search

trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.66k stars 2.31k forks source link

Can't install user profile on Mac #888

Closed nasushkov closed 6 years ago

nasushkov commented 6 years ago

OS / Environment (where do you run Algo on)

Darwin nikita-macs-MacBook-Pro.local 17.5.0 Darwin Kernel Version 17.5.0: Mon Mar 5 22:24:32 PST 2018; root:xnu-4570.51.1~1/RELEASE_X86_64 x86_64

Cloud Provider (where do you deploy Algo to)

Azure

Summary of the problem

After successful installation of Algo server on Azure I tried to add user .mobileconfig profile to my Mac. It worked out for the first time. However, after that I encountered some issues with the connection which became unstable for some reason. I removed the installed profile and tried to install it again. Now the error occurs after filling out the p12 password:

An error occurred while trying to import the certificate or identity.

Also, I don't see any Algo VPN in System Preferences -> Network. I tried to run Algo script again for this server, but nothing helps.

Steps to reproduce the behavior

  1. Setup the app in AAD
  2. Download Algo and follow the instructions
  3. Add user profile to your Mac
  4. Remove user profile
  5. You can't add it anymore or any other generated profile from Algo

Full log

What provider would you like to use?

  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Scaleway
  7. OpenStack (DreamCompute optimised)
  8. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider : 4

Enter your azure secret id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) You can skip this step if you want to use your defaults credentials from ~/.azure/credentials [pasted values will not be displayed] [...]:

Enter your azure tenant id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) You can skip this step if you want to use your defaults credentials from ~/.azure/credentials [pasted values will not be displayed] [...]:

Enter your azure client id (application id) (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) You can skip this step if you want to use your defaults credentials from ~/.azure/credentials [pasted values will not be displayed] [...]:

Enter your azure subscription id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) You can skip this step if you want to use your defaults credentials from ~/.azure/credentials [pasted values will not be displayed] [...]:

Name the vpn server: [algo]:

What region should the server be located in? (https://azure.microsoft.com/en-us/regions/)

  1. South Central US
  2. Central US
  3. North Europe
  4. West Europe
  5. Southeast Asia
  6. Japan West
  7. Japan East
  8. Australia Southeast
  9. Australia East
  10. Canada Central
  11. West US 2
  12. West Central US
  13. UK South
  14. UK West
  15. West US
  16. Brazil South
  17. Canada East
  18. Central India
  19. East Asia
  20. Germany Central
  21. Germany Northeast
  22. Korea Central
  23. Korea South
  24. North Central US
  25. South India
  26. West India
  27. East US
  28. East US 2

Enter the number of your desired region:

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) :

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?

Do you want each user to have their own account for SSH tunneling?

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)

Do you want to retain the CA key? (required to add users in the future, but less secure)

PLAY [Configure the server] ***

TASK [Gathering Facts] **** ok: [localhost]

TASK [Local pre-tasks] **** included: /Users/nikita_mac/vpn/algo-master/playbooks/local.yml for localhost

TASK [Generate the SSH private key] *** ok: [localhost]

TASK [Generate the SSH public key] **** ok: [localhost]

TASK [Change mode for the SSH private key] **** ok: [localhost]

TASK [Ensure the dynamic inventory exists] **** ok: [localhost]

TASK [cloud-azure : set_fact] ***** ok: [localhost]

TASK [cloud-azure : Create a resource group] ** ok: [localhost]

TASK [cloud-azure : Create a virtual network] ***** ok: [localhost]

TASK [cloud-azure : Create a security group] ** ok: [localhost]

TASK [cloud-azure : Create a subnet] ** ok: [localhost]

TASK [cloud-azure : Create an instance] *** ok: [localhost]

TASK [cloud-azure : set_fact] ***** ok: [localhost]

TASK [cloud-azure : Ensure the network interface includes all required parameters] **** ok: [localhost]

TASK [cloud-azure : Add the instance to an inventory group] *** changed: [localhost]

TASK [cloud-azure : set_fact] ***** ok: [localhost]

TASK [cloud-azure : Ensure the group azure exists in the dynamic inventory file] ** ok: [localhost]

TASK [cloud-azure : Populate the dynamic inventory] *** ok: [localhost]

TASK [Local post-tasks] *** included: /Users/nikita_mac/vpn/algo-master/playbooks/post.yml for localhost

TASK [Wait until SSH becomes ready...] **** ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] *** Pausing for 20 seconds (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) ok: [localhost]

TASK [include_tasks] ** included: /Users/nikita_mac/vpn/algo-master/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] **** ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] *** ok: [localhost]

PLAY [Configure the server and install required software] *****

TASK [Common pre-tasks] *** included: /Users/nikita_mac/vpn/algo-master/playbooks/common.yml for 52.136.235.170

TASK [Check the system] *** changed: [52.136.235.170]

TASK [Ubuntu pre-tasks] *** included: /Users/nikita_mac/vpn/algo-master/playbooks/ubuntu.yml for 52.136.235.170

TASK [Ubuntu | Install prerequisites] ***** changed: [52.136.235.170]

TASK [Ubuntu | Configure defaults] **** changed: [52.136.235.170]

TASK [FreeBSD pre-tasks] ** skipping: [52.136.235.170]

TASK [include_tasks] ** included: /Users/nikita_mac/vpn/algo-master/playbooks/facts/main.yml for 52.136.235.170

