trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.91k stars, 2.32k forks

Lightsail is not working #14406

Closed vvorlov closed 2 years ago

vvorlov commented 2 years ago

**Describe the bug**

VPN is not working with Lightsail. WireGuard connects, but there is no Internet after connection. The usual macOS client doesn't connect; it freezes in the Connecting... state.

**To Reproduce**

Steps to reproduce the behavior:

1. Connect to the Lightsail instance via ssh.
2. Run the script:

   ```bash
   #!/bin/bash
   export USERS=phone
   export REPO_BRANCH=master
   export STORE_PKI=true
   curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
   ```

   I don't know why, but you need to run the script twice. On the first run it will install dependencies, and on the second run it will configure the VPN.

3. Run `chmod 775` on every cert in `/opt/algo/configs/<IP>`.
4. Download the certs:

   ```bash
   scp -i eu-north-1.pem ubuntu@13.48.104.144:/opt/algo/configs/13.48.104.144/wireguard/phone.conf ~/Downloads/phone.conf
   scp -i eu-north-1.pem ubuntu@13.48.104.144:/opt/algo/configs/13.48.104.144/ipsec/apple/phone.mobileconfig ~/Downloads/phone.mobileconfig
   ```

5. Configure WireGuard or the built-in macOS client.

**Expected behavior**

VPN should work but it doesn't

**Full log**


```console
ubuntu@ip-172-26-0-161:~$ export USERS=phone
ubuntu@ip-172-26-0-161:~$ export REPO_BRANCH=master
ubuntu@ip-172-26-0-161:~$ export STORE_PKI=true
ubuntu@ip-172-26-0-161:~$ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
```

PLAY [localhost] ***

TASK [Gathering Facts] ***** ok: [localhost]

TASK [Playbook dir stat] *** ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] *** ok: [localhost] => { "changed": false, "msg": "All assertions passed" } [WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] *** ok: [localhost]

TASK [Set required ansible version as a fact] ** ok: [localhost] => (item=ansible-core==2.12.1)

TASK [Verify Python meets Algo VPN requirements] *** ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

TASK [Verify Ansible meets Algo VPN requirements] ** ok: [localhost] => { "changed": false, "msg": "All assertions passed" } [WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] **

TASK [Gathering Facts] ***** ok: [localhost]

TASK [Set facts based on the input] **** ok: [localhost]

TASK [Set facts based on the input] **** ok: [localhost]

PLAY [Provision the server] ****

TASK [Gathering Facts] ***** ok: [localhost]

TASK [Install the requirements] **** changed: [localhost]

TASK [Include a provisioning role] *****

TASK [local : Set the facts] *** ok: [localhost]

TASK [local : Set the facts] *** ok: [localhost]

TASK [Set subjectAltName as a fact] **** ok: [localhost]

TASK [Add the server to an inventory group] **** changed: [localhost]

TASK [debug] *** ok: [localhost] => { "IP_subject_alt_name": "13.48.104.144" } [WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] *** ok: [localhost] => (item=localhost)

PLAY [Configure the server and install required software] **

TASK [common : Check the system] *** ok: [localhost]

TASK [common : include_tasks] ** included: /opt/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] *** ok: [localhost]

TASK [common : Install unattended-upgrades] **** ok: [localhost]

TASK [common : Configure unattended-upgrades] ** changed: [localhost]

TASK [common : Periodic upgrades configured] *** changed: [localhost]

TASK [common : Disable MOTD on login and SSHD] ***** changed: [localhost] => (item={'regexp': '^session.optional.pam_motd.so.', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'}) changed: [localhost] => (item={'regexp': '^session.optional.pam_motd.so.', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] ** changed: [localhost]

TASK [common : Loopback for services configured] *** changed: [localhost]

TASK [common : systemd services enabled and started] *** ok: [localhost] => (item=systemd-networkd) ok: [localhost] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] **** changed: [localhost]

RUNNING HANDLER [common : restart systemd-resolved] **** changed: [localhost]

TASK [common : Check apparmor support] ***** ok: [localhost]

TASK [common : Set fact if apparmor enabled] *** ok: [localhost]

TASK [common : Define facts] *** ok: [localhost]

TASK [common : Set facts] ** ok: [localhost]

TASK [common : Set IPv6 support as a fact] ***** ok: [localhost]

TASK [common : Check size of MTU] ** ok: [localhost]

TASK [common : Set OS specific facts] ** ok: [localhost]

TASK [common : Install tools] ** changed: [localhost]

TASK [common : include_tasks] ** included: /opt/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] **** changed: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] **** changed: [localhost] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] ** changed: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1}) changed: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1}) changed: [localhost] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] **** changed: [localhost]

TASK [dns : Include tasks for Ubuntu] ** included: /opt/algo/roles/dns/tasks/ubuntu.yml for localhost

TASK [dns : Install dnscrypt-proxy] **** changed: [localhost]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ***** changed: [localhost]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *** ok: [localhost]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] *** changed: [localhost]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] *** changed: [localhost]

TASK [dns : dnscrypt-proxy ip-blacklist configured] **** changed: [localhost]

TASK [dns : dnscrypt-proxy configured] ***** changed: [localhost] [WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] ***** changed: [localhost]

TASK [dns : dnscrypt-proxy enabled and started] **** ok: [localhost]

TASK [wireguard : Ensure the required directories exist] *** changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//preshared) changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//private) changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//public) changed: [localhost] => (item=configs/13.48.104.144/wireguard//apple/ios) changed: [localhost] => (item=configs/13.48.104.144/wireguard//apple/macos)

TASK [wireguard : Include tasks for Ubuntu] **** included: /opt/algo/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard installed] ***** changed: [localhost]

TASK [wireguard : Set OS specific facts] *** ok: [localhost]

TASK [wireguard : Generate private keys] *** changed: [localhost] => (item=phone) changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save private keys] *** changed: [localhost] => (item=None) changed: [localhost] => (item=None) changed: [localhost]

TASK [wireguard : Touch the lock file] ***** changed: [localhost] => (item=phone) changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Generate preshared keys] ***** changed: [localhost] => (item=phone) changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save preshared keys] ***** changed: [localhost] => (item=None) changed: [localhost] => (item=None) changed: [localhost]

TASK [wireguard : Touch the preshared lock file] *** changed: [localhost] => (item=phone) changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Generate public keys] **** ok: [localhost] => (item=phone) ok: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save public keys] **** changed: [localhost] => (item=None) changed: [localhost] => (item=None) changed: [localhost]

TASK [wireguard : WireGuard user list updated] ***** changed: [localhost] => (item=phone)

TASK [wireguard : set_fact] **** ok: [localhost]

TASK [wireguard : WireGuard users config generated] **** changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : include_tasks] *** included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=ios) included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=macos)

TASK [wireguard : WireGuard apple mobileconfig generated] ** changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : WireGuard apple mobileconfig generated] ** changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : Generate QR codes] *** ok: [localhost] => (item=[0, 'phone'])

TASK [wireguard : WireGuard configured] **** changed: [localhost]

TASK [wireguard : WireGuard enabled and started] *** changed: [localhost]

RUNNING HANDLER [wireguard : restart wireguard] **** changed: [localhost]

TASK [strongswan : include_tasks] ** included: /opt/algo/roles/strongswan/tasks/ubuntu.yml for localhost

TASK [strongswan : Set OS specific facts] ** ok: [localhost]

TASK [strongswan : Ubuntu | Install strongSwan] **** changed: [localhost]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] **** changed: [localhost]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ***** ok: [localhost] => (item=/usr/lib/ipsec/charon) ok: [localhost] => (item=/usr/lib/ipsec/lookip) ok: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] *** ok: [localhost] => (item=apparmor) ok: [localhost] => (item=strongswan-starter) ok: [localhost] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] *** changed: [localhost]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *** changed: [localhost]

TASK [strongswan : Ensure that the strongswan user exists] ***** ok: [localhost]

TASK [strongswan : Install strongSwan] ***** ok: [localhost]

TASK [strongswan : Setup the config files from our templates] ** changed: [localhost] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'}) changed: [localhost] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'}) changed: [localhost] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'}) changed: [localhost] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] ***** ok: [localhost]

TASK [strongswan : Disable unneeded plugins] *** changed: [localhost] => (item=connmark) changed: [localhost] => (item=bypass-lan) changed: [localhost] => (item=rc2) changed: [localhost] => (item=sha1) changed: [localhost] => (item=md5) changed: [localhost] => (item=counters) changed: [localhost] => (item=resolve) changed: [localhost] => (item=sshkey) changed: [localhost] => (item=agent) changed: [localhost] => (item=xcbc) changed: [localhost] => (item=mgf1) changed: [localhost] => (item=xauth-generic) changed: [localhost] => (item=eap-mschapv2) changed: [localhost] => (item=updown) changed: [localhost] => (item=dnskey) changed: [localhost] => (item=constraints) changed: [localhost] => (item=pkcs1) changed: [localhost] => (item=aesni) changed: [localhost] => (item=drbg) changed: [localhost] => (item=attr) changed: [localhost] => (item=gmp) changed: [localhost] => (item=fips-prf)

TASK [strongswan : Ensure that required plugins are enabled] *** changed: [localhost] => (item=aes) changed: [localhost] => (item=x509) changed: [localhost] => (item=pkcs7) changed: [localhost] => (item=nonce) changed: [localhost] => (item=pkcs8) changed: [localhost] => (item=gcm) changed: [localhost] => (item=stroke) changed: [localhost] => (item=pem) changed: [localhost] => (item=revocation) changed: [localhost] => (item=socket-default) changed: [localhost] => (item=hmac) changed: [localhost] => (item=pkcs12) changed: [localhost] => (item=random) changed: [localhost] => (item=pubkey) changed: [localhost] => (item=kernel-netlink) changed: [localhost] => (item=pgp) changed: [localhost] => (item=sha2) changed: [localhost] => (item=openssl)

TASK [strongswan : debug] ** ok: [localhost] => { "subjectAltName": "IP:13.48.104.144,IP:2a05:d016:68d:f200:c553:15be:6c28:e8d8" }

TASK [strongswan : Ensure the pki directories exist] *** changed: [localhost] => (item=ecparams) changed: [localhost] => (item=certs) changed: [localhost] => (item=crl) changed: [localhost] => (item=newcerts) changed: [localhost] => (item=private) changed: [localhost] => (item=public) changed: [localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] **** changed: [localhost] => (item=apple) changed: [localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] ***** changed: [localhost] => (item=.rnd) changed: [localhost] => (item=private/.rnd) changed: [localhost] => (item=index.txt) changed: [localhost] => (item=index.txt.attr) changed: [localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] **** changed: [localhost]

TASK [strongswan : Build the CA pair] ** changed: [localhost]

TASK [strongswan : Copy the CA certificate] **** changed: [localhost]

TASK [strongswan : Generate the serial number] ***** changed: [localhost]

TASK [strongswan : Build the server pair] ** changed: [localhost]

TASK [strongswan : Build the client's pair] **** changed: [localhost] => (item=phone)

TASK [strongswan : Build openssh public keys] ** changed: [localhost] => (item=phone)

TASK [strongswan : Build the client's p12] ***** changed: [localhost] => (item=phone)

TASK [strongswan : Build the client's p12 with the CA cert included] *** changed: [localhost] => (item=phone)

TASK [strongswan : Copy the p12 certificates] ** changed: [localhost] => (item=phone)

TASK [strongswan : Get active users] *** changed: [localhost]

TASK [strongswan : Copy the keys to the strongswan directory] ** changed: [localhost] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'}) changed: [localhost] => (item={'src': 'certs/13.48.104.144.crt', 'dest': 'certs/13.48.104.144.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'}) changed: [localhost] => (item={'src': 'private/13.48.104.144.key', 'dest': 'private/13.48.104.144.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] **** ok: [localhost] => (item=phone)

TASK [strongswan : Set facts for mobileconfigs] **** ok: [localhost]

TASK [strongswan : Build the mobileconfigs] **** changed: [localhost] => (item=None) changed: [localhost]

TASK [strongswan : Build the client ipsec config file] ***** changed: [localhost] => (item=phone)

TASK [strongswan : Build the client ipsec secret file] ***** changed: [localhost] => (item=phone)

TASK [strongswan : Restrict permissions for the local private directories] ***** ok: [localhost]

TASK [strongswan : strongSwan started] ***** ok: [localhost]

RUNNING HANDLER [strongswan : restart strongswan] ** changed: [localhost]

RUNNING HANDLER [strongswan : daemon-reload] *** ok: [localhost]

TASK [Dump the configuration] ** changed: [localhost]

TASK [Create a symlink if deploying to localhost] ** changed: [localhost]

TASK [debug] *** ok: [localhost] => { "msg": [ [ "\"# Congratulations! #\"", "\"# Your Algo server is running. #\"", "\"# Config files and certificates are in the ./configs/ directory. #\"", "\"# Go to https://whoer.net/ after connecting #\"", "\"# and ensure that all your traffic passes through the VPN. #\"", "\"# Local DNS resolver 172.28.68.46, fd00::c:442e #\"", "" ], " \"# The p12 and SSH keys password for new users is r15RG4_Sw #\"\n", " \"# The CA key password is ueHAJDCWyIa9bbAg #\"\n", " " ] }

PLAY RECAP ***** localhost : ok=118 changed=65 unreachable=0 failed=0 skipped=65 rescued=0 ignored=0

davidemyers commented 2 years ago

Since you created the Lightsail instance yourself (rather than letting Algo create it for you), make sure you open the necessary ports in the Lightsail firewall. See AlgoVPN and Firewalls.
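The diagnosis above (a self-created instance whose provider firewall still blocks the VPN ports) can be confirmed from the server before touching any client. The script below is an added example, not code from the Algo project or from anyone in this thread. It assumes the default Algo ports (WireGuard on UDP 51820, IPsec on UDP 500 and 4500), the tab-separated line format of `wg show <iface> dump`, and a port list shaped like the output of `aws lightsail get-instance-port-states` (the `portStates` field names are an assumption); the WireGuard dump and the port list it runs on are constructed samples, with placeholder keys.

```python
"""Triage helper for "WireGuard connected but no Internet" on a
self-created cloud instance. Added example; not part of the Algo project.

Check 1: parse `wg show <iface> dump`. A peer that has never completed a
handshake means its UDP packets never reach the server (typically a cloud
firewall in front of the instance); a fresh handshake with traffic in only
one direction points at forwarding/NAT on the server instead.
Check 2: compare the provider firewall's open rules with the ports the VPN
services listen on.

The port numbers are an assumption about a default Algo install
(WireGuard UDP 51820, IPsec UDP 500 and 4500); adjust them to your server.
"""
import json
import time

REQUIRED_PORTS = {("udp", 51820), ("udp", 500), ("udp", 4500)}  # assumption
HANDSHAKE_STALE_SECONDS = 180  # active peers re-handshake every ~2 minutes

# Constructed sample of `wg show wg0 dump`: interface line, then one
# tab-separated line per peer. Keys are placeholders, not real keys.
SAMPLE_WG_DUMP = (
    "SERVER_PRIVKEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    "PHONE_PUBKEY_PLACEHOLDER=\tPHONE_PSK_PLACEHOLDER=\t(none)\t10.49.0.2/32\t0\t0\t0\toff\n"
    "LAPTOP_PUBKEY_PLACEHOLDER=\tLAPTOP_PSK_PLACEHOLDER=\t203.0.113.7:41641\t10.49.0.3/32"
    "\t1700000000\t98304\t4210688\toff\n"
)

# Constructed port list in the shape of `aws lightsail get-instance-port-states`
# (assumed field names): only the Lightsail defaults for SSH and HTTP are open.
SAMPLE_PORT_STATES = json.dumps({"portStates": [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open"},
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open"},
]})


def parse_wg_dump(dump_text):
    """Return one dict per peer. Peer columns: public key, preshared key,
    endpoint, allowed IPs, latest handshake (unix seconds, 0 = never),
    rx bytes, tx bytes, persistent keepalive."""
    lines = [ln for ln in dump_text.strip().splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:  # skip the interface line
        f = line.split("\t")
        peers.append({"pubkey": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6])})
    return peers


def classify_peer(peer, now=None):
    """Map a peer's handshake and traffic counters to a likely cause."""
    now = time.time() if now is None else now
    if peer["handshake"] == 0:
        return "no-handshake: inbound UDP never reached the server; check the cloud firewall"
    if now - peer["handshake"] > HANDSHAKE_STALE_SECONDS:
        return "stale-handshake: peer was reachable once but is not now"
    if peer["rx"] > 0 and peer["tx"] == 0:
        return "one-way: packets arrive but nothing is sent back; check ip_forward and iptables NAT"
    return "healthy"


def missing_ports(port_states_json, required=REQUIRED_PORTS):
    """Return the required (protocol, port) pairs not covered by an open rule."""
    covered = set()
    for rule in json.loads(port_states_json)["portStates"]:
        if rule.get("state") != "open":
            continue
        for port in range(int(rule["fromPort"]), int(rule["toPort"]) + 1):
            covered.add((rule["protocol"].lower(), port))
    return sorted(required - covered)


def triage(dump_text, port_states_json, now=None):
    """Combine both checks into one report keyed by peer allowed-IPs."""
    return {
        "peers": {p["allowed_ips"]: classify_peer(p, now) for p in parse_wg_dump(dump_text)},
        "missing_ports": missing_ports(port_states_json),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_WG_DUMP, SAMPLE_PORT_STATES, now=1700000060).items():
        print(key, value)
```

On a live server, feed it `wg show wg0 dump` (run as root) and the JSON from the Lightsail CLI; in the reported case the phone peer shows a handshake of 0 and the three UDP ports come back as missing, which is exactly the "connected but no Internet" symptom, because the WireGuard client reports "connected" as soon as the tunnel interface is up, whether or not any packet ever got through.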

vvorlov commented 2 years ago

Great, thank you a lot!