trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Windows 10 | Algo Installation Fatal Error: Timeout when waiting for search string #1707

Open JasonWolf727 opened 4 years ago

JasonWolf727 commented 4 years ago

Operating System Windows 10

Describe the bug
This bug occurs during the installation, and I'm not sure what this is. I've tried looking up solutions to the problem, but it only seems to have happened to Mac users.

To Reproduce
Steps to reproduce the behavior:

  1. Follow steps for Windows installation of Algo and Ubuntu LTS packages
  2. Run ./algo

Expected behavior
Installation without any errors.

Additional context
I attempted uninstalling Ubuntu and Python 3.8 and reinstalling (Python 3.7 to see if the Mac solution back in the day would work) as well as uninstalling as much of Algo as I could find to try and fix the problem. Sadly, it didn't make a difference.

Full log

./algo
[WARNING]: Could not match supplied host pattern, ignoring: vpn-host
PLAY [localhost] ******************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************
ok: [localhost]
TASK [Playbook dir stat] **********************************************************************************************************
ok: [localhost]
TASK [Ensure Ansible is not being run in a world writable directory] **************************************************************
ok: [localhost] => {
"changed": false, 
"msg": "All assertions passed"
}
TASK [Ensure the requirements installed] ******************************************************************************************
ok: [localhost]
TASK [Set required ansible version as a fact] *************************************************************************************
ok: [localhost] => (item=ansible==2.8.3)
TASK [Verify Python meets Algo VPN requirements] **********************************************************************************
ok: [localhost] => {
"changed": false, 
"msg": "All assertions passed"
}
TASK [Verify Ansible meets Algo VPN requirements] *********************************************************************************
ok: [localhost] => {
"changed": false, 
"msg": "All assertions passed"
}
PLAY [Ask user for the input] *****************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)
Enter the number of your desired provider
:
TASK [Cloud prompt] ***************************************************************************************************************
ok: [localhost]
TASK [Set facts based on the input] ***********************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
TASK [VPN server name prompt] *****************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
TASK [Cellular On Demand prompt] **************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi
[y/N]
:
TASK [Wi-Fi On Demand prompt] *****************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand" (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
TASK [Trusted Wi-Fi networks prompt] **********************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
: 
TASK [Retain the PKI prompt] ******************************************************************************************************
ok: [localhost]
[DNS adblocking prompt] 
Do you want to enable DNS ad blocking on this VPN server? 
[y/N]
: 
TASK [DNS adblocking prompt] ******************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling? 
[y/N] 
: 
TASK [SSH tunneling prompt] *******************************************************************************************************
ok: [localhost]
TASK [Set facts based on the input] ***********************************************************************************************
ok: [localhost]
PLAY [Provision the server] *******************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************
ok: [localhost] 
--> Please include the following block of text when reporting issues:
Algo running on: Ubuntu 18.04.2 LTS (Virtualized: wsl)
Created from git fork. Last commit: 0efa4ea Ca certificate name constraints (#1675)
Python 3.6.7 
Runtime variables: 
algo_provider "digitalocean"
algo_ondemand_cellular "True"
algo_ondemand_wifi "True"
algo_ondemand_wifi_exclude "X251bGw="
algo_dns_adblocking "False"
algo_ssh_tunneling "False"
wireguard_enabled "True"
dns_encryption "True"
TASK [Display the invocation environment] *****************************************************************************************
changed: [localhost -> localhost]
TASK [Install the requirements] ***************************************************************************************************
changed: [localhost -> localhost]
TASK [Generate the SSH private key] ***********************************************************************************************
changed: [localhost]
TASK [Generate the SSH public key] ************************************************************************************************
changed: [localhost]
TASK [Copy the private SSH key to /tmp] *******************************************************************************************
changed: [localhost -> localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):

(output is hidden): 
TASK [cloud-digitalocean : pause] *************************************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set the token as a fact] *******************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Get regions] *******************************************************************************************
ok: [localhost] 
TASK [cloud-digitalocean : Set facts about the regions] ***************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set default region] ************************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
1. ams3     Amsterdam 3 
2. blr1     Bangalore 1 
3. fra1     Frankfurt 1
4. lon1     London 1
5. nyc1     New York 1 
6. nyc3     New York 3
7. sfo2     San Francisco 2 
8. sgp1     Singapore 1
9. tor1     Toronto 1 
Enter the number of your desired region 
[6] 
:  
TASK [cloud-digitalocean : pause] *************************************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set additional facts] **********************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Upload the SSH key] ************************************************************************************
changed: [localhost] 
TASK [cloud-digitalocean : Creating a droplet...] *********************************************************************************
changed: [localhost]
TASK [cloud-digitalocean : set_fact] **********************************************************************************************
ok: [localhost]
TASK [Set subjectAltName as a fact] ***********************************************************************************************
ok: [localhost]
TASK [Add the server to an inventory group] ***************************************************************************************
changed: [localhost]
TASK [Additional variables for the server] ****************************************************************************************
changed: [localhost]
TASK [Wait until SSH becomes ready...] ********************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 321, "msg": "Timeout when waiting for search string OpenSSH in 167.71.243.49:4160"}
included: /home/jasonwolf727/algo/playbooks/rescue.yml for localhost
TASK [debug] **********************************************************************************************************************
ok: [localhost] => { 
"fail_hint": [
"Sorry, but something went wrong!",
"Please check the troubleshooting guide.", 
"https://trailofbits.github.io/algo/troubleshooting.html"
]  
}
TASK [Fail the installation] ******************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}
PLAY RECAP ************************************************************************************************************************
localhost                  : ok=39   changed=9    unreachable=0    failed=1    skipped=0    rescued=1    ignored=0
davidemyers commented 4 years ago

Algo moves the SSH port to 4160. If you've used DigitalOcean before could you have set up a firewall that blocks this port? Or is it possible something on your local network or Windows system is blocking this port?

JasonWolf727 commented 4 years ago

Algo moves the SSH port to 4160. If you've used DigitalOcean before could you have set up a firewall that blocks this port? Or is it possible something on your local network or Windows system is blocking this port?

I bet it's likely the case that the port is blocked; I'm a student at a somewhat small university, and they block a good amount of stuff. Does there happen to be a list of other good port choices to try? (And correct me if I'm wrong, is changing the port done in the config.cfg file?)

davidemyers commented 4 years ago

In config.cfg try changing ssh_port to 22 (the SSH default), which they hopefully have not blocked.

Edited to add: Hopefully they haven't blocked the WireGuard port of 51820 either. If it's blocked try the OpenVPN port 1194.

JasonWolf727 commented 4 years ago

In config.cfg try changing ssh_port to 22 (the SSH default), which they hopefully have not blocked.

Edited to add: Hopefully they haven't blocked the WireGuard port of 51820 either. If it's blocked try the OpenVPN port 1194.

Ok; I tried changing the ssh_port to 22 and it sadly still didn't work. Then I thought to try installing while on a VPN; after all, maybe I could still connect through the WireGuard port after the installation finished. So I used a free vpn, and the installation went through successfully. (Once the installation finished I turned it off.)

I went to go test if it would connect to one of my users (my Windows 10 desktop) and installed WireGuard. I found the .conf for my desktop in the config folder for algo, and set it up in WireGuard. I tried activating it, which it did, went to my browser to test if I had internet, aaand..... nothing. Sadly, I think the WireGuard port must be blocked by my university as well (seriously, it's annoying how much they block).

Now, is there a way to edit the config to try the different WireGuard port you suggested earlier without having to destroy the droplet and install an entirely new one? And also, would you have any other suggestions that I could try out?

davidemyers commented 4 years ago

Changing the WireGuard port after the fact is not terribly difficult, but if your network is blocking SSH I have a feeling it will be difficult to find a port to use for WireGuard.

To change the WireGuard port, log in to the VPN server and change 51820 to your desired port in the following files:

/etc/iptables/rules.v4
/etc/iptables/rules.v6
/etc/wireguard/wg0.conf

Then reboot the server. After that change the port for the Endpoint in the WireGuard app on your client(s).

As a last resort you can try port 53, but that requires changes to more than just the files above so you should deploy a new server instead. This port might not work over a mobile data network.

As a last last resort you can deploy a server with ipsec_enabled: false and try using the IPsec ports of 500 or 4500. I can't recall anyone having tried this.
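A script for the port change described in the comment above, added here as an example rather than taken from Algo or from anyone in this thread. It rewrites only the `--dport` / `ListenPort` tokens in the three files listed, keeps a backup of each, writes through the existing file so wg0.conf (which holds the server private key) keeps its restrictive mode, and verifies the result before you reboot. The ROOT argument is an assumption of this script (default /etc) so the change can be rehearsed on a scratch copy first; the sample rule lines in make_scratch are constructed, not real Algo output.

```shell
#!/bin/sh
# Added example, not part of Algo or this thread: change the WireGuard port in
# the three files named above, keeping a backup, preserving file modes, and
# checking the result. Assumes Algo's default paths under ROOT (default /etc)
# and that the port appears as "--dport PORT" (iptables) or "ListenPort = PORT".
set -eu

wg_port_files() { # root -> the three files Algo writes the WireGuard port into
  printf '%s\n' "$1/iptables/rules.v4" "$1/iptables/rules.v6" "$1/wireguard/wg0.conf"
}

port_refs() { # file port -> number of lines referencing the port as dport/ListenPort
  grep -Ec "(--dport |ListenPort = )$2([^0-9]|\$)" "$1" || true
}

change_wg_port() { # old_port new_port [root]
  old=$1; new=$2; root=${3:-/etc}
  case $new in ''|*[!0-9]*) echo "not a port number: $new" >&2; return 1;; esac
  [ "$new" -ge 1 ] && [ "$new" -le 65535 ] || { echo "port out of range: $new" >&2; return 1; }
  for f in $(wg_port_files "$root"); do          # preflight: all files present, old port found
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ "$(port_refs "$f" "$old")" -ge 1 ] || { echo "port $old not found in $f" >&2; return 1; }
  done
  for f in $(wg_port_files "$root"); do
    cp -p "$f" "$f.bak"     # keep a copy: a typo here locks you out of the VPN
    # Write through the existing file (not mv) so wg0.conf keeps its 600 mode;
    # it holds the server private key. Only the dport/ListenPort token is touched.
    sed -E "s/(--dport |ListenPort = )${old}([^0-9]|\$)/\\1${new}\\2/g" "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
  done
  for f in $(wg_port_files "$root"); do          # verify before rebooting
    [ "$(port_refs "$f" "$old")" -eq 0 ] || { echo "old port still in $f" >&2; return 1; }
  done
  echo "changed $old -> $new under $root; reboot the server, then update Endpoint on each client"
}

# Constructed scratch tree with sample rule lines, to rehearse the change off-server.
make_scratch() { # dir
  mkdir -p "$1/iptables" "$1/wireguard"
  printf '%s\n' '*filter' '-A INPUT -p udp --dport 51820 -j ACCEPT' 'COMMIT' > "$1/iptables/rules.v4"
  printf '%s\n' '*filter' '-A INPUT -p udp --dport 51820 -j ACCEPT' 'COMMIT' > "$1/iptables/rules.v6"
  printf '%s\n' '[Interface]' 'ListenPort = 51820' 'PrivateKey = <placeholder>' > "$1/wireguard/wg0.conf"
  chmod 600 "$1/wireguard/wg0.conf"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_scratch "$d"; change_wg_port 51820 4500 "$d"; rm -rf "$d"
fi
```

Because the files are edited directly, do not run netfilter-persistent save afterwards from a live ruleset that still has the old port; the reboot the comment above calls for loads the edited rules.v4/rules.v6 as written.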

TC1977 commented 4 years ago

Don't forget to sudo netfilter-persistent save after changing the iptables rules. This only applies if you change the iptables rules by using the sudo iptables -A... and sudo ip6tables -A... commands.

davidemyers commented 4 years ago

Don't forget to sudo netfilter-persistent save after changing the iptables rules.

That will overwrite any changes made to rules.v4 and rules.v6.

codedmon commented 4 years ago

Has anyone tried tunneling UDP through TCP? This forum discusses it but I'm not sure how secure it is.

https://news.ycombinator.com/item?id=17846891

My work WiFi blocks UDP but OpenVPN works, which is TCP. I would rather use Wireguard though.