search

StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn
Other
23.17k stars 1.99k forks source link

Setup on Debian #93

Closed skeeve42 closed 7 years ago

skeeve42 commented 9 years ago

I am trying to setup streisand on one VPS from another (on the same provider). Both are Debian 7. I did a fresh install on vps#2 but I keep getting the error below. I have root access via SSH to both servers. I don't understand when (if) and where (vps#1 or 2) to run ssh-keygen, so maybe that's the problem? I also don't know if by "following the defaults" I am supposed to leave the password bit blank or not.

root@myvps#1:~/streisand# nano inventory # I uncommented the last two lines and changed the IP to vps#2 root@myvps#1:~/streisand# nano ansible.cfg # I have tried it with host_key_checking both un- and commented out root@myvps#1:~/streisand# ansible-playbook playbooks/streisand.yml

PLAY [Configure the Server and install required software] *****

GATHERING FACTS *** fatal: [xxx.xxx.xxx.xxx] => SSH Error: data could not be sent to the remote host . Make sure this host can be reached over ssh

TASK: [common | Warn users if the server's Linux distribution is not Debian 7] * ** FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP **** to retry, use: --limit @/root/streisand.retry

xxx.xxx.xxx.xxx : ok=0 changed=0 unreachable=1 failed=0

root@myvps#1:~/streisand#

Edit: I reinstalled Debian 7 on both VPSs and tried installing and running the script on each one (from the other one) and got the error above. I've tried running ssh-keygen on each (using a blank password on both) as well. I feel like I'm missing something...?

skeeve42 commented 9 years ago

I can ssh vps2 and ping vps2 from vps1 no problem. I get the same error (above) no matter what I do.

jlund commented 9 years ago

What username do you use when you connect?

skeeve42 commented 9 years ago

It's a fresh install, so I can only connect as root.

On Mon, Dec 1, 2014 at 11:34 AM, Joshua Lund notifications@github.com wrote:

What username do you use when you connect?

— Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/93#issuecomment-65017165.

jlund commented 9 years ago

Standard port 22? If you can SSH from vps1 to vps2 as root, then you should be good to go. That's all that Ansible would need in order to run from vps1 to configure vps2. Can you show me what command you type to SSH successfully (with the IP address filtered, of course)?

skeeve42 commented 9 years ago

ssh 'xxx.xxx.xxx.xxx'

I assume it's standard port 22. It's what I connect to both of them with from a third machine.

On Mon, Dec 1, 2014 at 12:52 PM, Joshua Lund notifications@github.com wrote:

Standard port 22? If you can SSH from vps1 to vps2 as root, then you should be good to go. That's all that Ansible would need in order to run from vps1 to configure vps2. Can you show me what command you type to SSH successfully (with the IP address filtered, of course)?

— Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/93#issuecomment-65020701.

jlund commented 9 years ago

Can you try running the ansible-playbook command with the -vvvv flag and pasting that output?

skeeve42 commented 9 years ago

root@vps1:~/streisand# ansible-playbook playbooks/streisand.yml -vvvv

PLAY [Configure the Server and install required software] *****

GATHERING FACTS ***

ESTABLISH CONNECTION FOR USER: root REMOTE_MODULE setup EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s - o ControlPath="/root/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthenti cation=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,pub lickey -o PasswordAuthentication=no -o ConnectTimeout=10 xxx.xxx.xxx.xxx /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python' fatal: [xxx.xxx.xxx.xxx] => SSH Error: data could not be sent to the remote host . Make sure this host can be reached over ssh TASK: [common | Warn users if the server's Linux distribution is not Debian 7] * ** FATAL: no hosts matched or all hosts have already failed -- aborting PLAY RECAP ******************************************************************** to retry, use: --limit @/root/streisand.retry xxx.xxx.xxx.xxx : ok=0 changed=0 unreachable=1 failed=0 root@vps1:~/streisand#
jlund commented 9 years ago

Thanks. So vps1 does not appear to be able to SSH to vps2 as root, at least not when Ansible tries to do it.

