trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Algo installer hangs when deploying an Amazon Lightsail instance #14386

Closed burntfalafel closed 2 years ago

burntfalafel commented 2 years ago

The algo installer just hangs after creating the new instance in Amazon Lightsail (this is confirmed). I'm stuck at this point for hours: "TASK [common : Gather facts] ***** ok: [..*.**]". If I want to ssh into the instance (`ssh -i configs/algo.pem ubuntu@.**.***`), I get a long waiting time before getting this error:

ssh: connect to host *.***.**.** port 22: Connection timed out

To confirm, the key provided works with any instance I create with the same Lightsail account.

It won't resolve after I followed the troubleshooting guide and removed all cloud firewalls.

Steps to reproduce the behavior:

  1. Set up account in Amazon LightSail.
  2. On your local PC install algo and dependencies.
  3. Run ./algo
  4. Follow steps according to the instructions provided. You should see it getting stuck at step TASK [common : Gather facts]

Expected behavior

Algo set up with no issue.

Additional context

I very similarly had created an algo instance on a different computer using a different Amazon Lightsail account a month back - it worked flawlessly. I am not sure what is happening as of now.

Full log


PLAY [localhost] *******************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ***********************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in
breaking change in future.

TASK [Ensure the requirements installed] *******************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **************************************************************************
ok: [localhost] => (item=ansible-core==2.12.1)

TASK [Verify Python meets Algo VPN requirements] ***********************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] **********************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] ******************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:
2^M
TASK [Cloud prompt] ****************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
algoo^M
TASK [VPN server name prompt] ******************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
^M
TASK [Cellular On Demand prompt] ***************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
^M
TASK [Wi-Fi On Demand prompt] ******************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
^M
TASK [Retain the PKI prompt] *******************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
^M
TASK [DNS adblocking prompt] *******************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
y^M
TASK [SSH tunneling prompt] ********************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]

PLAY [Provision the server] ********************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Arch Linux
Created from git clone. Last commit: 7203f33 Bump ansible-core from 2.11.3 to 2.12.1 (#14375)
Python 3.9.9
Runtime variables:
    algo_provider "lightsail"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "True"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ******************************************************************************
changed: [localhost]

TASK [Install the requirements] ****************************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *************************************************************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] ********************************************************************************
ok: [localhost]

TASK [Include a provisioning role] *************************************************************************************

TASK [cloud-lightsail : Install requirements] **************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md)
 (output is hidden):

TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 (output is hidden):

TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Get regions] ***********************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set facts about the regions] *******************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set the default region] ************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
What region should the server be located in?
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
    1.  ap-northeast-1       Tokyo
    2.  ap-northeast-2       Seoul
    3.  ap-south-1           Mumbai
    4.  ap-southeast-1       Singapore
    5.  ap-southeast-2       Sydney
    6.  ca-central-1         Montreal
    7.  eu-central-1         Frankfurt
    8.  eu-north-1           Stockholm
    9.  eu-west-1            Ireland
    10. eu-west-2            London
    11. eu-west-3            Paris
    12. us-east-1            Virginia
    13. us-east-2            Ohio
    14. us-west-2            Oregon

Enter the number of your desired region
[12]
:
9^M
TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Deploy the template] ***************************************************************************
changed: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ****************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *****************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *********************************************************************************
ok: [localhost]

TASK [Linux | set OS specific facts] ***********************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ***************************************************************************************
ok: [localhost]

TASK [Update config paths] *********************************************************************************************
changed: [localhost]

TASK [debug] ***********************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "**.**.*****"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] ***********************************************
ok: [localhost -> **.**.*****] => (item=**.**.*****)

PLAY [Configure the server and install required software] **************************************************************

TASK [Wait until the cloud-init completed] *****************************************************************************
ok: [**.**.*****]

TASK [Ensure the config directory exists] ******************************************************************************
changed: [**.**.*****-> localhost]

TASK [Dump the ssh config] *********************************************************************************************
changed: [**.**.*****-> localhost]

TASK [common : Check the system] ***************************************************************************************
ok: [**.**.*****]

TASK [common : include_tasks] ******************************************************************************************
included: /home/user/algo/roles/common/tasks/ubuntu.yml for**.**.*****

TASK [common : Gather facts] *******************************************************************************************
ok: [**.**.*****]

burntfalafel commented 2 years ago

[image]

Just to add, ^Instance created successfully; this is for a different zone I was trying but.

davidemyers commented 2 years ago

> `ssh -i configs/algo.pem ubuntu@**.**.***`

Try instead: `ssh -p 4160 -i configs/algo.pem algo@**.**.***`

The point where it's hanging is likely where many updated software packages are being installed, but I'm able to get past that point with us-east-1.

burntfalafel commented 2 years ago

I was thinking the same, but this is the CPU utilization for the new instance eu-west-2a I had made a while back:

[image]

I'll try the us-east-1 region and get back to you.

burntfalafel commented 2 years ago

I was able to successfully deploy the instance on a separate VPS. I think my local wifi router might be blocking something. Anyways, thanks!