7 @@
remove: yes
force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- with_items: "{{ valid_users.stdout_lines }}"
+ with_items: "{{ valid_users.stdout_lines | default('null') }}"
- name: SSH | Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes