trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.98k stars 2.32k forks

Confirming: one can create a Wireguard server _without_ IPSec, correct? #1578

Closed johnnyutahh closed 5 years ago

johnnyutahh commented 5 years ago

Summary:

I want to confirm: using Algo VPN, one can create a fully-functional, properly-working Wireguard server completely without installing IPSec-based stuff, correct?

If so, I presume this means running the Ansible installation with only role=wireguard, or something similar - also correct?

More details:

Further, as I understand it, Wireguard is a (purposely) completely different animal than an IPSec-based VPN server. As such, I do not understand why the install options appear so "intermingled" (between Wireguard and IPSec) in the Algo installation docs. I'd feel more comfortable if the docs explicitly outlined these procedures for the following options:

  1. do this to install IPSec
  2. do this to install Wireguard
  3. do this to do both (if for some reason you need to support clients for both 1. and 2.)

Instead, I'm left to guess (?) what roles and variables (?) need to be provided to ansible-playbook in what combinations, not (yet, anyway) understanding what roles/variables/defaults depend on the others.

I love the flexible concept of the Ansible roles/variables/parameters; I do not like having to guess which combinations work and which ones do not work. To suggest all combinations are known, tested systems triggers my skepticism: the Algo team tested (and continues to run automated regression tests on new versions of the software used in all the combinations) ALL the combinations? Seems far fetched. Impressive if this is done, though. I'd hate to be the one running that larger-scoped (because of all the combinations), automated, ongoing test harness/system. Unless... there really are a limited number of interdependent combinations, and everything is simply an "add on", with each component independently functioning/operating? If so, why not simply spell out 1., 2., and 3. as per above?

In any case: for my team's environment, we are investigating creating a completely-new ecosystem/network of hosts that are devoid of any IPSec-VPN and employ only Wireguard. And I want to ensure Algo can play nicely with this kind of approach, before I spend time trying to make it work. (Hopefully, it's easy... but I'm first writing this investigative, proactive note attempting to generate more confidence before we try to build a Wireguard rig via Algo.)

davidemyers commented 5 years ago

Algo installs both IPsec and WireGuard by default. To prevent the installation of IPsec, edit config.cfg and set ipsec_enabled: false.

TC1977 commented 5 years ago

As in the deploy from Ansible docs, if you're looking for a non-interactive way to deploy a Wireguard-only server, you can use --skip-tags ipsec which will skip all the tasks labeled ipsec (strongswan, etc). If you try to install using only the wireguard role you'll likely fail.

So for example, I just installed a Wireguard-only server on AWS using the following command:

ansible-playbook main.yml --skip-tags ipsec -e "provider=ec2
> server_name=algotest1
> ondemand_cellular=false
> ondemand_wifi=false
> dns_adblocking=true
> ssh_tunneling=true
> store_pki=false
> region=us-east-1"

and then entering my AWS access key and secret key at the prompts. (I could've added those into the command but chose not to 🤷‍♂ ).

So I kind of obliquely mentioned how to do this in the Ansible docs, but I admit it could be more clear. Should explicit instructions for IPsec-only or Wireguard-only be added to the docs?

I don't know how anyone could test every single combination of roles and variables - just with the five Boolean variables listed, plus the provider variable which has eight (soon to be nine) options, that's 256 options right there.

EDIT: Keep in mind that the usage of tags was deprecated, and that any extra variables you need (normally specified in config.cfg or otherwise) can be specified with -e. So the following command works as well, and will probably hold up better to future codebase changes:

ansible-playbook main.yml -e "ipsec_enabled=false"

You can of course also specify any other variables you need (although store_pki isn't required when IPsec is disabled). And ansible-playbook main.yml -e "wireguard_enabled=false" works to create an IPsec-only server.
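A post-deployment check, added here as an example and not part of the Algo project or of any comment above: after deploying with `ansible-playbook main.yml -e "ipsec_enabled=false"`, run it on the server to confirm that only WireGuard is actually listening. It assumes Algo's default WireGuard port (UDP 51820) and the standard IKE/NAT-T ports (UDP 500 and 4500); the `ss -lunH` samples are constructed, not real captures.

```shell
#!/bin/sh
# verify_vpn_listeners MODE SS_OUTPUT
#   MODE is "wireguard", "ipsec" or "both"; SS_OUTPUT is the text of
#   `ss -lunH` (UDP listeners, no header line). Returns 0 when the open
#   UDP ports match MODE, 1 when they do not, 2 for an unknown MODE.
#   Assumed ports: WireGuard 51820 (Algo default), IKE 500 and 4500.
verify_vpn_listeners() {
    mode=$1
    ss_output=$2
    # Column 4 of ss output is "local-address:port"; keep the port only.
    ports=$(printf '%s\n' "$ss_output" | awk '{print $4}' | sed 's/.*://' | sort -u)
    have_wg=0; have_ike=0
    for p in $ports; do
        case $p in
            51820)    have_wg=1 ;;
            500|4500) have_ike=1 ;;
        esac
    done
    case $mode in
        wireguard) want_wg=1; want_ike=0 ;;
        ipsec)     want_wg=0; want_ike=1 ;;
        both)      want_wg=1; want_ike=1 ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    rc=0
    [ "$have_wg" -eq "$want_wg" ] || { echo "WireGuard listener: expected $want_wg, found $have_wg"; rc=1; }
    [ "$have_ike" -eq "$want_ike" ] || { echo "IKE listener: expected $want_ike, found $have_ike"; rc=1; }
    return $rc
}

# Constructed sample of `ss -lunH` from a WireGuard-only host
# (the :53 listener is systemd-resolved, unrelated to the VPN).
SAMPLE_WG_ONLY='UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::]:51820 [::]:*'

# Constructed sample from a host where IPsec was left enabled.
SAMPLE_BOTH='UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*'

# On a real server: verify_vpn_listeners wireguard "$(ss -lunH)"
```

A non-zero exit from the check is the signal that the `-e` variables did not take effect (for example because a deprecated tag was relied on instead), so re-run the playbook rather than assuming the IPsec daemon is absent.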