Merge remote-tracking branch 'upstream/master'

README.md

@@ -58,11 +58,11 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
      - Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/server-redhat-centos6.md)
      - Windows: See the [Windows documentation](docs/client-windows.md)
 
-4. Install Algo's remaining dependencies for your operating system. Using the same terminal window as the previous step run the command below.
+4. Install Algo's remaining dependencies for your operating system. Use the same terminal window as the previous step and run:
     ```bash
-    $ python -m virtualenv env && source env/bin/activate && python -m pip install -r requirements.txt
+    $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
     ```
-    On macOS, you may be prompted to install `cc` which you should accept.
+    On macOS, you may be prompted to install `cc`. You should press accept if so.
 
 5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
 
@@ -128,18 +128,34 @@ If you want to perform these steps by hand, you will need to import the user cer
 Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
 ```
 
+### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)
+
+Network Manager does not support AES-GCM. In order to support Linux Desktop clients, please choose the "compatible" cryptography and use at least Network Manager 1.4.1. See [Issue #263](https://github.com/trailofbits/algo/issues/263) for more information.
+
 ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)
 
 Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
 
 #### Ubuntu Server 16.04 example
 
-1. `/etc/ipsec.d/certs`: copy `user.crt` here
-2. `/etc/ipsec.d/private`: copy `user.key` here
-3. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`
-4. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert`
-5. `sudo ipsec up <conn-name>`: start the ipsec tunnel
-6. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel
+1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan
+2. `/etc/ipsec.d/certs`: copy `user.crt` from `algo-master/configs/<name>/pki/certs`
+3. `/etc/ipsec.d/private`: copy `user.key` from `algo-master/configs/<name>/pki/private`
+4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs/<name>/cacert.pem`
+5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`
+6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update `leftcert` to match the `user.crt` filename
+7. `sudo ipsec restart`: pick up config changes
+8. `sudo ipsec up <conn-name>`: start the ipsec tunnel
+9. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel
+
+One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`. Replace `192.168.1.1/24` with the subnet your LAN uses:
+
+    conn lan-passthrough
+    leftsubnet=192.168.1.1/24
+    rightsubnet=192.168.1.1/24
+    authby=never # No authentication necessary
+    type=pass # passthrough
+    auto=route # no need to ipsec up lan-passthrough
 
 ### Other Devices
 
@@ -198,6 +214,10 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file.
 
 -- [Romain Dillet](https://twitter.com/romaindillet/status/851037243728965632) for [TechCrunch](https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/)
 
+> If you’re uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.
+
+-- [Thorin Klosowski](https://twitter.com/kingthor) for [Lifehacker](http://lifehacker.com/how-to-set-up-your-own-completely-free-vpn-in-the-cloud-1794302432)
+
 ## Support Algo VPN
 
 All donations support continued development. Thanks!

algo

@@ -55,7 +55,7 @@ security_enabled=${security_enabled:-n}
 if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
 
 read -p "
-Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure)
+Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 [y/N]: " -r Win10_Enabled
 Win10_Enabled=${Win10_Enabled:-n}
 if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
@@ -137,6 +137,8 @@ Name the vpn server:
     24. North Central US
     25. South India
     26. West India
+    27. East US
+    28. East US 2
 
 Enter the number of your desired region:
 [1]: " -r azure_region
@@ -169,6 +171,8 @@ Enter the number of your desired region:
     24) region="northcentralus" ;;
     25) region="southindia" ;;
     26) region="westindia" ;;
+    27) region="eastus" ;;
+    28) region="eastus2" ;;
   esac
 
   ROLES="azure vpn cloud"

config.cfg

@@ -58,9 +58,13 @@ SSH_keys:
   private: configs/algo.pem
   public: configs/algo.pem.pub
 
-dynamic_inventory_groups:
-  - azure
-  - digitalocean
-  - ec2
-  - gce
-  - local
+cloud_providers:
+  azure:
+    size: Basic_A0
+  digitalocean:
+    size: 512mb
+  ec2:
+    size: t2.micro
+  gce:
+    size: f1-micro
+  local:

playbooks/local.yml

@@ -19,6 +19,6 @@
     create: yes
     block: |
       [algo:children]
-      {% for group in dynamic_inventory_groups %}
+      {% for group in cloud_providers.keys() %}
       {{ group }}
       {% endfor %}

roles/cloud-azure/tasks/main.yml

@@ -80,7 +80,7 @@
     virtual_network: algo_net
     name: "{{ azure_server_name }}"
     ssh_password_enabled: false
-    vm_size: Basic_A0
+    vm_size: "{{ cloud_providers.azure.size }}"
     tags:
       Environment: Algo
     ssh_public_keys:
@@ -91,7 +91,7 @@
       sku: '16.04-LTS'
       version: latest
   register: azure_rm_virtualmachine
-  
+
   # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
 
 - set_fact:

roles/cloud-digitalocean/tasks/main.yml

@@ -45,7 +45,7 @@
     command: droplet
     name: "{{ do_server_name }}"
     region_id: "{{ do_region }}"
-    size_id: "512mb"
+    size_id: "{{ cloud_providers.digitalocean.size }}"
     image_id: "ubuntu-16-04-x64"
     ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
     unique_name: yes

roles/cloud-ec2/tasks/main.yml

@@ -90,7 +90,7 @@
     keypair: "VPNKEY"
     vpc_subnet_id: "{{ vpc.subnets[0].id }}"
     group: vpn-secgroup
-    instance_type: t2.micro
+    instance_type: "{{ cloud_providers.ec2.size }}"
     image: "{{ ami_image }}"
     wait: true
     region: "{{ region }}"

roles/cloud-gce/tasks/main.yml

@@ -13,7 +13,7 @@
   gce:
     instance_names: "{{ server_name }}"
     zone: "{{ zone }}"
-    machine_type: f1-micro
+    machine_type: "{{ cloud_providers.gce.size }}"
     image: ubuntu-1604
     service_account_email: "{{ service_account_email }}"
     credentials_file: "{{ credentials_file_path }}"

roles/ssh_tunneling/tasks/main.yml

@@ -53,9 +53,6 @@
     ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
   register: ssh_fingerprints
 
-- name: The known_hosts file created
-  template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
-
 - name: Fetch users SSH private keys
   fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
   with_items: "{{ users }}"
@@ -66,7 +63,11 @@
   become: false
 
 - name: Fetch the known_hosts file
-  fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes
+  local_action:
+    module: template
+    src: known_hosts.j2
+    dest: configs/{{ IP_subject_alt_name }}/known_hosts
+  become: no
 
 - name: Build the client ssh config
   local_action: