trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

No internet after the installation is successfully complete #14589

Closed MGelbana-Incorta closed 1 year ago

MGelbana-Incorta commented 1 year ago

Describe the bug

I don't have internet access after I run sudo systemctl start wg-quick@wg0. I also ran the following after I started WireGuard:

sudo systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sat 2023-03-18 16:35:37 EET; 2s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 138176 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 138176 (code=exited, status=0/SUCCESS)
        CPU: 78ms

Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -6 route add ::/0 dev wg0 table 51820
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -6 rule add not fwmark 51820 table 51820
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -6 rule add table main suppress_prefixlength 0
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] nft -f /dev/fd/63
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -4 rule add not fwmark 51820 table 51820
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] ip -4 rule add table main suppress_prefixlength 0
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Mar 18 16:35:37 mgelbana-cairo wg-quick[138176]: [#] nft -f /dev/fd/63
Mar 18 16:35:37 mgelbana-cairo systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

To Reproduce

I just followed the docs. Ran ./algo, used DigitalOcean and provided the API token.

Full log

❯ ./algo

PLAY [localhost] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ***********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] *******************************************************************************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **************************************************************************************************************************************************************
ok: [localhost] => (item=ansible==6.1.0)

TASK [Just get the list from default pip] ******************************************************************************************************************************************************************
ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] ***********************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] **********************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:
1
TASK [Cloud prompt] ****************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
TASK [VPN server name prompt] ******************************************************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
TASK [Cellular On Demand prompt] ***************************************************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
TASK [Wi-Fi On Demand prompt] ******************************************************************************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
TASK [Retain the PKI prompt] *******************************************************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
TASK [DNS adblocking prompt] *******************************************************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
TASK [SSH tunneling prompt] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ********************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 22.04.2 LTS
Created from git fork. Last commit: 45fe0f5 change dockerhub docs references
Python 3.10.6
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ******************************************************************************************************************************************************************
changed: [localhost]

TASK [Install the requirements] ****************************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *************************************************************************************************************************************************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [Include a provisioning role] *************************************************************************************************************************************************************************
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
 (output is hidden):

TASK [cloud-digitalocean : pause] **************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ********************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about the regions] ****************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] *************************************************************************************************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
    1. ams3     Amsterdam 3
    2. blr1     Bangalore 1
    3. fra1     Frankfurt 1
    4. lon1     London 1
    5. nyc1     New York 1
    6. nyc3     New York 3
    7. sfo3     San Francisco 3
    8. sgp1     Singapore 1
    9. syd1     Sydney 1
    10. tor1     Toronto 1

Enter the number of your desired region
[6]
:
9
TASK [cloud-digitalocean : pause] **************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] ***********************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] **********************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : set_fact] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ****************************************************************************************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *****************************************************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [Linux | set OS specific facts] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ***************************************************************************************************************************************************************************
ok: [localhost]

TASK [Update config paths] *********************************************************************************************************************************************************************************
changed: [localhost]

TASK [debug] ***********************************************************************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "170.64.146.226"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] ***********************************************************************************************************************************
ok: [localhost -> 170.64.146.226] => (item=170.64.146.226)

PLAY [Configure the server and install required software] **************************************************************************************************************************************************

TASK [Wait until the cloud-init completed] *****************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [Ensure the config directory exists] ******************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [Dump the ssh config] *********************************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [common : Check the system] ***************************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : include_tasks] ******************************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/common/tasks/ubuntu.yml for 170.64.146.226

TASK [common : Gather facts] *******************************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Install software updates] *******************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Check if reboot is required] ****************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : Reboot] *************************************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : Wait until the server becomes ready...] *****************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Install unattended-upgrades] ****************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Configure unattended-upgrades] **************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : Periodic upgrades configured] ***************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : Disable MOTD on login and SSHD] *************************************************************************************************************************************************************
changed: [170.64.146.226] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [170.64.146.226] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})
[WARNING]: Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the
correct permissions manually

TASK [common : Ensure fallback resolvers are set] **********************************************************************************************************************************************************
changed: [170.64.146.226]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [common : Loopback for services configured] ***********************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : systemd services enabled and started] *******************************************************************************************************************************************************
ok: [170.64.146.226] => (item=systemd-networkd)
ok: [170.64.146.226] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ********************************************************************************************************************************************************
changed: [170.64.146.226]

