trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.93k stars 2.32k forks

Unable to start service wg-quick@wg0 #1804

Closed ComputerJy closed 4 years ago

ComputerJy commented 4 years ago

I tried to install from WSL then I created a new Ubuntu 18.04 instance on Lightsail and ran the instructions as I usually do. On the new Ubuntu instance I used the default config.

Every time I tried to run the algo command I ended up getting the below error:

Unable to start service wg-quick@wg0: Job for wg-quick@wg0.service failed because the control process exited with error code.\nSee \"systemctl status wg-quick@wg0.service\" and \"journalctl -xe\" for details.\n

A clear and concise description of what the bug is.

To Reproduce

user@server:~$ sudo apt update && sudo apt full-upgrade --assume-yes
Hit:1 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:5 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/main Sources [318 kB]
Get:6 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/restricted Sources [7444 B]
Get:7 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/universe Sources [283 kB]
Get:8 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [947 kB]
Get:9 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [322 kB]
Get:10 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [54.9 kB]
Get:11 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/restricted Translation-en [13.7 kB]
Get:12 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1075 kB]
Get:13 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [334 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe Sources [169 kB]
Get:15 http://security.ubuntu.com/ubuntu bionic-security/restricted Sources [5376 B]
Get:16 http://security.ubuntu.com/ubuntu bionic-security/main Sources [150 kB]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [720 kB]
Get:18 http://security.ubuntu.com/ubuntu bionic-security/main Translation-en [227 kB]
Get:19 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [43.5 kB]
Get:20 http://security.ubuntu.com/ubuntu bionic-security/restricted Translation-en [10.8 kB]
Get:21 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [666 kB]
Get:22 http://security.ubuntu.com/ubuntu bionic-security/universe Translation-en [221 kB]
Fetched 5821 kB in 3s (2107 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
After this operation, 5139 kB of additional disk space will be used.
Get:1 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 python-pip-whl all 9.0.1-2.3~ubuntu1.18.04.1 [1653 kB]
Get:2 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python3-lib2to3 all 3.6.9-1~18.04 [77.4 kB]
Get:3 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python3-distutils all 3.6.9-1~18.04 [144 kB]

