From bff7c414b2ddf00316ac7f9ca9c7e46c2182a803 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Thu, 13 Oct 2016 15:27:06 +0200
Subject: [PATCH 01/53] Initial commit of reorg'd docs
---
 ADVANCED.md | 81 --------------------
 CONTRIBUTING.md | 4 +-
 README.md | 129 ++++++++++---------------------
 algo | 30 ++++----
 config.cfg | 3 +-
 deploy.yml | 1 -
 docs/ADVANCED.md | 135 +++++++++++++++++++++++++++++++++
 docs/ROLES.md | 32 ++++++++
 requirements.txt | 1 +
 roles/cloud-ec2/tasks/main.yml | 4 +-
 10 files changed, 228 insertions(+), 192 deletions(-)
 delete mode 100644 ADVANCED.md
 create mode 100644 docs/ADVANCED.md
 create mode 100644 docs/ROLES.md
diff --git a/ADVANCED.md b/ADVANCED.md
deleted file mode 100644
index 00de5fe..0000000
--- a/ADVANCED.md
+++ /dev/null
@@ -1,81 +0,0 @@ -### Cloud Providers - -**digitalocean** -*Requirement variables:* -- do_access_token -- do_ssh_name -- do_server_name -- do_region - -*Possible regions:* -- ams2 -- ams3 -- fra1 -- lon1 -- nyc1 -- nyc2 -- nyc3 -- sfo1 -- sfo2 -- sgp1 -- tor1 -- blr1 - -**gce** -*Requirement variables:* -- credentials_file -- server_name -- ssh_public_key -- zone - -*Possible zones:* -- us-central1-a -- us-central1-b -- us-central1-c -- us-central1-f -- us-east1-b -- us-east1-c -- us-east1-d -- europe-west1-b -- europe-west1-c -- europe-west1-d -- asia-east1-a -- asia-east1-b -- asia-east1-c - -**ec2** -*Requirement variables:* -- aws_access_key -- aws_secret_key -- aws_server_name -- ssh_public_key -- region - -*Possible regions:* -- us-east-1 -- us-west-1 -- us-west-2 -- ap-south-1 -- ap-northeast-2 -- ap-southeast-1 -- ap-southeast-2 -- ap-northeast-1 -- eu-central-1 -- eu-west-1 -- sa-east-1 - -**local installation** -*Requirement variables:* -- server_ip -- server_user -- IP_subject_alt_name - -### Deployment - -Start the deploy with extra variables and tags that you need. -Example for DigitalOcean: - -``` -ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' -``` - diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a1001f..c3a7ac5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ ### Common Issues * Check that you're using at least Ansible 2.1 -* If installing to a local server, try using a fresh install -* Please review the [FAQ](https://github.com/trailofbits/algo#faq) in the readme +* If installing to a local server, use a fresh install of Ubuntu 16.04 +* Please review the [FAQ](https://github.com/trailofbits/algo#faq) ### Coding Guidelines diff --git a/README.md b/README.md index 5cb7148..c125213 100644 --- a/README.md +++ b/README.md 
@@ -6,11 +6,11 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw ## Features -* Supports only IKEv2 -* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH -* Generates mobileconfig profiles to auto-configure Apple devices +* Supports only IKEv2 w/ a single cipher suite: AES GCM, SHA2 HMAC, and P-256 DH +* Generates Apple Profiles to auto-configure iOS and macOS devices * Provides helper scripts to add and remove users * Blocks ads with a local DNS resolver and HTTP proxy (optional) +* Sets up limited SSH tunnels for each user (optional) * Based on current versions of Ubuntu and StrongSwan * Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server 
@@ -23,120 +23,71 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw * Does not claim to provide anonymity or censorship avoidance * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster) -## Included Roles +## Initial Setup -Ansible scripts are organized into roles. The roles used by Algo are described in detail below. - -### Required Roles - -* **Common** - * Installs several required packages and software updates, then reboots if necessary - * Configures network interfaces and enables packet forwarding on them -* **VPN** - * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges - * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user - * Bundles the appropriate certificates into Apple mobileconfig profiles for each user - -### Optional Roles - -* **Security Enhancements** - * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied - * Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks - * Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP - * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834) -* **Ad Blocking and Compression HTTP Proxy** - * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset - * 
Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy - * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations -* **DNS Ad Blocking** - * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains - * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations -* **Security Monitoring and Logging** - * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents - * Emails aggregated Logs to a configured address on a regular basis -* **SSH Tunneling** - * Adds a restricted `algo` group to SSH with no shell access and limited forwarding options - * Creates one limited, local account per user and an SSH public key for each - -## Usage - -### Requirements - -* ansible >= 2.1 -* python >= 2.6 -* [dopy=0.3.5](https://github.com/Wiredcraft/dopy) -* [boto](https://github.com/boto/boto) -* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python) -* [apache-libcloud](https://github.com/apache/libcloud) -* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS) -* [six](https://github.com/JioCloud/python-six) -* SHell or BASH -* libselinux-python (for RedHat based distros) - -### Roles and Tags -**Cloud roles:** -- role: cloud-digitalocean, tags: digitalocean -- role: cloud-ec2, tags: ec2 -- role: cloud-gce, tags: gce - -**Server roles:** -- role: vpn, tags: vpn -- role: dns_adblocking, tags: dns, adblock -- role: proxy, tags: proxy, adblock -- role: logging, tags: logging -- role: security, tags: security -- role: ssh_tunneling, tags: ssh_tunneling - -### Cloud Deployment - -To install the dependencies on OS X or Linux: +The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. +1. 
Install the dependencies on OS X or Linux: ``` sudo easy_install pip sudo pip install -r requirements.txt ``` -Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. - -Start the deploy and follow the instructions: - +2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. +3. Start the deploy and follow the instructions: ``` ./algo ``` -When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. +That's it! You now have an Algo VPN server on the internet. -### Local Deployment +Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation. -It is possible to download Algo to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA and using a PPA requires installing `software-properties-common`. 
tl;dr: -``` -sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible -sudo apt-get update && sudo apt-get install ansible -git clone https://github.com/trailofbits/algo -cd algo && ./algo -``` +## User Management -### User Management +### Configuration Files -If you want to add or delete users, update the `users` list in `config.cfg` and run the command: +After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. +* [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop. +* asdf +* asdf + +### Adding or Removing Users + +Algo's own scripts can easily add and remove users from the VPN server. + +1. Update the `users` list in your `config.cfg` +2. Run the command: ``` ./algo update-users ``` +The Algo VPN server now only contains the users listed in the `config.cfg` file. + +## SSH Tunneling + +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. + +Use the following command to SSH tunnel through the server: + +```asdf``` + +[explain the options] + ## FAQ -### Has this been audited? +### Has Algo been audited? -No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use algo at your own risk. +No. This project is under active development. 
We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk. ### Why aren't you using Tor? -The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/). +The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/). ### Why aren't you using Racoon, LibreSwan, or OpenSwan? -Raccoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. 
I consider such rewrites a positive step when supporting a major new protocol version. +Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version. ### Why aren't you using a memory-safe or verified IKE daemon? @@ -148,4 +99,4 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi ### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD? -Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free, Open, and HardenedBSD. Follow along on our progress in [this issue](https://github.com/trailofbits/algo/issues/35). +Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35). diff --git a/algo b/algo index bf1ebe4..8f406a6 100755 --- a/algo +++ b/algo @@ -4,11 +4,11 @@ set -e digitalocean () { read -p " -Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens): +Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): : " -rs do_access_token read -p " -Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security): +Enter an existing SSH key name (https://cloud.digitalocean.com/settings/security): : " -r do_ssh_name read -p " @@ -32,9 +32,9 @@ Name the vpn server: 12. Bangalore Enter the number of your desired region: [7]: " -r region - region=${region:-7} + region=${region:-7} - case "$region" in + case "$region" in 1) do_region="ams2" ;; 2) do_region="ams3" ;; 3) do_region="fra1" ;; 
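Review bot: The `case "$region" in` that this hunk re-indents has no default arm, so a selection outside 1–12 falls through `esac` with `do_region` unset and the later playbook call runs with an empty `do_region=`; `set -e` (visible in the `@@ -4` header) does not help because nothing fails. Add a catch-all as the last arm, e.g. `*) echo "Invalid region selection: $region" >&2; exit 1 ;;`. The `esac` and the `ansible-playbook` call belong to the next hunk, so the `digitalocean` function extends beyond this one, and the `aws_region` case at `@@ -86` presumably has the same gap.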
@@ -49,22 +49,22 @@ Enter the number of your desired region: 12) do_region="blr1" ;; esac -ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" +ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } ec2 () { read -p " Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -: " -rs aws_access_key +[asdf...]: " -rs aws_access_key read -p " Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -: " -rs aws_secret_key +[asdf...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -: " -r ssh_public_key +[adsf]: " -r ssh_public_key read -p " Name the vpn server: @@ -86,7 +86,7 @@ Name the vpn server: 11. sa-east-1 South America (São Paulo) Enter the number of your desired region: [1]: " -r aws_region - aws_region=${aws_region:-1} + aws_region=${aws_region:-1} case "$aws_region" in 1) region="us-east-1" ;; @@ -155,7 +155,7 @@ Please choose the number of your zone. Press enter for default (#8) zone. 13) zone="asia-east1-c" ;; esac -ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" +ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } 
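Review bot: The re-indented `ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token ..."` line places the DigitalOcean API token in the process argument list, where any local user can read it from `ps` for the duration of the run, and the same command is reproduced verbatim in docs/ADVANCED.md, where it will also end up in shell history. Passing the secret through a mode-0600 extra-vars file (`-e @"$vars_file"`) or via the environment with Ansible's `lookup('env', ...)` in the role keeps it off the command line. The `ec2` function that collects `aws_secret_key` below continues past the end of this hunk; if its playbook call passes the key the same way (not visible here), it has the same exposure.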
@@ -173,7 +173,7 @@ What user should we use to login on the server? (ignore if you're deploying to l Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) : " -r IP_subject - ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" } algo_provisioning () { @@ -184,7 +184,7 @@ algo_provisioning () { 3. Google Compute Engine 4. Install to existing Ubuntu server -Enter the number of your desired provider +Enter the number of your desired provider : " read -r N @@ -198,12 +198,12 @@ Enter the number of your desired provider esac } - + user_management () { ansible-playbook users.yml } case "$1" in - update-users) user_management ;; - *) algo_provisioning ;; + update-users) user_management ;; + *) algo_provisioning ;; esac diff --git a/config.cfg b/config.cfg index 4704920..8fe2582 100644 --- a/config.cfg +++ b/config.cfg @@ -5,7 +5,7 @@ users: - dan - jack -# If you're using auditd for monitoring, add an email address to send logs +# Add an email address to send logs if you're using auditd for monitoring, auditd_action_mail_acct: email@example.com ### Advanced users only below this line ### @@ -15,7 +15,6 @@ easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 easyrsa_p12_export_password: vpnpws - # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False diff --git a/deploy.yml b/deploy.yml index 4e6ca20..9fbf792 100644 --- a/deploy.yml +++ b/deploy.yml @@ -38,4 +38,3 @@ handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md new file mode 100644 index 0000000..9877033 --- /dev/null +++ b/docs/ADVANCED.md 
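Review bot: The rewritten comment above `auditd_action_mail_acct` in config.cfg ends with a comma, so it reads as an unfinished sentence, and it drops the preposition; `# Add an email address to send logs to if you're using auditd for monitoring.` fixes both. Since the value below it is the placeholder `email@example.com`, which will presumably be used as-is if left alone, the comment is also the place to say the address must be replaced when the logging role is enabled.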
@@ -0,0 +1,135 @@ +# Advanced Usage + +## Requirements + +Before you begin, make sure you have installed all the dependencies necessary for your use case. Algo depends on the software below and most of it will be installed via the `requirements.txt` file. + +* ansible >= 2.1 +* python >= 2.6 +* [dopy=0.3.5](https://github.com/Wiredcraft/dopy) +* [boto](https://github.com/boto/boto) +* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python) +* [apache-libcloud](https://github.com/apache/libcloud) +* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS) +* [six](https://github.com/JioCloud/python-six) +* SHell or BASH +* libselinux-python (for RedHat based distros) + +## Local Deployment + +It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`. 
+ +tl;dr: + +``` +sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible +sudo apt-get update && sudo apt-get install ansible +git clone https://github.com/trailofbits/algo +cd algo && ./algo +``` + +## Scripted Deployment + +Example for DigitalOcean: + +``` +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=my_secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +``` + +### Roles + +Cloud roles: + +- role: cloud-digitalocean, tags: digitalocean +- role: cloud-ec2, tags: ec2 +- role: cloud-gce, tags: gce + +Server roles: + +- role: vpn, tags: vpn +- role: dns_adblocking, tags: dns, adblock +- role: proxy, tags: proxy, adblock +- role: logging, tags: logging +- role: security, tags: security +- role: ssh_tunneling, tags: ssh_tunneling + +### Digital Ocean + +Required variables: + +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +Possible regions: + +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +### Google Cloud Engine + +Required variables: + +- credentials_file +- server_name +- ssh_public_key +- zone + +Possible zones: + +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +### Amazon EC2 + +Required variables: + +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +Possible regions: + +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + +### Local Installation + +Required variables: + +- server_ip +- server_user +- IP_subject_alt_name \ No newline at end of file diff --git a/docs/ROLES.md b/docs/ROLES.md new file mode 100644 index 0000000..8e1df28 --- /dev/null +++ b/docs/ROLES.md 
@@ -0,0 +1,32 @@ +# Ansible Roles + +## Required Roles + +* **Common** + * Installs several required packages and software updates, then reboots if necessary + * Configures network interfaces and enables packet forwarding on them +* **VPN** + * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges + * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user + * Bundles the appropriate certificates into Apple mobileconfig profiles for each user + * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834) + +## Optional Roles + +* **Security Enhancements (Reccommended)** + * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied + * Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks + * Enhances SSH with modern ciphers and seccomp, and restricts access to older, unwanted features like X11 forwarding and SFTP +* **Ad Blocking and Compression HTTP Proxy** + * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset + * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy + * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations +* **DNS Ad Blocking** + * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains + * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations +* **Security Monitoring and Logging** + * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for 
investigating security incidents + * Sends logs to a configured email address on a regular basis +* **SSH Tunneling** + * Adds a restricted `algo` group with no shell access and limited SSH forwarding options + * Creates one limited, local account per user and an SSH public key for each diff --git a/requirements.txt b/requirements.txt index a666d82..36b226c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ +ansible>=2.1 dopy==0.3.5 boto azure>=0.7.1 diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 4f25e1b..eace8c4 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -1,4 +1,4 @@ -- name: Locate official Ubuntu 16.04 AMI for region. +- name: Locate official Ubuntu 16.04 AMI for region ec2_ami_find: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" @@ -13,7 +13,7 @@ - set_fact: ami_image: "{{ ami_search.results[0].ami_id }}" -- name: Add ssh public key. +- name: Add ssh public key ec2_key: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" From e99d5dffea1d0221e23c63d77e10d6c15bc7c529 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Thu, 13 Oct 2016 15:50:24 +0200 Subject: [PATCH 02/53] better defaults --- algo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/algo b/algo index 8f406a6..c0cec1d 100755 --- a/algo +++ b/algo 
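Review bot: `ansible>=2.1` in requirements.txt is the only entry with an open upper bound, while `dopy==0.3.5` in the same file is pinned exactly, so a fresh `pip install -r requirements.txt` will pull whatever the newest Ansible release is, and module interfaces this series relies on (e.g. `ec2_ami_find` in roles/cloud-ec2/tasks/main.yml) can change across major versions without any signal. Either add an upper bound (`ansible>=2.1,<3`) or pin the exact version the playbooks were tested with, and state the supported range in the docs. A pin still trusts whatever the index serves; `pip install --require-hashes` with hashed entries is the stronger option if reproducible installs are a goal.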
@@ -56,15 +56,15 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t ec2 () { read -p " Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -[asdf...]: " -rs aws_access_key +[AKIA...]: " -rs aws_access_key read -p " Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -[asdf...]: " -rs aws_secret_key +[ABCD...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -[adsf]: " -r ssh_public_key +[~/.ssh/id_rsa.pub]: " -r ssh_public_key read -p " Name the vpn server: From 462bf29e08110b7244c2fe92267eb95e4b20f15b Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Thu, 13 Oct 2016 16:35:32 +0200 Subject: [PATCH 03/53] change EC2 instructions --- algo | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/algo b/algo index c0cec1d..0e891da 100755 --- a/algo +++ b/algo 
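Review bot: The new prompt hint `[~/.ssh/id_rsa.pub]: " -r ssh_public_key` advertises a default that is never applied, unlike `region=${region:-7}` in the digitalocean function, so pressing Enter leaves `ssh_public_key` empty and the playbook will later be invoked with a blank path. Either apply it after the read, `ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}` (`$HOME` rather than `~` so it expands inside the later double-quoted `-e` string), or drop the bracketed hint. PATCH 03/53 later removes the hint rather than applying it, which resolves the mismatch but loses the convenience.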
@@ -55,16 +55,18 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t ec2 () { read -p " -Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [AKIA...]: " -rs aws_access_key read -p " -Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -[~/.ssh/id_rsa.pub]: " -r ssh_public_key +: " -r ssh_public_key read -p " Name the vpn server: From f76c2690024268ee9fcdce2ace15a953718e4b96 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sat, 15 Oct 2016 19:31:22 +0200 Subject: [PATCH 04/53] reorganize the readme to be even simpler --- README.md | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 3a28e3c..3e832b0 100644 --- a/README.md +++ b/README.md 
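Review bot: The new prompt text recommends using the AWS root account key (`your root key (recommended)`), which inverts least privilege: root credentials cannot be scoped by an IAM policy, and the `-rs` reads here capture them into shell variables that the function's later playbook call will presumably place on a command line. Recommend a dedicated IAM user on both the access-key and secret-key prompts instead, e.g. `Note: Use an IAM user with a policy limited to the EC2 permissions Algo needs; do not use your root account keys`. The `ec2` function continues beyond the end of this hunk.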
@@ -23,7 +23,7 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw * Does not claim to provide anonymity or censorship avoidance * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster) -## Initial Setup +## Deploy the Algo Server The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. @@ -34,18 +34,13 @@ sudo pip install -r requirements.txt ``` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -3. Start the deploy and follow the instructions: -``` -./algo -``` +3. Start the deploy and follow the instructions: `./algo` That's it! You now have an Algo VPN server on the internet. Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation. -## User Management - -### Configuration Files +## Configure the VPN Clients After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. 
@@ -53,19 +48,7 @@ After Algo finishes setting up the server, you can find all the certificates and * asdf * asdf -### Adding or Removing Users - -Algo's own scripts can easily add and remove users from the VPN server. - -1. Update the `users` list in your `config.cfg` -2. Run the command: -``` -./algo update-users -``` - -The Algo VPN server now only contains the users listed in the `config.cfg` file. - -## SSH Tunneling +## Setup an SSH Tunnel If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. @@ -75,6 +58,15 @@ Use the following command to SSH tunnel through the server: asdf then explain the options used +## Adding or Removing Users + +Algo's own scripts can easily add and remove users from the VPN server. + +1. Update the `users` list in your `config.cfg` +2. Run the command: `./algo update-users` + +The Algo VPN server now only contains the users listed in the `config.cfg` file. + ## FAQ ### Has Algo been audited? From d62b302b8f995a4c7dfaecfedce9aa0bc986bf6a Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Oct 2016 17:47:35 +0200 Subject: [PATCH 05/53] better contributor guidelines --- CONTRIBUTING.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c3a7ac5..8074f82 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,9 +1,14 @@ -### Common Issues +### Troubleshooting -* Check that you're using at least Ansible 2.1 +* Check that you installed all the dependencies with pip and have Ansible 2.1+ * If installing to a local server, use a fresh install of Ubuntu 16.04 + +### Filing New Issues + * Please review the [FAQ](https://github.com/trailofbits/algo#faq) +* Please include the full output from your terminal window if appropriate -### Coding Guidelines +### Pull Requests -* Please review any Pull Requests with [ansible-lint](https://github.com/willthames/ansible-lint) +* Run [ansible-lint](https://github.com/willthames/ansible-lint) on any new ansible scripts +* Run [shellcheck](https://github.com/koalaman/shellcheck) on any new shell scripts From 8ae80788ada7a7da9e9e14351cf2debecd2d0b8c Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Oct 2016 23:05:20 +0200 Subject: [PATCH 06/53] better user instructions --- README.md | 29 ++++++++++++++++++++--------- config.cfg | 5 ++++- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 3e832b0..e746888 100644 --- a/README.md +++ b/README.md 
@@ -42,21 +42,32 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do ## Configure the VPN Clients -After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. +After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. -* [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop. -* asdf -* asdf +### Apple Devices + +Find the corresponding mobileconfig (Apple Profile) for the user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. Installing a profile will fully configure the VPN. + +### StrongSwan Clients (e.g., OpenWRT) + +Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. + +### Other Devices + +* ca.crt: CA Certificate +* user_ipsec.conf: StrongSwan client configuration +* user_ipsec.secrets: StrongSwan client configuration +* user.crt: User Certificate +* user.key: User Private Key +* user.mobileconfig: Apple Profile +* user.p12: User Certificate and Private Key (in PKCS#12 format) +* user.ssh.pem (optional): SSH authorized_key file ## Setup an SSH Tunnel If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. 
This was done to ensure that users have the least access required to tunnel through the server. -Use the following command to SSH tunnel through the server: - -```asdf``` - -asdf then explain the options used +Make sure to access the server using 'ssh -N' for any limited accounts. ## Adding or Removing Users diff --git a/config.cfg b/config.cfg index e6c6b9a..c9cedd8 100644 --- a/config.cfg +++ b/config.cfg @@ -8,12 +8,15 @@ users: # Add an email address to send logs if you're using auditd for monitoring, auditd_action_mail_acct: email@example.com +# Exported certificates will be protected by the password below: +easyrsa_p12_export_password: vpnpws + + ### Advanced users only below this line ### easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 -easyrsa_p12_export_password: vpnpws # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False From c87c9f8f0e2b976c27eaf0d6b6f79c19886238eb Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Mon, 17 Oct 2016 16:08:39 +0200 Subject: [PATCH 07/53] easier to read --- README.md | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index e746888..6d1e1ce 100644 --- a/README.md +++ b/README.md @@ -27,12 +27,7 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. -1. Install the dependencies on OS X or Linux: -``` -sudo easy_install pip -sudo pip install -r requirements.txt -``` - +1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo` 
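Review bot: The relocated `easyrsa_p12_export_password: vpnpws` keeps a default password that ships in the repository, and the new comment above it does not tell users to change it, so every exported user.p12 (certificate plus private key) is protected only by a shared, public value. Since the README hunk in this same patch tells users to hand these files to others, the comment should say so: `# Exported certificates (user.p12) will be protected by the password below. Change it from the default before deploying:`. An alternative is to leave it unset here and have the `algo` script prompt for it with `read -s`, as it already does for API tokens.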
@@ -42,18 +37,20 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do ## Configure the VPN Clients -After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. +Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. ### Apple Devices -Find the corresponding mobileconfig (Apple Profile) for the user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. Installing a profile will fully configure the VPN. +Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. ### StrongSwan Clients (e.g., OpenWRT) -Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. +Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device. ### Other Devices +Depending on the platform, you may need one or multiple of the following files. + * ca.crt: CA Certificate * user_ipsec.conf: StrongSwan client configuration * user_ipsec.secrets: StrongSwan client configuration 
@@ -61,13 +58,12 @@ Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificat * user.key: User Private Key * user.mobileconfig: Apple Profile * user.p12: User Certificate and Private Key (in PKCS#12 format) -* user.ssh.pem (optional): SSH authorized_key file ## Setup an SSH Tunnel -If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. -Make sure to access the server using 'ssh -N' for any limited accounts. +Make sure to access the server using 'ssh -N' with these limited accounts. ## Adding or Removing Users From ff66be9ba82109680f8c0d524f6d477aa85b0603 Mon Sep 17 00:00:00 2001 From: defunct Date: Mon, 17 Oct 2016 13:07:54 -0400 Subject: [PATCH 08/53] #99 also --- algo | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/algo b/algo index 3ee1bc4..ec8da23 100755 --- a/algo +++ b/algo @@ -113,9 +113,9 @@ gce () { Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - read -p " + read -e -p " Enter the local path to your SSH public key: -: " -r ssh_public_key +: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key read -p " Name the vpn server: From 46e5e0aa33142be3d12007a996f9f9a6910cbcc0 Mon Sep 17 00:00:00 2001 
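Review bot: The new `-i "~/.ssh/id_rsa.pub"` default lands in `ssh_public_key` with a literal tilde, because tilde expansion does not happen inside a quoted readline default nor when the variable is later interpolated into the `-e` string. Whether that works depends on the role expanding `~` when it reads the file; if it does not, the deploy fails only for users who accept the default. `-i "$HOME/.ssh/id_rsa.pub"` gives the same prompt with an already-expanded path. The gce function starts outside the hunk.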
From: defunct Date: Tue, 18 Oct 2016 10:35:34 -0400 Subject: [PATCH 09/53] Add new Ohio region --- docs/ADVANCED.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md index 2bd50f2..ad057e8 100644 --- a/docs/ADVANCED.md +++ b/docs/ADVANCED.md @@ -117,6 +117,7 @@ Required variables: Possible regions: - us-east-1 +- us-east-2 - us-west-1 - us-west-2 - ap-south-1 @@ -134,4 +135,4 @@ Required variables: - server_ip - server_user -- IP_subject_alt_name \ No newline at end of file +- IP_subject_alt_name From 5769d5a1cc362b13915ee099a648b08d9614bb8f Mon Sep 17 00:00:00 2001 From: defunct Date: Tue, 18 Oct 2016 10:39:12 -0400 Subject: [PATCH 10/53] Add EC2 Ohio region --- algo | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/algo b/algo index ec8da23..6921bef 100755 --- a/algo +++ b/algo 
@@ -76,32 +76,34 @@ Name the vpn server: read -p " What region should the server be located in? 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) + 2. us-east-2 US East (Ohio) + 3. us-west-1 US West (N. California) + 4. us-west-2 US West (Oregon) + 5. ap-south-1 Asia Pacific (Mumbai) + 6. ap-northeast-2 Asia Pacific (Seoul) + 7. ap-southeast-1 Asia Pacific (Singapore) + 8. ap-southeast-2 Asia Pacific (Sydney) + 9. ap-northeast-1 Asia Pacific (Tokyo) + 10. eu-central-1 EU (Frankfurt) + 11. eu-west-1 EU (Ireland) + 12. sa-east-1 South America (São Paulo) Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} case "$aws_region" in 1) region="us-east-1" ;; - 2) region="us-west-1" ;; - 3) region="us-west-2" ;; - 4) region="ap-south-1" ;; - 5) region="ap-northeast-2" ;; - 6) region="ap-southeast-1" ;; - 7) region="ap-southeast-2" ;; - 8) region="ap-northeast-1" ;; - 9) region="eu-central-1" ;; - 10) region="eu-west-1" ;; - 11) region="sa-east-1" ;; + 2) region="us-east-2" ;; + 3) region="us-west-1" ;; + 4) region="us-west-2" ;; + 5) region="ap-south-1" ;; + 6) region="ap-northeast-2" ;; + 7) region="ap-southeast-1" ;; + 8) region="ap-southeast-2" ;; + 9) region="ap-northeast-1" ;; + 10) region="eu-central-1" ;; + 11) region="eu-west-1" ;; + 12) region="sa-east-1" ;; esac ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" From d4f8ea13ac3f4795a980e9052a1acc0182663459 Mon Sep 17 00:00:00 2001 
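Review bot: The renumbered `case "$aws_region"` still has no `*)` branch, so a typo such as `13` leaves `region` empty and the playbook is launched with `region=`, failing late inside the ec2 role instead of at the prompt. Adding `*) echo "Unknown region: $aws_region"; exit 1 ;;` before `esac` turns this into an immediate, readable error. The digitalocean and gce menus elsewhere in the script have the same gap. The ec2 function starts and ends outside the hunk.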
From: Jack Ivanov Date: Fri, 21 Oct 2016 20:27:14 +0300 Subject: [PATCH 11/53] add prompts for optional features. resolved #103 --- algo | 89 ++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/algo b/algo index 6921bef..cb98f29 100755 --- a/algo +++ b/algo @@ -2,11 +2,50 @@ set -e +additional_roles () { +read -p " +Do you want to apply security enhancements? +[y/N]: " -r security_enabled +security_enabled=${security_enabled:-n} +if [[ "$security_enabled" == 'y' ]]; then ROLES+=" security"; fi + +read -p " +Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? +[y/N]: " -r proxy_enabled +proxy_enabled=${proxy_enabled:-n} +if [[ "$proxy_enabled" == 'y' ]]; then ROLES+=" proxy"; fi + +read -p " +Do you want to install a local DNS resolver to block ads while surfing? +[y/N]: " -r dns_enabled +dns_enabled=${dns_enabled:-n} +if [[ "$dns_enabled" == 'y' ]]; then ROLES+=" dns"; fi + +read -p " +Do you want to use auditd for security monitoring (see config.cfg)? +[y/N]: " -r logging_enabled +logging_enabled=${logging_enabled:-n} +if [[ "$logging_enabled" == 'y' ]]; then ROLES+=" logging"; fi + +read -p " +Do you want each user to have their own account for SSH tunneling? +[y/N]: " -r ssh_tunneling_enabled +ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} +if [[ "$ssh_tunneling_enabled" == 'y' ]]; then ROLES+=" ssh_tunneling"; fi + +} + +deploy () { + + ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" + +} + digitalocean () { read -p " Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): : " -rs do_access_token - + read -p " Enter an existing SSH key name (https://cloud.digitalocean.com/settings/security): : " -r do_ssh_name 
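Review bot: The new `deploy` function passes `EXTRA_VARS` on the ansible-playbook command line, and the digitalocean and ec2 hunks that follow fill it with `do_access_token` and `aws_secret_key`; command-line arguments are readable by every local user through `ps` or `/proc/<pid>/cmdline` for the whole playbook run. The script already reads those values with `-s` so they are not echoed, and putting them in argv undoes that care. Writing the pairs to a private temp file (mktemp creates it mode 0600) and passing `-e @file` keeps the same variables out of the process list; the sketch below converts the space-separated `key=value` list to the YAML that `-e @file` expects (values are assumed not to contain quotes) and removes the file on exit even when the playbook fails under `set -e`.
```bash
deploy () {
  # Pass extra vars via a private temp file so API keys never appear in the process list.
  local vars_file
  vars_file="$(mktemp)"
  trap "rm -f '$vars_file'" EXIT
  for kv in $EXTRA_VARS; do
    printf '%s: "%s"\n' "${kv%%=*}" "${kv#*=}"
  done > "$vars_file"
  ansible-playbook deploy.yml -t "${ROLES// /,}" -e "@$vars_file"
}
```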
@@ -30,10 +69,10 @@ Name the vpn server: 10. Singapore 11. Toronto 12. Bangalore -Enter the number of your desired region: +Enter the number of your desired region: [7]: " -r region region=${region:-7} - + case "$region" in 1) do_region="ams2" ;; 2) do_region="ams3" ;; @@ -48,9 +87,9 @@ Enter the number of your desired region: 11) do_region="tor1" ;; 12) do_region="blr1" ;; esac - -ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" +ROLES="digitalocean vpn" +EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } ec2 () { @@ -63,7 +102,7 @@ Note: Make sure to use either your root key (recommended) or an IAM user with an Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key - + read -e -p " Enter the local path to your SSH public key: : " -i "~/.ssh/id_rsa.pub" -r ssh_public_key @@ -87,13 +126,13 @@ Name the vpn server: 10. eu-central-1 EU (Frankfurt) 11. eu-west-1 EU (Ireland) 12. sa-east-1 South America (São Paulo) -Enter the number of your desired region: +Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} - - case "$aws_region" in + + case "$aws_region" in 1) region="us-east-1" ;; - 2) region="us-east-2" ;; + 2) region="us-east-2" ;; 3) region="us-west-1" ;; 4) region="us-west-2" ;; 5) region="ap-south-1" ;; 
@@ -105,16 +144,16 @@ Enter the number of your desired region: 11) region="eu-west-1" ;; 12) region="sa-east-1" ;; esac - -ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + ROLES="ec2 vpn" + EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" } gce () { read -p " -Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): +Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - + read -e -p " Enter the local path to your SSH public key: : " -i "~/.ssh/id_rsa.pub" -r ssh_public_key @@ -141,9 +180,9 @@ Name the vpn server: 13. East Asia (Taiwan C) Please choose the number of your zone. Press enter for default (#8) zone. [8]: " -r region - region=${region:-8} - - case "$region" in + region=${region:-8} + + case "$region" in 1) zone="us-central1-a" ;; 2) zone="us-central1-b" ;; 3) zone="us-central1-c" ;; @@ -158,16 +197,16 @@ Please choose the number of your zone. Press enter for default (#8) zone. 12) zone="asia-east1-b" ;; 13) zone="asia-east1-c" ;; esac - -ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" + ROLES="gce vpn" + EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } non_cloud () { read -p " Enter IP address of your server: (use localhost for local installation) : " -r server_ip - + read -p " What user should we use to login on the server? (ignore if you're deploying to localhost) [root]: " -r server_user 
@@ -176,8 +215,10 @@ What user should we use to login on the server? (ignore if you're deploying to l read -p " Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) : " -r IP_subject - - ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + + ROLES="local vpn" + EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + } algo_provisioning () { @@ -201,6 +242,8 @@ Enter the number of your desired provider *) exit 1 ;; esac + additional_roles + deploy } user_management () { @@ -210,4 +253,4 @@ user_management () { case "$1" in update-users) user_management ;; *) algo_provisioning ;; -esac +esac From acc4667e478a68d2c6d8aa8d8f2811e210de891e Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 22 Oct 2016 19:42:53 +0400 Subject: [PATCH 12/53] Update README.md #104 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 6d1e1ce..4cc8473 100644 --- a/README.md +++ b/README.md 
@@ -43,6 +43,10 @@ Certificates and configuration files that users will need are placed in the `con Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. +### Android Devices + +You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use. + ### StrongSwan Clients (e.g., OpenWRT) Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device. From 44bc3ead48b2cbfd78bc4440ee8cad932ecc6fe9 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 17:53:08 +0300 Subject: [PATCH 13/53] set AllowTcpForwarding to local --- roles/ssh_tunneling/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index ea4d086..7083431 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -6,7 +6,7 @@ marker: '# ANSIBLE_MANAGED_ssh_tunneling_role' block: | Match Group algo - AllowTcpForwarding remote + AllowTcpForwarding local AllowAgentForwarding no AllowStreamLocalForwarding no PermitTunnel no From 0571563741a15a47c14b6c4c0b4a4b0228960ae2 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:08:33 +0300 Subject: [PATCH 14/53] ignore swp files --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
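Review bot: The Match block still does not set `X11Forwarding` or `PermitTTY`, so the tunnel-only accounts inherit whatever the global sshd_config allows, and Ubuntu's stock sshd_config enables X11Forwarding. Since the README describes these accounts as having the least access needed to tunnel, adding `X11Forwarding no` and `PermitTTY no` next to `AllowTcpForwarding local` makes that intent explicit instead of relying on the distribution default. The enclosing blockinfile task starts outside the hunk.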
diff --git a/.gitignore b/.gitignore index 9df513b..e1c9fea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.retry configs/* inventory_users +*.kate-swp From d50bd439888c4747c47cbac8dc885043d70e9530 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:08:58 +0300 Subject: [PATCH 15/53] Fix SSH keys permissions --- roles/ssh_tunneling/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 7083431..ff78716 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -57,5 +57,10 @@ fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes with_items: "{{ users }}" +- name: Change mode for SSH private keys + local_action: file path=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600 + with_items: "{{ users }}" + become: false + - name: Fetch the known_hosts file fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes From a8bbc81369cae81e9fed9a71acca7c1ec144baac Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:09:16 +0300 Subject: [PATCH 16/53] Fix prompts --- algo | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/algo b/algo index cb98f29..1727abf 100755 --- a/algo +++ b/algo 
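Review bot: The new `file ... mode=0600` task runs after the fetch, so each `.ssh.pem` private key is first written into `configs/` with the controller's default umask (typically world-readable) and only then tightened, and a failure between the two tasks leaves the keys readable. The fetch module has no mode parameter, so the cleaner fix is to create the destination directory with restrictive permissions before fetching, `- local_action: file path=configs state=directory mode=0700` with `become: false`, which covers every file fetched into it, including the user.p12 files. The fetch task itself begins outside the hunk.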
@@ -7,31 +7,31 @@ read -p " Do you want to apply security enhancements? [y/N]: " -r security_enabled security_enabled=${security_enabled:-n} -if [[ "$security_enabled" == 'y' ]]; then ROLES+=" security"; fi +if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi read -p " Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? [y/N]: " -r proxy_enabled proxy_enabled=${proxy_enabled:-n} -if [[ "$proxy_enabled" == 'y' ]]; then ROLES+=" proxy"; fi +if [[ "$proxy_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" proxy"; fi read -p " Do you want to install a local DNS resolver to block ads while surfing? [y/N]: " -r dns_enabled dns_enabled=${dns_enabled:-n} -if [[ "$dns_enabled" == 'y' ]]; then ROLES+=" dns"; fi +if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi read -p " Do you want to use auditd for security monitoring (see config.cfg)? [y/N]: " -r logging_enabled logging_enabled=${logging_enabled:-n} -if [[ "$logging_enabled" == 'y' ]]; then ROLES+=" logging"; fi +if [[ "$logging_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" logging"; fi read -p " Do you want each user to have their own account for SSH tunneling? [y/N]: " -r ssh_tunneling_enabled ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} -if [[ "$ssh_tunneling_enabled" == 'y' ]]; then ROLES+=" ssh_tunneling"; fi +if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi } From ec8b62e099ea427f5bfb87f1cb6b76ec6df11329 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 19:16:34 +0400 Subject: [PATCH 17/53] Update README.md #105 --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4cc8473..d3372f7 100644 --- a/README.md +++ b/README.md 
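Review bot: The five prompts now repeat the same read/default/regex triplet with only the question and role name varying, which is how the `'y'`-only comparison this commit fixes crept in, and the next prompt added will copy whichever version is nearest. A small helper that owns the `[y/N]` suffix, the default and the `^(y|Y)$` test makes each prompt one line and keeps the accepted answers in one place. Its false return is safe under `set -e` because it is used as the left side of `&&`. The additional_roles function starts outside the hunk.
```bash
# Ask a yes/no question; succeeds only for "y"/"Y" (default is no).
ask_yn () {
  read -p "
$1
[y/N]: " -r answer
  [[ "${answer:-n}" =~ ^(y|Y)$ ]]
}

ask_yn "Do you want to apply security enhancements?" && ROLES+=" security"
ask_yn "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing?" && ROLES+=" proxy"
# … same pattern for the dns, logging and ssh_tunneling prompts …
```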
@@ -67,7 +67,10 @@ Depending on the platform, you may need one or multiple of the following files. If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. -Make sure to access the server using 'ssh -N' with these limited accounts. +Make sure to access the server using 'ssh -N' with these limited accounts. +In order to make a tunnel you have to run this command: +`ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem` +Don't forget to change `ip` and `user`. And then you can configure your browsers to use 127.0.0.1:1080 as sock4/5 ## Adding or Removing Users From 289807ead41734a563d1d136a872046b32900321 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 25 Oct 2016 21:33:46 +0300 Subject: [PATCH 18/53] fix dependencies --- roles/proxy/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml index e985f92..ef71a47 100644 --- a/roles/proxy/meta/main.yml +++ b/roles/proxy/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - { role: common, tags: common } + - { role: vpn, tags: vpn } From 76ea7f67aed879e0a917b1775c2c3ab6d2d44f25 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 26 Oct 2016 18:56:23 +0300 Subject: [PATCH 19/53] extra vars added to use local DNS #110 --- algo | 2 +- config.cfg | 4 ---- roles/vpn/templates/ipsec.conf.j2 | 2 +- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/algo b/algo index 1727abf..c24fe1e 100755 --- a/algo +++ b/algo 
@@ -19,7 +19,7 @@ read -p " Do you want to install a local DNS resolver to block ads while surfing? [y/N]: " -r dns_enabled dns_enabled=${dns_enabled:-n} -if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi +if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=Y"; fi read -p " Do you want to use auditd for security monitoring (see config.cfg)? diff --git a/config.cfg b/config.cfg index c9cedd8..6db3c7e 100644 --- a/config.cfg +++ b/config.cfg @@ -27,10 +27,6 @@ vpn_network_ipv6: 'fd9d:bc11:4020::/48' server_name: "{{ ansible_ssh_host }}" IP_subject_alt_name: "{{ ansible_ssh_host }}" -# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False) -service_dns: True - -# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list. dns_servers: - 8.8.8.8 - 8.8.4.4 diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index fa29458..2bd6ad1 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -17,7 +17,7 @@ conn %default right=%any rightauth=pubkey rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }} -{% if service_dns is defined and service_dns == "Y" %} +{% if local_dns is defined and local_dns == "Y" %} rightdns={{ local_service_ip }} {% else %} rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %} From 6c66cb03c7a382295120caf002faaca85420d7fe Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 26 Oct 2016 19:10:49 +0300 Subject: [PATCH 20/53] Fix for SSH timeout and attempts #111 --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index dc8f8cd..1a3afab 100644 --- a/ansible.cfg +++ b/ansible.cfg 
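Review bot: The config.cfg hunk removes the only comment describing `dns_servers`, so the list now sits undocumented while the ipsec.conf.j2 hunk below still pushes it to clients whenever `local_dns` is not `Y`. A one-line comment restores that: `# DNS servers pushed to VPN clients when the local DNS resolver role is not enabled.`. The variable rename from `service_dns` to `local_dns` is only visible in config.cfg and the ipsec template here; if the dns role or any other template still reads `service_dns`, it would need the same update.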
@@ -8,5 +8,5 @@ host_key_checking = False record_host_keys = False [ssh_connection] -ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null +ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o ConnectTimeout=6 -o ConnectionAttempts=30 scp_if_ssh = True From d052cb8e772af160c8a13b934f7146d53d1a7876 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 28 Oct 2016 21:00:11 +0300 Subject: [PATCH 21/53] skip-tags added. Fixed #121 --- algo | 12 +++++++----- roles/common/tasks/main.yml | 8 ++++++++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/algo b/algo index c24fe1e..9acb841 100755 --- a/algo +++ b/algo @@ -2,6 +2,8 @@ set -e +SKIP_TAGS="_null" + additional_roles () { read -p " Do you want to apply security enhancements? @@ -37,7 +39,7 @@ if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi deploy () { - ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" + ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}" } @@ -88,7 +90,7 @@ Enter the number of your desired region: 12) do_region="blr1" ;; esac -ROLES="digitalocean vpn" +ROLES="digitalocean vpn cloud" EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } @@ -145,7 +147,7 @@ Enter the number of your desired region: 12) region="sa-east-1" ;; esac - ROLES="ec2 vpn" + ROLES="ec2 vpn cloud" EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" } @@ -198,7 +200,7 @@ Please choose the number of your zone. Press enter for default (#8) zone. 13) zone="asia-east1-c" ;; esac - ROLES="gce vpn" + ROLES="gce vpn cloud" EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } 
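Review bot: The rewritten `ssh_args` line keeps `-o UserKnownHostsFile=/dev/null`, and together with `host_key_checking = False` and `record_host_keys = False` above it Ansible never learns or verifies the server's host key, on the first run or on any later `update-users` run; the private keys and configs fetched back into `configs/` therefore travel over a connection whose peer is never authenticated. For a freshly created cloud host the first contact is unavoidably trust-on-first-use, but nothing here pins the key afterwards. At minimum the trade-off deserves a comment on the line, e.g. `# host key checking is off for first contact with new cloud hosts; this also disables host authentication on every later run`, and a follow-up could record the key on first contact and verify it on subsequent runs.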
@@ -218,7 +220,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif ROLES="local vpn" EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" - + SKIP_TAGS+=" cloud" } algo_provisioning () { diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 44aa345..4b6e2ee 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -12,6 +12,8 @@ args: executable: /bin/bash register: reboot_required + tags: + - cloud - name: Reboot shell: sleep 2 && shutdown -r now "Ansible updates triggered" @@ -19,16 +21,22 @@ poll: 0 when: reboot_required is defined and reboot_required.stdout == 'required' ignore_errors: true + tags: + - cloud - name: Wait for shutdown local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' become: false + tags: + - cloud - name: Wait until SSH becomes ready... local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' become: false + tags: + - cloud - name: Disable MOTD on login and SSHD replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" From 7cb2197d16b2f8bcea21051afb9746c5b8b94989 Mon Sep 17 00:00:00 2001 From: Nima Fatemi Date: Fri, 28 Oct 2016 19:48:28 +0000 Subject: [PATCH 22/53] Avoid using + for email address using + in email add (eg email+auditd@domain.tld) would cause auditd fail to start see #117 --- config.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config.cfg b/config.cfg index 6db3c7e..26f1458 100644 --- a/config.cfg +++ b/config.cfg 
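Review bot: `SKIP_TAGS+=" cloud"` in the local path silently skips the reboot-required check and reboot that this same patch tags `cloud` in roles/common, so a dist-upgrade that installs a new kernel on a local server leaves the old kernel running until someone reboots by hand, and nothing tells the operator. A comment at the assignment would make that deliberate, `# local installs are never rebooted by Algo; the 'cloud' tag gates the post-upgrade reboot tasks`, and printing a reminder after the playbook finishes would close the gap. The non_cloud function starts outside the hunk.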
@@ -5,7 +5,8 @@ users: - dan - jack -# Add an email address to send logs if you're using auditd for monitoring, +# Add an email address to send logs if you're using auditd for monitoring. +# Avoid using '+' in your email address otherwise auditd will fail to start. auditd_action_mail_acct: email@example.com # Exported certificates will be protected by the password below: From 5383c714991819fef58742554fb2266e4d4fa180 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Thu, 3 Nov 2016 17:21:18 +0300 Subject: [PATCH 23/53] Fixed #108 --- roles/vpn/tasks/main.yml | 4 +++- roles/vpn/templates/mobileconfig.j2 | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index fbe4b94..6fff583 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -170,6 +170,9 @@ - name: Set facts for mobileconfigs set_fact: proxy_enabled: false + pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" + VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" + CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 @@ -224,4 +227,3 @@ - include: iptables.yml tags: iptables - diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 5714839..762848a 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -44,7 +44,7 @@ LocalIdentifier {{ item.0 }} PayloadCertificateUUID - 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + {{ pkcs12_PayloadCertificateUUID }} CertificateType ECDSA256 ServerCertificateIssuerCommonName 
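Review bot: The three UUIDs added to `set_fact` are evaluated once per host, so every user's mobileconfig built by the following template task (which loops over `item.0`) carries the same PayloadUUID/PayloadIdentifier for the VPN, PKCS#12 and CA payloads, while the top-level `PayloadUUID` in the mobileconfig.j2 hunks below is re-rolled on every render; two users' profiles from one server therefore look like the same profile to a device, which I believe replaces an installed profile on a matching PayloadIdentifier — worth confirming. Deriving the identifiers from stable input in the template instead, e.g. `{{ (IP_subject_alt_name ~ '-' ~ item.0 ~ '-pkcs12') | to_uuid | upper }}`, gives per-user values that also survive a re-run of the play, which `random` does not. The `900000 | random` inputs additionally limit each payload to about 900k distinct UUIDs, far below what `to_uuid` can express.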
@@ -66,11 +66,11 @@ PayloadDisplayName VPN PayloadIdentifier - com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53 + com.apple.vpn.managed.{{ VPN_PayloadIdentifier }} PayloadType com.apple.vpn.managed PayloadUUID - D247A30B-6023-4C8E-B3E3-FF1910A65E53 + {{ VPN_PayloadIdentifier }} PayloadVersion 1 Proxies @@ -111,11 +111,11 @@ PayloadDisplayName {{ item.0 }}.p12 PayloadIdentifier - com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }} PayloadType com.apple.security.pkcs12 PayloadUUID - 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + {{ pkcs12_PayloadCertificateUUID }} PayloadVersion 1 @@ -131,11 +131,11 @@ PayloadDisplayName {{ IP_subject_alt_name }} PayloadIdentifier - com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38 + com.apple.security.root.{{ CA_PayloadIdentifier }} PayloadType com.apple.security.root PayloadUUID - 32EA3AAA-D19E-43EF-B357-608218745A38 + {{ CA_PayloadIdentifier }} PayloadVersion 1 @@ -148,16 +148,16 @@ {% endif %} PayloadIdentifier {% if proxy_enabled is defined and proxy_enabled == true %} - donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA + donut.local.{{ 600000 | random | to_uuid | upper }} {% else %} - donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE + donut.local.{{ 500000 | random | to_uuid | upper }} {% endif %} PayloadRemovalDisallowed PayloadType Configuration PayloadUUID - 743B04A8-5725-45A2-B1BB-836F8C16DB0A + {{ 400000 | random | to_uuid | upper }} PayloadVersion 1 From 29de003b2d47399c5f2f0a43bcccf02c339bd8b3 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Thu, 3 Nov 2016 18:05:56 +0300 Subject: [PATCH 24/53] inplemented #109 --- algo | 20 +++++++++++++ roles/vpn/templates/mobileconfig.j2 | 44 +++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/algo b/algo index 9acb841..4911274 100755 --- a/algo +++ b/algo 
@@ -35,6 +35,26 @@ Do you want each user to have their own account for SSH tunneling? ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi +read -p " +Do you want to enable VPN always when connected to Wi-Fi? +[y/N]: " -r OnDemandEnabled_WIFI +OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n} +if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi + +if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then + read -p " +Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi) +: " -r OnDemandEnabled_WIFI_ECXLUDE + OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null} + EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE" +fi + +read -p " +Do you want to enable VPN always when connected to the cellular network? +[y/N]: " -r OnDemandEnabled_Cellular +OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} +if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi + } deploy () { diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 762848a..d7ac899 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 
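Review bot: `EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE"` appends the user's SSID list as a bare key=value token, so a network name containing a space (common for home Wi-Fi) is word-split into separate arguments and breaks the `-e` extra-vars parsing; how EXTRA_VARS is consumed is outside this hunk, but the value needs to reach ansible-playbook quoted as one argument or via a vars file rather than through word splitting. The `_null` sentinel is a second out-of-band value the template has to know about; an empty string handled with `default('')` on the Ansible side would be simpler. `ECXLUDE` is a misspelling that this commit also carries into the template; renaming it now (`OnDemandEnabled_WIFI_EXCLUDE`) is cheaper than later.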
@@ -6,7 +6,51 @@ IKEv2 +{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} + OnDemandEnabled + 1 + OnDemandRules + +{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %} +{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %} + + Action + Disconnect + InterfaceTypeMatch + WiFi + SSIDMatch + +{% for network_name in WIFI_ECXLUDE_LIST %} + {{ network_name }} +{% endfor %} + + +{% else %} +{% endif %} + + Action +{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %} + Connect + {% else %} + Disconnect +{% endif %} + InterfaceTypeMatch + WiFi + + + Action +{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %} + Connect + {% else %} + Disconnect +{% endif %} + InterfaceTypeMatch + Cellular + + +{% else %} +{% endif %} AuthenticationMethod Certificate ChildSecurityAssociationParameters From 09bbc4058c287db52b65935c27bf8dfecc129b57 Mon Sep 17 00:00:00 2001 From: Kevin Cernekee Date: Sun, 6 Nov 2016 09:40:07 -0800 Subject: [PATCH 25/53] Add missing tags in common playbook If the common playbook is invoked with the "cloud" tag, non-cloud tasks will be skipped. On GCE this causes "Install tools" to be skipped, apparmor-utils is not installed, and then the "Enforcing ipsec with apparmor" step fails. --- roles/common/tasks/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 4b6e2ee..9cdb88d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -2,9 +2,13 @@ - name: Gather Facts setup: + tags: + - always - name: Install software updates apt: update_cache=yes upgrade=dist + tags: + - cloud - name: Check if reboot is required shell: 
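Review bot: `{{ network_name }}` inside the SSIDMatch array is written into the plist without XML escaping, so an SSID containing `&`, `<` or `>` yields a malformed profile that iOS/macOS will refuse to install; use `{{ network_name | e }}`, whose entities are valid XML. The `{% else %}{% endif %}` pairs with empty else branches are dead text and can be dropped. OnDemandRules are matched in order, so the Disconnect rule for excluded SSIDs has to precede the catch-all WiFi rule as it does here; a template comment `{# excluded-SSID rule must come before the generic WiFi rule #}` would make that ordering intentional rather than accidental.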
> @@ -43,6 +47,8 @@ with_items: - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } + tags: + - cloud - name: Install tools apt: name="{{ item }}" state=latest @@ -55,24 +61,36 @@ - sendmail - iptables-persistent - cgroup-tools + tags: + - always - name: Loopback for services configured template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg notify: - restart loopback + tags: + - always - name: Loopback included into the network config lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present notify: - restart loopback + tags: + - always - meta: flush_handlers + tags: + - always - name: Enable packet forwarding for IPv4 sysctl: name="{{ item }}" value=1 with_items: - net.ipv4.ip_forward - net.ipv4.conf.all.forwarding + tags: + - always - name: Enable packet forwarding for IPv6 sysctl: name=net.ipv6.conf.all.forwarding value=1 + tags: + - always From 433389c0aba2dde05470e589e84c90bd8d59ae87 Mon Sep 17 00:00:00 2001 From: Kevin Cernekee Date: Sun, 6 Nov 2016 09:42:58 -0800 Subject: [PATCH 26/53] Use /var/run/reboot-required to determine if a restart is needed The current check only looks to see if a new kernel was installed. --- roles/common/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9cdb88d..a5730ac 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -12,7 +12,7 @@ - name: Check if reboot is required shell: > - if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi + if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi args: executable: /bin/bash register: reboot_required 
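Review bot: `tags: - cloud` on `Install software updates` (and on the MOTD task in the next hunk) means a run that selects tags without `cloud` skips the `apt upgrade=dist` step entirely; if the local-install path of this repository runs that way, an existing server is never upgraded by Algo. If that division is intended, a comment next to the tag, `# cloud only: fresh instances are dist-upgraded here, existing servers stay with their operator`, would stop the next reader from "fixing" it; otherwise the tag should be `always` like the tool installation below. Whether the tag on `- meta: flush_handlers` has any effect depends on the Ansible version, since meta tasks have historically ignored tags.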
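Review bot: `if [[ -e /var/run/reboot-required ]]` depends on that marker being written by the update-notifier-common hooks after kernel and libc upgrades; on images where that package is absent the check now reports `no` even in cases the previous kernel comparison caught. Keeping both tests costs one line: `if [[ -e /var/run/reboot-required ]] || [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi`. A comment naming the package that produces the marker would save the next reader a lookup; the `register: reboot_required` consumer is outside the hunk.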
From 3e3d7c6fa78b45d5525f3d45ab722af30971d902 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 23 Nov 2016 20:28:05 +0300 Subject: [PATCH 27/53] Update readme. Fix #120 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d3372f7..2bd41a8 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,9 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. -1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt` +1. Install the dependencies +1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt` +1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo` From 047f68df2f248195583a840f6a7ebc2192fc85ba Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 23 Nov 2016 20:34:53 +0300 Subject: [PATCH 28/53] Change the site in the congrats handler to whoer.net in order to clarify the message at the end of the install about testing VPN. Fix #110 --- roles/vpn/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 84e08b0..26ba6ff 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml 
@@ -20,7 +20,7 @@ - "# Congratulations! #" - "# Your Algo server is running. #" - "# Config files and certificates are in the ./configs/ directory. #" - - "# Go to https://www.dnsleaktest.com/ after connecting #" + - "# Go to https://whoer.net/ after connecting #" - "# and ensure that all your traffic passes through the VPN. #" - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" - "#----------------------------------------------------------------------#" From 1dc6e1a0fa6d9fa5d47c58043bf50706af8ce465 Mon Sep 17 00:00:00 2001 From: Defunct Date: Thu, 27 Oct 2016 19:00:43 +0000 Subject: [PATCH 29/53] resolves #118 - AWS env keys --- roles/cloud-ec2/tasks/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index eace8c4..e2b0a65 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -1,7 +1,7 @@ - name: Locate official Ubuntu 16.04 AMI for region ec2_ami_find: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" owner: 099720109477 sort: name @@ -15,8 +15,8 @@ - name: Add ssh public key ec2_key: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: VPNKEY region: "{{ region }}" key_material: "{{ item }}" 
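Review bot: `default(lookup('env','AWS_ACCESS_KEY_ID'))` only applies when `aws_access_key` is undefined; if the algo prompt passes the variable through `-e` with an empty value (the EC2 prompt path is outside this hunk), it is defined-but-empty and the environment fallback never fires, so the module receives an empty key. Jinja's boolean form treats empty strings as missing: `aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"`, and likewise for the secret. The identical pair is repeated in four tasks — here, in the next hunk of this file, and in the `@@ -25` and `@@ -51` hunks that follow — so hoisting both expressions into a single `vars:` block or role default would keep the fallback in one place. The AWS modules should also pick these environment variables up themselves when the parameters are omitted, which may make the lookup unnecessary.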
@@ -25,8 +25,8 @@ - name: Configure EC2 security group ec2_group: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: vpn-secgroup description: Security group for VPN servers region: "{{ region }}" @@ -51,8 +51,8 @@ - name: Launch instance ec2: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" keypair: "VPNKEY" group: vpn-secgroup instance_type: t2.nano From 74b9f0a15a2d466726960eeabc6a840ad6bc5048 Mon Sep 17 00:00:00 2001 From: Defunct Date: Thu, 27 Oct 2016 19:29:19 +0000 Subject: [PATCH 30/53] support older bash versions - resolves #116 --- algo | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/algo b/algo index c24fe1e..eba3eb4 100755 --- a/algo +++ b/algo @@ -103,9 +103,10 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key - read -e -p " -Enter the local path to your SSH public key: -: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key + + read -p " +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key_file +ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: 
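Review bot: `ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub}` keeps the user's answer verbatim, so a path typed with a leading `~` (which the prompt itself suggests) is never tilde-expanded and reaches Ansible as a literal `~/...` in the `ssh_public_key` extra var; expand it after applying the default, e.g. `ssh_public_key="${ssh_public_key/#\~/$HOME}"`. The same read-and-default pattern is duplicated in the gce prompt in the next hunk and touched again by the follow-up commit that corrects the variable name there, so a small shared helper function for the SSH key prompt would keep the two from diverging again. The default also assumes an RSA key; users whose only key is `id_ed25519.pub` get a wrong default with no error until the cloud role tries to read it.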
@@ -154,9 +155,9 @@ gce () { Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - read -e -p " -Enter the local path to your SSH public key: -: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key + read -p " +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key +ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: From 437d659eb638545a26395c75f374ab61cc8c95fb Mon Sep 17 00:00:00 2001 From: Defunct Date: Sun, 13 Nov 2016 18:44:41 +0000 Subject: [PATCH 31/53] resolves #126 - incorrect private key usage w/o ssh-agent --- algo | 8 ++++---- roles/cloud-ec2/tasks/main.yml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/algo b/algo index eba3eb4..8eeb05a 100755 --- a/algo +++ b/algo @@ -105,10 +105,10 @@ Note: Make sure to use either your root key (recommended) or an IAM user with an read -p " -Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key_file -ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key + ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub} - read -p " +read -p " Name the vpn server: [algo]: " -r aws_server_name aws_server_name=${aws_server_name:-algo} @@ -157,7 +157,7 @@ Enter the local path to your credentials JSON file (https://support.google.com/c read -p " Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key -ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} + ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index e2b0a65..4b8de61 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
@@ -66,6 +66,7 @@ - name: Add new instance to host group add_host: hostname: "{{ item.public_ip }}" + ansible_ssh_private_key_file: "{{ ssh_public_key[:-4] }}" groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" From 27ea98e7a88d665e4f4b13c8f1cee2c37cfcd557 Mon Sep 17 00:00:00 2001 From: fkt Date: Sat, 26 Nov 2016 18:05:06 +0000 Subject: [PATCH 32/53] Show congrats message at the end - #115 --- deploy.yml | 15 +++++++++++++++ roles/vpn/handlers/main.yml | 12 ------------ roles/vpn/tasks/main.yml | 2 -- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/deploy.yml b/deploy.yml index 9fbf792..7fecd16 100644 --- a/deploy.yml +++ b/deploy.yml @@ -38,3 +38,18 @@ handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' + + post_tasks: + - shell: | + echo "#----------------------------------------------------------------------#" + echo "# Congratulations! #" + echo "# Your Algo server is running. #" + echo "# Config files and certificates are in the ./configs/ directory. #" + echo "# Go to https://whoer.net/ after connecting #" + echo "# and ensure that all your traffic passes through the VPN. #" + echo "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" + echo "#----------------------------------------------------------------------#" + tags: always + register: congrats + - debug: msg="{{ congrats.stdout_lines }}" + tags: always diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 26ba6ff..32885b5 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml 
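Review bot: the congratulations banner is produced by running `echo` lines through `shell` on the remote host and then printing `congrats.stdout_lines`, which executes a command (and reports `changed` on every run) for what is purely local output; a `debug` task in `post_tasks` carrying the same eight strings as a `msg:` list — the list this commit removes from the handler — prints identically without touching the host, and still takes `tags: always`. Rendering `{{ local_service_ip }}` into a shell command line is harmless for an IP address but is the pattern to avoid for variables that can contain shell metacharacters, which is another reason to prefer `debug`.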
@@ -12,15 +12,3 @@ - name: restart iptables service: name=netfilter-persistent state=restarted - -- name: congrats - debug: - msg: - - "#----------------------------------------------------------------------#" - - "# Congratulations! #" - - "# Your Algo server is running. #" - - "# Config files and certificates are in the ./configs/ directory. #" - - "# Go to https://whoer.net/ after connecting #" - - "# and ensure that all your traffic passes through the VPN. #" - - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" - - "#----------------------------------------------------------------------#" diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 6fff583..53734b7 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -222,8 +222,6 @@ - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes - notify: - - congrats - include: iptables.yml tags: iptables From ee95846445a2d0989257cf0b70c3a842573444bb Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 26 Nov 2016 23:22:12 +0300 Subject: [PATCH 33/53] mobileconfig fix --- roles/vpn/templates/mobileconfig.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index d7ac899..e796621 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -6,8 +6,8 @@ IKEv2 -{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} +{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} OnDemandEnabled 1 OnDemandRules From d708750bd1df2642d353cd3c4a2a3295ed80f4c9 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov Date: Sat, 26 Nov 2016 23:42:04 +0300 Subject: [PATCH 34/53] Issue template --- .github/ISSUE_TEMPLATE.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 0000000..0689e36 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,27 @@ +### OS / Environment + + + +### Ansible version + + + +### Version of components from `requirements.txt` + + + +### Summary of the problem + + + +### Steps to reproduce the behavior + + + +### Expected behavior + + + +### Actual behavior + + From 2cb98b4516038bce9c455f149d164f905c61092a Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 27 Nov 2016 01:37:17 +0300 Subject: [PATCH 35/53] Windows RSA support #9 --- algo | 6 ++++++ config.cfg | 2 -- roles/vpn/templates/client_ipsec.conf.j2 | 8 ++++++++ roles/vpn/templates/client_ipsec.secrets.j2 | 5 ++++- roles/vpn/templates/easy-rsa.vars.j2 | 4 ++++ roles/vpn/templates/ipsec.conf.j2 | 8 ++++++++ roles/vpn/templates/ipsec.secrets.j2 | 5 ++++- 7 files changed, 34 insertions(+), 4 deletions(-) diff --git a/algo b/algo index 4911274..cd224d8 100755 --- a/algo +++ b/algo @@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network? OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi +read -p " +Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers) +[y/N]: " -r Win10_Enabled +Win10_Enabled=${Win10_Enabled:-n} +if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi + } deploy () { diff --git a/config.cfg b/config.cfg index 26f1458..51f0021 100644 --- a/config.cfg +++ b/config.cfg 
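Review bot: the `Win10_Enabled` answer is presented as an option for Windows clients, but the extra var it sets switches the whole deployment: in this series it changes `EASYRSA_ALGO` for the CA and every user certificate and adds weaker proposals to the `conn %default` section of the server's ipsec.conf, so all clients, not only Windows ones, are affected. The prompt should say so, e.g. `Do you want to enable VPN for Windows 10 clients? (Switches the CA and ALL clients to RSA and adds weaker IKE/ESP proposals)`. A comment above the read, `# Global switch: changes the certificate algorithm and cipher proposals for every user`, would stop it being copied as if it were per-client.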
@@ -59,8 +59,6 @@ ipsec_config: dpddelay: '35s' rekey: 'no' keyexchange: 'ikev2' - ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!' - esp: 'aes128gcm16-sha2_256-ecp256!' compress: 'yes' fragmentation: 'yes' diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2 index 3b01ff1..2e97c36 100644 --- a/roles/vpn/templates/client_ipsec.conf.j2 +++ b/roles/vpn/templates/client_ipsec.conf.j2 @@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }} {{ key }}={{ value }} {% endfor %} +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048! + esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024! +{% else %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256 + esp=aes128gcm16-sha2_256-ecp256 +{% endif %} + right={{ IP_subject_alt_name }} rightid={{ IP_subject_alt_name }} rightsubnet=0.0.0.0/0 diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2 index ec4a30f..6160312 100644 --- a/roles/vpn/templates/client_ipsec.secrets.j2 +++ b/roles/vpn/templates/client_ipsec.secrets.j2 @@ -1,2 +1,5 @@ +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key +{% else %} {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key - +{% endif %} diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2 index 50159aa..2805b3b 100644 --- a/roles/vpn/templates/easy-rsa.vars.j2 +++ b/roles/vpn/templates/easy-rsa.vars.j2 @@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only" # * rsa # * ec +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +set_var EASYRSA_ALGO rsa +{% else %} set_var EASYRSA_ALGO ec +{% endif %} # Define the named curve, used in ec mode only: diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index 2bd6ad1..c412994 100644 --- a/roles/vpn/templates/ipsec.conf.j2 
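Review bot: the Windows branch of client_ipsec.conf.j2 offers `esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!`, i.e. SHA-1 integrity with a 1024-bit MODP group, and the default branch omits the trailing `!`, which lets strongSwan append its built-in proposals to the ones listed; a later commit in this series tightens both points in the server's ipsec.conf.j2 but leaves this client template untouched, so the two templates then disagree. Mirror the server values here: `esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!` in the Windows branch and `ike=aes128gcm16-sha2_256-prfsha256-ecp256!` / `esp=aes128gcm16-sha2_256-ecp256!` in the default branch. A template comment `{# keep in sync with ipsec.conf.j2 #}` would help prevent the drift recurring.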
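Review bot: `set_var EASYRSA_ALGO rsa` switches the CA and every user key to RSA without pinning a size, so the result depends on easy-rsa's `EASYRSA_KEY_SIZE` default; the mobileconfig later in this series labels the certificate `RSA2048`, so adding `set_var EASYRSA_KEY_SIZE 2048` inside the same `{% if %}` would make the two agree explicitly. A short comment above the block, `# Windows 10 IKEv2 needs RSA; the CA and all users' certificates switch with it`, would record that this is a deployment-wide rather than per-client choice.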
+++ b/roles/vpn/templates/ipsec.conf.j2 @@ -7,6 +7,14 @@ conn %default {{ key }}={{ value }} {% endfor %} +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048! + esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024! +{% else %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256 + esp=aes128gcm16-sha2_256-ecp256 +{% endif %} + left=%any leftauth=pubkey leftid={{ IP_subject_alt_name }} diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2 index d5793ae..2226f04 100644 --- a/roles/vpn/templates/ipsec.secrets.j2 +++ b/roles/vpn/templates/ipsec.secrets.j2 @@ -1,2 +1,5 @@ +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +: RSA {{ IP_subject_alt_name }}.key +{% else %} : ECDSA {{ IP_subject_alt_name }}.key - +{% endif %} From e90b58802d5ab74c36426d29975a3b5ccb58237d Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 27 Nov 2016 12:44:05 +0300 Subject: [PATCH 36/53] fix in the mobileconfig template --- roles/vpn/templates/mobileconfig.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index e796621..1ccb037 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -90,7 +90,11 @@ PayloadCertificateUUID {{ pkcs12_PayloadCertificateUUID }} CertificateType +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + RSA2048 +{% else %} ECDSA256 +{% endif %} ServerCertificateIssuerCommonName {{ IP_subject_alt_name }} RemoteAddress From e40545cce5ec960ea97bb9da397af3a858882a11 Mon Sep 17 00:00:00 2001 From: defunct Date: Sun, 27 Nov 2016 12:55:05 -0500 Subject: [PATCH 37/53] opens #126 This commit reverts changes in 437d659 to avoid breaking changes. --- roles/cloud-ec2/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 4b8de61..e2b0a65 100644 
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -66,7 +66,6 @@
 - name: Add new instance to host group
 add_host:
 hostname: "{{ item.public_ip }}"
- ansible_ssh_private_key_file: "{{ ssh_public_key[:-4] }}"
 groupname: vpn-host
 ansible_ssh_user: ubuntu
 ansible_python_interpreter: "/usr/bin/python2.7"
From f6166ccde4f8c878f07af69099167026b29a0731 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 29 Nov 2016 22:14:18 +0300 Subject: [PATCH 38/53] modify ciphers #9 --- roles/vpn/templates/ipsec.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index c412994..58089c1 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -9,10 +9,10 @@ conn %default
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
 ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
- esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+ esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
 {% else %}
- ike=aes128gcm16-sha2_256-prfsha256-ecp256
- esp=aes128gcm16-sha2_256-ecp256
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+ esp=aes128gcm16-sha2_256-ecp256!
 {% endif %}
 left=%any
From 8a0c5ab9718dafeb169239c8a4e47e5fce180f9e Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 29 Nov 2016 23:00:01 +0300 Subject: [PATCH 39/53] Windows support implemented --- README.md | 8 ++++++++ roles/vpn/tasks/main.yml | 12 ++++++++++++ roles/vpn/templates/client_windows.ps1.j2 | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 roles/vpn/templates/client_windows.ps1.j2
diff --git a/README.md b/README.md
index 2bd41a8..e9e4bc9 100644
--- a/README.md
+++ b/README.md 
@@ -41,6 +41,14 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. +### Windows Devices + +You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.
+Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:
+`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 +8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)
+Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine. + ### Apple Devices Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 53734b7..dacc736 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -191,6 +191,8 @@ with_items: - "{{ users }}" + + - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" @@ -215,6 +217,16 @@ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes with_items: "{{ users }}" +- name: Build the windows client powershell script + template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600 + when: Win10_Enabled is defined and Win10_Enabled == "Y" + with_items: "{{ users }}" + +- name: Fetch users windows scripts + fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes + when: Win10_Enabled is defined and Win10_Enabled == "Y" + with_items: "{{ users }}" + - name: Restrict permissions file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root with_items: diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2 new file mode 100644 index 0000000..9b6d197 --- /dev/null +++ b/roles/vpn/templates/client_windows.ps1.j2 
@@ -0,0 +1,3 @@ +certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12 +Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required +Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none From 3d53dde6ca43cf05b80745a0686bb8d1e14f09d5 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 6 Dec 2016 20:14:08 +0300 Subject: [PATCH 40/53] Fixed. #137 --- config.cfg | 4 ++++ roles/vpn/tasks/main.yml | 5 ----- users.yml | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/config.cfg b/config.cfg index 51f0021..34a1908 100644 --- a/config.cfg +++ b/config.cfg @@ -64,3 +64,7 @@ ipsec_config: # IP address for the proxy and the local dns resolver local_service_ip: 172.16.0.1 + +pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" +VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" +CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index dacc736..f5951a4 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -170,9 +170,6 @@ - name: Set facts for mobileconfigs set_fact: proxy_enabled: false - pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" - VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" - CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 
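Review bot: `certutil -f -p {{ easyrsa_p12_export_password }} -importpfx ...` embeds the PKCS#12 export password in clear text in a script that the `Fetch users windows scripts` task in the preceding hunk copies into `configs/` on the control machine, so the .ps1 neutralises the password protection of the .p12 next to it and has to be handled as a private-key file; `fetch` also does not carry the remote `mode=0600` across, so the local copy's permissions follow the umask. `-PfsGroup none` disables perfect forward secrecy for the Windows child SA while the server-side ESP proposal in this series names modp2048; if the server accepts the connection this way at all, `-PfsGroup PFS2048` would match its proposal instead — confirm what is actually negotiated. The script imports only the .p12 and has no step that places the CA in the Local Machine Trusted Root store, which the README section of this same commit says is required, so either add that step or state in a leading comment that the manual CA import still applies. A header line `# Contains the P12 export password; treat this file like a private key` would make the sensitivity visible to whoever finds it in configs/.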
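Review bot: moving `pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"` and its two siblings from `set_fact` into config.cfg changes when they are evaluated: a set_fact value is computed once per host, whereas a templated variable from a vars file is re-templated on use and `random` runs each time. If Ansible re-renders the expression on every `{{ pkcs12_PayloadCertificateUUID }}` reference, the PayloadCertificateUUID in the VPN payload and the PayloadUUID of the pkcs12 payload in mobileconfig.j2 would no longer match and the profile's certificate reference would dangle — please verify on a rendered profile. If the values are to live in config.cfg, a deterministic derivation avoids the question, e.g. `pkcs12_PayloadCertificateUUID: "{{ (IP_subject_alt_name ~ 'pkcs12') | to_uuid | upper }}"`, with a comment saying why it must be stable across references.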
@@ -191,8 +188,6 @@ with_items: - "{{ users }}" - - - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" diff --git a/users.yml b/users.yml index 6bdbf2e..fb79ba2 100644 --- a/users.yml +++ b/users.yml @@ -139,7 +139,7 @@ remove: yes force: yes when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" - with_items: "{{ valid_users.stdout_lines }}" + with_items: "{{ valid_users.stdout_lines | default('null') }}" - name: SSH | Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes From b71a09ef07e7fb12fb93ac2797303b11ec9233ae Mon Sep 17 00:00:00 2001 From: Defunct Date: Fri, 9 Dec 2016 16:06:19 +0000 Subject: [PATCH 41/53] EC2 Canada - resolves #141 --- algo | 2 ++ 1 file changed, 2 insertions(+) diff --git a/algo b/algo index 8f1db94..75eda1a 100755 --- a/algo +++ b/algo @@ -155,6 +155,7 @@ Name the vpn server: 10. eu-central-1 EU (Frankfurt) 11. eu-west-1 EU (Ireland) 12. sa-east-1 South America (São Paulo) + 13. ca-central-1 Canada (Central) Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} @@ -172,6 +173,7 @@ Enter the number of your desired region: 10) region="eu-central-1" ;; 11) region="eu-west-1" ;; 12) region="sa-east-1" ;; + 13) region="ca-central-1" ;; esac ROLES="ec2 vpn cloud" From 27e5a4fecaab4c2d918b9e45b0a3547386183755 Mon Sep 17 00:00:00 2001 From: Defunct Date: Fri, 9 Dec 2016 20:45:12 +0000 Subject: [PATCH 42/53] Sort by latest AMI - resolves #140 --- roles/cloud-ec2/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index e2b0a65..ae4fbab 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
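Review bot: `valid_users.stdout_lines | default('null')` substitutes the string `'null'`, which `with_items` iterates as a single item named `null`; whenever the registering task was skipped but `ssh_tunneling_enabled == "y"` holds, the removal task then runs for a user called `null` (only the `item not in users` test happens to let it through). The fallback should be an empty list: `with_items: "{{ valid_users.stdout_lines | default([]) }}"`. The task's `remove: yes` / `force: yes` lines are visible but its module line is outside the hunk.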
@@ -4,7 +4,7 @@
 aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
 name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
 owner: 099720109477
- sort: name
+ sort: creationDate
 sort_order: descending
 sort_end: 1
 region: "{{ region }}"
From 83a93f19ece8fb3d2655336e9fb41393760bc960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Attila=20Gy=C3=B6rffy?= Date: Sat, 10 Dec 2016 15:53:34 +0200 Subject: [PATCH 43/53] Fix configs path in the README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e9e4bc9..f04b853 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
 ## Configure the VPN Clients
-Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
+Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
 ### Windows Devices 
@@ -75,7 +75,7 @@ Depending on the platform, you may need one or multiple of the following files. ## Setup an SSH Tunnel -If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. Make sure to access the server using 'ssh -N' with these limited accounts. In order to make a tunnel you have to run this command: From c5526027249777b57a0565b90c1f9398c8fc1759 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 10 Dec 2016 21:09:34 +0300 Subject: [PATCH 44/53] Azure support #26 --- algo | 81 ++++++++++++++++++++++++++- azure.yml | 96 -------------------------------- deploy.yml | 3 +- requirements.txt | 2 +- roles/cloud-azure/tasks/main.yml | 70 +++++++++++++++++++++++ 5 files changed, 152 insertions(+), 100 deletions(-) delete mode 100644 azure.yml diff --git a/algo b/algo index 8f1db94..667642d 100755 --- a/algo +++ b/algo 
@@ -69,6 +69,81 @@ deploy () {
 }
+azure () {
+ read -p "
+Enter your azure secret (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_secret
+
+ read -p "
+
+Enter your azure tenant (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_tenant
+
+ read -p "
+
+Enter your azure client_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_client_id
+
+ read -p "
+
+Enter your azure subscription_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure)
+You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
+[...]: " -rs azure_subscription_id
+
+ read -e -p "
+
+Enter the local path to your SSH public key:
+: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key
+
+ read -p "
+Name the vpn server:
+[algo]: " -r azure_server_name
+ azure_server_name=${azure_server_name:-algo}
+
+ read -p "
+ What region should the server be located in?
+ 1. South Central US
+ 2. Central US
+ 3. North Europe
+ 4. West Europe
+ 5. Southeast Asia
+ 6. Japan West
+ 7. Japan East
+ 8. Australia Southeast
+ 9. Australia East
+ 10. Canada Central
+ 11. West US 2
+ 12. West Central US
+ 13. UK South
+ 14. UK West
+Enter the number of your desired region:
+[1]: " -r azure_region
+ azure_region=${azure_region:-1}
+
+ case "$azure_region" in
+ 1) region="southcentralus" ;;
+ 2) region="centralus" ;;
+ 3) region="northeurope" ;;
+ 4) region="westeurope" ;;
+ 5) region="southeastasia" ;;
+ 6) region="japanwest" ;;
+ 7) region="japaneast" ;;
+ 8) region="australiasoutheast" ;;
+ 9) region="australiaeast" ;;
+ 10) region="canadacentral" ;;
+ 11) region="westus2" ;;
+ 12) region="westcentralus" ;;
+ 13) region="uksouth" ;;
+ 14) region="ukwest" ;;
+ esac
+
+ ROLES="azure vpn cloud"
+ EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region"
+}
+
 digitalocean () {
 read -p "
 Enter your API token (https://cloud.digitalocean.com/settings/api/tokens):
@@ -256,7 +331,8 @@ algo_provisioning () {
 1. DigitalOcean
 2. Amazon EC2
 3. Google Compute Engine
- 4. Install to existing Ubuntu server
+ 4. Microsoft Azure
+ 5. Install to existing Ubuntu server
 Enter the number of your desired provider
 : "
@@ -267,7 +343,8 @@ Enter the number of your desired provider
 1) digitalocean; ;;
 2) ec2; ;;
 3) gce; ;;
- 4) non_cloud; ;;
+ 4) azure; ;;
+ 5) non_cloud; ;;
 *) exit 1 ;;
 esac
diff --git a/azure.yml b/azure.yml
deleted file mode 100644
index ec15d2c..0000000
--- a/azure.yml
+++ /dev/null
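Review bot: The `case "$azure_region"` at the end of the new `azure ()` function has no default arm, so an answer outside 1–14 leaves `region` unset and the deploy goes on with an empty `region=` in EXTRA_VARS; the provider menu in the third hunk already handles bad input with `*) exit 1 ;;`, so add the same here, `*) echo "Unknown region"; exit 1 ;;`, before `esac`. The four credentials are read with `-rs` so they are not echoed, but EXTRA_VARS then carries them as plain `key=value` text, which, if it is handed to `ansible-playbook -e` as the other providers appear to do, exposes them to every local user through the process table for the whole run; exporting them and relying on the role's `lookup('env', ...)` fallback would keep them off the command line. Only `azure_secret` needs `-s`; the tenant, client and subscription ids are identifiers rather than secrets, and silent input makes them easy to mistype.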
@@ -1,96 +0,0 @@
-- name: Configure the server and install required software
- hosts: localhost
- gather_facts: false
-
- vars:
- regions:
- "1": "East US"
- "2": "West US"
- "3": "South Central US"
- "4": "North Europe"
- "5": "East Asia"
- "6": "Japan East"
- "7": "West Europe"
- "8": "Southeast Asia"
- "9": "Japan West"
- "10": "North Central US"
- "11": "Central US"
- "12": "Brazil South"
- "13": "East US 2"
- "14": "Australia Southeast"
- "15": "Australia East"
-
- #vars_prompt:
- #- name: "azure_subscription_id"
- #prompt: "Enter your subscription ID (https://blogs.msdn.microsoft.com/mschray/2015/05/13/getting-your-azure-guid-subscription-id/):\n"
- #private: yes
-
- #- name: "management_cert_path"
- #prompt: "Enter the local path to your management cert [ex: ~/.ssh/id_rsa.pub] (https://azure.microsoft.com/en-us/documentation/articles/azure-api-management-certs/):\n"
- #private: no
-
- #- name: "ssh_public_key"
- #prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
- #private: no
-
- #- name: "region"
- #prompt: >
- #What region should the server be located in?
- #1. East US
- #2. West US
- #3. South Central US
- #4. North Europe
- #5. East Asia
- #6. Japan East
- #7. West Europe
- #8. Southeast Asia
- #9. Japan West
- #10. North Central US
- #11. Central US
- #12. Brazil South
- #13. East US 2
- #14. Australia Southeast
- #15. Australia East
- #Enter the number of your desired region:
- #default: "7"
- #private: no
-
- #- name: "azure_server_name"
- #prompt: "Name the vpn server:\n"
- #default: "algo.local"
- #private: no
-
- #- name: "dns_enabled"
- #prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
- #default: "Y"
- #private: no
-
- #- name: "auditd_enabled"
- #prompt: "Do you want to use auditd ? (Y or N):\n"
- #default: "Y"
- #private: no
-
- roles:
- - cloud-azure
-
-- name: Post-provisioning tasks
- hosts: vpn-host
- gather_facts: false
- become: true
- vars_files:
- - config.cfg
-
- pre_tasks:
- - name: Install prerequisites
- raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- - name: Configure defaults
- raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
-
- roles:
- - common
- - security
- - proxy
- - vpn
- - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-
diff --git a/deploy.yml b/deploy.yml
index 7fecd16..b6c8380 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -8,6 +8,7 @@
 - { role: cloud-digitalocean, tags: ['digitalocean'] }
 - { role: cloud-ec2, tags: ['ec2'] }
 - { role: cloud-gce, tags: ['gce'] }
+ - { role: cloud-azure, tags: ['azure'] }
 - { role: local, tags: ['local'] }
 - name: Post-provisioning tasks
@@ -21,7 +22,7 @@
 pre_tasks:
 - name: Common pre-tasks
 include: playbooks/common.yml
- tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]
+ tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'pre' ]
 - name: DigitalOcean pre-tasks
 include: playbooks/digitalocean.yml
diff --git a/requirements.txt b/requirements.txt
index 36b226c..3039915 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 ansible>=2.1
 dopy==0.3.5
 boto
-azure>=0.7.1
+azure==2.0.0rc5
 apache-libcloud
 six
diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml
index 8b13789..d894b2e 100644
--- a/roles/cloud-azure/tasks/main.yml
+++ b/roles/cloud-azure/tasks/main.yml
@@ -1 +1,71 @@
+---
+- set_fact:
+ resource_group: "Algo_{{ region }}"
+
+- name: Create a resource group
+ azure_rm_resourcegroup:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ name: "{{ resource_group }}"
+ location: "{{ region }}"
+ tags:
+ service: algo
+
+- name: Create a virtual network
+ azure_rm_virtualnetwork:
+ resource_group: "{{ resource_group }}"
+ name: algo_net
+ address_prefixes: "10.10.0.0/16"
+ tags:
+ service: algo
+
+- name: Create a subnet
+ azure_rm_subnet:
+ resource_group: "{{ resource_group }}"
+ name: algo_subnet
+ address_prefix: "10.10.0.0/24"
+ virtual_network: algo_net
+ tags:
+ service: algo
+
+- name: Create an instance
+ azure_rm_virtualmachine:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ resource_group: "{{ resource_group }}"
+ admin_username: ubuntu
+ virtual_network: algo_net
+ name: "{{ azure_server_name }}"
+ ssh_password_enabled: false
+ vm_size: Standard_D1
+ tags:
+ service: algo
+ ssh_public_keys:
+ - { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', '{{ ssh_public_key }}') }}" }
+ image:
+ offer: UbuntuServer
+ publisher: Canonical
+ sku: '16.04-LTS'
+ version: latest
+ register: azure_rm_virtualmachine
+
+- set_fact:
+ ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
+
+- name: Add the instance to an inventory group
+ add_host:
+ name: "{{ ip_address }}"
+ groups: vpn-host
+ ansible_ssh_user: ubuntu
+ ansible_python_interpreter: "/usr/bin/python2.7"
+ easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ cloud_provider: azure
+ ipv6_support: no
+
+- name: Wait for SSH to become available
+ local_action: "wait_for port=22 host={{ ip_address }} timeout=320"
From 4b50cd70c09a10ab87d77f1ef406f9fbae59c14b Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Mon, 12 Dec 2016 02:41:45 -0500 Subject: [PATCH 45/53] Update README.md --- README.md | 47 +++++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index f04b853..b596567 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
 ## Features
-* Supports only IKEv2 w/ a single cipher suite: AES GCM, SHA2 HMAC, and P-256 DH
+* Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH
 * Generates Apple Profiles to auto-configure iOS and macOS devices
 * Provides helper scripts to add and remove users
 * Blocks ads with a local DNS resolver and HTTP proxy (optional)
-* Sets up limited SSH tunnels for each user (optional)
-* Based on current versions of Ubuntu and StrongSwan
-* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server
+* Sets up limited SSH users for tunneling traffic (optional)
+* Based on current versions of Ubuntu and strongSwan
+* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, Microsoft Azure or your own server
 ## Anti-features
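Review bot: The environment fallbacks in `Create a resource group`, and again in `Create an instance`, are cross-wired: `secret` falls back to `AZURE_CLIENT_ID`, `tenant` to `AZURE_SECRET`, `client_id` to `AZURE_SUBSCRIPTION_ID` and `subscription_id` to `AZURE_TENANT`, so the `lookup('env', ...)` path can never authenticate. Note also that `default()` only substitutes for an undefined variable; if the `algo` script passes an empty `azure_secret=` the fallback is skipped entirely, which `default(..., true)` would handle. Two smaller points: `key_data: "{{ lookup('file', '{{ ssh_public_key }}') }}"` nests Jinja delimiters inside an expression and should be `lookup('file', ssh_public_key)`, and `ipv6_support: no` is a YAML 1.1 boolean while the ipsec template in this series compares the variable against the string `"yes"`, so a provider that later writes `ipv6_support: yes` the same way would silently fail that test — quote it as `"no"`. Since these two tasks take the Azure secret as a module argument, `no_log: true` on them would keep it out of verbose play output.
```yaml
- name: Create a resource group
  azure_rm_resourcegroup:
    secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
    tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
    client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}"
    subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
    # … unchanged: name, location, tags …
  no_log: true

# … unchanged: virtual network, subnet …

# "Create an instance" takes the same four credential lines and no_log, plus:
    ssh_public_keys:
      - { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', ssh_public_key) }}" }
```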
@@ -25,11 +25,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
 ## Deploy the Algo Server
-The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you.
+The easiest way to get an Algo server running is to let it setup a _new_ virtual machine in the cloud for you.
+
+1. Install the dependencies for your operating system:
+
+ OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt`
-1. Install the dependencies
-1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
-1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt`
 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
 3. Start the deploy and follow the instructions: `./algo`
@@ -41,14 +43,6 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do
 Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
-### Windows Devices
-
-You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.
-Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:
-`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
-8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)
-Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine.
-
 ### Apple Devices
 Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.
@@ -57,6 +51,15 @@ Find the corresponding mobileconfig (Apple Profile) for each user and send it to
 You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use.
+### Windows
+
+Import your user certificate to your Personal certificate store and your CA certificate to the Local Machine Trusted Root certificate store. Then, add an IKEv2 connection in the network settings and activate additional ciphers for it via Powershell (change the ConnectionName to the name of your IKEv2 connection):
+
+`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612
+8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none`
+
+Note that an all-in-one Powershell script that imports your personal certificate, sets up the VPN connection, and activates the stronger ciphers for it is included in the `configs` folder.
+
 ### StrongSwan Clients (e.g., OpenWRT)
 Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device.
@@ -72,15 +75,15 @@ Depending on the platform, you may need one or multiple of the following files.
 * user.key: User Private Key
 * user.mobileconfig: Apple Profile
 * user.p12: User Certificate and Private Key (in PKCS#12 format)
+* user_windows.ps1: Powershell script to setup a VPN connection on Windows
 ## Setup an SSH Tunnel
-If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server.
+If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited (`ssh -N` is required). This is done to ensure that users have the least access required to tunnel through the server.
-Make sure to access the server using 'ssh -N' with these limited accounts.
-In order to make a tunnel you have to run this command:
-`ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem`
-Don't forget to change `ip` and `user`. And then you can configure your browsers to use 127.0.0.1:1080 as sock4/5
+Use the command below to start an SSH tunnel, replacing `ip` and `user` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through Algo.
+
+ `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem`
 ## Adding or Removing Users
@@ -89,7 +92,7 @@ Algo's own scripts can easily add and remove users from the VPN server.
 1. Update the `users` list in your `config.cfg`
 2. Run the command: `./algo update-users`
-The Algo VPN server now only contains the users listed in the `config.cfg` file.
+The Algo VPN server now contains only the users listed in the `config.cfg` file.
 ## FAQ
From f16d960feb476f28b8e219a7c9aee6f89f1a77ef Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 17:40:31 +0300 Subject: [PATCH 46/53] additional columns --- .github/ISSUE_TEMPLATE.md | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 0689e36..d377571 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -10,6 +10,7 @@ + ### Summary of the problem
@@ -18,6 +19,10 @@ +### The way of deployment (cloud or local) + + + ### Expected behavior
@@ -25,3 +30,7 @@ ### Actual behavior + +### Full log + +
From abafe1581c6c78d784cf215b214947675d49eff8 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:04:51 +0300 Subject: [PATCH 47/53] Fixed #147 --- algo | 2 +- deploy.yml | 2 +- playbooks/common.yml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/algo b/algo
index deb070c..e24d71e 100755
--- a/algo
+++ b/algo
@@ -324,7 +324,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif
 ROLES="local vpn"
 EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
- SKIP_TAGS+=" cloud"
+ SKIP_TAGS+=" cloud update-alternatives"
 }
 algo_provisioning () {
diff --git a/deploy.yml b/deploy.yml
index b6c8380..dca53ef 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -22,7 +22,7 @@
 pre_tasks:
 - name: Common pre-tasks
 include: playbooks/common.yml
- tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'pre' ]
+ tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
 - name: DigitalOcean pre-tasks
 include: playbooks/digitalocean.yml
diff --git a/playbooks/common.yml b/playbooks/common.yml
index d84a6eb..eb7a695 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -3,3 +3,5 @@
 - name: Configure defaults
 raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
+ tags:
+ - update-alternatives
From d55878147327df3e8902c2b6e18dd90f92ce7b2b Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:13:58 +0300 Subject: [PATCH 48/53] dirty fix #148 --- playbooks/common.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/common.yml b/playbooks/common.yml
index eb7a695..36a051c 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -1,5 +1,5 @@
 - name: Install prerequisites
- raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+ raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
 - name: Configure defaults
 raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
From 0269cafff7554254b89e797f02726279b87cb8ab Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:52:34 +0300 Subject: [PATCH 49/53] DNS fix --- config.cfg | 10 ++++++---- roles/vpn/templates/ipsec.conf.j2 | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/config.cfg b/config.cfg
index 34a1908..296de4d 100644
--- a/config.cfg
+++ b/config.cfg
@@ -29,10 +29,12 @@ server_name: "{{ ansible_ssh_host }}"
 IP_subject_alt_name: "{{ ansible_ssh_host }}"
 dns_servers:
- - 8.8.8.8
- - 8.8.4.4
- - 2001:4860:4860::8888
- - 2001:4860:4860::8844
+ ipv4:
+ - 8.8.8.8
+ - 8.8.4.4
+ ipv6:
+ - 2001:4860:4860::8888
+ - 2001:4860:4860::8844
 strongswan_enabled_plugins:
 - aes
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 58089c1..6b60e36 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
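Review bot: The new `raw: sleep 10 && sudo apt-get update ...` in playbooks/common.yml adds a fixed delay with nothing in the file saying why; the commit title ("dirty fix #148") suggests apt is still busy when the play first connects, presumably first-boot provisioning holding the apt/dpkg lock, but a fixed ten seconds still loses on a slow boot and is wasted on a fast one. At minimum record the reason above the task, e.g. `# first-boot package activity may still hold the apt lock; see #148`; a bounded retry around `apt-get update` (an `until` loop with a retry limit and a short sleep) would be more robust than a single sleep.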
@@ -28,7 +28,7 @@ conn %default
 {% if local_dns is defined and local_dns == "Y" %}
 rightdns={{ local_service_ip }}
 {% else %}
- rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
+ rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
 {% endif %}
 conn ikev2-pubkey
From 016a8c770803fe1c28e25ae9f910ba7f347cb478 Mon Sep 17 00:00:00 2001 From: kennwhite Date: Mon, 12 Dec 2016 15:14:58 -0500 Subject: [PATCH 50/53] Change default instance to free tier (t2.micro) I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account. --- roles/cloud-ec2/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index ae4fbab..0be4f37 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -55,7 +55,7 @@
 aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
 keypair: "VPNKEY"
 group: vpn-secgroup
- instance_type: t2.nano
+ instance_type: t2.micro
 image: "{{ ami_image }}"
 wait: true
 region: "{{ region }}"
From 48231cf02002942ce06cefb67066d5634379aa8d Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 13 Dec 2016 08:44:19 +0300 Subject: [PATCH 51/53] SSH fix for old bash versions #160 --- algo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/algo b/algo
index e24d71e..bd4aaf3 100755
--- a/algo
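Review bot: The new `rightdns` line tests `ipv6_support == "yes"` as a string, while the same series writes the variable as a bare YAML scalar (`ipv6_support: no` in roles/cloud-azure/tasks/main.yml), so a provider that sets `ipv6_support: yes` the same way hands the template a boolean, the comparison is false and the IPv6 resolvers are silently left out of the pushed DNS list. `{% if ipv6_support is defined and ipv6_support | bool %}` accepts both spellings. The line is also long enough that the ipv6 branch is easy to miss when reading; splitting the two loops across lines with Jinja whitespace control (`{%- ... -%}`) would keep the rendered value on a single line.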
+++ b/algo
@@ -93,10 +93,10 @@ Enter your azure subscription_id (https://docs.ansible.com/ansible/guide_azure.h
 You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
 [...]: " -rs azure_subscription_id
- read -e -p "
+ read -p "
-Enter the local path to your SSH public key:
-: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key
+Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key
+ ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}
 read -p "
 Name the vpn server:
From bb90bb26a62ca3c3d775210b35311df2693c0095 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 13 Dec 2016 09:08:12 +0300 Subject: [PATCH 52/53] a fix for ipv6 provisioning on DO #158 --- playbooks/digitalocean.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml
index 703e5d0..78b652b 100644
--- a/playbooks/digitalocean.yml
+++ b/playbooks/digitalocean.yml
@@ -1,5 +1,6 @@
 - name: Enable IPv6 on the droplet
- uri:
+ local_action:
+ module: uri
 url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
 method: POST
 body:
@@ -8,15 +9,18 @@
 status_code: 201
 HEADER_Authorization: "Bearer {{ do_access_token }}"
 HEADER_Content-Type: "application/json"
+ become: no
 - name: Get Droplet networks
- uri:
+ local_action:
+ module: uri
 url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
 method: GET
 status_code: 200
 HEADER_Authorization: "Bearer {{ do_access_token }}"
 HEADER_Content-Type: "application/json"
 register: droplet_info
+ become: no
 - name: IPv6 configured
 template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
From 4d1c048b8f664f52ff349d6489b3938876b0a633 Mon Sep 17 00:00:00 2001
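Review bot: The new default expands to `$HOME/.ssh/id_rsa.pub`, but a path the user types is kept verbatim, so entering it exactly as the prompt suggests (`~/.ssh/id_rsa.pub`) leaves a literal `~` in `ssh_public_key`, which roles/cloud-azure/tasks/main.yml hands to `lookup('file', ...)`; whether that lookup expands `~` is not visible here, so normalising in the script is the safe choice: `ssh_public_key="${ssh_public_key/#\~/$HOME}"` right after the default assignment. The enclosing `azure ()` function starts and ends outside this hunk.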
From: Kevin Chen Date: Tue, 13 Dec 2016 01:26:02 -0500 Subject: [PATCH 53/53] README: Add apt dependencies for pypi cryptography. The cryptography library requires gcc and some development headers that aren't installed by default on Ubuntu. Source: https://cryptography.io/en/latest/installation/#building-cryptography-on-linux --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b596567..8164cf8 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ The easiest way to get an Algo server running is to let it setup a _new_ virtual
 1. Install the dependencies for your operating system:
 OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
- Linux (deb-based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo easy_install pip && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt`
 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
 3. Start the deploy and follow the instructions: `./algo`