TASK [Gather Facts] *** ok: [52.136.235.170]

TASK [Ensure the algo ssh key exist on the server] **** ok: [52.136.235.170]

TASK [Enable IPv6] **** skipping: [52.136.235.170]

TASK [Set facts if the deployment in a cloud] ***** ok: [52.136.235.170]

TASK [Generate password for the CA key] *** changed: [52.136.235.170 -> localhost]

TASK [Generate p12 export password] *** changed: [52.136.235.170 -> localhost]

TASK [Define password facts] ** ok: [52.136.235.170]

TASK [Define the commonName] ** ok: [52.136.235.170]

TASK [common : include_tasks] ***** included: /Users/nikita_mac/vpn/algo-master/roles/common/tasks/ubuntu.yml for 52.136.235.170

TASK [common : Install software updates] ** changed: [52.136.235.170]

TASK [common : Check if reboot is required] *** changed: [52.136.235.170]

TASK [common : Reboot] **** changed: [52.136.235.170]

TASK [common : Wait until SSH becomes ready...] *** ok: [52.136.235.170 -> localhost]

TASK [common : Include unatteded upgrades configuration] ** included: /Users/nikita_mac/vpn/algo-master/roles/common/tasks/unattended-upgrades.yml for 52.136.235.170

TASK [common : Install unattended-upgrades] *** ok: [52.136.235.170]

TASK [common : Configure unattended-upgrades] ***** ok: [52.136.235.170]

TASK [common : Periodic upgrades configured] ** ok: [52.136.235.170]

TASK [common : Disable MOTD on login and SSHD] **** ok: [52.136.235.170] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'}) ok: [52.136.235.170] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Install system specific tools] ***** ok: [52.136.235.170] => (item=ifupdown)

TASK [common : Ensure the interfaces directory exists] **** ok: [52.136.235.170]

TASK [common : Loopback for services configured] ** ok: [52.136.235.170]

TASK [common : Loopback included into the network config] ***** ok: [52.136.235.170]

TASK [common : Check apparmor support] **** changed: [52.136.235.170]

TASK [common : set_fact] ** ok: [52.136.235.170]

TASK [common : set_fact] ** ok: [52.136.235.170]

TASK [common : include_tasks] ***** skipping: [52.136.235.170]

TASK [common : Install tools] ***** ok: [52.136.235.170] => (item=git) ok: [52.136.235.170] => (item=screen) ok: [52.136.235.170] => (item=apparmor-utils) ok: [52.136.235.170] => (item=uuid-runtime) ok: [52.136.235.170] => (item=coreutils) ok: [52.136.235.170] => (item=iptables-persistent) ok: [52.136.235.170] => (item=cgroup-tools) ok: [52.136.235.170] => (item=openssl)

TASK [common : Sysctl tuning] ***** ok: [52.136.235.170] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1}) ok: [52.136.235.170] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1}) ok: [52.136.235.170] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [dns_adblocking : The DNS tag is defined] **** ok: [52.136.235.170]

TASK [dns_adblocking : Dnsmasq installed] ***** ok: [52.136.235.170]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] **** ok: [52.136.235.170]

TASK [dns_adblocking : The dnsmasq directory created] ***** ok: [52.136.235.170]

TASK [dns_adblocking : include_tasks] ***** included: /Users/nikita_mac/vpn/algo-master/roles/dns_adblocking/tasks/ubuntu.yml for 52.136.235.170

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] ** ok: [52.136.235.170]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ** changed: [52.136.235.170]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ** ok: [52.136.235.170]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** ok: [52.136.235.170]

TASK [dns_adblocking : include_tasks] ***** skipping: [52.136.235.170]

TASK [dns_adblocking : Dnsmasq configured] **** ok: [52.136.235.170]

TASK [dns_adblocking : Adblock script created] **** ok: [52.136.235.170]

TASK [dns_adblocking : Adblock script added to cron] ** ok: [52.136.235.170]

TASK [dns_adblocking : Update adblock hosts] ** changed: [52.136.235.170]

TASK [dns_adblocking : Dnsmasq enabled and started] *** ok: [52.136.235.170]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] *** ok: [52.136.235.170]

TASK [ssh_tunneling : Ensure that the algo group exist] *** ok: [52.136.235.170]

TASK [ssh_tunneling : Ensure that the jail directory exist] *** ok: [52.136.235.170]

TASK [ssh_tunneling : Ensure that the SSH users exist] **** ok: [52.136.235.170] => (item=dan) ok: [52.136.235.170] => (item=jack) ok: [52.136.235.170] => (item=bob)

TASK [ssh_tunneling : The authorized keys file created] *** ok: [52.136.235.170] => (item=dan) ok: [52.136.235.170] => (item=jack) ok: [52.136.235.170] => (item=bob)

TASK [ssh_tunneling : Generate SSH fingerprints] ** changed: [52.136.235.170]

TASK [ssh_tunneling : Fetch users SSH private keys] *** ok: [52.136.235.170] => (item=dan) ok: [52.136.235.170] => (item=jack) ok: [52.136.235.170] => (item=bob)

TASK [ssh_tunneling : Change mode for SSH private keys] *** ok: [52.136.235.170 -> localhost] => (item=dan) ok: [52.136.235.170 -> localhost] => (item=jack) ok: [52.136.235.170 -> localhost] => (item=bob)

