Merge remote-tracking branch 'upstream/master'

This commit is contained in:
J 2017-04-16 12:16:06 -07:00
commit e7be828cab
9 changed files with 55 additions and 26 deletions

View file

@ -58,11 +58,11 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
- Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/server-redhat-centos6.md) - Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/server-redhat-centos6.md)
- Windows: See the [Windows documentation](docs/client-windows.md) - Windows: See the [Windows documentation](docs/client-windows.md)
4. Install Algo's remaining dependencies for your operating system. Using the same terminal window as the previous step run the command below. 4. Install Algo's remaining dependencies for your operating system. Use the same terminal window as the previous step and run:
```bash ```bash
$ python -m virtualenv env && source env/bin/activate && python -m pip install -r requirements.txt $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
``` ```
On macOS, you may be prompted to install `cc` which you should accept. On macOS, you may be prompted to install `cc`. You should press accept if so.
5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. 5. Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
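Review bot: the added `python -m pip install -U pip` in step 4 pulls whatever pip release is current on the day the user runs it, so two people following the README a week apart get different pip versions and the step is not reproducible; if the upgrade is needed to work around a specific build problem, pin it (`python -m pip install 'pip==<version>'`) or state which pip version is required, and since this environment is the tooling that provisions the VPN server, consider installing `requirements.txt` with `--require-hashes`. Minor: "You should press accept if so" reads oddly; on macOS the `cc` prompt is the offer to install the command line developer tools, so "accept the prompt to install the command line tools" is clearer.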
@ -128,18 +128,34 @@ If you want to perform these steps by hand, you will need to import the user cer
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
``` ```
### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)
Network Manager does not support AES-GCM. In order to support Linux Desktop clients, please choose the "compatible" cryptography and use at least Network Manager 1.4.1. See [Issue #263](https://github.com/trailofbits/algo/issues/263) for more information.
### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.) ### Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
#### Ubuntu Server 16.04 example #### Ubuntu Server 16.04 example
1. `/etc/ipsec.d/certs`: copy `user.crt` here 1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan
2. `/etc/ipsec.d/private`: copy `user.key` here 2. `/etc/ipsec.d/certs`: copy `user.crt` from `algo-master/configs/<name>/pki/certs`
3. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key` 3. `/etc/ipsec.d/private`: copy `user.key` from `algo-master/configs/<name>/pki/private`
4. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update the value for `leftcert` 4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs/<name>/cacert.pem`
5. `sudo ipsec up <conn-name>`: start the ipsec tunnel 5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `xx.xxx.xx.xxx : ECDSA user.key`
6. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel 6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and update `leftcert` to match the `user.crt` filename
7. `sudo ipsec restart`: pick up config changes
8. `sudo ipsec up <conn-name>`: start the ipsec tunnel
9. `sudo ipsec down <conn-name>`: shutdown the ipsec tunnel
One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`. Replace `192.168.1.1/24` with the subnet your LAN uses:
conn lan-passthrough
leftsubnet=192.168.1.1/24
rightsubnet=192.168.1.1/24
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
### Other Devices ### Other Devices
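Review bot: in the `lan-passthrough` stanza, `leftsubnet` and `rightsubnet` use a host address with a prefix (`192.168.1.1/24`); write the network address, `192.168.1.0/24`, so it is unambiguous that the whole LAN is meant and the reader substitutes their own prefix. The lead sentence also says the passthrough lets "your server" reach the local LAN, but the stanza goes into the client's `/etc/ipsec.conf` and exempts the client's LAN traffic from the tunnel, so it should say "your client"; a one-line caveat that `type=pass` with `authby=never` sends that LAN traffic in the clear outside the VPN would make the trade-off explicit. Step 7 `sudo ipsec restart` also tears down any running tunnel; `sudo ipsec reload` (plus `sudo ipsec rereadsecrets` after editing `ipsec.secrets`) picks up the changes without that.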
@ -198,6 +214,10 @@ The Algo VPN server now contains only the users listed in the `config.cfg` file.
-- [Romain Dillet](https://twitter.com/romaindillet/status/851037243728965632) for [TechCrunch](https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/) -- [Romain Dillet](https://twitter.com/romaindillet/status/851037243728965632) for [TechCrunch](https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/)
> If youre uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.
-- [Thorin Klosowski](https://twitter.com/kingthor) for [Lifehacker](http://lifehacker.com/how-to-set-up-your-own-completely-free-vpn-in-the-cloud-1794302432)
## Support Algo VPN ## Support Algo VPN
All donations support continued development. Thanks! All donations support continued development. Thanks!
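Review bot: the Lifehacker quote reads "If youre uncomfortable"; the apostrophe in "you're" was dropped (probably a curly-quote encoding loss when pasting), fix it before it lands in the README.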

6
algo
View file

@ -55,7 +55,7 @@ security_enabled=${security_enabled:-n}
if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
read -p " read -p "
Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure) Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: " -r Win10_Enabled [y/N]: " -r Win10_Enabled
Win10_Enabled=${Win10_Enabled:-n} Win10_Enabled=${Win10_Enabled:-n}
if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
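Review bot: the prompt now covers Linux Desktop clients too, but the variable and the extra-var are still `Win10_Enabled`, and the README's Network Manager section tells Linux users to pick the "compatible" cryptography, a word that appears nowhere in this prompt, so a Linux user has to guess which question to answer `y`. Either rename the toggle to something client-neutral (e.g. `Compatible_Ciphers` / `compatible_ciphers=Y`) or make the README wording match the prompt text. It would also help to say in the prompt what "compatible ciphers" means concretely (AES-CBC with SHA-256 rather than AES-GCM, as the Windows `Set-VpnConnectionIPsecConfiguration` example in the README already uses) so "less secure" is not left as an unexplained warning.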
@ -137,6 +137,8 @@ Name the vpn server:
24. North Central US 24. North Central US
25. South India 25. South India
26. West India 26. West India
27. East US
28. East US 2
Enter the number of your desired region: Enter the number of your desired region:
[1]: " -r azure_region [1]: " -r azure_region
@ -169,6 +171,8 @@ Enter the number of your desired region:
24) region="northcentralus" ;; 24) region="northcentralus" ;;
25) region="southindia" ;; 25) region="southindia" ;;
26) region="westindia" ;; 26) region="westindia" ;;
27) region="eastus" ;;
28) region="eastus2" ;;
esac esac
ROLES="azure vpn cloud" ROLES="azure vpn cloud"
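Review bot: the region menu (`27. East US`, `28. East US 2`) and the `case` mapping (`27) region="eastus"`, `28) region="eastus2"`) are two parallel lists that must be edited in lockstep; a single indexed array used both to print the menu and to look up the slug would remove that maintenance hazard. Also, unless a `*)` branch sits earlier in the statement, no default is visible before `esac`, so a number outside 1-28 leaves `region` unset and the Azure role runs with an empty region; add a default that prints an error and exits.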

View file

@ -58,9 +58,13 @@ SSH_keys:
private: configs/algo.pem private: configs/algo.pem
public: configs/algo.pem.pub public: configs/algo.pem.pub
dynamic_inventory_groups: cloud_providers:
- azure azure:
- digitalocean size: Basic_A0
- ec2 digitalocean:
- gce size: 512mb
- local ec2:
size: t2.micro
gce:
size: f1-micro
local:
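Review bot: replacing `dynamic_inventory_groups` with the `cloud_providers` mapping is a breaking change for anyone who already has a customised `config.cfg`: the inventory template now evaluates `cloud_providers.keys()`, which is undefined against the old key, and nothing here documents the rename; add a note to the README or changelog. `local:` is a bare key, which YAML loads as null, so `cloud_providers.local.size` would raise an undefined-attribute error if any task ever touches it; give it an empty mapping (`local: {}`) and a comment that no size applies to the local target. Since sizes are now user-editable, also say that the values listed here (`Basic_A0`, `512mb`, `t2.micro`, `f1-micro`) are the previously hardcoded defaults, so users know what has been exercised.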

View file

@ -19,6 +19,6 @@
create: yes create: yes
block: | block: |
[algo:children] [algo:children]
{% for group in dynamic_inventory_groups %} {% for group in cloud_providers.keys() %}
{{ group }} {{ group }}
{% endfor %} {% endfor %}
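Review bot: `cloud_providers.keys()` iterates in dictionary order, which Python 2 and Python 3 before 3.7 do not guarantee, so the generated `[algo:children]` list can change order between runs; harmless for Ansible, but it makes the written inventory noisy to diff. `{% for group in cloud_providers | sort %}` gives a stable order, and `.keys()` is redundant in Jinja2 anyway since iterating a mapping already yields its keys.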

View file

@ -80,7 +80,7 @@
virtual_network: algo_net virtual_network: algo_net
name: "{{ azure_server_name }}" name: "{{ azure_server_name }}"
ssh_password_enabled: false ssh_password_enabled: false
vm_size: Basic_A0 vm_size: "{{ cloud_providers.azure.size }}"
tags: tags:
Environment: Algo Environment: Algo
ssh_public_keys: ssh_public_keys:
@ -91,7 +91,7 @@
sku: '16.04-LTS' sku: '16.04-LTS'
version: latest version: latest
register: azure_rm_virtualmachine register: azure_rm_virtualmachine
# To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt? # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
- set_fact: - set_fact:
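Review bot: the to-do about an unavailable `vm_size` is more pressing now that the value is read from `cloud_providers.azure.size` in `config.cfg` instead of being fixed to `Basic_A0`; a mistyped or regionally unavailable size fails this task late in the run, after earlier Azure resources such as `algo_net` have been created. Even without the prompt-driven fallback, an `assert` or `failed_when` on this task with a message naming the config key would tell the user what to fix.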

View file

@ -45,7 +45,7 @@
command: droplet command: droplet
name: "{{ do_server_name }}" name: "{{ do_server_name }}"
region_id: "{{ do_region }}" region_id: "{{ do_region }}"
size_id: "512mb" size_id: "{{ cloud_providers.digitalocean.size }}"
image_id: "ubuntu-16-04-x64" image_id: "ubuntu-16-04-x64"
ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
unique_name: yes unique_name: yes

View file

@ -90,7 +90,7 @@
keypair: "VPNKEY" keypair: "VPNKEY"
vpc_subnet_id: "{{ vpc.subnets[0].id }}" vpc_subnet_id: "{{ vpc.subnets[0].id }}"
group: vpn-secgroup group: vpn-secgroup
instance_type: t2.micro instance_type: "{{ cloud_providers.ec2.size }}"
image: "{{ ami_image }}" image: "{{ ami_image }}"
wait: true wait: true
region: "{{ region }}" region: "{{ region }}"

View file

@ -13,7 +13,7 @@
gce: gce:
instance_names: "{{ server_name }}" instance_names: "{{ server_name }}"
zone: "{{ zone }}" zone: "{{ zone }}"
machine_type: f1-micro machine_type: "{{ cloud_providers.gce.size }}"
image: ubuntu-1604 image: ubuntu-1604
service_account_email: "{{ service_account_email }}" service_account_email: "{{ service_account_email }}"
credentials_file: "{{ credentials_file_path }}" credentials_file: "{{ credentials_file_path }}"

View file

@ -53,9 +53,6 @@
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints register: ssh_fingerprints
- name: The known_hosts file created
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
- name: Fetch users SSH private keys - name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"
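Review bot: dropping the `The known_hosts file created` task means the pin file is no longer left behind in `/root/.ssh/` on the server, which is fine since it was only ever needed on the client side, but the data it is built from is still `ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null` with stderr discarded and no check on the registered result; if the scan returns nothing, the users' `known_hosts` is written empty and the host-key pinning the file exists for silently disappears. Add `failed_when: ssh_fingerprints.stdout == ""` (or equivalent) so a failed scan aborts the play instead of shipping an empty pin file.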
@ -66,7 +63,11 @@
become: false become: false
- name: Fetch the known_hosts file - name: Fetch the known_hosts file
fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes local_action:
module: template
src: known_hosts.j2
dest: configs/{{ IP_subject_alt_name }}/known_hosts
become: no
- name: Build the client ssh config - name: Build the client ssh config
local_action: local_action:
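Review bot: the output path changed from `configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts` to `configs/{{ IP_subject_alt_name }}/known_hosts`; if the client ssh config built by the next task (`Build the client ssh config`) or the README reference the old filename, clients fall back to their default `known_hosts` and lose the pinned server key, so check both use the new name. The task name `Fetch the known_hosts file` is also stale now that this is a local `template` action rather than a `fetch`; `Build the known_hosts file` would describe what it does.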