Get:4 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu bionic/universe amd64 python3-virtualenv all 15.1.0+ds-1.1 [43.4 kB]
Fetched 1918 kB in 0s (5076 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 85108 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_9.0.1-2.3~ubuntu1.18.04.1_all.deb ...
Unpacking python-pip-whl (9.0.1-2.3~ubuntu1.18.04.1) ...
Selecting previously unselected package python3-lib2to3.
Preparing to unpack .../python3-lib2to3_3.6.9-1~18.04_all.deb ...
Unpacking python3-lib2to3 (3.6.9-1~18.04) ...
Selecting previously unselected package python3-distutils.
Preparing to unpack .../python3-distutils_3.6.9-1~18.04_all.deb ...
Unpacking python3-distutils (3.6.9-1~18.04) ...
Selecting previously unselected package python3-virtualenv.
Preparing to unpack .../python3-virtualenv_15.1.0+ds-1.1_all.deb ...
Unpacking python3-virtualenv (15.1.0+ds-1.1) ...
Setting up python-pip-whl (9.0.1-2.3~ubuntu1.18.04.1) ...
Setting up python3-lib2to3 (3.6.9-1~18.04) ...
Setting up python3-distutils (3.6.9-1~18.04) ...
Setting up python3-virtualenv (15.1.0+ds-1.1) ...
user@server:~$ git clone https://github.com/trailofbits/algo
Cloning into 'algo'...
remote: Enumerating objects: 1, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 6748 (delta 0), reused 0 (delta 0), pack-reused 6747
Receiving objects: 100% (6748/6748), 2.78 MiB | 4.35 MiB/s, done.
Resolving deltas: 100% (3860/3860), done.
user@server:~$ cd algo/
user@server:~/algo$ vim config.cfg
user@server:~/algo$ python3 -m virtualenv --python="$(command -v python3)" .env &&
>   source .env/bin/activate &&
>   python3 -m pip install -U pip virtualenv &&
>   python3 -m pip install -r requirements.txt
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/ubuntu/algo/.env/bin/python3
Also creating executable in /home/ubuntu/algo/.env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
Requirement already up-to-date: pip in ./.env/lib/python3.6/site-packages (20.1.1)
Collecting virtualenv
  Downloading virtualenv-20.0.21-py2.py3-none-any.whl (4.7 MB)
     |████████████████████████████████| 4.7 MB 11.3 MB/s
Collecting appdirs<2,>=1.4.3
  Downloading appdirs-1.4.4-py2.py3-none-any.whl (9.6 kB)
Collecting filelock<4,>=3.0.0
  Downloading filelock-3.0.12-py3-none-any.whl (7.6 kB)
Collecting importlib-resources<2,>=1.0; python_version < "3.7"
  Downloading importlib_resources-1.5.0-py2.py3-none-any.whl (21 kB)
Collecting six<2,>=1.9.0
  Downloading six-1.14.0-py2.py3-none-any.whl (10 kB)
Collecting importlib-metadata<2,>=0.12; python_version < "3.8"
  Downloading importlib_metadata-1.6.0-py2.py3-none-any.whl (30 kB)
Collecting distlib<1,>=0.3.0
  Downloading distlib-0.3.0.zip (571 kB)
     |████████████████████████████████| 571 kB 44.1 MB/s
Collecting zipp>=0.4; python_version < "3.8"
  Downloading zipp-3.1.0-py3-none-any.whl (4.9 kB)
Building wheels for collected packages: distlib
  Building wheel for distlib (setup.py) ... done
  Created wheel for distlib: filename=distlib-0.3.0-py3-none-any.whl size=340427 sha256=7a99c8206e2f98885e9bfe9a840e3f64907640b64b351f212e3988395abad540
  Stored in directory: /home/ubuntu/.cache/pip/wheels/33/d9/71/e4e3cac73529e1947df418af0f140cd7589d5d9ec0e17ecfc2
Successfully built distlib
Installing collected packages: appdirs, filelock, zipp, importlib-metadata, importlib-resources, six, distlib, virtualenv
Successfully installed appdirs-1.4.4 distlib-0.3.0 filelock-3.0.12 importlib-metadata-1.6.0 importlib-resources-1.5.0 six-1.14.0 virtualenv-20.0.21 zipp-3.1.0
Collecting ansible==2.8.8
  Downloading ansible-2.8.8.tar.gz (12.7 MB)
     |████████████████████████████████| 12.7 MB 11.4 MB/s
Collecting netaddr
  Downloading netaddr-0.7.19-py2.py3-none-any.whl (1.6 MB)
     |████████████████████████████████| 1.6 MB 31.7 MB/s
Collecting jinja2
  Downloading Jinja2-2.11.2-py2.py3-none-any.whl (125 kB)
     |████████████████████████████████| 125 kB 53.5 MB/s
Collecting PyYAML
  Downloading PyYAML-5.3.1.tar.gz (269 kB)
     |████████████████████████████████| 269 kB 37.3 MB/s
Collecting cryptography
  Downloading cryptography-2.9.2-cp35-abi3-manylinux2010_x86_64.whl (2.7 MB)
     |████████████████████████████████| 2.7 MB 29.1 MB/s
Collecting MarkupSafe>=0.23
  Downloading MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl (27 kB)
Collecting cffi!=1.11.3,>=1.8
  Downloading cffi-1.14.0-cp36-cp36m-manylinux1_x86_64.whl (399 kB)
     |████████████████████████████████| 399 kB 27.5 MB/s
Requirement already satisfied: six>=1.4.1 in ./.env/lib/python3.6/site-packages (from cryptography->ansible==2.8.8->-r requirements.txt (line 1)) (1.14.0)
Collecting pycparser
  Downloading pycparser-2.20-py2.py3-none-any.whl (112 kB)
     |████████████████████████████████| 112 kB 51.5 MB/s
Building wheels for collected packages: ansible, PyYAML
  Building wheel for ansible (setup.py) ... done
  Created wheel for ansible: filename=ansible-2.8.8-py3-none-any.whl size=12650706 sha256=41870833ca1ab43c145ab10eabd0292ac7178547f806008a0a1d77c429da175e
  Stored in directory: /home/ubuntu/.cache/pip/wheels/f5/3b/6b/6e4fc9377e5e6d2bc064d5eadea8cb84ab620d276cbd0e185c
  Building wheel for PyYAML (setup.py) ... done
  Created wheel for PyYAML: filename=PyYAML-5.3.1-cp36-cp36m-linux_x86_64.whl size=44621 sha256=ca57d7cc6e89717064bf498ea10a182c59441d107dac57ab347e7297b7c24ece
  Stored in directory: /home/ubuntu/.cache/pip/wheels/e5/9d/ad/2ee53cf262cba1ffd8afe1487eef788ea3f260b7e6232a80fc
Successfully built ansible PyYAML
Installing collected packages: MarkupSafe, jinja2, PyYAML, pycparser, cffi, cryptography, ansible, netaddr
Successfully installed MarkupSafe-1.1.1 PyYAML-5.3.1 ansible-2.8.8 cffi-1.14.0 cryptography-2.9.2 jinja2-2.11.2 netaddr-0.7.19 pycparser-2.20
(.env) user@server:~/algo$ ./algo
[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] *******************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ***********************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] *******************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **************************************************************************
ok: [localhost] => (item=ansible==2.8.8)