TASK [ssh_tunneling : Fetch the known_hosts file] ***** ok: [52.136.235.170 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] **** ok: [52.136.235.170 -> localhost] => (item=dan) ok: [52.136.235.170 -> localhost] => (item=jack) ok: [52.136.235.170 -> localhost] => (item=bob)

TASK [ssh_tunneling : SSH | Get active system users] ** skipping: [52.136.235.170]

TASK [ssh_tunneling : SSH | Delete non-existing users] **** skipping: [52.136.235.170] => (item=null)

TASK [vpn : Ensure that the strongswan group exist] *** ok: [52.136.235.170]

TASK [vpn : Ensure that the strongswan user exist] **** ok: [52.136.235.170]

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/ubuntu.yml for 52.136.235.170

TASK [vpn : set_fact] ***** ok: [52.136.235.170]

TASK [vpn : Ubuntu | Install strongSwan] ** ok: [52.136.235.170]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] *** changed: [52.136.235.170] => (item=/usr/lib/ipsec/charon) changed: [52.136.235.170] => (item=/usr/lib/ipsec/lookip) changed: [52.136.235.170] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ***** ok: [52.136.235.170] => (item=apparmor) ok: [52.136.235.170] => (item=strongswan) ok: [52.136.235.170] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] ** ok: [52.136.235.170]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *** ok: [52.136.235.170]

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/iptables.yml for 52.136.235.170

TASK [vpn : Iptables configured] ** ok: [52.136.235.170] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ** skipping: [52.136.235.170] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] **** skipping: [52.136.235.170]

TASK [vpn : Install strongSwan] *** ok: [52.136.235.170]

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/ipec_configuration.yml for 52.136.235.170

TASK [vpn : Setup the config files from our templates] **** ok: [52.136.235.170] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) ok: [52.136.235.170] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) ok: [52.136.235.170] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] *** changed: [52.136.235.170]

TASK [vpn : Disable unneeded plugins] ***** ok: [52.136.235.170] => (item=updown) skipping: [52.136.235.170] => (item=pem) ok: [52.136.235.170] => (item=dnskey) ok: [52.136.235.170] => (item=gmp) skipping: [52.136.235.170] => (item=x509) ok: [52.136.235.170] => (item=agent) ok: [52.136.235.170] => (item=test-vectors) ok: [52.136.235.170] => (item=sshkey) ok: [52.136.235.170] => (item=rc2) ok: [52.136.235.170] => (item=resolve) skipping: [52.136.235.170] => (item=gcm) ok: [52.136.235.170] => (item=attr) ok: [52.136.235.170] => (item=md4) skipping: [52.136.235.170] => (item=random) skipping: [52.136.235.170] => (item=pkcs8) ok: [52.136.235.170] => (item=sha1) skipping: [52.136.235.170] => (item=pubkey) skipping: [52.136.235.170] => (item=pkcs12) skipping: [52.136.235.170] => (item=pgp) ok: [52.136.235.170] => (item=fips-prf) ok: [52.136.235.170] => (item=connmark) skipping: [52.136.235.170] => (item=pkcs7) skipping: [52.136.235.170] => (item=stroke) skipping: [52.136.235.170] => (item=aes) skipping: [52.136.235.170] => (item=openssl) ok: [52.136.235.170] => (item=pkcs1) skipping: [52.136.235.170] => (item=kernel-netlink) skipping: [52.136.235.170] => (item=socket-default) ok: [52.136.235.170] => (item=md5) skipping: [52.136.235.170] => (item=hmac) ok: [52.136.235.170] => (item=xcbc) skipping: [52.136.235.170] => (item=revocation) skipping: [52.136.235.170] => (item=nonce) ok: [52.136.235.170] => (item=constraints) skipping: [52.136.235.170] => (item=sha2)

TASK [vpn : Ensure that required plugins are enabled] ***** skipping: [52.136.235.170] => (item=updown) ok: [52.136.235.170] => (item=pem) skipping: [52.136.235.170] => (item=dnskey) skipping: [52.136.235.170] => (item=gmp) ok: [52.136.235.170] => (item=x509) skipping: [52.136.235.170] => (item=agent) skipping: [52.136.235.170] => (item=test-vectors) skipping: [52.136.235.170] => (item=sshkey) skipping: [52.136.235.170] => (item=rc2) skipping: [52.136.235.170] => (item=resolve) ok: [52.136.235.170] => (item=gcm) skipping: [52.136.235.170] => (item=attr) skipping: [52.136.235.170] => (item=md4) ok: [52.136.235.170] => (item=random) ok: [52.136.235.170] => (item=pkcs8) skipping: [52.136.235.170] => (item=sha1) ok: [52.136.235.170] => (item=pubkey) ok: [52.136.235.170] => (item=pkcs12) ok: [52.136.235.170] => (item=pgp) skipping: [52.136.235.170] => (item=fips-prf) skipping: [52.136.235.170] => (item=connmark) ok: [52.136.235.170] => (item=pkcs7) ok: [52.136.235.170] => (item=stroke) ok: [52.136.235.170] => (item=aes) ok: [52.136.235.170] => (item=openssl) skipping: [52.136.235.170] => (item=pkcs1) ok: [52.136.235.170] => (item=kernel-netlink) ok: [52.136.235.170] => (item=socket-default) skipping: [52.136.235.170] => (item=md5) ok: [52.136.235.170] => (item=hmac) skipping: [52.136.235.170] => (item=xcbc) ok: [52.136.235.170] => (item=revocation) ok: [52.136.235.170] => (item=nonce) skipping: [52.136.235.170] => (item=constraints) ok: [52.136.235.170] => (item=sha2)