Can you try running ssh-keygen on vps1, and then copying the resulting id_rsa.pub file from vps1 to /root/.ssh/authorized_keys on vps2?

skeeve42 commented 9 years ago

root@vps1:~/streisand# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@vps1 The key's randomart image is: +--[ RSA 2048]----+ | . .. . .+.. | | . X. .X. | | . X . X.. .. | | = XXX X | | XXX X | | XXX . | | XXXX . | | . = . | | . . | +-----------------+ root@vps1:~/streisand# ssh-copy-id xxx.xxx.xxx.xxx root@xxx.xxx.xxx.xxx's password: Now try logging into the machine, with "ssh 'xxx.xxx.xxx.xxx'", and check in

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

root@vps1:~/streisand# ssh 'xxx.xxx.xxx.xxx' Linux vps2 2.6.32-042stab092.3 #1 SMP Sun Jul 20 13:27:24 MSK 2014 64

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Dec 1 05:08:43 2014 from ip.of.vps.1 root@vps2:~# exit logout Connection to xxx.xxx.xxx.xxx closed. root@vps1:~/streisand# ansible-playbook playbooks/streisand.yml -vvvv

PLAY [Configure the Server and install required software] **

GATHERING FACTS ****

ESTABLISH CONNECTION FOR USER: root REMOTE_MODULE setup EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=6 o ControlPath="/root/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuth cation=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased lickey -o PasswordAuthentication=no -o ConnectTimeout=10 xxx.xxx.xxx.xxx /bi -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python' fatal: [xxx.xxx.xxx.xxx] => SSH Error: data could not be sent to the remote . Make sure this host can be reached over ssh TASK: [common | Warn users if the server's Linux distribution is not Debian ** FATAL: no hosts matched or all hosts have already failed -- aborting PLAY RECAP ***************************************************************** to retry, use: --limit @/root/streisand.retry xxx.xxx.xxx.xxx : ok=0 changed=0 unreachable=1 failed=0 root@vps1:~/streisand#
jlund commented 9 years ago

Long shot, but try ansible-playbook -c paramiko playbooks/streisand.yml -vvvv.

Are you positive that the IP address in the inventory file is correct?

skeeve42 commented 9 years ago

Inventory file uncommented parts: [localhost] 127.0.0.1 ansible_python_interpreter=python [streisand-host] xxx.xxx.xxx.xxx #IP of vps2 (defintely right)

root@vps1:~/streisand# nano inventory root@vps1:~/streisand# ansible-playbook -c paramiko playbooks/streisand.yml -vvvv

PLAY [Configure the Server and install required software] *****

GATHERING FACTS ***

ESTABLISH CONNECTION FOR USER: root on PORT 22 TO xxx.xxx.xxx.xxx REMOTE_MODULE setup EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14174 14031.36-119134709661074 && echo $HOME/.ansible/tmp/ansible-tmp-1417414031.36-11 9134709661074' PUT /tmp/tmpNdN3Na TO /root/.ansible/tmp/ansible-tmp-141741403 1.36-119134709661074/setup EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi n/python /root/.ansible/tmp/ansible-tmp-1417414031.36-119134709661074/setup; rm -rf /root/.ansible/tmp/ansible-tmp-1417414031.36-119134709661074/ >/dev/null 2>& 1' failed: [xxx.xxx.xxx.xxx] => {"failed": true, "parsed": false} /bin/sh: 1: /usr/bin/python: not found TASK: [common | Warn users if the server's Linux distribution is not Debian 7] *** FATAL: no hosts matched or all hosts have already failed -- aborting PLAY RECAP ******************************************************************** to retry, use: --limit @/root/streisand.retry xxx.xxx.xxx.xxx : ok=0 changed=0 unreachable=0 failed=1 root@vps1:~/streisand#
jlund commented 9 years ago

Ah, interesting. It looks like Python might not be installed on vps2. Can you run apt-get install python on vps2?

skeeve42 commented 9 years ago

Ahhh, when I did a clean install I never ran update and upgrade. It appears to be working now. So was python the problem all this time?

jlund commented 9 years ago

It looks like it! Python is typically installed by default on most distributions so I didn't even think of that until I saw the error message. Paramiko is a Python SSH library, so that's why the issue surfaced with the addition of that flag.

skeeve42 commented 9 years ago

Well that's good news! Things appeared to be going fine, but then it failed:

TASK: [openvpn | Restart OpenVPN so the 10.8.0.0 interface is available to dnsmasq] ***

