trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.66k stars 2.31k forks

wireguard folder isn't created #1090

Closed heyitswither closed 6 years ago

heyitswither commented 6 years ago

OS / Environment (where do you run Algo on)

Linux vps190354 4.16.0-2-amd64 #1 SMP Debian 4.16.16-1 (2018-06-19) x86_64 GNU/Linux

Cloud Provider (where do you deploy Algo to)

Hosted on OVH, but I specified "local" when setting up algo

Summary of the problem

The wireguard folder in config/localhost/ isn't created.

Steps to reproduce the behavior

  1. Follow the steps listed in the README.

Full log

PLAY [Ask user for the input] **************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Vultr
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
8

TASK [pause] *******************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
y

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
y

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
y

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:

TASK [pause] *******************************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:

TASK [pause] *******************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ********************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************************************************************
ok: [localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] ***********************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[localhost]
:
139.99.107.55

TASK [local : pause] ***********************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] *********************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************************************************************
changed: [localhost]

TASK [debug] *******************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "139.99.107.55"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ****************************************************************
ok: [localhost]

PLAY [Configure the server and install required software] **********************************************************************

TASK [common : Check the system] ***********************************************************************************************
changed: [localhost]

TASK [common : include_tasks] **************************************************************************************************
included: /home/tucker/algo/roles/common/tasks/ubuntu.yml for localhost
ok: [localhost] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] *********************************************************************************

TASK [common : Ubuntu | Configure defaults] ************************************************************************************
ok: [localhost]

TASK [common : Gather facts] ***************************************************************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] ************************************************************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] **********************************************************************************
ok: [localhost]

TASK [common : Periodic upgrades configured] ***********************************************************************************
ok: [localhost]
ok: [localhost] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
ok: [localhost] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] *********************************************************************************

TASK [common : Loopback for services configured] *******************************************************************************
ok: [localhost]
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] ***************************************************************************

TASK [common : Check apparmor support] *****************************************************************************************
changed: [localhost]

TASK [common : set_fact] *******************************************************************************************************
ok: [localhost]

TASK [common : set_fact] *******************************************************************************************************
ok: [localhost]
ok: [localhost] => (item=git)
ok: [localhost] => (item=screen)
ok: [localhost] => (item=apparmor-utils)
ok: [localhost] => (item=uuid-runtime)
ok: [localhost] => (item=coreutils)
ok: [localhost] => (item=iptables-persistent)
ok: [localhost] => (item=cgroup-tools)
ok: [localhost] => (item=openssl,linux-headers-4.16.0-2-amd64)

TASK [common : Install tools] **************************************************************************************************

TASK [common : Generate password for the CA key] *******************************************************************************
changed: [localhost -> localhost]

TASK [common : Generate p12 export password] ***********************************************************************************
changed: [localhost -> localhost]

TASK [common : Define facts] ***************************************************************************************************
ok: [localhost]

TASK [common : set_fact] *******************************************************************************************************
ok: [localhost]
ok: [localhost] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] **************************************************************************************************

TASK [dns_adblocking : Dnsmasq installed] **************************************************************************************
ok: [localhost]

TASK [dns_adblocking : The dnsmasq directory created] **************************************************************************
ok: [localhost]

TASK [dns_adblocking : include_tasks] ******************************************************************************************
included: /home/tucker/algo/roles/dns_adblocking/tasks/ubuntu.yml for localhost

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *******************************************************
ok: [localhost]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***********************************************************
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***********************************************
ok: [localhost]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *********************************************
ok: [localhost]

TASK [dns_adblocking : Dnsmasq configured] *************************************************************************************
ok: [localhost]

TASK [dns_adblocking : Adblock script created] *********************************************************************************
ok: [localhost]

TASK [dns_adblocking : Adblock script added to cron] ***************************************************************************
ok: [localhost]

TASK [dns_adblocking : Update adblock hosts] ***********************************************************************************
changed: [localhost]

TASK [dns_adblocking : Dnsmasq enabled and started] ****************************************************************************
ok: [localhost]

TASK [dns_encryption : Include tasks for Ubuntu] *******************************************************************************
included: /home/tucker/algo/roles/dns_encryption/tasks/ubuntu.yml for localhost

TASK [dns_encryption : Add the repository] *************************************************************************************
ok: [localhost]

TASK [dns_encryption : Install dnscrypt-proxy] *********************************************************************************
ok: [localhost]

TASK [dns_encryption : Configure unattended-upgrades] **************************************************************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *******************************************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ****************************************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ****************************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ****************************************************************
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *****************************************************************
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy configured] ******************************************************************************
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy enabled and started] *********************************************************************
ok: [localhost]

TASK [vpn : Ensure that the strongswan group exist] ****************************************************************************
ok: [localhost]

TASK [vpn : Ensure that the strongswan user exist] *****************************************************************************
ok: [localhost]

TASK [vpn : include_tasks] *****************************************************************************************************
included: /home/tucker/algo/roles/vpn/tasks/ubuntu.yml for localhost

TASK [vpn : set_fact] **********************************************************************************************************
ok: [localhost]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************************************************************
ok: [localhost]
changed: [localhost] => (item=/usr/lib/ipsec/charon)
changed: [localhost] => (item=/usr/lib/ipsec/lookip)
changed: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************************************************************
ok: [localhost] => (item=apparmor)
ok: [localhost] => (item=strongswan)
ok: [localhost] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Enable services] ******************************************************************************************

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******************************************************
ok: [localhost]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********************************************************
ok: [localhost]

TASK [vpn : include_tasks] *****************************************************************************************************
included: /home/tucker/algo/roles/vpn/tasks/iptables.yml for localhost
ok: [localhost] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************************************************************

TASK [vpn : Install strongSwan] ************************************************************************************************
ok: [localhost]
ok: [localhost] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Setup the config files from our templates] *************************************************************************

TASK [vpn : Get loaded plugins] ************************************************************************************************
changed: [localhost]
ok: [localhost] => (item=aesni)
ok: [localhost] => (item=connmark)
ok: [localhost] => (item=rc2)
ok: [localhost] => (item=counters)
ok: [localhost] => (item=attr)
ok: [localhost] => (item=xcbc)
ok: [localhost] => (item=gmp)
ok: [localhost] => (item=dnskey)
ok: [localhost] => (item=pkcs1)
ok: [localhost] => (item=sha1)
ok: [localhost] => (item=agent)
ok: [localhost] => (item=bypass-lan)
ok: [localhost] => (item=constraints)
ok: [localhost] => (item=sshkey)
ok: [localhost] => (item=updown)
ok: [localhost] => (item=resolve)
ok: [localhost] => (item=md5)
ok: [localhost] => (item=mgf1)
ok: [localhost] => (item=fips-prf)
ok: [localhost] => (item=revocation)
ok: [localhost] => (item=kernel-netlink)
ok: [localhost] => (item=pubkey)
ok: [localhost] => (item=random)
ok: [localhost] => (item=socket-default)
ok: [localhost] => (item=aes)
ok: [localhost] => (item=hmac)
ok: [localhost] => (item=openssl)
ok: [localhost] => (item=x509)
ok: [localhost] => (item=pkcs12)
ok: [localhost] => (item=nonce)
ok: [localhost] => (item=gcm)
ok: [localhost] => (item=sha2)
ok: [localhost] => (item=pkcs7)
ok: [localhost] => (item=pgp)
ok: [localhost] => (item=stroke)
ok: [localhost] => (item=pkcs8)
ok: [localhost] => (item=pem)

TASK [vpn : Set subjectAltName as a fact] **************************************************************************************
ok: [localhost -> localhost]
ok: [localhost -> localhost] => (item=ecparams)
ok: [localhost -> localhost] => (item=certs)
ok: [localhost -> localhost] => (item=crl)
ok: [localhost -> localhost] => (item=newcerts)
ok: [localhost -> localhost] => (item=private)
ok: [localhost -> localhost] => (item=reqs)

TASK [vpn : Ensure the pki directories exist] **********************************************************************************
changed: [localhost -> localhost] => (item=.rnd)
changed: [localhost -> localhost] => (item=private/.rnd)
changed: [localhost -> localhost] => (item=index.txt)
changed: [localhost -> localhost] => (item=index.txt.attr)
changed: [localhost -> localhost] => (item=serial)

TASK [vpn : Ensure the files exist] ********************************************************************************************

TASK [vpn : Generate the openssl server configs] *******************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Build the CA pair] *************************************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Generate the serial number] ****************************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Build the server pair] *********************************************************************************************
ok: [localhost -> localhost]
ok: [localhost -> localhost] => (item=tucker)
ok: [localhost -> localhost] => (item=public)

TASK [vpn : Build the client's pair] *******************************************************************************************
changed: [localhost -> localhost] => (item=tucker)
changed: [localhost -> localhost] => (item=public)

TASK [vpn : Build the client's p12] ********************************************************************************************
changed: [localhost -> localhost] => (item=tucker)
changed: [localhost -> localhost] => (item=public)

TASK [vpn : Copy the p12 certificates] *****************************************************************************************

TASK [vpn : Get active users] **************************************************************************************************
changed: [localhost -> localhost]
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/139.99.107.55/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/certs/139.99.107.55.crt', u'src': u'configs/139.99.107.55/pki/certs/139.99.107.55.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/private/139.99.107.55.key', u'src': u'configs/139.99.107.55/pki/private/139.99.107.55.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Copy the keys to the strongswan directory] *************************************************************************
changed: [localhost -> localhost] => (item=tucker)
changed: [localhost -> localhost] => (item=public)

TASK [vpn : Register p12 PayloadContent] ***************************************************************************************

TASK [vpn : Set facts for mobileconfigs] ***************************************************************************************
ok: [localhost -> localhost]
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)

TASK [vpn : Build the mobileconfigs] *******************************************************************************************
changed: [localhost -> localhost] => (item=tucker)
changed: [localhost -> localhost] => (item=public)

TASK [vpn : Build the client ipsec config file] ********************************************************************************
changed: [localhost -> localhost] => (item=tucker)
changed: [localhost -> localhost] => (item=public)

TASK [vpn : Build the client ipsec secret file] ********************************************************************************
changed: [localhost -> localhost] => (item=configs/139.99.107.55)

TASK [vpn : Restrict permissions for the local private directories] ************************************************************

TASK [vpn : strongSwan started] ************************************************************************************************
changed: [localhost]

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************************************************************
changed: [localhost]

RUNNING HANDLER [vpn : restart strongswan] *************************************************************************************
changed: [localhost]

TASK [Delete the CA key] *******************************************************************************************************
ok: [localhost -> localhost]

TASK [Dump the configuration] **************************************************************************************************
changed: [localhost -> localhost]

TASK [Create a symlink if deploying to localhost] ******************************************************************************
ok: [localhost]

TASK [debug] *******************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#               Local DNS resolver 172.16.0.1              #\"",
            ""
        ],
        "    \"#                The p12 and SSH keys password for new users is ********             #\"\n",
        "    ",
        "    "
    ]
}

PLAY RECAP *********************************************************************************************************************
localhost                  : ok=108  changed=24   unreachable=0    failed=0

davidemyers commented 6 years ago
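When a configs/ subdirectory is missing after a run like the one above, a quick way to narrow it down is to check which Algo roles actually emitted tasks: in the pasted log every TASK header belongs to common, dns_adblocking, dns_encryption or vpn, and none carries a `wireguard :` prefix, even though the PLAY RECAP reports failed=0. The Python below is an added example, not Algo's own code, that pulls role names out of Ansible TASK/RUNNING HANDLER headers and parses the PLAY RECAP counters. SAMPLE_LOG is a constructed excerpt in the same shape as the issue's output, and EXPECTED_ROLES is an assumed list for illustration, not Algo's real role inventory.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines shaped like the Ansible output in the issue.
# Note that no task header carries a "wireguard :" role prefix.
SAMPLE_LOG = """\
TASK [Gathering Facts] *****
ok: [localhost]

TASK [common : Install tools] *****
ok: [localhost]

TASK [dns_adblocking : Dnsmasq configured] *****
ok: [localhost]

TASK [dns_encryption : Install dnscrypt-proxy] *****
ok: [localhost]

TASK [vpn : Build the client's pair] *****
changed: [localhost -> localhost] => (item=tucker)

RUNNING HANDLER [vpn : restart strongswan] *****
changed: [localhost]

PLAY RECAP *****
localhost                  : ok=108  changed=24   unreachable=0    failed=0
"""

# Assumed set of roles we expect to see in a deployment (illustrative only).
EXPECTED_ROLES = ("common", "vpn", "wireguard")

# "TASK [role : name] ***" or "TASK [name] ***"; handlers use the same shape.
TASK_RE = re.compile(
    r"^(?:TASK|RUNNING HANDLER) \[(?:(?P<role>[\w-]+) : )?(?P<name>[^\]]+)\]"
)
# PLAY RECAP host line: "localhost : ok=108 changed=24 unreachable=0 failed=0"
RECAP_RE = re.compile(r"^(?P<host>\S+)\s+:\s+(?P<counts>(?:\w+=\d+\s*)+)$")


def roles_seen(log: str) -> Dict[str, List[str]]:
    """Map each role to the task names it ran; playbook-level tasks go under ''."""
    roles: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = TASK_RE.match(line)
        if m:
            roles.setdefault(m.group("role") or "", []).append(m.group("name").strip())
    return roles


def recap_counts(log: str) -> Dict[str, Dict[str, int]]:
    """Parse the PLAY RECAP block into {host: {"ok": n, "changed": n, ...}}."""
    counts: Dict[str, Dict[str, int]] = {}
    in_recap = False
    for line in log.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if not in_recap:
            continue
        m = RECAP_RE.match(line)
        if m:
            pairs = (p.split("=") for p in m.group("counts").split())
            counts[m.group("host")] = {k: int(v) for k, v in pairs}
    return counts


def missing_roles(log: str, expected=EXPECTED_ROLES) -> List[str]:
    """Roles from `expected` that never produced a single task header."""
    return sorted(set(expected) - set(roles_seen(log)))


def diagnose(log: str, expected=EXPECTED_ROLES) -> List[str]:
    """Findings a reader would want: silent roles, plus any recap failures."""
    findings = [f"role '{r}' produced no tasks in this run" for r in missing_roles(log, expected)]
    for host, c in recap_counts(log).items():
        if c.get("failed", 0) or c.get("unreachable", 0):
            findings.append(
                f"{host}: failed={c.get('failed', 0)} unreachable={c.get('unreachable', 0)}"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Running it on the full log from the issue gives the same single finding as on the excerpt: the recap is clean, but the wireguard role never ran, so nothing would have created the wireguard directory under configs/. That distinguishes "the role ran and failed to write files" from "the role was never scheduled", which is the first question to settle before looking at file permissions or templates.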

Try installing on Ubuntu 18.04.

heyitswither commented 6 years ago

@davidemyers not an option for me

jackivanov commented 6 years ago

fixed already here.

heyitswither commented 6 years ago

@jackivanov already had that commit, and I didn't have an issue with the localhost symlink, it was with the Wireshark folder.

jackivanov commented 6 years ago

Are you deploying to Debian? We don't support it.