RUNNING HANDLER [common : restart systemd-resolved] ********************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : Check apparmor support] *********************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Set fact if apparmor enabled] ***************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Define facts] *******************************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Set facts] **********************************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Set IPv6 support as a fact] *****************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Check size of MTU] **************************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Set OS specific facts] **********************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [common : Install tools] ******************************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [common : include_tasks] ******************************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/common/tasks/iptables.yml for 170.64.146.226
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [common : Iptables configured] ************************************************************************************************************************************************************************
changed: [170.64.146.226] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.next_nth_usable' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by 
setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [common : Iptables configured] ************************************************************************************************************************************************************************
changed: [170.64.146.226] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] ******************************************************************************************************************************************************************************
changed: [170.64.146.226] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [170.64.146.226] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [170.64.146.226] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ****************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : Include tasks for Ubuntu] **********************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/dns/tasks/ubuntu.yml for 170.64.146.226

TASK [dns : Install dnscrypt-proxy] ************************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *****************************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *******************************************************************************************************************************************
ok: [170.64.146.226]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] *******************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] *******************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : dnscrypt-proxy ip-blacklist configured] ********************************************************************************************************************************************************
changed: [170.64.146.226]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [dns : dnscrypt-proxy configured] *********************************************************************************************************************************************************************
changed: [170.64.146.226]
[WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] *************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [dns : dnscrypt-proxy enabled and started] ************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [wireguard : Ensure the required directories exist] ***************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=configs/170.64.146.226/wireguard//.pki//preshared)
changed: [170.64.146.226 -> localhost] => (item=configs/170.64.146.226/wireguard//.pki//private)
changed: [170.64.146.226 -> localhost] => (item=configs/170.64.146.226/wireguard//.pki//public)
changed: [170.64.146.226 -> localhost] => (item=configs/170.64.146.226/wireguard//apple/ios)
changed: [170.64.146.226 -> localhost] => (item=configs/170.64.146.226/wireguard//apple/macos)

TASK [wireguard : Include tasks for Ubuntu] ****************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/wireguard/tasks/ubuntu.yml for 170.64.146.226

TASK [wireguard : WireGuard installed] *********************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [wireguard : Set OS specific facts] *******************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [wireguard : Generate private keys] *******************************************************************************************************************************************************************
changed: [170.64.146.226] => (item=phone)
changed: [170.64.146.226] => (item=laptop)
changed: [170.64.146.226] => (item=desktop)
changed: [170.64.146.226] => (item=170.64.146.226)

TASK [wireguard : Save private keys] ***********************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost]

TASK [wireguard : Touch the lock file] *********************************************************************************************************************************************************************
changed: [170.64.146.226] => (item=phone)
changed: [170.64.146.226] => (item=laptop)
changed: [170.64.146.226] => (item=desktop)
changed: [170.64.146.226] => (item=170.64.146.226)

TASK [wireguard : Generate preshared keys] *****************************************************************************************************************************************************************
changed: [170.64.146.226] => (item=phone)
changed: [170.64.146.226] => (item=laptop)
changed: [170.64.146.226] => (item=desktop)
changed: [170.64.146.226] => (item=170.64.146.226)

TASK [wireguard : Save preshared keys] *********************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost]

TASK [wireguard : Touch the preshared lock file] ***********************************************************************************************************************************************************
changed: [170.64.146.226] => (item=phone)
changed: [170.64.146.226] => (item=laptop)
changed: [170.64.146.226] => (item=desktop)
changed: [170.64.146.226] => (item=170.64.146.226)

TASK [wireguard : Generate public keys] ********************************************************************************************************************************************************************
ok: [170.64.146.226] => (item=phone)
ok: [170.64.146.226] => (item=laptop)
ok: [170.64.146.226] => (item=desktop)
ok: [170.64.146.226] => (item=170.64.146.226)

TASK [wireguard : Save public keys] ************************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost]

TASK [wireguard : WireGuard user list updated] *************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [wireguard : set_fact] ********************************************************************************************************************************************************************************
ok: [170.64.146.226 -> localhost]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard users config generated] ********************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=[0, 'phone'])
changed: [170.64.146.226 -> localhost] => (item=[1, 'laptop'])
changed: [170.64.146.226 -> localhost] => (item=[2, 'desktop'])

TASK [wireguard : include_tasks] ***************************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/wireguard/tasks/mobileconfig.yml for 170.64.146.226 => (item=ios)
included: /home/mgelbana/workspace/repos/open/algo/roles/wireguard/tasks/mobileconfig.yml for 170.64.146.226 => (item=macos)
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard apple mobileconfig generated] **************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=[0, 'phone'])
changed: [170.64.146.226 -> localhost] => (item=[1, 'laptop'])
changed: [170.64.146.226 -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard apple mobileconfig generated] **************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=[0, 'phone'])
changed: [170.64.146.226 -> localhost] => (item=[1, 'laptop'])
changed: [170.64.146.226 -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [wireguard : Generate QR codes] ***********************************************************************************************************************************************************************
ok: [170.64.146.226 -> localhost] => (item=[0, 'phone'])
ok: [170.64.146.226 -> localhost] => (item=[1, 'laptop'])
ok: [170.64.146.226 -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipv4' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipv6' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard configured] ********************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [wireguard : WireGuard enabled and started] ***********************************************************************************************************************************************************
changed: [170.64.146.226]