ESTABLISH CONNECTION FOR USER: root on PORT 22 TO xxx.xxx.xxx.xxx REMOTE_MODULE service name=openvpn state=restarted EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14174 15655.85-235289032662885 && echo $HOME/.ansible/tmp/ansible-tmp-1417415655.85-23 5289032662885' PUT /tmp/tmp1DNkWB TO /root/.ansible/tmp/ansible-tmp-141741565 5.85-235289032662885/service EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi n/python /root/.ansible/tmp/ansible-tmp-1417415655.85-235289032662885/service; r m -rf /root/.ansible/tmp/ansible-tmp-1417415655.85-235289032662885/ >/dev/null 2>&1' failed: [xxx.xxx.xxx.xxx] => {"failed": true} msg: SIOCSIFADDR: No such device : ERROR while getting interface flags: No such device SIOCSIFDSTADDR: No such device : ERROR while getting interface flags: No such device SIOCSIFMTU: No such device FATAL: all hosts have already failed -- aborting PLAY RECAP ******************************************************************** to retry, use: --limit @/root/streisand.retry xxx.xxx.xxx.xxx : ok=55 changed=50 unreachable=0 failed=1 root@vps1:~/streisand#

Ran it again and it errored in the same location.

jlund commented 9 years ago

Bummer. It looks like your VPS provider does not allow you to create a TUN device on your virtual server. This is a known issue that is relatively common with OpenVZ virtualization. You can comment out the OpenVPN role in streisand.yml and run the playbook again. All of the other services should still work.

skeeve42 commented 9 years ago

I have successfully ran OpenVPN before from this server. The link you provided discusses eth0 and venet0, which was an issue for me as well but it wasn't terribly hard to fix once the commands were set properly.

jlund commented 9 years ago

If you have any tips, that would be great. Or if you can point out a good OpenVZ provider (not necessarily the one you are using) I can try to find time to figure out how to work around the lack of this standard device.

skeeve42 commented 9 years ago

I've done it multiple ways, but this git: https://github.com/Nyr/openvpn-install was a simple run and go setup that worked for me. Edis is a decent provider that has OpenVZ.

skeeve42 commented 9 years ago

OpenVPN forums iptables post: https://forums.openvpn.net/topic7722.html Here is the change I was thinking about.

#Apply forwarding for OpenVPN Tunneling
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
 iptables -A FORWARD -j REJECT
 iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256   #Use your OpenVPN server's real external IP here

compare to this part in \playbooks\roles\openvpn\vars\main.yml

openvpn_firewall_rules:
  - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
  - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
skeeve42 commented 9 years ago

I edited \playbooks\roles\openvpn\vars\main.yml as follows:

openvpn_firewall_rules:
  - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
  - iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source ip.of.my.vps
#  - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE

But unfortunately, it errored in the same location.

TASK: [openvpn | Restart OpenVPN so the 10.8.0.0 interface is available to dnsmasq] ***

So then I had the bright idea to run this script again https://github.com/Nyr/openvpn-install and it immediately told me that TUN/TAP wasn't enabled. Of course, it was enabled in my control panel, so I disabled, rebooted, reenabled it, and rebooted. When I ran the script again it didn't give the TUN/TAP error, so I ran streisand again. This time it made it past that task no problem but then it errored here:

TASK: [ssh | Register the server's SSH fingerprints] **************************
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE command ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14183
58780.0-252981324625432 && echo $HOME/.ansible/tmp/ansible-tmp-1418358780.0-252981324625432'
<ip.of.my.vps> PUT /tmp/tmpSXOB13 TO /root/.ansible/tmp/ansible-tmp-1418358780.0-252981324625432/command
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1418358780.0-252981324625432/command; rm
 -rf /root/.ansible/tmp/ansible-tmp-1418358780.0-252981324625432/ >/dev/null 2>&1'
failed: [ip.of.my.vps] => (item=ssh_host_ecdsa_key.pub) => {"changed": true,"cmd": ["ssh-keygen", "-lf", "/etc/ssh/ssh_host_ecdsa_key.pub"], "delta": "0:00:00.005188", "end": "2014-12-12 04:33:01.922006", "item": "ssh_host_ecdsa_key.pub", "rc": 1, "start": "2014-12-12 04:33:01.916818", "warnings": []}
stderr: /etc/ssh/ssh_host_ecdsa_key.pub: No such file or directory
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE command ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14183
58783.46-60112188458377 && echo $HOME/.ansible/tmp/ansible-tmp-1418358783.46-601
12188458377'
<ip.of.my.vps> PUT /tmp/tmpsq24iS TO /root/.ansible/tmp/ansible-tmp-141835878
3.46-60112188458377/command
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi
n/python /root/.ansible/tmp/ansible-tmp-1418358783.46-60112188458377/command; rm
 -rf /root/.ansible/tmp/ansible-tmp-1418358783.46-60112188458377/ >/dev/null 2>&1'
changed: [ip.of.my.vps] => (item=ssh_host_rsa_key.pub) => {"changed": true, "
cmd": ["ssh-keygen", "-lf", "/etc/ssh/ssh_host_rsa_key.pub"], "delta": "0:00:00.
004928", "end": "2014-12-12 04:33:05.814874", "item": "ssh_host_rsa_key.pub", "r
c": 0, "start": "2014-12-12 04:33:05.809946", "stderr": "", "stdout": "2048 62:d
f:4a:18:49:33:83:5f:d0:36:16:9a:88:be:32:f4  root@myvps (RSA)", "warnings": []}

FATAL: all hosts have already failed -- aborting

Much farther along than before!

skeeve42 commented 9 years ago

It keeps failing at the same place and now I can't log in via SSH...any thoughts?

TASK: [ssh | Register the server's SSH fingerprints] **************************
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE command ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_k
ey.pub
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14186
21474.66-210625995844751 && echo $HOME/.ansible/tmp/ansible-tmp-1418621474.66-21
0625995844751'
<ip.of.my.vps> PUT /tmp/tmpjzByC1 TO /root/.ansible/tmp/ansible-tmp-141862147
4.66-210625995844751/command
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi
n/python /root/.ansible/tmp/ansible-tmp-1418621474.66-210625995844751/command; r
m -rf /root/.ansible/tmp/ansible-tmp-1418621474.66-210625995844751/ >/dev/null 2
>&1'
failed: [ip.of.my.vps] => (item=ssh_host_ecdsa_key.pub) => {"changed": true,
"cmd": ["ssh-keygen", "-lf", "/etc/ssh/ssh_host_ecdsa_key.pub"], "delta": "0:00:
00.005189", "end": "2014-12-15 05:31:16.347682", "item": "ssh_host_ecdsa_key.pub
", "rc": 1, "start": "2014-12-15 05:31:16.342493", "warnings": []}
stderr: /etc/ssh/ssh_host_ecdsa_key.pub: No such file or directory
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE command ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
.pub
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14186
21477.72-54804006803683 && echo $HOME/.ansible/tmp/ansible-tmp-1418621477.72-548
04006803683'
<ip.of.my.vps> PUT /tmp/tmpISRMGE TO /root/.ansible/tmp/ansible-tmp-141862147
7.72-54804006803683/command
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi
n/python /root/.ansible/tmp/ansible-tmp-1418621477.72-54804006803683/command; rm
 -rf /root/.ansible/tmp/ansible-tmp-1418621477.72-54804006803683/ >/dev/null 2>&
1'
changed: [ip.of.my.vps] => (item=ssh_host_rsa_key.pub) => {"changed": true, "
cmd": ["ssh-keygen", "-lf", "/etc/ssh/ssh_host_rsa_key.pub"], "delta": "0:00:00.
004874", "end": "2014-12-15 05:31:19.468637", "item": "ssh_host_rsa_key.pub", "r
c": 0, "start": "2014-12-15 05:31:19.463763", "stderr": "", "stdout": "2048 62:d
f:4a:18:49:33:83:5f:d0:36:16:9a:88:be:32:f4  root@myvps (RSA)", "warning
s": []}

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/root/streisand.retry

ip.of.my.vps            : ok=89   changed=23   unreachable=0    failed=1

root@myvps:~/streisand#
skeeve42 commented 9 years ago

Since I didn't know what I was doing with ssh-keygen, it seems likely I did something beforehand to mess up this part...? I suppose I can try everything again on a clean install. :/

I realized I didn't have the line in ansible.cfg commented out, but now I've tried it both ways with the same hangup above.

