trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Installation on localhost #14535

Open gtrhayrug opened 1 year ago

gtrhayrug commented 1 year ago

Hi, I have installed a VM on Ubuntu 20.04. I have opened 500/4500/51820 UDP and routed them to the VM IP. Using AdGuard, as explained in deploy-to-ubuntu, I changed the DNS server, dns_encryption, etc. After installing the requirements, I started the installation process with:

And the installation failed after a long pause...

Any idea? What am I doing wrong?

First part:

```
PLAY [localhost] **

TASK [Gathering Facts] **** ok: [localhost]

TASK [Playbook dir stat] ** ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ** ok: [localhost] => { "changed": false, "msg": "All assertions passed" } [DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] ** ok: [localhost]

TASK [Set required ansible version as a fact] ***** ok: [localhost] => (item=ansible==6.1.0)

TASK [Just get the list from default pip] ***** ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] ** ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

TASK [Verify Ansible meets Algo VPN requirements] ***** ok: [localhost] => { "changed": false, "msg": "All assertions passed" } [WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *****

TASK [Gathering Facts] **** ok: [localhost] [Cloud prompt] What provider would you like to use?

  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Hetzner Cloud
  7. Vultr
  8. Scaleway
  9. OpenStack (DreamCompute optimised)
  10. CloudStack (Exoscale optimised)
  11. Linode
  12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider : 12^M TASK [Cloud prompt] *** ok: [localhost]

TASK [Set facts based on the input] * ok: [localhost] [Cellular On Demand prompt] Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks? [y/N] : N^M TASK [Cellular On Demand prompt] ** ok: [localhost] [Wi-Fi On Demand prompt] Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N] : N^M TASK [Wi-Fi On Demand prompt] *** ok: [localhost] [Retain the PKI prompt] Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) [y/N] : y^M TASK [Retain the PKI prompt] ** ok: [localhost] [DNS adblocking prompt] Do you want to enable DNS ad blocking on this VPN server? [y/N] : y^M TASK [DNS adblocking prompt] ** ok: [localhost] [SSH tunneling prompt] Do you want each user to have their own account for SSH tunneling? [y/N] : y^M TASK [SSH tunneling prompt] *** ok: [localhost]

TASK [Set facts based on the input] *** ok: [localhost]

PLAY [Provision the server] ***

TASK [Gathering Facts] **** ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 20.04.5 LTS (Virtualized: kvm) Created from git clone. Last commit: 347f864 Ansible upgrade 6.1 (#14500) Python 3.8.10 Runtime variables: algo_provider "local" algo_ondemand_cellular "False" algo_ondemand_wifi "False" algo_ondemand_wifi_exclude "X251bGw=" algo_dns_adblocking "True" algo_ssh_tunneling "True" wireguard_enabled "True" dns_encryption "False"

TASK [Display the invocation environment] ***** changed: [localhost]

TASK [Install the requirements] *** ok: [localhost]

TASK [Include a provisioning role] **** [local : pause] https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...: ^M TASK [local : pause] ** ok: [localhost] => (item=https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...) [local : pause] Enter the IP address of your server: (or use localhost for local installation): [localhost] : 127.0.0.1^M TASK [local : pause] ** ok: [localhost]

TASK [local : Set the facts] ** ok: [localhost] [local : pause] What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost) [root] : ^M TASK [local : pause] ** ok: [localhost]

TASK [local : Set the facts] ** ok: [localhost] [local : pause] Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [127.0.0.1] : ^M TASK [local : pause] ** ok: [localhost]

TASK [local : Set the facts] ** ok: [localhost]

TASK [Set subjectAltName as a fact] *** ok: [localhost] [WARNING]: A duplicate localhost-like entry was found (127.0.0.1). First found localhost was localhost

TASK [Add the server to an inventory group] *** changed: [localhost]

TASK [Wait until SSH becomes ready...] **** ok: [localhost]

TASK [debug] ** ok: [localhost] => { "IP_subject_alt_name": "127.0.0.1" }
```

Second part, after the pause (timeout):

```
TASK [Wait 600 seconds for target connection to become reachable/usable] ** failed: [localhost -> 127.0.0.1] (item=127.0.0.1) => {"ansible_loop_var": "item", "changed": false, "elapsed": 778, "item": "127.0.0.1", "msg": "timed out waiting for ping module test: Data could not be sent to remote host \"127.0.0.1\". Make sure this host can be reached over ssh: Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.\r\nroot@127.0.0.1: Permission denied (publickey,password).\r\n"}

TASK [include_tasks] ** included: /home/boss/algo/playbooks/rescue.yml for localhost

TASK [debug] ** ok: [localhost] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }

TASK [Fail the installation] ** fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP **** localhost : ok=33 changed=2 unreachable=0 failed=1 skipped=11 rescued=1 ignored=0
```

JJMellens commented 1 year ago

The problem is with the SSH connection; you have to make sure that algo can access your server over SSH. I'm not sure how best-practice this is, but since you seem to be installing on localhost, you can solve it by generating a keypair with ssh-keygen and adding the contents of id_rsa.pub to ~/.ssh/authorized_keys. I'm not sure if algo can work with a password-protected private key, but I don't think so, so leaving it blank works.

TC1977 commented 1 year ago

The problem here is your response to the item:

```
Enter the IP address of your server: (or use localhost for local installation): [localhost] : 127.0.0.1^M
```

Don't enter "127.0.0.1", or anything else. Just hit return and let it go with "localhost".

Then, when it asks for the public IP address:

```
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [127.0.0.1] : ^M TASK [local : pause]
```

You're going with the default (which you actually set in the prior prompt, instead of letting it go), thereby causing your VM to try to SSH into itself, which is causing an error. Put in the public IP address of your server (e.g., 142.251.167.100 for "google.com"), which is the IP that your clients are going to try to connect to after your local install is done.

(Yes, you could put in 127.0.0.1 in the first prompt, and then put in the public IP in the second prompt. But I think you're being confused into thinking that 127.0.0.1 is an acceptable default for the second prompt, and it isn't.)
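A pre-flight check for the two "local" prompts discussed in this thread (the server address that decides local connection vs. SSH, and the public address that goes into the certificate), plus the passwordless-SSH check from JJMellens's reply. This is an added example, not part of Algo; the function names and return codes are my own, and the SSH probe uses BatchMode so a missing key fails in seconds instead of after the 600-second timeout in the log above.

```shell
#!/bin/sh
# algo_preflight <server> <public_ip_or_domain> [ssh_user]
# Added example (not Algo code): sanity-check the answers to Algo's two
# "local" prompts before running the playbook.

# 0 if the address names this machine (what Ansible would treat as itself).
is_loopback() {
  case "$1" in
    localhost|127.*|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the address is loopback, link-local or RFC 1918: clients on the
# internet could never reach it, so it is wrong for the certificate's SAN.
is_unroutable() {
  case "$1" in
    localhost|127.*|::1|10.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe SSH the way Ansible will use it: BatchMode refuses password prompts,
# so "Permission denied (publickey,password)" surfaces immediately.
ssh_ready() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "${2:-root}@$1" true 2>/dev/null
}

# Prints a verdict; returns 1/2/3 for the three mistakes, 0 when answers look sane.
algo_preflight() {
  server="$1"; public="$2"; user="${3:-root}"
  if is_loopback "$server" && [ "$server" != "localhost" ]; then
    echo "server '$server' is this machine: answer 'localhost' so Ansible uses a local connection, not SSH"
    return 1
  fi
  if is_unroutable "$public"; then
    echo "public address '$public' is not reachable by VPN clients: use the server's public IP or domain"
    return 2
  fi
  if [ "$server" != "localhost" ] && ! ssh_ready "$server" "$user"; then
    echo "passwordless SSH to $user@$server failed: add your key to authorized_keys before running Algo"
    return 3
  fi
  echo "ok: server=$server public=$public"
  return 0
}
```

Run it as `algo_preflight localhost 203.0.113.7` (constructed example values) before `./algo`; a non-zero exit tells you which prompt answer to change.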