wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-05 22:54:01 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into ec2updates

Browse source
This commit is contained in:
Defunct 2016-11-26 18:08:14 +00:00
commit d54ba6c7ce
7 changed files with 98 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -27,7 +27,9 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you.
1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt`
1. Install the dependencies
1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt`
2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
3. Start the deploy and follow the instructions: `./algo`

32
algo
View file

@ -2,6 +2,8 @@
set -e
SKIP_TAGS="_null"
additional_roles () {
read -p "
Do you want to apply security enhancements?
@ -33,11 +35,31 @@ Do you want each user to have their own account for SSH tunneling?
ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
read -p "
Do you want to enable VPN always when connected to Wi-Fi?
[y/N]: " -r OnDemandEnabled_WIFI
OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n}
if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi
if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then
read -p "
Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi)
: " -r OnDemandEnabled_WIFI_ECXLUDE
OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null}
EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE"
fi
read -p "
Do you want to enable VPN always when connected to the cellular network?
[y/N]: " -r OnDemandEnabled_Cellular
OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
}
deploy () {
ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}"
ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}"
}
@ -88,7 +110,7 @@ Enter the number of your desired region:
12) do_region="blr1" ;;
esac
ROLES="digitalocean vpn"
ROLES="digitalocean vpn cloud"
EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"
}
@ -146,7 +168,7 @@ Enter the number of your desired region:
12) region="sa-east-1" ;;
esac
ROLES="ec2 vpn"
ROLES="ec2 vpn cloud"
EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
}
@ -199,7 +221,7 @@ Please choose the number of your zone. Press enter for default (#8) zone.
13) zone="asia-east1-c" ;;
esac
ROLES="gce vpn"
ROLES="gce vpn cloud"
EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"
}
@ -219,7 +241,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif
ROLES="local vpn"
EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
SKIP_TAGS+=" cloud"
}
algo_provisioning () {

3
config.cfg
View file

@ -5,7 +5,8 @@ users:
- dan
- jack
# Add an email address to send logs if you're using auditd for monitoring,
# Add an email address to send logs if you're using auditd for monitoring.
# Avoid using '+' in your email address otherwise auditd will fail to start.
auditd_action_mail_acct: email@example.com
# Exported certificates will be protected by the password below:

8
roles/common/tasks/main.yml
View file

@ -12,6 +12,8 @@
args:
executable: /bin/bash
register: reboot_required
tags:
- cloud
- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
@ -19,16 +21,22 @@
poll: 0
when: reboot_required is defined and reboot_required.stdout == 'required'
ignore_errors: true
tags:
- cloud
- name: Wait for shutdown
local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
tags:
- cloud
- name: Wait until SSH becomes ready...
local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
tags:
- cloud
- name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"

2
roles/vpn/handlers/main.yml
View file

@ -20,7 +20,7 @@
- "# Congratulations! #"
- "# Your Algo server is running. #"
- "# Config files and certificates are in the ./configs/ directory. #"
- "# Go to https://www.dnsleaktest.com/ after connecting #"
- "# Go to https://whoer.net/ after connecting #"
- "# and ensure that all your traffic passes through the VPN. #"
- "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
- "#----------------------------------------------------------------------#"

4
roles/vpn/tasks/main.yml
View file

@ -170,6 +170,9 @@
- name: Set facts for mobileconfigs
set_fact:
proxy_enabled: false
pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
@ -224,4 +227,3 @@
- include: iptables.yml
tags: iptables

64
roles/vpn/templates/mobileconfig.j2
View file

@ -6,7 +6,51 @@
<array>
<dict>
<key>IKEv2</key>
{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %}
<dict>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %}
{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %}
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
{% for network_name in WIFI_ECXLUDE_LIST %}
<string>{{ network_name }}</string>
{% endfor %}
</array>
</dict>
{% else %}
{% endif %}
<dict>
<key>Action</key>
{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %}
<string>Connect</string>
{% else %}
<string>Disconnect</string>
{% endif %}
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
</dict>
<dict>
<key>Action</key>
{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %}
<string>Connect</string>
{% else %}
<string>Disconnect</string>
{% endif %}
<key>InterfaceTypeMatch</key>
<string>Cellular</string>
</dict>
</array>
{% else %}
{% endif %}
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ChildSecurityAssociationParameters</key>
@ -44,7 +88,7 @@
<key>LocalIdentifier</key>
<string>{{ item.0 }}</string>
<key>PayloadCertificateUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<string>{{ pkcs12_PayloadCertificateUUID }}</string>
<key>CertificateType</key>
<string>ECDSA256</string>
<key>ServerCertificateIssuerCommonName</key>
@ -66,11 +110,11 @@
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<string>com.apple.vpn.managed.{{ VPN_PayloadIdentifier }}</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<string>{{ VPN_PayloadIdentifier }}</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
@ -111,11 +155,11 @@
<key>PayloadDisplayName</key>
<string>{{ item.0 }}.p12</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<string>com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }}</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<string>{{ pkcs12_PayloadCertificateUUID }}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
@ -131,11 +175,11 @@
<key>PayloadDisplayName</key>
<string>{{ IP_subject_alt_name }}</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
<string>com.apple.security.root.{{ CA_PayloadIdentifier }}</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>32EA3AAA-D19E-43EF-B357-608218745A38</string>
<string>{{ CA_PayloadIdentifier }}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
@ -148,16 +192,16 @@
{% endif %}
<key>PayloadIdentifier</key>
{% if proxy_enabled is defined and proxy_enabled == true %}
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA</string>
<string>donut.local.{{ 600000 | random | to_uuid | upper }}</string>
{% else %}
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
<string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
{% endif %}
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>743B04A8-5725-45A2-B1BB-836F8C16DB0A</string>
<string>{{ 400000 | random | to_uuid | upper }}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>