--- # This is the list of users to generate. # Every device must have a unique user. # You can add up to 65,534 new users over the lifetime of an AlgoVPN. # User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123". # Email addresses are not allowed. users: - phone - laptop - desktop ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed. # SSH port for cloud deployments (doesn't apply to existing Ubuntu servers) ssh_port: 4160 # VPN protocols to deploy ipsec_enabled: true wireguard_enabled: true wireguard_port: 51820 # Change if blocked by your network (avoid 53/UDP) # Use different IP for outbound traffic (DigitalOcean only) alternative_ingress_ip: false # Reduce MTU if connections hang (0 = auto-detect) # See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn reduce_mtu: 0 # Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more) adblock_lists: - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # DNS encryption (required if using ad blocking) dns_encryption: true # Client isolation (set false for "road warrior" setup where clients can reach each other) BetweenClients_DROP: true block_smb: true # Block SMB/CIFS traffic block_netbios: true # Block NETBIOS traffic # Automatic reboot for security updates (time in server's timezone, default UTC) unattended_reboot: enabled: false time: 06:00 ### Privacy Settings ### # StrongSwan connection logging (-1 = disabled, 2 = debug) strongswan_log_level: -1 # Master switch for privacy enhancements (log rotation, history clearing, etc.) # Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml privacy_enhancements_enabled: true ### Advanced users only below this line ### # DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md) dnscrypt_servers: ipv4: - cloudflare # - google # - YourCustomServer # For NextDNS etc., add stamp below ipv6: - cloudflare-ipv6 custom_server_stamps: # YourCustomServer: 'sdns://...' # DNS servers when encryption is disabled dns_servers: ipv4: - 1.1.1.1 - 1.0.0.1 ipv6: - 2606:4700:4700::1111 - 2606:4700:4700::1001 # Store PKI in RAM disk when not retaining (MacOS/Linux only) pki_in_tmpfs: true # Regenerate ALL user certs on update-users (not just new users) keys_clean_all: false ### VPN Network Configuration ### strongswan_network: 10.48.0.0/16 strongswan_network_ipv6: '2001:db8:4160::/48' wireguard_network_ipv4: 10.49.0.0/16 wireguard_network_ipv6: 2001:db8:a160::/48 # Keep NAT connections alive (0 = disabled) wireguard_PersistentKeepalive: 0 ### Experimental Performance Options ### # These are experimental and may cause issues. Enable at your own risk. # performance_skip_optional_reboots: false # Skip non-kernel reboots # performance_parallel_crypto: false # Parallel key generation # performance_parallel_packages: false # Batch package installation # performance_preinstall_packages: false # Pre-install via cloud-init # performance_parallel_services: false # Configure VPN services in parallel # Randomly generated IP address for the local dns resolver local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" # Hide sensitive data in Ansible output during deployment (passwords, keys, etc.) # This is NOT related to privacy/logging on the VPN server itself algo_no_log: true congrats: common: | "# Congratulations! #" "# Your Algo server is running. #" "# Config files and certificates are in the ./configs/ directory. #" "# Go to https://whoer.net/ after connecting #" "# and ensure that all your traffic passes through the VPN. #" "# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #" p12_pass: | "# The p12 and SSH keys password for new users is {{ p12_export_password }} #" ca_key_pass: | "# The CA key password is {{ CA_password|default(omit) }} #" ssh_access: | "# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #" SSH_keys: comment: algo@ssh private: configs/algo.pem private_tmp: /tmp/algo-ssh.pem public: configs/algo.pem.pub cloud_providers: azure: size: Standard_B1S osDisk: # The storage account type to use for the OS disk. Possible values: # 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS', # 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'. type: Standard_LRS image: publisher: Canonical offer: 0001-com-ubuntu-minimal-jammy-daily sku: minimal-22_04-daily-lts version: latest digitalocean: # See docs for extended droplet options, pricing, and availability. # Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ... size: s-1vcpu-1gb image: "ubuntu-22-04-x64" ec2: # Change the encrypted flag to "false" to disable AWS volume encryption. encrypted: true # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP # Additional prompt will be raised to determine which IP to use use_existing_eip: false size: t2.micro image: name: "ubuntu-jammy-22.04" arch: x86_64 owner: "099720109477" # Change instance_market_type from "on-demand" to "spot" to launch a spot # instance. See deploy-from-ansible.md for spot's additional IAM permission instance_market_type: on-demand gce: size: e2-micro image: ubuntu-2204-lts external_static_ip: false lightsail: size: nano_2_0 image: ubuntu_22_04 scaleway: size: DEV1-S image: Ubuntu 22.04 Jammy Jellyfish arch: x86_64 hetzner: server_type: cpx11 image: ubuntu-22.04 openstack: flavor_ram: ">=512" image: Ubuntu-22.04 cloudstack: size: Micro image: Linux Ubuntu 22.04 LTS 64-bit disk: 10 vultr: os: Ubuntu 22.04 LTS x64 size: vc2-1c-1gb linode: type: g6-nanode-1 image: linode/ubuntu22.04 local: fail_hint: - Sorry, but something went wrong! - Please check the troubleshooting guide. - https://trailofbits.github.io/algo/troubleshooting.html booleans_map: Y: true y: true