diff --git a/README.md b/README.md
index 7572d6df..0427e8c9 100644
--- a/README.md
+++ b/README.md
@@ -58,11 +58,11 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
 - Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/server-redhat-centos6.md)
 - Windows: See the [Windows documentation](docs/client-windows.md)
-4. Install Algo's remaining dependencies for your operating system. Using the same terminal window as the previous step run the command below.
+4. Install Algo's remaining dependencies for your operating system. Use the same terminal window as the previous step and run:
 ```bash
- $ python -m virtualenv env && source env/bin/activate && python -m pip install -r requirements.txt
+ $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
 ```
- On macOS, you may be prompted to install `cc` which you should accept.
+ On macOS, you may be prompted to install `cc`. You should press accept if so.
 5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
@@ -128,18 +128,34 @@ If you want to perform these steps by hand, you will need to import the user cer
 Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
 ```
+### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)
+
+Network Manager does not support AES-GCM. In order to support Linux Desktop clients, please choose the "compatible" cryptography and use at least Network Manager 1.4.1. See [Issue #263](https://github.com/trailofbits/algo/issues/263) for more information.
+
 ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)
 Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
 #### Ubuntu Server 16.04 example
-1. `/etc/ipsec.d/certs`: copy `user.crt` here
-2. `/etc/ipsec.d/private`: copy `user.key` here
-3. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`
-4. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert`
-5. `sudo ipsec up `: start the ipsec tunnel
-6. `sudo ipsec down `: shutdown the ipsec tunnel
+1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan
+2. `/etc/ipsec.d/certs`: copy `user.crt` from `algo-master/configs//pki/certs`
+3. `/etc/ipsec.d/private`: copy `user.key` from `algo-master/configs//pki/private`
+4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs//cacert.pem`
+5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`
+6. 
`/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update `leftcert` to match the `user.crt` filename
+7. `sudo ipsec restart`: pick up config changes
+8. `sudo ipsec up `: start the ipsec tunnel
+9. `sudo ipsec down `: shutdown the ipsec tunnel
+
+One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`. Replace `192.168.1.1/24` with the subnet your LAN uses:
+ conn lan-passthrough
+ leftsubnet=192.168.1.1/24
+ rightsubnet=192.168.1.1/24
+ authby=never # No authentication necessary
+ type=pass # passthrough
+ auto=route # no need to ipsec up lan-passthrough
 ### Other Devices
@@ -198,6 +214,10 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file.
 -- [Romain Dillet](https://twitter.com/romaindillet/status/851037243728965632) for [TechCrunch](https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/)
+> If you’re uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.
+
+-- [Thorin Klosowski](https://twitter.com/kingthor) for [Lifehacker](http://lifehacker.com/how-to-set-up-your-own-completely-free-vpn-in-the-cloud-1794302432)
+
 ## Support Algo VPN
 All donations support continued development. Thanks!
diff --git a/algo b/algo
index a9d4914c..20b03a90 100755
--- a/algo
+++ b/algo
@@ -55,7 +55,7 @@ security_enabled=${security_enabled:-n}
 if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
 read -p "
-Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure)
+Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 [y/N]: " -r Win10_Enabled
 Win10_Enabled=${Win10_Enabled:-n}
 if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
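Review bot: The reworded prompt drops the one concrete fact the old wording gave: `(requires RSA certificates and key exchange, less secure)` told the user what the weaker profile consists of, whereas `(enables compatible ciphers and key exchange, less secure)` does not say which ciphers are enabled, and this answer is the only point where the user opts into a weaker crypto profile. Naming the trade-off, or pointing at the README section this same commit adds, keeps the decision informed, e.g. `Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables the "compatible" cipher set, less secure; see README)`. The answer is still stored in `Win10_Enabled` although it now also covers Linux Desktop clients; renaming is beyond this hunk, but a short comment above `read -p` noting that the variable name is historical would help the next reader.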
@@ -137,6 +137,8 @@ Name the vpn server:
 24. North Central US
 25. South India
 26. West India
+ 27. East US
+ 28. East US 2
 Enter the number of your desired region:
 [1]: " -r azure_region
@@ -169,6 +171,8 @@ Enter the number of your desired region:
 24) region="northcentralus" ;;
 25) region="southindia" ;;
 26) region="westindia" ;;
+ 27) region="eastus" ;;
+ 28) region="eastus2" ;;
 esac
 ROLES="azure vpn cloud"
diff --git a/config.cfg b/config.cfg
index 747bae5f..b869dd2f 100644
--- a/config.cfg
+++ b/config.cfg
@@ -58,9 +58,13 @@ SSH_keys:
 private: configs/algo.pem
 public: configs/algo.pem.pub
-dynamic_inventory_groups:
- - azure
- - digitalocean
- - ec2
- - gce
- - local
+cloud_providers:
+ azure:
+ size: Basic_A0
+ digitalocean:
+ size: 512mb
+ ec2:
+ size: t2.micro
+ gce:
+ size: f1-micro
+ local:
diff --git a/playbooks/local.yml b/playbooks/local.yml
index e852bc20..a7cc2d7e 100644
--- a/playbooks/local.yml
+++ b/playbooks/local.yml
@@ -19,6 +19,6 @@
 create: yes
 block: |
 [algo:children]
- {% for group in dynamic_inventory_groups %}
+ {% for group in cloud_providers.keys() %}
 {{ group }}
 {% endfor %}
diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml
index 17c6ce36..d3b831a8 100644
--- a/roles/cloud-azure/tasks/main.yml
+++ b/roles/cloud-azure/tasks/main.yml
@@ -80,7 +80,7 @@
 virtual_network: algo_net
 name: "{{ azure_server_name }}"
 ssh_password_enabled: false
- vm_size: Basic_A0
+ vm_size: "{{ cloud_providers.azure.size }}"
 tags:
 Environment: Algo
 ssh_public_keys:
@@ -91,7 +91,7 @@
 sku: '16.04-LTS'
 version: latest
 register: azure_rm_virtualmachine
-
+ # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
 - set_fact:
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index a472fb56..28dd7f15 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
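Review bot: `local:` is the only `cloud_providers` entry with no value, so it loads as null while its four siblings load as mappings carrying a `size` key; the `cloud_providers.keys()` loop in `playbooks/local.yml` tolerates that, but anything that later reads `cloud_providers[provider].size` for every key will fail on `local`. Writing `local: {}` keeps the entry's type consistent with the others. Since the instance sizes now live in user-edited `config.cfg`, a one-line comment above `cloud_providers:` saying that each `size` is passed verbatim to that provider's create call would also help.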
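Review bot: `vm_size: "{{ cloud_providers.azure.size }}"` interpolates a user-edited value with no validation, so a typo in `config.cfg` only surfaces when the Azure API rejects the create call, presumably after the resource-group and network tasks that `virtual_network: algo_net` refers to have already run; the same applies to `size_id` in cloud-digitalocean, `instance_type` in cloud-ec2 and `machine_type` in cloud-gce. The `# To-do` added in the second cloud-azure hunk acknowledges the missing fallback for Azure only, and it sits after the task it describes rather than before it. A one-line guard ahead of each create task, `- assert: { that: "cloud_providers.azure.size is defined and cloud_providers.azure.size | length > 0" }`, at least fails early with a clear message; a real fallback would need each provider's size list and is out of scope for this change.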
@@ -45,7 +45,7 @@
 command: droplet
 name: "{{ do_server_name }}"
 region_id: "{{ do_region }}"
- size_id: "512mb"
+ size_id: "{{ cloud_providers.digitalocean.size }}"
 image_id: "ubuntu-16-04-x64"
 ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
 unique_name: yes
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index be0b0d4e..46a29425 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -90,7 +90,7 @@
 keypair: "VPNKEY"
 vpc_subnet_id: "{{ vpc.subnets[0].id }}"
 group: vpn-secgroup
- instance_type: t2.micro
+ instance_type: "{{ cloud_providers.ec2.size }}"
 image: "{{ ami_image }}"
 wait: true
 region: "{{ region }}"
diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml
index 5c6a1f66..fce69ce3 100644
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@@ -13,7 +13,7 @@
 gce:
 instance_names: "{{ server_name }}"
 zone: "{{ zone }}"
- machine_type: f1-micro
+ machine_type: "{{ cloud_providers.gce.size }}"
 image: ubuntu-1604
 service_account_email: "{{ service_account_email }}"
 credentials_file: "{{ credentials_file_path }}"
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 1cf23684..578fb793 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -53,9 +53,6 @@
 ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
 register: ssh_fingerprints
-- name: The known_hosts file created
- template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
-
 - name: Fetch users SSH private keys
 fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
 with_items: "{{ users }}"
@@ -66,7 +63,11 @@
 become: false
 - name: Fetch the known_hosts file
- fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes
+ local_action:
+ module: template
+ src: known_hosts.j2
+ dest: configs/{{ IP_subject_alt_name }}/known_hosts
+ become: no
 - name: Build the client ssh config
 local_action:
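Review bot: The rendered file moves from `configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts` to `configs/{{ IP_subject_alt_name }}/known_hosts`, so every consumer must follow the rename; the most likely consumer is the `Build the client ssh config` task that begins on the hunk's last line and continues outside it, and if its `UserKnownHostsFile` (or equivalent) still names the old path, clients lose host-key pinning without any error being raised. `known_hosts.j2` is presumably rendered from `ssh_fingerprints`, which the previous hunk registers from `ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null`; a scan that returns nothing therefore yields an empty `known_hosts` while the play still succeeds. A guard between the scan and this task, `- assert: { that: "ssh_fingerprints.stdout | length > 0" }`, turns that into a visible failure instead.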