trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Timeout when waiting for search string OpenSSH #1683

Open TarekSalama opened 4 years ago

TarekSalama commented 4 years ago

I can't get Algo to install on Vultr. This is my log.

(.env) algo % ./algo
 [WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Playbook dir stat] *******************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***********
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] ***************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **********************************
ok: [localhost] => (item=ansible==2.8.3)

TASK [Verify Python meets Algo VPN requirements] *******************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ******************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Ask user for the input] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Install to existing Ubuntu 18.04, 19.04, or 19.10 server (Advanced)

Enter the number of your desired provider
:

TASK [Cloud prompt] ************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:

TASK [VPN server name prompt] **************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] ***************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ****************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Mac OS X 10.15.2
Created from git clone. Last commit: 0629aa5 Update badge
Python 3.7.4
Runtime variables:
    algo_provider "vultr"
    algo_dns_adblocking "True"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] **************************************
changed: [localhost -> localhost]

TASK [Install the requirements] ************************************************
ok: [localhost -> localhost]

TASK [Generate the SSH private key] ********************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] ****************************************
ok: [localhost -> localhost]
[cloud-vultr : pause]
Enter the local path to your configuration INI file
(https://trailofbits.github.io/algo/cloud-vultr.html):
:

TASK [cloud-vultr : pause] *****************************************************
ok: [localhost]

TASK [cloud-vultr : Set the token as a fact] ***********************************
ok: [localhost]

TASK [cloud-vultr : Get regions] ***********************************************
ok: [localhost]

TASK [cloud-vultr : Format regions] ********************************************
ok: [localhost]

TASK [cloud-vultr : Set regions as a fact] *************************************
ok: [localhost]

TASK [cloud-vultr : Set default region] ****************************************
ok: [localhost]
[cloud-vultr : pause]
What region should the server be located in?
(https://www.vultr.com/locations/):
    1.   Sydney
    2.   Toronto
    3.   Frankfurt
    4.   Paris
    5.   London
    6.   Tokyo
    7.   Amsterdam
    8.   Singapore
    9.   Atlanta
    10.   Chicago
    11.   Dallas
    12.   Los Angeles
    13.   Miami
    14.   New Jersey
    15.   Seattle
    16.   Silicon Valley

Enter the number of your desired region
[14]
:

TASK [cloud-vultr : pause] *****************************************************
ok: [localhost]

TASK [cloud-vultr : Set the desired region as a fact] **************************
ok: [localhost]

TASK [cloud-vultr : Creating a firewall group] *********************************
ok: [localhost]

TASK [cloud-vultr : Creating firewall rules] ***********************************
ok: [localhost] => (item={'protocol': 'tcp', 'port': 4160, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
ok: [localhost] => (item={'protocol': 'tcp', 'port': 4160, 'ip': 'v6', 'cidr': '::/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 500, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 500, 'ip': 'v6', 'cidr': '::/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 4500, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 4500, 'ip': 'v6', 'cidr': '::/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 51820, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
ok: [localhost] => (item={'protocol': 'udp', 'port': 51820, 'ip': 'v6', 'cidr': '::/0'})

TASK [cloud-vultr : Upload the startup script] *********************************
ok: [localhost]

TASK [cloud-vultr : Creating a server] *****************************************
changed: [localhost]

TASK [cloud-vultr : set_fact] **************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ********************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************
changed: [localhost]

TASK [Additional variables for the server] *************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 320, "msg": "Timeout when waiting for search string OpenSSH in 155.138.160.61:4160"}
included: /Users/tarek/Documents/algo/playbooks/rescue.yml for localhost

TASK [debug] *******************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] ***************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP *********************************************************************
localhost                  : ok=38   changed=4    unreachable=0    failed=1    skipped=4    rescued=1    ignored=0

Cryptobyte commented 4 years ago

I'm having the same issue as well, tried:

Neither thing seems to work

davidemyers commented 4 years ago

I can recreate this. @jackivanov It looks like cloud-init/base.sh is not being run.

barrio commented 4 years ago

I'm getting the same error on a freshly created Hetzner CX11 running Ubuntu 20.04. I cloned the repo with git. Retry on another new VPS of the same type also failed.

barrio commented 4 years ago

Retried once more with default config, also fails.

filipegorges commented 3 years ago

Also having the same error, but attempting to run on an EC2 on region east-us-1

barrio commented 3 years ago

Would anyone please be so kind as to open this issue again and give a comment? According to the docs Hetzner cloud is a supported provider and I followed all the steps as described in the docs. TNX

barrio commented 3 years ago

When using advanced setup with Ubuntu 20.04 on the same server, the playbook hangs at:

TASK [debug] ** ok: [localhost] => { "IP_subject_alt_name":

emil-simeonov-se commented 3 years ago

I can confirm that the issue still exists. No luck with provisioning Hetzner cloud instances (CX11). My server there is running Ubuntu 20.04. Is there any known workaround that could be applied?

combes commented 3 years ago

I can also confirm this issue still exists on master branch (728b8aae0637a4f3d8374782c4d9426e3b3ef177):

I had previously installed AlgoVPN and it ran fine, but had to change my trusted servers recently.

Errors:

TASK [Additional variables for the server]
changed: [localhost]

TASK [Wait until SSH becomes ready...] ***
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 321, "msg": "Timeout when waiting for search string OpenSSH in

TASK [Fail the installation] ***
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

I'm guessing something changed on AWS, as I tried the version I used previously 060b4018801f17b87c9c7997cf8367f346de8390 and it also fails.

Can someone test Amazon Lightsail to isolate the issue? Thanks!

combes commented 3 years ago

I was able to get this working again by selecting "yes" for...

[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]

I previously had only one user listed in config.cfg but this time added two users.

sanketshahc commented 2 years ago

I was able to get this working again by selecting "yes" for...

[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]

I previously had only one user listed in config.cfg but this time added two users.

me too

rozag commented 2 years ago

I've encountered this issue (on this commit a103d8dd169beddb812863c9d77d5d7ce96d84e4) as well and have finally managed to solve it, hope this report helps someone in the future.

  1. I'm using DigitalOcean for other things, so I've decided to run algo there as well
  2. My first attempt was on macOS Big Sur 11.6.1, no luck, that's the error message I got:
    fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 321, "msg": "Timeout when waiting for search string OpenSSH in ***.***.***.***:4160"}
  3. My first guess was that something is wrong with my home set-up. However, I had one other Ubuntu 18.04 droplet on DO, so I decided to use it as a localhost to spin another droplet with algo. No luck there as well, same error message.
  4. Then I found this issue and tried answering y for the SSH prompt. No luck either. Same error.
    [SSH tunneling prompt]
    Do you want each user to have their own account for SSH tunneling?
    [y/N]
  5. Then I found the ufw disable in https://github.com/trailofbits/algo/issues/14378. Still no luck. Same error.
  6. Tried to use different ports as discussed here https://github.com/trailofbits/algo/issues/1707 and here https://github.com/trailofbits/algo/issues/14129. Guess what? No luck.
  7. The solution. Finally, I've spotted that the IP in ***.***.***.***:4160 is somewhat suspicious and looks like a VPC IP of DO. And that's when I finally found this https://github.com/trailofbits/algo/issues/14387 and this https://github.com/trailofbits/algo/issues/14420. Running ./algo -vvv confirmed that this internal private IP is the first item of v4 list (only meaningful part of JSON left):
    {
      "data": {
        "droplet": {
          "networks": {
            "v4": [
              {
                "gateway": "XXX.XXX.XXX.XXX",
                "ip_address": "***.***.***.***",
                "netmask": "255.255.0.0",
                "type": "private"
              },
              {
                "gateway": "XXX.XXX.XXX.XXX",
                "ip_address": "+++.+++.+++.+++",
                "netmask": "255.255.240.0",
                "type": "public"
              }
            ]
          }
        }
      }
    }

    So, the +++.+++.+++.+++ IP should be used instead of ***.***.***.*** IP. We just need to make the algo use it. Fair enough, in the file ./roles/cloud-digitalocean/tasks/main.yml in the set_fact section change cloud_instance_ip value from

    cloud_instance_ip: "{{ digital_ocean_droplet.data.droplet.networks.v4.0.ip_address }}"

    to

    cloud_instance_ip: "{{ digital_ocean_droplet.data.droplet.networks.v4.1.ip_address }}"

    That's it, we just need the 2nd item of the v4 list. After that everything works as expected. Hope it helps somebody.
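
An added example, not part of the comment above or of Algo's own code: the same selection made by the entry's type field instead of by list position, so it does not depend on whether the private VPC entry comes first. The function name and the sample addresses are constructed for illustration, and the function raises a clear error when the expected keys are absent or no public entry exists.

```python
import ipaddress

# RFC 1918 ranges; an address from these is not reachable from the installer's host.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like the trimmed `./algo -vvv` output above.
# Addresses are invented: 10.114.0.2 stands in for the VPC address,
# 203.0.113.10 (documentation range) for the public one.
SAMPLE = {
    "data": {"droplet": {"networks": {"v4": [
        {"gateway": "10.114.0.1", "ip_address": "10.114.0.2",
         "netmask": "255.255.0.0", "type": "private"},
        {"gateway": "203.0.113.1", "ip_address": "203.0.113.10",
         "netmask": "255.255.240.0", "type": "public"},
    ]}}}
}


def public_ipv4(result):
    """Return the droplet's public IPv4 address, chosen by `type`.

    Raises ValueError when the structure is missing, when no entry is
    marked public, or when the "public" entry is an RFC 1918 address.
    """
    try:
        entries = result["data"]["droplet"]["networks"]["v4"]
    except (KeyError, TypeError) as exc:
        raise ValueError(f"unexpected module output, missing {exc}") from exc
    for entry in entries:
        if entry.get("type") != "public":
            continue  # skip the VPC/private entry wherever it sits in the list
        addr = ipaddress.ip_address(entry["ip_address"])
        if any(addr in net for net in RFC1918):
            raise ValueError(f"{addr} is marked public but is RFC 1918")
        return str(addr)
    raise ValueError("no public IPv4 address in networks.v4")


if __name__ == "__main__":
    print(public_ipv4(SAMPLE))
```

In a playbook the equivalent selection can be expressed with Jinja2's selectattr filter on the type attribute rather than a fixed index.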

mattc58 commented 2 years ago

Thank you @rozag, this worked for me today on Digital Ocean

sellersshrug0y commented 2 years ago

@rozag thank you!!

sashokpilipok7 commented 2 years ago

@rozag Thank you very much, but I have such issues after those changes.

fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'droplet'\n\nThe error appears to be in '/Users/***/algo/roles/cloud-digitalocean/tasks/main.yml': line 46, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- set_fact:\n ^ here\n"}

TASK [include_tasks] ***
included: /Users/****/algo/playbooks/rescue.yml for localhost

TASK [debug] ***
ok: [localhost] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }

TASK [Fail the installation] ***
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}