From dcfed41ae8467d924185579a49fd040c671bc362 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 10 Feb 2020 11:01:20 +0100 Subject: [PATCH 1/5] Apply netplan for digitalocean only (#1723) --- roles/common/tasks/aip/digitalocean.yml | 10 ++++++++++ roles/common/tasks/ubuntu.yml | 10 ---------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/common/tasks/aip/digitalocean.yml b/roles/common/tasks/aip/digitalocean.yml index cd5032f..bc01630 100644 --- a/roles/common/tasks/aip/digitalocean.yml +++ b/roles/common/tasks/aip/digitalocean.yml @@ -11,3 +11,13 @@ - name: Set SNAT IP as a fact set_fact: snat_aipv4: "{{ anchor_ipv4.content }}" + +- name: IPv6 egress alias configured + template: + src: 99-algo-ipv6-egress.yaml.j2 + dest: /etc/netplan/99-algo-ipv6-egress.yaml + when: + - ipv6_support + - ipv6_subnet_size|int > 1 + notify: + - netplan apply diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index 6355bbf..04e9cd8 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -78,16 +78,6 @@ - name: Gather additional facts import_tasks: facts.yml -- name: IPv6 egress alias configured - template: - src: 99-algo-ipv6-egress.yaml.j2 - dest: /etc/netplan/99-algo-ipv6-egress.yaml - when: - - ipv6_support - - ipv6_subnet_size|int > 1 - notify: - - netplan apply - - name: Set OS specific facts set_fact: tools: From 5c09d6dd02cb192b89a722204a4092b2f89795fd Mon Sep 17 00:00:00 2001 From: Dan Hughes Date: Wed, 12 Feb 2020 06:58:20 +0000 Subject: [PATCH 2/5] Use absolute path for identityfile in ssh config (#1718) * Use absolute path for identityfile in ssh config * Update readme with ssh config include --- README.md | 8 ++++++++ server.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c044d3d..263bf76 100644 --- a/README.md +++ b/README.md 
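Review bot: The `IPv6 egress alias configured` task added to digitalocean.yml writes `/etc/netplan/99-algo-ipv6-egress.yaml` with no `owner`/`group`/`mode`, so the file gets whatever the remote umask yields; netplan has, as far as I know, started warning about netplan files that are group- or world-readable, so give the `template` task `owner: root`, `group: root`, `mode: "0600"`. Because the task is only moved, hosts on other providers that received this file from the old ubuntu.yml task keep it on the next run; if the alias is not wanted there, a `file: state: absent` task for non-DigitalOcean providers would clean it up — I cannot see from this hunk whether the template is provider-specific.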
@@ -165,6 +165,14 @@ where `` is the IP address of your Algo server. If you find yourself regular `ssh-add ~/.ssh/algo > /dev/null 2>&1` +Alternatively, you can choose to include the generated configuration for any Algo servers created into your SSH config. Edit the file `~/.ssh/config` to include this directive at the top: + +``` +Include /configs/*/ssh_config +``` + +where `` is the directory where you cloned Algo. + ## Adding or Removing Users _If you chose to save the CA key during the deploy process,_ then Algo's own scripts can easily add and remove users from the VPN server. diff --git a/server.yml b/server.yml index fb472f0..99ffa37 100644 --- a/server.yml +++ b/server.yml @@ -32,7 +32,7 @@ HostName {{ IP_subject_alt_name }} User {{ ansible_ssh_user }} Port {{ ansible_ssh_port }} - IdentityFile {{ SSH_keys.private }} + IdentityFile {{ SSH_keys.private | realpath }} KeepAlive yes ServerAliveInterval 30 when: inventory_hostname != 'localhost' From 512b5660e11268806c137e9f3b0e036c4a037885 Mon Sep 17 00:00:00 2001 From: Dan Hughes Date: Wed, 12 Feb 2020 07:14:13 +0000 Subject: [PATCH 3/5] Use user-defined hostname for SSH hostname (#1715) * Use user-defined hostname for SSH hostname * Update readme to use hostname in ssh commands --- README.md | 4 ++-- config.cfg | 2 +- server.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 263bf76..af9df90 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN "# Local DNS resolver 172.16.0.1 #" "# The p12 and SSH keys password for new users is XXXXXXXX #" "# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #" - "# Shell access: ssh -F configs//ssh_config algo #" + "# Shell access: ssh -F configs//ssh_config #" ``` ## Configure the VPN Clients 
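Review bot: `IdentityFile {{ SSH_keys.private | realpath }}` in the server.yml hunk needs a why-comment, because the next reader will wonder why the relative path was dropped: as I understand it ssh opens a relative IdentityFile against its working directory, so a config pulled in via `Include` from `~/.ssh/config` (the README change in this commit) only works with an absolute path. Suggested comment above `content:`: `# IdentityFile must be absolute: ssh resolves relative paths against its cwd, which breaks Include from ~/.ssh/config`. The trade-off is that the generated ssh_config is now tied to the directory the deploy ran from and stops working if configs/ is moved or copied to another machine; that deserves a sentence in the README. The enclosing task starts before the hunk.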
@@ -159,7 +159,7 @@ Use the example command below to start an SSH tunnel by replacing `` and ` Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message: - `ssh -F configs//ssh_config algo` +`ssh -F configs//ssh_config ` where `` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently. diff --git a/config.cfg b/config.cfg index 7d3027e..6446398 100644 --- a/config.cfg +++ b/config.cfg @@ -146,7 +146,7 @@ congrats: ca_key_pass: | "# The CA key password is {{ CA_password|default(omit) }} #" ssh_access: | - "# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config algo #" + "# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #" SSH_keys: comment: algo@ssh diff --git a/server.yml b/server.yml index 99ffa37..54551eb 100644 --- a/server.yml +++ b/server.yml @@ -28,7 +28,7 @@ dest: "configs/{{ IP_subject_alt_name }}/ssh_config" mode: "0600" content: | - Host {{ IP_subject_alt_name }} algo + Host {{ IP_subject_alt_name }} {{ algo_server_name }} HostName {{ IP_subject_alt_name }} User {{ ansible_ssh_user }} Port {{ ansible_ssh_port }} From 1e8a9c5cf1bd0b443958f7eb40207504b817e534 Mon Sep 17 00:00:00 2001 
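Review bot: `Host {{ IP_subject_alt_name }} {{ algo_server_name }}` in the server.yml hunk interpolates a user-chosen name into an ssh_config pattern list, where whitespace separates patterns and `*`, `?` and `!` are metacharacters; input.yml in patch 4 shows a prompt gated on `server_name is undefined`, so the name appears to be user-entered, and no validation is visible. A name such as `my *` becomes a catch-all `Host` entry that applies this user, port and key to every ssh connection — and patch 2's README now encourages including these files from `~/.ssh/config`. Validate it before templating, e.g. an `assert` task with `that: algo_server_name is match('^[A-Za-z0-9][A-Za-z0-9._-]*$')` and a `msg` naming the offending value. The enclosing task starts before the hunk.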
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 12 Feb 2020 08:31:44 +0100 Subject: [PATCH 4/5] Generate mobileconfigs for WireGuard (#1698) * Generate mobileconfigs for WireGuard * add xmllint to wireguard profiles * Enable onDemand prompts for WireGuard * linting --- input.yml | 67 ++++++++-------- roles/wireguard/tasks/main.yml | 10 ++- roles/wireguard/tasks/mobileconfig.yml | 10 +++ roles/wireguard/templates/mobileconfig.j2 | 25 ++++++ roles/wireguard/templates/vpn-dict.j2 | 94 +++++++++++++++++++++++ tests/wireguard-client.sh | 2 + 6 files changed, 174 insertions(+), 34 deletions(-) create mode 100644 roles/wireguard/tasks/mobileconfig.yml create mode 100644 roles/wireguard/templates/mobileconfig.j2 create mode 100644 roles/wireguard/templates/vpn-dict.j2 diff --git a/input.yml b/input.yml index cc1794b..3ee6257 100644 --- a/input.yml +++ b/input.yml 
@@ -52,42 +52,43 @@ when: - server_name is undefined - algo_provider != "local" - - block: - - name: Cellular On Demand prompt - pause: - prompt: | - Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? - [y/N] - register: _ondemand_cellular - when: ondemand_cellular is undefined - - name: Wi-Fi On Demand prompt - pause: - prompt: | - Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? - [y/N] - register: _ondemand_wifi - when: ondemand_wifi is undefined + - name: Cellular On Demand prompt + pause: + prompt: | + Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks? + [y/N] + register: _ondemand_cellular + when: ondemand_cellular is undefined - - name: Trusted Wi-Fi networks prompt - pause: - prompt: | - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand" - (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) - register: _ondemand_wifi_exclude - when: - - ondemand_wifi_exclude is undefined - - (ondemand_wifi|default(false)|bool) or - (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) + - name: Wi-Fi On Demand prompt + pause: + prompt: | + Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi? + [y/N] + register: _ondemand_wifi + when: ondemand_wifi is undefined - - name: Retain the PKI prompt - pause: - prompt: | - Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) - [y/N] - register: _store_pki - when: store_pki is undefined - when: ipsec_enabled + - name: Trusted Wi-Fi networks prompt + pause: + prompt: | + List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand" + (e.g., your home network. 
Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) + register: _ondemand_wifi_exclude + when: + - ondemand_wifi_exclude is undefined + - (ondemand_wifi|default(false)|bool) or + (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) + + - name: Retain the PKI prompt + pause: + prompt: | + Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) + [y/N] + register: _store_pki + when: + - store_pki is undefined + - ipsec_enabled - name: DNS adblocking prompt pause: diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 4e38762..7e1fbc1 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -8,7 +8,8 @@ - "{{ wireguard_pki_path }}/preshared" - "{{ wireguard_pki_path }}/private" - "{{ wireguard_pki_path }}/public" - - "{{ wireguard_config_path }}" + - "{{ wireguard_config_path }}/apple/ios" + - "{{ wireguard_config_path }}/apple/macos" delegate_to: localhost become: false @@ -51,6 +52,13 @@ vars: index: "{{ item.0 }}" + - include_tasks: mobileconfig.yml + loop: + - ios + - macos + loop_control: + loop_var: system + - name: Generate QR codes shell: > umask 077; diff --git a/roles/wireguard/tasks/mobileconfig.yml b/roles/wireguard/tasks/mobileconfig.yml new file mode 100644 index 0000000..0e192b4 --- /dev/null +++ b/roles/wireguard/tasks/mobileconfig.yml @@ -0,0 +1,10 @@ +--- +- name: WireGuard apple mobileconfig generated + template: + src: mobileconfig.j2 + dest: "{{ wireguard_config_path }}/apple/{{ system }}/{{ item.1 }}.mobileconfig" + mode: "0600" + with_indexed_items: "{{ wireguard_users }}" + when: item.1 in users + vars: + index: "{{ item.0 }}" diff --git a/roles/wireguard/templates/mobileconfig.j2 b/roles/wireguard/templates/mobileconfig.j2 new file mode 100644 index 0000000..6c3f33e --- /dev/null +++ b/roles/wireguard/templates/mobileconfig.j2 
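Review bot: The `Retain the PKI prompt` in the input.yml hunk is now gated on `ipsec_enabled` while the on-demand prompts lost that gate, so a WireGuard-only deploy is never asked whether to keep keys — yet the main.yml hunk in this same commit shows WireGuard private keys created under `{{ wireguard_pki_path }}/private`. If `store_pki` also decides whether those WireGuard keys are kept (I cannot tell from the hunk), the prompt should run whenever either protocol is enabled; if it only governs the IPsec CA, say so in the prompt, e.g. `Do you want to retain the IPsec CA keys (PKI)?`, so users do not assume WireGuard keys are discarded. The run of prompts continues past the hunk.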
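Review bot: The new `{{ wireguard_config_path }}/apple/ios` and `.../apple/macos` directories in the main.yml hunk will hold profiles that presumably embed each user's WireGuard private key (vpn-dict.j2 inlines client.conf.j2 as `WgQuickConfig`), but the `file` task's `mode` is outside the hunk; make sure they are created `mode: "0700"`, consistent with the `umask 077` of the QR-code task below, so other local users cannot list which profiles exist. The `include_tasks: mobileconfig.yml` loop relies on the enclosing block for `delegate_to: localhost` and `become: false`; that block starts before the hunk.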
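Review bot: The `template` task in mobileconfig.yml writes a file that carries a user's WireGuard configuration (and, presumably, private key) but has no `delegate_to: localhost`/`become: false` of its own; it depends on inheriting them from the block around `include_tasks` in main.yml, whose start is outside the hunk, and if that inheritance is not in place the profiles land on the VPN server under the remote user's home, since `dest` is a relative `configs/...` path. Either put an explicit `delegate_to: localhost` on this task or add `# runs on the control machine: inherits delegate_to/become from the block in main.yml` so the dependency is visible. `mode: "0600"` is the right choice for this content.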
@@ -0,0 +1,25 @@ +#jinja2:lstrip_blocks: True + + + + + PayloadContent + + {% include 'vpn-dict.j2' %} + + PayloadDisplayName + AlgoVPN {{ algo_server_name }} WireGuard + PayloadIdentifier + donut.local.{{ 500000 | random | to_uuid | upper }} + PayloadOrganization + AlgoVPN + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + {{ 400000 | random | to_uuid | upper }} + PayloadVersion + 1 + + diff --git a/roles/wireguard/templates/vpn-dict.j2 b/roles/wireguard/templates/vpn-dict.j2 new file mode 100644 index 0000000..6444df9 --- /dev/null +++ b/roles/wireguard/templates/vpn-dict.j2 
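Review bot: `PayloadIdentifier donut.local.{{ 500000 | random | to_uuid | upper }}` and `PayloadUUID {{ 400000 | random | to_uuid | upper }}` in mobileconfig.j2 are regenerated on every playbook run, so a re-deploy produces a profile that iOS/macOS will, as far as I know, install as a second profile rather than replace the one already on the device. Derive both from stable inputs the way vpn-dict.j2 attempts to, e.g. `{{ (algo_server_name + system + item.1 + 'wg') | to_uuid | upper }}`, with `item.1` being the user from the `with_indexed_items` loop in mobileconfig.yml, so each user/server/platform profile has one fixed identity. The plist element tags are not visible in this rendering of the hunk, so the values are quoted bare.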
@@ -0,0 +1,94 @@ + + IPv4 + + OverridePrimary + 1 + + PayloadDescription + Configures VPN settings + PayloadDisplayName + {{ algo_server_name }} + PayloadIdentifier + com.apple.vpn.managed.{{ algo_server_name + system | to_uuid | upper }} + PayloadType + com.apple.vpn.managed + PayloadUUID + {{ algo_server_name + system | to_uuid | upper }} + PayloadVersion + 1 + Proxies + + HTTPEnable + 0 + HTTPSEnable + 0 + + UserDefinedName + AlgoVPN {{ algo_server_name }} + VPN + + OnDemandEnabled + {{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }} + OnDemandRules + + {% if algo_ondemand_wifi or algo_ondemand_cellular %} + {% if algo_ondemand_wifi_exclude|b64decode != '_null' %} + {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %} + + Action + Disconnect + InterfaceTypeMatch + WiFi + SSIDMatch + + {% for network_name in WIFI_EXCLUDE_LIST %} + {{ network_name|e }} + {% endfor %} + + + {% endif %} + + Action + {% if algo_ondemand_wifi %} + Connect + {% else %} + Disconnect + {% endif %} + InterfaceTypeMatch + WiFi + URLStringProbe + http://captive.apple.com/hotspot-detect.html + + + Action + {% if algo_ondemand_cellular %} + Connect + {% else %} + Disconnect + {% endif %} + InterfaceTypeMatch + Cellular + URLStringProbe + http://captive.apple.com/hotspot-detect.html + + {% endif %} + + Action + {{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }} + + + AuthenticationMethod + Password + RemoteAddress + {{ IP_subject_alt_name }}:{{ wireguard_port }} + + VPNSubType + com.wireguard.{{ system }} + VPNType + VPN + VendorConfig + + WgQuickConfig + {{- lookup('template', 'client.conf.j2') | indent(8) }} + + diff --git a/tests/wireguard-client.sh b/tests/wireguard-client.sh index 46b4603..cc7d652 100755 --- a/tests/wireguard-client.sh +++ b/tests/wireguard-client.sh 
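Review bot: `{{ algo_server_name + system | to_uuid | upper }}` (PayloadIdentifier and PayloadUUID in vpn-dict.j2) does not do what it reads as — Jinja filters bind tighter than `+`, so it evaluates to `algo_server_name + (system | to_uuid | upper)`, the server name glued onto a UUID, which is not a valid value for `PayloadUUID`. Even with parentheses the result is identical for every user of a server on a given platform, so a second user's profile on the same device would carry a duplicate payload UUID/identifier; include the user, e.g. `{{ (algo_server_name + system + item.1) | to_uuid | upper }}` for both keys. `algo_server_name` is also inserted into `PayloadDisplayName`/`UserDefinedName` without `|e`, unlike the SSID names further down, and if `IP_subject_alt_name` can be an IPv6 literal, `RemoteAddress {{ IP_subject_alt_name }}:{{ wireguard_port }}` would need it bracketed.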
@@ -2,6 +2,8 @@ set -euxo pipefail +xmllint --noout ./configs/10.0.8.100/wireguard/apple/*/*.mobileconfig + crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off wg-quick up configs/10.0.8.100/wireguard/user1.conf From 28d95eace2dd3a4ad81adb73ac53a279e42e408a Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 18 Feb 2020 16:20:27 +0100 Subject: [PATCH 5/5] Update main.yml (#1727) --- roles/common/tasks/aip/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/common/tasks/aip/main.yml b/roles/common/tasks/aip/main.yml index 6055fd3..e644d9d 100644 --- a/roles/common/tasks/aip/main.yml +++ b/roles/common/tasks/aip/main.yml @@ -1,4 +1,9 @@ --- +- name: Verify the provider + assert: + that: algo_provider in aip_supported_providers + msg: Algo does not support Alternative Ingress IP for {{ algo_provider }} + - name: Include alternative ingress ip configuration include_tasks: file: "{{ algo_provider if algo_provider in aip_supported_providers else 'placeholder' }}.yml"
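Review bot: The new `assert` in aip/main.yml makes the `else 'placeholder'` branch on the `include_tasks` line below it unreachable, since an unsupported `algo_provider` now fails the play before the include runs; either keep the assert and simplify to `file: "{{ algo_provider }}.yml"`, or keep the placeholder path and drop the assert. Which is right depends on where main.yml is included, which this hunk does not show: patch 1 moved the DigitalOcean netplan task into `aip/digitalocean.yml`, which suggests this file may run for every provider, and in that case the assert breaks every deploy whose provider is not in `aip_supported_providers`. If the alternative ingress IP is opt-in, failing hard is the better behaviour and only the dead fallback needs removing.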