From 42a663983e6c735d275a244408cfb635da356a12 Mon Sep 17 00:00:00 2001 From: donlockhart Date: Sun, 16 Apr 2017 08:39:55 -0400 Subject: [PATCH 01/13] Added East US and East US 2 regions to Azure. (#424) --- algo | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/algo b/algo index a9d4914c..f0bacbfa 100755 --- a/algo +++ b/algo @@ -137,6 +137,8 @@ Name the vpn server: 24. North Central US 25. South India 26. West India + 27. East US + 28. East US 2 Enter the number of your desired region: [1]: " -r azure_region @@ -169,6 +171,8 @@ Enter the number of your desired region: 24) region="northcentralus" ;; 25) region="southindia" ;; 26) region="westindia" ;; + 27) region="eastus" ;; + 28) region="eastus2" ;; esac ROLES="azure vpn cloud" From de948186eb12a96efe49a30ad47fb26e6f544389 Mon Sep 17 00:00:00 2001 From: Logan Collins Date: Sun, 16 Apr 2017 08:56:17 -0500 Subject: [PATCH 02/13] Improve Ubuntu Instructions (#419) * Added note regarding DH group * more complete * clarified file sources * remove trailing slash for consistency * Added information on LAN Passthrough - a common home usecase --- README.md | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 7572d6df..9002b1b8 100644 --- a/README.md +++ b/README.md 
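Review bot: In the second `algo` hunk of patch 01 the new `27) region="eastus" ;;` and `28) region="eastus2" ;;` cases sit directly before `esac` with no `*)` default visible, so an out-of-range or non-numeric answer to the region prompt leaves `region` empty and the Azure role runs with an unset region. Add a default branch that aborts or re-prompts, e.g. `*) echo "Invalid region"; exit 1 ;;`. Maintaining the numbered menu in the first hunk and this case table by hand is also fragile; generating both from one indexed array would stop them drifting apart.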
@@ -130,16 +130,28 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransf ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) -Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. - #### Ubuntu Server 16.04 example -1. `/etc/ipsec.d/certs`: copy `user.crt` here -2. `/etc/ipsec.d/private`: copy `user.key` here -3. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key` -4. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` -5. `sudo ipsec up `: start the ipsec tunnel -6. `sudo ipsec down `: shutdown the ipsec tunnel +1. Install Strongswan: `sudo apt-get install strongswan strongswan-plugin-openssl` Plugin required per [StrongSwan Documentation](https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites), as the ECP_256 DH group is supported by the openssl plugin. +2. `/etc/ipsec.d/certs`: copy `user.crt` here from `algo-master/configs//pki/certs`. +3. `/etc/ipsec.d/private`: copy `user.key` here from `algo-master/configs//pki/private`. +4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` here from `algo-master/configs//cacert.pem`. +5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`, like in `ipsec_user.secrets` but matching the `user.key` filename. +6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` to match the `user.crt` filename. +7. `sudo ipsec restart`: pick up config changes +8. `sudo ipsec up `: start the ipsec tunnel +9. 
`sudo ipsec down `: shutdown the ipsec tunnel + +## LAN Passthrough + +To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf`, replacing `192.168.1.1/24` with whatever subnet your LAN uses: + + conn lan-passthrough + leftsubnet=192.168.1.1/24 + rightsubnet=192.168.1.1/24 + authby=never # No authentication necessary + type=pass # passthrough + auto=route # no need to ipsec up lan-passthrough - it will just work ### Other Devices @@ -191,7 +203,6 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file. -- [The Register](https://twitter.com/TheRegister/status/825076303657177088) > Algo is really easy and secure. - -- [the grugq](https://twitter.com/thegrugq/status/786249040228786176) > I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you don’t know much about development. I’ve got to say that I was quite impressed with Trail of Bits’ approach. From 089bf64c91f5d239c9a4825cc890f9aeb26d2c70 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 10:00:57 -0400 Subject: [PATCH 03/13] Update README.md --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 9002b1b8..1a9b19a1 100644 --- a/README.md +++ b/README.md 
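Review bot: In the first README hunk of patch 02 the new `## LAN Passthrough` heading is an H2 placed inside the `####` Ubuntu Server example, so in the rendered document it escapes the strongSwan client section entirely; `####` (or folding the block into the numbered list) keeps it where it belongs. Since `type=pass` with `authby=never` deliberately exempts the LAN prefix from IPsec processing, the paragraph should also say plainly that traffic to that subnet then bypasses the VPN unprotected, so a reader copying the block knows what they are opting out of. Step 4 (`cacert.pem` into `/etc/ipsec.d/cacerts`) is a good addition, since without the CA the client cannot verify the server certificate.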
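Review bot: The second README hunk of patch 02 deletes the blank line between `> Algo is really easy and secure.` and the `-- [the grugq](...)` attribution, so Markdown treats the attribution as a lazy continuation of the preceding blockquote and the quote and its source render as one block. Keep the blank line; nothing in the commit bullets calls for touching this section.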
@@ -130,21 +130,21 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransf ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) +Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. + #### Ubuntu Server 16.04 example -1. Install Strongswan: `sudo apt-get install strongswan strongswan-plugin-openssl` Plugin required per [StrongSwan Documentation](https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites), as the ECP_256 DH group is supported by the openssl plugin. -2. `/etc/ipsec.d/certs`: copy `user.crt` here from `algo-master/configs//pki/certs`. -3. `/etc/ipsec.d/private`: copy `user.key` here from `algo-master/configs//pki/private`. -4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` here from `algo-master/configs//cacert.pem`. -5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`, like in `ipsec_user.secrets` but matching the `user.key` filename. -6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` to match the `user.crt` filename. +1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan +2. `/etc/ipsec.d/certs`: copy `user.crt` from `algo-master/configs//pki/certs` +3. `/etc/ipsec.d/private`: copy `user.key` from `algo-master/configs//pki/private` +4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs//cacert.pem` +5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key` +6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update `leftcert` to match the `user.crt` filename 7. `sudo ipsec restart`: pick up config changes 8. `sudo ipsec up `: start the ipsec tunnel 9. 
`sudo ipsec down `: shutdown the ipsec tunnel -## LAN Passthrough - -To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf`, replacing `192.168.1.1/24` with whatever subnet your LAN uses: +One common use case is to let your computer access your local LAN without going through the VPN. To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf` and replace `192.168.1.1/24` with the subnet your LAN uses: conn lan-passthrough leftsubnet=192.168.1.1/24 From 3ef96f7848adfa9239df427836d2ca559397e39b Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 10:02:34 -0400 Subject: [PATCH 04/13] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1a9b19a1..92443886 100644 --- a/README.md +++ b/README.md @@ -144,14 +144,14 @@ Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, 8. `sudo ipsec up `: start the ipsec tunnel 9. `sudo ipsec down `: shutdown the ipsec tunnel -One common use case is to let your computer access your local LAN without going through the VPN. To enable your device to access other devices on the LAN, add the following to `/etc/ipsec.conf` and replace `192.168.1.1/24` with the subnet your LAN uses: +One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`. Replace `192.168.1.1/24` with the subnet your LAN uses: conn lan-passthrough leftsubnet=192.168.1.1/24 rightsubnet=192.168.1.1/24 authby=never # No authentication necessary type=pass # passthrough - auto=route # no need to ipsec up lan-passthrough - it will just work + auto=route # no need to ipsec up lan-passthrough ### Other Devices From 38f85a6e78d7ad7df228e6aa401f49aa597d2853 Mon Sep 17 00:00:00 2001 
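Review bot: In the README hunk of patch 03, step 1 now says only `install strongSwan` and drops the earlier explanation that `strongswan-plugin-openssl` is what provides the ECP_256 DH group; a reader who already has `strongswan` installed may skip the plugin and then get an IKE proposal mismatch with no hint why. Keep a short parenthetical on that line, such as `(the openssl plugin is needed for the ECP_256 DH group)`. Removing the stray `## LAN Passthrough` H2 and merging it into the example is the right fix for the heading level.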
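Review bot: In the README hunk of patch 04, `leftsubnet=192.168.1.1/24` and `rightsubnet=192.168.1.1/24` still use a host address with a /24 prefix; the network is `192.168.1.0/24`, and the `Replace 192.168.1.1/24 with the subnet your LAN uses` sentence should use that form so readers do not copy the host-address style into their own config. The wording change from `your computer` to `your server` is also ambiguous here: this paragraph sits under the Ubuntu Server client example, where the machine being configured is a strongSwan client, not the Algo server, so `this client` or `this machine` is clearer.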
From: Dan Guido Date: Sun, 16 Apr 2017 10:12:07 -0400 Subject: [PATCH 05/13] Add Linux Desktop to compatible prompt --- algo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/algo b/algo index f0bacbfa..20b03a90 100755 --- a/algo +++ b/algo @@ -55,7 +55,7 @@ security_enabled=${security_enabled:-n} if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi read -p " -Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure) +Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N]: " -r Win10_Enabled Win10_Enabled=${Win10_Enabled:-n} if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi From 87316ea3ea837c3fdf74e7ae503b36c4bcb7e61c Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 10:13:47 -0400 Subject: [PATCH 06/13] Add note about Network Manager --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 92443886..84d23de3 100644 --- a/README.md +++ b/README.md 
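Review bot: In the `algo` hunk of patch 05 the prompt now covers Linux Desktop clients, but the answer is still stored in `Win10_Enabled` and forwarded as `Win10_Enabled=Y`, so the variable name no longer describes what it controls; rename it (or at least comment it at this `read -p`) so the playbook side stays readable. The new parenthetical `(enables compatible ciphers and key exchange, less secure)` is also vaguer than the `(requires RSA certificates and key exchange, less secure)` it replaces; name the concrete downgrade in the prompt so users can weigh the trade-off before answering.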
@@ -128,6 +128,10 @@ If you want to perform these steps by hand, you will need to import the user cer Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none ``` +### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop) + +Network Manager does not support AES-GCM. In order to support Linux Desktop clients, please choose the "compatible" cryptography and use at least Network Manager 1.4.1. See [Issue #263](https://github.com/trailofbits/algo/issues/263) for more information. + ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. From bf75a1bb035d20cf478e8df1d9b6fccbfaef8411 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 16 Apr 2017 16:18:54 +0200 Subject: [PATCH 07/13] move generating of the known_hosts file to local_action (#425) --- roles/ssh_tunneling/tasks/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 1cf23684..578fb793 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -53,9 +53,6 @@ ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null register: ssh_fingerprints -- name: The known_hosts file created - template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts - - name: Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes with_items: "{{ users }}" 
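Review bot: In the README hunk of patch 06 the sentence `please choose the "compatible" cryptography` does not say where that choice is made; point readers to the `Do you want the VPN to support Windows 10 or Linux Desktop clients?` prompt in `algo` so desktop users know which answer selects it. Stating next to the AES-GCM remark that this is the same option the prompt itself labels `less secure` would also keep the consequence visible without following the issue link.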
@@ -66,7 +63,11 @@ become: false - name: Fetch the known_hosts file - fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes + local_action: + module: template + src: known_hosts.j2 + dest: configs/{{ IP_subject_alt_name }}/known_hosts + become: no - name: Build the client ssh config local_action: From 16329fe0883f6e29cd624d101a27fe33eb9c31cd Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 16 Apr 2017 16:19:47 +0200 Subject: [PATCH 08/13] Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355 --- config.cfg | 16 ++++++++++------ playbooks/local.yml | 2 +- roles/cloud-azure/tasks/main.yml | 4 ++-- roles/cloud-digitalocean/tasks/main.yml | 2 +- roles/cloud-ec2/tasks/main.yml | 2 +- roles/cloud-gce/tasks/main.yml | 2 +- 6 files changed, 16 insertions(+), 12 deletions(-) diff --git a/config.cfg b/config.cfg index 747bae5f..b869dd2f 100644 --- a/config.cfg +++ b/config.cfg @@ -58,9 +58,13 @@ SSH_keys: private: configs/algo.pem public: configs/algo.pem.pub -dynamic_inventory_groups: - - azure - - digitalocean - - ec2 - - gce - - local +cloud_providers: + azure: + size: Basic_A0 + digitalocean: + size: 512mb + ec2: + size: t2.micro + gce: + size: f1-micro + local: diff --git a/playbooks/local.yml b/playbooks/local.yml index e852bc20..a7cc2d7e 100644 --- a/playbooks/local.yml +++ b/playbooks/local.yml @@ -19,6 +19,6 @@ create: yes block: | [algo:children] - {% for group in dynamic_inventory_groups %} + {% for group in cloud_providers.keys() %} {{ group }} {% endfor %} diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 17c6ce36..d3b831a8 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml 
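Review bot: In the second `ssh_tunneling` hunk of patch 07 the `known_hosts` file is now rendered locally from `ssh_fingerprints`, which the context above shows comes from `ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null`; because stderr is discarded and the result is only registered, a scan that fails or times out can produce an empty `known_hosts`, and the client ssh config then ships without a pinned host key. Add a `failed_when: ssh_fingerprints.stdout == ""` (or a check on `stdout_lines`) to the keyscan task so the play stops instead of silently dropping host-key pinning. The destination also changes from `{{ IP_subject_alt_name }}_known_hosts` to plain `known_hosts`; confirm that the following `Build the client ssh config` task and the README use the new name.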
@@ -80,7 +80,7 @@ virtual_network: algo_net name: "{{ azure_server_name }}" ssh_password_enabled: false - vm_size: Basic_A0 + vm_size: "{{ cloud_providers.azure.size }}" tags: Environment: Algo ssh_public_keys: @@ -91,7 +91,7 @@ sku: '16.04-LTS' version: latest register: azure_rm_virtualmachine - + # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt? - set_fact: diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index a472fb56..28dd7f15 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -45,7 +45,7 @@ command: droplet name: "{{ do_server_name }}" region_id: "{{ do_region }}" - size_id: "512mb" + size_id: "{{ cloud_providers.digitalocean.size }}" image_id: "ubuntu-16-04-x64" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" unique_name: yes diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index be0b0d4e..46a29425 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -90,7 +90,7 @@ keypair: "VPNKEY" vpc_subnet_id: "{{ vpc.subnets[0].id }}" group: vpn-secgroup - instance_type: t2.micro + instance_type: "{{ cloud_providers.ec2.size }}" image: "{{ ami_image }}" wait: true region: "{{ region }}" diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 5c6a1f66..fce69ce3 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -13,7 +13,7 @@ gce: instance_names: "{{ server_name }}" zone: "{{ zone }}" - machine_type: f1-micro + machine_type: "{{ cloud_providers.gce.size }}" image: ubuntu-1604 service_account_email: "{{ service_account_email }}" credentials_file: "{{ credentials_file_path }}" From bdd0b854316331da66668601b84153a645b7933f Mon Sep 17 00:00:00 2001 
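Review bot: In the `config.cfg` hunk of patch 08 the `local:` entry under `cloud_providers` has no value, so it is YAML null; that is fine for the `cloud_providers.keys()` loop in `playbooks/local.yml`, but any later `cloud_providers.local.size` lookup will fail, and nothing validates that the other `size` strings are valid for their provider (the Azure task's own `# To-do` comment acknowledges this). A short comment above the block saying these are provider-specific instance size names would prevent the most common misconfiguration. The commit message also lists `Escaping Special Characters #388`, but none of the six hunks touch escaping; drop that bullet or include the missing change.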
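Review bot: The second `roles/cloud-azure/tasks/main.yml` hunk of patch 08 is a whitespace-only change to the blank line above the `# To-do` comment; it is harmless but unrelated to the instance-size change and adds noise to `git blame`, so it is better dropped or moved to a cleanup commit.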
From: Jack Ivanov Date: Sun, 16 Apr 2017 16:40:10 +0200 Subject: [PATCH 09/13] Upgrade pip inside virtualenv. Fixes #409 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 84d23de3..812c8095 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua 4. Install Algo's remaining dependencies for your operating system. Using the same terminal window as the previous step run the command below. ```bash - $ python -m virtualenv env && source env/bin/activate && python -m pip install -r requirements.txt + $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt ``` On macOS, you may be prompted to install `cc` which you should accept. From 9a8f3d9dd01948f6e7436b0821b23124e2258221 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 11:10:11 -0400 Subject: [PATCH 10/13] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 812c8095..0cd16c8e 100644 --- a/README.md +++ b/README.md @@ -207,6 +207,7 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file. -- [The Register](https://twitter.com/TheRegister/status/825076303657177088) > Algo is really easy and secure. + -- [the grugq](https://twitter.com/thegrugq/status/786249040228786176) > I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you don’t know much about development. I’ve got to say that I was quite impressed with Trail of Bits’ approach. From 98efa75b6c4bb7ae4ef51f996932e0d94f4a9121 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 12:15:16 -0400 Subject: [PATCH 11/13] more endorsements! --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 0cd16c8e..90992db1 100644 --- a/README.md +++ b/README.md 
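Review bot: In the README hunk of patch 09, `python -m pip install -U pip` pulls whatever pip release is current at install time, so the instructions stop being reproducible across machines and a broken pip release would break the whole `&&` chain. If the upgrade is needed for `requirements.txt` to resolve (the commit cites #409), pin a minimum such as `'pip>=<version that fixed #409>'` and say in the step text why it is there.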
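Review bot: The README hunk of patch 10 restores the blank line between the Register quote and the `-- [the grugq]` attribution that patch 02 in this series removed, so Markdown again closes the blockquote before the attribution. The change is correct; squashing it into patch 02 would keep the series bisect-clean.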
@@ -214,6 +214,10 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file. -- [Romain Dillet](https://twitter.com/romaindillet/status/851037243728965632) for [TechCrunch](https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/) +> If you’re uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution. + +-- [Thorin Klosowski](https://twitter.com/kingthor) for [Lifehacker](http://lifehacker.com/how-to-set-up-your-own-completely-free-vpn-in-the-cloud-1794302432) + ## Support Algo VPN All donations support continued development. Thanks! From 32d906f04df47e35f6b1eb9fd92e512617c317f8 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 16 Apr 2017 13:58:06 -0400 Subject: [PATCH 12/13] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 90992db1..cce1f1b0 100644 --- a/README.md +++ b/README.md @@ -58,11 +58,11 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua - Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/server-redhat-centos6.md) - Windows: See the [Windows documentation](docs/client-windows.md) -4. Install Algo's remaining dependencies for your operating system. Using the same terminal window as the previous step run the command below. +4. Install Algo's remaining dependencies for your operating system. Use the same terminal window as the previous step and run: ```bash $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt ``` - On macOS, you may be prompted to install `cc` which you should accept. + On macOS, you may be prompted to install `cc`. You should press accept. 5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. From 4cd3c2e4ef3aca84c880f28e65cdb2e9e262f5d2 Mon Sep 17 00:00:00 2001 
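Review bot: In the README hunk of patch 11 the Lifehacker link is `http://lifehacker.com/...`; use `https://` so the README does not send readers over plaintext for a site that serves TLS.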
From: Dan Guido Date: Sun, 16 Apr 2017 14:07:14 -0400 Subject: [PATCH 13/13] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cce1f1b0..0427e8c9 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua ```bash $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt ``` - On macOS, you may be prompted to install `cc`. You should press accept. + On macOS, you may be prompted to install `cc`. You should press accept if so. 5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
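Review bot: In the README hunk of patch 13, `You should press accept if so.` still reads awkwardly because the macOS `cc` prompt is a dialog to accept, not a key to press; `If prompted, accept the installation.` is clearer. Patches 12 and 13 both revise this one sentence, so squash them before merging.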