From c6f45ead6920abec525129ec37b5e7adde45b2fb Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 6 Sep 2019 09:33:36 +0200 Subject: [PATCH 1/3] Allow OnDemand to be toggled later (#1557) --- roles/strongswan/templates/mobileconfig.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/strongswan/templates/mobileconfig.j2 b/roles/strongswan/templates/mobileconfig.j2 index a8123d5..807683f 100644 --- a/roles/strongswan/templates/mobileconfig.j2 +++ b/roles/strongswan/templates/mobileconfig.j2 @@ -8,11 +8,11 @@ IKEv2 -{% if algo_ondemand_wifi or algo_ondemand_cellular %} OnDemandEnabled - 1 + {{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }} OnDemandRules +{% if algo_ondemand_wifi or algo_ondemand_cellular %} {% if algo_ondemand_wifi_exclude|b64decode != '_null' %} {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %} @@ -52,12 +52,12 @@ URLStringProbe http://captive.apple.com/hotspot-detect.html +{% endif %} Action - Disconnect + {{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }} -{% endif %} AuthenticationMethod Certificate ChildSecurityAssociationParameters From 1ca8ee5554330f7bbd869b2936a7d7a3087b9b9e Mon Sep 17 00:00:00 2001 From: Squirrel Date: Fri, 6 Sep 2019 16:55:57 +0800 Subject: [PATCH 2/3] Generates a password by native module (#1576) * use password module to generate password * fix variable reference * reduce character set to meet origin design * CA and p12 password chanes - Move the CA_password generation task to the native lookup plugin - Get rid of unneeded tasks --- roles/common/tasks/facts.yml | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml index c064d7b..02e88ed 100644 --- a/roles/common/tasks/facts.yml +++ b/roles/common/tasks/facts.yml 
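Review bot: The enabling condition `algo_ondemand_wifi or algo_ondemand_cellular` is now spelled out three times in this template — in the `OnDemandEnabled` integer and the relocated `{% if %}` guard of the first hunk, and in the `Action` string of the second hunk — so a later edit to one site can silently drift from the others; a single `{% set ondemand = algo_ondemand_wifi or algo_ondemand_cellular %}` near the top of the template, referenced at all three sites, keeps them in lock-step. The listing appears to have dropped the plist XML tags around these values, so the exact placement of the moved `{% endif %}` relative to the rule dict that precedes `Action` cannot be confirmed here; it needs to sit after that dict is closed so the always-emitted `Action` rule stays well-formed when on-demand is off. Since the `Action` dict is now outside the guard, a profile with on-demand disabled still carries what is effectively a lone catch-all rule, which is presumably what lets the user toggle "Connect On Demand" in Settings later; a template comment such as `{# OnDemandRules are always emitted (a lone catch-all Connect rule when on-demand is off) so the user can toggle Connect On Demand in Settings later #}` would record that intent, which the commit title only hints at.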
@@ -1,27 +1,12 @@ --- -- block: - - name: Generate password for the CA key - command: openssl rand -hex 16 - register: CA_password - - - name: Generate p12 export password - shell: > - openssl rand 8 | - python -c 'import sys,string; chars=string.ascii_letters + string.digits + "_@"; print("".join([chars[ord(c) % 64] for c in list(sys.stdin.read())]))' - register: p12_password_generated - when: p12_password is not defined - tags: update-users - become: false - delegate_to: localhost - - name: Define facts set_fact: - p12_export_password: "{{ p12_password|default(p12_password_generated.stdout) }}" + p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}" tags: update-users - name: Set facts set_fact: - CA_password: "{{ CA_password.stdout }}" + CA_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@') }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" - name: Set IPv6 support as a fact From 71e49eb2c82dffc9f114052a963690d3d97abbb7 Mon Sep 17 00:00:00 2001 From: Nian Wang Date: Fri, 6 Sep 2019 01:56:24 -0700 Subject: [PATCH 3/3] Add spacing, list format for readability. (#1560) --- ...-from-script-or-cloud-init-to-localhost.md | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index a59a3f7..0c937d3 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md 
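Review bot: The `CA_password` fact in the `Set facts` task now draws 16 characters from a 64-symbol alphabet (about 96 bits of entropy), whereas the removed `openssl rand -hex 16` task produced 128 bits; the CA key passphrase is the long-lived secret here, so `length=32` (or at least 22) would keep it at or above the previous strength: `CA_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits,_,@') }}"`. The `p12_export_password` default in `Define facts` goes from 8 to 9 characters of the same alphabet, a slight increase, and the `default()` argument is evaluated even when `p12_password` is supplied, which only wastes a lookup. Because both values are now materialised by `set_fact`, they show up in task output under `-v`, so `no_log: true` on both tasks would keep the passphrases out of verbose logs; the dropped `delegate_to: localhost` / `become: false` is not needed for lookups, which always run on the controller. As far as I recall Ansible's password lookup draws from `random.SystemRandom`, so generator quality should match `openssl rand`, but that is worth confirming for the Ansible versions the project supports.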
@@ -1,10 +1,14 @@
 # Deploy from script or cloud-init
-You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
+You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created.
+
+The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
 ## Cloud init deployment
-You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server. For now it is only possible for [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init).
+You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server.
+
+For now it is only possible for [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init).
 ```
 #!/bin/bash
@@ -14,19 +18,19 @@ The command will prepare the environment and install AlgoVPN with the default pa
 ## Variables
-`METHOD` - which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method.
-`ONDEMAND_CELLULAR` - "Connect On Demand" when connected to cellular networks. Boolean. Default: false.
-`ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false.
-`ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
-`STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false.
-`DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false.
-`SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false.
-`ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
-`USERS` - list of VPN users. Comma-separated list. Default: user1.
-`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
-`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master.
-`EXTRA_VARS` - Additional extra variables.
-`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`.
+- `METHOD`: Which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method.
+- `ONDEMAND_CELLULAR`: "Connect On Demand" when connected to cellular networks. Boolean. 
Default: false.
+- `ONDEMAND_WIFI`: "Connect On Demand" when connected to Wi-Fi. Default: false.
+- `ONDEMAND_WIFI_EXCLUDE`: List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
+- `STORE_PKI`: To retain the PKI. (required to add users in the future, but less secure). Default: false.
+- `DNS_ADBLOCKING`: To install an ad blocking DNS resolver. Default: false.
+- `SSH_TUNNELING`: Enable SSH tunneling for each user. Default: false.
+- `ENDPOINT`: The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
+- `USERS`: list of VPN users. Comma-separated list. Default: user1.
+- `REPO_SLUG`: Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
+- `REPO_BRANCH`: Branch for `REPO_SLUG`. Default: master.
+- `EXTRA_VARS`: Additional extra variables.
+- `ANSIBLE_EXTRA_ARGS`: Any available ansible parameters. ie: `--skip-tags apparmor`.
 ## Examples