# host_key_checking = False
skeeve42 commented 9 years ago

ssh_host_ecdsa_key.pub does not exist. There is a ssh_host_dsa_key.pub

Is streisand supposed to create the key at some point?

I decided to copy the files ssh_host_dsa_key and ssh_host_dsa_key.pub to ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub respectively to see if I could get it to continue and it worked. Then it stopped here:

TASK: [tor-bridge | Install the package to keep the Tor signing key current] ***

<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE apt name=deb.torproject.org-keyring
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14188
01306.12-134409834649498 && echo $HOME/.ansible/tmp/ansible-tmp-1418801306.12-13
4409834649498'
<ip.of.my.vps> PUT /tmp/tmpVyiZuM TO /root/.ansible/tmp/ansible-tmp-141880130
6.12-134409834649498/apt
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi
n/python /root/.ansible/tmp/ansible-tmp-1418801306.12-134409834649498/apt; rm -r
f /root/.ansible/tmp/ansible-tmp-1418801306.12-134409834649498/ >/dev/null 2>&1'
failed: [ip.of.my.vps] => {"failed": true}
stderr: E: There are problems and -y was used without --force-yes

stdout: Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  deb.torproject.org-keyring
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 5268 B of archives.
After this operation, 7168 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  deb.torproject.org-keyring

msg: 'apt-get install 'deb.torproject.org-keyring'' failed: E: There are problem
s and -y was used without --force-yes

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/root/streisand.retryr

ip.of.my.vps            : ok=100  changed=33   unreachable=0    failed=1

root@myvps:~/streisand#

So I manually ran apt-get install deb.torproject.org-keyring on the server and then ran streisand again and ran into a similar problem here:

TASK: [tor-bridge | Install obfsproxy and Tor] ********************************
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
<ip.of.my.vps> REMOTE_MODULE apt name=obfsproxy,tor
<ip.of.my.vps> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-14188
02165.63-221824011799936 && echo $HOME/.ansible/tmp/ansible-tmp-1418802165.63-22
1824011799936'
<ip.of.my.vps> PUT /tmp/tmpJ2Pg3L TO /root/.ansible/tmp/ansible-tmp-141880216
5.63-221824011799936/apt
<ip.of.my.vps> EXEC /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bi
n/python /root/.ansible/tmp/ansible-tmp-1418802165.63-221824011799936/apt; rm -r
f /root/.ansible/tmp/ansible-tmp-1418802165.63-221824011799936/ >/dev/null 2>&1'
failed: [ip.of.my.vps] => (item=obfsproxy,tor) => {"failed": true, "item": "o
bfsproxy,tor"}
stderr: E: There are problems and -y was used without --force-yes

stdout: Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  libevent-2.0-5 libyaml-0-2 python-crypto python-openssl python-pam
  python-pyasn1 python-pyptlib python-serial python-twisted python-twisted-bin
  python-twisted-conch python-twisted-core python-twisted-lore
  python-twisted-mail python-twisted-names python-twisted-news
  python-twisted-runner python-twisted-web python-twisted-words python-yaml
  python-zope.interface tor-geoipdb torsocks
Suggested packages:
  python-crypto-dbg python-crypto-doc python-openssl-doc python-openssl-dbg
  doc-base python-wxgtk2.8 python-wxgtk2.6 python-wxgtk python-twisted-bin-dbg
  python-tk python-gtk2 python-glade2 python-qt3 python-twisted-runner-dbg
  mixmaster xul-ext-torbutton socat tor-arm polipo privoxy apparmor-utils
The following NEW packages will be installed:
  libevent-2.0-5 libyaml-0-2 obfsproxy python-crypto python-openssl python-pam
  python-pyasn1 python-pyptlib python-serial python-twisted python-twisted-bin
  python-twisted-conch python-twisted-core python-twisted-lore
  python-twisted-mail python-twisted-names python-twisted-news
  python-twisted-runner python-twisted-web python-twisted-words python-yaml
  python-zope.interface tor tor-geoipdb torsocks
0 upgraded, 25 newly installed, 0 to remove and 1 not upgraded.
Need to get 6755 kB of archives.
After this operation, 24.9 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  tor python-pyptlib obfsproxy tor-geoipdb

msg: 'apt-get install 'obfsproxy' 'tor'' failed: E: There are problems and -y wa
s used without --force-yes

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/root/streisand.retry

ip.of.my.vps            : ok=101  changed=24   unreachable=0    failed=1

root@myvps:~/streisand#

I also manually installed nginx and maybe something else. Will update once it gets through the install again.

skeeve42 commented 9 years ago

Success! But...?

