From 1ff67bfa12864e4b637d59d146d011b5e89c55a0 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Thu, 13 Oct 2016 15:27:06 +0200 Subject: [PATCH 01/53] Initial commit of reorg'd docs --- ADVANCED.md | 81 -------------------- CONTRIBUTING.md | 4 +- README.md | 129 ++++++++++--------------------- algo | 30 ++++---- config.cfg | 3 +- deploy.yml | 1 - docs/ADVANCED.md | 135 +++++++++++++++++++++++++++++++++ docs/ROLES.md | 32 ++++++++ requirements.txt | 1 + roles/cloud-ec2/tasks/main.yml | 4 +- 10 files changed, 228 insertions(+), 192 deletions(-) delete mode 100644 ADVANCED.md create mode 100644 docs/ADVANCED.md create mode 100644 docs/ROLES.md diff --git a/ADVANCED.md b/ADVANCED.md deleted file mode 100644 index 00de5fef..00000000 --- a/ADVANCED.md +++ /dev/null 
@@ -1,81 +0,0 @@ -### Cloud Providers - -**digitalocean** -*Requirement variables:* -- do_access_token -- do_ssh_name -- do_server_name -- do_region - -*Possible regions:* -- ams2 -- ams3 -- fra1 -- lon1 -- nyc1 -- nyc2 -- nyc3 -- sfo1 -- sfo2 -- sgp1 -- tor1 -- blr1 - -**gce** -*Requirement variables:* -- credentials_file -- server_name -- ssh_public_key -- zone - -*Possible zones:* -- us-central1-a -- us-central1-b -- us-central1-c -- us-central1-f -- us-east1-b -- us-east1-c -- us-east1-d -- europe-west1-b -- europe-west1-c -- europe-west1-d -- asia-east1-a -- asia-east1-b -- asia-east1-c - -**ec2** -*Requirement variables:* -- aws_access_key -- aws_secret_key -- aws_server_name -- ssh_public_key -- region - -*Possible regions:* -- us-east-1 -- us-west-1 -- us-west-2 -- ap-south-1 -- ap-northeast-2 -- ap-southeast-1 -- ap-southeast-2 -- ap-northeast-1 -- eu-central-1 -- eu-west-1 -- sa-east-1 - -**local installation** -*Requirement variables:* -- server_ip -- server_user -- IP_subject_alt_name - -### Deployment - -Start the deploy with extra variables and tags that you need. -Example for DigitalOcean: - -``` -ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' -``` - diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a1001f0..c3a7ac52 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ ### Common Issues * Check that you're using at least Ansible 2.1 -* If installing to a local server, try using a fresh install -* Please review the [FAQ](https://github.com/trailofbits/algo#faq) in the readme +* If installing to a local server, use a fresh install of Ubuntu 16.04 +* Please review the [FAQ](https://github.com/trailofbits/algo#faq) ### Coding Guidelines diff --git a/README.md b/README.md index 5cb7148f..c1252134 100644 --- a/README.md +++ b/README.md 
@@ -6,11 +6,11 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw ## Features -* Supports only IKEv2 -* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH -* Generates mobileconfig profiles to auto-configure Apple devices +* Supports only IKEv2 w/ a single cipher suite: AES GCM, SHA2 HMAC, and P-256 DH +* Generates Apple Profiles to auto-configure iOS and macOS devices * Provides helper scripts to add and remove users * Blocks ads with a local DNS resolver and HTTP proxy (optional) +* Sets up limited SSH tunnels for each user (optional) * Based on current versions of Ubuntu and StrongSwan * Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server 
@@ -23,120 +23,71 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw * Does not claim to provide anonymity or censorship avoidance * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster) -## Included Roles +## Initial Setup -Ansible scripts are organized into roles. The roles used by Algo are described in detail below. - -### Required Roles - -* **Common** - * Installs several required packages and software updates, then reboots if necessary - * Configures network interfaces and enables packet forwarding on them -* **VPN** - * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges - * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user - * Bundles the appropriate certificates into Apple mobileconfig profiles for each user - -### Optional Roles - -* **Security Enhancements** - * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied - * Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks - * Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP - * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834) -* **Ad Blocking and Compression HTTP Proxy** - * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset - * 
Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy - * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations -* **DNS Ad Blocking** - * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains - * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations -* **Security Monitoring and Logging** - * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents - * Emails aggregated Logs to a configured address on a regular basis -* **SSH Tunneling** - * Adds a restricted `algo` group to SSH with no shell access and limited forwarding options - * Creates one limited, local account per user and an SSH public key for each - -## Usage - -### Requirements - -* ansible >= 2.1 -* python >= 2.6 -* [dopy=0.3.5](https://github.com/Wiredcraft/dopy) -* [boto](https://github.com/boto/boto) -* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python) -* [apache-libcloud](https://github.com/apache/libcloud) -* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS) -* [six](https://github.com/JioCloud/python-six) -* SHell or BASH -* libselinux-python (for RedHat based distros) - -### Roles and Tags -**Cloud roles:** -- role: cloud-digitalocean, tags: digitalocean -- role: cloud-ec2, tags: ec2 -- role: cloud-gce, tags: gce - -**Server roles:** -- role: vpn, tags: vpn -- role: dns_adblocking, tags: dns, adblock -- role: proxy, tags: proxy, adblock -- role: logging, tags: logging -- role: security, tags: security -- role: ssh_tunneling, tags: ssh_tunneling - -### Cloud Deployment - -To install the dependencies on OS X or Linux: +The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. +1. 
Install the dependencies on OS X or Linux: ``` sudo easy_install pip sudo pip install -r requirements.txt ``` -Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. - -Start the deploy and follow the instructions: - +2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. +3. Start the deploy and follow the instructions: ``` ./algo ``` -When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. +That's it! You now have an Algo VPN server on the internet. -### Local Deployment +Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation. -It is possible to download Algo to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA and using a PPA requires installing `software-properties-common`. 
tl;dr: -``` -sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible -sudo apt-get update && sudo apt-get install ansible -git clone https://github.com/trailofbits/algo -cd algo && ./algo -``` +## User Management -### User Management +### Configuration Files -If you want to add or delete users, update the `users` list in `config.cfg` and run the command: +After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. +* [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop. +* asdf +* asdf + +### Adding or Removing Users + +Algo's own scripts can easily add and remove users from the VPN server. + +1. Update the `users` list in your `config.cfg` +2. Run the command: ``` ./algo update-users ``` +The Algo VPN server now only contains the users listed in the `config.cfg` file. + +## SSH Tunneling + +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. + +Use the following command to SSH tunnel through the server: + +```asdf``` + +[explain the options] + ## FAQ -### Has this been audited? +### Has Algo been audited? -No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use algo at your own risk. +No. This project is under active development. 
We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk. ### Why aren't you using Tor? -The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/). +The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/). ### Why aren't you using Racoon, LibreSwan, or OpenSwan? -Raccoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. 
I consider such rewrites a positive step when supporting a major new protocol version. +Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version. ### Why aren't you using a memory-safe or verified IKE daemon? @@ -148,4 +99,4 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi ### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD? -Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free, Open, and HardenedBSD. Follow along on our progress in [this issue](https://github.com/trailofbits/algo/issues/35). +Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35). diff --git a/algo b/algo index bf1ebe4d..8f406a68 100755 --- a/algo +++ b/algo @@ -4,11 +4,11 @@ set -e digitalocean () { read -p " -Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens): +Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): : " -rs do_access_token read -p " -Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security): +Enter an existing SSH key name (https://cloud.digitalocean.com/settings/security): : " -r do_ssh_name read -p " @@ -32,9 +32,9 @@ Name the vpn server: 12. Bangalore Enter the number of your desired region: [7]: " -r region - region=${region:-7} + region=${region:-7} - case "$region" in + case "$region" in 1) do_region="ams2" ;; 2) do_region="ams3" ;; 3) do_region="fra1" ;; 
@@ -49,22 +49,22 @@ Enter the number of your desired region: 12) do_region="blr1" ;; esac -ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" +ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } ec2 () { read -p " Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -: " -rs aws_access_key +[asdf...]: " -rs aws_access_key read -p " Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -: " -rs aws_secret_key +[asdf...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -: " -r ssh_public_key +[adsf]: " -r ssh_public_key read -p " Name the vpn server: @@ -86,7 +86,7 @@ Name the vpn server: 11. sa-east-1 South America (São Paulo) Enter the number of your desired region: [1]: " -r aws_region - aws_region=${aws_region:-1} + aws_region=${aws_region:-1} case "$aws_region" in 1) region="us-east-1" ;; @@ -155,7 +155,7 @@ Please choose the number of your zone. Press enter for default (#8) zone. 13) zone="asia-east1-c" ;; esac -ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" +ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } 
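Review bot: The DigitalOcean API token is still handed to ansible-playbook on the command line (`-e "do_access_token=$do_access_token ..."` in the rewritten call at the top of this hunk), so it is visible to every local user through the process list for the whole run; the whitespace-only rewrite of that line was a chance to fix this. Export the token instead and have the playbook read it with `lookup('env', 'DO_ACCESS_TOKEN')`, or write the variables to a mode-0600 temporary file and pass `-e @"$tmpfile"`. The same pattern presumably applies to `aws_secret_key` in the `ec2` function, whose ansible-playbook call is outside this hunk. Separately, the new prompt hints `[asdf...]` and `[adsf]` are placeholder text that reached the commit.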
@@ -173,7 +173,7 @@ What user should we use to login on the server? (ignore if you're deploying to l Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) : " -r IP_subject - ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" } algo_provisioning () { @@ -184,7 +184,7 @@ algo_provisioning () { 3. Google Compute Engine 4. Install to existing Ubuntu server -Enter the number of your desired provider +Enter the number of your desired provider : " read -r N @@ -198,12 +198,12 @@ Enter the number of your desired provider esac } - + user_management () { ansible-playbook users.yml } case "$1" in - update-users) user_management ;; - *) algo_provisioning ;; + update-users) user_management ;; + *) algo_provisioning ;; esac diff --git a/config.cfg b/config.cfg index 4704920d..8fe25827 100644 --- a/config.cfg +++ b/config.cfg @@ -5,7 +5,7 @@ users: - dan - jack -# If you're using auditd for monitoring, add an email address to send logs +# Add an email address to send logs if you're using auditd for monitoring, auditd_action_mail_acct: email@example.com ### Advanced users only below this line ### @@ -15,7 +15,6 @@ easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 easyrsa_p12_export_password: vpnpws - # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False diff --git a/deploy.yml b/deploy.yml index 4e6ca209..9fbf792f 100644 --- a/deploy.yml +++ b/deploy.yml @@ -38,4 +38,3 @@ handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md new file mode 100644 index 00000000..98770335 --- /dev/null +++ b/docs/ADVANCED.md 
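Review bot: The rewritten comment above `auditd_action_mail_acct` in the config.cfg hunk ends in a stray comma, so it reads as an unfinished sentence; use `# Add an email address to send logs to if you're using auditd for monitoring`. The value `email@example.com` below it is unchanged context, but this comment is the only hint that it is a placeholder to be replaced, so saying so here would help.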
@@ -0,0 +1,135 @@ +# Advanced Usage + +## Requirements + +Before you begin, make sure you have installed all the dependencies necessary for your use case. Algo depends on the software below and most of it will be installed via the `requirements.txt` file. + +* ansible >= 2.1 +* python >= 2.6 +* [dopy=0.3.5](https://github.com/Wiredcraft/dopy) +* [boto](https://github.com/boto/boto) +* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python) +* [apache-libcloud](https://github.com/apache/libcloud) +* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS) +* [six](https://github.com/JioCloud/python-six) +* SHell or BASH +* libselinux-python (for RedHat based distros) + +## Local Deployment + +It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`. 
+ +tl;dr: + +``` +sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible +sudo apt-get update && sudo apt-get install ansible +git clone https://github.com/trailofbits/algo +cd algo && ./algo +``` + +## Scripted Deployment + +Example for DigitalOcean: + +``` +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=my_secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +``` + +### Roles + +Cloud roles: + +- role: cloud-digitalocean, tags: digitalocean +- role: cloud-ec2, tags: ec2 +- role: cloud-gce, tags: gce + +Server roles: + +- role: vpn, tags: vpn +- role: dns_adblocking, tags: dns, adblock +- role: proxy, tags: proxy, adblock +- role: logging, tags: logging +- role: security, tags: security +- role: ssh_tunneling, tags: ssh_tunneling + +### Digital Ocean + +Required variables: + +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +Possible regions: + +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +### Google Cloud Engine + +Required variables: + +- credentials_file +- server_name +- ssh_public_key +- zone + +Possible zones: + +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +### Amazon EC2 + +Required variables: + +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +Possible regions: + +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + +### Local Installation + +Required variables: + +- server_ip +- server_user +- IP_subject_alt_name \ No newline at end of file diff --git a/docs/ROLES.md b/docs/ROLES.md new file mode 100644 index 00000000..8e1df28b --- /dev/null +++ b/docs/ROLES.md 
@@ -0,0 +1,32 @@ +# Ansible Roles + +## Required Roles + +* **Common** + * Installs several required packages and software updates, then reboots if necessary + * Configures network interfaces and enables packet forwarding on them +* **VPN** + * Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges + * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user + * Bundles the appropriate certificates into Apple mobileconfig profiles for each user + * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834) + +## Optional Roles + +* **Security Enhancements (Reccommended)** + * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied + * Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks + * Enhances SSH with modern ciphers and seccomp, and restricts access to older, unwanted features like X11 forwarding and SFTP +* **Ad Blocking and Compression HTTP Proxy** + * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset + * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy + * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations +* **DNS Ad Blocking** + * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains + * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations +* **Security Monitoring and Logging** + * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for 
investigating security incidents + * Sends logs to a configured email address on a regular basis +* **SSH Tunneling** + * Adds a restricted `algo` group with no shell access and limited SSH forwarding options + * Creates one limited, local account per user and an SSH public key for each diff --git a/requirements.txt b/requirements.txt index a666d82a..36b226c9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ +ansible>=2.1 dopy==0.3.5 boto azure>=0.7.1 diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 4f25e1b0..eace8c4d 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -1,4 +1,4 @@ -- name: Locate official Ubuntu 16.04 AMI for region. +- name: Locate official Ubuntu 16.04 AMI for region ec2_ami_find: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" @@ -13,7 +13,7 @@ - set_fact: ami_image: "{{ ami_search.results[0].ami_id }}" -- name: Add ssh public key. +- name: Add ssh public key ec2_key: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" From f00f608efe00f130747b6adefe95714207c95e13 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Thu, 13 Oct 2016 15:50:24 +0200 Subject: [PATCH 02/53] better defaults --- algo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/algo b/algo index 8f406a68..c0cec1d7 100755 --- a/algo +++ b/algo 
@@ -56,15 +56,15 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t ec2 () { read -p " Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -[asdf...]: " -rs aws_access_key +[AKIA...]: " -rs aws_access_key read -p " Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): -[asdf...]: " -rs aws_secret_key +[ABCD...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -[adsf]: " -r ssh_public_key +[~/.ssh/id_rsa.pub]: " -r ssh_public_key read -p " Name the vpn server: From d88ef9c0efdd025b83813dfbd559238211813f88 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Thu, 13 Oct 2016 16:35:32 +0200 Subject: [PATCH 03/53] change EC2 instructions --- algo | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/algo b/algo index c0cec1d7..0e891da2 100755 --- a/algo +++ b/algo 
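Review bot: None of the three `read` calls in this hunk checks that the answer is non-empty, so a missed paste for `aws_access_key` or `aws_secret_key` only surfaces when ansible-playbook fails later, and the new `[~/.ssh/id_rsa.pub]` hint looks like a default (the region prompts use the same bracket style and apply it via `${aws_region:-1}`) but nothing applies it, so Enter leaves `ssh_public_key` empty. Add a guard after each read, e.g. `[ -n "$aws_secret_key" ] || { echo "aws_secret_key is required" >&2; exit 1; }`, and either apply the default with `ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub}` or drop the bracketed hint. The `ec2` function's ansible-playbook call that consumes these values is outside this hunk.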
@@ -55,16 +55,18 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t ec2 () { read -p " -Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [AKIA...]: " -rs aws_access_key read -p " -Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key read -p " Enter the local path to your SSH public key: -[~/.ssh/id_rsa.pub]: " -r ssh_public_key +: " -r ssh_public_key read -p " Name the vpn server: From c9d757500528528929a11741c92853cf51f2cb37 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sat, 15 Oct 2016 19:31:22 +0200 Subject: [PATCH 04/53] reorganize the readme to be even simpler --- README.md | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 3a28e3c9..3e832b03 100644 --- a/README.md +++ b/README.md 
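Review bot: The new note in both AWS key prompts recommends the root account key (`... either your root key (recommended) or an IAM user ...`), which inverts the least-privilege guidance AWS itself gives: a root access key cannot be scoped and a leaked one exposes the whole account, whereas this deploy only needs EC2 permissions. Reword to `Note: Use an IAM user with a policy limited to the EC2 actions Algo needs; avoid root account access keys` and drop "(recommended)" from the root option. The rest of the `ec2` function, including the ansible-playbook call that receives these keys, is outside this hunk.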
@@ -23,7 +23,7 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw * Does not claim to provide anonymity or censorship avoidance * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster) -## Initial Setup +## Deploy the Algo Server The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. @@ -34,18 +34,13 @@ sudo pip install -r requirements.txt ``` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -3. Start the deploy and follow the instructions: -``` -./algo -``` +3. Start the deploy and follow the instructions: `./algo` That's it! You now have an Algo VPN server on the internet. Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation. -## User Management - -### Configuration Files +## Configure the VPN Clients After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. 
@@ -53,19 +48,7 @@ After Algo finishes setting up the server, you can find all the certificates and * asdf * asdf -### Adding or Removing Users - -Algo's own scripts can easily add and remove users from the VPN server. - -1. Update the `users` list in your `config.cfg` -2. Run the command: -``` -./algo update-users -``` - -The Algo VPN server now only contains the users listed in the `config.cfg` file. - -## SSH Tunneling +## Setup an SSH Tunnel If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. @@ -75,6 +58,15 @@ Use the following command to SSH tunnel through the server: asdf then explain the options used +## Adding or Removing Users + +Algo's own scripts can easily add and remove users from the VPN server. + +1. Update the `users` list in your `config.cfg` +2. Run the command: `./algo update-users` + +The Algo VPN server now only contains the users listed in the `config.cfg` file. + ## FAQ ### Has Algo been audited? From 1d83c3f627e25c785101480330a6f4125d23aa08 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Oct 2016 17:47:35 +0200 Subject: [PATCH 05/53] better contributor guidelines --- CONTRIBUTING.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c3a7ac52..8074f82a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,9 +1,14 @@ -### Common Issues +### Troubleshooting -* Check that you're using at least Ansible 2.1 +* Check that you installed all the dependencies with pip and have Ansible 2.1+ * If installing to a local server, use a fresh install of Ubuntu 16.04 + +### Filing New Issues + * Please review the [FAQ](https://github.com/trailofbits/algo#faq) +* Please include the full output from your terminal window if appropriate -### Coding Guidelines +### Pull Requests -* Please review any Pull Requests with [ansible-lint](https://github.com/willthames/ansible-lint) +* Run [ansible-lint](https://github.com/willthames/ansible-lint) on any new ansible scripts +* Run [shellcheck](https://github.com/koalaman/shellcheck) on any new shell scripts From 95cabea3b360a947c294d9bab79b76ee4ce45d49 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Oct 2016 23:05:20 +0200 Subject: [PATCH 06/53] better user instructions --- README.md | 29 ++++++++++++++++++++--------- config.cfg | 5 ++++- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 3e832b03..e7468889 100644 --- a/README.md +++ b/README.md 
@@ -42,21 +42,32 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do ## Configure the VPN Clients -After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to adequately secure and transmit these files since many contain private keys. +After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. -* [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop. -* asdf -* asdf +### Apple Devices + +Find the corresponding mobileconfig (Apple Profile) for the user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. Installing a profile will fully configure the VPN. + +### StrongSwan Clients (e.g., OpenWRT) + +Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. + +### Other Devices + +* ca.crt: CA Certificate +* user_ipsec.conf: StrongSwan client configuration +* user_ipsec.secrets: StrongSwan client configuration +* user.crt: User Certificate +* user.key: User Private Key +* user.mobileconfig: Apple Profile +* user.p12: User Certificate and Private Key (in PKCS#12 format) +* user.ssh.pem (optional): SSH authorized_key file ## Setup an SSH Tunnel If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. 
This was done to ensure that users have the least access required to tunnel through the server. -Use the following command to SSH tunnel through the server: - -```asdf``` - -asdf then explain the options used +Make sure to access the server using 'ssh -N' for any limited accounts. ## Adding or Removing Users diff --git a/config.cfg b/config.cfg index e6c6b9a0..c9cedd81 100644 --- a/config.cfg +++ b/config.cfg @@ -8,12 +8,15 @@ users: # Add an email address to send logs if you're using auditd for monitoring, auditd_action_mail_acct: email@example.com +# Exported certificates will be protected by the password below: +easyrsa_p12_export_password: vpnpws + + ### Advanced users only below this line ### easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 -easyrsa_p12_export_password: vpnpws # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False From f92574a5c569449b9306d841eef5c49debc9bd92 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Mon, 17 Oct 2016 16:08:39 +0200 Subject: [PATCH 07/53] easier to read --- README.md | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index e7468889..6d1e1ce9 100644 --- a/README.md +++ b/README.md @@ -27,12 +27,7 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. -1. Install the dependencies on OS X or Linux: -``` -sudo easy_install pip -sudo pip install -r requirements.txt -``` - +1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo` 
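Review bot: The comment added above `easyrsa_p12_export_password` says what the value protects but not that the shipped default `vpnpws` is identical for every Algo checkout and should be changed before deploying, which is the one thing a reader of this line needs to know. Since the exported `.p12` bundles contain users' private keys, suggest `# Exported .p12 bundles (which contain private keys) are protected by this password. Change it from the default before deploying.` Moving the key above the "advanced users" divider, next to the other values a user is expected to edit, reads as the right placement.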
@@ -42,18 +37,20 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do ## Configure the VPN Clients -After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. +Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. ### Apple Devices -Find the corresponding mobileconfig (Apple Profile) for the user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. Installing a profile will fully configure the VPN. +Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. ### StrongSwan Clients (e.g., OpenWRT) -Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. +Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device. ### Other Devices +Depending on the platform, you may need one or multiple of the following files. + * ca.crt: CA Certificate * user_ipsec.conf: StrongSwan client configuration * user_ipsec.secrets: StrongSwan client configuration 
@@ -61,13 +58,12 @@ Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificat * user.key: User Private Key * user.mobileconfig: Apple Profile * user.p12: User Certificate and Private Key (in PKCS#12 format) -* user.ssh.pem (optional): SSH authorized_key file ## Setup an SSH Tunnel -If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg`. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server. +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. -Make sure to access the server using 'ssh -N' for any limited accounts. +Make sure to access the server using 'ssh -N' with these limited accounts. ## Adding or Removing Users From 443f42ca32042f07beb88abacc4bc1645badd143 Mon Sep 17 00:00:00 2001 From: defunct Date: Mon, 17 Oct 2016 13:07:54 -0400 Subject: [PATCH 08/53] #99 also --- algo | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/algo b/algo index 3ee1bc4f..ec8da23d 100755 --- a/algo +++ b/algo @@ -113,9 +113,9 @@ gce () { Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - read -p " + read -e -p " Enter the local path to your SSH public key: -: " -r ssh_public_key +: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key read -p " Name the vpn server: From ac4698677e5fa5b70323aaa25141eb91ccdbc9ed Mon Sep 17 00:00:00 2001 
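Review bot: The pre-filled default `~/.ssh/id_rsa.pub` keeps a literal tilde when the user accepts it, and the value is later interpolated into a double-quoted extra-vars string, so the shell never expands it; whether the role that consumes `ssh_public_key` expands `~` itself cannot be told from this hunk. Normalizing right after the read removes the dependency, e.g. `ssh_public_key="${ssh_public_key/#\~/$HOME}"`. The `gce` function body starts before the hunk, and the same `-e -i` prompt appears in the ec2 function in later commits on this page.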
From: defunct Date: Tue, 18 Oct 2016 10:35:34 -0400 Subject: [PATCH 09/53] Add new Ohio region --- docs/ADVANCED.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md index 2bd50f26..ad057e8e 100644 --- a/docs/ADVANCED.md +++ b/docs/ADVANCED.md @@ -117,6 +117,7 @@ Required variables: Possible regions: - us-east-1 +- us-east-2 - us-west-1 - us-west-2 - ap-south-1 @@ -134,4 +135,4 @@ Required variables: - server_ip - server_user -- IP_subject_alt_name \ No newline at end of file +- IP_subject_alt_name From 7a32802521b3ce59137c93189808eff122408695 Mon Sep 17 00:00:00 2001 From: defunct Date: Tue, 18 Oct 2016 10:39:12 -0400 Subject: [PATCH 10/53] Add EC2 Ohio region --- algo | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/algo b/algo index ec8da23d..6921beff 100755 --- a/algo +++ b/algo 
@@ -76,32 +76,34 @@ Name the vpn server: read -p " What region should the server be located in? 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) + 2. us-east-2 US East (Ohio) + 3. us-west-1 US West (N. California) + 4. us-west-2 US West (Oregon) + 5. ap-south-1 Asia Pacific (Mumbai) + 6. ap-northeast-2 Asia Pacific (Seoul) + 7. ap-southeast-1 Asia Pacific (Singapore) + 8. ap-southeast-2 Asia Pacific (Sydney) + 9. ap-northeast-1 Asia Pacific (Tokyo) + 10. eu-central-1 EU (Frankfurt) + 11. eu-west-1 EU (Ireland) + 12. sa-east-1 South America (São Paulo) Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} case "$aws_region" in 1) region="us-east-1" ;; - 2) region="us-west-1" ;; - 3) region="us-west-2" ;; - 4) region="ap-south-1" ;; - 5) region="ap-northeast-2" ;; - 6) region="ap-southeast-1" ;; - 7) region="ap-southeast-2" ;; - 8) region="ap-northeast-1" ;; - 9) region="eu-central-1" ;; - 10) region="eu-west-1" ;; - 11) region="sa-east-1" ;; + 2) region="us-east-2" ;; + 3) region="us-west-1" ;; + 4) region="us-west-2" ;; + 5) region="ap-south-1" ;; + 6) region="ap-northeast-2" ;; + 7) region="ap-southeast-1" ;; + 8) region="ap-southeast-2" ;; + 9) region="ap-northeast-1" ;; + 10) region="eu-central-1" ;; + 11) region="eu-west-1" ;; + 12) region="sa-east-1" ;; esac ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" From 7ad0a343d5a7a2287782fc5aae1fb202597a4646 Mon Sep 17 00:00:00 2001 
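Review bot: The menu text and the `case` table now carry the same twelve regions as two parallel lists, which is exactly how a numbering slip happens when a region is inserted, and a number outside 1–12 still leaves `region` empty because the `case` has no default arm. Driving both from one array, `regions=(us-east-1 us-east-2 ...)` and `region=${regions[$((aws_region-1))]}`, keeps them in step, and a `*)` arm that exits with a message would stop `ansible-playbook` from being invoked with `region=`. The enclosing function starts before the hunk.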
From: Jack Ivanov Date: Fri, 21 Oct 2016 20:27:14 +0300 Subject: [PATCH 11/53] add prompts for optional features. resolved #103 --- algo | 89 ++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/algo b/algo index 6921beff..cb98f294 100755 --- a/algo +++ b/algo @@ -2,11 +2,50 @@ set -e +additional_roles () { +read -p " +Do you want to apply security enhancements? +[y/N]: " -r security_enabled +security_enabled=${security_enabled:-n} +if [[ "$security_enabled" == 'y' ]]; then ROLES+=" security"; fi + +read -p " +Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? +[y/N]: " -r proxy_enabled +proxy_enabled=${proxy_enabled:-n} +if [[ "$proxy_enabled" == 'y' ]]; then ROLES+=" proxy"; fi + +read -p " +Do you want to install a local DNS resolver to block ads while surfing? +[y/N]: " -r dns_enabled +dns_enabled=${dns_enabled:-n} +if [[ "$dns_enabled" == 'y' ]]; then ROLES+=" dns"; fi + +read -p " +Do you want to use auditd for security monitoring (see config.cfg)? +[y/N]: " -r logging_enabled +logging_enabled=${logging_enabled:-n} +if [[ "$logging_enabled" == 'y' ]]; then ROLES+=" logging"; fi + +read -p " +Do you want each user to have their own account for SSH tunneling? +[y/N]: " -r ssh_tunneling_enabled +ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} +if [[ "$ssh_tunneling_enabled" == 'y' ]]; then ROLES+=" ssh_tunneling"; fi + +} + +deploy () { + + ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" + +} + digitalocean () { read -p " Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): : " -rs do_access_token - + read -p " Enter an existing SSH key name (https://cloud.digitalocean.com/settings/security): : " -r do_ssh_name 
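Review bot: The new `deploy` function passes `EXTRA_VARS` on the `ansible-playbook` command line, and for the cloud providers that string carries `do_access_token` and `aws_secret_key`, so the secrets are visible to any local process listing for the duration of the run. Writing the variables to a temporary file created with restrictive permissions and passing `-e @"$vars_file"` keeps them out of argv, and `ansible-playbook` accepts JSON or YAML there. Because this function is the single place the command is built, the change stays contained to it.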
@@ -30,10 +69,10 @@ Name the vpn server: 10. Singapore 11. Toronto 12. Bangalore -Enter the number of your desired region: +Enter the number of your desired region: [7]: " -r region region=${region:-7} - + case "$region" in 1) do_region="ams2" ;; 2) do_region="ams3" ;; @@ -48,9 +87,9 @@ Enter the number of your desired region: 11) do_region="tor1" ;; 12) do_region="blr1" ;; esac - -ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" +ROLES="digitalocean vpn" +EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } ec2 () { @@ -63,7 +102,7 @@ Note: Make sure to use either your root key (recommended) or an IAM user with an Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key - + read -e -p " Enter the local path to your SSH public key: : " -i "~/.ssh/id_rsa.pub" -r ssh_public_key @@ -87,13 +126,13 @@ Name the vpn server: 10. eu-central-1 EU (Frankfurt) 11. eu-west-1 EU (Ireland) 12. sa-east-1 South America (São Paulo) -Enter the number of your desired region: +Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} - - case "$aws_region" in + + case "$aws_region" in 1) region="us-east-1" ;; - 2) region="us-east-2" ;; + 2) region="us-east-2" ;; 3) region="us-west-1" ;; 4) region="us-west-2" ;; 5) region="ap-south-1" ;; 
@@ -105,16 +144,16 @@ Enter the number of your desired region: 11) region="eu-west-1" ;; 12) region="sa-east-1" ;; esac - -ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + ROLES="ec2 vpn" + EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" } gce () { read -p " -Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): +Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - + read -e -p " Enter the local path to your SSH public key: : " -i "~/.ssh/id_rsa.pub" -r ssh_public_key @@ -141,9 +180,9 @@ Name the vpn server: 13. East Asia (Taiwan C) Please choose the number of your zone. Press enter for default (#8) zone. [8]: " -r region - region=${region:-8} - - case "$region" in + region=${region:-8} + + case "$region" in 1) zone="us-central1-a" ;; 2) zone="us-central1-b" ;; 3) zone="us-central1-c" ;; @@ -158,16 +197,16 @@ Please choose the number of your zone. Press enter for default (#8) zone. 12) zone="asia-east1-b" ;; 13) zone="asia-east1-c" ;; esac - -ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" + ROLES="gce vpn" + EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } non_cloud () { read -p " Enter IP address of your server: (use localhost for local installation) : " -r server_ip - + read -p " What user should we use to login on the server? (ignore if you're deploying to localhost) [root]: " -r server_user 
@@ -176,8 +215,10 @@ What user should we use to login on the server? (ignore if you're deploying to l read -p " Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) : " -r IP_subject - - ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + + ROLES="local vpn" + EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" + } algo_provisioning () { @@ -201,6 +242,8 @@ Enter the number of your desired provider *) exit 1 ;; esac + additional_roles + deploy } user_management () { @@ -210,4 +253,4 @@ user_management () { case "$1" in update-users) user_management ;; *) algo_provisioning ;; -esac +esac From 13649dc7876c1ad5cd3f8d36ab74b2a874a0c9f6 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 22 Oct 2016 19:42:53 +0400 Subject: [PATCH 12/53] Update README.md #104 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 6d1e1ce9..4cc84732 100644 --- a/README.md +++ b/README.md 
@@ -43,6 +43,10 @@ Certificates and configuration files that users will need are placed in the `con Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. +### Android Devices + +You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use. + ### StrongSwan Clients (e.g., OpenWRT) Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device. From 154bb523cf1a8dcc0546476498d319bd737dd858 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 17:53:08 +0300 Subject: [PATCH 13/53] set AllowTcpForwarding to local --- roles/ssh_tunneling/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index ea4d086e..7083431d 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -6,7 +6,7 @@ marker: '# ANSIBLE_MANAGED_ssh_tunneling_role' block: | Match Group algo - AllowTcpForwarding remote + AllowTcpForwarding local AllowAgentForwarding no AllowStreamLocalForwarding no PermitTunnel no From b029a95405644554ffe5da7b8a13a3ec4b62b2c1 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:08:33 +0300 Subject: [PATCH 14/53] ignore swp files --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
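Review bot: The reason for `local` exists only in the commit title; since this line is the access-control decision for the `algo` group, it deserves a comment inside the `block: |` so a later edit does not flip it back. Suggest placing `# local: client-side (-L/-D) forwarding only; remote would let tunnel users bind listening ports on the server` directly above `AllowTcpForwarding local`. Note that `local` still allows forwarding to any destination the server can reach, which is what the `ssh -D` usage documented elsewhere on this page relies on, so no `PermitOpen` restriction is implied.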
diff --git a/.gitignore b/.gitignore index 9df513b3..e1c9fea7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.retry configs/* inventory_users +*.kate-swp From 20fe13f30eecc337bc0ad40acc42effc225e1c1f Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:08:58 +0300 Subject: [PATCH 15/53] Fix SSH keys permissions --- roles/ssh_tunneling/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 7083431d..ff787161 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -57,5 +57,10 @@ fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes with_items: "{{ users }}" +- name: Change mode for SSH private keys + local_action: file path=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600 + with_items: "{{ users }}" + become: false + - name: Fetch the known_hosts file fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes From 961bec4358de5aaae7a3bcd84d4ef6c1be7191d4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 18:09:16 +0300 Subject: [PATCH 16/53] Fix prompts --- algo | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/algo b/algo index cb98f294..1727abf3 100755 --- a/algo +++ b/algo 
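Review bot: The mode is tightened only after `fetch` has already written `configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem` with the controller's default umask, so each private key exists with wider permissions for a moment and, if the play stops between the two tasks, stays that way. Since `fetch` takes no mode, a local `file` task that creates the `configs` directory with `state=directory mode=0700` before the fetch would cover the keys (and the known_hosts file fetched afterwards) regardless of umask. Prefer the block form with `mode: "0600"` over the `key=value` string, which matches the ansible-lint guideline added to CONTRIBUTING on this page and keeps the leading zero unambiguous.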
@@ -7,31 +7,31 @@ read -p " Do you want to apply security enhancements? [y/N]: " -r security_enabled security_enabled=${security_enabled:-n} -if [[ "$security_enabled" == 'y' ]]; then ROLES+=" security"; fi +if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi read -p " Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? [y/N]: " -r proxy_enabled proxy_enabled=${proxy_enabled:-n} -if [[ "$proxy_enabled" == 'y' ]]; then ROLES+=" proxy"; fi +if [[ "$proxy_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" proxy"; fi read -p " Do you want to install a local DNS resolver to block ads while surfing? [y/N]: " -r dns_enabled dns_enabled=${dns_enabled:-n} -if [[ "$dns_enabled" == 'y' ]]; then ROLES+=" dns"; fi +if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi read -p " Do you want to use auditd for security monitoring (see config.cfg)? [y/N]: " -r logging_enabled logging_enabled=${logging_enabled:-n} -if [[ "$logging_enabled" == 'y' ]]; then ROLES+=" logging"; fi +if [[ "$logging_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" logging"; fi read -p " Do you want each user to have their own account for SSH tunneling? [y/N]: " -r ssh_tunneling_enabled ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} -if [[ "$ssh_tunneling_enabled" == 'y' ]]; then ROLES+=" ssh_tunneling"; fi +if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi } From ef45ac25918cb33d81bc82e5d32a7fe54ca331c8 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 24 Oct 2016 19:16:34 +0400 Subject: [PATCH 17/53] Update README.md #105 --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4cc84732..d3372f7d 100644 --- a/README.md +++ b/README.md 
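Review bot: The same `read`/default/`=~ ^(y|Y)$` triplet is now repeated five times in `additional_roles`, which is why this fix had to touch five lines and why the next change to the accepted answers will again. A small helper such as `yes_no() { read -p "$1 [y/N]: " -r ans; [[ "${ans:-n}" =~ ^[yY]$ ]]; }` reduces each prompt to one `if yes_no "Do you want to apply security enhancements?"; then ROLES+=" security"; fi` line. The function's closing brace is the only other line in the hunk.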
@@ -67,7 +67,10 @@ Depending on the platform, you may need one or multiple of the following files. If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. -Make sure to access the server using 'ssh -N' with these limited accounts. +Make sure to access the server using 'ssh -N' with these limited accounts. +In order to make a tunnel you have to run this command: +`ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem` +Don't forget to change `ip` and `user`. And then you can configure your browsers to use 127.0.0.1:1080 as sock4/5 ## Adding or Removing Users From 46f46e88df00ec72593430eba14230cae77dc40c Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 25 Oct 2016 21:33:46 +0300 Subject: [PATCH 18/53] fix dependencies --- roles/proxy/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml index e985f927..ef71a470 100644 --- a/roles/proxy/meta/main.yml +++ b/roles/proxy/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - { role: common, tags: common } + - { role: vpn, tags: vpn } From 0b7e464b7ec10a4f5da84adc4873f375cd4b68a3 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 26 Oct 2016 18:56:23 +0300 Subject: [PATCH 19/53] extra vars added to use local DNS #110 --- algo | 2 +- config.cfg | 4 ---- roles/vpn/templates/ipsec.conf.j2 | 2 +- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/algo b/algo index 1727abf3..c24fe1e3 100755 --- a/algo +++ b/algo 
@@ -19,7 +19,7 @@ read -p " Do you want to install a local DNS resolver to block ads while surfing? [y/N]: " -r dns_enabled dns_enabled=${dns_enabled:-n} -if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi +if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=Y"; fi read -p " Do you want to use auditd for security monitoring (see config.cfg)? diff --git a/config.cfg b/config.cfg index c9cedd81..6db3c7e8 100644 --- a/config.cfg +++ b/config.cfg @@ -27,10 +27,6 @@ vpn_network_ipv6: 'fd9d:bc11:4020::/48' server_name: "{{ ansible_ssh_host }}" IP_subject_alt_name: "{{ ansible_ssh_host }}" -# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False) -service_dns: True - -# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list. dns_servers: - 8.8.8.8 - 8.8.4.4 diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index fa29458d..2bd6ad10 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -17,7 +17,7 @@ conn %default right=%any rightauth=pubkey rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }} -{% if service_dns is defined and service_dns == "Y" %} +{% if local_dns is defined and local_dns == "Y" %} rightdns={{ local_service_ip }} {% else %} rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %} From a71ce7c52adf12f425ab33793b395b0b04e240eb Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 26 Oct 2016 19:10:49 +0300 Subject: [PATCH 20/53] Fix for SSH timeout and attempts #111 --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index dc8f8cd4..1a3afab2 100644 --- a/ansible.cfg +++ b/ansible.cfg 
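Review bot: Removing `service_dns` also removes the only comment that described `dns_servers`, leaving a bare list whose role (the servers pushed to clients when the local resolver is not used) is now documented nowhere in `config.cfg`. Suggest keeping a one-liner above it: `# DNS servers pushed to VPN clients unless the local DNS resolver role is enabled (the ./algo prompt sets local_dns=Y).` The `ipsec.conf.j2` hunk in this commit is where that condition is evaluated, so the comment and the template agree.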
@@ -8,5 +8,5 @@ host_key_checking = False record_host_keys = False [ssh_connection] -ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null +ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o ConnectTimeout=6 -o ConnectionAttempts=30 scp_if_ssh = True From 37a8af5c1b7f30d8a8386195f10fdf7a92ea0ed3 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 28 Oct 2016 21:00:11 +0300 Subject: [PATCH 21/53] skip-tags added. Fixed #121 --- algo | 12 +++++++----- roles/common/tasks/main.yml | 8 ++++++++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/algo b/algo index c24fe1e3..9acb841d 100755 --- a/algo +++ b/algo @@ -2,6 +2,8 @@ set -e +SKIP_TAGS="_null" + additional_roles () { read -p " Do you want to apply security enhancements? @@ -37,7 +39,7 @@ if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi deploy () { - ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" + ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}" } @@ -88,7 +90,7 @@ Enter the number of your desired region: 12) do_region="blr1" ;; esac -ROLES="digitalocean vpn" +ROLES="digitalocean vpn cloud" EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" } @@ -145,7 +147,7 @@ Enter the number of your desired region: 12) region="sa-east-1" ;; esac - ROLES="ec2 vpn" + ROLES="ec2 vpn cloud" EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" } @@ -198,7 +200,7 @@ Please choose the number of your zone. Press enter for default (#8) zone. 13) zone="asia-east1-c" ;; esac - ROLES="gce vpn" + ROLES="gce vpn cloud" EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" } 
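Review bot: `SKIP_TAGS="_null"` exists only so `--skip-tags` never receives an empty string, and the placeholder tag name is passed to every run including cloud deploys. Initializing `SKIP_TAGS=""` and adding the option only when needed, e.g. `skip_opt=(); if [[ -n "$SKIP_TAGS" ]]; then skip_opt=(--skip-tags "${SKIP_TAGS// /,}"); fi` followed by `"${skip_opt[@]}"` on the command line, removes the sentinel. This applies to the `deploy` hunk and to the `SKIP_TAGS+=" cloud"` line in the non_cloud hunk that follows.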
@@ -218,7 +220,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif ROLES="local vpn" EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" - + SKIP_TAGS+=" cloud" } algo_provisioning () { diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 44aa3452..4b6e2ee1 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -12,6 +12,8 @@ args: executable: /bin/bash register: reboot_required + tags: + - cloud - name: Reboot shell: sleep 2 && shutdown -r now "Ansible updates triggered" @@ -19,16 +21,22 @@ poll: 0 when: reboot_required is defined and reboot_required.stdout == 'required' ignore_errors: true + tags: + - cloud - name: Wait for shutdown local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' become: false + tags: + - cloud - name: Wait until SSH becomes ready... local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' become: false + tags: + - cloud - name: Disable MOTD on login and SSHD replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" From 341ac5aaf3ea3741e736ae1f8acf72a8fe0b6e62 Mon Sep 17 00:00:00 2001 From: Nima Fatemi Date: Fri, 28 Oct 2016 19:48:28 +0000 Subject: [PATCH 22/53] Avoid using + for email address using + in email add (eg email+auditd@domain.tld) would cause auditd fail to start see #117 --- config.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config.cfg b/config.cfg index 6db3c7e8..26f14584 100644 --- a/config.cfg +++ b/config.cfg 
@@ -5,7 +5,8 @@ users: - dan - jack -# Add an email address to send logs if you're using auditd for monitoring, +# Add an email address to send logs if you're using auditd for monitoring. +# Avoid using '+' in your email address otherwise auditd will fail to start. auditd_action_mail_acct: email@example.com # Exported certificates will be protected by the password below: From 4198696e1f8e4933648fb22c1debe9702060d395 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Thu, 3 Nov 2016 17:21:18 +0300 Subject: [PATCH 23/53] Fixed #108 --- roles/vpn/tasks/main.yml | 4 +++- roles/vpn/templates/mobileconfig.j2 | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index fbe4b94e..6fff583c 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -170,6 +170,9 @@ - name: Set facts for mobileconfigs set_fact: proxy_enabled: false + pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" + VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" + CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 @@ -224,4 +227,3 @@ - include: iptables.yml tags: iptables - diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 5714839f..762848ab 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -44,7 +44,7 @@ LocalIdentifier {{ item.0 }} PayloadCertificateUUID - 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + {{ pkcs12_PayloadCertificateUUID }} CertificateType ECDSA256 ServerCertificateIssuerCommonName 
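Review bot: The three facts are computed once per host, so every user's mobileconfig built in the same play shares the same VPN, PKCS#12 and CA `PayloadUUID`; and `N | random | to_uuid` maps a number below N to a fixed UUID, so each identifier has at most N distinct values and the VPN and CA ones coincide whenever the two draws return the same number. Deriving the UUIDs from stable inputs in the template instead, e.g. `{{ (IP_subject_alt_name ~ '/' ~ item.0 ~ '/pkcs12') | to_uuid | upper }}`, gives a per-user, per-payload identifier that is also identical on re-runs, which as I understand Apple's profile handling lets a re-issued profile replace the previous one instead of installing beside it. The same applies to the per-render `{{ 400000 | random | to_uuid | upper }}` and `donut.local.…` values in the `mobileconfig.j2` hunks of this commit.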
@@ -66,11 +66,11 @@ PayloadDisplayName VPN PayloadIdentifier - com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53 + com.apple.vpn.managed.{{ VPN_PayloadIdentifier }} PayloadType com.apple.vpn.managed PayloadUUID - D247A30B-6023-4C8E-B3E3-FF1910A65E53 + {{ VPN_PayloadIdentifier }} PayloadVersion 1 Proxies @@ -111,11 +111,11 @@ PayloadDisplayName {{ item.0 }}.p12 PayloadIdentifier - com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }} PayloadType com.apple.security.pkcs12 PayloadUUID - 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + {{ pkcs12_PayloadCertificateUUID }} PayloadVersion 1 @@ -131,11 +131,11 @@ PayloadDisplayName {{ IP_subject_alt_name }} PayloadIdentifier - com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38 + com.apple.security.root.{{ CA_PayloadIdentifier }} PayloadType com.apple.security.root PayloadUUID - 32EA3AAA-D19E-43EF-B357-608218745A38 + {{ CA_PayloadIdentifier }} PayloadVersion 1 @@ -148,16 +148,16 @@ {% endif %} PayloadIdentifier {% if proxy_enabled is defined and proxy_enabled == true %} - donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA + donut.local.{{ 600000 | random | to_uuid | upper }} {% else %} - donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE + donut.local.{{ 500000 | random | to_uuid | upper }} {% endif %} PayloadRemovalDisallowed PayloadType Configuration PayloadUUID - 743B04A8-5725-45A2-B1BB-836F8C16DB0A + {{ 400000 | random | to_uuid | upper }} PayloadVersion 1 From fb237512566495e6e0c6aacee0ec259ef388329f Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Thu, 3 Nov 2016 18:05:56 +0300 Subject: [PATCH 24/53] inplemented #109 --- algo | 20 +++++++++++++ roles/vpn/templates/mobileconfig.j2 | 44 +++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/algo b/algo index 9acb841d..4911274d 100755 --- a/algo +++ b/algo 
@@ -35,6 +35,26 @@ Do you want each user to have their own account for SSH tunneling? ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi +read -p " +Do you want to enable VPN always when connected to Wi-Fi? +[y/N]: " -r OnDemandEnabled_WIFI +OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n} +if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi + +if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then + read -p " +Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi) +: " -r OnDemandEnabled_WIFI_ECXLUDE + OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null} + EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE" +fi + +read -p " +Do you want to enable VPN always when connected to the cellular network? +[y/N]: " -r OnDemandEnabled_Cellular +OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} +if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi + } deploy () { diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 762848ab..d7ac8998 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 
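Review bot: `OnDemandEnabled_WIFI_ECXLUDE` is appended to `EXTRA_VARS` unquoted, and since `EXTRA_VARS` is a plain space-separated string (its consumer is outside the hunk), an SSID containing a space — very common — splits into a bogus extra variable and silently truncates the exclusion list. Quoting the value inside the string, `EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE='$OnDemandEnabled_WIFI_ECXLUDE'"`, works if the whole string reaches `ansible-playbook` as one `-e` argument, because Ansible's key=value parser honours quotes; confirm that at the call site. The prompt should also warn that the exclusion matches on SSID name alone, which any nearby attacker can broadcast to make the device drop the VPN, e.g. `Note: networks are matched by name only; a spoofed SSID will also disable the VPN.` Also `trust Wi-Fi networks` → `trusted Wi-Fi networks`, and the variable is misspelled `ECXLUDE` throughout.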
@@ -6,7 +6,51 @@ IKEv2 +{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} + OnDemandEnabled + 1 + OnDemandRules + +{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %} +{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %} + + Action + Disconnect + InterfaceTypeMatch + WiFi + SSIDMatch + +{% for network_name in WIFI_ECXLUDE_LIST %} + {{ network_name }} +{% endfor %} + + +{% else %} +{% endif %} + + Action +{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %} + Connect + {% else %} + Disconnect +{% endif %} + InterfaceTypeMatch + WiFi + + + Action +{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %} + Connect + {% else %} + Disconnect +{% endif %} + InterfaceTypeMatch + Cellular + + +{% else %} +{% endif %} AuthenticationMethod Certificate ChildSecurityAssociationParameters From fe0bbd7c76ef9ea46dd1390a0004615670dd16fc Mon Sep 17 00:00:00 2001 From: Kevin Cernekee Date: Sun, 6 Nov 2016 09:40:07 -0800 Subject: [PATCH 25/53] Add missing tags in common playbook If the common playbook is invoked with the "cloud" tag, non-cloud tasks will be skipped. On GCE this causes "Install tools" to be skipped, apparmor-utils is not installed, and then the "Enforcing ipsec with apparmor" step fails. --- roles/common/tasks/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 4b6e2ee1..9cdb88dc 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -2,9 +2,13 @@ - name: Gather Facts setup: + tags: + - always - name: Install software updates apt: update_cache=yes upgrade=dist + tags: + - cloud - name: Check if reboot is required shell: 
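Review bot: `{{ network_name }}` is written into the plist without XML escaping, so an SSID containing `&` or `<` yields a malformed profile that devices refuse to install; use `{{ network_name | trim | escape }}` (`trim` also drops the spaces users tend to type around commas). The empty `{% else %}{% endif %}` pairs after the exclusion block and at the end of the OnDemand section are noise and can be removed. The `{% else %}` lines inside the WiFi and Cellular rules are indented differently from the surrounding tags, which makes the rendered output harder to eyeball. Since the exclusion rule relies solely on `SSIDMatch`, a template comment noting that a spoofed SSID also satisfies it is worth adding.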
> @@ -43,6 +47,8 @@ with_items: - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } + tags: + - cloud - name: Install tools apt: name="{{ item }}" state=latest @@ -55,24 +61,36 @@ - sendmail - iptables-persistent - cgroup-tools + tags: + - always - name: Loopback for services configured template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg notify: - restart loopback + tags: + - always - name: Loopback included into the network config lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present notify: - restart loopback + tags: + - always - meta: flush_handlers + tags: + - always - name: Enable packet forwarding for IPv4 sysctl: name="{{ item }}" value=1 with_items: - net.ipv4.ip_forward - net.ipv4.conf.all.forwarding + tags: + - always - name: Enable packet forwarding for IPv6 sysctl: name=net.ipv6.conf.all.forwarding value=1 + tags: + - always From a805dc0beff12ac5dd4a63ae9a7d43f01119de46 Mon Sep 17 00:00:00 2001 From: Kevin Cernekee Date: Sun, 6 Nov 2016 09:42:58 -0800 Subject: [PATCH 26/53] Use /var/run/reboot-required to determine if a restart is needed The current check only looks to see if a new kernel was installed. --- roles/common/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9cdb88dc..a5730ac1 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -12,7 +12,7 @@ - name: Check if reboot is required shell: > - if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi + if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi args: executable: /bin/bash register: reboot_required 
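Review bot: `Install software updates` is tagged only `cloud`, so whenever the play is run with a tag list that lacks it (the algo script passes `ROLES` as tags; its local-install value is outside this page) the dist-upgrade is skipped entirely, and nothing in the task says so. If leaving existing servers un-upgraded is deliberate, state it inline: `# cloud only: fresh images are dist-upgraded, an existing local server is left untouched`. `Check if reboot is required` received no tag in the visible part of the hunk, so under a tagged run it is skipped as well and any later reference to `reboot_required` would hit an undefined variable; it needs `tags: [cloud]` to match the upgrade task it depends on.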
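Review bot: `/var/run/reboot-required` is only written by the `update-notifier-common` hook, which ships on Ubuntu cloud images but is not guaranteed on a minimal local install, so on such hosts the check silently answers `no` after a kernel upgrade. Keeping the old kernel comparison as a fallback covers that case where `/vmlinuz` exists: `if [[ -e /var/run/reboot-required || $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi`. Alternatively add `update-notifier-common` to the `Install tools` list so the marker file is maintained on every target.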
From 7b8e610b4da462b91f37c7dff595bbca93a07a81 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 23 Nov 2016 20:28:05 +0300 Subject: [PATCH 27/53] Update readme. Fix #120 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d3372f7d..2bd41a89 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,9 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. -1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt` +1. Install the dependencies +1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt` +1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo` From cc04b8822055307d6ef0e333a2d96bc801482aeb Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 23 Nov 2016 20:34:53 +0300 Subject: [PATCH 28/53] Change the site in the congrats handler to whoer.net in order to clarify the message at the end of the install about testing VPN. Fix #110 --- roles/vpn/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 84e08b04..26ba6fff 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml 
@@ -20,7 +20,7 @@ - "# Congratulations! #" - "# Your Algo server is running. #" - "# Config files and certificates are in the ./configs/ directory. #" - - "# Go to https://www.dnsleaktest.com/ after connecting #" + - "# Go to https://whoer.net/ after connecting #" - "# and ensure that all your traffic passes through the VPN. #" - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" - "#----------------------------------------------------------------------#" From c472b9c3c69cb0f2d3157f34d450e74c27716ef9 Mon Sep 17 00:00:00 2001 From: Defunct Date: Thu, 27 Oct 2016 19:00:43 +0000 Subject: [PATCH 29/53] resolves #118 - AWS env keys --- roles/cloud-ec2/tasks/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index eace8c4d..e2b0a65c 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -1,7 +1,7 @@ - name: Locate official Ubuntu 16.04 AMI for region ec2_ami_find: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" owner: 099720109477 sort: name @@ -15,8 +15,8 @@ - name: Add ssh public key ec2_key: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: VPNKEY region: "{{ region }}" key_material: "{{ item }}" 
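Review bot: `default()` only fires when `aws_access_key` is undefined, but the algo script presumably passes `aws_access_key=$aws_access_key` in `-e` even when the prompt was left blank (the azure branch on this page builds `EXTRA_VARS` that way), so an empty string is defined and the `AWS_ACCESS_KEY_ID` fallback never triggers. Use the second argument to treat empty values as missing too: `aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"` and likewise for the secret. Simpler still, the boto-backed modules already read the environment and `~/.aws/credentials` when the parameters are omitted, so a single conditional vars block would replace the four identical copies. Either way the keys end up on the `ansible-playbook` command line and thus in local process listings; a comment saying so is warranted.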
@@ -25,8 +25,8 @@ - name: Configure EC2 security group ec2_group: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: vpn-secgroup description: Security group for VPN servers region: "{{ region }}" @@ -51,8 +51,8 @@ - name: Launch instance ec2: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" + aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" + aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" keypair: "VPNKEY" group: vpn-secgroup instance_type: t2.nano From a1bd290a88448f481d938abf41f514b6fdf46eb1 Mon Sep 17 00:00:00 2001 From: Defunct Date: Thu, 27 Oct 2016 19:29:19 +0000 Subject: [PATCH 30/53] support older bash versions - resolves #116 --- algo | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/algo b/algo index c24fe1e3..eba3eb42 100755 --- a/algo +++ b/algo @@ -103,9 +103,10 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key - read -e -p " -Enter the local path to your SSH public key: -: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key + + read -p " +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key_file +ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: 
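Review bot: The new default `ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub}` is accepted without checking that the file is readable, so a typo, or a user who only has `id_ed25519.pub`, fails much later inside the ec2 role instead of at the prompt; add `[[ -r "${ssh_public_key/#\~/$HOME}" ]] || { echo "Cannot read $ssh_public_key"; exit 1; }` right after the assignment. The context line above still tells users the AWS root key is `recommended`; the role only calls `ec2_ami_find`, `ec2_key`, `ec2_group` and `ec2`, so an IAM user scoped to EC2 permissions is the safer recommendation and the wording should be inverted. The hunk also leaves the `read -p` for the server name dedented relative to its neighbours.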
@@ -154,9 +155,9 @@ gce () { Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): : " -r credentials_file - read -e -p " -Enter the local path to your SSH public key: -: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key + read -p " +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key +ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: From 92525a3bcaa2b7a92aa2e02c80729cdb49287f1a Mon Sep 17 00:00:00 2001 From: Defunct Date: Sun, 13 Nov 2016 18:44:41 +0000 Subject: [PATCH 31/53] resolves #126 - incorrect private key usage w/o ssh-agent --- algo | 8 ++++---- roles/cloud-ec2/tasks/main.yml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/algo b/algo index eba3eb42..8eeb05af 100755 --- a/algo +++ b/algo @@ -105,10 +105,10 @@ Note: Make sure to use either your root key (recommended) or an IAM user with an read -p " -Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key_file -ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key + ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub} - read -p " +read -p " Name the vpn server: [algo]: " -r aws_server_name aws_server_name=${aws_server_name:-algo} @@ -157,7 +157,7 @@ Enter the local path to your credentials JSON file (https://support.google.com/c read -p " Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key -ssh_public_key=${ssh_public_key_file:-$HOME/.ssh/id_rsa.pub} + ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index e2b0a65c..4b8de61e 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
@@ -66,6 +66,7 @@ - name: Add new instance to host group add_host: hostname: "{{ item.public_ip }}" + ansible_ssh_private_key_file: "{{ ssh_public_key[:-4] }}" groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" From d2df960c0356415cd1eab34540841a062441a65b Mon Sep 17 00:00:00 2001 From: fkt Date: Sat, 26 Nov 2016 18:05:06 +0000 Subject: [PATCH 32/53] Show congrats message at the end - #115 --- deploy.yml | 15 +++++++++++++++ roles/vpn/handlers/main.yml | 12 ------------ roles/vpn/tasks/main.yml | 2 -- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/deploy.yml b/deploy.yml index 9fbf792f..7fecd165 100644 --- a/deploy.yml +++ b/deploy.yml @@ -38,3 +38,18 @@ handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' + + post_tasks: + - shell: | + echo "#----------------------------------------------------------------------#" + echo "# Congratulations! #" + echo "# Your Algo server is running. #" + echo "# Config files and certificates are in the ./configs/ directory. #" + echo "# Go to https://whoer.net/ after connecting #" + echo "# and ensure that all your traffic passes through the VPN. #" + echo "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" + echo "#----------------------------------------------------------------------#" + tags: always + register: congrats + - debug: msg="{{ congrats.stdout_lines }}" + tags: always diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 26ba6fff..32885b5f 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml 
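Review bot: `ssh_public_key[:-4]` assumes the public key path ends in exactly `.pub`; for any other name it silently strips four unrelated characters and SSH later fails with an opaque error, and it also assumes the private key sits beside the public one, which is false for agent-only or hardware-backed keys. Strip the suffix explicitly and fall back to the agent when it does not match: `ansible_ssh_private_key_file: "{{ ssh_public_key[:-4] if ssh_public_key.endswith('.pub') else omit }}"`. A separate prompt for the private key path, defaulting to ssh-agent, would be cleaner than inferring it. The `with_items` loop of this `add_host` task is outside the hunk.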
@@ -12,15 +12,3 @@ - name: restart iptables service: name=netfilter-persistent state=restarted - -- name: congrats - debug: - msg: - - "#----------------------------------------------------------------------#" - - "# Congratulations! #" - - "# Your Algo server is running. #" - - "# Config files and certificates are in the ./configs/ directory. #" - - "# Go to https://whoer.net/ after connecting #" - - "# and ensure that all your traffic passes through the VPN. #" - - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" - - "#----------------------------------------------------------------------#" diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 6fff583c..53734b76 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -222,8 +222,6 @@ - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes - notify: - - congrats - include: iptables.yml tags: iptables From 4e963fcfe528e3f2679f7431865abd2de348e842 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 26 Nov 2016 23:22:12 +0300 Subject: [PATCH 33/53] mobileconfig fix --- roles/vpn/templates/mobileconfig.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index d7ac8998..e7966216 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -6,8 +6,8 @@ IKEv2 -{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} +{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} OnDemandEnabled 1 OnDemandRules From ace3eccc48bccb8bc2b71e8baad582efcac517fd Mon Sep 17 00:00:00 2001 
From: Jack Ivanov Date: Sat, 26 Nov 2016 23:42:04 +0300 Subject: [PATCH 34/53] Issue template --- .github/ISSUE_TEMPLATE.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 00000000..0689e365 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,27 @@ +### OS / Environment + + + +### Ansible version + + + +### Version of components from `requirements.txt` + + + +### Summary of the problem + + + +### Steps to reproduce the behavior + + + +### Expected behavior + + + +### Actual behavior + + From dc80f0817a7d102f3506a499a6ff876a1a484a29 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 27 Nov 2016 01:37:17 +0300 Subject: [PATCH 35/53] Windows RSA support #9 --- algo | 6 ++++++ config.cfg | 2 -- roles/vpn/templates/client_ipsec.conf.j2 | 8 ++++++++ roles/vpn/templates/client_ipsec.secrets.j2 | 5 ++++- roles/vpn/templates/easy-rsa.vars.j2 | 4 ++++ roles/vpn/templates/ipsec.conf.j2 | 8 ++++++++ roles/vpn/templates/ipsec.secrets.j2 | 5 ++++- 7 files changed, 34 insertions(+), 4 deletions(-) diff --git a/algo b/algo index 4911274d..cd224d84 100755 --- a/algo +++ b/algo @@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network? OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi +read -p " +Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers) +[y/N]: " -r Win10_Enabled +Win10_Enabled=${Win10_Enabled:-n} +if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi + } deploy () { diff --git a/config.cfg b/config.cfg index 26f14584..51f00219 100644 --- a/config.cfg +++ b/config.cfg 
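Review bot: The prompt understates the blast radius: with `Win10_Enabled=Y` the easy-rsa vars switch `EASYRSA_ALGO` to `rsa` for the CA and every client certificate, and the server's `conn %default` gains the weaker proposals for all peers, so Apple and strongSwan clients are affected too, not just Windows. Say so in the prompt, e.g. `Do you want to enable VPN for Windows 10 clients? (Switches ALL certificates to RSA and adds weaker IKE/ESP proposals for every client)`. A short comment in the script listing the templates that key off this flag would help whoever later tries to make it per-user.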
@@ -59,8 +59,6 @@ ipsec_config: dpddelay: '35s' rekey: 'no' keyexchange: 'ikev2' - ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!' - esp: 'aes128gcm16-sha2_256-ecp256!' compress: 'yes' fragmentation: 'yes' diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2 index 3b01ff16..2e97c36b 100644 --- a/roles/vpn/templates/client_ipsec.conf.j2 +++ b/roles/vpn/templates/client_ipsec.conf.j2 @@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }} {{ key }}={{ value }} {% endfor %} +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048! + esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024! +{% else %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256 + esp=aes128gcm16-sha2_256-ecp256 +{% endif %} + right={{ IP_subject_alt_name }} rightid={{ IP_subject_alt_name }} rightsubnet=0.0.0.0/0 diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2 index ec4a30fa..61603129 100644 --- a/roles/vpn/templates/client_ipsec.secrets.j2 +++ b/roles/vpn/templates/client_ipsec.secrets.j2 @@ -1,2 +1,5 @@ +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key +{% else %} {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key - +{% endif %} diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2 index 50159aa6..2805b3b6 100644 --- a/roles/vpn/templates/easy-rsa.vars.j2 +++ b/roles/vpn/templates/easy-rsa.vars.j2 @@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only" # * rsa # * ec +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +set_var EASYRSA_ALGO rsa +{% else %} set_var EASYRSA_ALGO ec +{% endif %} # Define the named curve, used in ec mode only: diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index 2bd6ad10..c412994d 100644 
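Review bot: The Windows branch of the client config advertises `aes256-sha1-modp1024` for ESP — HMAC-SHA1 and a 1024-bit MODP group — and the default branch drops the trailing `!`, which in strongSwan means the built-in default proposals are accepted alongside the listed ones; both are downgrades from the strict `ecp256!` values that the `config.cfg` hunk removes. The server template is corrected later in this series (patch 38 moves to `aes256-sha2_256-modp2048!` and restores `!`), but this client file is not, so client and server drift apart. Align it: Windows branch `ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!` and `esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!`; default branch `ike=aes128gcm16-sha2_256-prfsha256-ecp256!` and `esp=aes128gcm16-sha2_256-ecp256!`.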
--- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -7,6 +7,14 @@ conn %default {{ key }}={{ value }} {% endfor %} +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048! + esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024! +{% else %} + ike=aes128gcm16-sha2_256-prfsha256-ecp256 + esp=aes128gcm16-sha2_256-ecp256 +{% endif %} + left=%any leftauth=pubkey leftid={{ IP_subject_alt_name }} diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2 index d5793aea..2226f04e 100644 --- a/roles/vpn/templates/ipsec.secrets.j2 +++ b/roles/vpn/templates/ipsec.secrets.j2 @@ -1,2 +1,5 @@ +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +: RSA {{ IP_subject_alt_name }}.key +{% else %} : ECDSA {{ IP_subject_alt_name }}.key - +{% endif %} From 553b5bd0b40abc5ce4828fe80ecb02a03b8ea7f7 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 27 Nov 2016 12:44:05 +0300 Subject: [PATCH 36/53] fix in the mobileconfig template --- roles/vpn/templates/mobileconfig.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index e7966216..1ccb0374 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -90,7 +90,11 @@ PayloadCertificateUUID {{ pkcs12_PayloadCertificateUUID }} CertificateType +{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} + RSA2048 +{% else %} ECDSA256 +{% endif %} ServerCertificateIssuerCommonName {{ IP_subject_alt_name }} RemoteAddress From 67c7dc07130cb992d15301e7bfe1479f06f12171 Mon Sep 17 00:00:00 2001 From: defunct Date: Sun, 27 Nov 2016 12:55:05 -0500 Subject: [PATCH 37/53] opens #126 This commit reverts changes in 437d659 to avoid breaking changes. --- roles/cloud-ec2/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 4b8de61e..e2b0a65c 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -66,7 +66,6 @@ - name: Add new instance to host group add_host: hostname: "{{ item.public_ip }}" - ansible_ssh_private_key_file: "{{ ssh_public_key[:-4] }}" groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" From 204ba59cf4b8fb191aa4bd420978126eeed64efb Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 29 Nov 2016 22:14:18 +0300 Subject: [PATCH 38/53] modify ciphers #9 --- roles/vpn/templates/ipsec.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index c412994d..58089c10 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -9,10 +9,10 @@ conn %default {% if Win10_Enabled is defined and Win10_Enabled == "Y" %} ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048! - esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024! + esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048! {% else %} - ike=aes128gcm16-sha2_256-prfsha256-ecp256 - esp=aes128gcm16-sha2_256-ecp256 + ike=aes128gcm16-sha2_256-prfsha256-ecp256! + esp=aes128gcm16-sha2_256-ecp256! {% endif %} left=%any From 5f1420f9e1acd730a6d52ecff5535e7fa84b10ef Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 29 Nov 2016 23:00:01 +0300 Subject: [PATCH 39/53] Windows support implemented --- README.md | 8 ++++++++ roles/vpn/tasks/main.yml | 12 ++++++++++++ roles/vpn/templates/client_windows.ps1.j2 | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 roles/vpn/templates/client_windows.ps1.j2 diff --git a/README.md b/README.md index 2bd41a89..e9e4bc9a 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,14 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. +### Windows Devices + +You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.
+Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:
+`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 +8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)
+Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine. + ### Apple Devices Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 53734b76..dacc7368 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -191,6 +191,8 @@ with_items: - "{{ users }}" + + - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" @@ -215,6 +217,16 @@ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes with_items: "{{ users }}" +- name: Build the windows client powershell script + template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600 + when: Win10_Enabled is defined and Win10_Enabled == "Y" + with_items: "{{ users }}" + +- name: Fetch users windows scripts + fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes + when: Win10_Enabled is defined and Win10_Enabled == "Y" + with_items: "{{ users }}" + - name: Restrict permissions file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root with_items: diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2 new file mode 100644 index 00000000..9b6d1970 --- /dev/null +++ b/roles/vpn/templates/client_windows.ps1.j2 
@@ -0,0 +1,3 @@ +certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12 +Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required +Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none From f1e07734a8039e720af41ebc46a7df20c69ffbe4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 6 Dec 2016 20:14:08 +0300 Subject: [PATCH 40/53] Fixed. #137 --- config.cfg | 4 ++++ roles/vpn/tasks/main.yml | 5 ----- users.yml | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/config.cfg b/config.cfg index 51f00219..34a1908e 100644 --- a/config.cfg +++ b/config.cfg @@ -64,3 +64,7 @@ ipsec_config: # IP address for the proxy and the local dns resolver local_service_ip: 172.16.0.1 + +pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" +VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" +CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index dacc7368..f5951a45 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -170,9 +170,6 @@ - name: Set facts for mobileconfigs set_fact: proxy_enabled: false - pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" - VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" - CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 
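Review bot: The P12 export password is embedded in clear text in a script handed to every user and then passed on the `certutil` command line, where it shows up in process listings and PowerShell history; at minimum quote it, `certutil -f -p "{{ easyrsa_p12_export_password }}" -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12`, so passwords with spaces or `$` do not break the import, and preferably prompt for it at run time with `Read-Host` instead of templating it in. `-PfsGroup none` disables PFS on the Windows side while the server's Windows ESP proposal in this series carries `modp2048`; if rekeys fail, `-PfsGroup PFS2048` is the matching value — confirm against the strongSwan log. A header comment stating that the script must run elevated and that `certutil -importpfx` without `-user` targets the machine store would make the README instruction self-contained.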
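Review bot: Placing the three UUID expressions in `config.cfg` works because play vars are templated lazily, so each `template` iteration draws a new value, but nothing tells the user editing this file that these are internal and must remain expressions. Add a comment above them: `# Internal: Apple profile identifiers, re-evaluated on every template render. Do not hard-code or remove.` The values come from a non-cryptographic PRNG over a 900000-wide range, which is fine for identifiers but must not be copied for anything secret.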
@@ -191,8 +188,6 @@ with_items: - "{{ users }}" - - - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" diff --git a/users.yml b/users.yml index 6bdbf2e4..fb79ba20 100644 --- a/users.yml +++ b/users.yml @@ -139,7 +139,7 @@ remove: yes force: yes when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" - with_items: "{{ valid_users.stdout_lines }}" + with_items: "{{ valid_users.stdout_lines | default('null') }}" - name: SSH | Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes From 8985228d52691772f28eff24d03543975836a749 Mon Sep 17 00:00:00 2001 From: Defunct Date: Fri, 9 Dec 2016 16:06:19 +0000 Subject: [PATCH 41/53] EC2 Canada - resolves #141 --- algo | 2 ++ 1 file changed, 2 insertions(+) diff --git a/algo b/algo index 8f1db943..75eda1ae 100755 --- a/algo +++ b/algo @@ -155,6 +155,7 @@ Name the vpn server: 10. eu-central-1 EU (Frankfurt) 11. eu-west-1 EU (Ireland) 12. sa-east-1 South America (São Paulo) + 13. ca-central-1 Canada (Central) Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} @@ -172,6 +173,7 @@ Enter the number of your desired region: 10) region="eu-central-1" ;; 11) region="eu-west-1" ;; 12) region="sa-east-1" ;; + 13) region="ca-central-1" ;; esac ROLES="ec2 vpn cloud" From 2f43feca770022e78266f0e8d9bd2984d9648e0c Mon Sep 17 00:00:00 2001 From: Defunct Date: Fri, 9 Dec 2016 20:45:12 +0000 Subject: [PATCH 42/53] Sort by latest AMI - resolves #140 --- roles/cloud-ec2/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index e2b0a65c..ae4fbab7 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
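Review bot: `default('null')` substitutes the string `null`, not an empty list, so when `valid_users` is undefined the task iterates once with `item='null'`, passes the `not in users` check and runs the removal (with `remove: yes` and `force: yes`) against a user named `null`. Use an empty list as the fallback: `with_items: "{{ valid_users.stdout_lines | default([]) }}"`. Given the task deletes home directories, a `when` clause that skips the loop outright when `valid_users` was never registered is safer than relying on the fallback at all.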
@@ -4,7 +4,7 @@ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" owner: 099720109477 - sort: name + sort: creationDate sort_order: descending sort_end: 1 region: "{{ region }}" From 960de104de6e4ec42406ee7ad02daa9177e0cb74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Attila=20Gy=C3=B6rffy?= Date: Sat, 10 Dec 2016 15:53:34 +0200 Subject: [PATCH 43/53] Fix configs path in the README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e9e4bc9a..f04b853a 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do ## Configure the VPN Clients -Certificates and configuration files that users will need are placed in the `config` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. +Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. ### Windows Devices 
@@ -75,7 +75,7 @@ Depending on the platform, you may need one or multiple of the following files. ## Setup an SSH Tunnel -If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `config` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. Make sure to access the server using 'ssh -N' with these limited accounts. In order to make a tunnel you have to run this command: From 5d98d4207f76b6bda1ab0c47fa23a234dd08d641 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sat, 10 Dec 2016 21:09:34 +0300 Subject: [PATCH 44/53] Azure support #26 --- algo | 81 ++++++++++++++++++++++++++- azure.yml | 96 -------------------------------- deploy.yml | 3 +- requirements.txt | 2 +- roles/cloud-azure/tasks/main.yml | 70 +++++++++++++++++++++++ 5 files changed, 152 insertions(+), 100 deletions(-) delete mode 100644 azure.yml diff --git a/algo b/algo index 8f1db943..667642d7 100755 --- a/algo +++ b/algo 
@@ -69,6 +69,81 @@ deploy () { } +azure () { + read -p " +Enter your azure secret (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure) +You can skip this step if you want to use your defaults credentials from ~/.azure/credentials +[...]: " -rs azure_secret + + read -p " + +Enter your azure tenant (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure) +You can skip this step if you want to use your defaults credentials from ~/.azure/credentials +[...]: " -rs azure_tenant + + read -p " + +Enter your azure client_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure) +You can skip this step if you want to use your defaults credentials from ~/.azure/credentials +[...]: " -rs azure_client_id + + read -p " + +Enter your azure subscription_id (https://docs.ansible.com/ansible/guide_azure.html#authenticating-with-azure) +You can skip this step if you want to use your defaults credentials from ~/.azure/credentials +[...]: " -rs azure_subscription_id + + read -e -p " + +Enter the local path to your SSH public key: +: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key + + read -p " +Name the vpn server: +[algo]: " -r azure_server_name + azure_server_name=${azure_server_name:-algo} + + read -p " + What region should the server be located in? + 1. South Central US + 2. Central US + 3. North Europe + 4. West Europe + 5. Southeast Asia + 6. Japan West + 7. Japan East + 8. Australia Southeast + 9. Australia East + 10. Canada Central + 11. West US 2 + 12. West Central US + 13. UK South + 14. 
UK West +Enter the number of your desired region: +[1]: " -r azure_region + azure_region=${azure_region:-1} + + case "$azure_region" in + 1) region="southcentralus" ;; + 2) region="centralus" ;; + 3) region="northeurope" ;; + 4) region="westeurope" ;; + 5) region="southeastasia" ;; + 6) region="japanwest" ;; + 7) region="japaneast" ;; + 8) region="australiasoutheast" ;; + 9) region="australiaeast" ;; + 10) region="canadacentral" ;; + 11) region="westus2" ;; + 12) region="westcentralus" ;; + 13) region="uksouth" ;; + 14) region="ukwest" ;; + esac + + ROLES="azure vpn cloud" + EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region" +} + digitalocean () { read -p " Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): @@ -256,7 +331,8 @@ algo_provisioning () { 1. DigitalOcean 2. Amazon EC2 3. Google Compute Engine - 4. Install to existing Ubuntu server + 4. Microsoft Azure + 5. Install to existing Ubuntu server Enter the number of your desired provider : " @@ -267,7 +343,8 @@ Enter the number of your desired provider 1) digitalocean; ;; 2) ec2; ;; 3) gce; ;; - 4) non_cloud; ;; + 4) azure; ;; + 5) non_cloud; ;; *) exit 1 ;; esac diff --git a/azure.yml b/azure.yml deleted file mode 100644 index ec15d2cc..00000000 --- a/azure.yml +++ /dev/null 
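Review bot: The `case "$azure_region"` block has no `*)` arm, so an answer outside 1-14 leaves `region` empty and the playbook is launched with a bare `region=` in EXTRA_VARS, failing later with an unrelated Azure error; add `*) echo "Unknown region choice: $azure_region"; exit 1 ;;` before `esac`. The four Azure credentials collected with `read -rs` are then placed on the ansible-playbook command line via EXTRA_VARS, where they are visible in the process list to any other local user for the duration of the run; this matches the existing DigitalOcean pattern, but the `~/.azure/credentials` fallback the prompts already mention is the safer path and deserves to be the recommended one. The `read -e ... -i` form and the unexpanded `~` default for the SSH key path are reworked in a later patch of this series, so they are not repeated here.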
@@ -1,96 +0,0 @@ -- name: Configure the server and install required software - hosts: localhost - gather_facts: false - - vars: - regions: - "1": "East US" - "2": "West US" - "3": "South Central US" - "4": "North Europe" - "5": "East Asia" - "6": "Japan East" - "7": "West Europe" - "8": "Southeast Asia" - "9": "Japan West" - "10": "North Central US" - "11": "Central US" - "12": "Brazil South" - "13": "East US 2" - "14": "Australia Southeast" - "15": "Australia East" - - #vars_prompt: - #- name: "azure_subscription_id" - #prompt: "Enter your subscription ID (https://blogs.msdn.microsoft.com/mschray/2015/05/13/getting-your-azure-guid-subscription-id/):\n" - #private: yes - - #- name: "management_cert_path" - #prompt: "Enter the local path to your management cert [ex: ~/.ssh/id_rsa.pub] (https://azure.microsoft.com/en-us/documentation/articles/azure-api-management-certs/):\n" - #private: no - - #- name: "ssh_public_key" - #prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n" - #private: no - - #- name: "region" - #prompt: > - #What region should the server be located in? - #1. East US - #2. West US - #3. South Central US - #4. North Europe - #5. East Asia - #6. Japan East - #7. West Europe - #8. Southeast Asia - #9. Japan West - #10. North Central US - #11. Central US - #12. Brazil South - #13. East US 2 - #14. Australia Southeast - #15. Australia East - #Enter the number of your desired region: - #default: "7" - #private: no - - #- name: "azure_server_name" - #prompt: "Name the vpn server:\n" - #default: "algo.local" - #private: no - - #- name: "dns_enabled" - #prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" - #default: "Y" - #private: no - - #- name: "auditd_enabled" - #prompt: "Do you want to use auditd ? 
(Y or N):\n" - #default: "Y" - #private: no - - roles: - - cloud-azure - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - security - - proxy - - vpn - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - diff --git a/deploy.yml b/deploy.yml index 7fecd165..b6c8380a 100644 --- a/deploy.yml +++ b/deploy.yml @@ -8,6 +8,7 @@ - { role: cloud-digitalocean, tags: ['digitalocean'] } - { role: cloud-ec2, tags: ['ec2'] } - { role: cloud-gce, tags: ['gce'] } + - { role: cloud-azure, tags: ['azure'] } - { role: local, tags: ['local'] } - name: Post-provisioning tasks @@ -21,7 +22,7 @@ pre_tasks: - name: Common pre-tasks include: playbooks/common.yml - tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] + tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'pre' ] - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml diff --git a/requirements.txt b/requirements.txt index 36b226c9..3039915a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ ansible>=2.1 dopy==0.3.5 boto -azure>=0.7.1 +azure==2.0.0rc5 apache-libcloud six diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 8b137891..d894b2e5 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml 
@@ -1 +1,71 @@
+---
+- set_fact:
+ resource_group: "Algo_{{ region }}"
+
+- name: Create a resource group
+ azure_rm_resourcegroup:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ name: "{{ resource_group }}"
+ location: "{{ region }}"
+ tags:
+ service: algo
+
+- name: Create a virtual network
+ azure_rm_virtualnetwork:
+ resource_group: "{{ resource_group }}"
+ name: algo_net
+ address_prefixes: "10.10.0.0/16"
+ tags:
+ service: algo
+
+- name: Create a subnet
+ azure_rm_subnet:
+ resource_group: "{{ resource_group }}"
+ name: algo_subnet
+ address_prefix: "10.10.0.0/24"
+ virtual_network: algo_net
+ tags:
+ service: algo
+
+- name: Create an instance
+ azure_rm_virtualmachine:
+ secret: "{{ azure_secret | default(lookup('env','AZURE_CLIENT_ID')) }}"
+ tenant: "{{ azure_tenant | default(lookup('env','AZURE_SECRET')) }}"
+ client_id: "{{ azure_client_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
+ subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_TENANT')) }}"
+ resource_group: "{{ resource_group }}"
+ admin_username: ubuntu
+ virtual_network: algo_net
+ name: "{{ azure_server_name }}"
+ ssh_password_enabled: false
+ vm_size: Standard_D1
+ tags:
+ service: algo
+ ssh_public_keys:
+ - { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', '{{ ssh_public_key }}') }}" }
+ image:
+ offer: UbuntuServer
+ publisher: Canonical
+ sku: '16.04-LTS'
+ version: latest
+ register: azure_rm_virtualmachine
+
+- set_fact:
+ ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
+
+- name: Add the instance to an inventory
group + add_host: + name: "{{ ip_address }}" + groups: vpn-host + ansible_ssh_user: ubuntu + ansible_python_interpreter: "/usr/bin/python2.7" + easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" + cloud_provider: azure + ipv6_support: no + +- name: Wait for SSH to become available + local_action: "wait_for port=22 host={{ ip_address }} timeout=320" From 95e7ecc2b2f13ed2e80672dceaae66cd9fa2e3d5 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Mon, 12 Dec 2016 02:41:45 -0500 Subject: [PATCH 45/53] Update README.md --- README.md | 47 +++++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index f04b853a..b5965673 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw ## Features -* Supports only IKEv2 w/ a single cipher suite: AES GCM, SHA2 HMAC, and P-256 DH +* Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH * Generates Apple Profiles to auto-configure iOS and macOS devices * Provides helper scripts to add and remove users * Blocks ads with a local DNS resolver and HTTP proxy (optional) -* Sets up limited SSH tunnels for each user (optional) -* Based on current versions of Ubuntu and StrongSwan -* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server +* Sets up limited SSH users for tunneling traffic (optional) +* Based on current versions of Ubuntu and strongSwan +* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, Microsoft Azure or your own server ## Anti-features 
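Review bot: The environment-variable fallbacks in `Create a resource group` and `Create an instance` are cross-wired: `secret` falls back to `AZURE_CLIENT_ID`, `tenant` to `AZURE_SECRET`, `client_id` to `AZURE_SUBSCRIPTION_ID` and `subscription_id` to `AZURE_TENANT`, so a user who skips the prompts and relies on the environment authenticates with the wrong values and gets an opaque failure. Each default should read the variable of the same name, as in the lines below, applied in both tasks. Separately, `key_data: "{{ lookup('file', '{{ ssh_public_key }}') }}"` nests moustaches inside an expression; `lookup('file', ssh_public_key)` is the intended form. `ipv6_support: no` in `add_host` is an unquoted YAML boolean (false), not the string `"no"`, so any template that compares it against a string needs `| bool` or a quoted value.

```yaml
    secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET')) }}"
    tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT')) }}"
    client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID')) }}"
    subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID')) }}"
    # … unchanged: remaining module arguments of each task …
```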
@@ -25,11 +25,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw ## Deploy the Algo Server -The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you. +The easiest way to get an Algo server running is to let it setup a _new_ virtual machine in the cloud for you. + +1. Install the dependencies for your operating system: + + OS X: `sudo easy_install pip && sudo pip install -r requirements.txt` + Linux (deb-based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt` -1. Install the dependencies -1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt` -1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo` @@ -41,14 +43,6 @@ Note: for local or scripted deployment instructions see the [Advanced Usage](/do Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server. -### Windows Devices - -You have to import the corresponding client certificate to The Personal store and the corresponding CA certificate to The Local Machine Trusted Root store.
-Add an IKEv2 connection in the network settings and then, activate additional ciphers via powershell:
-`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 -8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` (change Algo on the vpn connection name)
-Also, you can find the powershell script and the p12 certificate in the configs directory and run it as Administrator on your machine. - ### Apple Devices Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN. @@ -57,6 +51,15 @@ Find the corresponding mobileconfig (Apple Profile) for each user and send it to You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use. +### Windows + +Import your user certificate to your Personal certificate store and your CA certificate to the Local Machine Trusted Root certificate store. Then, add an IKEv2 connection in the network settings and activate additional ciphers for it via Powershell (change the ConnectionName to the name of your IKEv2 connection): + +`Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 +8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none` + +Note that an all-in-one Powershell script that imports your personal certificate, sets up the VPN connection, and activates the stronger ciphers for it is included in the `configs` folder. + ### StrongSwan Clients (e.g., OpenWRT) Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device. 
@@ -72,15 +75,15 @@ Depending on the platform, you may need one or multiple of the following files. * user.key: User Private Key * user.mobileconfig: Apple Profile * user.p12: User Certificate and Private Key (in PKCS#12 format) +* user_windows.ps1: Powershell script to setup a VPN connection on Windows ## Setup an SSH Tunnel -If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key file will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited. This is done to ensure that users have the least access required to tunnel through the server. +If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited (`ssh -N` is required). This is done to ensure that users have the least access required to tunnel through the server. -Make sure to access the server using 'ssh -N' with these limited accounts. -In order to make a tunnel you have to run this command: -`ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem` -Don't forget to change `ip` and `user`. And then you can configure your browsers to use 127.0.0.1:1080 as sock4/5 +Use the command below to start an SSH tunnel, replacing `ip` and `user` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through Algo. + + `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem` ## Adding or Removing Users 
@@ -89,7 +92,7 @@ Algo's own scripts can easily add and remove users from the VPN server. 1. Update the `users` list in your `config.cfg` 2. Run the command: `./algo update-users` -The Algo VPN server now only contains the users listed in the `config.cfg` file. +The Algo VPN server now contains only the users listed in the `config.cfg` file. ## FAQ From eee20f4ede63565f287cae316f46eda3184a0e12 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 17:40:31 +0300 Subject: [PATCH 46/53] additional columns --- .github/ISSUE_TEMPLATE.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 0689e365..d3775717 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -10,6 +10,7 @@ + ### Summary of the problem @@ -18,6 +19,10 @@ +### The way of deployment (cloud or local) + + + ### Expected behavior @@ -25,3 +30,7 @@ ### Actual behavior + +### Full log + + From 028c1e7736f1568672912309c9f54d695569b175 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:04:51 +0300 Subject: [PATCH 47/53] Fixed #147 --- algo | 2 +- deploy.yml | 2 +- playbooks/common.yml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/algo b/algo index deb070cd..e24d71e5 100755 --- a/algo +++ b/algo @@ -324,7 +324,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif ROLES="local vpn" EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" - SKIP_TAGS+=" cloud" + SKIP_TAGS+=" cloud update-alternatives" } algo_provisioning () { diff --git a/deploy.yml b/deploy.yml index b6c8380a..dca53ef2 100644 --- a/deploy.yml +++ b/deploy.yml @@ -22,7 +22,7 @@ pre_tasks: - name: Common pre-tasks include: playbooks/common.yml - tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'pre' ] + tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ] - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml 
diff --git a/playbooks/common.yml b/playbooks/common.yml index d84a6eb0..eb7a695b 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -3,3 +3,5 @@ - name: Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 + tags: + - update-alternatives From aba7f2e1d1514b4ce5588a7b8ff5c890dd17d6e7 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:13:58 +0300 Subject: [PATCH 48/53] dirty fix #148 --- playbooks/common.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/common.yml b/playbooks/common.yml index eb7a695b..36a051c6 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -1,5 +1,5 @@ - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 + raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 From 0f1b79e6663b7ea436e7f4c35be9eae21794ed6d Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 12 Dec 2016 18:52:34 +0300 Subject: [PATCH 49/53] DNS fix --- config.cfg | 10 ++++++---- roles/vpn/templates/ipsec.conf.j2 | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/config.cfg b/config.cfg index 34a1908e..296de4de 100644 --- a/config.cfg +++ b/config.cfg @@ -29,10 +29,12 @@ server_name: "{{ ansible_ssh_host }}" IP_subject_alt_name: "{{ ansible_ssh_host }}" dns_servers: - - 8.8.8.8 - - 8.8.4.4 - - 2001:4860:4860::8888 - - 2001:4860:4860::8844 + ipv4: + - 8.8.8.8 + - 8.8.4.4 + ipv6: + - 2001:4860:4860::8888 + - 2001:4860:4860::8844 strongswan_enabled_plugins: - aes diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index 58089c10..6b60e36e 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 
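Review bot: `sleep 10 &&` in the `Install prerequisites` raw command is a fixed delay standing in for whatever is not yet ready on a freshly booted host (presumably a still-running apt or cloud-init process); it is too short on a slow instance and wasted time on a fast one, and the commit message itself calls it a dirty fix. A retry loop on the existing command states the intent and fails loudly when the host never becomes ready, as in the task below. The tag-only hunk on the same file earlier on this line needs no change.

```yaml
- name: Install prerequisites
  raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
  register: prereq_install
  until: prereq_install.rc == 0
  retries: 6
  delay: 10
# … unchanged: Configure defaults task …
```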
@@ -28,7 +28,7 @@ conn %default {% if local_dns is defined and local_dns == "Y" %} rightdns={{ local_service_ip }} {% else %} - rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %} + rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} {% endif %} conn ikev2-pubkey From d0d180b47d260c14963ac4bd69ec60bbf8c5be39 Mon Sep 17 00:00:00 2001 From: kennwhite Date: Mon, 12 Dec 2016 15:14:58 -0500 Subject: [PATCH 50/53] Change default instance to free tier (t2.micro) I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account. --- roles/cloud-ec2/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index ae4fbab7..0be4f379 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -55,7 +55,7 @@ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" keypair: "VPNKEY" group: vpn-secgroup - instance_type: t2.nano + instance_type: t2.micro image: "{{ ami_image }}" wait: true region: "{{ region }}" From f2d27aaaa4b078d4a723cbb883203eac30ce578a Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 13 Dec 2016 08:44:19 +0300 Subject: [PATCH 51/53] SSH fix for old bash versions #160 --- algo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/algo b/algo index e24d71e5..bd4aaf30 100755 
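Review bot: `ipv6_support == "yes"` on the new `rightdns` line compares against a string, while the cloud-azure role in this series sets `ipv6_support: no` as an unquoted YAML boolean; that value happens to fail the comparison correctly, but a provider that sets `ipv6_support: yes` the same way yields boolean true, which is also not equal to `"yes"`, and the IPv6 resolvers would be silently dropped. `{% if ipv6_support is defined and ipv6_support | bool %}` accepts both spellings. The `local_dns == "Y"` test on the context line above shares the same fragility.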
--- a/algo +++ b/algo @@ -93,10 +93,10 @@ Enter your azure subscription_id (https://docs.ansible.com/ansible/guide_azure.h You can skip this step if you want to use your defaults credentials from ~/.azure/credentials [...]: " -rs azure_subscription_id - read -e -p " + read -p " -Enter the local path to your SSH public key: -: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key +Enter the local path to your SSH public key (~/.ssh/id_rsa.pub): " -r ssh_public_key + ssh_public_key=${ssh_public_key:-$HOME/.ssh/id_rsa.pub} read -p " Name the vpn server: From 2d2223d0e40c55e262fae84947783437992303ee Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 13 Dec 2016 09:08:12 +0300 Subject: [PATCH 52/53] a fix for ipv6 provisioning on DO #158 --- playbooks/digitalocean.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml index 703e5d05..78b652b2 100644 --- a/playbooks/digitalocean.yml +++ b/playbooks/digitalocean.yml @@ -1,5 +1,6 @@ - name: Enable IPv6 on the droplet - uri: + local_action: + module: uri url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" method: POST body: @@ -8,15 +9,18 @@ status_code: 201 HEADER_Authorization: "Bearer {{ do_access_token }}" HEADER_Content-Type: "application/json" + become: no - name: Get Droplet networks - uri: + local_action: + module: uri url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" method: GET status_code: 200 HEADER_Authorization: "Bearer {{ do_access_token }}" HEADER_Content-Type: "application/json" register: droplet_info + become: no - name: IPv6 configured template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 From 6f00c6bf7e1dd29cb27fe0e980f1fb19e394e625 Mon Sep 17 00:00:00 2001 
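Review bot: `read -p` performs no tilde expansion, so a user who types `~/.ssh/id_rsa.pub` at the new prompt (the example the prompt itself shows) gets a literal `~` in `ssh_public_key`, and the file lookup in the Azure role cannot open it; only the empty-input default is expanded, because it is written with `$HOME`. Adding `ssh_public_key="${ssh_public_key/#\~/$HOME}"` after the default assignment covers the typed case. The enclosing azure() function starts and ends outside this hunk.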
From: Kevin Chen Date: Tue, 13 Dec 2016 01:26:02 -0500 Subject: [PATCH 53/53] README: Add apt dependencies for pypi cryptography. The cryptography library requires gcc and some development headers that aren't installed by default on Ubuntu. Source: https://cryptography.io/en/latest/installation/#building-cryptography-on-linux --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b5965673..8164cf80 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ The easiest way to get an Algo server running is to let it setup a _new_ virtual 1. Install the dependencies for your operating system: OS X: `sudo easy_install pip && sudo pip install -r requirements.txt` - Linux (deb-based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt` + Linux (deb-based): `sudo easy_install pip && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt` 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 3. Start the deploy and follow the instructions: `./algo`