mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-08 04:53:08 +02:00
db02a8f8aa
- Add no_log directives to all cloud provider credential handling - Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off) - Implement privacy role with log rotation, history clearing, and log filtering - Add Privacy Considerations section to README - Make all privacy features configurable and enabled by default This update significantly reduces Algo's logging footprint to enhance user privacy while maintaining the ability to enable logging for debugging when needed.
295 lines
11 KiB
INI
295 lines
11 KiB
INI
---
|
|
|
|
# This is the list of users to generate.
|
|
# Every device must have a unique user.
|
|
# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
|
|
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
|
|
# Email addresses are not allowed.
|
|
users:
|
|
- phone
|
|
- laptop
|
|
- desktop
|
|
|
|
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
|
|
|
|
# Change default SSH port for the cloud roles only
|
|
# It doesn't apply if you deploy to your existing Ubuntu Server
|
|
ssh_port: 4160
|
|
|
|
# Deploy StrongSwan to enable IPsec support
|
|
ipsec_enabled: true
|
|
|
|
# Deploy WireGuard
|
|
# WireGuard will listen on 51820/UDP. You might need to change to another port
|
|
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
|
|
# mobile data networks.
|
|
wireguard_enabled: true
|
|
wireguard_port: 51820
|
|
|
|
# This feature allows you to configure the Algo server to send outbound traffic
|
|
# through a different external IP address than the one you are establishing the VPN connection with.
|
|
# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
|
|
# Available for the following cloud providers:
|
|
# - DigitalOcean
|
|
alternative_ingress_ip: false
|
|
|
|
# Reduce the MTU of the VPN tunnel
|
|
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
|
|
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
|
|
# VPN tunnel some network connections will hang. Algo will attempt to set this
|
|
# automatically based on your server, but if connections hang you might need to
|
|
# adjust this yourself.
|
|
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
|
|
reduce_mtu: 0
|
|
|
|
# Algo will use the following lists to block ads. You can add new block lists
|
|
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
|
|
# /usr/local/sbin/adblock.sh
|
|
# If you load very large blocklists, you may also have to modify resource limits:
|
|
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
|
|
adblock_lists:
|
|
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
|
|
|
# Enable DNS encryption.
|
|
# If 'false', 'dns_servers' should be specified below.
|
|
# DNS encryption can not be disabled if DNS adblocking is enabled
|
|
dns_encryption: true
|
|
|
|
# Block traffic between connected clients. Change this to false to enable
|
|
# connected clients to reach each other, as well as other computers on the
|
|
# same LAN as your Algo server (i.e. the "road warrior" setup). In this
|
|
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
|
|
BetweenClients_DROP: true
|
|
|
|
# Block SMB/CIFS traffic
|
|
block_smb: true
|
|
|
|
# Block NETBIOS traffic
|
|
block_netbios: true
|
|
|
|
# Your Algo server will automatically install security updates. Some updates
|
|
# require a reboot to take effect but your Algo server will not reboot itself
|
|
# automatically unless you change 'enabled' below from 'false' to 'true', in
|
|
# which case a reboot will take place if necessary at the time specified (as
|
|
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
|
|
unattended_reboot:
|
|
enabled: false
|
|
time: 06:00
|
|
|
|
### Advanced users only below this line ###
|
|
|
|
# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
|
|
# providers may be specified, but avoid mixing providers that filter results
|
|
# (like Cisco) with those that don't (like Cloudflare) or you could get
|
|
# inconsistent results. The list of available public providers can be found
|
|
# here:
|
|
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
|
|
dnscrypt_servers:
|
|
ipv4:
|
|
- cloudflare
|
|
# - google
|
|
# - <YourCustomServer> # E.g., if using NextDNS, this will be something like NextDNS-abc123.
|
|
# You must also fill in custom_server_stamps below. You may specify
|
|
# multiple custom servers.
|
|
ipv6:
|
|
- cloudflare-ipv6
|
|
|
|
custom_server_stamps:
|
|
# YourCustomServer: 'sdns://...'
|
|
|
|
# DNS servers which will be used if 'dns_encryption' is 'false'.
|
|
# Fallback resolvers for systemd-resolved
|
|
# The default is to use Cloudflare.
|
|
dns_servers:
|
|
ipv4:
|
|
- 1.1.1.1
|
|
- 1.0.0.1
|
|
ipv6:
|
|
- 2606:4700:4700::1111
|
|
- 2606:4700:4700::1001
|
|
|
|
# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
|
|
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
|
|
pki_in_tmpfs: true
|
|
|
|
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
|
|
keys_clean_all: false
|
|
|
|
# StrongSwan log level
|
|
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
|
|
# Privacy enhancement: Set to -1 to disable logging of VPN connection details
|
|
# Level 2 logs connection attempts and authentication which may reveal usage patterns
|
|
# Level -1 disables logging entirely for enhanced privacy
|
|
strongswan_log_level: -1
|
|
|
|
### Privacy Enhancements ###
|
|
# Additional privacy measures to reduce server-side traces of VPN usage
|
|
# These settings help protect user privacy by minimizing log retention and filtering sensitive data
|
|
|
|
# Enable enhanced privacy features
|
|
# Set to false to disable all privacy enhancements (useful for debugging)
|
|
privacy_enhancements_enabled: true
|
|
|
|
# Log rotation and retention settings
|
|
privacy_log_rotation:
|
|
# Maximum age for logs in days (shorter = more private, but less debugging info)
|
|
max_age: 7
|
|
# Maximum size for individual log files in MB
|
|
max_size: 10
|
|
# Number of rotated files to keep
|
|
rotate_count: 3
|
|
# Compress rotated logs to save space
|
|
compress: true
|
|
# Force daily rotation
|
|
daily_rotation: true
|
|
|
|
# History clearing configuration
|
|
privacy_history_clearing:
|
|
# Clear bash/shell history after deployment
|
|
clear_bash_history: true
|
|
# Clear system command history logs
|
|
clear_system_history: true
|
|
# Disable persistent history for system users
|
|
disable_service_history: true
|
|
|
|
# Log filtering to exclude VPN-related entries
|
|
privacy_log_filtering:
|
|
# Filter out VPN connection logs (WireGuard, StrongSwan, etc.)
|
|
exclude_vpn_logs: true
|
|
# Filter out detailed authentication logs (reduces security logging - use with caution)
|
|
exclude_auth_logs: false
|
|
# Filter kernel messages related to VPN traffic
|
|
filter_kernel_vpn_logs: true
|
|
|
|
# Automatic cleanup policies
|
|
privacy_auto_cleanup:
|
|
# Enable automatic cleanup of old logs and temporary files
|
|
enabled: true
|
|
# Cleanup frequency: daily, weekly, or monthly
|
|
frequency: "daily"
|
|
# Remove temporary files older than N days
|
|
temp_files_max_age: 1
|
|
# Clean package manager cache
|
|
clean_package_cache: true
|
|
|
|
# Advanced privacy settings (use with caution)
|
|
privacy_advanced:
|
|
# Disable logging of successful SSH connections (keeps failures for security)
|
|
disable_ssh_success_logs: false
|
|
# Reduce kernel log verbosity to minimize VPN traces
|
|
reduce_kernel_verbosity: true
|
|
# Clear all logs on system shutdown (extreme privacy measure)
|
|
clear_logs_on_shutdown: false
|
|
|
|
# rightsourceip for ipsec
|
|
# ipv4
|
|
strongswan_network: 10.48.0.0/16
|
|
# ipv6
|
|
strongswan_network_ipv6: '2001:db8:4160::/48'
|
|
|
|
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
|
|
# This option will keep the "connection" open in the eyes of NAT.
|
|
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
|
|
wireguard_PersistentKeepalive: 0
|
|
|
|
# WireGuard network configuration
|
|
wireguard_network_ipv4: 10.49.0.0/16
|
|
wireguard_network_ipv6: 2001:db8:a160::/48
|
|
|
|
# Randomly generated IP address for the local dns resolver
|
|
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
|
|
# Hide sensitive data
|
|
no_log: true
|
|
|
|
congrats:
|
|
common: |
|
|
"# Congratulations! #"
|
|
"# Your Algo server is running. #"
|
|
"# Config files and certificates are in the ./configs/ directory. #"
|
|
"# Go to https://whoer.net/ after connecting #"
|
|
"# and ensure that all your traffic passes through the VPN. #"
|
|
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
|
|
p12_pass: |
|
|
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
|
|
ca_key_pass: |
|
|
"# The CA key password is {{ CA_password|default(omit) }} #"
|
|
ssh_access: |
|
|
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
|
|
|
|
SSH_keys:
|
|
comment: algo@ssh
|
|
private: configs/algo.pem
|
|
private_tmp: /tmp/algo-ssh.pem
|
|
public: configs/algo.pem.pub
|
|
|
|
cloud_providers:
|
|
azure:
|
|
size: Standard_B1S
|
|
osDisk:
|
|
# The storage account type to use for the OS disk. Possible values:
|
|
# 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS',
|
|
# 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'.
|
|
type: Standard_LRS
|
|
image:
|
|
publisher: Canonical
|
|
offer: 0001-com-ubuntu-minimal-jammy-daily
|
|
sku: minimal-22_04-daily-lts
|
|
version: latest
|
|
digitalocean:
|
|
# See docs for extended droplet options, pricing, and availability.
|
|
# Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
|
|
size: s-1vcpu-1gb
|
|
image: "ubuntu-22-04-x64"
|
|
ec2:
|
|
# Change the encrypted flag to "false" to disable AWS volume encryption.
|
|
encrypted: true
|
|
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
|
|
# Additional prompt will be raised to determine which IP to use
|
|
use_existing_eip: false
|
|
size: t2.micro
|
|
image:
|
|
name: "ubuntu-jammy-22.04"
|
|
arch: x86_64
|
|
owner: "099720109477"
|
|
# Change instance_market_type from "on-demand" to "spot" to launch a spot
|
|
# instance. See deploy-from-ansible.md for spot's additional IAM permission
|
|
instance_market_type: on-demand
|
|
gce:
|
|
size: e2-micro
|
|
image: ubuntu-2204-lts
|
|
external_static_ip: false
|
|
lightsail:
|
|
size: nano_2_0
|
|
image: ubuntu_22_04
|
|
scaleway:
|
|
size: DEV1-S
|
|
image: Ubuntu 22.04 Jammy Jellyfish
|
|
arch: x86_64
|
|
hetzner:
|
|
server_type: cpx11
|
|
image: ubuntu-22.04
|
|
openstack:
|
|
flavor_ram: ">=512"
|
|
image: Ubuntu-22.04
|
|
cloudstack:
|
|
size: Micro
|
|
image: Linux Ubuntu 22.04 LTS 64-bit
|
|
disk: 10
|
|
vultr:
|
|
os: Ubuntu 22.04 LTS x64
|
|
size: vc2-1c-1gb
|
|
linode:
|
|
type: g6-nanode-1
|
|
image: linode/ubuntu22.04
|
|
local:
|
|
|
|
fail_hint:
|
|
- Sorry, but something went wrong!
|
|
- Please check the troubleshooting guide.
|
|
- https://trailofbits.github.io/algo/troubleshooting.html
|
|
|
|
booleans_map:
|
|
Y: true
|
|
y: true
|