trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Failures on Ubuntu 16.04 on Hetzner #972

Closed dafacto closed 6 years ago

dafacto commented 6 years ago

OS / Environment (where do you run Algo on)

Linux vpn 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Cloud Provider (where do you deploy Algo to)

Hetzner

Summary of the problem

There are two problems I'm seeing:

TASK [wireguard : WireGuard enabled and started] *******************************************************
fatal: [195.201.121.2]: FAILED! => {"changed": false, "msg": "Unable to start service wg-quick@wg0: Job for wg-quick@wg0.service failed because the control process exited with error code. See \"systemctl status wg-quick@wg0.service\" and \"journalctl -xe\" for details.\n"}

PLAY RECAP *********************************************************************************************
195.201.121.2              : ok=28   changed=6    unreachable=0    failed=1   
localhost                  : ok=13   changed=1    unreachable=0    failed=0   

And secondly, on my local Mac, there are no .mobileconfig files created. I'm only seeing .ssh_config and .pem files for each user.

Steps to reproduce the behavior

  1. Do this..
  2. Do that..

Full log

(env) mbp13:algo-master mhenders$ ./algo

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Scaleway
    6. OpenStack (DreamCompute optimised)
    7. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider
: 7

Enter the IP address of your server: (or use localhost for local installation)
[localhost]: 195.201.121.2

What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]: 

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[195.201.121.2]: 

Was this server deployed by Algo previously?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: 

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: 

Do you want each user to have their own account for SSH tunneling?
[y/N]: 

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: 

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: 

PLAY [Configure the server] ****************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [localhost]

TASK [Local pre-tasks] *********************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/playbooks/local.yml for localhost

TASK [Generate the SSH private key] ********************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *************************************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *************************************************************
ok: [localhost]

TASK [Local pre-tasks] *********************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] *********************************************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ************************************************
ok: [localhost]

TASK [local : Add the instance to an inventory group] **************************************************
changed: [localhost]

TASK [local : Add the instance to an inventory group] **************************************************
skipping: [localhost]

TASK [local : set_fact] ********************************************************************************
ok: [localhost]

TASK [local : Ensure the group local exists in the dynamic inventory file] *****************************
ok: [localhost]

TASK [local : Populate the dynamic inventory] **********************************************************
ok: [localhost]

PLAY [Configure the server and install required software] **********************************************

TASK [Common pre-tasks] ********************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/playbooks/common.yml for 195.201.121.2

TASK [Check the system] ********************************************************************************
changed: [195.201.121.2]

TASK [Ubuntu pre-tasks] ********************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/playbooks/ubuntu.yml for 195.201.121.2

TASK [Ubuntu | Install prerequisites] ******************************************************************
changed: [195.201.121.2] => (item=sleep 10)
changed: [195.201.121.2] => (item=apt-get update -qq)
changed: [195.201.121.2] => (item=apt-get install -qq -y python2.7 sudo)

TASK [FreeBSD pre-tasks] *******************************************************************************
skipping: [195.201.121.2]

TASK [include_tasks] ***********************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/playbooks/facts/main.yml for 195.201.121.2

TASK [Gather Facts] ************************************************************************************
ok: [195.201.121.2]

TASK [Check if IPv6 configured] ************************************************************************
ok: [195.201.121.2]

TASK [Generate password for the CA key] ****************************************************************
changed: [195.201.121.2 -> localhost]

TASK [Generate p12 export password] ********************************************************************
changed: [195.201.121.2 -> localhost]

TASK [Define password facts] ***************************************************************************
ok: [195.201.121.2]

TASK [Define the commonName] ***************************************************************************
ok: [195.201.121.2]

TASK [common : Install tools] **************************************************************************

TASK [common : Sysctl tuning] **************************************************************************

TASK [common : Install tools] **************************************************************************

TASK [common : Sysctl tuning] **************************************************************************

TASK [common : Install tools] **************************************************************************

TASK [common : Sysctl tuning] **************************************************************************

TASK [common : include_tasks] **************************************************************************
included: /Users/mhenders/Documents/Algo/algo-master/roles/common/tasks/ubuntu.yml for 195.201.121.2

TASK [common : Loopback for services configured] *******************************************************
ok: [195.201.121.2]

TASK [common : systemd-networkd enabled and started] ***************************************************
ok: [195.201.121.2]

TASK [common : Check apparmor support] *****************************************************************
changed: [195.201.121.2]

TASK [common : set_fact] *******************************************************************************
ok: [195.201.121.2]

TASK [common : set_fact] *******************************************************************************
ok: [195.201.121.2]

TASK [common : include_tasks] **************************************************************************
skipping: [195.201.121.2]

TASK [common : Install tools] **************************************************************************
ok: [195.201.121.2] => (item=git)
ok: [195.201.121.2] => (item=screen)
ok: [195.201.121.2] => (item=apparmor-utils)
ok: [195.201.121.2] => (item=uuid-runtime)
ok: [195.201.121.2] => (item=coreutils)
ok: [195.201.121.2] => (item=iptables-persistent)
ok: [195.201.121.2] => (item=cgroup-tools)
ok: [195.201.121.2] => (item=openssl)

TASK [common : Sysctl tuning] **************************************************************************
ok: [195.201.121.2] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
ok: [195.201.121.2] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
ok: [195.201.121.2] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [wireguard : WireGuard repository configured] *****************************************************
ok: [195.201.121.2]

TASK [wireguard : WireGuard installed] *****************************************************************
ok: [195.201.121.2]

TASK [wireguard : Ensure the required directories exist] ***********************************************
ok: [195.201.121.2 -> localhost] => (item=private)
ok: [195.201.121.2 -> localhost] => (item=public)

TASK [wireguard : Delete the lock files] ***************************************************************
skipping: [195.201.121.2] => (item=matt) 
skipping: [195.201.121.2] => (item=pino) 
skipping: [195.201.121.2] => (item=andrea) 
skipping: [195.201.121.2] => (item=lance) 
skipping: [195.201.121.2] => (item=195.201.121.2) 

TASK [wireguard : Generate private keys] ***************************************************************
ok: [195.201.121.2] => (item=matt)
ok: [195.201.121.2] => (item=pino)
ok: [195.201.121.2] => (item=andrea)
ok: [195.201.121.2] => (item=lance)
ok: [195.201.121.2] => (item=195.201.121.2)
 [WARNING]: As of Ansible 2.4, the parameter 'executable' is no longer supported with the 'command'
module. Not using 'bash'.

TASK [wireguard : Save private keys] *******************************************************************
skipping: [195.201.121.2] => (item=None) 
skipping: [195.201.121.2] => (item=None) 
skipping: [195.201.121.2] => (item=None) 
skipping: [195.201.121.2] => (item=None) 
skipping: [195.201.121.2] => (item=None) 

TASK [wireguard : Touch the lock file] *****************************************************************
skipping: [195.201.121.2] => (item=matt) 
skipping: [195.201.121.2] => (item=pino) 
skipping: [195.201.121.2] => (item=andrea) 
skipping: [195.201.121.2] => (item=lance) 
skipping: [195.201.121.2] => (item=195.201.121.2) 

TASK [wireguard : Generate public keys] ****************************************************************
ok: [195.201.121.2] => (item=matt)
ok: [195.201.121.2] => (item=pino)
ok: [195.201.121.2] => (item=andrea)
ok: [195.201.121.2] => (item=lance)
ok: [195.201.121.2] => (item=195.201.121.2)

TASK [wireguard : Save public keys] ********************************************************************
ok: [195.201.121.2] => (item=None)
ok: [195.201.121.2] => (item=None)
ok: [195.201.121.2] => (item=None)
ok: [195.201.121.2] => (item=None)
ok: [195.201.121.2] => (item=None)

TASK [wireguard : WireGuard configured] ****************************************************************
ok: [195.201.121.2]

TASK [wireguard : WireGuard reload-module-on-update] ***************************************************
changed: [195.201.121.2]

TASK [wireguard : WireGuard users config generated] ****************************************************
ok: [195.201.121.2 -> localhost] => (item=(0, u'matt'))
ok: [195.201.121.2 -> localhost] => (item=(1, u'pino'))
ok: [195.201.121.2 -> localhost] => (item=(2, u'andrea'))
ok: [195.201.121.2 -> localhost] => (item=(3, u'lance'))

TASK [wireguard : WireGuard enabled and started] *******************************************************
fatal: [195.201.121.2]: FAILED! => {"changed": false, "msg": "Unable to start service wg-quick@wg0: Job for wg-quick@wg0.service failed because the control process exited with error code. See \"systemctl status wg-quick@wg0.service\" and \"journalctl -xe\" for details.\n"}

PLAY RECAP *********************************************************************************************
195.201.121.2              : ok=28   changed=6    unreachable=0    failed=1   
localhost                  : ok=13   changed=1    unreachable=0    failed=0   
kotfenix commented 6 years ago

systemctl status wg-quick@wg0.service says "RTNETLINK answers: Operation not supported wireguard". I think Hetzner's Ubuntu contains WireGuard kernel modules that are not properly installed. I built WireGuard from source and it helped.

jackivanov commented 6 years ago

We don't officially support Hetzner, and you chose to deploy as advanced, so you need to debug it yourself somehow.

ealeksandrov commented 6 years ago

I built wireguard from source and it helped

I confirm, building WireGuard from source before installing Algo prevents the error.

https://www.wireguard.com/install/ It shows a couple of OpenSSL errors on make install but still works fine.
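The failure in this thread (wg-quick@wg0 failing with "RTNETLINK answers: Operation not supported") is what you get when the wireguard kernel module was not built for the running kernel, so it is worth checking that before pointing Algo at an existing server. The script below is an added pre-flight check, not part of Algo or of any comment in this thread; it assumes the dkms status line format shown in its comment, a dpkg-query package/status listing, and a throwaway interface name (wgpreflight0) that it creates and deletes.

```shell
#!/bin/sh
# Added pre-flight check (not Algo's code) for the "existing Ubuntu server" path.
# It reproduces the failing step in isolation: wg-quick fails with
# "RTNETLINK answers: Operation not supported" when the wireguard module
# was not built for the running kernel, which is what the DKMS package
# needs linux-headers-$(uname -r) for.
set -eu

# Pure check: given `dkms status` output and a kernel release, succeed only
# if a wireguard module is "installed" (not merely "added" or "built") for it.
# Assumed line formats (old and new dkms):
#   wireguard, 0.0.20181018, 4.4.0-127-generic, x86_64: installed
#   wireguard/1.0.20210219, 4.4.0-127-generic, x86_64: installed
wireguard_dkms_installed() {
  dkms_out=$1; kernel=$2
  printf '%s\n' "$dkms_out" |
    grep -E "^wireguard[,/][^,]*, *${kernel}, *[^:]*: installed" >/dev/null
}

# Pure check: given "package<TAB>status" lines (dpkg-query style), require the
# header package matching the running kernel to be installed.
headers_present() {
  dpkg_out=$1; kernel=$2
  printf '%s\n' "$dpkg_out" |
    grep -E "^linux-headers-${kernel}[[:space:]]+install ok installed" >/dev/null
}

# Live checks against the host; only executed when invoked as: sh preflight.sh run
preflight() {
  kernel=$(uname -r)
  headers_present "$(dpkg-query -W -f='${Package}\t${Status}\n' 'linux-headers-*' 2>/dev/null)" "$kernel" \
    || echo "WARN: linux-headers-$kernel not installed; DKMS cannot build the module"
  wireguard_dkms_installed "$(dkms status 2>/dev/null)" "$kernel" \
    || echo "WARN: no DKMS wireguard module installed for $kernel"
  modprobe wireguard || { echo "FAIL: modprobe wireguard (module missing for $kernel)"; exit 1; }
  # Same netlink operation wg-quick performs; succeeds only with a working module.
  ip link add dev wgpreflight0 type wireguard \
    || { echo "FAIL: RTNETLINK refused to create a wireguard link"; exit 1; }
  ip link del dev wgpreflight0
  echo "OK: kernel $kernel can create WireGuard interfaces"
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as root on the server before choosing option 7 in ./algo; a WARN on the headers line usually explains a FAIL on the modprobe line.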

ghost commented 5 years ago

I'm just stuck at PLAY [Configure the server] on both Debian and Ubuntu 18.04 on Hetzner. I'm surprised by what Algo says about passwordless login; I think this may be the culprit, but it did not prompt me to supply SSH keys or anything, just the name of the user it should use to log in.

ghost commented 5 years ago

systemctl status wg-quick@wg0.service

This works for me now by default, so your workaround may not be needed anymore.

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
   Active: active (exited) since Wed 2018-11-14 15:04:46 CET; 26min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
 Main PID: 1025 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 2299)
   CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service

@kotfenix was there something else you needed to do because it does not yet work for me https://github.com/trailofbits/algo/issues/1130#issuecomment-438641071

thanks