trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Problems with Ubuntu 18.04 on AWS Lightsail (no internet, IPSec not working) #1569

Closed kakysha closed 5 years ago

kakysha commented 5 years ago

Created a new Lightsail instance with empty Ubuntu 18.04, picked option '10' (already existing Ubuntu server) in the algo setup process, left all options unchanged, and only provided the server IP and username. Ansible did the job successfully.

Two problems arise: 1) I can't connect to IPSec through my Mac / iPhone (tried Wi-Fi and LTE). "The vpn server did not respond" after a certain timeout, though I can SSH into it. On both the Mac and the iPhone I installed the profiles generated by algo in the /configs/ dir. I can even ping everything from inside SSH while on the Ubuntu machine.

2) WireGuard on both the Mac and the iPhone successfully connects to the server, but there is no internet after the VPN connection is established.

I suppose these problems are somehow interconnected. The thing is, I have everything at default, picked the most popular way to set up, and still ran into problems.

Steps to reproduce the behavior:

  1. Prepare clean Ubuntu 18.04 vps on AWS Lightsail
  2. Install algo, providing the IP and username of the host.

Full log

ubuntu@ip-172-26-13-174:~$ sudo wg
interface: wg0
  public key: tCjECiBmSOYi1jWkN7vFGJPAvpFJ2UQ+vVavju2tTyM=
  private key: (hidden)
  listening port: 51820

peer: lQzVetWl9YBMRMrQmX65WloNYkHQcqeE0JYtCYotVSY=
  preshared key: (hidden)
  allowed ips: 10.19.49.2/32

peer: IJfrAkjYdNKjPMKjBXa8rWwLrgW9yRM3/weHQKnKKAg=
  preshared key: (hidden)
  allowed ips: 10.19.49.3/32

peer: BMN/6cweI/JpGK4nxo7yjJuW/wUxAyCG0ijguvfNhmQ=
  preshared key: (hidden)
  allowed ips: 10.19.49.4/32

peer: lCWSIQ1jIabNfMlfwQjTq/KkhN/wJd7hU29JxnaNHnw=
  preshared key: (hidden)
  allowed ips: 10.19.49.5/32
ubuntu@ip-172-26-13-174:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1021-aws, x86_64):
  uptime: 10 minutes, since Aug 29 23:39:20 2019
  malloc: sbrk 1339392, mmap 0, used 425552, free 913840
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Virtual IP pools (size/online/offline):
  10.19.48.0/24: 254/0/0
  fd9d:bc11:4020::/48: 2147483646/0/0
Listening IP addresses:
  172.26.13.174
  10.19.49.1
Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
ikev2-pubkey:   local:  [35.180.38.177] uses public key authentication
ikev2-pubkey:    cert:  "CN=35.180.38.177"
ikev2-pubkey:   remote: uses public key authentication
ikev2-pubkey:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
ubuntu@ip-172-26-13-174:~$ service dnscrypt-proxy status
● dnscrypt-proxy.service - DNSCrypt-proxy client
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dnscrypt-proxy.service.d
           └─99-algo.conf
   Active: active (running) since Thu 2019-08-29 23:39:20 UTC; 10min ago
     Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
 Main PID: 779 (dnscrypt-proxy)
    Tasks: 7 (limit: 547)
   CGroup: /system.slice/dnscrypt-proxy.service
           └─779 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Source [/tmp/public-resolvers.md] loaded
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: dnscrypt-proxy 2.0.25
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Loading the set of IP blocking rules from [ip-blacklist.txt]
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Now listening to 172.25.84.2:53 [UDP]
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Now listening to 172.25.84.2:53 [TCP]
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.2.1:53
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: [cloudflare] OK (DoH) - rtt: 6ms
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: Server with the lowest initial latency: cloudflare (rtt: 6ms)
Aug 29 23:39:21 ip-172-26-13-174 dnscrypt-proxy[779]: dnscrypt-proxy is ready - live servers: 1
davidemyers commented 5 years ago

Did you open the necessary ports in the Lightsail firewall?

kakysha commented 5 years ago

Of course not. Thank you for the information; maybe this check should at least be traced by Ansible after setup is done? Now it works.
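A post-setup check along the lines of what kakysha asks for, added here as an example and not part of algo or of this thread: it parses the `sudo wg` and `ipsec statusall` output shown above and lists the inbound UDP ports the Lightsail instance firewall must allow. The WireGuard port is read from the `wg` output; 500 and 4500 are the standard IKE and NAT-T ports and are assumed whenever an IKEv2 connection is loaded, since strongSwan's status output does not print them.

```python
import re

# Constructed samples in the shape of the `sudo wg` and `ipsec statusall`
# output posted in the issue (keys abbreviated, not real key material).
WG_STATUS = """interface: wg0
  public key: tCjEC...TyM=
  listening port: 51820

peer: lQzVe...VSY=
  allowed ips: 10.19.49.2/32
"""
IPSEC_STATUS = """Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
Security Associations (0 up, 0 connecting):
  none
"""
# Standard IKEv2 ports (UDP 500 IKE, UDP 4500 NAT-T); assumed, not parsed.
IKEV2_UDP_PORTS = (500, 4500)

def wireguard_listen_port(wg_output):
    """Return the WireGuard listening port from `wg` output, or None if absent."""
    match = re.search(r"^\s*listening port:\s*(\d+)\s*$", wg_output, re.MULTILINE)
    return int(match.group(1)) if match else None

def ikev2_loaded(ipsec_output):
    """True when strongSwan lists at least one IKEv2 connection definition."""
    return re.search(r"^\S+:\s+\S+\s+IKEv2", ipsec_output, re.MULTILINE) is not None

def ikev2_sa_count(ipsec_output):
    """Number of IKE SAs up; 0 with clients configured points to a blocked port."""
    match = re.search(r"Security Associations \((\d+) up,", ipsec_output)
    return int(match.group(1)) if match else 0

def required_udp_ports(wg_output, ipsec_output):
    """UDP ports the cloud firewall must allow inbound for the detected services."""
    ports = set()
    wg_port = wireguard_listen_port(wg_output)
    if wg_port is not None:
        ports.add(wg_port)
    if ikev2_loaded(ipsec_output):
        ports.update(IKEV2_UDP_PORTS)
    return sorted(ports)

def firewall_report(wg_output, ipsec_output):
    """Reminder lines for the Lightsail 'Networking' firewall, one per rule."""
    lines = [f"allow inbound UDP {p}" for p in required_udp_ports(wg_output, ipsec_output)]
    if ikev2_loaded(ipsec_output) and ikev2_sa_count(ipsec_output) == 0:
        lines.append("note: IPsec shows 0 SAs up, consistent with UDP 500/4500 blocked")
    return lines
```

Run it on the server after the Ansible play finishes (feeding in the real command output) and compare the printed rules against the instance's Networking tab; the host firewall being open is not enough on Lightsail.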