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/openssl.yml for 52.136.235.170

TASK [vpn : Ensure the pki directory does not exist] ** skipping: [52.136.235.170]

TASK [vpn : Ensure the pki directories exist] ***** ok: [52.136.235.170 -> localhost] => (item=ecparams) ok: [52.136.235.170 -> localhost] => (item=certs) ok: [52.136.235.170 -> localhost] => (item=crl) ok: [52.136.235.170 -> localhost] => (item=newcerts) ok: [52.136.235.170 -> localhost] => (item=private) ok: [52.136.235.170 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] *** changed: [52.136.235.170 -> localhost] => (item=.rnd) changed: [52.136.235.170 -> localhost] => (item=private/.rnd) changed: [52.136.235.170 -> localhost] => (item=index.txt) changed: [52.136.235.170 -> localhost] => (item=index.txt.attr) changed: [52.136.235.170 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] ** ok: [52.136.235.170 -> localhost]

TASK [vpn : Build the CA pair] **** ok: [52.136.235.170 -> localhost]

TASK [vpn : Copy the CA certificate] ** ok: [52.136.235.170 -> localhost]

TASK [vpn : Generate the serial number] *** ok: [52.136.235.170 -> localhost]

TASK [vpn : Build the server pair] **** ok: [52.136.235.170 -> localhost]

TASK [vpn : Build the client's pair] ** ok: [52.136.235.170 -> localhost] => (item=dan) ok: [52.136.235.170 -> localhost] => (item=jack) ok: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Build the client's p12] *** changed: [52.136.235.170 -> localhost] => (item=dan) changed: [52.136.235.170 -> localhost] => (item=jack) changed: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Copy the p12 certificates] **** changed: [52.136.235.170 -> localhost] => (item=dan) changed: [52.136.235.170 -> localhost] => (item=jack) changed: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Get active users] ***** changed: [52.136.235.170 -> localhost]

TASK [vpn : Revoke non-existing users] **** skipping: [52.136.235.170] => (item=dan) skipping: [52.136.235.170] => (item=jack) skipping: [52.136.235.170] => (item=bob)

TASK [vpn : Genereate new CRL file] *** skipping: [52.136.235.170]

TASK [vpn : Copy the CRL to the vpn server] *** skipping: [52.136.235.170]

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/distribute_keys.yml for 52.136.235.170

TASK [vpn : Copy the keys to the strongswan directory] **** ok: [52.136.235.170] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/52.136.235.170/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'}) ok: [52.136.235.170] => (item={u'dest': u'/etc/ipsec.d/certs/52.136.235.170.crt', u'src': u'configs/52.136.235.170/pki/certs/52.136.235.170.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'}) ok: [52.136.235.170] => (item={u'dest': u'/etc/ipsec.d/private/52.136.235.170.key', u'src': u'configs/52.136.235.170/pki/private/52.136.235.170.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : include_tasks] **** included: /Users/nikita_mac/vpn/algo-master/roles/vpn/tasks/client_configs.yml for 52.136.235.170

TASK [vpn : Register p12 PayloadContent] ** changed: [52.136.235.170 -> localhost] => (item=dan) changed: [52.136.235.170 -> localhost] => (item=jack) changed: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Set facts for mobileconfigs] ** ok: [52.136.235.170 -> localhost]

TASK [vpn : Build the mobileconfigs] ** changed: [52.136.235.170] => (item=None) changed: [52.136.235.170] => (item=None) changed: [52.136.235.170] => (item=None)

TASK [vpn : Build the strongswan app android config] ** changed: [52.136.235.170] => (item=None) changed: [52.136.235.170] => (item=None) changed: [52.136.235.170] => (item=None)

TASK [vpn : Build the android helper html] **** ok: [52.136.235.170] => (item=None) ok: [52.136.235.170] => (item=None) ok: [52.136.235.170] => (item=None)

TASK [vpn : Build the client ipsec config file] *** changed: [52.136.235.170 -> localhost] => (item=dan) changed: [52.136.235.170 -> localhost] => (item=jack) changed: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Build the client ipsec secret file] *** ok: [52.136.235.170 -> localhost] => (item=dan) ok: [52.136.235.170 -> localhost] => (item=jack) ok: [52.136.235.170 -> localhost] => (item=bob)

TASK [vpn : Create the windows check file] **** changed: [52.136.235.170 -> localhost]

TASK [vpn : Check if the windows check file exists] *** ok: [52.136.235.170 -> localhost]

