trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Successful deployment, cannot browse internet (except google.com domains), can ping only #1066

Closed samkelleher closed 6 years ago

samkelleher commented 6 years ago

OS / Environment

Darwin myusername.local 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64

Cloud Provider

Digital Ocean

Summary of the problem

No internet connectivity, can ping hosts, just cannot browse to them using a browser. Only google.com domains load normally. Totally unsure how to debug or resolve. Fresh brand new deployment using algo-master.

Steps to reproduce the behavior

  1. Follow the setup steps as normal.

Full log

```
What provider would you like to use?
  1. DigitalOcean
  2. Amazon EC2
  3. Microsoft Azure
  4. Google Compute Engine
  5. Scaleway
  6. OpenStack (DreamCompute optimised)
  7. Install to existing Ubuntu 16.04 server (Advanced)
Enter the number of your desired provider : 1
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): [pasted values will not be displayed] :
Name the vpn server: [algo.local]: homehunt.local
What region should the server be located in?
  1. Amsterdam (Datacenter 2)
  2. Amsterdam (Datacenter 3)
  3. Frankfurt
  4. London
  5. New York (Datacenter 1)
  6. New York (Datacenter 2)
  7. New York (Datacenter 3)
  8. San Francisco (Datacenter 1)
  9. San Francisco (Datacenter 2)
  10. Singapore
  11. Toronto
  12. Bangalore
Enter the number of your desired region: [7]: 4
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks? [y/N]: y
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi? [y/N]: y
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) :
Do you want to install a DNS resolver on this VPN server, to block ads while surfing? [y/N]: n
Do you want each user to have their own account for SSH tunneling? [y/N]: n
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N]: n
Do you want to retain the CA key? (required to add users in the future, but less secure) [y/N]: n

PLAY [Configure the server] ******************************

TASK [Gathering Facts] ******************************
ok: [localhost]

TASK [Local pre-tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/local.yml for localhost

TASK [Generate the SSH private key] ******************************
ok: [localhost]

TASK [Generate the SSH public key] ******************************
ok: [localhost]

TASK [Change mode for the SSH private key] ******************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ******************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************
changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] ******************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ******************************
changed: [localhost]

TASK [cloud-digitalocean : Get droplets] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] ******************************
changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'homehunt.local', u'backup_ids': [], u'created_at': u'2018-08-22T01:05:10Z', u'snapshot_ids': [], u'size_slug': u's-1vcpu-1gb', u'id': 106921314, u'next_backup_window': None, u'vcpus': 1, u'features': [u'ipv6'], u'image': {u'min_disk_size': 20, u'name': u'18.04 x64', u'created_at': u'2018-08-14T20:03:35Z', u'slug': u'ubuntu-18-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'public': True, u'distribution': u'Ubuntu', u'type': u'snapshot', u'id': 37208325, u'size_gigabytes': 0.34}, u'memory': 1024, u'region': {u'available': True, u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage', u'image_transfer'], u'slug': u'lon1', u'name': u'London 1', u'sizes': [u'32gb', u'16gb', u'2gb', u'1gb', u'4gb', u'8gb', u'512mb', u'64gb', u'48gb', u'c-16', u's-1vcpu-3gb', u'c-32', u'c-2', u'c-4', u'c-8', u'm-1vcpu-8gb', u'm-16gb', u'm-32gb', u'm-64gb', u'm-128gb', u'm-224gb', u's-1vcpu-1gb', u's-1vcpu-2gb', u's-2vcpu-2gb', u's-3vcpu-1gb', u's-2vcpu-4gb', u's-4vcpu-8gb', u's-6vcpu-16gb', u's-8vcpu-32gb', u's-12vcpu-48gb', u's-16vcpu-64gb', u's-20vcpu-96gb', u's-24vcpu-128gb', u's-32vcpu-192gb']}, u'disk': 25, u'networks': {u'v4': [{u'ip_address': u'ip.address', u'netmask': u'255.255.192.0', u'type': u'public', u'gateway': u'178.62.0.1'}], u'v6': [{u'ip_address': u'2A03:B0C0:0001:00D0:0000:0000:00B6:E001', u'netmask': 64, u'type': u'public', u'gateway': u'2A03:B0C0:0001:00D0:0000:0000:0000:0001'}]}, u'tags': [u'Environment:Algo'], u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 1024, u'disk': 25, u'slug': u's-1vcpu-1gb'}})

TASK [cloud-digitalocean : Delete the new Algo SSH key] ******************************
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).
ok: [localhost]

TASK [Local post-tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/post.yml for localhost

TASK [Wait until SSH becomes ready...] ******************************
ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] ******************************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

TASK [include_tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] ******************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ******************************
ok: [localhost]

PLAY [Configure the server and install required software] ******************************

TASK [Common pre-tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/common.yml for ip.address

TASK [Check the system] ******************************
changed: [ip.address]

TASK [Ubuntu pre-tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/ubuntu.yml for ip.address

TASK [Ubuntu | Install prerequisites] ******************************
changed: [ip.address] => (item=sleep 10)
changed: [ip.address] => (item=apt-get update -qq)
changed: [ip.address] => (item=apt-get install -qq -y python2.7 sudo)

TASK [Ubuntu | Configure defaults] ******************************
changed: [ip.address]

TASK [FreeBSD pre-tasks] ******************************
skipping: [ip.address]

TASK [include_tasks] ******************************
included: /Users/sam/Repositories/algo/playbooks/facts/main.yml for ip.address

TASK [Gather Facts] ******************************
ok: [ip.address]

TASK [Ensure the algo ssh key exist on the server] ******************************
ok: [ip.address]

TASK [Check if IPv6 configured] ******************************
ok: [ip.address]

TASK [Set facts if the deployment in a cloud] ******************************
ok: [ip.address]

TASK [Generate password for the CA key] ******************************
changed: [ip.address -> localhost]

TASK [Generate p12 export password] ******************************
changed: [ip.address -> localhost]

TASK [Define password facts] ******************************
ok: [ip.address]

TASK [Define the commonName] ******************************
ok: [ip.address]

TASK [common : Install tools] ******************************

TASK [common : Sysctl tuning] ******************************

TASK [common : Install tools] ******************************

TASK [common : Sysctl tuning] ******************************

TASK [common : Install tools] ******************************

TASK [common : Sysctl tuning] ******************************

TASK [common : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/common/tasks/ubuntu.yml for ip.address

TASK [common : Install software updates] ******************************
changed: [ip.address]

TASK [common : Upgrade the ca certificates] ******************************
ok: [ip.address]

TASK [common : Check if reboot is required] ******************************
changed: [ip.address]

TASK [common : Reboot] ******************************
changed: [ip.address]

TASK [common : Wait until SSH becomes ready...] ******************************
ok: [ip.address -> localhost]

TASK [common : Include unatteded upgrades configuration] ******************************
included: /Users/sam/Repositories/algo/roles/common/tasks/unattended-upgrades.yml for ip.address

TASK [common : Install unattended-upgrades] ******************************
ok: [ip.address]

TASK [common : Configure unattended-upgrades] ******************************
changed: [ip.address]

TASK [common : Periodic upgrades configured] ******************************
changed: [ip.address]

TASK [common : Disable MOTD on login and SSHD] ******************************
changed: [ip.address] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [ip.address] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] ******************************
changed: [ip.address]

TASK [common : systemd services enabled and started] ******************************
ok: [ip.address] => (item=systemd-networkd)
ok: [ip.address] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ******************************
changed: [ip.address]

TASK [common : Check apparmor support] ******************************
changed: [ip.address]

TASK [common : set_fact] ******************************
ok: [ip.address]

TASK [common : set_fact] ******************************
ok: [ip.address]

TASK [common : include_tasks] ******************************
skipping: [ip.address]

TASK [common : Install tools] ******************************
ok: [ip.address] => (item=git)
ok: [ip.address] => (item=screen)
changed: [ip.address] => (item=apparmor-utils)
ok: [ip.address] => (item=uuid-runtime)
ok: [ip.address] => (item=coreutils)
changed: [ip.address] => (item=iptables-persistent)
changed: [ip.address] => (item=cgroup-tools)
ok: [ip.address] => (item=openssl,linux-headers-4.15.0-30-generic)

TASK [common : Sysctl tuning] ******************************
changed: [ip.address] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [ip.address] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [ip.address] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [wireguard : WireGuard repository configured] ******************************
changed: [ip.address]

TASK [wireguard : WireGuard installed] ******************************
changed: [ip.address]

TASK [wireguard : Configure unattended-upgrades] ******************************
changed: [ip.address]

TASK [wireguard : Ensure the required directories exist] ******************************
changed: [ip.address -> localhost] => (item=private)
changed: [ip.address -> localhost] => (item=public)

TASK [wireguard : Delete the lock files] ******************************
skipping: [ip.address] => (item=sam)
skipping: [ip.address] => (item=ip.address)

TASK [wireguard : Generate private keys] ******************************
changed: [ip.address] => (item=sam)
changed: [ip.address] => (item=ip.address)
 [WARNING]: As of Ansible 2.4, the parameter 'executable' is no longer supported with the 'command' module. Not using 'bash'.

TASK [wireguard : Save private keys] ******************************
changed: [ip.address] => (item=None)
changed: [ip.address] => (item=None)

TASK [wireguard : Touch the lock file] ******************************
changed: [ip.address] => (item=sam)
changed: [ip.address] => (item=ip.address)

TASK [wireguard : Generate public keys] ******************************
ok: [ip.address] => (item=sam)
ok: [ip.address] => (item=ip.address)

TASK [wireguard : Save public keys] ******************************
changed: [ip.address] => (item=None)
changed: [ip.address] => (item=None)

TASK [wireguard : WireGuard configured] ******************************
changed: [ip.address]

TASK [wireguard : WireGuard reload-module-on-update] ******************************
changed: [ip.address]

TASK [wireguard : WireGuard users config generated] ******************************
changed: [ip.address -> localhost] => (item=(0, u'sam'))

TASK [wireguard : WireGuard enabled and started] ******************************
changed: [ip.address]

RUNNING HANDLER [wireguard : restart wireguard] ******************************
changed: [ip.address]

TASK [dns_encryption : Include tasks for Ubuntu] ******************************
skipping: [ip.address]

TASK [dns_encryption : Include tasks for FreeBSD] ******************************
skipping: [ip.address]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] ******************************
skipping: [ip.address]

TASK [dns_encryption : dnscrypt-proxy configured] ******************************
skipping: [ip.address]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ******************************
skipping: [ip.address]

TASK [vpn : Ensure that the strongswan group exist] ******************************
changed: [ip.address]

TASK [vpn : Ensure that the strongswan user exist] ******************************
changed: [ip.address]

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/ubuntu.yml for ip.address

TASK [vpn : set_fact] ******************************
ok: [ip.address]

TASK [vpn : Ubuntu | Install strongSwan] ******************************
changed: [ip.address]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ******************************
changed: [ip.address] => (item=/usr/lib/ipsec/charon)
changed: [ip.address] => (item=/usr/lib/ipsec/lookip)
changed: [ip.address] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ******************************
ok: [ip.address] => (item=apparmor)
ok: [ip.address] => (item=strongswan)
ok: [ip.address] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] ******************************
changed: [ip.address]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ******************************
changed: [ip.address]

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/iptables.yml for ip.address

TASK [vpn : Iptables configured] ******************************
changed: [ip.address] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ******************************
changed: [ip.address] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] ******************************
skipping: [ip.address]

TASK [vpn : Install strongSwan] ******************************
ok: [ip.address]

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/ipsec_configuration.yml for ip.address

TASK [vpn : Setup the config files from our templates] ******************************
changed: [ip.address] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [ip.address] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [ip.address] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ******************************
changed: [ip.address]

TASK [vpn : Disable unneeded plugins] ******************************
skipping: [ip.address] => (item=hmac)
skipping: [ip.address] => (item=pubkey)
changed: [ip.address] => (item=rc2)
changed: [ip.address] => (item=aesni)
changed: [ip.address] => (item=xauth-generic)
skipping: [ip.address] => (item=pem)
changed: [ip.address] => (item=resolve)
changed: [ip.address] => (item=connmark)
skipping: [ip.address] => (item=pkcs7)
changed: [ip.address] => (item=eap-mschapv2)
skipping: [ip.address] => (item=random)
skipping: [ip.address] => (item=stroke)
skipping: [ip.address] => (item=pkcs12)
skipping: [ip.address] => (item=kernel-netlink)
skipping: [ip.address] => (item=sha2)
skipping: [ip.address] => (item=aes)
skipping: [ip.address] => (item=x509)
changed: [ip.address] => (item=sha1)
skipping: [ip.address] => (item=gcm)
changed: [ip.address] => (item=agent)
skipping: [ip.address] => (item=openssl)
changed: [ip.address] => (item=md4)
skipping: [ip.address] => (item=revocation)
skipping: [ip.address] => (item=pgp)
changed: [ip.address] => (item=bypass-lan)
changed: [ip.address] => (item=mgf1)
changed: [ip.address] => (item=fips-prf)
skipping: [ip.address] => (item=socket-default)
changed: [ip.address] => (item=attr)
changed: [ip.address] => (item=constraints)
changed: [ip.address] => (item=pkcs1)
changed: [ip.address] => (item=updown)
changed: [ip.address] => (item=md5)
skipping: [ip.address] => (item=nonce)
changed: [ip.address] => (item=dnskey)
changed: [ip.address] => (item=sshkey)
changed: [ip.address] => (item=xcbc)
skipping: [ip.address] => (item=pkcs8)
changed: [ip.address] => (item=counters)
changed: [ip.address] => (item=gmp)

TASK [vpn : Ensure that required plugins are enabled] ******************************
changed: [ip.address] => (item=hmac)
changed: [ip.address] => (item=pubkey)
skipping: [ip.address] => (item=rc2)
skipping: [ip.address] => (item=aesni)
skipping: [ip.address] => (item=xauth-generic)
changed: [ip.address] => (item=pem)
skipping: [ip.address] => (item=resolve)
skipping: [ip.address] => (item=connmark)
changed: [ip.address] => (item=pkcs7)
skipping: [ip.address] => (item=eap-mschapv2)
changed: [ip.address] => (item=random)
changed: [ip.address] => (item=stroke)
changed: [ip.address] => (item=pkcs12)
changed: [ip.address] => (item=kernel-netlink)
changed: [ip.address] => (item=sha2)
changed: [ip.address] => (item=aes)
changed: [ip.address] => (item=x509)
skipping: [ip.address] => (item=sha1)
changed: [ip.address] => (item=gcm)
skipping: [ip.address] => (item=agent)
changed: [ip.address] => (item=openssl)
skipping: [ip.address] => (item=md4)
changed: [ip.address] => (item=revocation)
changed: [ip.address] => (item=pgp)
skipping: [ip.address] => (item=bypass-lan)
skipping: [ip.address] => (item=mgf1)
skipping: [ip.address] => (item=fips-prf)
changed: [ip.address] => (item=socket-default)
skipping: [ip.address] => (item=attr)
skipping: [ip.address] => (item=constraints)
skipping: [ip.address] => (item=pkcs1)
skipping: [ip.address] => (item=updown)
skipping: [ip.address] => (item=md5)
changed: [ip.address] => (item=nonce)
skipping: [ip.address] => (item=dnskey)
skipping: [ip.address] => (item=sshkey)
skipping: [ip.address] => (item=xcbc)
changed: [ip.address] => (item=pkcs8)
skipping: [ip.address] => (item=counters)
skipping: [ip.address] => (item=gmp)

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/openssl.yml for ip.address

TASK [vpn : Set subjectAltName as a fact] ******************************
ok: [ip.address -> localhost]

TASK [vpn : Ensure the pki directory does not exist] ******************************
skipping: [ip.address]

TASK [vpn : Ensure the pki directories exist] ******************************
changed: [ip.address -> localhost] => (item=ecparams)
changed: [ip.address -> localhost] => (item=certs)
changed: [ip.address -> localhost] => (item=crl)
changed: [ip.address -> localhost] => (item=newcerts)
changed: [ip.address -> localhost] => (item=private)
changed: [ip.address -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] ******************************
changed: [ip.address -> localhost] => (item=.rnd)
changed: [ip.address -> localhost] => (item=private/.rnd)
changed: [ip.address -> localhost] => (item=index.txt)
changed: [ip.address -> localhost] => (item=index.txt.attr)
changed: [ip.address -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Build the CA pair] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Copy the CA certificate] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Generate the serial number] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Build the server pair] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Build the client's pair] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Build the client's p12] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Copy the p12 certificates] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Get active users] ******************************
changed: [ip.address -> localhost]

TASK [vpn : Revoke non-existing users] ******************************
skipping: [ip.address] => (item=sam)

TASK [vpn : Genereate new CRL file] ******************************
skipping: [ip.address]

TASK [vpn : Copy the CRL to the vpn server] ******************************
skipping: [ip.address]

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/distribute_keys.yml for ip.address

TASK [vpn : Copy the keys to the strongswan directory] ******************************
changed: [ip.address] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/ip.address/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [ip.address] => (item={u'dest': u'/etc/ipsec.d/certs/ip.address.crt', u'src': u'configs/ip.address/pki/certs/ip.address.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [ip.address] => (item={u'dest': u'/etc/ipsec.d/private/ip.address.key', u'src': u'configs/ip.address/pki/private/ip.address.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : include_tasks] ******************************
included: /Users/sam/Repositories/algo/roles/vpn/tasks/client_configs.yml for ip.address

TASK [vpn : Register p12 PayloadContent] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Set facts for mobileconfigs] ******************************
ok: [ip.address -> localhost]

TASK [vpn : Build the mobileconfigs] ******************************
changed: [ip.address] => (item=None)

TASK [vpn : Build the client ipsec config file] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Build the client ipsec secret file] ******************************
changed: [ip.address -> localhost] => (item=sam)

TASK [vpn : Create the windows check file] ******************************
skipping: [ip.address]

TASK [vpn : Check if the windows check file exists] ******************************
ok: [ip.address -> localhost]

TASK [vpn : Build the windows client powershell script] ******************************
skipping: [ip.address] => (item=[u'sam', {'_ansible_parsed': True, 'stderr_lines': [], u'cmd': u'cat private/sam.p12 | base64', u'end': u'2018-08-22 02:11:08.269788', '_ansible_no_log': False, '_ansible_delegated_vars': {'ansible_delegated_host': u'localhost', 'ansible_host': u'localhost'}, '_ansible_item_result': True, u'changed': True, u'stdout': u'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', 'item': u'sam', u'delta': u'0:00:00.017878', u'stderr': u'', u'rc': 0, u'invocation': {u'module_args': {u'warn': True, u'executable': None, u'chdir': u'configs/ip.address/pki/', u'_raw_params': u'cat private/sam.p12 | base64', u'removes': None, u'creates': None, u'_uses_shell': True, u'stdin': None}}, 'stdout_lines': [u'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'], u'start': u'2018-08-22 02:11:08.251910', '_ansible_ignore_errors': None, 'failed': False}])

TASK [vpn : Restrict permissions for the local private directories] ******************************
changed: [ip.address -> localhost] => (item=configs/ip.address)

RUNNING HANDLER [dns_adblocking : restart apparmor] ******************************
changed: [ip.address]

RUNNING HANDLER [vpn : restart strongswan] ******************************
changed: [ip.address]

RUNNING HANDLER [vpn : daemon-reload] ******************************
changed: [ip.address]

RUNNING HANDLER [vpn : restart iptables] ******************************
changed: [ip.address]

TASK [vpn : strongSwan started] ******************************
ok: [ip.address]

TASK [debug] ******************************
ok: [ip.address] => {
    "msg": [
        [
            "\"# Congratulations! #\"",
            "\"# Your Algo server is running. #\"",
            "\"# Config files and certificates are in the ./configs/ directory. #\"",
            "\"# Go to https://whoer.net/ after connecting #\"",
            "\"# and ensure that all your traffic passes through the VPN.
```
#\"", "\"# Local DNS resolver 172.16.0.1 #\"", "" ], " \"# The p12 and SSH keys password for new users is removed #\"\n", " ", " \"# Shell access: ssh -i configs/algo.pem root@ip.address #\"\n" ] } TASK [Delete the CA key] ************************************************************************************************************************ changed: [ip.address -> localhost] PLAY RECAP ************************************************************************************************************************************** ip.address : ok=95 changed=63 unreachable=0 failed=0 localhost : ok=23 changed=5 unreachable=0 failed=0 ```
TC1977 commented 6 years ago

If you can ping hosts then you have internet connectivity. 😄 Nowadays the usual cause of this is a DNS problem. SSH into the server and try `systemctl status dnscrypt-proxy` and see what you get.

samkelleher commented 6 years ago
```
root@homehunt:~# systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt-proxy client
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dnscrypt-proxy.service.d
           └─99-capabilities.conf
   Active: active (running) since Wed 2018-08-22 03:07:31 UTC; 19min ago
     Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
 Main PID: 3414 (dnscrypt-proxy)
    Tasks: 7 (limit: 1152)
   CGroup: /system.slice/dnscrypt-proxy.service
           └─3414 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: dnscrypt-proxy 2.0.16
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Loading the set of IP blocking rules from [ip-blacklist.txt]
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Now listening to 172.16.0.1:5353 [UDP]
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Now listening to 172.16.0.1:5353 [TCP]
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.2.1:53
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: [cloudflare] OK (DoH) - rtt: 3ms
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: [cloudflare-ipv6] OK (DoH) - rtt: 8ms
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: Server with the lowest initial latency: cloudflare (rtt: 3ms)
Aug 22 03:07:31 homehunt dnscrypt-proxy[3414]: dnscrypt-proxy is ready - live servers: 2
```

dnscrypt-proxy seems to be okay. On a client, I try the ping and curl commands:

```
$ ping whoer.net
PING whoer.net (104.25.39.26): 56 data bytes
64 bytes from 104.25.39.26: icmp_seq=0 ttl=60 time=9.201 ms
64 bytes from 104.25.39.26: icmp_seq=1 ttl=60 time=10.632 ms
64 bytes from 104.25.39.26: icmp_seq=2 ttl=60 time=34.610 ms
^C
--- whoer.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.201/18.148/34.610/11.655 ms
$ curl https://whoer.net
```

The ping works, but the curl just times out. I'm puzzled as to what the issue is.

davidemyers commented 6 years ago

Perhaps your Internet connection uses a smaller MTU than usual. Uncomment the `max_mss` option in `config.cfg` and deploy a new Droplet. The suggested value of 1316 is not necessarily optimal for your situation though.

samkelleher commented 6 years ago

Thanks @davidemyers - I uncommented the suggested `max_mss` value at 1316 and everything appears to be working normally.

My Internet connection is 'The Cloud' a 'free' WiFi service deployed by Sky. Quite nasty.
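The symptom in this thread (small pings pass, TCP and TLS hang) is the classic path-MTU black hole that MSS clamping works around. The following Python diagnostic is an added example, not code from the Algo project: it binary-searches the largest packet that crosses the path with the Don't-Fragment bit set and derives an MSS for an ESP-in-UDP tunnel. The ping flags, the 64-byte overhead constant and the hostname are assumptions, and the iptables rule shows the generic clamping mechanism behind `max_mss`, not Algo's own template.

```python
"""Diagnose a path-MTU black hole (ping passes, TCP/TLS hangs) and derive
an MSS clamp for an IPsec tunnel. Added example; not Algo project code."""
import platform
import subprocess
from typing import Callable, Optional

IPV4_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20
# Assumed per-packet cost of ESP-in-UDP (outer IPv4 + UDP + ESP header,
# IV, padding and ICV for AES-GCM); an estimate, not a project figure.
IPSEC_UDP_OVERHEAD = 64
Probe = Callable[[str, int], bool]

def ping_df(host: str, payload: int) -> bool:
    """Send one ICMP echo of `payload` bytes with Don't-Fragment set.
    Flags assumed for macOS/BSD ping and Linux iputils respectively."""
    if platform.system() == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(host: str, probe: Probe = ping_df,
                  lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary-search the largest IPv4 packet size in [lo, hi] that
    traverses the path unfragmented; None if even `lo` is blocked."""
    size_to_payload = lambda s: s - IPV4_HDR - ICMP_HDR
    if not probe(host, size_to_payload(lo)):
        return None
    if probe(host, size_to_payload(hi)):
        return hi
    while hi - lo > 1:          # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, size_to_payload(mid)):
            lo = mid
        else:
            hi = mid
    return lo

def mss_for_tunnel(path_mtu: int, overhead: int = IPSEC_UDP_OVERHEAD) -> int:
    """Largest TCP segment that still fits in one tunnelled packet."""
    return path_mtu - overhead - IPV4_HDR - TCP_HDR

def clamp_rule(mss: int) -> str:
    """Generic iptables MSS-clamping rule (the mechanism behind max_mss)."""
    return f"iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}"

if __name__ == "__main__":
    mtu = find_path_mtu("whoer.net")  # hostname taken from the thread above
    print("path MTU:", mtu, "->", clamp_rule(mss_for_tunnel(mtu)) if mtu else "blocked")
```

Run it from the VPN client while connected; if the reported MSS is below the value you clamped to, lower `max_mss` accordingly.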