TASK [Verify Python meets Algo VPN requirements] ***********************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] **********************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Ask user for the input] ******************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:

TASK [Cloud prompt] ****************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:

TASK [VPN server name prompt] ******************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ***************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] ******************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [Trusted Wi-Fi networks prompt] ***********************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] *******************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] *******************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ********************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]

PLAY [Provision the server] ********************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.4 LTS (Virtualized: xen)
Created from git fork. Last commit: 9ac64cb Document WG DNS search domain on Linux client (#1796)
Python 3.6.9
Runtime variables:
    algo_provider "lightsail"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "True"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ******************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] ****************************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] *************************************************************************************
changed: [localhost]

TASK [Copy the private SSH key to /tmp] ********************************************************************************
changed: [localhost -> localhost]

TASK [cloud-lightsail : Install requirements] **************************************************************************
changed: [localhost]
[cloud-lightsail : pause]
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md)
 (output is hidden):

TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 (output is hidden):

TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Get regions] ***********************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set facts about the regions] *******************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set the default region] ************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
What region should the server be located in?
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
    1.  ap-northeast-1       Tokyo
    2.  ap-northeast-2       Seoul
    3.  ap-south-1           Mumbai
    4.  ap-southeast-1       Singapore
    5.  ap-southeast-2       Sydney
    6.  ca-central-1         Montreal
    7.  eu-central-1         Frankfurt
    8.  eu-west-1            Ireland
    9.  eu-west-2            London
    10. eu-west-3            Paris
    11. us-east-1            Virginia
    12. us-east-2            Ohio
    13. us-west-2            Oregon

Enter the number of your desired region
[11]
:

TASK [cloud-lightsail : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Create an instance] ****************************************************************************
changed: [localhost]

TASK [cloud-lightsail : set_fact] **************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ****************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *****************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *********************************************************************************
ok: [localhost]

TASK [Linux | set OS specific facts] ***********************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ***************************************************************************************
ok: [localhost]

TASK [Update config paths] *********************************************************************************************
changed: [localhost]

TASK [debug] ***********************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "35.180.51.183"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] ***********************************************
ok: [localhost -> 35.180.51.183] => (item=35.180.51.183)

PLAY [Configure the server and install required software] **************************************************************

TASK [Wait until the cloud-init completed] *****************************************************************************
ok: [35.180.51.183]

