Merge branch 'master' into ansible-2.8

This commit is contained in:
Jack Ivanov 2019-09-06 11:13:07 +02:00 committed by GitHub
commit a2da4b6325
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 38 deletions


@ -1,10 +1,14 @@
# Deploy from script or cloud-init # Deploy from script or cloud-init
You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory. You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created.
The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
## Cloud init deployment ## Cloud init deployment
You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server. For now this has only been successfully tested on [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init). You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server.
For now this has only been successfully tested on [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init).
``` ```
#!/bin/bash #!/bin/bash
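Review bot: the reflow to one sentence per line is content-neutral, but since this paragraph now states on its own line that the install output, including the p12 and CA passwords, is written to `/opt/algo`, it should also tell the reader to collect those files after deployment and then restrict access to or delete them, because they remain on the server once the run has finished and nothing in this doc says who can read that directory.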
@ -14,31 +18,31 @@ The command will prepare the environment and install AlgoVPN with the default pa
## Variables ## Variables
`METHOD` - which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method. - `METHOD`: which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method.
`ONDEMAND_CELLULAR` - "Connect On Demand" when connected to cellular networks. Boolean. Default: false. - `ONDEMAND_CELLULAR`: "Connect On Demand" when connected to cellular networks. Boolean. Default: false.
`ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false. - `ONDEMAND_WIFI`: "Connect On Demand" when connected to Wi-Fi. Default: false.
`ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list. - `ONDEMAND_WIFI_EXCLUDE`: List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
`STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false. - `STORE_PKI: To retain the PKI. (required to add users in the future, but less secure). Default: false.
`DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false. - `DNS_ADBLOCKING`: To install an ad blocking DNS resolver. Default: false.
`SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false. - `SSH_TUNNELING`: Enable SSH tunneling for each user. Default: false.
`ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address. - `ENDPOINT`: The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
`USERS` - list of VPN users. Comma-separated list. Default: user1. - `USERS`: list of VPN users. Comma-separated list. Default: user1.
`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo. - `REPO_SLUG`: Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master. - `REPO_BRANCH`: Branch for `REPO_SLUG`. Default: master.
`EXTRA_VARS` - Additional extra variables. - `EXTRA_VARS`: Additional extra variables.
`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`. - `ANSIBLE_EXTRA_ARGS`: Any available ansible parameters. ie: `--skip-tags apparmor`.
## Examples ## Examples
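Review bot: the `STORE_PKI` bullet on the new side is missing its closing backtick: the line reads "- `STORE_PKI: To retain the PKI." and should read "- `STORE_PKI`: To retain the PKI.", otherwise the rest of that bullet renders as inline code. Every other entry in the converted list carries the closing backtick, so this is the only rendering defect in the hunk.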


@ -1,29 +1,12 @@
--- ---
- block:
- name: Generate password for the CA key
command: openssl rand -hex 16
register: CA_password
- name: Generate p12 export password
shell: >
openssl rand 8 |
python3 -c 'import sys,string; chars=string.ascii_letters + string.digits + "_@"; print("".join([chars[ord(c) % 64] for c in list(sys.stdin.read())]))'
register: p12_password_generated
when: p12_password is not defined
tags: update-users
environment:
LANG: C
become: false
delegate_to: localhost
- name: Define facts - name: Define facts
set_fact: set_fact:
p12_export_password: "{{ p12_password|default(p12_password_generated.stdout) }}" p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
tags: update-users tags: update-users
- name: Set facts - name: Set facts
set_fact: set_fact:
CA_password: "{{ CA_password.stdout }}" CA_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@') }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Set IPv6 support as a fact - name: Set IPv6 support as a fact
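Review bot: the new `lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')` lowers the CA password's entropy from 128 bits (`openssl rand -hex 16` gives 32 hex characters) to 96 bits (16 characters drawn from a 64-symbol alphabet), while the p12 password moves from 48 bits (8 random bytes mapped with `ord(c) % 64`) to about 54 bits (`length=9` over the same alphabet); if parity with the old CA strength is wanted, `length=22` over this alphabet gives roughly 132 bits. Also worth checking: the removed block carried `tags: update-users` for both generators, but the new `Set facts` task that sets `CA_password` shows no `tags:` line in this hunk, so confirm `CA_password` is still defined on `update-users` runs. Note that `/dev/null` as the lookup path means no file is written, so each `set_fact` evaluation yields a fresh value, which is fine here because `set_fact` evaluates once per play.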


@ -8,11 +8,11 @@
<dict> <dict>
<key>IKEv2</key> <key>IKEv2</key>
<dict> <dict>
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
<key>OnDemandEnabled</key> <key>OnDemandEnabled</key>
<integer>1</integer> <integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
<key>OnDemandRules</key> <key>OnDemandRules</key>
<array> <array>
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
{% if algo_ondemand_wifi_exclude|b64decode != '_null' %} {% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %} {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
<dict> <dict>
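Review bot: the condition `algo_ondemand_wifi or algo_ondemand_cellular` now appears twice in this hunk (in the `OnDemandEnabled` integer expression and in the `{% if %}` moved inside `<array>`) and a third time in the next hunk's `Action` string; a single `{% set ondemand_enabled = algo_ondemand_wifi or algo_ondemand_cellular %}` near the top of the template would keep the three copies from drifting apart. Since the `{% if %}` now opens inside `<array>`, its matching `{% endif %}` must close before `</array>`; the old `{% endif %}` after `</array>` is removed in the following hunk, so make sure the relocated one lands before the closing catch-all rule as that hunk shows.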
@ -52,12 +52,12 @@
<key>URLStringProbe</key> <key>URLStringProbe</key>
<string>http://captive.apple.com/hotspot-detect.html</string> <string>http://captive.apple.com/hotspot-detect.html</string>
</dict> </dict>
{% endif %}
<dict> <dict>
<key>Action</key> <key>Action</key>
<string>Disconnect</string> <string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
</dict> </dict>
</array> </array>
{% endif %}
<key>AuthenticationMethod</key> <key>AuthenticationMethod</key>
<string>Certificate</string> <string>Certificate</string>
<key>ChildSecurityAssociationParameters</key> <key>ChildSecurityAssociationParameters</key>
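Review bot: with on-demand disabled the template now emits `OnDemandEnabled` = 0 together with an `OnDemandRules` array whose only rule is `Action` = `Connect`; if the intent is that no on-demand behaviour exists in that case, omitting the `OnDemandRules` array when the condition is false would be clearer than emitting a catch-all `Connect` rule that is inert only as long as `OnDemandEnabled` stays 0. Also, the `{% endif %}` added after the `URLStringProbe` dict closes the `{% if algo_ondemand_wifi or algo_ondemand_cellular %}` that the previous hunk opens inside `<array>`, while the old `{% endif %}` after `</array>` is dropped; a brief comment at the new `{% endif %}` naming which `{% if %}` it closes would help, since the inner `algo_ondemand_wifi_exclude` block also ends in this region.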