TASK: [streisand-gateway | Success!] ******************************************
<ip.of.my.vps> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO ip.of.my.vps
created 'pause' ActionModule: pause_type=prompt, duration_unit=minutes, calculat
ed_seconds=None, prompt=[ip.of.my.vps] Server setup is complete. The `cheesei
sgreat.html` instructions file in the generated-docs folder is ready to give to
friends, family members, and fellow activists. Press Enter to continue.:
[ip.of.my.vps]
Server setup is complete. The `myvps.html` instructions file in the gene
rated-docs folder is ready to give to friends, family members, and fellow activi
sts. Press Enter to continue.:

ok: [ip.of.my.vps] => {"changed": false, "delta": 2063, "rc": 0, "start": "20
14-12-17 10:39:18.007359", "stderr": "", "stdout": "Paused for 34.38 minutes", "
stop": "2014-12-17 11:13:41.033787", "user_input": ""}

TASK: [streisand-gateway | Attempt to open the instructions on Linux (if applica
ble). Errors in this task are ignored because the `xdg-open` command is not always available.] ***
fatal: [ip.of.my.vps] => error while evaluating conditional: hostvars['127.0.0.1']['ansible_system'] == "Linux"

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/root/streisand.retry

ip.of.my.vps            : ok=189  changed=70   unreachable=1    failed=0

root@myvps:~/streisand#

Looks like it's not a big deal? I'll be able to test it out later...

To recap:

jlund commented 9 years ago

I really appreciate your thorough documentation! It's extremely helpful, and I can't thank you enough. I'm going to sign up for an Edis account and do what I can to address all of the issues that you raised.

The last error is happening because you are not running Streisand on a desktop system where the browser window with the instructions can be opened automatically. The run did complete successfully though. Your experience has convinced me that it would be worthwhile to come up with some alternate playbooks to cover local runs (i.e. a server configuring itself) and headless remote runs (i.e. a server configuring another server). The original assumption was that people would only be running the playbooks from their desktop/laptop, and everything is based on that assumption including the final step that failed for you.

There's obviously some work to be done on making the setup more resilient to failure on nonstandard configurations and on providers who alter their images. Debian and Ubuntu both include Python by default in their distribution, but clearly some providers use images where it has been removed for unknown reasons. Your provider also seems to not generate an ECDSA SSH key even though this is also a default behavior for Debian and Ubuntu.

The final issue you brought up should be fixed now if you upgrade to Ansible 1.8.2. I figured that one out today.

skeeve42 commented 9 years ago

It really is no problem and I appreciate all the hard work you've put into this project! A local run would be awesome, especially if it worked on generic Debian 7 VPS's. The Debian 7 image on Edis is marked "minimal" which is likely to be the cause of the missing bits. Speaking of the instructions not opening automatically...my SSH connection closed abruptly and the window showing the instructions closed, leaving me in a bit of a lurch as to what to do--until I figured out that you already had a generated-docs folder with instructions. Nice!!

jlund commented 9 years ago

I accidentally replied to an old version of your comment :)

skeeve42 commented 9 years ago

Update: L2TP/IPSEC was installed on my Windows machine and phone without issue (though it was also blocked in less than 24 hours). OpenVPN SSL tunnel did not work properly on my Windows machine or Android. As I mentioned, I did not edit streisand on this install and it likely has the wrong iptables and I haven't had a chance to fix them, hopefully that's all that needs to be done. Shadowsocks has been working great on my android. I have not yet tried SSH or Tor.

skeeve42 commented 9 years ago

Shadowsocks has continued to work great on two android devices, but because of iOS limitations, it's pretty worthless on there for using anything besides the shadowsocks browser. I still haven't been able to get OpenVPN to work, which is really the best option for iOS and my windows machine. Where does streisand put iptables? Usually the ipv4 and ipv6 rules are in /etc/iptables but I don't see them there (in fact, there is no iptables folder). I suppose I could try wiping the machine and starting again from scratch with streisand properly edited...