TASK [vpn : Build the windows client powershell script] *** changed: [52.136.235.170 -> localhost] => (item=[u'dan', {'_ansible_parsed': True, 'stderr_lines': [], u'cmd': u'cat private/dan.p12 | base64', u'end': u'2018-04-24 15:40:45.482873', '_ansible_no_log': False, '_ansible_delegated_vars': {'ansible_delegated_host': u'localhost', 'ansible_host': u'localhost'}, '_ansible_item_result': True, u'changed': True, u'stdout': u'MIIEDQIBAzCCA9MGCSqGSIb3DQEHAaCCA8QEggPAMIIDvDCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQITVGgr5AYwXwCAggAgIICUCMPVJwcr1rCWEm2LC2HotahS6hm6SYItBxlzAA1CB2ZVW17ISnlgglcXDEnLY4U8bhu+V+XVgj/LgejP3ztlyN2cd18OVn5bnMIbfWkv4lNPY0M4zINQC/qisVOpqzCWzrL9VSKlfN8VDr51RrsQobOuKAN+0Y+3l1yPfDeGGiTtwtc0O67jaqy0F4eEO1R+mVP47noi8OTaNURytEkhnzAWbWv6tHoeMy2axHCZF0TvpawPYLIkUIrqVgl546HsfS3Tg2hjOTwTKuIEJWFComK9+yOQVpoQU9PezxBebUzt1ydOGSRzniMRq2hYux5d/cWmskNUe1qNg9nnZ95IH3yRFQu8H+i9d4eTXFlQqCUisnAtjm1XFxSB60I54JfghGkRPs+cjPxeK/q2O+PCtwumbALKDCs6R/QGO+UzlsPY3K0fKAclDgZ4EAkMj0bAMHUJrg/bE2wVgQRWJ8BMQWSWLKt90fe9KspNMifD8UPy0RfPy+mo4TQ+IzWv8ILqxD0AchiXGDAiHbBzRzk3t2HwvD40ypVnYKJToVj9FxOOYGJ92Ki02KbpTs0HrZ+bDJmHy6dEvHESvHNcm7rJFP0iwoSeuYxINb6r8uA/7ai3TZgw4yQQDchUJaXtaE7l47j+BaOEGCd8Mi7xjqkqkhakefKg7xodSjqNLCjSQuon1I/V3915KU6v1QAu7YzxrHW8+/p4zpLesyoeT8EUcLTiXO4OYpSIOkf7/OsT98TLLfi1nQEffNACtUZ6DssExew4lVyCQS2CZkcWPc2JiUwggEdBgkqhkiG9w0BBwGgggEOBIIBCjCCAQYwggECBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECMEfDESxAF+/AgIIAASBkKaQHVv1hzHW7qMwBCkxhXnYkSiQhy62d2hAfVxZhGOOta+5keYsx+DqiEG6Zv2gHW24nBlMbXOBk+O618o0PXXmgHb5X7bsIGy5Xg6mscJbh8UhikqwYbzXF6nwumPDl5odiK85qrtH7Xj+0l/mAD8MAT2jBeOJpe8kJ/UuYp2Ye4MUNjE75Za3OqBPHDroPjE8MBUGCSqGSIb3DQEJFDEIHgYAZABhAG4wIwYJKoZIhvcNAQkVMRYEFLZ5N6X1+/u6Zd7RS7p3vouJa6FWMDEwITAJBgUrDgMCGgUABBR2sccN4Y067GrQMxw9y7t+gjoyWwQI1Phe9H6Htw0CAggA', 'item': u'dan', u'delta': u'0:00:00.012687', u'stderr': u'', u'rc': 0, u'invocation': {u'module_args': {u'warn': True, u'executable': None, u'chdir': u'configs/52.136.235.170/pki/', u'_raw_params': u'cat private/dan.p12 | base64', u'removes': None, u'creates': None, u'_uses_shell': True, u'stdin': None}}, 'stdout_lines': [u'MIIEDQIBAzCCA9MGCSqGSIb3DQEHAaCCA8QEggPAMIIDvDCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQITVGgr5AYwXwCAggAgIICUCMPVJwcr1rCWEm2LC2HotahS6hm6SYItBxlzAA1CB2ZVW17ISnlgglcXDEnLY4U8bhu+V+XVgj/LgejP3ztlyN2cd18OVn5bnMIbfWkv4lNPY0M4zINQC/qisVOpqzCWzrL9VSKlfN8VDr51RrsQobOuKAN+0Y+3l1yPfDeGGiTtwtc0O67jaqy0F4eEO1R+mVP47noi8OTaNURytEkhnzAWbWv6tHoeMy2axHCZF0TvpawPYLIkUIrqVgl546HsfS3Tg2hjOTwTKuIEJWFComK9+yOQVpoQU9PezxBebUzt1ydOGSRzniMRq2hYux5d/cWmskNUe1qNg9nnZ95IH3yRFQu8H+i9d4eTXFlQqCUisnAtjm1XFxSB60I54JfghGkRPs+cjPxeK/q2O+PCtwumbALKDCs6R/QGO+UzlsPY3K0fKAclDgZ4EAkMj0bAMHUJrg/bE2wVgQRWJ8BMQWSWLKt90fe9KspNMifD8UPy0RfPy+mo4TQ+IzWv8ILqxD0AchiXGDAiHbBzRzk3t2HwvD40ypVnYKJToVj9FxOOYGJ92Ki02KbpTs0HrZ+bDJmHy6dEvHESvHNcm7rJFP0iwoSeuYxINb6r8uA/7ai3TZgw4yQQDchUJaXtaE7l47j+BaOEGCd8Mi7xjqkqkhakefKg7xodSjqNLCjSQuon1I/V3915KU6v1QAu7YzxrHW8+/p4zpLesyoeT8EUcLTiXO4OYpSIOkf7/OsT98TLLfi1nQEffNACtUZ6DssExew4lVyCQS2CZkcWPc2JiUwggEdBgkqhkiG9w0BBwGgggEOBIIBCjCCAQYwggECBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECMEfDESxAF+/AgIIAASBkKaQHVv1hzHW7qMwBCkxhXnYkSiQhy62d2hAfVxZhGOOta+5keYsx+DqiEG6Zv2gHW24nBlMbXOBk+O618o0PXXmgHb5X7bsIGy5Xg6mscJbh8UhikqwYbzXF6nwumPDl5odiK85qrtH7Xj+0l/mAD8MAT2jBeOJpe8kJ/UuYp2Ye4MUNjE75Za3OqBPHDroPjE8MBUGCSqGSIb3DQEJFDEIHgYAZABhAG4wIwYJKoZIhvcNAQkVMRYEFLZ5N6X1+/u6Zd7RS7p3vouJa6FWMDEwITAJBgUrDgMCGgUABBR2sccN4Y067GrQMxw9y7t+gjoyWwQI1Phe9H6Htw0CAggA'], u'start': u'2018-04-24 15:40:45.470186', '_ansible_ignore_errors': None, 