RUNNING HANDLER [wireguard : restart wireguard] ************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [strongswan : include_tasks] **************************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/roles/strongswan/tasks/ubuntu.yml for 170.64.146.226

TASK [strongswan : Set OS specific facts] ******************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [strongswan : Ubuntu | Install strongSwan] ************************************************************************************************************************************************************
changed: [170.64.146.226]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] ****************************************************************************************************************************************
changed: [170.64.146.226]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] *************************************************************************************************************************************************
ok: [170.64.146.226] => (item=/usr/lib/ipsec/charon)
ok: [170.64.146.226] => (item=/usr/lib/ipsec/lookip)
ok: [170.64.146.226] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ***************************************************************************************************************************************************************
ok: [170.64.146.226] => (item=apparmor)
ok: [170.64.146.226] => (item=strongswan-starter)
ok: [170.64.146.226] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ***************************************************************************************************************************
changed: [170.64.146.226]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *****************************************************************************************************************************
changed: [170.64.146.226]

TASK [strongswan : Ensure that the strongswan user exists] *************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [strongswan : Install strongSwan] *********************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [strongswan : Setup the config files from our templates] **********************************************************************************************************************************************
changed: [170.64.146.226] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
changed: [170.64.146.226] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [170.64.146.226] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [170.64.146.226] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] *********************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [strongswan : Disable unneeded plugins] ***************************************************************************************************************************************************************
changed: [170.64.146.226] => (item=pkcs1)
changed: [170.64.146.226] => (item=fips-prf)
changed: [170.64.146.226] => (item=mgf1)
changed: [170.64.146.226] => (item=bypass-lan)
changed: [170.64.146.226] => (item=eap-mschapv2)
changed: [170.64.146.226] => (item=sshkey)
changed: [170.64.146.226] => (item=rc2)
changed: [170.64.146.226] => (item=attr)
changed: [170.64.146.226] => (item=drbg)
changed: [170.64.146.226] => (item=agent)
changed: [170.64.146.226] => (item=counters)
changed: [170.64.146.226] => (item=md5)
changed: [170.64.146.226] => (item=xauth-generic)
changed: [170.64.146.226] => (item=aesni)
changed: [170.64.146.226] => (item=sha1)
changed: [170.64.146.226] => (item=constraints)
changed: [170.64.146.226] => (item=dnskey)
changed: [170.64.146.226] => (item=gmp)
changed: [170.64.146.226] => (item=xcbc)
changed: [170.64.146.226] => (item=updown)
changed: [170.64.146.226] => (item=connmark)
changed: [170.64.146.226] => (item=resolve)

TASK [strongswan : Ensure that required plugins are enabled] ***********************************************************************************************************************************************
changed: [170.64.146.226] => (item=revocation)
changed: [170.64.146.226] => (item=pkcs8)
changed: [170.64.146.226] => (item=stroke)
changed: [170.64.146.226] => (item=socket-default)
changed: [170.64.146.226] => (item=pkcs7)
changed: [170.64.146.226] => (item=gcm)
changed: [170.64.146.226] => (item=kernel-netlink)
changed: [170.64.146.226] => (item=pem)
changed: [170.64.146.226] => (item=pubkey)
changed: [170.64.146.226] => (item=aes)
changed: [170.64.146.226] => (item=openssl)
changed: [170.64.146.226] => (item=pkcs12)
changed: [170.64.146.226] => (item=sha2)
changed: [170.64.146.226] => (item=hmac)
changed: [170.64.146.226] => (item=x509)
changed: [170.64.146.226] => (item=random)
changed: [170.64.146.226] => (item=pgp)
changed: [170.64.146.226] => (item=nonce)

TASK [strongswan : debug] **********************************************************************************************************************************************************************************
ok: [170.64.146.226 -> localhost] => {
    "subjectAltName": "IP:170.64.146.226,IP:2400:6180:10:200::84:8000"
}