TASK [Ensure the config directory exists] ******************************************************************************
changed: [35.180.51.183 -> localhost]

TASK [Dump the ssh config] *********************************************************************************************
changed: [35.180.51.183 -> localhost]

TASK [common : Check the system] ***************************************************************************************
ok: [35.180.51.183]
included: /home/ubuntu/algo/roles/common/tasks/ubuntu.yml for 35.180.51.183

TASK [common : Gather facts] *******************************************************************************************
ok: [35.180.51.183]

TASK [common : Install software updates] *******************************************************************************
changed: [35.180.51.183]

TASK [common : Check if reboot is required] ****************************************************************************
changed: [35.180.51.183]

TASK [common : Reboot] *************************************************************************************************
changed: [35.180.51.183]

TASK [common : Wait until the server becomes ready...] *****************************************************************
ok: [35.180.51.183]

TASK [common : Install unattended-upgrades] ****************************************************************************
ok: [35.180.51.183]

TASK [common : Configure unattended-upgrades] **************************************************************************
changed: [35.180.51.183]

TASK [common : Periodic upgrades configured] ***************************************************************************
changed: [35.180.51.183]

TASK [common : Disable MOTD on login and SSHD] *************************************************************************
changed: [35.180.51.183] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [35.180.51.183] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] ***********************************************************************
changed: [35.180.51.183]

TASK [common : systemd services enabled and started] *******************************************************************
ok: [35.180.51.183] => (item=systemd-networkd)
ok: [35.180.51.183] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ********************************************************************
changed: [35.180.51.183]

TASK [common : Check apparmor support] *********************************************************************************
ok: [35.180.51.183]

TASK [common : Set fact if apparmor enabled] ***************************************************************************
ok: [35.180.51.183]

TASK [common : Define facts] *******************************************************************************************
ok: [35.180.51.183]

TASK [common : Set facts] **********************************************************************************************
ok: [35.180.51.183]

TASK [common : Set IPv6 support as a fact] *****************************************************************************
ok: [35.180.51.183]

TASK [common : Check size of MTU] **************************************************************************************
ok: [35.180.51.183]

TASK [common : Set OS specific facts] **********************************************************************************
ok: [35.180.51.183]

TASK [common : Install tools] ******************************************************************************************
changed: [35.180.51.183]

TASK [common : Install headers] ****************************************************************************************
changed: [35.180.51.183]
included: /home/ubuntu/algo/roles/common/tasks/iptables.yml for 35.180.51.183

TASK [common : Iptables configured] ************************************************************************************
changed: [35.180.51.183] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Sysctl tuning] ******************************************************************************************
changed: [35.180.51.183] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [35.180.51.183] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ****************************************************************************
changed: [35.180.51.183]
included: /home/ubuntu/algo/roles/dns/tasks/ubuntu.yml for 35.180.51.183

TASK [dns : Add the repository] ****************************************************************************************
changed: [35.180.51.183]

TASK [dns : Install dnscrypt-proxy] ************************************************************************************
changed: [35.180.51.183]

TASK [dns : Configure unattended-upgrades] *****************************************************************************
changed: [35.180.51.183]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *****************************************************
changed: [35.180.51.183]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *******************************************************
ok: [35.180.51.183]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] *******************************************
changed: [35.180.51.183]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] *******************************************
changed: [35.180.51.183]

TASK [dns : dnscrypt-proxy ip-blacklist configured] ********************************************************************
changed: [35.180.51.183]

TASK [dns : dnscrypt-proxy configured] *********************************************************************************
changed: [35.180.51.183]

TASK [dns : Adblock script created] ************************************************************************************
changed: [35.180.51.183]

TASK [dns : Adblock script added to cron] ******************************************************************************
changed: [35.180.51.183]

TASK [dns : Update adblock hosts] **************************************************************************************
ok: [35.180.51.183]
[WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] *************************************************************************
changed: [35.180.51.183]

