parent
71c9c16ffe
commit
a2fdc509e1
12 changed files with 103 additions and 76 deletions
111
.travis.yml
111
.travis.yml
|
@ -51,56 +51,73 @@ custom_scripts:
|
||||||
- sudo env "PATH=$PATH" ./tests/ipsec-client.sh
|
- sudo env "PATH=$PATH" ./tests/ipsec-client.sh
|
||||||
- sudo ./tests/ssh-tunnel.sh
|
- sudo ./tests/ssh-tunnel.sh
|
||||||
|
|
||||||
|
stages:
|
||||||
|
- &tests-and-linters
|
||||||
|
stage: Tests
|
||||||
|
name: code checks and linters
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- shellcheck
|
||||||
|
script:
|
||||||
|
- pip install ansible-lint
|
||||||
|
- shellcheck algo install.sh
|
||||||
|
- ansible-playbook main.yml --syntax-check
|
||||||
|
- ansible-lint -v *.yml
|
||||||
|
|
||||||
|
- &deploy-local
|
||||||
|
stage: Deploy
|
||||||
|
name: local deployment from docker
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
sources: *default_sources
|
||||||
|
packages: *default_packages
|
||||||
|
before_install: *provisioning
|
||||||
|
before_script:
|
||||||
|
- docker build -t travis/algo .
|
||||||
|
- ./tests/local-deploy.sh
|
||||||
|
- ./tests/update-users.sh
|
||||||
|
script: *tests
|
||||||
|
|
||||||
|
- &deploy-cloudinit
|
||||||
|
stage: Deploy
|
||||||
|
name: cloud-init deployment
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
sources: *default_sources
|
||||||
|
packages: *default_packages
|
||||||
|
env: DEPLOY=cloud-init
|
||||||
|
before_install: *provisioning
|
||||||
|
before_script:
|
||||||
|
- until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
|
||||||
|
- ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
|
||||||
|
- |
|
||||||
|
until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
|
||||||
|
echo 'Cloud init is not finished. Sleep for 30 seconds';
|
||||||
|
sleep 30;
|
||||||
|
done
|
||||||
|
- sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
|
||||||
|
- sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
|
||||||
|
- sudo lxc file pull algo/root/algo-configs.tar ./
|
||||||
|
- sudo tar -C ./configs -zxf algo-configs.tar
|
||||||
|
script: *tests
|
||||||
|
|
||||||
matrix:
|
matrix:
|
||||||
fast_finish: true
|
fast_finish: true
|
||||||
include:
|
include:
|
||||||
- stage: Tests
|
- <<: *tests-and-linters
|
||||||
name: code checks and linters
|
- <<: *deploy-local
|
||||||
addons:
|
name: 'Ubuntu 18.04: local deployment from docker'
|
||||||
apt:
|
env: DEPLOY=docker UBUNTU_VERSION=18.04
|
||||||
packages:
|
- <<: *deploy-local
|
||||||
- shellcheck
|
name: 'Ubuntu 19.04: local deployment from docker'
|
||||||
script:
|
env: DEPLOY=docker UBUNTU_VERSION=19.04
|
||||||
- pip install ansible-lint
|
- <<: *deploy-cloudinit
|
||||||
- shellcheck algo install.sh
|
name: 'Ubuntu 18.04: cloud-init deployment'
|
||||||
- ansible-playbook main.yml --syntax-check
|
env: DEPLOY=cloud-init UBUNTU_VERSION=18.04
|
||||||
- ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml
|
- <<: *deploy-cloudinit
|
||||||
|
name: 'Ubuntu 19.04: cloud-init deployment'
|
||||||
- stage: Deploy
|
env: DEPLOY=cloud-init UBUNTU_VERSION=19.04
|
||||||
name: local deployment from docker
|
|
||||||
addons:
|
|
||||||
apt:
|
|
||||||
sources: *default_sources
|
|
||||||
packages: *default_packages
|
|
||||||
env: DEPLOY=docker
|
|
||||||
before_install: *provisioning
|
|
||||||
before_script:
|
|
||||||
- docker build -t travis/algo .
|
|
||||||
- ./tests/local-deploy.sh
|
|
||||||
- ./tests/update-users.sh
|
|
||||||
script: *tests
|
|
||||||
|
|
||||||
- stage: Deploy
|
|
||||||
name: cloud-init deployment
|
|
||||||
addons:
|
|
||||||
apt:
|
|
||||||
sources: *default_sources
|
|
||||||
packages: *default_packages
|
|
||||||
env: DEPLOY=cloud-init
|
|
||||||
before_install: *provisioning
|
|
||||||
before_script:
|
|
||||||
- until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
|
|
||||||
- ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
|
|
||||||
- |
|
|
||||||
until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
|
|
||||||
echo 'Cloud init is not finished. Sleep for 30 seconds';
|
|
||||||
sleep 30;
|
|
||||||
done
|
|
||||||
- sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
|
|
||||||
- sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
|
|
||||||
- sudo lxc file pull algo/root/algo-configs.tar ./
|
|
||||||
- sudo tar -C ./configs -zxf algo-configs.tar
|
|
||||||
script: *tests
|
|
||||||
|
|
||||||
notifications:
|
notifications:
|
||||||
email: false
|
email: false
|
||||||
|
|
|
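Review bot: The lint step in the new `&tests-and-linters` template runs `ansible-lint -v *.yml`, while the removed inline Tests job ran `ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml`, so role task files and playbooks drop out of linting; unless the narrowing is intended, restore the globs: `- ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml`. The old and new columns are interleaved on this page, so that reading is inferred from which command appears only in the removed job. Separately, the three job templates are placed under `stages:`, which as far as I know Travis reads as the ordered list of stage names (optionally with `if:`), not as job definitions; if it tolerates the extra keys this works purely as an anchor holder, and a comment such as `# job templates only (anchors); the real jobs are listed in matrix.include` above it would make that intent explicit for the next editor.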
@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC
|
||||||
* Blocks ads with a local DNS resolver (optional)
|
* Blocks ads with a local DNS resolver (optional)
|
||||||
* Sets up limited SSH users for tunneling traffic (optional)
|
* Sets up limited SSH users for tunneling traffic (optional)
|
||||||
* Based on current versions of Ubuntu and strongSwan
|
* Based on current versions of Ubuntu and strongSwan
|
||||||
* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu 18.04 LTS server
|
* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu server
|
||||||
|
|
||||||
## Anti-features
|
## Anti-features
|
||||||
|
|
||||||
|
@ -93,9 +93,9 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir
|
||||||
|
|
||||||
On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
|
On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
|
||||||
|
|
||||||
On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file.
|
On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file.
|
||||||
|
|
||||||
On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.)
|
On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.)
|
||||||
|
|
||||||
Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
|
Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
|
||||||
|
|
||||||
|
@ -122,7 +122,7 @@ Network Manager does not support AES-GCM. In order to support Linux Desktop clie
|
||||||
|
|
||||||
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
|
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
|
||||||
|
|
||||||
#### Ubuntu Server 18.04 example
|
#### Ubuntu Server example
|
||||||
|
|
||||||
1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
|
1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
|
||||||
2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`
|
2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`
|
||||||
|
|
10
config.cfg
10
config.cfg
|
@ -126,10 +126,10 @@ SSH_keys:
|
||||||
cloud_providers:
|
cloud_providers:
|
||||||
azure:
|
azure:
|
||||||
size: Basic_A0
|
size: Basic_A0
|
||||||
image: 18.04-LTS
|
image: 19.04
|
||||||
digitalocean:
|
digitalocean:
|
||||||
size: s-1vcpu-1gb
|
size: s-1vcpu-1gb
|
||||||
image: "ubuntu-18-04-x64"
|
image: "ubuntu-19-04-x64"
|
||||||
ec2:
|
ec2:
|
||||||
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
|
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
|
||||||
# Warning: the Algo script will take approximately 6 minutes longer to complete.
|
# Warning: the Algo script will take approximately 6 minutes longer to complete.
|
||||||
|
@ -139,11 +139,11 @@ cloud_providers:
|
||||||
use_existing_eip: false
|
use_existing_eip: false
|
||||||
size: t2.micro
|
size: t2.micro
|
||||||
image:
|
image:
|
||||||
name: "ubuntu-bionic-18.04"
|
name: "ubuntu-disco-19.04"
|
||||||
owner: "099720109477"
|
owner: "099720109477"
|
||||||
gce:
|
gce:
|
||||||
size: f1-micro
|
size: f1-micro
|
||||||
image: ubuntu-1804
|
image: ubuntu-1904
|
||||||
external_static_ip: false
|
external_static_ip: false
|
||||||
lightsail:
|
lightsail:
|
||||||
size: nano_1_0
|
size: nano_1_0
|
||||||
|
@ -156,7 +156,7 @@ cloud_providers:
|
||||||
flavor_ram: ">=512"
|
flavor_ram: ">=512"
|
||||||
image: Ubuntu-18.04
|
image: Ubuntu-18.04
|
||||||
vultr:
|
vultr:
|
||||||
os: Ubuntu 18.04 x64
|
os: Ubuntu 19.04 x64
|
||||||
size: 1024 MB RAM,25 GB SSD,1.00 TB BW
|
size: 1024 MB RAM,25 GB SSD,1.00 TB BW
|
||||||
local:
|
local:
|
||||||
|
|
||||||
|
|
|
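Review bot: The default images for azure, digitalocean, ec2, gce and vultr move from the 18.04 LTS to 19.04, an interim release with roughly nine months of security updates, so servers deployed with these defaults stop receiving patches far sooner than with the LTS image; a comment above `cloud_providers:` noting the support-window trade-off, and when operators should pin an LTS image instead, would make that cost visible where the choice is made. The openstack entry in the `@ -156,7 +156,7 @@` hunk keeps `image: Ubuntu-18.04` while every other provider is bumped; if that is deliberate, a comment such as `# no 19.04 image verified for this provider yet` would stop it from reading as an oversight.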
@ -34,8 +34,8 @@ What provider would you like to use?
|
||||||
6. Google Compute Engine
|
6. Google Compute Engine
|
||||||
7. Scaleway
|
7. Scaleway
|
||||||
8. OpenStack (DreamCompute optimised)
|
8. OpenStack (DreamCompute optimised)
|
||||||
9. Install to existing Ubuntu 18.04 server (Advanced)
|
9. Install to existing Ubuntu server (Advanced)
|
||||||
|
|
||||||
Enter the number of your desired provider
|
Enter the number of your desired provider
|
||||||
:
|
:
|
||||||
1
|
1
|
||||||
|
@ -68,7 +68,7 @@ What region should the server be located in?
|
||||||
7. sfo2 San Francisco 2
|
7. sfo2 San Francisco 2
|
||||||
8. sgp1 Singapore 1
|
8. sgp1 Singapore 1
|
||||||
9. tor1 Toronto 1
|
9. tor1 Toronto 1
|
||||||
|
|
||||||
Enter the number of your desired region
|
Enter the number of your desired region
|
||||||
[6]
|
[6]
|
||||||
:
|
:
|
||||||
|
|
|
@ -4,7 +4,7 @@ You can use Algo to configure a local server as an AlgoVPN rather than create an
|
||||||
|
|
||||||
Install the Algo scripts on your server and follow the normal installation instructions, then choose:
|
Install the Algo scripts on your server and follow the normal installation instructions, then choose:
|
||||||
```
|
```
|
||||||
Install to existing Ubuntu 18.04 server (Advanced)
|
Install to existing Ubuntu 18.04 or 19.04 server (Advanced)
|
||||||
```
|
```
|
||||||
Make sure your server is running the operating system specified.
|
Make sure your server is running the operating system specified.
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support:
|
Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support:
|
||||||
|
|
||||||
1. the base operating system image that Algo uses (Ubuntu 18.04), and
|
1. the base operating system image that Algo uses (Ubuntu 18.04, 19.04), and
|
||||||
2. a minimum of certain kernel modules required for the strongSwan IPsec server.
|
2. a minimum of certain kernel modules required for the strongSwan IPsec server.
|
||||||
|
|
||||||
Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.
|
Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
- Configure [Vultr](cloud-vultr.md)
|
- Configure [Vultr](cloud-vultr.md)
|
||||||
* Advanced Deployment
|
* Advanced Deployment
|
||||||
- Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
|
- Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
|
||||||
- Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server
|
- Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server
|
||||||
- Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
|
- Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
|
||||||
* [FAQ](faq.md)
|
* [FAQ](faq.md)
|
||||||
* [Firewalls](firewalls.md)
|
* [Firewalls](firewalls.md)
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
- { name: Google Compute Engine, alias: gce }
|
- { name: Google Compute Engine, alias: gce }
|
||||||
- { name: Scaleway, alias: scaleway}
|
- { name: Scaleway, alias: scaleway}
|
||||||
- { name: OpenStack (DreamCompute optimised), alias: openstack }
|
- { name: OpenStack (DreamCompute optimised), alias: openstack }
|
||||||
- { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local }
|
- { name: Install to existing Ubuntu 18.04 or 19.04 server (Advanced), alias: local }
|
||||||
vars_files:
|
vars_files:
|
||||||
- config.cfg
|
- config.cfg
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
/usr/bin/dnscrypt-proxy flags=(attach_disconnected) {
|
/usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/openssl>
|
#include <abstractions/openssl>
|
||||||
|
|
|
@ -2,8 +2,9 @@
|
||||||
- name: Add the repository
|
- name: Add the repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
state: present
|
state: present
|
||||||
codename: bionic
|
codename: "{{ ansible_distribution_release }}"
|
||||||
repo: ppa:shevchuk/dnscrypt-proxy
|
repo: ppa:shevchuk/dnscrypt-proxy
|
||||||
|
when: ansible_distribution_version is version_compare('19.04', '<')
|
||||||
register: result
|
register: result
|
||||||
until: result is succeeded
|
until: result is succeeded
|
||||||
retries: 10
|
retries: 10
|
||||||
|
|
|
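Review bot: The new `when: ansible_distribution_version is version_compare('19.04', '<')` guard skips adding the third-party PPA on 19.04 and later without saying why, so a reader cannot tell whether the package is expected from the distro archive there or the path simply was not exercised; a comment above the task such as `# PPA only needed before 19.04 — later releases are assumed to ship dnscrypt-proxy in the archive; confirm` would record the assumption. Since this guard alone decides whether an external apt signing key gets trusted on the host, the rationale deserves to be written down next to it. `version_compare` is the legacy name of the `version` test; `is version('19.04', '<')` is the current spelling with the same behaviour.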
@ -10,17 +10,26 @@
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
install_recommends: yes
|
install_recommends: yes
|
||||||
|
|
||||||
- name: Ubuntu | Enforcing ipsec with apparmor
|
- block:
|
||||||
command: aa-enforce "{{ item }}"
|
# https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238
|
||||||
|
- name: Ubuntu | Charon profile for apparmor configured
|
||||||
|
copy:
|
||||||
|
dest: /etc/apparmor.d/local/usr.lib.ipsec.charon
|
||||||
|
content: ' capability setpcap,'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify: restart strongswan
|
||||||
|
|
||||||
|
- name: Ubuntu | Enforcing ipsec with apparmor
|
||||||
|
command: aa-enforce "{{ item }}"
|
||||||
|
changed_when: false
|
||||||
|
with_items:
|
||||||
|
- /usr/lib/ipsec/charon
|
||||||
|
- /usr/lib/ipsec/lookip
|
||||||
|
- /usr/lib/ipsec/stroke
|
||||||
|
tags: apparmor
|
||||||
when: apparmor_enabled|default(false)|bool
|
when: apparmor_enabled|default(false)|bool
|
||||||
changed_when: false
|
|
||||||
with_items:
|
|
||||||
- /usr/lib/ipsec/charon
|
|
||||||
- /usr/lib/ipsec/lookip
|
|
||||||
- /usr/lib/ipsec/stroke
|
|
||||||
notify:
|
|
||||||
- restart apparmor
|
|
||||||
tags: ['apparmor']
|
|
||||||
|
|
||||||
- name: Ubuntu | Enable services
|
- name: Ubuntu | Enable services
|
||||||
service: name={{ item }} enabled=yes
|
service: name={{ item }} enabled=yes
|
||||||
|
|
|
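Review bot: `mode: 0644` on the new copy task is an unquoted octal literal, which a YAML 1.1 parser turns into the integer 420; Ansible happens to interpret that value correctly, but the form is fragile (`644` would become decimal 644), so write `mode: "0644"`. The `content: ' capability setpcap,'` value has no trailing newline; the AppArmor parser may accept a final unterminated line, but `content: " capability setpcap,\n"` avoids depending on it. The old aa-enforce task notified `restart apparmor` and the new one notifies nothing, presumably because `aa-enforce` itself reloads the profile with the new local include in place; a one-line comment stating that would keep the next reader from re-adding the handler. The launchpad bug link above the block is the right place for the setpcap justification, and it is good that the grant is a local override rather than a loosened main profile.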
@ -19,7 +19,7 @@ systemctl restart lxd-bridge.service lxd-containers.service lxd.service
|
||||||
lxc profile set default raw.lxc lxc.aa_profile=unconfined
|
lxc profile set default raw.lxc lxc.aa_profile=unconfined
|
||||||
lxc profile set default security.privileged true
|
lxc profile set default security.privileged true
|
||||||
lxc profile show default
|
lxc profile show default
|
||||||
lxc launch ubuntu:18.04 algo
|
lxc launch ubuntu:${UBUNTU_VERSION} algo
|
||||||
|
|
||||||
ip addr
|
ip addr
|
||||||
|
|
||||||
|
|
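Review bot: `lxc launch ubuntu:${UBUNTU_VERSION} algo` expands to `ubuntu:` when the variable is unset, so a run outside the matrix launches whatever image that alias resolves to, or fails with an unrelated error, instead of naming the missing variable; use `lxc launch "ubuntu:${UBUNTU_VERSION:?UBUNTU_VERSION not set}" algo`. The script's shell options are outside the hunk, so whether `set -u` already covers this cannot be seen from here.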