'failed': False}]) changed: [52.136.235.170 -> localhost] => (item=[u'jack', {'_ansible_parsed': True, 'stderr_lines': [], u'cmd': u'cat private/jack.p12 | base64', u'end': u'2018-04-24 15:40:45.679160', '_ansible_no_log': False, '_ansible_delegated_vars': {'ansible_delegated_host': u'localhost', 'ansible_host': u'localhost'}, '_ansible_item_result': True, u'changed': True, u'stdout': u'MIIEDwIBAzCCA9UGCSqGSIb3DQEHAaCCA8YEggPCMIIDvjCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQILGkaq7/NOTwCAggAgIICUFUc20qcCNIWsEX4IB4LZQwHiUzNookuOBRGofeRDLdpOwVNmWJA5fBJJm8OB6EWZVe51gbhHZVS9NFa81Ka53tj1rnzMfVAvPIfsX9PZYnfpiE81+/hhORqniHCyCDLnan6zJ+yJo+CghTl9aAkD2reDNiCatvI+W9/o709Q9CapnQ0wVbGXEtZeS8AvmmQTaAonqUX6IOhs300Dn+G4OJck61P5zpKQVt2cYDLJSn02kw6B9fleXDxtns/X2/VVdv7VHOjWlkWa6X+uWRbEnNYMAY5NJEJCTCY8HkX3CT0ntDlAXPqQeEtULEoUyXP23KYuOIl32ymAhpikr0FvIkhh76RKKSY9f8RGG+ar4FQ3qwohJ5edznd7D9u15k9Ww48q+dnRE36GRFIb304syJVNHG9AHGt9tUC82FsxzCn8cnjs8fOVQX/bo9we1Mm3tpjpkbKmKJv/HemUTR5EEPCPlVdm62M+QpCzeUxxwcMa/LmghYe0HbpCFICjM4BL6ocpG8wpzcS/IMzDIO+YzNnd06eUbQM97ho3lLczyzY0aDlDLyn8mz+HLgwdt0705IrObt1Voj0dcO6ZVHYGflPRxeJhFItwJG9maUGtxlOlPRD40qgkvfSbuA+BpIloo2QhrxCW0ewVXQcoUi6OhZ/Iz84edF3nrPkPTMbqwgLxHZ6YXGJaFQZRee0h91zxFss3wzm/DH79/YKKdWyAjeNAtWEByUXpS275WSxsMSavs/1UY2LxneA+AChQzsWBrtdafQeLWW4GyWUvrlH6qEwggEfBgkqhkiG9w0BBwGgggEQBIIBDDCCAQgwggEEBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECA8yoiUSNXU/AgIIAASBkFNs4sLVo5cFFkYDPA+xVxzSlhPbelgB29H25DPYyPtZa5p8leorHisWqApUiND4nEf1bE076B9hyHRkTFsvoAkO5A36s9iSf1euMD4ZaC4XIFmEsIjVb6B53TP3STRsox40HhJEDexg6A7yFVbUVUiCtz5456fMAYN3XBTljxoZ/55h+KyKo7kowTOaMG3aSzE+MBcGCSqGSIb3DQEJFDEKHggAagBhAGMAazAjBgkqhkiG9w0BCRUxFgQUcd4OPuoo7o2+cneweTgKNKKI/pUwMTAhMAkGBSsOAwIaBQAEFNFRJAkv0xQEpjRc530N/alqKWPrBAje7U8M/mqucAICCAA=', 'item': u'jack', u'delta': u'0:00:00.012200', u'stderr': u'', u'rc': 0, u'invocation': {u'module_args': {u'warn': True, u'executable': None, u'chdir': u'configs/52.136.235.170/pki/', u'_raw_params': u'cat private/jack.p12 | base64', u'removes': None, u'creates': None, u'_uses_shell': True, u'stdin': None}}, 'stdout_lines': [u'MIIEDwIBAzCCA9UGCSqGSIb3DQEHAaCCA8YEggPCMIIDvjCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQILGkaq7/NOTwCAggAgIICUFUc20qcCNIWsEX4IB4LZQwHiUzNookuOBRGofeRDLdpOwVNmWJA5fBJJm8OB6EWZVe51gbhHZVS9NFa81Ka53tj1rnzMfVAvPIfsX9PZYnfpiE81+/hhORqniHCyCDLnan6zJ+yJo+CghTl9aAkD2reDNiCatvI+W9/o709Q9CapnQ0wVbGXEtZeS8AvmmQTaAonqUX6IOhs300Dn+G4OJck61P5zpKQVt2cYDLJSn02kw6B9fleXDxtns/X2/VVdv7VHOjWlkWa6X+uWRbEnNYMAY5NJEJCTCY8HkX3CT0ntDlAXPqQeEtULEoUyXP23KYuOIl32ymAhpikr0FvIkhh76RKKSY9f8RGG+ar4FQ3qwohJ5edznd7D9u15k9Ww48q+dnRE36GRFIb304syJVNHG9AHGt9tUC82FsxzCn8cnjs8fOVQX/bo9we1Mm3tpjpkbKmKJv/HemUTR5EEPCPlVdm62M+QpCzeUxxwcMa/LmghYe0HbpCFICjM4BL6ocpG8wpzcS/IMzDIO+YzNnd06eUbQM97ho3lLczyzY0aDlDLyn8mz+HLgwdt0705IrObt1Voj0dcO6ZVHYGflPRxeJhFItwJG9maUGtxlOlPRD40qgkvfSbuA+BpIloo2QhrxCW0ewVXQcoUi6OhZ/Iz84edF3nrPkPTMbqwgLxHZ6YXGJaFQZRee0h91zxFss3wzm/DH79/YKKdWyAjeNAtWEByUXpS275WSxsMSavs/1UY2LxneA+AChQzsWBrtdafQeLWW4GyWUvrlH6qEwggEfBgkqhkiG9w0BBwGgggEQBIIBDDCCAQgwggEEBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECA8yoiUSNXU/AgIIAASBkFNs4sLVo5cFFkYDPA+xVxzSlhPbelgB29H25DPYyPtZa5p8leorHisWqApUiND4nEf1bE076B9hyHRkTFsvoAkO5A36s9iSf1euMD4ZaC4XIFmEsIjVb6B53TP3STRsox40HhJEDexg6A7yFVbUVUiCtz5456fMAYN3XBTljxoZ/55h+KyKo7kowTOaMG3aSzE+MBcGCSqGSIb3DQEJFDEKHggAagBhAGMAazAjBgkqhkiG9w0BCRUxFgQUcd4OPuoo7o2+cneweTgKNKKI/pUwMTAhMAkGBSsOAwIaBQAEFNFRJAkv0xQEpjRc530N/alqKWPrBAje7U8M/mqucAICCAA='], u'start': u'2018-04-24 15:40:45.666960', '_ansible_ignore_errors': None, 