wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-02 19:03:04 +02:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into fix-ipsec-53

Browse source
This commit is contained in:
David E. Myers 2020-02-21 08:31:36 -05:00
commit 6409abeb32
No known key found for this signature in database
GPG key ID: D871FCA54815086C
12 changed files with 202 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
README.md
View file

@ -96,7 +96,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN
"# Local DNS resolver 172.16.0.1 #" "# Local DNS resolver 172.16.0.1 #"
"# The p12 and SSH keys password for new users is XXXXXXXX #" "# The p12 and SSH keys password for new users is XXXXXXXX #"
"# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #" "# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #"
"# Shell access: ssh -F configs/<server_ip>/ssh_config algo #" "# Shell access: ssh -F configs/<server_ip>/ssh_config <hostname> #"
``` ```
## Configure the VPN Clients ## Configure the VPN Clients
@ -159,12 +159,20 @@ Use the example command below to start an SSH tunnel by replacing `<user>` and `
Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message: Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message:
`ssh -F configs/<ip>/ssh_config algo` `ssh -F configs/<ip>/ssh_config <hostname>`
where `<ip>` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently. where `<ip>` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
`ssh-add ~/.ssh/algo > /dev/null 2>&1` `ssh-add ~/.ssh/algo > /dev/null 2>&1`
Alternatively, you can choose to include the generated configuration for any Algo servers created into your SSH config. Edit the file `~/.ssh/config` to include this directive at the top:
```
Include <algodirectory>/configs/*/ssh_config
```
where `<algodirectory>` is the directory where you cloned Algo.
## Adding or Removing Users ## Adding or Removing Users
_If you chose to save the CA key during the deploy process,_ then Algo's own scripts can easily add and remove users from the VPN server. _If you chose to save the CA key during the deploy process,_ then Algo's own scripts can easily add and remove users from the VPN server.

2
config.cfg
View file

@ -146,7 +146,7 @@ congrats:
ca_key_pass: | ca_key_pass: |
"# The CA key password is {{ CA_password|default(omit) }} #" "# The CA key password is {{ CA_password|default(omit) }} #"
ssh_access: | ssh_access: |
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config algo #" "# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
SSH_keys: SSH_keys:
comment: algo@ssh comment: algo@ssh

67
input.yml
View file

@ -52,42 +52,43 @@
when: when:
- server_name is undefined - server_name is undefined
- algo_provider != "local" - algo_provider != "local"
- block:
- name: Cellular On Demand prompt
pause:
prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
register: _ondemand_cellular
when: ondemand_cellular is undefined
- name: Wi-Fi On Demand prompt - name: Cellular On Demand prompt
pause: pause:
prompt: | prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N] [y/N]
register: _ondemand_wifi register: _ondemand_cellular
when: ondemand_wifi is undefined when: ondemand_cellular is undefined
- name: Trusted Wi-Fi networks prompt - name: Wi-Fi On Demand prompt
pause: pause:
prompt: | prompt: |
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand" Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) [y/N]
register: _ondemand_wifi_exclude register: _ondemand_wifi
when: when: ondemand_wifi is undefined
- ondemand_wifi_exclude is undefined
- (ondemand_wifi|default(false)|bool) or
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
- name: Retain the PKI prompt - name: Trusted Wi-Fi networks prompt
pause: pause:
prompt: | prompt: |
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
[y/N] (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
register: _store_pki register: _ondemand_wifi_exclude
when: store_pki is undefined when:
when: ipsec_enabled - ondemand_wifi_exclude is undefined
- (ondemand_wifi|default(false)|bool) or
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
- name: Retain the PKI prompt
pause:
prompt: |
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
register: _store_pki
when:
- store_pki is undefined
- ipsec_enabled
- name: DNS adblocking prompt - name: DNS adblocking prompt
pause: pause:

10
roles/common/tasks/aip/digitalocean.yml
View file

@ -11,3 +11,13 @@
- name: Set SNAT IP as a fact - name: Set SNAT IP as a fact
set_fact: set_fact:
snat_aipv4: "{{ anchor_ipv4.content }}" snat_aipv4: "{{ anchor_ipv4.content }}"
- name: IPv6 egress alias configured
template:
src: 99-algo-ipv6-egress.yaml.j2
dest: /etc/netplan/99-algo-ipv6-egress.yaml
when:
- ipv6_support
- ipv6_subnet_size|int > 1
notify:
- netplan apply

5
roles/common/tasks/aip/main.yml
View file

@ -1,4 +1,9 @@
--- ---
- name: Verify the provider
assert:
that: algo_provider in aip_supported_providers
msg: Algo does not support Alternative Ingress IP for {{ algo_provider }}
- name: Include alternative ingress ip configuration - name: Include alternative ingress ip configuration
include_tasks: include_tasks:
