trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.98k stars 2.32k forks

DigitalOcean: Failed to connect to host #1613

Closed anvarit closed 4 years ago

anvarit commented 5 years ago

Deployment host: Ubuntu 18.04
Default config.cfg (users changed / added)
Amsterdam region in DO

Errors out with server unreachable. Server is created in DO and is reachable over port 22.

Log:

```
.env) root@ubuntu:/home/thomas/algo# ./algo
 [WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] **

TASK [Gathering Facts] ****
ok: [localhost]

TASK [Ensure the requirements installed] **
ok: [localhost]

TASK [Set required ansible version as a fact] *****
ok: [localhost] => (item=ansible==2.8.3)

TASK [Verify Python meets Algo VPN requirements] **
ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

TASK [Verify Ansible meets Algo VPN requirements] *****
ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

PLAY [Ask user for the input] *****

TASK [Gathering Facts] ****
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Hetzner Cloud
  7. Vultr
  8. Scaleway
  9. OpenStack (DreamCompute optimised)
  10. CloudStack (Exoscale optimised)
  11. Install to existing Ubuntu 18.04 or 19.04 server (Advanced)

Enter the number of your desired provider :

TASK [Cloud prompt] ***
ok: [localhost]

TASK [Set facts based on the input] ***
ok: [localhost]
[VPN server name prompt]
Name the vpn server [algo] :

TASK [VPN server name prompt] *****
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N] :

TASK [Cellular On Demand prompt] **
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N] :

TASK [Wi-Fi On Demand prompt] *****
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) [y/N] :

TASK [Retain the PKI prompt] **
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server? [y/N] :

TASK [DNS adblocking prompt] **
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling? [y/N] :

TASK [SSH tunneling prompt] ***
ok: [localhost]

TASK [Set facts based on the input] ***
ok: [localhost]

PLAY [Provision the server] ***

TASK [Gathering Facts] ****
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 19.04 (Virtualized: vmware)
Created from git clone. Last commit: 88eaf30 Update README.md (#1602)
Python 3.7.3
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "True"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] *****
changed: [localhost -> localhost]

TASK [Install the requirements] ***
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ***
changed: [localhost]

TASK [Generate the SSH public key] ****
changed: [localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
(output is hidden):

TASK [cloud-digitalocean : pause] *****
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ***
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ***
ok: [localhost]

TASK [cloud-digitalocean : Set facts about the regions] ***
ok: [localhost]

TASK [cloud-digitalocean : Set default region] ****
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
  1. ams3 Amsterdam 3
  2. blr1 Bangalore 1
  3. fra1 Frankfurt 1
  4. lon1 London 1
  5. nyc1 New York 1
  6. nyc3 New York 3
  7. sfo2 San Francisco 2
  8. sgp1 Singapore 1
  9. tor1 Toronto 1

Enter the number of your desired region [6] :

TASK [cloud-digitalocean : pause] *****
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] **
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ****
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] *****
ok: [localhost]

TASK [cloud-digitalocean : set_fact] **
ok: [localhost]

TASK [Set subjectAltName as a fact] ***
ok: [localhost]

TASK [Add the server to an inventory group] ***
changed: [localhost]

TASK [Additional variables for the server] ****
changed: [localhost]

TASK [Wait until SSH becomes ready...] ****
ok: [localhost]

TASK [Linux | set OS specific facts] **
ok: [localhost]

TASK [Set config paths as facts] **
ok: [localhost]

TASK [Update config paths] ****
changed: [localhost]

TASK [debug] **
ok: [localhost] => { "IP_subject_alt_name": "178.62.244.24" }
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ***
ok: [localhost]

PLAY [Configure the server and install required software] *****

TASK [common : Check the system] **
fatal: [178.62.244.24]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '178.62.244.24' (ECDSA) to the list of known hosts.\r\nroot@178.62.244.24: Permission denied (publickey).", "unreachable": true}

PLAY RECAP ****
178.62.244.24              : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
localhost                  : ok=39   changed=8    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0
```

davidemyers commented 5 years ago

Is this repeatable (not just temporary slowness at AMS3)?

I wonder if there's a permissions issue (SSH can be very picky). I see you're running as root. For a cloud deployment you should only need root for installing python3-virtualenv. As a regular user, try cloning a new copy, re-running the python3 -m virtualenv ... stuff, and then try ./algo again.

jtyers commented 5 years ago

I was getting this too. I think algo (or more likely I) somehow managed to get the droplet into a state where the wrong SSH key was present in authorized_keys. Deleting the droplet and allowing algo to re-create it from scratch fixed it for me.
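One way to confirm the mismatch jtyers describes before deleting the droplet, as an added example that is not part of this thread or of Algo's own code: compare the SHA256 fingerprint of the public key Algo generated on the deploy host with the fingerprints of every key in the droplet's authorized_keys (the same value `ssh-keygen -lf` prints). The key lines below are constructed test data; in practice read the local `.pub` file and the server's `/root/.ssh/authorized_keys`.

```python
import base64
import hashlib


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one OpenSSH public-key line, the value ssh-keygen -lf prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])  # the wire-format key blob
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")  # OpenSSH drops the '=' padding


def authorized_fingerprints(authorized_keys: str) -> set:
    """Fingerprints of every key in an authorized_keys file; comments and blank lines are skipped."""
    found = set()
    for line in authorized_keys.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # A line may start with options (e.g. 'no-pty'), so locate the key-type field first.
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-")):
                found.add(ssh_fingerprint(" ".join(fields[i:i + 2])))
                break
    return found


def key_is_authorized(local_pub: str, authorized_keys: str) -> bool:
    """True when the local public key is one the server's authorized_keys would accept."""
    return ssh_fingerprint(local_pub) in authorized_fingerprints(authorized_keys)


def _constructed_ed25519_pub(seed: bytes, comment: str) -> str:
    """Build a structurally valid ssh-ed25519 line from arbitrary bytes (constructed test data, not a real key)."""
    key_type = b"ssh-ed25519"
    point = hashlib.sha256(seed).digest()  # 32 arbitrary bytes standing in for the public point
    blob = len(key_type).to_bytes(4, "big") + key_type + len(point).to_bytes(4, "big") + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample data: the key generated on this run vs. what a stale droplet still holds.
LOCAL_PUB = _constructed_ed25519_pub(b"this-run", "algo@laptop")
STALE_AUTHORIZED_KEYS = "# left over from an earlier deploy\n" + _constructed_ed25519_pub(b"old-run", "algo@old")
RECREATED_AUTHORIZED_KEYS = STALE_AUTHORIZED_KEYS + "\n" + LOCAL_PUB

if __name__ == "__main__":
    print("local key:", ssh_fingerprint(LOCAL_PUB))
    print("stale droplet:", key_is_authorized(LOCAL_PUB, STALE_AUTHORIZED_KEYS), "re-created droplet:", key_is_authorized(LOCAL_PUB, RECREATED_AUTHORIZED_KEYS))
```

A local fingerprint that is absent from the server's set is exactly the condition that produces `Permission denied (publickey)` in the log above, so the check tells a stale droplet apart from a transient region problem.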

jackivanov commented 5 years ago

OK, we will inject the right SSH key via cloud-init to avoid any discrepancy