'failed': False}]) changed: [52.136.235.170 -> localhost] => (item=[u'bob', {'_ansible_parsed': True, 'stderr_lines': [], u'cmd': u'cat private/bob.p12 | base64', u'end': u'2018-04-24 15:40:45.878530', '_ansible_no_log': False, '_ansible_delegated_vars': {'ansible_delegated_host': u'localhost', 'ansible_host': u'localhost'}, '_ansible_item_result': True, u'changed': True, u'stdout': u'MIIEDQIBAzCCA9MGCSqGSIb3DQEHAaCCA8QEggPAMIIDvDCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIegflervEpnYCAggAgIICUL/Pj+0AN5BvV4bWNpUiq/uar3un+u7tqt/o999BYJCLID59wcdTSRDfErng55nRAHYxL2VVUbh/V4R1UGJ1vgkKwQZetZVUUjaGIkSHUKtLCF0ncRRv76XMK6Jjmig2uQeMtqaipKVzmyXxtBq0+Zin9wZB+hsHGEDUb0ja1zJr7vSw3D7YJdRYZiwe07NmFinih464CtZOfae0WvoXUWiR7yNCPD421njJjrQVP6KuIt3d83pVo2zKGdhrZhPjcmFtEyQPsfn4VOvjCBip1y1cImLC6aDnoSwZ7bu9xtwcBVtcT4UTNoh4TlQIu1bwUwKIczPQwCqRRNv87LHXbqaiWAI4B+X2020KcAIYUGOorMZAZ3d2uGT0ULTzTinMKB4STyubbJvsNaP/pJQWu8sYfxa5eI/36YtlznfDO/HXqdD7KHi9C8dhrhRLmexezQQvkv4iN2zX3XfW1o6iu8axVasZTRpFkzl1lWzGONkqhagMSHFt9QpL0CHRZscbrAUiikpYoQKMf9lstWzmd69AkQF/72wpmEMOHUvHwzlE2L9e8LeqfkUn5iujXYhATtHMDbpTrLqyRJv2+eY1lS9LSyPo+6EOGiZjRYZeWPN7sfLVnlRHA7KjT8WcC0eDZf5RrTgfOj4XxiIFQkJmOVPaWiQrOtzfgJ3Og5rP0SRA9K8GLQvM6HrDdmTO0umhsoegIsIvPt9zfAUmkcJOlCKYQqqJZJGWktVVXOFL7PWYE8+76XMlvqOC8SNi5T/lRHRe1wf1TGiPPBn3mR7glnowggEdBgkqhkiG9w0BBwGgggEOBIIBCjCCAQYwggECBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECCPSaCReJ4hrAgIIAASBkEHPfeYJh/ar80iEt7ku4jBVGEEddLPpTA0GEzZzbg430Ycv3Rx+aq/voujjK90ZvOwxGXDZIx5+uBtdf7+qKv3V9AypIbaB/sAfiEpmmR3aLlAMAvXcrxqTzUx27OkInhnjXlTDjoxl0MZrWPsp7YOGHkGm45jizNcayGfNmWSkBVj47TaDO/UNyh+4plJMjTE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFOLl56rgCphWuYVnwReNukjd3z9LMDEwITAJBgUrDgMCGgUABBTr/MTkLm2ZB3T7r7VgDxggO8cBoAQIbJyqE++hCXoCAggA', 'item': u'bob', u'delta': u'0:00:00.012088', u'stderr': u'', u'rc': 0, u'invocation': {u'module_args': {u'warn': True, u'executable': None, u'chdir': u'configs/52.136.235.170/pki/', u'_raw_params': u'cat private/bob.p12 | base64', u'removes': None, u'creates': None, u'_uses_shell': True, u'stdin': None}}, 'stdout_lines': [u'MIIEDQIBAzCCA9MGCSqGSIb3DQEHAaCCA8QEggPAMIIDvDCCApcGCSqGSIb3DQEHBqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIegflervEpnYCAggAgIICUL/Pj+0AN5BvV4bWNpUiq/uar3un+u7tqt/o999BYJCLID59wcdTSRDfErng55nRAHYxL2VVUbh/V4R1UGJ1vgkKwQZetZVUUjaGIkSHUKtLCF0ncRRv76XMK6Jjmig2uQeMtqaipKVzmyXxtBq0+Zin9wZB+hsHGEDUb0ja1zJr7vSw3D7YJdRYZiwe07NmFinih464CtZOfae0WvoXUWiR7yNCPD421njJjrQVP6KuIt3d83pVo2zKGdhrZhPjcmFtEyQPsfn4VOvjCBip1y1cImLC6aDnoSwZ7bu9xtwcBVtcT4UTNoh4TlQIu1bwUwKIczPQwCqRRNv87LHXbqaiWAI4B+X2020KcAIYUGOorMZAZ3d2uGT0ULTzTinMKB4STyubbJvsNaP/pJQWu8sYfxa5eI/36YtlznfDO/HXqdD7KHi9C8dhrhRLmexezQQvkv4iN2zX3XfW1o6iu8axVasZTRpFkzl1lWzGONkqhagMSHFt9QpL0CHRZscbrAUiikpYoQKMf9lstWzmd69AkQF/72wpmEMOHUvHwzlE2L9e8LeqfkUn5iujXYhATtHMDbpTrLqyRJv2+eY1lS9LSyPo+6EOGiZjRYZeWPN7sfLVnlRHA7KjT8WcC0eDZf5RrTgfOj4XxiIFQkJmOVPaWiQrOtzfgJ3Og5rP0SRA9K8GLQvM6HrDdmTO0umhsoegIsIvPt9zfAUmkcJOlCKYQqqJZJGWktVVXOFL7PWYE8+76XMlvqOC8SNi5T/lRHRe1wf1TGiPPBn3mR7glnowggEdBgkqhkiG9w0BBwGgggEOBIIBCjCCAQYwggECBgsqhkiG9w0BDAoBAqCBtDCBsTAcBgoqhkiG9w0BDAEDMA4ECCPSaCReJ4hrAgIIAASBkEHPfeYJh/ar80iEt7ku4jBVGEEddLPpTA0GEzZzbg430Ycv3Rx+aq/voujjK90ZvOwxGXDZIx5+uBtdf7+qKv3V9AypIbaB/sAfiEpmmR3aLlAMAvXcrxqTzUx27OkInhnjXlTDjoxl0MZrWPsp7YOGHkGm45jizNcayGfNmWSkBVj47TaDO/UNyh+4plJMjTE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFOLl56rgCphWuYVnwReNukjd3z9LMDEwITAJBgUrDgMCGgUABBTr/MTkLm2ZB3T7r7VgDxggO8cBoAQIbJyqE++hCXoCAggA'], u'start': u'2018-04-24 15:40:45.866442', '_ansible_ignore_errors': None, 'failed': False}])

