wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 15:43:54 +02:00
Code Issues Projects Releases Wiki Activity

Some fixes

Browse source
This commit is contained in:
Evgeniy Ivanov 2016-08-18 12:17:46 +03:00
parent e618cdf0ce
commit a9b10baf1d
7 changed files with 25 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
config.cfg
View file

@ -10,6 +10,7 @@ easyrsa_reinit_existent: False
vpn_network: 10.19.48.0/24 vpn_network: 10.19.48.0/24
vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64' vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64'
server_name: "{{ ansible_ssh_host }}" server_name: "{{ ansible_ssh_host }}"
IP_subject_alt_name: "{{ ansible_ssh_host }}"
# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False) # Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
service_dns: True service_dns: True

12
non-cloud.yml
View file

@ -6,6 +6,7 @@
- name: "server_ip" - name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n" prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost
private: no private: no
- name: "server_user" - name: "server_user"
@ -28,6 +29,10 @@
default: "vpn" default: "vpn"
private: yes private: yes
- name: "IP_subject_alt_name"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is using to verify the certificate)\n"
private: no
tasks: tasks:
- name: Add the server to the vpn-host group - name: Add the server to the vpn-host group
add_host: add_host:
@ -38,6 +43,7 @@
dns_enabled: "{{ dns_enabled }}" dns_enabled: "{{ dns_enabled }}"
auditd_enabled: " {{ auditd_enabled }}" auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Post-provisioning tasks - name: Post-provisioning tasks
hosts: vpn-host hosts: vpn-host
@ -53,9 +59,9 @@
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles: roles:
- common #- common
- security #- security
- proxy #- proxy
- vpn - vpn
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

6
roles/vpn/tasks/main.yml
View file

@ -67,7 +67,7 @@
- name: Build the server pair - name: Build the server pair
shell: > shell: >
./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&& ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass&&
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
args: args:
chdir: '{{ easyrsa_dir }}/easyrsa3/' chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -99,12 +99,12 @@
- restart strongswan - restart strongswan
- name: Copy the server cert to the strongswan directory - name: Copy the server cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600 copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=root group=root mode=0600
notify: notify:
- restart strongswan - restart strongswan
- name: Copy the server key to the strongswan directory - name: Copy the server key to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600 copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=root group=root mode=0600
notify: notify:
- restart strongswan - restart strongswan

4
roles/vpn/templates/easy-rsa.vars.j2
View file

@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# This is best left alone. Interactively you will set this manually, and BATCH # This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves. # callers are expected to set this themselves.
set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}" set_var EASYRSA_REQ_CN "{{ IP_subject_alt_name }}"
# Cryptographic digest to use. # Cryptographic digest to use.
# Do not change this default unless you understand the security implications. # Do not change this default unless you understand the security implications.
@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
# in batch mode without any user input, confirmation on dangerous operations, # in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode. # or most output. Setting this to any non-blank string enables batch mode.
set_var EASYRSA_BATCH "{{ ansible_ssh_host }}" set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}"

4
roles/vpn/templates/ipsec.conf.j2
View file

@ -15,8 +15,8 @@ conn %default
left=%any left=%any
leftauth=pubkey leftauth=pubkey
leftid={{ ansible_ssh_host }} leftid={{ IP_subject_alt_name }}
leftcert={{ ansible_ssh_host }}.crt leftcert={{ IP_subject_alt_name }}.crt
leftsendcert=always leftsendcert=always
leftsubnet=0.0.0.0/0,::/0 leftsubnet=0.0.0.0/0,::/0

2
roles/vpn/templates/ipsec.secrets.j2
View file

@ -1,2 +1,2 @@
: ECDSA {{ ansible_ssh_host }}.key : ECDSA {{ IP_subject_alt_name }}.key

12
roles/vpn/templates/mobileconfig.j2
View file

@ -48,11 +48,11 @@
<key>CertificateType</key> <key>CertificateType</key>
<string>ECDSA256</string> <string>ECDSA256</string>
<key>ServerCertificateIssuerCommonName</key> <key>ServerCertificateIssuerCommonName</key>
<string>{{ ansible_ssh_host }}</string> <string>{{ IP_subject_alt_name }}</string>
<key>RemoteAddress</key> <key>RemoteAddress</key>
<string>{{ ansible_ssh_host }}</string> <string>{{ IP_subject_alt_name }}</string>
<key>RemoteIdentifier</key> <key>RemoteIdentifier</key>
<string>{{ ansible_ssh_host }}</string> <string>{{ IP_subject_alt_name }}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key> <key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer> <integer>0</integer>
</dict> </dict>
@ -81,7 +81,7 @@
<integer>0</integer> <integer>0</integer>
</dict> </dict>
<key>UserDefinedName</key> <key>UserDefinedName</key>
<string>{{ ansible_ssh_host }} IKEv2</string> <string>{{ IP_subject_alt_name }} IKEv2</string>
<key>VPNType</key> <key>VPNType</key>
<string>IKEv2</string> <string>IKEv2</string>
</dict> </dict>
@ -117,7 +117,7 @@
<key>PayloadDescription</key> <key>PayloadDescription</key>
<string>Adds a CA root certificate</string> <string>Adds a CA root certificate</string>
<key>PayloadDisplayName</key> <key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }}</string> <string>{{ IP_subject_alt_name }}</string>
<key>PayloadIdentifier</key> <key>PayloadIdentifier</key>
<string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string> <string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadType</key> <key>PayloadType</key>
@ -129,7 +129,7 @@
</dict> </dict>
</array> </array>
<key>PayloadDisplayName</key> <key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }} IKEv2</string> <string>{{ IP_subject_alt_name }} IKEv2</string>
<key>PayloadIdentifier</key> <key>PayloadIdentifier</key>
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string> <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
<key>PayloadRemovalDisallowed</key> <key>PayloadRemovalDisallowed</key>