trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

DigitalOcean Deploys to Wrong Region #1914

Closed jimmybrancaccio closed 3 years ago

jimmybrancaccio commented 3 years ago

Describe the bug

When running through the deployment process, I've selected 1 for DigitalOcean and 8 for New York 3. However once deployment is complete I see the droplet has been created in Bangalore 1.

To Reproduce

Steps to reproduce the behavior:

  1. Fetch commit ebec20e, which is current as of today.
  2. Edit your config.cfg file to your liking. I don't believe I have anything in my configuration file which would dictate the location of a droplet at DigitalOcean. Save and exit.
  3. Run ./algo. Select DigitalOcean as your cloud provider, and New York 3 as your region.
  4. Let the deployment complete.
  5. Log in to DigitalOcean and note the location of the new droplet.

Expected behavior

I would expect that the droplet would be deployed to the location which I selected when running ./algo.

Additional context

N/A.

Full log

[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] ***************************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] *******************************************************************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***********************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] ***************************************************************************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **********************************************************************************************************************************************************
ok: [localhost] => (item=ansible==2.9.7)

TASK [Verify Python meets Algo VPN requirements] *******************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ******************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Ask user for the input] **************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:

TASK [Cloud prompt] ************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:

TASK [VPN server name prompt] **************************************************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ***********************************************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] **************************************************************************************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [Trusted Wi-Fi networks prompt] *******************************************************************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] ***************************************************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] ***************************************************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ****************************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Gentoo/Linux (Virtualized: kvm)
Created from git clone. Last commit: ebec20e Multiple Azure fixes (#1908)
Python 3.7.9
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "U2t5TmV0"
    algo_dns_adblocking "True"
    algo_ssh_tunneling "True"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] **************************************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] ************************************************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ********************************************************************************************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] *********************************************************************************************************************************************************************
changed: [localhost]

TASK [Copy the private SSH key to /tmp] ****************************************************************************************************************************************************************
changed: [localhost -> localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
 (output is hidden):

TASK [cloud-digitalocean : pause] **********************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ****************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about the regions] ************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] *********************************************************************************************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
    1. ams2     Amsterdam 2
    2. ams3     Amsterdam 3
    3. blr1     Bangalore 1
    4. fra1     Frankfurt 1
    5. lon1     London 1
    6. nyc1     New York 1
    7. nyc2     New York 2
    8. nyc3     New York 3
    9. sfo1     San Francisco 1
    10. sfo2     San Francisco 2
    11. sfo3     San Francisco 3
    12. sgp1     Singapore 1
    13. tor1     Toronto 1

Enter the number of your desired region
[8]
:

TASK [cloud-digitalocean : pause] **********************************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] *******************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *********************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] *******************************************************************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************************************************************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *************************************************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************************************************************************************************************************************
ok: [localhost]

TASK [debug] *******************************************************************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "143.110.178.70"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] *******************************************************************************************************************************
ok: [localhost -> 143.110.178.70] => (item=143.110.178.70)

PLAY [Configure the server and install required software] **********************************************************************************************************************************************

TASK [Wait until the cloud-init completed] *************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [Ensure the config directory exists] **************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [Dump the ssh config] *****************************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [common : Check the system] ***********************************************************************************************************************************************************************
ok: [143.110.178.70]
included: /home/jimmy/Developer/github.com/algo/roles/common/tasks/ubuntu.yml for 143.110.178.70

TASK [common : Gather facts] ***************************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Install software updates] ***************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Check if reboot is required] ************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Reboot] *********************************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Wait until the server becomes ready...] *************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Install unattended-upgrades] ************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Configure unattended-upgrades] **********************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Periodic upgrades configured] ***********************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Disable MOTD on login and SSHD] *********************************************************************************************************************************************************
changed: [143.110.178.70] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [143.110.178.70] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] ******************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Loopback for services configured] *******************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : systemd services enabled and started] ***************************************************************************************************************************************************
ok: [143.110.178.70] => (item=systemd-networkd)
ok: [143.110.178.70] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ****************************************************************************************************************************************************
changed: [143.110.178.70]

RUNNING HANDLER [common : restart systemd-resolved] ****************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [common : Check apparmor support] *****************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Set fact if apparmor enabled] ***********************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Define facts] ***************************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Set facts] ******************************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Set IPv6 support as a fact] *************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Check size of MTU] **********************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Set OS specific facts] ******************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [common : Install tools] **************************************************************************************************************************************************************************
changed: [143.110.178.70]
included: /home/jimmy/Developer/github.com/algo/roles/common/tasks/iptables.yml for 143.110.178.70

TASK [common : Iptables configured] ********************************************************************************************************************************************************************
changed: [143.110.178.70] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] ********************************************************************************************************************************************************************
changed: [143.110.178.70] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] **************************************************************************************************************************************************************************
changed: [143.110.178.70] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [143.110.178.70] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [143.110.178.70] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ************************************************************************************************************************************************************
changed: [143.110.178.70]
included: /home/jimmy/Developer/github.com/algo/roles/dns/tasks/ubuntu.yml for 143.110.178.70

TASK [dns : Install dnscrypt-proxy] ********************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ***************************************************************************************************************************************
ok: [143.110.178.70]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] ***************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : dnscrypt-proxy ip-blacklist configured] ****************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : dnscrypt-proxy configured] *****************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Adblock script created] ********************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Adblock script added to cron] **************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : Update adblock hosts] **********************************************************************************************************************************************************************
ok: [143.110.178.70]
[WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] *********************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [dns : dnscrypt-proxy enabled and started] ********************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [wireguard : Ensure the required directories exist] ***********************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=configs/143.110.178.70/wireguard//.pki//preshared)
changed: [143.110.178.70 -> localhost] => (item=configs/143.110.178.70/wireguard//.pki//private)
changed: [143.110.178.70 -> localhost] => (item=configs/143.110.178.70/wireguard//.pki//public)
changed: [143.110.178.70 -> localhost] => (item=configs/143.110.178.70/wireguard//apple/ios)
changed: [143.110.178.70 -> localhost] => (item=configs/143.110.178.70/wireguard//apple/macos)
included: /home/jimmy/Developer/github.com/algo/roles/wireguard/tasks/ubuntu.yml for 143.110.178.70

TASK [wireguard : WireGuard installed] *****************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [wireguard : Set OS specific facts] ***************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [wireguard : Generate private keys] ***************************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)
changed: [143.110.178.70] => (item=143.110.178.70)

TASK [wireguard : Save private keys] *******************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [wireguard : Touch the lock file] *****************************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)
changed: [143.110.178.70] => (item=143.110.178.70)

TASK [wireguard : Generate preshared keys] *************************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)
changed: [143.110.178.70] => (item=143.110.178.70)

TASK [wireguard : Save preshared keys] *****************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [wireguard : Touch the preshared lock file] *******************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)
changed: [143.110.178.70] => (item=143.110.178.70)

TASK [wireguard : Generate public keys] ****************************************************************************************************************************************************************
ok: [143.110.178.70] => (item=jimmy-iphone)
ok: [143.110.178.70] => (item=jimmy-ipad)
ok: [143.110.178.70] => (item=jimmy-macbook)
ok: [143.110.178.70] => (item=jimmy-windows10)
ok: [143.110.178.70] => (item=jimmy-macpro)
ok: [143.110.178.70] => (item=jimmy-bentobox)
ok: [143.110.178.70] => (item=jimmy-imac)
ok: [143.110.178.70] => (item=morgan-macmini)
ok: [143.110.178.70] => (item=143.110.178.70)

TASK [wireguard : Save public keys] ********************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [wireguard : WireGuard user list updated] *********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [wireguard : set_fact] ****************************************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost]

TASK [wireguard : WireGuard users config generated] ****************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=[0, 'jimmy-iphone'])
changed: [143.110.178.70 -> localhost] => (item=[1, 'jimmy-ipad'])
changed: [143.110.178.70 -> localhost] => (item=[2, 'jimmy-macbook'])
changed: [143.110.178.70 -> localhost] => (item=[3, 'jimmy-windows10'])
changed: [143.110.178.70 -> localhost] => (item=[4, 'jimmy-macpro'])
changed: [143.110.178.70 -> localhost] => (item=[5, 'jimmy-bentobox'])
changed: [143.110.178.70 -> localhost] => (item=[6, 'jimmy-imac'])
changed: [143.110.178.70 -> localhost] => (item=[7, 'morgan-macmini'])
included: /home/jimmy/Developer/github.com/algo/roles/wireguard/tasks/mobileconfig.yml for 143.110.178.70
included: /home/jimmy/Developer/github.com/algo/roles/wireguard/tasks/mobileconfig.yml for 143.110.178.70

TASK [wireguard : WireGuard apple mobileconfig generated] **********************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=[0, 'jimmy-iphone'])
changed: [143.110.178.70 -> localhost] => (item=[1, 'jimmy-ipad'])
changed: [143.110.178.70 -> localhost] => (item=[2, 'jimmy-macbook'])
changed: [143.110.178.70 -> localhost] => (item=[3, 'jimmy-windows10'])
changed: [143.110.178.70 -> localhost] => (item=[4, 'jimmy-macpro'])
changed: [143.110.178.70 -> localhost] => (item=[5, 'jimmy-bentobox'])
changed: [143.110.178.70 -> localhost] => (item=[6, 'jimmy-imac'])
changed: [143.110.178.70 -> localhost] => (item=[7, 'morgan-macmini'])

TASK [wireguard : WireGuard apple mobileconfig generated] **********************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=[0, 'jimmy-iphone'])
changed: [143.110.178.70 -> localhost] => (item=[1, 'jimmy-ipad'])
changed: [143.110.178.70 -> localhost] => (item=[2, 'jimmy-macbook'])
changed: [143.110.178.70 -> localhost] => (item=[3, 'jimmy-windows10'])
changed: [143.110.178.70 -> localhost] => (item=[4, 'jimmy-macpro'])
changed: [143.110.178.70 -> localhost] => (item=[5, 'jimmy-bentobox'])
changed: [143.110.178.70 -> localhost] => (item=[6, 'jimmy-imac'])
changed: [143.110.178.70 -> localhost] => (item=[7, 'morgan-macmini'])

TASK [wireguard : Generate QR codes] *******************************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost] => (item=[0, 'jimmy-iphone'])
ok: [143.110.178.70 -> localhost] => (item=[1, 'jimmy-ipad'])
ok: [143.110.178.70 -> localhost] => (item=[2, 'jimmy-macbook'])
ok: [143.110.178.70 -> localhost] => (item=[3, 'jimmy-windows10'])
ok: [143.110.178.70 -> localhost] => (item=[4, 'jimmy-macpro'])
ok: [143.110.178.70 -> localhost] => (item=[5, 'jimmy-bentobox'])
ok: [143.110.178.70 -> localhost] => (item=[6, 'jimmy-imac'])
ok: [143.110.178.70 -> localhost] => (item=[7, 'morgan-macmini'])

TASK [wireguard : WireGuard configured] ****************************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [wireguard : WireGuard enabled and started] *******************************************************************************************************************************************************
changed: [143.110.178.70]

RUNNING HANDLER [wireguard : restart wireguard] ********************************************************************************************************************************************************
changed: [143.110.178.70]
included: /home/jimmy/Developer/github.com/algo/roles/strongswan/tasks/ubuntu.yml for 143.110.178.70

TASK [strongswan : Set OS specific facts] **************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [strongswan : Ubuntu | Install strongSwan] ********************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] ************************************************************************************************************************************
changed: [143.110.178.70]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] *********************************************************************************************************************************************
ok: [143.110.178.70] => (item=/usr/lib/ipsec/charon)
ok: [143.110.178.70] => (item=/usr/lib/ipsec/lookip)
ok: [143.110.178.70] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ***********************************************************************************************************************************************************
ok: [143.110.178.70] => (item=apparmor)
ok: [143.110.178.70] => (item=strongswan-starter)
ok: [143.110.178.70] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ***********************************************************************************************************************
changed: [143.110.178.70]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *************************************************************************************************************************
changed: [143.110.178.70]

TASK [strongswan : Ensure that the strongswan user exists] *********************************************************************************************************************************************
ok: [143.110.178.70]

TASK [strongswan : Install strongSwan] *****************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [strongswan : Setup the config files from our templates] ******************************************************************************************************************************************
changed: [143.110.178.70] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [143.110.178.70] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [143.110.178.70] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [143.110.178.70] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] *****************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [strongswan : Disable unneeded plugins] ***********************************************************************************************************************************************************
changed: [143.110.178.70] => (item=agent)
changed: [143.110.178.70] => (item=sha1)
changed: [143.110.178.70] => (item=md5)
changed: [143.110.178.70] => (item=bypass-lan)
changed: [143.110.178.70] => (item=pkcs1)
changed: [143.110.178.70] => (item=gmp)
changed: [143.110.178.70] => (item=mgf1)
changed: [143.110.178.70] => (item=connmark)
changed: [143.110.178.70] => (item=counters)
changed: [143.110.178.70] => (item=xauth-generic)
changed: [143.110.178.70] => (item=rc2)
changed: [143.110.178.70] => (item=xcbc)
changed: [143.110.178.70] => (item=dnskey)
changed: [143.110.178.70] => (item=drbg)
changed: [143.110.178.70] => (item=sshkey)
changed: [143.110.178.70] => (item=constraints)
changed: [143.110.178.70] => (item=updown)
changed: [143.110.178.70] => (item=fips-prf)
changed: [143.110.178.70] => (item=eap-mschapv2)
changed: [143.110.178.70] => (item=aesni)
changed: [143.110.178.70] => (item=attr)
changed: [143.110.178.70] => (item=resolve)

TASK [strongswan : Ensure that required plugins are enabled] *******************************************************************************************************************************************
changed: [143.110.178.70] => (item=pgp)
changed: [143.110.178.70] => (item=hmac)
changed: [143.110.178.70] => (item=nonce)
changed: [143.110.178.70] => (item=aes)
changed: [143.110.178.70] => (item=pkcs8)
changed: [143.110.178.70] => (item=gcm)
changed: [143.110.178.70] => (item=pkcs12)
changed: [143.110.178.70] => (item=x509)
changed: [143.110.178.70] => (item=sha2)
changed: [143.110.178.70] => (item=pkcs7)
changed: [143.110.178.70] => (item=kernel-netlink)
changed: [143.110.178.70] => (item=socket-default)
changed: [143.110.178.70] => (item=openssl)
changed: [143.110.178.70] => (item=pem)
changed: [143.110.178.70] => (item=stroke)
changed: [143.110.178.70] => (item=pubkey)
changed: [143.110.178.70] => (item=revocation)
changed: [143.110.178.70] => (item=random)

TASK [strongswan : debug] ******************************************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost] => {
    "subjectAltName": "IP:143.110.178.70,IP:2400:6180:100:d0::8fe:2001"
}

TASK [strongswan : Ensure the pki directories exist] ***************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=ecparams)
changed: [143.110.178.70 -> localhost] => (item=certs)
changed: [143.110.178.70 -> localhost] => (item=crl)
changed: [143.110.178.70 -> localhost] => (item=newcerts)
changed: [143.110.178.70 -> localhost] => (item=private)
changed: [143.110.178.70 -> localhost] => (item=public)
changed: [143.110.178.70 -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] ************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=apple)
changed: [143.110.178.70 -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] *************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=.rnd)
changed: [143.110.178.70 -> localhost] => (item=private/.rnd)
changed: [143.110.178.70 -> localhost] => (item=index.txt)
changed: [143.110.178.70 -> localhost] => (item=index.txt.attr)
changed: [143.110.178.70 -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] ************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Build the CA pair] ******************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Copy the CA certificate] ************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Generate the serial number] *********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Build the server pair] **************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Build the client's pair] ************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Build openssh public keys] **********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Build the client's p12] *************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Build the client's p12 with the CA cert included] ***********************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Copy the p12 certificates] **********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Get active users] *******************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [strongswan : Copy the keys to the strongswan directory] ******************************************************************************************************************************************
changed: [143.110.178.70] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [143.110.178.70] => (item={'src': 'certs/143.110.178.70.crt', 'dest': 'certs/143.110.178.70.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [143.110.178.70] => (item={'src': 'private/143.110.178.70.key', 'dest': 'private/143.110.178.70.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ********************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
ok: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
ok: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
ok: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
ok: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
ok: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
ok: [143.110.178.70 -> localhost] => (item=jimmy-imac)
ok: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Set facts for mobileconfigs] ********************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost]

TASK [strongswan : Build the mobileconfigs] ************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [strongswan : Build the client ipsec config file] *************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Build the client ipsec secret file] *************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [strongswan : Restrict permissions for the local private directories] *****************************************************************************************************************************
ok: [143.110.178.70 -> localhost]

TASK [strongswan : strongSwan started] *****************************************************************************************************************************************************************
ok: [143.110.178.70]

RUNNING HANDLER [strongswan : restart strongswan] ******************************************************************************************************************************************************
changed: [143.110.178.70]

RUNNING HANDLER [strongswan : daemon-reload] ***********************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ****************************************************************************************************************************
changed: [143.110.178.70]

TASK [ssh_tunneling : Ensure that the algo group exist] ************************************************************************************************************************************************
changed: [143.110.178.70]

TASK [ssh_tunneling : Ensure that the jail directory exist] ********************************************************************************************************************************************
changed: [143.110.178.70]

TASK [ssh_tunneling : Ensure that the SSH users exist] *************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)

TASK [ssh_tunneling : Ensure the config directories exist] *********************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [ssh_tunneling : Check if the private keys exist] *************************************************************************************************************************************************
ok: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
ok: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
ok: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
ok: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
ok: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
ok: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
ok: [143.110.178.70 -> localhost] => (item=jimmy-imac)
ok: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [ssh_tunneling : Build ssh private keys] **********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [ssh_tunneling : Build ssh public keys] ***********************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70 -> localhost] => (item=None)
changed: [143.110.178.70]

TASK [ssh_tunneling : Build the client ssh config] *****************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost] => (item=jimmy-iphone)
changed: [143.110.178.70 -> localhost] => (item=jimmy-ipad)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macbook)
changed: [143.110.178.70 -> localhost] => (item=jimmy-windows10)
changed: [143.110.178.70 -> localhost] => (item=jimmy-macpro)
changed: [143.110.178.70 -> localhost] => (item=jimmy-bentobox)
changed: [143.110.178.70 -> localhost] => (item=jimmy-imac)
changed: [143.110.178.70 -> localhost] => (item=morgan-macmini)

TASK [ssh_tunneling : The authorized keys file created] ************************************************************************************************************************************************
changed: [143.110.178.70] => (item=jimmy-iphone)
changed: [143.110.178.70] => (item=jimmy-ipad)
changed: [143.110.178.70] => (item=jimmy-macbook)
changed: [143.110.178.70] => (item=jimmy-windows10)
changed: [143.110.178.70] => (item=jimmy-macpro)
changed: [143.110.178.70] => (item=jimmy-bentobox)
changed: [143.110.178.70] => (item=jimmy-imac)
changed: [143.110.178.70] => (item=morgan-macmini)

TASK [ssh_tunneling : Get active users] ****************************************************************************************************************************************************************
ok: [143.110.178.70]

TASK [ssh_tunneling : Delete non-existing users] *******************************************************************************************************************************************************
ok: [143.110.178.70] => (item=)

TASK [Dump the configuration] **************************************************************************************************************************************************************************
changed: [143.110.178.70 -> localhost]

TASK [debug] *******************************************************************************************************************************************************************************************
ok: [143.110.178.70] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.26.170.218, fd00::a:aada                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is 1234567890       #\"\n",
        "    \"#        The CA key password is 1234567890       #\"\n",
        "    \"#      Shell access: ssh -F configs/143.110.178.70/ssh_config vpn.linuxbox.ninja        #\"\n"
    ]
}

RUNNING HANDLER [ssh_tunneling : restart ssh] **********************************************************************************************************************************************************
changed: [143.110.178.70]

PLAY RECAP *********************************************************************************************************************************************************************************************
143.110.178.70             : ok=122  changed=78   unreachable=0    failed=0    skipped=21   rescued=0    ignored=0   
localhost                  : ok=40   changed=9    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0
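
The practical check for a report like the one above is to ask the provider where the droplet actually lives rather than trusting the menu selection. The script below is an added example, not part of Algo or of this issue: it takes a droplet listing in the shape DigitalOcean's API v2 returns for `GET /v2/droplets` (`droplets[].networks.v4[].ip_address` and `droplets[].region.slug`), finds the droplet by its public IPv4, and compares its region slug with the one that was requested. The JSON body is constructed for the example; only the IP from the log and the two region names from the thread are reused, and the `blr1`/`nyc3` slugs are assumed to be the ones DigitalOcean uses for Bangalore 1 and New York 3.

```python
"""Verify that a DigitalOcean droplet was created in the requested region.

Added example for the Algo region-mismatch report; the droplet listing is a
constructed sample in the DigitalOcean API v2 response shape, not real
account data.
"""
import json
from typing import Optional

# Constructed sample of GET /v2/droplets. The public IP from the issue log is
# placed in Bangalore 1 (assumed slug "blr1"); a second droplet sits in
# New York 3 (assumed slug "nyc3").
SAMPLE_DROPLETS_JSON = json.dumps({
    "droplets": [
        {
            "id": 1,
            "name": "algo",
            "region": {"slug": "blr1", "name": "Bangalore 1"},
            "networks": {
                "v4": [
                    {"ip_address": "10.0.0.5", "type": "private"},
                    {"ip_address": "143.110.178.70", "type": "public"},
                ]
            },
        },
        {
            "id": 2,
            "name": "other",
            "region": {"slug": "nyc3", "name": "New York 3"},
            "networks": {
                "v4": [{"ip_address": "198.51.100.7", "type": "public"}]
            },
        },
    ]
})


def region_of_droplet(droplets_json: str, public_ip: str) -> Optional[str]:
    """Return the region slug of the droplet whose public IPv4 is public_ip,
    or None when no droplet in the listing carries that address.

    Private addresses are skipped on purpose: the IP Algo prints in its log
    is the public one used for SSH and the VPN endpoint.
    """
    data = json.loads(droplets_json)
    for droplet in data.get("droplets", []):
        for net in droplet.get("networks", {}).get("v4", []):
            if net.get("type") == "public" and net.get("ip_address") == public_ip:
                return droplet["region"]["slug"]
    return None


def check_region(droplets_json: str, public_ip: str, expected_slug: str) -> dict:
    """Compare the droplet's actual region with the requested one.

    ok is True only when the droplet was found and its slug matches; a
    missing droplet is reported as a failure rather than silently passing.
    """
    actual = region_of_droplet(droplets_json, public_ip)
    return {
        "ip": public_ip,
        "expected": expected_slug,
        "actual": actual,
        "ok": actual is not None and actual == expected_slug,
    }


if __name__ == "__main__":
    # For a live check, feed the body of
    #   curl -s -H "Authorization: Bearer $DO_TOKEN" \
    #        "https://api.digitalocean.com/v2/droplets?per_page=200"
    # in place of the constructed sample.
    print(json.dumps(check_region(SAMPLE_DROPLETS_JSON, "143.110.178.70", "nyc3"), indent=2))
```

Run against the constructed sample, the check reports `expected: nyc3`, `actual: blr1`, `ok: false`, which is the discrepancy the issue describes. With a real listing the same function gives a yes/no answer that does not depend on reading the region off the web console.
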

davidemyers commented 3 years ago

I just tried to recreate this issue but my Droplet ended up in NYC3 as requested. I don't know why your attempt ended up in the wrong place.

jimmybrancaccio commented 3 years ago

@davidemyers Yeah, very weird!

[Screenshot from 2020-11-16 13-52-25]

I actually just tried creating another instance and selected NYC1 and it went there fine...I guess I should have tried NYC3 to see if I could replicate it, but it looks like you were able to select NYC3 and have it deploy there without issue. 🤔