TASK [vpn : Restrict permissions for the local private directories] *** ok: [52.136.235.170 -> localhost] => (item=configs/52.136.235.170)

RUNNING HANDLER [dns_adblocking : restart apparmor] *** changed: [52.136.235.170]

TASK [vpn : strongSwan started] *** ok: [52.136.235.170]

TASK [debug] ** ok: [52.136.235.170] => { "msg": [ [ "\"# Congratulations! #\"", "\"# Your Algo server is running. #\"", "\"# Config files and certificates are in the ./configs/ directory. #\"", "\"# Go to https://whoer.net/ after connecting #\"", "\"# and ensure that all your traffic passes through the VPN. #\"", "\"# Local DNS resolver 172.16.0.1 #\"", "" ], " \"# The p12 and SSH keys password for new users is KfoP5kES #\"\n", " \"# The CA key password is f0c336aaf9ae1c5a907e05c630e9c68f #\"\n", " \"# Shell access: ssh -i configs/algo.pem ubuntu@52.136.235.170 #\"\n" ] }

TASK [Delete the CA key] ** skipping: [52.136.235.170]

PLAY RECAP **** 52.136.235.170 : ok=102 changed=25 unreachable=0 failed=0
localhost : ok=24 changed=1 unreachable=0 failed=0

dguido commented 6 years ago

I can't reproduce this. Try naming the server differently or avoid whitelisting Wifi APs. Sometimes there are escaping problems in the mobileconfig.