diff --git a/README.md b/README.md
index c125213..3a28e3c 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ Use the following command to SSH tunnel through the server:
 ```asdf```
-[explain the options]
+asdf then explain the options used
 ## FAQ
diff --git a/algo b/algo
index 0e891da..3ee1bc4 100755
--- a/algo
+++ b/algo
@@ -64,9 +64,9 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing
 Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached [ABCD...]: " -rs aws_secret_key
- read -p "
+ read -e -p "
 Enter the local path to your SSH public key:
-: " -r ssh_public_key
+: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key
 read -p "
 Name the vpn server:
diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md
index 9877033..2bd50f2 100644
--- a/docs/ADVANCED.md
+++ b/docs/ADVANCED.md
@@ -17,6 +17,8 @@ Before you begin, make sure you have installed all the dependencies necessary fo
 ## Local Deployment
+**Warning**: If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. You can find some information about tags below.
+
 It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`. tl;dr:
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 81dbcab..fc3af8b 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
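Review bot: The pre-filled default `-i "~/.ssh/id_rsa.pub"` is stored by `read` as a literal tilde, and tilde expansion does not occur inside a quoted expansion such as `"$ssh_public_key"`, so whatever later consumes the variable will presumably look for a file literally named `~/.ssh/id_rsa.pub` and fail unless the user retypes the path. Pre-filling with an already-expanded path avoids that: `+ read -e -p "` unchanged and `+: " -i "$HOME/.ssh/id_rsa.pub" -r ssh_public_key`. Note that `-i` only works together with `-e` and only under bash, which the hunk does provide; the prompt sequence this read belongs to starts before the hunk.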
@@ -5,7 +5,10 @@
 apt: name=privoxy state=latest
 - name: Privoxy configured
- template: src=privoxy_config.j2 dest=/etc/privoxy/config
+ template: src="{{ item.src }}" dest="{{ item.dest }}"
+ with_items:
+ - { src: privoxy_config.j2, dest: /etc/privoxy/config }
+ - { src: default.filter.j2, dest: /etc/privoxy/default.filter }
 notify:
 - restart privoxy
diff --git a/roles/proxy/templates/default.filter.j2 b/roles/proxy/templates/default.filter.j2
new file mode 100644
index 0000000..e69de29
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
index e79c49c..e6d614b 100644
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@@ -1,8 +1,5 @@
 - name: restart ssh
 service: name=ssh state=restarted
-- name: restart iptables
- service: name=netfilter-persistent state=restarted
-
 - name: flush routing cache
 shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index f951616..aed7576 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -88,14 +88,6 @@
 - name: Do not send ICMP redirects (we are not a router)
 sysctl: name=net.ipv4.conf.all.send_redirects value=0
-- name: Iptables configured
- template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
- with_items:
- - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
- - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
- notify:
- - restart iptables
-
 - name: SSH config
 template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
 notify:
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 4ba5173..84e08b0 100755
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
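Review bot: The second `with_items` entry templates `default.filter.j2` over `/etc/privoxy/default.filter`, and that template is added as an empty file (blob `e69de29` is git's empty blob), so the package-shipped filter definitions are replaced with nothing; any filter names still referenced from the privoxy action files will be undefined when the `restart privoxy` handler fires. If disabling the stock filters is the intent, state it in the task so the empty template is not "fixed" later, e.g. `- name: Privoxy configured (default.filter intentionally empty: stock filters disabled)`. The task also sets no ownership or mode, unlike the iptables template task in this same commit; `owner=root group=root mode=0644` on the `template:` line would make that explicit rather than umask-dependent.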
@@ -6,13 +6,13 @@
 - name: restart apparmor
 service: name=apparmor state=restarted
-
-- name: save iptables
- shell: service netfilter-persistent save
 - name: save iptables
 shell: service netfilter-persistent save
+- name: restart iptables
+ service: name=netfilter-persistent state=restarted
+
 - name: congrats
 debug:
 msg:
diff --git a/roles/vpn/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml
new file mode 100644
index 0000000..aeed994
--- /dev/null
+++ b/roles/vpn/tasks/iptables.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Iptables configured
+ template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
+ with_items:
+ - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
+ - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
+ notify:
+ - restart iptables
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 690a44a..1009911 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -191,3 +191,7 @@
 fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
 notify:
 - congrats
+
+- include: iptables.yml
+ tags: iptables
+
diff --git a/roles/security/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
similarity index 100%
rename from roles/security/templates/rules.v4.j2
rename to roles/vpn/templates/rules.v4.j2
diff --git a/roles/security/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
similarity index 86%
rename from roles/security/templates/rules.v6.j2
rename to roles/vpn/templates/rules.v6.j2
index e491fec..71342a0 100644
--- a/roles/security/templates/rules.v6.j2
+++ b/roles/vpn/templates/rules.v6.j2
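Review bot: The new `restart iptables` handler is defined after `save iptables` in the same file, and Ansible runs notified handlers in the order they are defined, so if a play notifies both, `service netfilter-persistent save` will first dump the currently loaded rules over the freshly templated `/etc/iptables/rules.v4` and `rules.v6`, and the restart will then reload the old rule set. Whether both handlers are notified in one play is not visible in this diff; if they can be, move `restart iptables` above `save iptables`, or drop the save handler now that the rules are fully templated. Separately, `state=restarted` stops (flushes) netfilter-persistent before starting it, leaving the host briefly without the templated rules; if the target's init script supports it, `service: name=netfilter-persistent state=reloaded` applies the new files without the flush.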
@@ -17,6 +17,10 @@ COMMIT
 -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
 # TODO:
 # The IP of the resolver should be bound to a DUMMY interface.
 # DUMMY interfaces are the proper way to install IPs without assigning them any
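Review bot: The four new ICMPv6 ACCEPT rules check only the hop limit; router-advertisement and redirect messages must carry a link-local source per RFC 4861, so adding `-s fe80::/10` to those two rules (`-A INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT` and the same for `redirect`) rejects spoofed global-source RAs and redirects that still arrive with hop limit 255 from an on-link attacker; neighbor-solicitation and neighbor-advertisement may legitimately use a global source and should stay as they are. Accepting redirects at the firewall is only harmless if the kernel also ignores them: the security role in this diff sets `net.ipv4.conf.all.send_redirects=0`, but nothing shown sets `net.ipv6.conf.all.accept_redirects=0`, so either confirm that sysctl exists elsewhere or drop the redirect rule. The chain policy and the rules before line 17 are outside the hunk.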