TASK [dns : dnscrypt-proxy enabled and started] ************************************************************************
ok: [35.180.51.183]

TASK [wireguard : Ensure the required directories exist] ***************************************************************
changed: [35.180.51.183 -> localhost] => (item=configs/35.180.51.183/wireguard//.pki//preshared)
changed: [35.180.51.183 -> localhost] => (item=configs/35.180.51.183/wireguard//.pki//private)
changed: [35.180.51.183 -> localhost] => (item=configs/35.180.51.183/wireguard//.pki//public)
changed: [35.180.51.183 -> localhost] => (item=configs/35.180.51.183/wireguard//apple/ios)
changed: [35.180.51.183 -> localhost] => (item=configs/35.180.51.183/wireguard//apple/macos)
included: /home/ubuntu/algo/roles/wireguard/tasks/ubuntu.yml for 35.180.51.183

TASK [wireguard : WireGuard repository configured] *********************************************************************
changed: [35.180.51.183]

TASK [wireguard : Configure unattended-upgrades] ***********************************************************************
changed: [35.180.51.183]

TASK [wireguard : WireGuard installed] *********************************************************************************
changed: [35.180.51.183]

TASK [wireguard : WireGuard reload-module-on-update] *******************************************************************
changed: [35.180.51.183]

TASK [wireguard : Set OS specific facts] *******************************************************************************
ok: [35.180.51.183]

TASK [wireguard : Generate private keys] *******************************************************************************
changed: [35.180.51.183] => (item=phone)
changed: [35.180.51.183] => (item=laptop)
changed: [35.180.51.183] => (item=35.180.51.183)

TASK [wireguard : Save private keys] ***********************************************************************************
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183]

TASK [wireguard : Touch the lock file] *********************************************************************************
changed: [35.180.51.183] => (item=phone)
changed: [35.180.51.183] => (item=laptop)
changed: [35.180.51.183] => (item=35.180.51.183)

TASK [wireguard : Generate preshared keys] *****************************************************************************
changed: [35.180.51.183] => (item=phone)
changed: [35.180.51.183] => (item=laptop)
changed: [35.180.51.183] => (item=35.180.51.183)

TASK [wireguard : Save preshared keys] *********************************************************************************
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183]

TASK [wireguard : Touch the preshared lock file] ***********************************************************************
changed: [35.180.51.183] => (item=phone)
changed: [35.180.51.183] => (item=laptop)
changed: [35.180.51.183] => (item=35.180.51.183)

TASK [wireguard : Generate public keys] ********************************************************************************
ok: [35.180.51.183] => (item=phone)
ok: [35.180.51.183] => (item=laptop)
ok: [35.180.51.183] => (item=35.180.51.183)

TASK [wireguard : Save public keys] ************************************************************************************
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183 -> localhost] => (item=None)
changed: [35.180.51.183]

TASK [wireguard : WireGuard user list updated] *************************************************************************
changed: [35.180.51.183 -> localhost] => (item=phone)
changed: [35.180.51.183 -> localhost] => (item=laptop)

TASK [wireguard : set_fact] ********************************************************************************************
ok: [35.180.51.183 -> localhost]

TASK [wireguard : WireGuard users config generated] ********************************************************************
changed: [35.180.51.183 -> localhost] => (item=[0, 'phone'])
changed: [35.180.51.183 -> localhost] => (item=[1, 'laptop'])
included: /home/ubuntu/algo/roles/wireguard/tasks/mobileconfig.yml for 35.180.51.183
included: /home/ubuntu/algo/roles/wireguard/tasks/mobileconfig.yml for 35.180.51.183

TASK [wireguard : WireGuard apple mobileconfig generated] **************************************************************
changed: [35.180.51.183 -> localhost] => (item=[0, 'phone'])
changed: [35.180.51.183 -> localhost] => (item=[1, 'laptop'])

