Closed ghost closed 1 year ago
I have made it through the last step of running the playbook but failed (forgot to screenshot). But after I tried it again from where I started, I got "ERROR! input is already encrypted" in the "Encrypting the variables" section. What should I do to fix this?
Now it says "client_loop: send disconnect: Connection reset". This always pops up no matter how many times I've tried. And I have to wait 10min to reconnect to the server because it seems that the IP is locked when I enter the "new vault password."
It's hard to see what exactly went wrong, since you don't have the exact error message.
In general, if something went wrong while running the playbook, you need to execute the playbook itself, not the `bootstrap.sh`:
```
cd ~/ansible-easy-vpn
ansible-playbook run.yml
```
However, since you mentioned the 'new vault password', you've probably already started from scratch.
The `client_loop: send disconnect: Connection reset` looks like a connectivity issue between your host and the VPS. There's no IP banning functionality included with the script, so I don't think it's related to the playbook.
So I used the command to execute the playbook again. However, after I entered the vault password, it gave another warning:
```
[WARNING]: While constructing a mapping from /root/ansible-easy-vpn/custom.yml, line 1, column 1, found a duplicate dict key (username). Using last defined value only.
[WARNING]: While constructing a mapping from /root/ansible-easy-vpn/custom.yml, line 1, column 1, found a duplicate dict key (root_host). Using last defined value only.
[WARNING]: While constructing a mapping from /root/ansible-easy-vpn/custom.yml, line 1, column 1, found a duplicate dict key (dns_nameservers). Using last defined value only.
[WARNING]: While constructing a mapping from /root/ansible-easy-vpn/custom.yml, line 1, column 1, found a duplicate dict key (enable_ssh_keygen). Using last defined value only.
[WARNING]: There was a vault format error in /root/ansible-easy-vpn/secret.yml: Vault format unhexlify error: Non-hexadecimal digit found
```
> [WARNING]: While constructing a mapping from /root/ansible-easy-vpn/custom.yml, line 1, column 1, found a duplicate dict key (username). Using last defined value only.

That's because you've re-run the script multiple times without removing `custom.yml` first. Ultimately it's harmless though.

> [WARNING]: There was a vault format error in /root/ansible-easy-vpn/secret.yml: Vault format unhexlify error: Non-hexadecimal digit found

That looks like you've edited the Vault file directly with a text editor, instead of using `ansible-vault edit`.
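As an added example (not code from the ansible-easy-vpn project), a small POSIX shell pre-flight check that detects both leftovers discussed above: duplicated top-level keys in `custom.yml`, and a `secret.yml` that is either already encrypted (so a second encrypt fails with "input is already encrypted") or has a non-hex byte in its body (the "unhexlify" error). It assumes only the two file names from the thread and the `$ANSIBLE_VAULT;1.x;AES256` header that ansible-vault writes; the sample files it creates are constructed.

```sh
#!/bin/sh
# Pre-flight check for the files ansible-easy-vpn keeps between runs.
# Added example, not part of the project; assumes only the file names
# custom.yml / secret.yml and the header format that ansible-vault writes.

# Top-level keys that occur more than once. Ansible warns
# "found a duplicate dict key" and keeps the last value, which is what
# happens when bootstrap.sh appends to an existing custom.yml.
duplicate_keys() {
    grep -oE '^[A-Za-z0-9_]+:' "$1" | sort | uniq -d | tr -d ':'
}

# Classify a vault file:
#   plaintext  no vault header, safe to encrypt
#   encrypted  header plus hex-only body, use `ansible-vault edit`;
#              encrypting it again gives "input is already encrypted"
#   corrupt    header present but a non-hex byte in the body, i.e. the
#              "unhexlify error: Non-hexadecimal digit found" case
vault_state() {
    case "$(head -n 1 "$1")" in
        '$ANSIBLE_VAULT;1.'*';AES256'*) ;;
        *) echo plaintext; return ;;
    esac
    if tail -n +2 "$1" | tr -d '\n\r ' | grep -qE '^[0-9a-f]+$'; then
        echo encrypted
    else
        echo corrupt
    fi
}

# Constructed samples that reproduce the thread's situation (not real data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/custom.yml" <<'EOF'
username: dainianx
root_host: vpn.example.com
dns_nameservers: 1.1.1.1
username: dainianx
EOF
printf '$ANSIBLE_VAULT;1.1;AES256\n3132333435363738\n' > "$SAMPLE_DIR/secret_ok.yml"
printf '$ANSIBLE_VAULT;1.1;AES256\n31323334zz363738\n' > "$SAMPLE_DIR/secret_bad.yml"
printf 'user_password: hunter2\n' > "$SAMPLE_DIR/secret_plain.yml"

# Human-readable report: $1 is custom.yml, $2 is secret.yml.
report() {
    dups=$(duplicate_keys "$1")
    [ -n "$dups" ] && echo "$1: duplicate keys: $dups (delete the file before re-running bootstrap.sh)"
    echo "$2: $(vault_state "$2")"
}

report "$SAMPLE_DIR/custom.yml" "$SAMPLE_DIR/secret_bad.yml"
```

Run it against the real `~/ansible-easy-vpn/custom.yml` and `secret.yml` before re-running `bootstrap.sh`; "corrupt" means the vault file was hand-edited and has to be deleted and regenerated.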
Thanks for your explanation. But how can I re-run the playbook from scratch without any mistakes? I am pretty much a newbie to computers.
The easiest would be to remove both `custom.yml` and `secret.yml` files inside the `ansible-easy-vpn` folder and re-run `bootstrap.sh`.
I followed what you said and reran the playbook. All the tasks passed except the last one. What should I do?
```
TASK [system : Allow sudo group to have passwordless sudo] *****
fatal: [localhost]: FAILED! => changed=false
  msg: Destination /etc/sudoers does not exist !
  rc: 257

PLAY RECAP *****
localhost : ok=9 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```
What distribution are you running this on?
Command Prompt for Windows 10
What is the Linux distribution installed on your VPS?
```
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
Try to do the following:
```
apt install -y sudo
cd $HOME/ansible-easy-vpn
ansible-playbook run.yml
```
Thanks! It seems that it works. But the running process froze again. Guess I have to wait patiently for it to move.
By "running process" do you mean the `client_loop: send disconnect: Connection reset` issue? This is either an issue with your OS, internet connection or the VPS.
YES!!! It does work. Thank you for your time and patience. Hope you have a good day.
Emm... But why does it show this after I type the command?
The command:
```
scp -P 22 root@199.180.255.186:/tmp/id_ssh_ed25519 ~/.ssh/id_vpn_dainianx
```
The problem:
```
root@199.180.255.186's password:
~/.ssh/id_vpn_dainianx: No such file or directory
```
I am now able to log in to WireGuard. Because I got stuck at this step, I closed the Command Prompt window. Now I cannot generate the QR code and thus register the device. What should I do now to set up two-factor authentication?
You should still be able to log into the server with the `root` account and copy the key.
As for the `No such file or directory` error, read the Windows part in the FAQ: https://github.com/notthebee/ansible-easy-vpn/blob/main/FAQ.md#q-when-i-try-to-copy-the-ssh-key-to-my-windows-machine-i-get-an-error
No, I can't log into the server right now. No idea what's wrong. All the tasks passed or changed. Below is what happens after I enter the vault password.
```
TASK [Gathering Facts] ***** ok: [localhost]
TASK [set_fact] **** ok: [localhost]
TASK [system : Configure the system] *** included: /root/ansible-easy-vpn/roles/system/tasks/essential.yml for localhost
TASK [system : Generate the locale] **** ok: [localhost]
TASK [system : Update and upgrade apt packages] **** ok: [localhost]
TASK [system : Install unattended upgrades package] **** ok: [localhost]
TASK [system : Copy unattended-upgrades configuration files in place] ** ok: [localhost] => (item=10periodic) ok: [localhost] => (item=50unattended-upgrades)
TASK [system : Configure the user account] ***** included: /root/ansible-easy-vpn/roles/system/tasks/user.yml for localhost
TASK [system : Ensure group sudo exists] *** ok: [localhost]
TASK [system : Allow sudo group to have passwordless sudo] ***** ok: [localhost]
TASK [system : Create a login user] **** changed: [localhost]
TASK [system : Ensure group "dainianx" exists] ***** ok: [localhost]
TASK [system : Chmod the user home directory] ** changed: [localhost]
TASK [system : Check if the Ansible playbook is copied to the new user directory] ** ok: [localhost]
TASK [system : Copy the Ansible playbook to the new user] ** skipping: [localhost]
TASK [docker : Set amd64 arch] ***** ok: [localhost]
TASK [docker : Set arm64 arch] ***** skipping: [localhost]
TASK [docker : Include OS-specific variables] ** ok: [localhost]
TASK [docker : Install required system packages] *** ok: [localhost]
TASK [docker : Add Docker GPG apt Key] ***** ok: [localhost]
TASK [docker : Add Docker Repository] ** ok: [localhost]
TASK [docker : Attempt installation] *** ok: [localhost]
TASK [docker : Ensure group docker exists] ***** ok: [localhost]
TASK [docker : Add user "dainianx" to group docker] **** ok: [localhost]
TASK [docker : Install Docker Module for Python] *** ok: [localhost]
TASK [docker : Make sure Docker is running and enabled] **** ok: [localhost]
TASK [docker : Create the wg network] ** ok: [localhost]
TASK [fail2ban : Install fail2ban] ***** ok: [localhost]
TASK [fail2ban : Disable e-mail notifications on jail stop and start] ** ok: [localhost]
TASK [fail2ban : Install the jail.local file] ** ok: [localhost]
TASK [fail2ban : Make sure the fail2ban systemd service is enabled and started] **** ok: [localhost]
TASK [ufw : Install UFW] *** ok: [localhost]
TASK [ufw : Enable UFW logging] **** ok: [localhost]
TASK [ufw : Reset all rules] *** changed: [localhost]
TASK [ufw : Allow the defined ports] *** changed: [localhost] => (item={'port': '51820', 'proto': 'udp'}) changed: [localhost] => (item={'port': '80', 'proto': 'tcp'}) changed: [localhost] => (item={'port': '443', 'proto': 'tcp'}) changed: [localhost] => (item={'port': 22, 'proto': 'tcp'})
TASK [ufw : Deny everything else and enable UFW] *** changed: [localhost]
TASK [dns : Create the adguard-unbound-doh config folders] ***** skipping: [localhost] => (item=adguard-unbound-doh) skipping: [localhost] => (item=adguard-unbound-doh/adguard) skipping: [localhost] => (item=adguard-unbound-doh/build) skipping: [localhost] => (item=adguard-unbound-doh/dnscrypt-proxy) skipping: [localhost] => (item=adguard-unbound-doh/adguard/work) skipping: [localhost] => (item=adguard-unbound-doh/adguard/conf) skipping: [localhost]
TASK [dns : Copy the docker folder to /opt/docker] ***** skipping: [localhost]
TASK [dns : Template the adguard-unbound Dockerfile] *** skipping: [localhost]
TASK [dns : Build the adguard-unbound Docker image] **** skipping: [localhost]
TASK [dns : Copy Adguard config] *** skipping: [localhost]
TASK [dns : Template the dnscrypt-proxy config] **** skipping: [localhost]
TASK [dns : Make sure the adguard-unbound-doh container is created and running] **** skipping: [localhost]
TASK [authelia : Create the config folder] ***** changed: [localhost]
TASK [authelia : Copy the main config] ***** changed: [localhost]
TASK [authelia : Copy the users database] ** changed: [localhost]
TASK [authelia : Make sure the Redis container is created and running] ***** ok: [localhost]
TASK [authelia : Make sure the Authelia container is created and running] ** ok: [localhost]
TASK [authelia : Add a 2FA alias to .bashrc] *** ok: [localhost]
TASK [bunkerweb : Create the folders] ** ok: [localhost]
TASK [bunkerweb : Copy the env file] *** ok: [localhost]
TASK [bunkerweb : Make sure the Bunkerweb container is created and running] **** ok: [localhost]
TASK [wireguard : Set the DNS facts] *** ok: [localhost]
TASK [wireguard : Make sure the Wireguard container is created and running] **** ok: [localhost]
TASK [chriswayg.msmtp-mailer : Update apt cache.] ** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Remove other MTAs.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Install msmtp and mailx on Debian.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Install msmtp and s-nail on Archlinux.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Install msmtp and mailx on Alpine.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Overwrite busybox sendmail link to point to mSMTP.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Copy mstprc conf file.] ***** skipping: [localhost]
TASK [chriswayg.msmtp-mailer : Copy aliases conf file.] **** skipping: [localhost]
TASK [ssh : Check if there's authorized_keys] ** ok: [localhost]
TASK [ssh : Install cryptography and PyOpenSSL] **** ok: [localhost]
TASK [ssh : Create the SSH directory] ** changed: [localhost]
TASK [ssh : Generate an SSH key pair] ** skipping: [localhost]
TASK [ssh : Install the public key] **** skipping: [localhost]
TASK [ssh : Install the existing public key] *** skipping: [localhost]
TASK [ssh : Copy the existing public key to a new user (AWS)] ** skipping: [localhost]
TASK [ssh : Update SSH configuration to be more secure] **** ok: [localhost] => (item={'regexp': '^#?PasswordAuthentication', 'line': 'PasswordAuthentication no'}) ok: [localhost] => (item={'regexp': '^#?PermitRootLogin', 'line': 'PermitRootLogin no'}) ok: [localhost] => (item={'regexp': '^#?Port', 'line': 'Port 22'}) ok: [localhost] => (item={'regexp': '^#?PermitEmptyPasswords', 'line': 'PermitEmptyPasswords no'}) ok: [localhost] => (item={'regexp': '^#?X11Forwarding', 'line': 'X11Forwarding no'})
TASK [ssh : Get public IP] ***** skipping: [localhost]
TASK [ssh : Restart sshd] ** skipping: [localhost]
TASK [ssh : Schedule a reboot if required] ***** skipping: [localhost]
TASK [ssh : Specify the action after user input] *** skipping: [localhost]
TASK [ssh : Specify the action after user input] *** skipping: [localhost]
TASK [ssh : Display user instructions] ***** skipping: [localhost]
TASK [ssh : Display user instructions] ***** skipping: [localhost]
TASK [ssh : Display user instructions] ***** skipping: [localhost]
TASK [ssh : Reboot the system if updates are pending] ** skipping: [localhost]
RUNNING HANDLER [Restart authelia] ***** changed: [localhost]
PLAY RECAP ***** localhost : ok=50 changed=10 unreachable=0 failed=0 skipped=30 rescued=0 ignored=0
root@box:~#
```
Yes, I meant SSH, not WebUI.
The "6 steps" thing only shows on the first run. They're basically as follows:
1. Open new terminal
   ```
   scp -P 22 root@199.180.255.186:/tmp/id_ssh_ed25519 .ssh/id_vpn_dainianx
   ```
2. Test the connection
   ```
   ssh -p 22 -i .ssh/id_vpn_dainianx dainianx@199.180.255.186
   ```
   Make sure the prompt says `Enter passphrase for key` and not `Enter password for user`

The rest is the same as the video. Type `show_2fa` and follow the link.
```
C:\Users\hs>scp -P 22 root@199.180.255.186:/tmp/id_ssh_ed25519 .ssh/id_vpn_dainianx
root@199.180.255.186's password:
id_ssh_ed25519                                100%  443     2.4KB/s   00:00

C:\Users\hs>ssh -p 22 -i .ssh/id_vpn_dainianx dainianx@199.180.255.186
Enter passphrase for key '.ssh/id_vpn_dainianx':
dainianx@199.180.255.186's password:
Linux box 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan  8 10:41:57 2023 from 120.239.243.159
dainianx@box:~$ show_2fa
dainianx@box:~$
```
This is what I got after entering the two commands. No link generated.
At a loss why there is no link generated after `show_2fa`.
You need to login at auth.domain.com first and request the 2FA token, as mentioned in the video
> Bad Gateway 502 The request was not completed. The server received an invalid response from the upstream server.

Can't open the webpage. I have tried what the FAQ said but nothing helped.
Hard to say why it's 502ing without having the logs:
```
docker logs authelia
```
There are so many lines that it exceeds the maximum I can put in a reply. Should I post all of them?
```
Failure running the storage provider startup check: the encryption key is not valid against the schema check value
```
This means that you've re-run the playbook from scratch without removing the Authelia configuration files first. I think it would be the easiest for you to erase the VPS and start from scratch. There should be an option in your VPS' WebUI to 'Reprovision' or 'Reinstall'.
It doesn't have that option. Instead, I reloaded the OS. But when I try to connect to the VPS via ssh, the following error pops up:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:XKHS5JTcpmX2Y/2STSBHoBoBz12bUg/QKvrdaR8K5pY.
Please contact your system administrator.
Add correct host key in C:\Users\hs/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\Users\hs/.ssh/known_hosts:2
ECDSA host key for 199.180.255.186 has changed and you have requested strict checking.
Host key verification failed.
```
This error is not related to the playbook.
Yep, wg.your-domain.com
OMG!!! After two days' struggle, I finally managed to set up my own VPN. Now I can watch your videos on my phone in China lol.
Glad it worked out at the end :) I will close the issue now