Merge remote-tracking branch 'upstream/master' into fix-ipsec-53

README.md

@@ -96,7 +96,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN
     "#                     Local DNS resolver 172.16.0.1                    #"
     "#        The p12 and SSH keys password for new users is XXXXXXXX       #"
     "#        The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX       #"
-    "#      Shell access: ssh -F configs/<server_ip>/ssh_config algo        #"
+    "#      Shell access: ssh -F configs/<server_ip>/ssh_config <hostname>  #"
 ```
 
 ## Configure the VPN Clients
@@ -159,12 +159,20 @@ Use the example command below to start an SSH tunnel by replacing `<user>` and `
 
 Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message:
 
- `ssh -F configs/<ip>/ssh_config algo`
+`ssh -F configs/<ip>/ssh_config <hostname>`
 
 where `<ip>` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
 
  `ssh-add ~/.ssh/algo > /dev/null 2>&1`
 
+Alternatively, you can choose to include the generated configuration for any Algo servers created into your SSH config. Edit the file `~/.ssh/config` to include this directive at the top:
+
+```
+Include <algodirectory>/configs/*/ssh_config
+```
+
+where `<algodirectory>` is the directory where you cloned Algo.
+
 ## Adding or Removing Users
 
 _If you chose to save the CA key during the deploy process,_ then Algo's own scripts can easily add and remove users from the VPN server.

config.cfg

@@ -146,7 +146,7 @@ congrats:
   ca_key_pass: |
     "#        The CA key password is {{ CA_password|default(omit) }}       #"
   ssh_access: |
-    "#      Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config algo        #"
+    "#      Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }}        #"
 
 SSH_keys:
   comment: algo@ssh

input.yml

@@ -52,11 +52,11 @@
         when:
           - server_name is undefined
           - algo_provider != "local"
-      - block:
+
       - name: Cellular On Demand prompt
         pause:
           prompt: |
-              Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
+            Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
             [y/N]
         register: _ondemand_cellular
         when: ondemand_cellular is undefined
@@ -64,7 +64,7 @@
       - name: Wi-Fi On Demand prompt
         pause:
           prompt: |
-              Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
+            Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
             [y/N]
         register: _ondemand_wifi
         when: ondemand_wifi is undefined
@@ -72,7 +72,7 @@
       - name: Trusted Wi-Fi networks prompt
         pause:
           prompt: |
-              List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
+            List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
             (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
         register: _ondemand_wifi_exclude
         when:
@@ -86,8 +86,9 @@
             Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
             [y/N]
         register: _store_pki
-          when: store_pki is undefined
+        when:
-        when: ipsec_enabled
+          - store_pki is undefined
+          - ipsec_enabled
 
       - name: DNS adblocking prompt
         pause:

roles/common/tasks/aip/digitalocean.yml

@@ -11,3 +11,13 @@
 - name: Set SNAT IP as a fact
   set_fact:
     snat_aipv4: "{{ anchor_ipv4.content }}"
+
+- name: IPv6 egress alias configured
+  template:
+    src: 99-algo-ipv6-egress.yaml.j2
+    dest: /etc/netplan/99-algo-ipv6-egress.yaml
+  when:
+    - ipv6_support
+    - ipv6_subnet_size|int > 1
+  notify:
+    - netplan apply

roles/common/tasks/aip/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Verify the provider
+  assert:
+    that: algo_provider in aip_supported_providers
+    msg: Algo does not support Alternative Ingress IP for {{ algo_provider }}
+
 - name: Include alternative ingress ip configuration
   include_tasks:
     file: "{{ algo_provider if algo_provider in aip_supported_providers else 'placeholder' }}.yml"

roles/common/tasks/ubuntu.yml

@@ -78,16 +78,6 @@
 - name: Gather additional facts
   import_tasks: facts.yml
 
-- name: IPv6 egress alias configured
-  template:
-    src: 99-algo-ipv6-egress.yaml.j2
-    dest: /etc/netplan/99-algo-ipv6-egress.yaml
-  when:
-    - ipv6_support
-    - ipv6_subnet_size|int > 1
-  notify:
-    - netplan apply
-
 - name: Set OS specific facts
   set_fact:
     tools:

roles/wireguard/tasks/main.yml

@@ -8,7 +8,8 @@
     - "{{ wireguard_pki_path }}/preshared"
     - "{{ wireguard_pki_path }}/private"
     - "{{ wireguard_pki_path }}/public"
-    - "{{ wireguard_config_path }}"
+    - "{{ wireguard_config_path }}/apple/ios"
+    - "{{ wireguard_config_path }}/apple/macos"
   delegate_to: localhost
   become: false
 
@@ -51,6 +52,13 @@
       vars:
         index: "{{ item.0 }}"
 
+    - include_tasks: mobileconfig.yml
+      loop:
+        - ios
+        - macos
+      loop_control:
+        loop_var: system
+
     - name: Generate QR codes
       shell: >
         umask 077;

roles/wireguard/tasks/mobileconfig.yml

@@ -0,0 +1,10 @@
+---
+- name: WireGuard apple mobileconfig generated
+  template:
+    src: mobileconfig.j2
+    dest: "{{ wireguard_config_path }}/apple/{{ system }}/{{ item.1 }}.mobileconfig"
+    mode: "0600"
+  with_indexed_items:  "{{ wireguard_users }}"
+  when: item.1 in users
+  vars:
+    index: "{{ item.0 }}"

roles/wireguard/templates/mobileconfig.j2

@@ -0,0 +1,25 @@
+#jinja2:lstrip_blocks: True
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+    {% include 'vpn-dict.j2' %}
+  </array>
+  <key>PayloadDisplayName</key>
+  <string>AlgoVPN {{ algo_server_name }} WireGuard</string>
+  <key>PayloadIdentifier</key>
+  <string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
+  <key>PayloadOrganization</key>
+  <string>AlgoVPN</string>
+  <key>PayloadRemovalDisallowed</key>
+  <false/>
+  <key>PayloadType</key>
+  <string>Configuration</string>
+  <key>PayloadUUID</key>
+  <string>{{ 400000 | random | to_uuid | upper }}</string>
+  <key>PayloadVersion</key>
+  <integer>1</integer>
+</dict>
+</plist>

roles/wireguard/templates/vpn-dict.j2

@@ -0,0 +1,94 @@
+<dict>
+	<key>IPv4</key>
+  <dict>
+      <key>OverridePrimary</key>
+      <integer>1</integer>
+  </dict>
+	<key>PayloadDescription</key>
+	<string>Configures VPN settings</string>
+	<key>PayloadDisplayName</key>
+	<string>{{ algo_server_name }}</string>
+	<key>PayloadIdentifier</key>
+	<string>com.apple.vpn.managed.{{ algo_server_name + system | to_uuid | upper }}</string>
+	<key>PayloadType</key>
+	<string>com.apple.vpn.managed</string>
+	<key>PayloadUUID</key>
+	<string>{{ algo_server_name + system | to_uuid | upper }}</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+	<key>Proxies</key>
+	<dict>
+		<key>HTTPEnable</key>
+		<integer>0</integer>
+		<key>HTTPSEnable</key>
+		<integer>0</integer>
+	</dict>
+	<key>UserDefinedName</key>
+	<string>AlgoVPN {{ algo_server_name }}</string>
+	<key>VPN</key>
+	<dict>
+    <key>OnDemandEnabled</key>
+    <integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
+    <key>OnDemandRules</key>
+    <array>
+      {% if algo_ondemand_wifi or algo_ondemand_cellular %}
+      {% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
+      {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
+      <dict>
+        <key>Action</key>
+        <string>Disconnect</string>
+        <key>InterfaceTypeMatch</key>
+        <string>WiFi</string>
+        <key>SSIDMatch</key>
+        <array>
+          {% for network_name in WIFI_EXCLUDE_LIST %}
+          <string>{{ network_name|e }}</string>
+          {% endfor %}
+        </array>
+      </dict>
+      {% endif %}
+      <dict>
+        <key>Action</key>
+        {% if algo_ondemand_wifi %}
+        <string>Connect</string>
+        {% else %}
+        <string>Disconnect</string>
+        {% endif %}
+        <key>InterfaceTypeMatch</key>
+        <string>WiFi</string>
+        <key>URLStringProbe</key>
+        <string>http://captive.apple.com/hotspot-detect.html</string>
+      </dict>
+      <dict>
+        <key>Action</key>
+        {% if algo_ondemand_cellular %}
+        <string>Connect</string>
+        {% else %}
+        <string>Disconnect</string>
+        {% endif %}
+        <key>InterfaceTypeMatch</key>
+        <string>Cellular</string>
+        <key>URLStringProbe</key>
+        <string>http://captive.apple.com/hotspot-detect.html</string>
+      </dict>
+      {% endif %}
+      <dict>
+        <key>Action</key>
+        <string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
+      </dict>
+    </array>
+		<key>AuthenticationMethod</key>
+		<string>Password</string>
+		<key>RemoteAddress</key>
+		<string>{{ IP_subject_alt_name }}:{{ wireguard_port }}</string>
+	</dict>
+	<key>VPNSubType</key>
+	<string>com.wireguard.{{ system }}</string>
+	<key>VPNType</key>
+	<string>VPN</string>
+	<key>VendorConfig</key>
+	<dict>
+		<key>WgQuickConfig</key>
+		<string>{{- lookup('template', 'client.conf.j2') | indent(8) }}</string>
+	</dict>
+</dict>

server.yml

@@ -28,11 +28,11 @@
             dest: "configs/{{ IP_subject_alt_name }}/ssh_config"
             mode: "0600"
             content: |
-              Host {{ IP_subject_alt_name }} algo
+              Host {{ IP_subject_alt_name }} {{ algo_server_name }}
                 HostName {{ IP_subject_alt_name }}
                 User {{ ansible_ssh_user }}
                 Port {{ ansible_ssh_port }}
-                IdentityFile {{ SSH_keys.private }}
+                IdentityFile {{ SSH_keys.private | realpath }}
                 KeepAlive yes
                 ServerAliveInterval 30
         when: inventory_hostname != 'localhost'

tests/wireguard-client.sh

@@ -2,6 +2,8 @@
 
 set -euxo pipefail
 
+xmllint --noout ./configs/10.0.8.100/wireguard/apple/*/*.mobileconfig
+
 crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off
 
 wg-quick up configs/10.0.8.100/wireguard/user1.conf