pjrobertson commented 9 years ago

Just as an FYI, I came across this (or a similar problem) on two new Debian installs. Here's my error:

TASK: [ssh | Register the server's SSH fingerprints] ************************** 
failed: [xx.xx.xx.xx] => (item=ssh_host_ecdsa_key.pub) => {"changed": true, "cmd": ["ssh-keygen", "-lf", "/etc/ssh/ssh_host_ecdsa_key.pub"], "delta": "0:00:00.100678", "end": "2015-05-16 00:13:33.600625", "item": "ssh_host_ecdsa_key.pub", "rc": 1, "start": "2015-05-16 00:13:33.499947", "warnings": []}
stderr: /etc/ssh/ssh_host_ecdsa_key.pub: No such file or directory
changed: [xx.xx.xx.xx] => (item=ssh_host_rsa_key.pub)

FATAL: all hosts have already failed -- aborting

On one, running sudo apt-get upgrade worked, on the other I had to run this:

sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
jlund commented 9 years ago

Do you mind me asking which provider this was on?

pjrobertson commented 9 years ago

One was with https://bandwagonhost.com/ and the other https://www.weloveservers.net/

Funny thing is - I set up a streisand instance on bandwagonhost just fine about 2 months ago. The only thing that happened on both servers was that I had internet dropouts/SSH timeouts whilst both were setting up (I'm in China). Perhaps that could be a part of it?

skeeve42 commented 9 years ago

I never went back in to try to fix this since Shadowsocks worked so well for all my devices. I'd really like to be able to use OpenVPN though. @jlund , I am willing to give you access to one of my VPSs for a bit if you'd like to do some testing/troubleshooting. Side question @pjrobertson , how were the speeds using those servers in China? The price is certainly right.

pjrobertson commented 9 years ago

It's very dependent on the GFW itself. I can get anything from 0.5Mbps-3.5Mbps. It's tcp over tcp, so not ideal of course, but it's stable. I've had trouble getting shadowsocks to work on my Mac, and it's annoying that each app needs to be set up to use the proxy. Hence why I prefer OpenVPN+stunnel

EDIT: Managed to get shadowsocks working. It's no faster at the moment. (Those speeds are for the US west coast servers, the UK servers are much slower)

nickkilla commented 9 years ago

@skeeve42 OpenVPN is a targeted protocol by the GFW. Rarely will it work.

pjrobertson commented 9 years ago

I'm using OpenVPN with stunnel. Works perfectly. Just to clarify - those speeds are for both OpenVPN+stunnel and shadowsocks

skeeve42 commented 9 years ago

@nickkilla It's true that regular OpenVPN has been targeted, but it still works great when obfuscated. @pjrobertson Shadowsocks was updated so that you can use a QRcode to set it up on every device, making it a little easier. Those speeds aren't too bad--thanks for the heads up.

nickkilla commented 9 years ago

@skeeve42 Hmm haven't tried it obfuscated yet, might look into that. Happy shadowsocks user here.

honglio commented 9 years ago

I get the same error when runing streisand install process on vps1 and hosting the remote server on vps2. I fix the error by running ssh-keygen on vps1, and then copying the resulting id_rsa.pub file from vps1 to /root/.ssh/authorized_keys on vps2. Thanks @skeeve42 @jlund

skeeve42 commented 9 years ago

I had to do this again (see my Dec 17, 2014 comment) on a fresh install on bandwagonhosts:

ssh_host_ecdsa_key.pub does not exist. There is a ssh_host_dsa_key.pub

Is streisand supposed to create the key at some point?

I decided to copy the files ssh_host_dsa_key and ssh_host_dsa_key.pub to ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub respectively to see if I could get it to continue and it worked.

Rob-Johnson commented 9 years ago

+1 I found I had to create ssh_host_ecdsa_key.pub

cpu commented 7 years ago

This thread has covered a few separate issues and it sufficiently old as to be unactionable. I'm going to close it and I encourage anyone still having problems to open fresh issues following the issue template. Thanks!