diff --git a/docs/client-linux.md b/docs/client-linux.md index a5fd5b4b..a5155501 100644 --- a/docs/client-linux.md +++ b/docs/client-linux.md 
@@ -19,4 +19,60 @@ ansible-playbook deploy_client.yml -e 'client_ip=client.com vpn_user=jack server ### Additional options -If the user requires sudo password use the following argument: `--ask-become-pass`. \ No newline at end of file +If the user requires sudo password use the following argument: `--ask-become-pass`. + +## OS Specific instructions + +Some Linux clients may require more specific and details instructions to configure a connection to the deployed Algo VPN, these are documented here. + +### Fedora Workstation + +#### (Gnome) Network Manager install + +We'll use the [rsclarke/NetworkManager-strongswan](https://copr.fedorainfracloud.org/coprs/rsclarke/NetworkManager-strongswan/) Copr repo (see [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-327820191)), this will make the `IKE` and `ESP` fields available in the Gnome Network Manager. Note that at time of writing the non-Copr repo will result in connection failures. Also note that the Copr repo *instructions are not filled in by author. Author knows what to do. Everybody else should avoid this repo*. So unless you are comfortable with using this repo, you'll want to hold out untill the patches applied in the Copr repo make it into stable. + +First remove the stable `NetworkManager-strongswan` package, ensure you have backups in place and / or take note of config backups taken during the removal of the package. + +```` +dnf remove NetworkManager-strongswan +```` + +Next, enable the Copr repo and install it along with the `NetworkManager-strongswan-gnome` package: + +```` +dnf copr enable -y rsclarke/NetworkManager-strongswan +dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome +```` + +Reboot your machine: + +```` +reboot now +```` + +#### (Gnome) Network Manager configuration + +In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the user we created is `user-name`. 
+ +* Go to *Settings* > *Network* +* Add a new Network (`+` bottom left of the window) +* Select *IPsec/IKEv2 (strongswan)* +* Fill out the options: + * Name: your choice, e.g.: *ikev2-1.2.3.4* + * Gateway: + * Address: IP of the Algo VPN server, e.g: `1.2.3.4` + * Certificate: `cacert.pem` found at `/path/to/algo/1.2.3.4/cacert.pem` + * Client: + * Authentication: *Certificate/Private key* + * Certificate: `user-name.crt` found at `/path/to/algo/1.2.3.4/pki/certs/user-name.crt` + * Private key: `user-name.key` found at `/path/to/algo/1.2.3.4/pki/private/user-name.key` + * Options: + * Check *Request an inner IP address*, connection will fail without this option + * Optionally check *Enforce UDP encapsulation* + * Optionally check *Use IP compression* + * For the later 2 options, hover to option in the settings to see a description + * Cipher proposal: + * Check *Enable custom proposals* + * IKE: `aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256` + * ESP: `aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256` +* Apply and turn the connection on, you should now be connected \ No newline at end of file
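Review bot: the "(Gnome) Network Manager install" subsection tells the reader to `dnf copr enable -y rsclarke/NetworkManager-strongswan` and install from it while in the same paragraph quoting the repo's own warning that "Everybody else should avoid this repo"; put that warning (and the "hold out until the patches make it into stable" advice) at the top of the subsection, before the `dnf remove NetworkManager-strongswan` step, so a reader decides about the third-party repo before removing the stable package. The `dnf remove`, `dnf copr enable`, `dnf install` and `reboot` commands all need root, so either prefix them with `sudo` or say they run as root; the rest of the page assumes a non-root user (`--ask-become-pass`). Under "Client", the key at `/path/to/algo/1.2.3.4/pki/private/user-name.key` is the user's private key, so the step should say to copy it with owner-only permissions before pointing Network Manager at it. Typos in the added prose: "more specific and details instructions" should be "more specific and detailed instructions", "untill" should be "until", and "For the later 2 options, hover to option" should be "For the latter two options, hover over the option".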