trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Unsuccessful Google cloud setup #14600

Open MGelbana opened 1 year ago

MGelbana commented 1 year ago

Describe the bug

GCE setup doesn't succeed after following the documentation listed here.

Full log

./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json"

PLAY [localhost] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ***********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] *******************************************************************************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **************************************************************************************************************************************************************
ok: [localhost] => (item=ansible==6.1.0)

TASK [Just get the list from default pip] ******************************************************************************************************************************************************************
ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] ***********************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] **********************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
^M
TASK [VPN server name prompt] ******************************************************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
^M
TASK [Cellular On Demand prompt] ***************************************************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
^M
TASK [Wi-Fi On Demand prompt] ******************************************************************************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
^M
TASK [Retain the PKI prompt] *******************************************************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
^M
TASK [DNS adblocking prompt] *******************************************************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
^M
TASK [SSH tunneling prompt] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ********************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 22.04.2 LTS
Created from git fork. Last commit: 45fe0f5 change dockerhub docs references
Python 3.10.6
Runtime variables:
    algo_provider "gce"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ******************************************************************************************************************************************************************
changed: [localhost]

TASK [Install the requirements] ****************************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *************************************************************************************************************************************************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [Include a provisioning role] *************************************************************************************************************************************************************************

TASK [cloud-gce : Install requirements] ********************************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-gce : set_fact] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : set_fact] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : set_fact] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Get regions] *****************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Set facts about the regions] *************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Set facts about the default region] ******************************************************************************************************************************************************
ok: [localhost]
[cloud-gce : pause]
What region should the server be located in?
(https://cloud.google.com/compute/docs/regions-zones/#locations)
    1. asia-east1
    2. asia-east2
    3. asia-northeast1
    4. asia-northeast2
    5. asia-northeast3
    6. asia-south1
    7. asia-south2
    8. asia-southeast1
    9. asia-southeast2
    10. australia-southeast1
    11. australia-southeast2
    12. europe-central2
    13. europe-north1
    14. europe-southwest1
    15. europe-west1
    16. europe-west12
    17. europe-west2
    18. europe-west3
    19. europe-west4
    20. europe-west6
    21. europe-west8
    22. europe-west9
    23. me-central1
    24. me-west1
    25. northamerica-northeast1
    26. northamerica-northeast2
    27. southamerica-east1
    28. southamerica-west1
    29. us-central1
    30. us-east1
    31. us-east4
    32. us-east5
    33. us-south1
    34. us-west1
    35. us-west2
    36. us-west3
    37. us-west4

Enter the number of your desired region
[30]
:
15^M
TASK [cloud-gce : pause] ***********************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Set region as a fact] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Get zones] *******************************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Set random available zone as a fact] *****************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-gce : Network configured] **********************************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-gce : Firewall configured] *********************************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-gce : Instance created] ************************************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-gce : set_fact] ********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ****************************************************************************************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *****************************************************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [Linux | set OS specific facts] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ***************************************************************************************************************************************************************************
ok: [localhost]

TASK [Update config paths] *********************************************************************************************************************************************************************************
changed: [localhost]

TASK [debug] ***********************************************************************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "34.140.242.193"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] ***********************************************************************************************************************************
ok: [localhost -> 34.140.242.193] => (item=34.140.242.193)

PLAY [Configure the server and install required software] **************************************************************************************************************************************************

TASK [Wait until the cloud-init completed] *****************************************************************************************************************************************************************
fatal: [34.140.242.193]: FAILED! => {"changed": false, "elapsed": 600, "msg": "Timeout when waiting for file /var/lib/cloud/data/result.json"}

TASK [include_tasks] ***************************************************************************************************************************************************************************************
included: /home/mgelbana/workspace/repos/open/algo/playbooks/rescue.yml for 34.140.242.193

TASK [debug] ***********************************************************************************************************************************************************************************************
ok: [34.140.242.193] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] *******************************************************************************************************************************************************************************
fatal: [34.140.242.193]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP *************************************************************************************************************************************************************************************************
34.140.242.193             : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=1    ignored=0   
localhost                  : ok=47   changed=8    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0 
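
The task that fails above is a 600-second wait for cloud-init's completion marker on the new instance. The following check is an added diagnostic, not Algo's own code and not part of the original issue: it reproduces that wait in plain Python and then parses the verdict cloud-init writes to /var/lib/cloud/data/result.json (a `v1` object with `datasource` and `errors`). The two sample files are constructed; the datasource name and error text in them are illustrative, not taken from this report.

```python
"""Wait for cloud-init to finish on a new instance and read its verdict.

Added diagnostic, not Algo's own code: it mirrors the step that timed out
in the log above (waiting 600 s for /var/lib/cloud/data/result.json) and
then parses the file cloud-init writes when it completes.
"""
import json
import os
import tempfile
import time

RESULT_PATH = "/var/lib/cloud/data/result.json"

# Constructed samples with the layout cloud-init uses for result.json:
# {"v1": {"datasource": "...", "errors": [...]}}
SAMPLE_OK = '{"v1": {"datasource": "DataSourceGCELocal", "errors": []}}'
SAMPLE_FAILED = (
    '{"v1": {"datasource": "DataSourceGCELocal", '
    '"errors": ["(\'scripts-user\', RuntimeError(\'Runparts: 1 failures\'))"]}}'
)


def parse_cloud_init_result(text):
    """Return {'datasource': str|None, 'errors': [...], 'ok': bool} from result.json text."""
    v1 = json.loads(text).get("v1", {})
    errors = list(v1.get("errors") or [])
    return {"datasource": v1.get("datasource"), "errors": errors, "ok": not errors}


def wait_for_cloud_init(path=RESULT_PATH, timeout=600.0, interval=5.0):
    """Poll for the result file for up to `timeout` seconds.

    Returns the parsed verdict once the file exists, or None on timeout,
    which is the situation the Ansible task above reports as
    'Timeout when waiting for file /var/lib/cloud/data/result.json'.
    """
    deadline = time.monotonic() + timeout
    while True:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            if text.strip():  # skip a file that is still being written
                return parse_cloud_init_result(text)
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        time.sleep(min(interval, remaining))


def demo(sample=SAMPLE_OK, timeout=2.0):
    """Run the wait against a temporary copy of a sample so the check works offline."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "result.json")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        return wait_for_cloud_init(path, timeout=timeout, interval=0.05)


if __name__ == "__main__":
    verdict = wait_for_cloud_init(RESULT_PATH, timeout=600)
    if verdict is None:
        print("cloud-init did not finish in time; inspect /var/log/cloud-init.log on the instance")
    else:
        print("datasource:", verdict["datasource"], "ok:", verdict["ok"], "errors:", verdict["errors"])
```

Run on the instance itself (over the SSH key Algo generated) it gives a faster answer than waiting out the playbook: `None` means cloud-init never wrote its marker, so the next place to look is `cloud-init status --long` and /var/log/cloud-init.log on that host; a verdict with `ok` false means cloud-init ran but one of its stages failed, and the error list names the stage.
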

RearDoor commented 8 months ago

How exactly are you setting this up? Are you using cloud shell?

I am not sure if this will help you. I was setting up a cloud VPN using the Google Cloud Shell. I had to install pyenv as the Google Cloud Shell only includes Python 3.9, which doesn't support the latest Ansible. After some tweaking I got it to work.

MGelbana commented 8 months ago

Thanks for your reply @RearDoor. I found that my ISP (and possibly the whole country) is blocking the WireGuard protocol handshake. I tried overcoming that but unfortunately I couldn't.
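
A blocked handshake is visible on the server side before it is visible anywhere else. The script below is an added example, not part of this thread and not Algo's or WireGuard's code: it parses the tab-separated output of `wg show <iface> dump` (interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as Unix seconds with 0 meaning never, bytes received, bytes sent, keepalive) and classifies each peer. The sample dump is constructed with fake keys and documentation addresses; the 180-second staleness threshold and the interface name `wg0` are assumptions of the example, and the interpretation of an empty endpoint assumes server-side peers with no configured Endpoint, which is how Algo generates them.

```python
"""Classify WireGuard peers by handshake state from `wg show <iface> dump`.

Added diagnostic, not Algo's or WireGuard's own code. It reads the dump
format (one interface line, then one line per peer: public-key,
preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx,
transfer-tx, persistent-keepalive) and reports whether each peer has ever
completed a handshake, which is the first thing to confirm when the
handshake is suspected of being dropped somewhere on the path.
"""
import subprocess
import time

# WireGuard rekeys about every two minutes while traffic flows, so a
# handshake much older than that on an active tunnel means packets stopped
# getting through. The threshold is a judgement call, not a protocol constant.
STALE_AFTER = 180

# Constructed sample of `wg show wg0 dump` (fake keys, documentation addresses).
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVATE_KEY_REDACTED", "SERVER_PUBKEY_FAKE=", "51820", "off"]),
    "\t".join(["PEER_A_FAKE=", "(none)", "198.51.100.20:45678", "10.49.0.2/32",
               "1700000000", "123456", "654321", "off"]),
    "\t".join(["PEER_B_FAKE=", "(none)", "203.0.113.7:51820", "10.49.0.3/32",
               "0", "0", "0", "25"]),
    "\t".join(["PEER_C_FAKE=", "(none)", "(none)", "10.49.0.4/32",
               "0", "0", "0", "off"]),
])


def parse_dump(text):
    """Parse dump output into {'listen_port': int, 'peers': [dict, ...]}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),  # Unix seconds, 0 = never
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return {"listen_port": int(iface[2]), "peers": peers}


def classify(peer, now):
    """Return one of 'ok', 'stale', 'no-handshake', 'never-contacted'."""
    if peer["latest_handshake"] == 0:
        # Assumes a server whose peers have no configured Endpoint (as Algo
        # generates them): the endpoint is only learned from an authenticated
        # packet the peer sent, so no endpoint means nothing ever arrived,
        # while an endpoint without a handshake means the client's initiation
        # got in but the session was never confirmed (for example, the
        # server's response never reached the client).
        return "never-contacted" if peer["endpoint"] is None else "no-handshake"
    return "ok" if now - peer["latest_handshake"] <= STALE_AFTER else "stale"


def diagnose(text, now=None):
    """Map each peer's public key to its handshake state."""
    now = int(time.time()) if now is None else now
    return {p["public_key"]: classify(p, now) for p in parse_dump(text)["peers"]}


def diagnose_interface(iface="wg0"):
    """Run the real command on this host (needs root) and classify its peers."""
    out = subprocess.run(["wg", "show", iface, "dump"], check=True,
                         capture_output=True, text=True).stdout
    return diagnose(out)


if __name__ == "__main__":
    for key, state in diagnose(SAMPLE_DUMP, now=1700000100).items():
        print(f"{key:16} {state}")
```

Reading the result: a peer stuck at `never-contacted` while the client reports it is sending means the initiation is being dropped before it reaches the server; `no-handshake` means the initiation arrives but the exchange does not complete, which points at the return path. Either way the server-side view separates "client misconfigured" from "path is filtering WireGuard" without guessing.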