trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

wireguard error generating Public Keys #14281

Closed aidanthehorrible closed 3 years ago

aidanthehorrible commented 3 years ago

Describe the bug

When I did ./algo, it gets to "TASK [wireguard : Generate public keys]" but then gives me this error:

TASK [wireguard : Generate public keys] *** fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/192.168.1.159/wireguard//.pki//private/phone"} included: /home/ubuntu/algo/playbooks/rescue.yml for localhost

I have already attempted to do the steps in the troubleshooting guide such as doing:

sudo rm -rf /etc/wireguard/
rm -rf configs/

My version of Ubuntu Server is 21.04 (arm64).

To Reproduce

Steps to reproduce the behavior:

  1. Clone and configure Algo VPN
  2. Run ./algo

Expected behavior

The script completes.

Additional context

Add any other context about the problem here.

Full log

[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] **

TASK [Gathering Facts] **** ok: [localhost]

TASK [Playbook dir stat] ** ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ** ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

TASK [Ensure the requirements installed] ** ok: [localhost]

TASK [Set required ansible version as a fact] ***** ok: [localhost] => (item=ansible==2.9.20)

TASK [Verify Python meets Algo VPN requirements] ** ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

TASK [Verify Ansible meets Algo VPN requirements] ***** ok: [localhost] => { "changed": false, "msg": "All assertions passed" } [WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *****

TASK [Gathering Facts] **** ok: [localhost] [Cloud prompt] What provider would you like to use?

  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Hetzner Cloud
  7. Vultr
  8. Scaleway
  9. OpenStack (DreamCompute optimised)
  10. CloudStack (Exoscale optimised)
  11. Linode
  12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider :

TASK [Cloud prompt] *** ok: [localhost]

TASK [Set facts based on the input] *** ok: [localhost] [Cellular On Demand prompt] Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks? [y/N] :

TASK [Cellular On Demand prompt] ** ok: [localhost] [Wi-Fi On Demand prompt] Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N] :

TASK [Wi-Fi On Demand prompt] ***** ok: [localhost] [Retain the PKI prompt] Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) [y/N] :

TASK [Retain the PKI prompt] ** ok: [localhost] [DNS adblocking prompt] Do you want to enable DNS ad blocking on this VPN server? [y/N] :

TASK [DNS adblocking prompt] ** ok: [localhost] [SSH tunneling prompt] Do you want each user to have their own account for SSH tunneling? [y/N] :

TASK [SSH tunneling prompt] *** ok: [localhost]

TASK [Set facts based on the input] *** ok: [localhost]

PLAY [Provision the server] ***

TASK [Gathering Facts] **** ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 21.04 Created from git fork. Last commit: 1c6702d azure regions (#14277) Python 3.9.5 Runtime variables: algo_provider "local" algo_ondemand_cellular "False" algo_ondemand_wifi "False" algo_ondemand_wifi_exclude "X251bGw=" algo_dns_adblocking "False" algo_ssh_tunneling "False" wireguard_enabled "True" dns_encryption "True"

TASK [Display the invocation environment] ***** changed: [localhost]

TASK [Install the requirements] *** ok: [localhost] [local : pause] Enter the IP address of your server: (or use localhost for local installation): [localhost] :

TASK [local : pause] ** ok: [localhost]

TASK [local : Set the facts] ** ok: [localhost] [local : pause] Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [localhost] :

TASK [local : pause] ** ok: [localhost]

TASK [local : Set the facts] ** ok: [localhost]

TASK [Set subjectAltName as a fact] *** ok: [localhost]

TASK [Add the server to an inventory group] *** changed: [localhost]

TASK [Linux | set OS specific facts] ** ok: [localhost]

TASK [Set config paths as facts] ** ok: [localhost]

TASK [Update config paths] **** changed: [localhost]

TASK [debug] ** ok: [localhost] => { "IP_subject_alt_name": "192.168.1.159" } [WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] ** ok: [localhost] => (item=localhost)

PLAY [Configure the server and install required software] *****

TASK [common : Check the system] ** ok: [localhost] included: /home/ubuntu/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] ** ok: [localhost]

TASK [common : Install unattended-upgrades] *** ok: [localhost]

TASK [common : Configure unattended-upgrades] ***** ok: [localhost]

TASK [common : Periodic upgrades configured] ** ok: [localhost]

TASK [common : Disable MOTD on login and SSHD] **** ok: [localhost] => (item={'regexp': '^session.optional.pam_motd.so.', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'}) ok: [localhost] => (item={'regexp': '^session.optional.pam_motd.so.', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] ***** ok: [localhost]

TASK [common : Loopback for services configured] ** ok: [localhost]

TASK [common : systemd services enabled and started] ** ok: [localhost] => (item=systemd-networkd) ok: [localhost] => (item=systemd-resolved)

TASK [common : Check apparmor support] **** ok: [localhost]

TASK [common : Set fact if apparmor enabled] ** ok: [localhost]

TASK [common : Define facts] ** ok: [localhost]

TASK [common : Set facts] ***** ok: [localhost]

TASK [common : Set IPv6 support as a fact] **** ok: [localhost]

TASK [common : Check size of MTU] ***** ok: [localhost]

TASK [common : Set OS specific facts] ***** ok: [localhost]

TASK [common : Install tools] ***** ok: [localhost] included: /home/ubuntu/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] *** ok: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Sysctl tuning] ***** ok: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1}) ok: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1}) included: /home/ubuntu/algo/roles/dns/tasks/ubuntu.yml for localhost

TASK [Install dnscrypt-proxy] ***** ok: [localhost]

TASK [Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ** ok: [localhost]

TASK [Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **** ok: [localhost]

TASK [Ubuntu | Ensure that the dnscrypt-proxy service directory exist] **** ok: [localhost]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] ** ok: [localhost]

TASK [dnscrypt-proxy ip-blacklist configured] ***** ok: [localhost]

TASK [dnscrypt-proxy configured] ** ok: [localhost] [WARNING]: flush_handlers task does not support when conditional

TASK [dnscrypt-proxy enabled and started] ***** ok: [localhost]

TASK [wireguard : Ensure the required directories exist] ** changed: [localhost] => (item=configs/192.168.1.159/wireguard//.pki//preshared) changed: [localhost] => (item=configs/192.168.1.159/wireguard//.pki//private) changed: [localhost] => (item=configs/192.168.1.159/wireguard//.pki//public) changed: [localhost] => (item=configs/192.168.1.159/wireguard//apple/ios) changed: [localhost] => (item=configs/192.168.1.159/wireguard//apple/macos) included: /home/ubuntu/algo/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard installed] **** ok: [localhost]

TASK [wireguard : Set OS specific facts] ** ok: [localhost]

TASK [wireguard : Generate private keys] ** ok: [localhost] => (item=phone) ok: [localhost] => (item=laptop) ok: [localhost] => (item=desktop) ok: [localhost] => (item=192.168.1.159)

TASK [wireguard : Generate preshared keys] **** ok: [localhost] => (item=phone) ok: [localhost] => (item=laptop) ok: [localhost] => (item=desktop) ok: [localhost] => (item=192.168.1.159) [WARNING]: Unable to find 'configs/192.168.1.159/wireguard//.pki//private/phone' in expected paths (use -vvvvv to see paths)

TASK [wireguard : Generate public keys] *** fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/192.168.1.159/wireguard//.pki//private/phone"} included: /home/ubuntu/algo/playbooks/rescue.yml for localhost

TASK [debug] ** ok: [localhost] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }

TASK [Fail the installation] ** fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP **** localhost : ok=68 changed=4 unreachable=0 failed=1 skipped=35 rescued=1 ignored=0

davidemyers commented 3 years ago

Are you sure both configs and /etc/wireguard were empty when you ran the command that produced the output you posted above? From the output it looks like there were files left over from a previous run in /etc/wireguard.

Also note that Algo is not tested against Ubuntu Server 21.04, but it should still work.

aidanthehorrible commented 3 years ago

It probably ended up being the configs and /etc/wireguard/. I installed Ubuntu Server 20.04.3 and it ended up working first try. Thanks!

AlexeySalmin commented 1 year ago

If an empty /etc/wireguard is a prerequisite, then it would be better to check it as such early in the setup process, rather than to explain this over and over in documentation and GitHub issues.
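The early check suggested above, as an added example that is not part of the thread and not Algo's own code: a POSIX shell preflight that refuses to continue while either /etc/wireguard or configs/ (the two locations the troubleshooting steps clear) still holds files. Both paths are parameters so the check can be pointed at the real directories or at scratch directories.

```shell
#!/bin/sh
# Added example: preflight check for leftover WireGuard state before ./algo.
# Assumes the troubleshooting layout from the thread: server-side state in
# /etc/wireguard and generated client/server material under configs/
# (e.g. configs/<ip>/wireguard/.pki/private, the path the failed lookup named).

# count_entries DIR: print the number of entries (files and dirs) below DIR,
# or 0 if DIR does not exist.
count_entries() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -mindepth 1 | wc -l | tr -d ' '
}

# algo_preflight ETC_WG_DIR CONFIGS_DIR: return 0 when both directories are
# absent or empty, 1 otherwise, naming each leftover entry on stderr.
# Leftovers are what let "Generate private keys" report ok (nothing to do)
# while the later file lookup in configs/ failed in the log above.
algo_preflight() {
    etc_dir="$1"
    configs_dir="$2"
    status=0
    for d in "$etc_dir" "$configs_dir"; do
        n=$(count_entries "$d")
        if [ "$n" -ne 0 ]; then
            echo "preflight: $d is not empty ($n entries); clear it before ./algo:" >&2
            find "$d" -mindepth 1 | sed 's/^/    /' >&2
            status=1
        fi
    done
    return $status
}

# Usage on a real host (run as root so /etc/wireguard is readable):
#   algo_preflight /etc/wireguard configs && ./algo
```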