file: "{{ algo_provider if algo_provider in aip_supported_providers else 'placeholder' }}.yml" file: "{{ algo_provider if algo_provider in aip_supported_providers else 'placeholder' }}.yml"

10
roles/common/tasks/ubuntu.yml
View file

@ -78,16 +78,6 @@
- name: Gather additional facts - name: Gather additional facts
import_tasks: facts.yml import_tasks: facts.yml
- name: IPv6 egress alias configured
template:
src: 99-algo-ipv6-egress.yaml.j2
dest: /etc/netplan/99-algo-ipv6-egress.yaml
when:
- ipv6_support
- ipv6_subnet_size|int > 1
notify:
- netplan apply
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
tools: tools:

10
roles/wireguard/tasks/main.yml
View file

@ -8,7 +8,8 @@
- "{{ wireguard_pki_path }}/preshared" - "{{ wireguard_pki_path }}/preshared"
- "{{ wireguard_pki_path }}/private" - "{{ wireguard_pki_path }}/private"
- "{{ wireguard_pki_path }}/public" - "{{ wireguard_pki_path }}/public"
- "{{ wireguard_config_path }}" - "{{ wireguard_config_path }}/apple/ios"
- "{{ wireguard_config_path }}/apple/macos"
delegate_to: localhost delegate_to: localhost
become: false become: false
@ -51,6 +52,13 @@
vars: vars:
index: "{{ item.0 }}" index: "{{ item.0 }}"
- include_tasks: mobileconfig.yml
loop:
- ios
- macos
loop_control:
loop_var: system
- name: Generate QR codes - name: Generate QR codes
shell: > shell: >
umask 077; umask 077;

10
roles/wireguard/tasks/mobileconfig.yml Normal file
View file

@ -0,0 +1,10 @@
---
- name: WireGuard apple mobileconfig generated
template:
src: mobileconfig.j2
dest: "{{ wireguard_config_path }}/apple/{{ system }}/{{ item.1 }}.mobileconfig"
mode: "0600"
with_indexed_items: "{{ wireguard_users }}"
when: item.1 in users
vars:
index: "{{ item.0 }}"

25
roles/wireguard/templates/mobileconfig.j2 Normal file
View file

@ -0,0 +1,25 @@
#jinja2:lstrip_blocks: True
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
{% include 'vpn-dict.j2' %}
</array>
<key>PayloadDisplayName</key>
<string>AlgoVPN {{ algo_server_name }} WireGuard</string>
<key>PayloadIdentifier</key>
<string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
<key>PayloadOrganization</key>
<string>AlgoVPN</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>{{ 400000 | random | to_uuid | upper }}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

94
roles/wireguard/templates/vpn-dict.j2 Normal file
View file

@ -0,0 +1,94 @@
<dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>{{ algo_server_name }}</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.{{ algo_server_name + system | to_uuid | upper }}</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>{{ algo_server_name + system | to_uuid | upper }}</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>AlgoVPN {{ algo_server_name }}</string>
<key>VPN</key>
<dict>
<key>OnDemandEnabled</key>
<integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
<key>OnDemandRules</key>
<array>
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
{% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
{% for network_name in WIFI_EXCLUDE_LIST %}
<string>{{ network_name|e }}</string>
{% endfor %}
</array>
</dict>
{% endif %}
<dict>
<key>Action</key>
{% if algo_ondemand_wifi %}
<string>Connect</string>
{% else %}
<string>Disconnect</string>
{% endif %}
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>URLStringProbe</key>
<string>http://captive.apple.com/hotspot-detect.html</string>
</dict>
<dict>
<key>Action</key>
{% if algo_ondemand_cellular %}
<string>Connect</string>
{% else %}
<string>Disconnect</string>
{% endif %}
<key>InterfaceTypeMatch</key>
<string>Cellular</string>
<key>URLStringProbe</key>
<string>http://captive.apple.com/hotspot-detect.html</string>
</dict>
{% endif %}
<dict>
<key>Action</key>
<string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
</dict>
</array>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>{{ IP_subject_alt_name }}:{{ wireguard_port }}</string>
</dict>
<key>VPNSubType</key>
<string>com.wireguard.{{ system }}</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>WgQuickConfig</key>
<string>{{- lookup('template', 'client.conf.j2') | indent(8) }}</string>
</dict>
</dict>

4
server.yml
View file

@ -28,11 +28,11 @@
dest: "configs/{{ IP_subject_alt_name }}/ssh_config" dest: "configs/{{ IP_subject_alt_name }}/ssh_config"
mode: "0600" mode: "0600"
content: | content: |
Host {{ IP_subject_alt_name }} algo Host {{ IP_subject_alt_name }} {{ algo_server_name }}
HostName {{ IP_subject_alt_name }} HostName {{ IP_subject_alt_name }}
User {{ ansible_ssh_user }} User {{ ansible_ssh_user }}
Port {{ ansible_ssh_port }} Port {{ ansible_ssh_port }}
IdentityFile {{ SSH_keys.private }} IdentityFile {{ SSH_keys.private | realpath }}
KeepAlive yes KeepAlive yes
ServerAliveInterval 30 ServerAliveInterval 30
when: inventory_hostname != 'localhost' when: inventory_hostname != 'localhost'

2
tests/wireguard-client.sh
View file

@ -2,6 +2,8 @@
set -euxo pipefail set -euxo pipefail
xmllint --noout ./configs/10.0.8.100/wireguard/apple/*/*.mobileconfig
crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off crudini --set configs/10.0.8.100/wireguard/user1.conf Interface Table off
wg-quick up configs/10.0.8.100/wireguard/user1.conf wg-quick up configs/10.0.8.100/wireguard/user1.conf