Merge branch 'master' of github.com:trailofbits/algo

This commit is contained in:
johnwesley 2019-04-24 12:32:23 -04:00
commit a35b0533d6
6 changed files with 45 additions and 28 deletions


@ -93,11 +93,13 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir
On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device. On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app. On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file.
On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.)
Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md). Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect on Demand" or excluded Wi-Fi networks automatically configured, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md).
### Android Devices ### Android Devices
@ -247,4 +249,4 @@ All donations support continued development. Thanks!
* Use our [referral code](https://m.do.co/c/4d7f4ff9cfe4) when you sign up to Digital Ocean for a $10 credit. * Use our [referral code](https://m.do.co/c/4d7f4ff9cfe4) when you sign up to Digital Ocean for a $10 credit.
* We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests. * We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests.
Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider <a href="mailto:opensource@trailofbits.com">purchasing an exception</a> . As with the methods above, this will help support continued development. Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider <a href="mailto:opensource@trailofbits.com">purchasing an exception</a> . As with the methods above, this will help support continued development.


@ -70,9 +70,7 @@ reduce_mtu: 0
# If you load very large blocklists, you may also have to modify resource limits: # If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
adblock_lists: adblock_lists:
- "http://winhelp2002.mvps.org/hosts.txt" - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
- "https://adaway.org/hosts.txt"
- "https://www.malwaredomainlist.com/hostslist/hosts.txt"
- "https://hosts-file.net/ad_servers.txt" - "https://hosts-file.net/ad_servers.txt"
# Enable DNS encryption. # Enable DNS encryption.
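Review bot: The `adblock_lists` change drops three sources (the plaintext `http://winhelp2002.mvps.org/hosts.txt` entry, adaway and malwaredomainlist) and substitutes the StevenBlack hosts file, but nothing in the hunk records why, so a later editor has no guidance on what a list must satisfy to be added back. Since these files are fetched at deploy time and fed to dnsmasq, the transport matters: a plaintext source can be altered in transit and would silently change DNS answers for every client. I would add one comment directly above `adblock_lists:`, e.g. `# HTTPS sources only: these hosts files are downloaded at deploy time and loaded into dnsmasq.` The existing resource-limit comment at the top of the hunk already warns about very large lists; it may be worth noting whether the consolidated StevenBlack file falls into that category, which I cannot tell from the diff.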


@ -8,7 +8,7 @@ You can copy-paste the snippet below to the user data (cloud-init or startup scr
``` ```
#!/bin/bash #!/bin/bash
curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
``` ```
The command will prepare the environment and install AlgoVPN with default parameters. If you want to modify the behaviour you may define additional variables. The command will prepare the environment and install AlgoVPN with default parameters. If you want to modify the behaviour you may define additional variables.
@ -19,15 +19,15 @@ The command will prepare the environment and install AlgoVPN with default parame
`ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false
`ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list. `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
`WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false
`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false `STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false.
`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false `LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false.
`SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false `SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false
`ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE or Azure if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address. `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE or Azure if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
`USERS` - list of VPN users. Comma-separated list. `USERS` - list of VPN users. Comma-separated list.
`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo `REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master `REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master.
`EXTRA_VARS` - Additional extra variables. `EXTRA_VARS` - Additional extra variables.
`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor` `ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`.
## Examples ## Examples
@ -38,7 +38,7 @@ The command will prepare the environment and install AlgoVPN with default parame
export ONDEMAND_CELLULAR=true export ONDEMAND_CELLULAR=true
export WINDOWS=true export WINDOWS=true
export SSH_TUNNELING=true export SSH_TUNNELING=true
curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
``` ```
##### How to deploy locally without using cloud-init ##### How to deploy locally without using cloud-init
@ -46,7 +46,7 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s
``` ```
export METHOD=local export METHOD=local
export ONDEMAND_CELLULAR=true export ONDEMAND_CELLULAR=true
curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
``` ```
##### How to deploy a server using arguments ##### How to deploy a server using arguments
@ -54,5 +54,5 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s
The arguments order as per [variables](#variables) above The arguments order as per [variables](#variables) above
``` ```
curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x -s local true false _null true true true true myvpnserver.com curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x -s local true false _null true true true true myvpnserver.com
``` ```


@ -50,7 +50,7 @@ getAlgo() {
publicIpFromInterface() { publicIpFromInterface() {
echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint." echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint."
DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')" DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')"
ENDPOINT=$(ip -4 addr sh dev eth0 | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b') ENDPOINT=$(ip -4 addr sh dev $DEFAULT_INTERFACE | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
export ENDPOINT=$ENDPOINT export ENDPOINT=$ENDPOINT
echo "Using ${ENDPOINT} as the endpoint" echo "Using ${ENDPOINT} as the endpoint"
} }
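Review bot: `$DEFAULT_INTERFACE` is used unquoted and unchecked in the rewritten `ip -4 addr sh dev $DEFAULT_INTERFACE` line; when `ip -4 route list match default` prints nothing (no default route) or several `dev` entries (more than one default route), the `ip addr` call receives no or multiple arguments, the pipeline yields an empty `ENDPOINT`, and the next two lines export and announce an empty endpoint that the rest of the install then uses as the server's certificate name. Take the first match and fail early instead: `DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}' | head -n1)"`, then `[ -n "$DEFAULT_INTERFACE" ] || { echo "No default route found; set ENDPOINT manually." >&2; exit 1; }`, and quote the use as `dev "$DEFAULT_INTERFACE"`. The same empty-result case applies to the final `grep -oE` if the interface has no IPv4 address, so a `[ -n "$ENDPOINT" ]` check before the export would close both gaps.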


@ -151,6 +151,23 @@
with_items: "{{ users }}" with_items: "{{ users }}"
register: p12 register: p12
- name: Build the client's p12 with the CA cert included
shell: >
umask 077;
{{ openssl_bin }} pkcs12
-in certs/{{ item }}.crt
-inkey private/{{ item }}.key
-export
-name {{ item }}
-out private/{{ item }}_ca.p12
-certfile cacert.pem
-passout pass:"{{ p12_export_password }}"
args:
chdir: "{{ ipsec_pki_path }}"
executable: bash
with_items: "{{ users }}"
register: p12
- name: Copy the p12 certificates - name: Copy the p12 certificates
copy: copy:
src: "{{ ipsec_pki_path }}/private/{{ item }}.p12" src: "{{ ipsec_pki_path }}/private/{{ item }}.p12"
@ -209,3 +226,13 @@
- gencrl.changed - gencrl.changed
notify: notify:
- rereadcrls - rereadcrls
- name: Delete the CA key
local_action:
module: file
path: "{{ ipsec_pki_path }}/private/cakey.pem"
state: absent
become: false
when:
- ipsec_enabled
- not algo_store_cakey
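Review bot: The new "Build the client's p12 with the CA cert included" task ends with `register: p12`, the same name the preceding task registers (the `register: p12` context line at the top of the first hunk), so the first task's result is overwritten before any later task can read it; give it its own name, e.g. `register: p12_ca`, and check whether anything later consumes `p12.results`, since those consumers are outside this hunk. The task's shell command also embeds `{{ p12_export_password }}` in `-passout pass:` and carries no `no_log: true`, so the export password is written into Ansible's task output on failure or under `-v`; `no_log: true` on this task keeps it out of the logs, and the same presumably applies to the existing p12 task above it, which is outside the hunk. The second hunk, which relocates the "Delete the CA key" task into this file, looks consistent with the deletion in the last file section.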


@ -37,16 +37,6 @@
tags: ssh_tunneling tags: ssh_tunneling
- block: - block:
- name: Delete the CA key
local_action:
module: file
path: "{{ ipsec_pki_path }}/private/cakey.pem"
state: absent
become: false
when:
- ipsec_enabled
- not algo_store_cakey
- name: Dump the configuration - name: Dump the configuration
local_action: local_action:
module: copy module: copy