trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Can connect to VPN once, but no Internet. Can never connect again. #906

Closed: deanishe closed this issue 6 years ago

deanishe commented 6 years ago

OS / Environment (where do you run Algo on)

Linux hostname 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Cloud Provider (where do you deploy Algo to)

Ubuntu 16.04.4 (local installation)

Summary of the problem

I can connect only once (in total, not per device) to the VPN server (from iOS 11.3.1), but there is no connection to the Internet. All subsequent attempts to connect to the algo server fail. Rebooting doesn't help.

NOTE: I have successfully deployed algo to the same VPS before and all tested client devices can connect without issue to another algo server I have.

Steps to reproduce the behavior

  1. Install algo (I've tried both local install and from a macOS Sierra machine)
  2. Connect to server using iOS profile
  3. No Internet connection
  4. Disconnect from algo server
  5. Never able to connect again

Full log

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider
: 8

Enter the IP address of your server: (or use localhost for local installation)
[localhost]:

What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]:

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[]: XXX.XXX.XX.XXX

Was this server deployed by Algo previously?
[y/N]:

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: Der Herr der Pinge,UPC6001195

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: y

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]:

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: y

PLAY [Configure the server] **********************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************
ok: [localhost]

TASK [Local pre-tasks] ***************************************************************************************************************************************
included: /root/algo/playbooks/local.yml for localhost

TASK [Generate the SSH private key] **************************************************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] ***************************************************************************************************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *******************************************************************************************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *******************************************************************************************************************
changed: [localhost]

TASK [Local pre-tasks] ***************************************************************************************************************************************
skipping: [localhost]

TASK [local : Add the instance to an inventory group] ********************************************************************************************************
skipping: [localhost]

TASK [local : Add the instance to an inventory group] ********************************************************************************************************
changed: [localhost]

TASK [local : set_fact] **************************************************************************************************************************************
ok: [localhost]

TASK [local : Ensure the group local exists in the dynamic inventory file] ***********************************************************************************
changed: [localhost]

TASK [local : Populate the dynamic inventory] ****************************************************************************************************************
changed: [localhost]

PLAY [Configure the server and install required software] ****************************************************************************************************

TASK [Common pre-tasks] **************************************************************************************************************************************
included: /root/algo/playbooks/common.yml for localhost

TASK [Check the system] **************************************************************************************************************************************
changed: [localhost]

TASK [Ubuntu pre-tasks] **************************************************************************************************************************************
included: /root/algo/playbooks/ubuntu.yml for localhost

TASK [Ubuntu | Install prerequisites] ************************************************************************************************************************
changed: [localhost]

TASK [FreeBSD pre-tasks] *************************************************************************************************************************************
skipping: [localhost]

TASK [include_tasks] *****************************************************************************************************************************************
included: /root/algo/playbooks/facts/main.yml for localhost

TASK [Gather Facts] ******************************************************************************************************************************************
ok: [localhost]

TASK [Enable IPv6] *******************************************************************************************************************************************
ok: [localhost]

TASK [Generate password for the CA key] **********************************************************************************************************************
changed: [localhost -> localhost]

TASK [Generate p12 export password] **************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Define password facts] *********************************************************************************************************************************
ok: [localhost]

TASK [Define the commonName] *********************************************************************************************************************************
ok: [localhost]

TASK [common : include_tasks] ********************************************************************************************************************************
included: /root/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Install system specific tools] ****************************************************************************************************************
ok: [localhost] => (item=ifupdown)

TASK [common : Ensure the interfaces directory exists] *******************************************************************************************************
ok: [localhost]

TASK [common : Loopback for services configured] *************************************************************************************************************
changed: [localhost]

TASK [common : Loopback included into the network config] ****************************************************************************************************
changed: [localhost]

RUNNING HANDLER [common : restart loopback] ******************************************************************************************************************
changed: [localhost]

TASK [common : Check apparmor support] ***********************************************************************************************************************
changed: [localhost]

TASK [common : set_fact] *************************************************************************************************************************************
ok: [localhost]

TASK [common : set_fact] *************************************************************************************************************************************
ok: [localhost]

TASK [common : include_tasks] ********************************************************************************************************************************
skipping: [localhost]

TASK [common : Install tools] ********************************************************************************************************************************
ok: [localhost] => (item=git)
ok: [localhost] => (item=screen)
changed: [localhost] => (item=apparmor-utils)
ok: [localhost] => (item=uuid-runtime)
ok: [localhost] => (item=coreutils)
changed: [localhost] => (item=iptables-persistent)
changed: [localhost] => (item=cgroup-tools)
ok: [localhost] => (item=openssl)

TASK [common : Sysctl tuning] ********************************************************************************************************************************
changed: [localhost] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [localhost] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [localhost] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [dns_encryption : Include tasks for Ubuntu] *************************************************************************************************************
included: /root/algo/roles/dns_encryption/tasks/ubuntu.yml for localhost

TASK [dns_encryption : Add the repository] *******************************************************************************************************************
changed: [localhost]

TASK [dns_encryption : Install dnscrypt-proxy] ***************************************************************************************************************
changed: [localhost]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *************************************************************************************
changed: [localhost]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] **********************************************************************
changed: [localhost]

TASK [dns_encryption : Include tasks for FreeBSD] ************************************************************************************************************
skipping: [localhost]

TASK [dns_encryption : dnscrypt-proxy configured] ************************************************************************************************************
changed: [localhost]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ***************************************************************************************************
ok: [localhost]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] ****************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : The DNS tag is defined] ***************************************************************************************************************
ok: [localhost]

TASK [dns_adblocking : Dnsmasq installed] ********************************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] ***************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : The dnsmasq directory created] ********************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : include_tasks] ************************************************************************************************************************
included: /root/algo/roles/dns_adblocking/tasks/ubuntu.yml for localhost

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] *****************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] *****************************************************************************
changed: [localhost]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***************************************************************************
changed: [localhost]

TASK [dns_adblocking : include_tasks] ************************************************************************************************************************
skipping: [localhost]

TASK [dns_adblocking : Dnsmasq configured] *******************************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Adblock script created] ***************************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Adblock script added to cron] *********************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Update adblock hosts] *****************************************************************************************************************
changed: [localhost]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] ***********************************************************************************************************
changed: [localhost]

RUNNING HANDLER [vpn : daemon-reload] ************************************************************************************************************************
changed: [localhost]

TASK [dns_adblocking : Dnsmasq enabled and started] **********************************************************************************************************
ok: [localhost]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] **********************************************************************************
changed: [localhost]

TASK [ssh_tunneling : Ensure that the algo group exist] ******************************************************************************************************
changed: [localhost]

TASK [ssh_tunneling : Ensure that the jail directory exist] **************************************************************************************************
changed: [localhost]

TASK [ssh_tunneling : Ensure that the SSH users exist] *******************************************************************************************************
changed: [localhost] => (item=earl)
changed: [localhost] => (item=mclovin)
changed: [localhost] => (item=don-cazzo)
changed: [localhost] => (item=spanish-harlan)

TASK [ssh_tunneling : The authorized keys file created] ******************************************************************************************************
changed: [localhost] => (item=earl)
changed: [localhost] => (item=mclovin)
changed: [localhost] => (item=don-cazzo)
changed: [localhost] => (item=spanish-harlan)

TASK [ssh_tunneling : Generate SSH fingerprints] *************************************************************************************************************
changed: [localhost]

TASK [ssh_tunneling : Fetch users SSH private keys] **********************************************************************************************************
changed: [localhost] => (item=earl)
changed: [localhost] => (item=mclovin)
changed: [localhost] => (item=don-cazzo)
changed: [localhost] => (item=spanish-harlan)

TASK [ssh_tunneling : Change mode for SSH private keys] ******************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [ssh_tunneling : Fetch the known_hosts file] ************************************************************************************************************
changed: [localhost -> localhost]

TASK [ssh_tunneling : Build the client ssh config] ***********************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [ssh_tunneling : SSH | Get active system users] *********************************************************************************************************
skipping: [localhost]

TASK [ssh_tunneling : SSH | Delete non-existing users] *******************************************************************************************************
skipping: [localhost] => (item=null)

TASK [vpn : Ensure that the strongswan group exist] **********************************************************************************************************
changed: [localhost]

TASK [vpn : Ensure that the strongswan user exist] ***********************************************************************************************************
changed: [localhost]

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/ubuntu.yml for localhost

TASK [vpn : set_fact] ****************************************************************************************************************************************
ok: [localhost]

TASK [vpn : Ubuntu | Install strongSwan] *********************************************************************************************************************
changed: [localhost]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] **********************************************************************************************************
changed: [localhost] => (item=/usr/lib/ipsec/charon)
changed: [localhost] => (item=/usr/lib/ipsec/lookip)
changed: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ************************************************************************************************************************
ok: [localhost] => (item=apparmor)
ok: [localhost] => (item=strongswan)
ok: [localhost] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *************************************************************************************
changed: [localhost]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **************************************************************************************
changed: [localhost]

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/iptables.yml for localhost

TASK [vpn : Iptables configured] *****************************************************************************************************************************
changed: [localhost] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *****************************************************************************************************************************
changed: [localhost] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] ***********************************************************************************************************************************
skipping: [localhost]

TASK [vpn : Install strongSwan] ******************************************************************************************************************************
ok: [localhost]

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/ipec_configuration.yml for localhost

TASK [vpn : Setup the config files from our templates] *******************************************************************************************************
changed: [localhost] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ******************************************************************************************************************************
changed: [localhost]

TASK [vpn : Disable unneeded plugins] ************************************************************************************************************************
skipping: [localhost] => (item=pubkey)
changed: [localhost] => (item=constraints)
changed: [localhost] => (item=updown)
skipping: [localhost] => (item=revocation)
changed: [localhost] => (item=dnskey)
changed: [localhost] => (item=attr)
changed: [localhost] => (item=sshkey)
skipping: [localhost] => (item=pgp)
skipping: [localhost] => (item=aes)
skipping: [localhost] => (item=pkcs8)
skipping: [localhost] => (item=stroke)
changed: [localhost] => (item=md4)
skipping: [localhost] => (item=gcm)
skipping: [localhost] => (item=hmac)
changed: [localhost] => (item=sha1)
skipping: [localhost] => (item=nonce)
skipping: [localhost] => (item=pkcs12)
skipping: [localhost] => (item=kernel-netlink)
changed: [localhost] => (item=test-vectors)
changed: [localhost] => (item=md5)
changed: [localhost] => (item=resolve)
changed: [localhost] => (item=fips-prf)
skipping: [localhost] => (item=pkcs7)
skipping: [localhost] => (item=sha2)
skipping: [localhost] => (item=random)
changed: [localhost] => (item=rc2)
changed: [localhost] => (item=connmark)
skipping: [localhost] => (item=openssl)
changed: [localhost] => (item=gmp)
changed: [localhost] => (item=xcbc)
skipping: [localhost] => (item=pem)
skipping: [localhost] => (item=socket-default)
skipping: [localhost] => (item=x509)
changed: [localhost] => (item=pkcs1)
changed: [localhost] => (item=agent)

TASK [vpn : Ensure that required plugins are enabled] ********************************************************************************************************
changed: [localhost] => (item=pubkey)
skipping: [localhost] => (item=constraints)
skipping: [localhost] => (item=updown)
changed: [localhost] => (item=revocation)
skipping: [localhost] => (item=dnskey)
skipping: [localhost] => (item=attr)
skipping: [localhost] => (item=sshkey)
changed: [localhost] => (item=pgp)
changed: [localhost] => (item=aes)
changed: [localhost] => (item=pkcs8)
changed: [localhost] => (item=stroke)
skipping: [localhost] => (item=md4)
changed: [localhost] => (item=gcm)
changed: [localhost] => (item=hmac)
skipping: [localhost] => (item=sha1)
changed: [localhost] => (item=nonce)
changed: [localhost] => (item=pkcs12)
changed: [localhost] => (item=kernel-netlink)
skipping: [localhost] => (item=test-vectors)
skipping: [localhost] => (item=md5)
skipping: [localhost] => (item=resolve)
skipping: [localhost] => (item=fips-prf)
changed: [localhost] => (item=pkcs7)
changed: [localhost] => (item=sha2)
changed: [localhost] => (item=random)
skipping: [localhost] => (item=rc2)
skipping: [localhost] => (item=connmark)
changed: [localhost] => (item=openssl)
skipping: [localhost] => (item=gmp)
skipping: [localhost] => (item=xcbc)
changed: [localhost] => (item=pem)
changed: [localhost] => (item=socket-default)
changed: [localhost] => (item=x509)
skipping: [localhost] => (item=pkcs1)
skipping: [localhost] => (item=agent)

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/openssl.yml for localhost

TASK [vpn : Set subjectAltName as a fact] ********************************************************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Ensure the pki directory does not exist] *********************************************************************************************************
skipping: [localhost]

TASK [vpn : Ensure the pki directories exist] ****************************************************************************************************************
changed: [localhost -> localhost] => (item=ecparams)
changed: [localhost -> localhost] => (item=certs)
changed: [localhost -> localhost] => (item=crl)
changed: [localhost -> localhost] => (item=newcerts)
changed: [localhost -> localhost] => (item=private)
changed: [localhost -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] **************************************************************************************************************************
changed: [localhost -> localhost] => (item=.rnd)
changed: [localhost -> localhost] => (item=private/.rnd)
changed: [localhost -> localhost] => (item=index.txt)
changed: [localhost -> localhost] => (item=index.txt.attr)
changed: [localhost -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Build the CA pair] *******************************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Copy the CA certificate] *************************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Generate the serial number] **********************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Build the server pair] ***************************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Build the client's pair] *************************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Build the client's p12] **************************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Copy the p12 certificates] ***********************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Get active users] ********************************************************************************************************************************
changed: [localhost -> localhost]

TASK [vpn : Revoke non-existing users] ***********************************************************************************************************************
skipping: [localhost] => (item=earl)
skipping: [localhost] => (item=mclovin)
skipping: [localhost] => (item=don-cazzo)
skipping: [localhost] => (item=spanish-harlan)

TASK [vpn : Genereate new CRL file] **************************************************************************************************************************
skipping: [localhost]

TASK [vpn : Copy the CRL to the vpn server] ******************************************************************************************************************
skipping: [localhost]

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/distribute_keys.yml for localhost

TASK [vpn : Copy the keys to the strongswan directory] *******************************************************************************************************
changed: [localhost] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/XXX.XXX.XX.XXX/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.d/certs/XXX.XXX.XX.XXX.crt', u'src': u'configs/XXX.XXX.XX.XXX/pki/certs/XXX.XXX.XX.XXX.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [localhost] => (item={u'dest': u'/etc/ipsec.d/private/XXX.XXX.XX.XXX.key', u'src': u'configs/XXX.XXX.XX.XXX/pki/private/XXX.XXX.XX.XXX.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : include_tasks] ***********************************************************************************************************************************
included: /root/algo/roles/vpn/tasks/client_configs.yml for localhost

TASK [vpn : Register p12 PayloadContent] *********************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Set facts for mobileconfigs] *********************************************************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Build the mobileconfigs] *************************************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)

TASK [vpn : Build the strongswan app android config] *********************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)

TASK [vpn : Build the android helper html] *******************************************************************************************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)

TASK [vpn : Build the client ipsec config file] **************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Build the client ipsec secret file] **************************************************************************************************************
changed: [localhost -> localhost] => (item=earl)
changed: [localhost -> localhost] => (item=mclovin)
changed: [localhost -> localhost] => (item=don-cazzo)
changed: [localhost -> localhost] => (item=spanish-harlan)

TASK [vpn : Create the windows check file] *******************************************************************************************************************
skipping: [localhost]

TASK [vpn : Check if the windows check file exists] **********************************************************************************************************
ok: [localhost -> localhost]

TASK [vpn : Build the windows client powershell script] ******************************************************************************************************
skipping: [localhost] => <CERTS REDACTED>

TASK [vpn : Restrict permissions for the local private directories] ******************************************************************************************
changed: [localhost -> localhost] => (item=configs/XXX.XXX.XX.XXX)

RUNNING HANDLER [dns_adblocking : restart apparmor] **********************************************************************************************************
changed: [localhost]

RUNNING HANDLER [ssh_tunneling : restart ssh] ****************************************************************************************************************
changed: [localhost]

RUNNING HANDLER [vpn : restart strongswan] *******************************************************************************************************************
changed: [localhost]

RUNNING HANDLER [vpn : daemon-reload] ************************************************************************************************************************
changed: [localhost]

RUNNING HANDLER [vpn : restart iptables] *********************************************************************************************************************
changed: [localhost]

TASK [vpn : strongSwan started] ******************************************************************************************************************************
ok: [localhost]

TASK [debug] *************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#               Local DNS resolver 172.16.0.1              #\"",
            ""
        ],
        "    \"#                The p12 and SSH keys password for new users is REDACTED             #\"\n",
        "    \"#                  The CA key password is REDACTED                 #\"\n",
        "    "
    ]
}

TASK [Delete the CA key] *************************************************************************************************************************************
skipping: [localhost]

PLAY RECAP ***************************************************************************************************************************************************
localhost                  : ok=117  changed=80   unreachable=0    failed=0

dguido commented 6 years ago

Check your dmesg on the server. Did any service get killed with an OOM error? I've had this happen with cgroups before.

Please try resolving this on Gitter before filing an issue! Thanks.
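
The dmesg check suggested above, as an added example that is not part of the original thread or of Algo's own code: it lists the processes the kernel OOM killer terminated and says whether a memory cgroup limit or host-wide memory exhaustion triggered each kill. The function names and the sample log lines are constructed for illustration; `charon` is strongSwan's IKE daemon.

```shell
# Print one line per OOM kill found in kernel log text on stdin:
#   "<scope> <pid> <process>"
#   scope: cgroup = a memory cgroup limit was hit,
#          global = the whole host ran out of memory
# Matches both "Kill process" (older kernels such as 4.4) and "Killed process".
oom_kills() {
  sed -nE \
    -e 's/.*Memory cgroup out of memory: Kill(ed)? process ([0-9]+) \(([^)]*)\).*/cgroup \2 \3/p' \
    -e 's/.*Out of memory: Kill(ed)? process ([0-9]+) \(([^)]*)\).*/global \2 \3/p'
}

# Succeed (exit 0) if the named process appears among the OOM kills on stdin.
was_oom_killed() {
  oom_kills | awk -v name="$1" '$3 == name { found = 1 } END { exit !found }'
}

# Constructed sample lines in the 4.4-era kernel format (not from the issue).
SAMPLE_DMESG='[  812.104511] charon invoked oom-killer: gfp_mask=0x24000c0, order=0, oom_score_adj=0
[  812.104893] Memory cgroup out of memory: Kill process 2345 (charon) score 901 or sacrifice child
[  812.105120] Killed process 2345 (charon) total-vm:284512kB, anon-rss:15872kB, file-rss:1204kB
[ 9021.553201] Out of memory: Kill process 1234 (mysqld) score 412 or sacrifice child
[ 9021.553377] Killed process 1234 (mysqld) total-vm:1184512kB, anon-rss:402112kB, file-rss:0kB'

# On a live server: dmesg | oom_kills   (or: journalctl -k | oom_kills)
printf '%s\n' "$SAMPLE_DMESG" | oom_kills
```

A `cgroup` result points at a per-service memory limit rather than at the size of the server, so adding RAM to the host would not stop the kills.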