TASK [wireguard : WireGuard apple mobileconfig generated] **************************************************************
changed: [35.180.51.183 -> localhost] => (item=[0, 'phone'])
changed: [35.180.51.183 -> localhost] => (item=[1, 'laptop'])

TASK [wireguard : Generate QR codes] ***********************************************************************************
ok: [35.180.51.183 -> localhost] => (item=[0, 'phone'])
ok: [35.180.51.183 -> localhost] => (item=[1, 'laptop'])

TASK [wireguard : WireGuard configured] ********************************************************************************
changed: [35.180.51.183]

TASK [wireguard : WireGuard enabled and started] ***********************************************************************
fatal: [35.180.51.183]: FAILED! => {"changed": false, "msg": "Unable to start service wg-quick@wg0: Job for wg-quick@wg0.service failed because the control process exited with error code.\nSee \"systemctl status wg-quick@wg0.service\" and \"journalctl -xe\" for details.\n"}
included: /home/ubuntu/algo/playbooks/rescue.yml for 35.180.51.183

TASK [debug] ***********************************************************************************************************
ok: [35.180.51.183] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] *******************************************************************************************
fatal: [35.180.51.183]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP *************************************************************************************************************
35.180.51.183              : ok=71   changed=43   unreachable=0    failed=1    skipped=7    rescued=1    ignored=0
localhost                  : ok=44   changed=10   unreachable=0    failed=0    skipped=2    rescued=0    ignored=0

I usually run this on WSL and it works fine but lately I've been getting errors since I upgraded the Ubuntu WSL to 20.04 so I tried installing from a new Ubuntu 18.04 instance.

systemctl status wg-quick@wg0.service
Unit wg-quick@wg0.service could not be found.

davidemyers commented 4 years ago

Ubuntu just released some kernel updates for 18.04 that break WireGuard when using kernel 5.3. WireGuard's been fixed, but the repository that contains the WireGuard packages used by Algo hasn't been updated to the fixed version yet.

I'm not sure what can be done other than waiting for the repository to be updated. Or you can choose another cloud provider where Ubuntu 20.04 is available.

ComputerJy commented 4 years ago

> Ubuntu just released some kernel updates for 18.04 that break WireGuard when using kernel 5.3. WireGuard's been fixed, but the repository that contains the WireGuard packages used by Algo hasn't been updated to the fixed version yet.
>
> I'm not sure what can be done other than waiting for the repository to be updated. Or you can choose another cloud provider where Ubuntu 20.04 is available.

I guess I'll just have to wait. Thanks

vadiof commented 4 years ago

This issue still exists, but it looks like enabling HWE is a workaround.

cosmopockets commented 3 years ago

Would like to update this as I have also been experiencing this issue.

WireGuard is currently running on the GCP platform.

Promethiyas commented 2 years ago

Hi, I tried to start WireGuard, but I think it's the same problem.

root@val-1:/etc/wireguard# systemctl start wg-quick@wg0
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.

And when I check the status, I have this:

root@val-1:/etc/wireguard# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enab>
     Active: failed (Result: exit-code) since Tue 2022-01-18 14:54:53 CET; 6min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 1719 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
   Main PID: 1719 (code=exited, status=1/FAILURE)

janv. 18 14:54:52 val-1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
janv. 18 14:54:52 val-1 wg-quick[1719]: [#] ip link add wg0 type wireguard
janv. 18 14:54:53 val-1 wg-quick[1719]: [#] wg setconf wg0 /dev/fd/63
janv. 18 14:54:53 val-1 wg-quick[1742]: Key is not the correct length or format: `aXXXXXX>
janv. 18 14:54:53 val-1 wg-quick[1742]: Configuration parsing error
janv. 18 14:54:53 val-1 wg-quick[1719]: [#] ip link delete dev wg0
janv. 18 14:54:53 val-1 systemd[1]: wg-quick@wg0.service: Main process exited, code=exite>
janv. 18 14:54:53 val-1 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
janv. 18 14:54:53 val-1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
lines 1-21/21 (END)

If anyone knows how to solve the problem...