TASK [strongswan : Ensure the pki directories exist] *******************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=ecparams)
changed: [170.64.146.226 -> localhost] => (item=certs)
changed: [170.64.146.226 -> localhost] => (item=crl)
changed: [170.64.146.226 -> localhost] => (item=newcerts)
changed: [170.64.146.226 -> localhost] => (item=private)
changed: [170.64.146.226 -> localhost] => (item=public)
changed: [170.64.146.226 -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] ****************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=apple)
changed: [170.64.146.226 -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] *****************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=.rnd)
changed: [170.64.146.226 -> localhost] => (item=private/.rnd)
changed: [170.64.146.226 -> localhost] => (item=index.txt)
changed: [170.64.146.226 -> localhost] => (item=index.txt.attr)
changed: [170.64.146.226 -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] ****************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Build the CA pair] **********************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Copy the CA certificate] ****************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Generate the serial number] *************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Build the server pair] ******************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Build the client's pair] ****************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Build openssh public keys] **************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12] *****************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12 with the CA cert included] ***************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Copy the p12 certificates] **************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Get active users] ***********************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Copy the keys to the strongswan directory] **********************************************************************************************************************************************
changed: [170.64.146.226] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [170.64.146.226] => (item={'src': 'certs/170.64.146.226.crt', 'dest': 'certs/170.64.146.226.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [170.64.146.226] => (item={'src': 'private/170.64.146.226.key', 'dest': 'private/170.64.146.226.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ************************************************************************************************************************************************************
ok: [170.64.146.226 -> localhost] => (item=phone)
ok: [170.64.146.226 -> localhost] => (item=laptop)
ok: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Set facts for mobileconfigs] ************************************************************************************************************************************************************
ok: [170.64.146.226 -> localhost]

TASK [strongswan : Build the mobileconfigs] ****************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost] => (item=None)
changed: [170.64.146.226 -> localhost]

TASK [strongswan : Build the client ipsec config file] *****************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Build the client ipsec secret file] *****************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost] => (item=phone)
changed: [170.64.146.226 -> localhost] => (item=laptop)
changed: [170.64.146.226 -> localhost] => (item=desktop)

TASK [strongswan : Restrict permissions for the local private directories] *********************************************************************************************************************************
ok: [170.64.146.226 -> localhost]

TASK [strongswan : strongSwan started] *********************************************************************************************************************************************************************
ok: [170.64.146.226]

RUNNING HANDLER [strongswan : restart strongswan] **********************************************************************************************************************************************************
changed: [170.64.146.226]

RUNNING HANDLER [strongswan : daemon-reload] ***************************************************************************************************************************************************************
ok: [170.64.146.226]

TASK [Dump the configuration] ******************************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]

TASK [Linux | Delete the PKI directory] ********************************************************************************************************************************************************************
changed: [170.64.146.226 -> localhost]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

TASK [debug] ***********************************************************************************************************************************************************************************************
ok: [170.64.146.226] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.24.117.23, fd00::8:7517                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is @1X2dUxgR       #\"\n",
        "    ",
        "    \"#      Shell access: ssh -F configs/170.64.146.226/ssh_config algo        #\"\n"
    ]
}

PLAY RECAP *************************************************************************************************************************************************************************************************
170.64.146.226             : ok=107  changed=67   unreachable=0    failed=0    skipped=36   rescued=0    ignored=0   
localhost                  : ok=44   changed=5    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0   

When I SSHed into the Algo server, I ran the following debugging command:

$ systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt client proxy
     Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/dnscrypt-proxy.service.d
             └─99-algo.conf
     Active: active (running) since Fri 2023-03-17 20:45:16 UTC; 17h ago
TriggeredBy: ● dnscrypt-proxy.socket
       Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
   Main PID: 3259 (dnscrypt-proxy)
      Tasks: 8 (limit: 1131)
     Memory: 7.9M
     CGroup: /system.slice/dnscrypt-proxy.service
             └─3259 /usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Mar 18 04:45:16 algo dnscrypt-proxy[3259]: -     4ms cloudflare-ipv6
Mar 18 04:45:16 algo dnscrypt-proxy[3259]: Server with the lowest initial latency: cloudflare (rtt: 2ms)
Mar 18 08:45:16 algo dnscrypt-proxy[3259]: Sorted latencies:
Mar 18 08:45:16 algo dnscrypt-proxy[3259]: -     2ms cloudflare
Mar 18 08:45:16 algo dnscrypt-proxy[3259]: -     3ms cloudflare-ipv6
Mar 18 08:45:16 algo dnscrypt-proxy[3259]: Server with the lowest initial latency: cloudflare (rtt: 2ms)
Mar 18 12:45:16 algo dnscrypt-proxy[3259]: Sorted latencies:
Mar 18 12:45:16 algo dnscrypt-proxy[3259]: -     2ms cloudflare
Mar 18 12:45:16 algo dnscrypt-proxy[3259]: -     3ms cloudflare-ipv6
Mar 18 12:45:16 algo dnscrypt-proxy[3259]: Server with the lowest initial latency: cloudflare (rtt: 2ms)

I also tried visiting http://1.1.1.1 through my browser, but the page didn't load.