wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 07:33:52 +02:00
Code Issues Projects Releases Wiki Activity

Improve Ubuntu Instructions (#419)

Browse source 
* Added note regarding DH group

* more complete

* clarified file sources

* remove trailing slash for consistency

* Added information on LAN Passthrough - a common home usecase
This commit is contained in:
Logan Collins 2017-04-16 08:56:17 -05:00 committed by Dan Guido
parent 42a663983e
commit de948186eb
1 changed files with 20 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
README.md
View file

@ -130,16 +130,28 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransf
### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
#### Ubuntu Server 16.04 example #### Ubuntu Server 16.04 example
1. `/etc/ipsec.d/certs`: copy `user.crt` here 1. Install Strongswan: `sudo apt-get install strongswan strongswan-plugin-openssl` Plugin required per [StrongSwan Documentation](https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites), as the ECP_256 DH group is supported by the openssl plugin.
2. `/etc/ipsec.d/private`: copy `user.key` here 2. `/etc/ipsec.d/certs`: copy `user.crt` here from `algo-master/configs/<name>/pki/certs`.
3. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key` 3. `/etc/ipsec.d/private`: copy `user.key` here from `algo-master/configs/<name>/pki/private`.
4. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` 4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` here from `algo-master/configs/<name>/cacert.pem`.
5. `sudo ipsec up <conn-name>`: start the ipsec tunnel 5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`, like in `ipsec_user.secrets` but matching the `user.key` filename.
6. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel 6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` to match the `user.crt` filename.
7. `sudo ipsec restart`: pick up config changes
8. `sudo ipsec up <conn-name>`: start the ipsec tunnel
9. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel
## LAN Passthrough
To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf`, replacing `192.168.1.1/24` with whatever subnet your LAN uses:
conn lan-passthrough
leftsubnet=192.168.1.1/24
rightsubnet=192.168.1.1/24
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough - it will just work
### Other Devices ### Other Devices
@ -191,7 +203,6 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file.
-- [The Register](https://twitter.com/TheRegister/status/825076303657177088) -- [The Register](https://twitter.com/TheRegister/status/825076303657177088)
> Algo is really easy and secure. > Algo is really easy and secure.
-- [the grugq](https://twitter.com/thegrugq/status/786249040228786176) -- [the grugq](https://twitter.com/thegrugq/status/786249040228786176)
> I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you dont know much about development. Ive got to say that I was quite impressed with Trail of Bits approach. > I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you dont know much about development. Ive got to say that I was quite impressed with Trail of Bits approach.