From 4ea1dcdf5a40f3aa731354cdceae89b92083792c Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Wed, 10 Apr 2019 12:20:00 +0300
Subject: [PATCH 1/7] Update deploy-from-script-or-cloud-init-to-localhost.md

---
 ...eploy-from-script-or-cloud-init-to-localhost.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md
index 7a99d6b2..368db5a0 100644
--- a/docs/deploy-from-script-or-cloud-init-to-localhost.md
+++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md
@@ -19,15 +19,15 @@ The command will prepare the environment and install AlgoVPN with default parame `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list. `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false -`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false -`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false +`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false. +`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false. `SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE or Azure if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address. -`USERS` - list of VPN users. Comma-separated list. -`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo -`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master -`EXTRA_VARS` - Additional extra variables. -`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor` +`USERS` - list of VPN users. Comma-separated list. +`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo. +`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master. +`EXTRA_VARS` - Additional extra variables. +`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`. ## Examples From 1c7e1dc331142918d7b9324c217850467cc45b46 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Sat, 13 Apr 2019 11:53:45 +0200 Subject: [PATCH 2/7] Move `Delete the CA key` task to the appropriate role (#1393) --- roles/strongswan/tasks/openssl.yml | 10 ++++++++++ server.yml | 10 ---------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml index 694bb83c..ffaa7062 100644 --- a/roles/strongswan/tasks/openssl.yml +++ b/roles/strongswan/tasks/openssl.yml @@ -209,3 +209,13 @@ - gencrl.changed notify: - rereadcrls + +- name: Delete the CA key + local_action: + module: file + path: "{{ ipsec_pki_path }}/private/cakey.pem" + state: absent + become: false + when: + - ipsec_enabled + - not algo_store_cakey diff --git a/server.yml b/server.yml index 40326830..349150cb 100644 --- a/server.yml +++ b/server.yml @@ -37,16 +37,6 @@ tags: ssh_tunneling - block: - - name: Delete the CA key - local_action: - module: file - path: "{{ ipsec_pki_path }}/private/cakey.pem" - state: absent - become: false - when: - - ipsec_enabled - - not algo_store_cakey - - name: Dump the configuration local_action: module: copy From 8f10647ec1bb4f09ffca00e315fb250ef60306de Mon Sep 17 00:00:00 2001 From: wtgtybhertgeghgtwtg Date: Wed, 17 Apr 2019 03:57:53 -0600 Subject: [PATCH 3/7] fix: get public IP from default interface (#1396) --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index 248f3784..ed385e73 100644 --- a/install.sh +++ b/install.sh 
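Review bot: The relocated `Delete the CA key` task at the end of the openssl.yml hunk carries no explanation of why the key is removed or what is given up, so a reader of the role has to go to the docs to learn that `algo_store_cakey: false` makes adding users later impossible. A comment above the task would keep that in the role: `# Without the CA key no further client certificates can be signed; removed unless algo_store_cakey (STORE_CAKEY) is set.` Note that `state: absent` only unlinks the file, and the task appears to rely on being the last consumer of the key in this file (it follows the `gencrl` context lines), so any future task that signs with the CA must be placed above it. The server.yml hunk is a pure removal of the same task and needs nothing further.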
@@ -50,7 +50,7 @@ getAlgo() {
 publicIpFromInterface() {
 echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint."
 DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')"
- ENDPOINT=$(ip -4 addr sh dev eth0 | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
+ ENDPOINT=$(ip -4 addr sh dev $DEFAULT_INTERFACE | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
 export ENDPOINT=$ENDPOINT
 echo "Using ${ENDPOINT} as the endpoint"
 }

From a1117ecf0a25dde057b43c898d76e8f4f02139e7 Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Wed, 17 Apr 2019 07:53:41 -0400
Subject: [PATCH 4/7] Update Adblock lists (#1394)

Uses the Unified hosts file from @StevenBlack available [here](https://github.com/StevenBlack/hosts). This encompasses the Ad Away, MVPS, and Malware Domain lists, deleting duplicates for us, and also adds a bunch more.
---
 config.cfg | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/config.cfg b/config.cfg
index 16411cf0..a652749f 100644
--- a/config.cfg
+++ b/config.cfg
@@ -70,9 +70,7 @@ reduce_mtu: 0
 # If you load very large blocklists, you may also have to modify resource limits:
 # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
 adblock_lists:
- - "http://winhelp2002.mvps.org/hosts.txt"
- - "https://adaway.org/hosts.txt"
- - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
+ - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 - "https://hosts-file.net/ad_servers.txt"

 # Enable DNS encryption.

From 505538bcbb0f0e8907b9ac0cf5cc4511dfdae7dc Mon Sep 17 00:00:00 2001
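Review bot: `$DEFAULT_INTERFACE` on the added `ENDPOINT=` line is expanded unquoted and is never checked, so when the `ip -4 route list match default` pipeline two lines above prints nothing (no default route) the command degrades to `ip -4 addr sh dev`, which fails, and `ENDPOINT` is exported empty while the script still prints "Using  as the endpoint". Quote the expansion and stop when it is empty, e.g. `[ -n "$DEFAULT_INTERFACE" ] || { echo "No default interface found" >&2; exit 1; }` before the line and `ip -4 addr sh dev "$DEFAULT_INTERFACE"` on it. Whether an empty ENDPOINT is caught by the caller cannot be seen here, since the rest of install.sh is outside the hunk.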
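Review bot: The replacement entry `https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts` tracks the upstream `master` branch, so the set of names the resolver blocks changes with every upstream commit without any review on this side, whereas the three URLs it replaces were at least static paths. The comment two lines above about resource limits for very large blocklists also applies more than before, since the commit message says this one list encompasses all three removed lists plus more. If reproducible deployments matter, the value could reference a specific upstream commit instead of `master`, and a comment such as `# Large unified list; see the resource-limit note above.` would flag the size for operators.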
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Wed, 17 Apr 2019 11:44:58 -0400
Subject: [PATCH 5/7] Update README.md (#1380)

Add mention of Wireguard SSID exclusion ability.
---
 README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index c4016c85..40da8bd5 100644
--- a/README.md
+++ b/README.md
@@ -93,11 +93,13 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device. -On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app. +On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. + +On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md). -If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). +If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect on Demand" or excluded Wi-Fi networks automatically configured, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). ### Android Devices 
@@ -247,4 +249,4 @@ All donations support continued development. Thanks! * Use our [referral code](https://m.do.co/c/4d7f4ff9cfe4) when you sign up to Digital Ocean for a $10 credit. * We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests. -Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider purchasing an exception . As with the methods above, this will help support continued development. \ No newline at end of file +Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider purchasing an exception . As with the methods above, this will help support continued development. From a60d49f5fc427938dbbb292120bd52ecc33948b1 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 19 Apr 2019 10:57:31 +0200 Subject: [PATCH 6/7] Update deploy-from-script-or-cloud-init-to-localhost.md --- docs/deploy-from-script-or-cloud-init-to-localhost.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index 368db5a0..6070562c 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md @@ -8,7 +8,7 @@ You can copy-paste the snippet below to the user data (cloud-init or startup scr ``` #!/bin/bash -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` The command will prepare the environment and install AlgoVPN with default parameters. If you want to modify the behaviour you may define additional variables. 
@@ -38,7 +38,7 @@ The command will prepare the environment and install AlgoVPN with default parame export ONDEMAND_CELLULAR=true export WINDOWS=true export SSH_TUNNELING=true -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` ##### How to deploy locally without using cloud-init @@ -46,7 +46,7 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s ``` export METHOD=local export ONDEMAND_CELLULAR=true -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` ##### How to deploy a server using arguments @@ -54,5 +54,5 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s The arguments order as per [variables](#variables) above ``` -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x -s local true false _null true true true true myvpnserver.com +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x -s local true false _null true true true true myvpnserver.com ``` From 1e35753aa27ca06269035d0e05d780f0f9fd9f2a Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 23 Apr 2019 12:36:12 +0200 Subject: [PATCH 7/7] Update openssl.yml (#1403) --- roles/strongswan/tasks/openssl.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml index ffaa7062..fd38611a 100644 --- a/roles/strongswan/tasks/openssl.yml +++ b/roles/strongswan/tasks/openssl.yml 
@@ -151,6 +151,23 @@
 with_items: "{{ users }}"
 register: p12
 
+ - name: Build the client's p12 with the CA cert included
+ shell: >
+ umask 077;
+ {{ openssl_bin }} pkcs12
+ -in certs/{{ item }}.crt
+ -inkey private/{{ item }}.key
+ -export
+ -name {{ item }}
+ -out private/{{ item }}_ca.p12
+ -certfile cacert.pem
+ -passout pass:"{{ p12_export_password }}"
+ args:
+ chdir: "{{ ipsec_pki_path }}"
+ executable: bash
+ with_items: "{{ users }}"
+ register: p12
+
 - name: Copy the p12 certificates
 copy:
 src: "{{ ipsec_pki_path }}/private/{{ item }}.p12"
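Review bot: The added task registers its result under `p12`, the same name the preceding task registers (the `register: p12` context line at the top of the hunk), so any later step that reads `p12` now sees only the `_ca.p12` results; give it its own name, `register: p12_ca`, or drop the `register` line if nothing consumes it. The new task otherwise duplicates the one above it except for `-certfile cacert.pem` and the output name, so a single task looping over both variants would be the expected shape rather than a copied shell command. `{{ item }}` is interpolated unquoted into a bash command line; `{{ item | quote }}` is the usual defensive form, even though usernames here come from the operator's own config. The `-passout pass:"{{ p12_export_password }}"` form exposes the export password to anyone who can list processes on the host that runs the task, as the existing task above presumably already does.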