Describe the bug

The SSH-tunneling option does not work.

To Reproduce

    pkg install bash
    chsh -s /bin/bash root
    *** relogin

    pkg install git
    cd
    git clone https://github.com/trailofbits/algo

    pkg install py37-ansible
    pkg install py37-pip
    pkg install py37-openssl
    pkg install base64

    portsnap fetch
    portsnap extract
    portsnap update

    cd /usr/ports/security/openssl
    make config    *** add SSLv3 option.
    make install clean

    cd /usr/local/bin
    ln -s python3.7 python3
    ln -s pip-3.7 pip3
    cd ~/algo

    python3 -m ensurepip
    python3 -m pip install -U -r requirements.txt

FreeBSD can't reset the connection:

    [WARNING]: Reset is not implemented for this connection

*** and the script stopped.

To resolve this, you need to edit cloud-post.yml:

    ee ~/algo/playbooks/cloud-post.yml

Delete:

    wait_for_connection:
    delegate_to: "{{ item }}"
    loop: "{{ groups['vpn-host'] }}"

Add:

    pause:
      seconds: 20

Then:

    ee ~/algo/config.cfg    (add users)
    ansible-playbook main.yml -e "provider=local"

*If you enable "SSH-tunneling", the script stops with an error.
*I could not solve this problem. ((

Expected behavior

All other options can be enabled by saying "yes". Everything is successfully installed and launched.

Additional context

One more problem, relevant only for DigitalOcean: turning on the NAT reduces the speed on the output interface to almost zero (( Probably some anti-spoofing rules are activated.

    [root@freebsd-algo ~]# ps ax | grep nat
    99806 - Ss 0:00.95 /sbin/natd -dynamic -m -n vtnet0
    4029 1 R+ 0:00.00 grep nat

    [root@freebsd-algo ~]# ipfw list
    00050 divert 8668 ip4 from any to any via vtnet0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from any to ::1
    00500 deny ip from ::1 to any
    00600 allow ipv6-icmp from :: to ff02::/16
    00700 allow ipv6-icmp from fe80::/10 to fe80::/10
    00800 allow ipv6-icmp from fe80::/10 to ff02::/16
    00900 allow ipv6-icmp from any to any icmp6types 1
    01000 allow ipv6-icmp from any to any icmp6types 2,135,136
    65000 allow ip from any to any
    65535 deny ip from any to any
    [root@freebsd-algo ~]#

    ipfw delete 50

This unlocks the speed on the output interface, but then the VPN server stops working ((

Full log

    TASK [ssh_tunneling : Get active users] ****
    ok: [localhost]

    TASK [ssh_tunneling : Delete non-existing users] ***
    fatal: [localhost]: FAILED! => {"msg": "list object has no element 2"}
    included: /root/algo/playbooks/rescue.yml for localhost

    TASK [Fail the installation] ***
    fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested fr