trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Failure at dns_adblocking : restart dnsmasq #367

Closed sashkab closed 7 years ago

sashkab commented 7 years ago

OS / Environment

Ubuntu 16.04.2

Ansible version

$ ansible --version
ansible 2.2.0.0
  config file =
  configured module search path = Default w/o overrides

Version of components from requirements.txt

Package                        Version
------------------------------ ---------
adal                           0.4.5
ansible                        2.2.0.0
apache-libcloud                1.5.0
appdirs                        1.4.3
asn1crypto                     0.22.0
azure                          2.0.0rc5
azure-batch                    0.30.0rc5
azure-common                   1.1.4
azure-graphrbac                0.30.0rc5
azure-mgmt                     0.30.0rc5
azure-mgmt-authorization       0.30.0rc5
azure-mgmt-batch               0.30.0rc5
azure-mgmt-cdn                 0.30.0rc5
azure-mgmt-cognitiveservices   0.30.0rc5
azure-mgmt-commerce            0.30.0rc5
azure-mgmt-compute             0.30.0rc5
azure-mgmt-keyvault            0.30.0rc5
azure-mgmt-logic               0.30.0rc5
azure-mgmt-network             0.30.0rc5
azure-mgmt-notificationhubs    0.30.0rc5
azure-mgmt-nspkg               1.0.0
azure-mgmt-powerbiembedded     0.30.0rc5
azure-mgmt-redis               0.30.0rc5
azure-mgmt-resource            0.30.0rc5
azure-mgmt-scheduler           0.30.0rc5
azure-mgmt-storage             0.30.0rc5
azure-mgmt-web                 0.30.0rc5
azure-nspkg                    1.0.0
azure-servicebus               0.20.2
azure-servicemanagement-legacy 0.20.3
azure-storage                  0.32.0
boto                           2.46.1
boto3                          1.4.4
botocore                       1.5.38
certifi                        2017.1.23
cffi                           1.10.0
chardet                        2.3.0
cryptography                   1.8.1
docutils                       0.13.1
dopy                           0.3.5
enum34                         1.1.6
futures                        3.0.5
idna                           2.5
ipaddress                      1.0.18
isodate                        0.5.4
Jinja2                         2.8
jmespath                       0.9.2
keyring                        10.3.1
MarkupSafe                     1.0
msrest                         0.4.1
msrestazure                    0.4.7
oauthlib                       2.0.2
packaging                      16.8
paramiko                       2.1.2
pip                            9.0.1
pkg-resources                  0.0.0
pyasn1                         0.2.3
pycparser                      2.17
pycrypto                       2.6.1
PyJWT                          1.4.2
pyOpenSSL                      16.2.0
pyparsing                      2.2.0
python-dateutil                2.6.0
PyYAML                         3.12
requests                       2.13.0
requests-oauthlib              0.8.0
s3transfer                     0.1.10
SecretStorage                  2.3.1
setuptools                     34.3.3
six                            1.10.0
wheel                          0.30.0a0

Summary of the problem

I've installed Algo on an Ubuntu VPS, and it works. Then I decided to enable the DNS server. It failed with the following error:

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service dnsmasq: Job for dnsmasq.service failed because the control process exited with error code. See \"systemctl status dnsmasq.service\" and \"journalctl -xe\" for details.\n"}

PLAY RECAP *********************************************************************
localhost                  : ok=71   changed=29   unreachable=0    failed=1

Steps to reproduce the behavior

  1. ./algo
  2. Enable DNS ad blocking installation.
  3. Fail.

The way of deployment (cloud or local)

Local

Expected behavior

Successful deployment.

Actual behavior

Failure with dnsmasq.

Full log

# ./algo

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Google Compute Engine
    4. Microsoft Azure
    5. Install to existing Ubuntu server

Enter the number of your desired provider
: 5

Enter the IP address of your server: (or use localhost for local installation)
: localhost

What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]:

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[localhost]: XXX.XXX.XXX.XXX

Was this server deployed by Algo previously?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: n

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: OfficeWifi

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: n

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]: n

Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure)
[y/N]: n

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: n

PLAY [Configure the server] ****************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ********************************************
ok: [localhost -> localhost]

TASK [Generate the SSH public key] *********************************************
ok: [localhost -> localhost]

TASK [Change mode for the SSH private key] *************************************
ok: [localhost -> localhost]

TASK [Ensure the dynamic inventory exists] *************************************
ok: [localhost]

TASK [Ensure the local ssh directory is exist] *********************************
ok: [localhost -> localhost]

TASK [Copy the algo ssh key to the local ssh directory] ************************
changed: [localhost -> localhost]

TASK [Configure the local ssh config] ******************************************
changed: [localhost -> localhost]

TASK [local : Add the instance to an inventory group] **************************
skipping: [localhost]

TASK [local : Add the instance to an inventory group] **************************
changed: [localhost]

TASK [local : set_fact] ********************************************************
ok: [localhost]

TASK [local : Ensure the group local exists in the dynamic inventory file] *****
ok: [localhost]

TASK [local : Populate the dynamic inventory] **********************************
ok: [localhost]

PLAY [Configure the server and install required software] **********************

TASK [Check the system] ********************************************************
changed: [localhost]

TASK [Ubuntu | Install prerequisites] ******************************************
changed: [localhost]

TASK [FreeBSD / HardenedBSD | Install prerequisites] ***************************
skipping: [localhost]

TASK [FreeBSD / HardenedBSD | Configure defaults] ******************************
skipping: [localhost]

TASK [set_fact] ****************************************************************
skipping: [localhost]

TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [localhost]

TASK [common : Gather Facts] ***************************************************
ok: [localhost]

TASK [common : Loopback for services configured] *******************************
ok: [localhost]

TASK [common : Loopback included into the network config] **********************
ok: [localhost]

TASK [common : set_fact] *******************************************************
ok: [localhost]

TASK [common : set_fact] *******************************************************
skipping: [localhost]

TASK [common : Loopback included into the rc config] ***************************
skipping: [localhost]

TASK [common : Enable the gateway features] ************************************
skipping: [localhost] => (item={u'value': u'"open"', u'param': u'firewall_type'})
skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'firewall_enable'})
skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'gateway_enable'})
skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'natd_enable'})
skipping: [localhost] => (item={u'value': u'""', u'param': u'natd_interface'})
skipping: [localhost] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'})

TASK [common : Install tools] **************************************************
ok: [localhost] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Sysctl tuning] **************************************************
ok: [localhost] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [vpn : Gather Facts] ******************************************************
ok: [localhost]

TASK [vpn : Enable IPv6] *******************************************************
skipping: [localhost]

TASK [vpn : Generate password for the CA key] **********************************
changed: [localhost]

TASK [vpn : set_fact] **********************************************************
ok: [localhost]

TASK [vpn : Change the algorithm to RSA] ***************************************
skipping: [localhost]

TASK [vpn : Ensure that the strongswan group exist] ****************************
ok: [localhost]

TASK [vpn : Ensure that the strongswan user exist] *****************************
ok: [localhost]

TASK [vpn : set_fact] **********************************************************
ok: [localhost]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************
changed: [localhost]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
skipping: [localhost] => (item=/usr/lib/ipsec/charon)
skipping: [localhost] => (item=/usr/lib/ipsec/lookip)
skipping: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ******************************************
ok: [localhost] => (item=apparmor)
ok: [localhost] => (item=strongswan)
ok: [localhost] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
ok: [localhost]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
ok: [localhost]

TASK [vpn : Iptables configured] ***********************************************
changed: [localhost] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************
skipping: [localhost] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] ********
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] ***************
skipping: [localhost] => (item=IPSEC_NAT_T)
skipping: [localhost] => (item=IPSEC)
skipping: [localhost] => (item=crypto)

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] ********************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] ********
skipping: [localhost] => (item=options IPSEC_NAT_T)
skipping: [localhost] => (item=options  IPSEC)
skipping: [localhost] => (item=device   crypto)

TASK [vpn : HardenedBSD | Determine the sources] *******************************
skipping: [localhost]

TASK [vpn : FreeBSD | Determine the sources] ***********************************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] **********
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] ************************************
skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] *************************
skipping: [localhost]

TASK [vpn : Install strongSwan] ************************************************
ok: [localhost]

TASK [vpn : Setup the config files from our templates] *************************
ok: [localhost] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ************************************************
changed: [localhost]

TASK [vpn : Disable unneeded plugins] ******************************************
skipping: [localhost] => (item=revocation)
ok: [localhost] => (item=xcbc)
ok: [localhost] => (item=sha1)
ok: [localhost] => (item=test-vectors)
ok: [localhost] => (item=fips-prf)
skipping: [localhost] => (item=aes)
skipping: [localhost] => (item=pkcs8)
ok: [localhost] => (item=attr)
ok: [localhost] => (item=updown)
ok: [localhost] => (item=sshkey)
skipping: [localhost] => (item=hmac)
skipping: [localhost] => (item=kernel-netlink)
ok: [localhost] => (item=md5)
ok: [localhost] => (item=pkcs1)
skipping: [localhost] => (item=pkcs12)
ok: [localhost] => (item=rc2)
skipping: [localhost] => (item=sha2)
skipping: [localhost] => (item=pkcs7)
ok: [localhost] => (item=resolve)
skipping: [localhost] => (item=pubkey)
skipping: [localhost] => (item=gcm)
ok: [localhost] => (item=dnskey)
skipping: [localhost] => (item=stroke)
ok: [localhost] => (item=gmp)
skipping: [localhost] => (item=socket-default)
ok: [localhost] => (item=connmark)
skipping: [localhost] => (item=nonce)
ok: [localhost] => (item=md4)
skipping: [localhost] => (item=x509)
ok: [localhost] => (item=constraints)
ok: [localhost] => (item=agent)
skipping: [localhost] => (item=openssl)
skipping: [localhost] => (item=pem)
skipping: [localhost] => (item=random)
skipping: [localhost] => (item=pgp)

TASK [vpn : Ensure that required plugins are enabled] **************************
skipping: [localhost] => (item=xcbc)
ok: [localhost] => (item=revocation)
skipping: [localhost] => (item=sha1)
skipping: [localhost] => (item=test-vectors)
skipping: [localhost] => (item=fips-prf)
ok: [localhost] => (item=aes)
ok: [localhost] => (item=pkcs8)
skipping: [localhost] => (item=attr)
skipping: [localhost] => (item=updown)
skipping: [localhost] => (item=sshkey)
ok: [localhost] => (item=hmac)
skipping: [localhost] => (item=md5)
ok: [localhost] => (item=kernel-netlink)
skipping: [localhost] => (item=pkcs1)
skipping: [localhost] => (item=rc2)
ok: [localhost] => (item=pkcs12)
ok: [localhost] => (item=sha2)
ok: [localhost] => (item=pkcs7)
skipping: [localhost] => (item=resolve)
ok: [localhost] => (item=pubkey)
skipping: [localhost] => (item=dnskey)
ok: [localhost] => (item=gcm)
ok: [localhost] => (item=stroke)
skipping: [localhost] => (item=gmp)
skipping: [localhost] => (item=connmark)
ok: [localhost] => (item=socket-default)
ok: [localhost] => (item=nonce)
skipping: [localhost] => (item=md4)
ok: [localhost] => (item=x509)
skipping: [localhost] => (item=constraints)
skipping: [localhost] => (item=agent)
ok: [localhost] => (item=openssl)
ok: [localhost] => (item=pem)
ok: [localhost] => (item=random)
ok: [localhost] => (item=pgp)

TASK [vpn : Ensure the pki directory is not exist] *****************************
skipping: [localhost]

TASK [vpn : Ensure the pki directories are exist] ******************************
ok: [localhost -> localhost] => (item=ecparams)
ok: [localhost -> localhost] => (item=certs)
ok: [localhost -> localhost] => (item=crl)
ok: [localhost -> localhost] => (item=newcerts)
ok: [localhost -> localhost] => (item=private)
ok: [localhost -> localhost] => (item=reqs)

TASK [vpn : Ensure the files are exist] ****************************************
changed: [localhost -> localhost] => (item=.rnd)
changed: [localhost -> localhost] => (item=private/.rnd)
changed: [localhost -> localhost] => (item=index.txt)
changed: [localhost -> localhost] => (item=index.txt.attr)
changed: [localhost -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *******************************
ok: [localhost -> localhost]

TASK [vpn : Build the CA pair] *************************************************
ok: [localhost -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************
ok: [localhost -> localhost]

TASK [vpn : Generate the serial number] ****************************************
ok: [localhost -> localhost]

TASK [vpn : Build the server pair] *********************************************
ok: [localhost -> localhost]

TASK [vpn : Build the client's pair] *******************************************
ok: [localhost -> localhost] => (item=user1)
ok: [localhost -> localhost] => (item=user2)
ok: [localhost -> localhost] => (item=user3)

TASK [vpn : Build the client's p12] ********************************************
changed: [localhost -> localhost] => (item=user1)
changed: [localhost -> localhost] => (item=user2)
changed: [localhost -> localhost] => (item=user3)

TASK [vpn : Copy the p12 certificates] *****************************************
changed: [localhost -> localhost] => (item=user1)
changed: [localhost -> localhost] => (item=user2)
changed: [localhost -> localhost] => (item=user3)

TASK [vpn : Copy the keys to the strongswan directory] *************************
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/XXX.XXX.XXX.XXX/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/certs/XXX.XXX.XXX.XXX.crt', u'src': u'configs/XXX.XXX.XXX.XXX/pki/certs/XXX.XXX.XXX.XXX.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
ok: [localhost] => (item={u'dest': u'/etc/ipsec.d/private/XXX.XXX.XXX.XXX.key', u'src': u'configs/XXX.XXX.XXX.XXX/pki/private/XXX.XXX.XXX.XXX.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Register p12 PayloadContent] ***************************************
changed: [localhost -> localhost] => (item=user1)
changed: [localhost -> localhost] => (item=user2)
changed: [localhost -> localhost] => (item=user3)

TASK [vpn : Set facts for mobileconfigs] ***************************************
ok: [localhost]

TASK [vpn : Build the mobileconfigs] *******************************************
changed: [localhost -> localhost] => (item=(censored due to no_log))
changed: [localhost -> localhost] => (item=(censored due to no_log))
changed: [localhost -> localhost] => (item=(censored due to no_log))

TASK [vpn : Build the strongswan app android config] ***************************
changed: [localhost -> localhost] => (item=(censored due to no_log))
changed: [localhost -> localhost] => (item=(censored due to no_log))
changed: [localhost -> localhost] => (item=(censored due to no_log))

TASK [vpn : Build the client ipsec config file] ********************************
ok: [localhost -> localhost] => (item=user1)
ok: [localhost -> localhost] => (item=user2)
ok: [localhost -> localhost] => (item=user3)

TASK [vpn : Build the client ipsec secret file] ********************************
ok: [localhost -> localhost] => (item=user1)
ok: [localhost -> localhost] => (item=user2)
ok: [localhost -> localhost] => (item=user3)

TASK [vpn : Build the windows client powershell script] ************************
skipping: [localhost] => (item=user2)
skipping: [localhost] => (item=user1)
skipping: [localhost] => (item=user3)

TASK [vpn : Restrict permissions for the local private directories] ************
ok: [localhost -> localhost] => (item=configs/XXX.XXX.XXX.XXX)

RUNNING HANDLER [vpn : restart strongswan] *************************************
changed: [localhost]

RUNNING HANDLER [vpn : restart iptables] ***************************************
changed: [localhost]

TASK [vpn : strongSwan started] ************************************************
ok: [localhost]

TASK [dns_adblocking : Gather Facts] *******************************************
ok: [localhost]

TASK [dns_adblocking : Dnsmasq installed] **************************************
changed: [localhost]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] *********************
changed: [localhost]

TASK [dns_adblocking : The dnsmasq directory created] **************************
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *******
skipping: [localhost]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***********
skipping: [localhost]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***
changed: [localhost]

TASK [dns_adblocking : FreeBSD / HardenedBSD | Enable dnsmasq] *****************
skipping: [localhost]

RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [localhost]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****************************
changed: [localhost]

TASK [dns_adblocking : Dnsmasq configured] *************************************
changed: [localhost]

TASK [dns_adblocking : Adblock script created] *********************************
changed: [localhost]

TASK [dns_adblocking : Adblock script added to cron] ***************************
changed: [localhost]

TASK [dns_adblocking : Update adblock hosts] ***********************************
changed: [localhost]
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

TASK [dns_adblocking : Dnsmasq enabled and started] ****************************
ok: [localhost]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service dnsmasq: Job for dnsmasq.service failed because the control process exited with error code. See \"systemctl status dnsmasq.service\" and \"journalctl -xe\" for details.\n"}

PLAY RECAP *********************************************************************
localhost                  : ok=71   changed=29   unreachable=0    failed=1

jackivanov commented 7 years ago

Cannot reproduce. Do you have any other DNS services on the server? Show the output here:

systemctl status dnsmasq
netstat -nltup | grep :53
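A triage helper for the check asked for in the reply above (what else is bound to port 53, and what dnsmasq itself logged), added here as an example; it is not code from algo or from anyone in this thread. The netstat and journal excerpts are constructed samples, and the `named` listener in them is a hypothetical conflict, not something this report found.

```shell
#!/bin/sh
# Added example, not part of algo or this issue thread: an offline-testable
# triage helper for the "restart dnsmasq" handler failure above. It answers
# the question asked in the thread ("is anything else on port 53?") and pulls
# dnsmasq's own error out of the journal, which is where the real cause lives
# (the Ansible message only says the control process exited non-zero).

# Constructed sample of `netstat -nltup` output. A plain `grep :53` over it
# returns six lines, because :5353 (mDNS) and :500 are not matched exactly.
# Note: without root, netstat prints "-" in the PID/Program column for
# sockets owned by other users, so run the live command as root.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2201/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1120/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2201/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           640/avahi-daemon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           1903/charon
udp6       0      0 :::5353                 :::*                                640/avahi-daemon'

# Constructed `journalctl -u dnsmasq` excerpt for the same failure mode.
SAMPLE_JOURNAL='Apr 15 10:02:11 vpn systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Apr 15 10:02:11 vpn dnsmasq[2299]: dnsmasq: failed to create listening socket for port 53: Address already in use
Apr 15 10:02:11 vpn systemd[1]: dnsmasq.service: Control process exited, code=exited status=2
Apr 15 10:02:11 vpn systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.'

# listeners_on_port PORT [SKIP_PROGRAM] < netstat-output
# Prints "proto local-address pid/program" for each socket whose local port is
# exactly PORT, ignoring sockets owned by SKIP_PROGRAM (e.g. dnsmasq itself,
# so only *other* DNS services are reported). Handles IPv4 "a.b.c.d:port" and
# IPv6 ":::port" forms by taking the text after the last colon.
listeners_on_port() {
    awk -v want="$1" -v skip="${2:-}" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            if (a[n] != want) next
            prog = $NF
            sub(/^[0-9]*\//, "", prog)   # "2201/dnsmasq" -> "dnsmasq"; "-" stays "-"
            if (skip != "" && prog == skip) next
            print $1, $4, $NF
        }'
}

# dnsmasq_bind_errors < journal-output
# Extracts dnsmasq's listening-socket failure text, which names the port or
# address and the errno string (here: Address already in use).
dnsmasq_bind_errors() {
    awk '/dnsmasq\[[0-9]+\]:.*failed to create listening socket/ {
            sub(/^.*failed to create/, "failed to create")
            print
        }'
}

# Demo on the constructed samples. Live use on the server (as root):
#   netstat -nltup | listeners_on_port 53 dnsmasq
#   journalctl -u dnsmasq --no-pager | dnsmasq_bind_errors
echo "Other listeners on :53:"
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_port 53 dnsmasq
echo "dnsmasq reported:"
printf '%s\n' "$SAMPLE_JOURNAL" | dnsmasq_bind_errors
```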

sashkab commented 7 years ago

There is nothing running on port 53:

$ netstat -nltup | grep :53

Unfortunately, I didn't save the output of dnsmasq's systemctl status..., and I don't want to try to re-install now, as everything seems to be working (sans DNS), and I don't have time to try.

I will attempt to retry the DNS installation next week and will report back.

sashkab commented 7 years ago

Error message was similar to this bug report: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1464990