diff --git a/README.md b/README.md index fc33f45..5cf449a 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua ``` On macOS, you may be prompted to install `cc`. You should press accept if so. -5. **List the users to create.** Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. If you want to be able to add or delete users later, you **must** select `yes` for the `Do you want to retain the CA key?` prompt during the deployment. +5. **List the users to create.** Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. If you want to be able to add or delete users later, you **must** select `yes` for the `Do you want to retain the CA key?` prompt during the deployment. Make a unique user for each device you plan to setup. 6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in [deploy-from-ansible.md](docs/deploy-from-ansible.md). 
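Review bot: "setup" in the added sentence is the noun; the verb form is "set up" ("each device you plan to set up"). It would also help to say why one user per device matters: Algo issues one client certificate and one WireGuard configuration per user, so a per-device user lets you delete a single lost or compromised device later without touching the others. Worth stating in the same breath that this later deletion only works if the reader answered yes to the "Do you want to retain the CA key?" prompt mentioned earlier in the line, otherwise the advice to create per-device users has no payoff.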
@@ -105,14 +105,11 @@ If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect o WireGuard is used to provide VPN services on Android. Install the [WireGuard VPN Client](https://play.google.com/store/apps/details?id=com.wireguard.android). Import the corresponding `wireguard/.conf` file to your device, then setup a new connection with it. See the [Android setup instructions](/docs/client-android.md) for more detailed walkthrough. -### Windows 10 +### Windows -Copy your PowerShell script `windows_{username}.ps1` to the Windows client and run the following command as Administrator to configure the VPN connection. -``` -powershell -ExecutionPolicy ByPass -File windows_{username}.ps1 -Add -``` +WireGuard is used to provide VPN services on Windows. Algo generates a WireGuard configuration file, `wireguard/.conf`, for each user defined in `config.cfg`. -For a manual installation, see the [Windows setup instructions](/docs/client-windows.md). +Install the [WireGuard VPN Client](https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019). Import the generated `wireguard/.conf` file to your device, then setup a new connection with it. ### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop) 
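Review bot: the rewritten Windows section removes every trace of the IKEv2 path without telling existing users what to do with it. Anyone who followed the old text and ran `powershell -ExecutionPolicy ByPass -File windows_{username}.ps1 -Add` now has a machine-certificate VPN connection, a user certificate in `Cert:\LocalMachine\My` and the Algo CA in `Cert:\LocalMachine\Root`, and this same patch deletes the `-Remove` path of `client_windows.ps1.j2` that used to clean those up. Add a short migration note: remove the old connection with `Remove-VpnConnection`, delete the imported certificates from those two stores, then import the WireGuard profile. Wording: "setup a new connection with it" should be "set up a new connection with it" (the same phrase appears in the Android paragraph above and in the new docs/client-windows.md).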
@@ -149,12 +146,13 @@ To configure the connection to come up at boot time replace `auto=add` with `aut Depending on the platform, you may need one or multiple of the following files. -* cacert.pem: CA Certificate -* user.mobileconfig: Apple Profile -* user.p12: User Certificate and Private Key (in PKCS#12 format) -* ipsec_user.conf: strongSwan client configuration -* ipsec_user.secrets: strongSwan client configuration -* windows_user.ps1: Powershell script to help setup a VPN connection on Windows +* ipsec/manual/cacert.pem: CA Certificate +* ipsec/manual/.p12: User Certificate and Private Key (in PKCS#12 format) +* ipsec/manual/.conf: strongSwan client configuration +* ipsec/manual/.secrets: strongSwan client configuration +* ipsec/apple/.mobileconfig: Apple Profile +* wireguard/.conf: WireGuard configuration profile +* wireguard/.png: WireGuard configuration QR code ## Setup an SSH Tunnel diff --git a/docs/client-windows.md b/docs/client-windows.md index 62d73cf..7d283d2 100644 --- a/docs/client-windows.md +++ b/docs/client-windows.md 
@@ -1,72 +1,6 @@ -# Windows client manual setup +# Windows client setup -## Automatic installation +## Installation via profiles -To install automatically, use the generated user Powershell script. - -1. Copy the user PowerShell script (`windows_USER.ps1`) to the client computer. -2. Open Powershell as Administrator. -3. Run the following command: -```powershell -powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add -``` - -If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, pass the parameter `-AllUsers` - -```powershell -powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add -AllUsers -``` - -4. The command has help information available. To view its full help, run this from Powershell: -```powershell -Get-Help -Name .\windows_USER.ps1 -Full | more -``` - -## Manual installation - -1. Copy the CA certificate (`cacert.pem`) and user certificate (`USER.p12`) to the client computer -2. Open PowerShell as Administrator. Navigate to your copied files. -3. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run. - -```powershell -Set-ExecutionPolicy Unrestricted -Scope Process -``` - -4. In the same window, run the necessary commands to install the certificates and create the VPN configuration. Note the lines at the top defining the VPN address, USER.p12 file location, and CA certificate location - change those lines to the IP address of your Algo server and the location you saved those two files. Also note that it will prompt for the "User p12 password", which is printed at the end of a successful Algo deployment. - -If you have more than one account on your Windows 10 machine (e.g. 
one with administrator privileges and one without) and would like to have the VPN connection available to all users, then insert the line `AllUserConnection = $true` after `$EncryptionLevel = "Required"`. - -```powershell -$VpnServerAddress = "1.2.3.4" -$UserP12Path = "$Home\Downloads\USER.p12" -$CaCertPath = "$Home\Downloads\cacert.pem" -$VpnName = "Algo VPN $VpnServerAddress IKEv2" -$p12Pass = Read-Host -AsSecureString -Prompt "User p12 password" - -Import-PfxCertificate -FilePath $UserP12Path -CertStoreLocation Cert:\LocalMachine\My -Password $p12Pass -Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root - -$addVpnParams = @{ - Name = $VpnName - ServerAddress = $VpnServerAddress - TunnelType = "IKEv2" - AuthenticationMethod = "MachineCertificate" - EncryptionLevel = "Required" -} -Add-VpnConnection @addVpnParams - -$setVpnParams = @{ - ConnectionName = $VpnName - AuthenticationTransformConstants = "GCMAES256" - CipherTransformConstants = "GCMAES256" - EncryptionMethod = "AES256" - IntegrityCheckMethod = "SHA384" - DHGroup = "ECP384" - PfsGroup = "ECP384" - Force = $true -} -Set-VpnConnectionIPsecConfiguration @setVpnParams - -``` - -Your VPN is now installed and ready to use. +1. Install the [WireGuard VPN Client](https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019) and start it. +2. Import the corresponding `wireguard/.conf` file to your device, then setup a new connection with it. diff --git a/docs/cloud-do.md b/docs/cloud-do.md index 6603dc8..59596e0 100644 --- a/docs/cloud-do.md +++ b/docs/cloud-do.md @@ -86,7 +86,6 @@ ansible-playbook main.yml -e "provider=digitalocean ondemand_wifi=true dns_adblocking=false ssh_tunneling=false - windows=false store_pki=true region=nyc3 do_token=token" diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index cd1e85c..352f7f5 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md 
@@ -15,7 +15,6 @@ ansible-playbook main.yml -e "provider=digitalocean ondemand_wifi=false dns_adblocking=true ssh_tunneling=true - windows=false store_pki=true region=ams3 do_token=token" @@ -32,7 +31,6 @@ See below for more information about variables and roles. - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values - `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: false - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false -- `windows` - (Optional) Enables compatible ciphers and key exchange to support Windows clients, less secure. Default: false - `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false If any of the above variables are unspecified, ansible will ask the user to input them. @@ -57,7 +55,7 @@ Server roles: * Installs [strongSwan](https://www.strongswan.org/) * Enables AppArmor, limits CPU and memory access, and drops user privileges * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user - * Bundles the appropriate certificates into Apple mobileconfig profiles and Powershell scripts for each user + * Bundles the appropriate certificates into Apple mobileconfig profiles for each user - role: dns_adblocking * Installs DNS encryption through [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) with blacklists to be updated daily from `adblock_lists` in `config.cfg` - note this will occur even if `dns_encryption` in `config.cfg` is set to `false` * Constrains dnscrypt-proxy with AppArmor and cgroups CPU and memory limitations diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md index 39a979c..378cf6f 100644 --- a/docs/deploy-from-fedora-workstation.md +++ b/docs/deploy-from-fedora-workstation.md 
@@ -71,7 +71,7 @@ Some steps are needed before we can deploy our Algo VPN server. ### Check `pip` Run `pip -v` and check the python version it is using: - + ```` $ pip -V pip 19.0.3 from /usr/lib/python2.7/site-packages (python 2.7) @@ -99,7 +99,6 @@ We can now deploy our server by running: ./algo ```` -Ensure to allow Windows / Linux clients when going through the config options. Note the IP and password of the newly created Algo VPN server and store it safely. If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](client-linux.md). diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index 22ba295..a59a3f7 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md @@ -18,7 +18,6 @@ The command will prepare the environment and install AlgoVPN with the default pa `ONDEMAND_CELLULAR` - "Connect On Demand" when connected to cellular networks. Boolean. Default: false. `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false. `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list. -`WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false. `STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false. `DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false. `SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false. @@ -36,7 +35,6 @@ The command will prepare the environment and install AlgoVPN with the default pa ``` #!/bin/bash export ONDEMAND_CELLULAR=true -export WINDOWS=true export SSH_TUNNELING=true curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` diff --git a/docs/faq.md b/docs/faq.md index 5e59b63..69d4d61 100644 --- a/docs/faq.md 
+++ b/docs/faq.md @@ -16,6 +16,10 @@ No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk. If you find a security issue of any severity, please [contact us on Slack](https://empireslacking.herokuapp.com). +## What's the current status of WireGuard? + +[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. + ## Why aren't you using Tor? The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://web.archive.org/web/20150705184539/https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/). diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index cfa9a7c..45b399b 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -29,8 +29,6 @@ First of all, check [this](https://github.com/trailofbits/algo#features) and ens * [Various websites appear to be offline through the VPN](#various-websites-appear-to-be-offline-through-the-vpn) * [Clients appear stuck in a reconnection loop](#clients-appear-stuck-in-a-reconnection-loop) * [Wireguard: clients can connect on Wifi but not LTE](#wireguard-clients-can-connect-on-wifi-but-not-lte) - * ["Error 809" or IKE_AUTH requests that never make it to the server](#error-809-or-ike_auth-requests-that-never-make-it-to-the-server) - * [Windows: Parameter is incorrect](#windows-parameter-is-incorrect) * [IPsec: Difficulty connecting through router](#ipsec-difficulty-connecting-through-router) * [I have a problem not covered here](#i-have-a-problem-not-covered-here) @@ -229,7 +227,7 @@ You tried to deploy Algo from Windows and you received an error like this one: ``` TASK [cloud-azure : Create an instance]. -fatal: [localhost]: FAILED! => {"changed": false, +fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating or updating virtual machine AlgoVPN - Azure Error: InvalidParameter\n Message: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid.\n @@ -243,7 +241,7 @@ This is related to [the chmod issue](https://github.com/Microsoft/WSL/issues/81) You tried to deploy Algo from Docker and you received an error like this one: ``` -Failed to connect to the host via ssh: +Failed to connect to the host via ssh: Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.\r\n Control socket connect(/root/.ansible/cp/6d9d22e981): Connection refused\r\n Failed to connect to new control master\r\n 
@@ -265,7 +263,7 @@ TASK [wireguard : Generate public keys] **************************************** [WARNING]: Unable to find 'configs/xxx.xxx.xxx.xxx/wireguard//private/dan' in expected paths. fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a , original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"} -``` +``` This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04. You should upgrade your server to Ubuntu 18.04. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows: ```ssh 
@@ -412,16 +410,10 @@ sed -i -e 's/#*.dos_protection = yes/dos_protection = no/' /etc/strongswan.d/cha ### WireGuard: Clients can connect on Wifi but not LTE -Certain cloud providers (like AWS Lightsail) don't assign an IPv6 address to your server, but certain cellular carriers (e.g. T-Mobile in the United States, [EE](https://community.ee.co.uk/t5/4G-and-mobile-data/IPv4-VPN-Connectivity/td-p/757881) in the United Kingdom) operate an IPv6-only network. This somehow leads to the Wireguard app not being able to make a connection when transitioning to cell service. Go to the Wireguard app on the device when you're having problems with cell connectivity and select "Export log file" or similar option. If you see a long string of error messages like "`Failed to send data packet write udp6 [::]:49727->[2607:7700:0:2a:0:1:354:40ae]:51820: sendto: no route to host` then you might be having this problem. +Certain cloud providers (like AWS Lightsail) don't assign an IPv6 address to your server, but certain cellular carriers (e.g. T-Mobile in the United States, [EE](https://community.ee.co.uk/t5/4G-and-mobile-data/IPv4-VPN-Connectivity/td-p/757881) in the United Kingdom) operate an IPv6-only network. This somehow leads to the Wireguard app not being able to make a connection when transitioning to cell service. Go to the Wireguard app on the device when you're having problems with cell connectivity and select "Export log file" or similar option. If you see a long string of error messages like "`Failed to send data packet write udp6 [::]:49727->[2607:7700:0:2a:0:1:354:40ae]:51820: sendto: no route to host` then you might be having this problem. Manually disconnecting and then reconnecting should restore your connection. To solve this, you need to either "force IPv4 connection" if available on your phone, or install an IPv4 APN, which might be available from your carrier tech support. 
T-mobile's is available [for iOS here under "iOS IPv4/IPv6 fix"](https://www.reddit.com/r/tmobile/wiki/index), and [here is a walkthrough for Android phones](https://www.myopenrouter.com/article/vpn-connections-not-working-t-mobile-heres-how-fix). -### "Error 809" or IKE_AUTH requests that never make it to the server - -On Windows, this issue may manifest with an error message that says "The network connection between your computer and the VPN server could not be established because the remote server is not responding... This is Error 809." On other operating systems, you may try to debug the issue by capturing packets with tcpdump and notice that, while IKE_SA_INIT request and responses are exchanged between the client and server, IKE_AUTH requests never make it to the server. - -It is possible that the IKE_AUTH payload is too big to fit in a single IP datagram, and so is fragmented. Many consumer routers and cable modems ship with a feature that blocks "fragmented IP packets." Try logging into your router and disabling any firewall settings related to blocking or dropping fragmented IP packets. For more information, see [Issue #305](https://github.com/trailofbits/algo/issues/305). - ### Error: name 'basestring' is not defined ``` 
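Review bot: the "Error 809 or IKE_AUTH requests that never make it to the server" section removed in this hunk is not Windows-specific, so deleting it along with the Windows client loses guidance that still applies. Its own text says the symptom appears on other operating systems as IKE_SA_INIT exchanges succeeding while IKE_AUTH requests never reach the server, and the cause it names (an IKE_AUTH payload fragmented across IP datagrams and dropped by a router that blocks fragmented packets) affects the remaining IPsec clients on macOS and iOS just as much. Suggest keeping the section, dropping only the sentence about the Windows error message, and restoring its table-of-contents entry removed in the hunk at `@@ -29,8 +29,6 @@`; the "Windows: Parameter is incorrect" removal is fine to keep since that one is Windows-only.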
@@ -448,29 +440,6 @@ Then rerun the dependency installation explicitly using python 2.7 python2.7 -m virtualenv --python=`which python2.7` env && source env/bin/activate && python2.7 -m pip install -U pip && python2.7 -m pip install -r requirements.txt ``` -### Windows: Parameter is incorrect - -The problem may happen if you recently moved to a new server, where you have Algo VPN. - -1. Clear the Networking caches: - - Run CMD (click windows start menu, type 'cmd', right click on 'Command Prompt' and select "Run as Administrator"). - - Type the commands below: - ``` - netsh int ip reset - netsh int ipv6 reset - netsh winsock reset - ``` - -3. Restart your computer -4. Reset Device Manager adaptors: - - Open Device Manager - - Find Network Adapters - - Uninstall WAN Miniport drivers (IKEv2, IP, IPv6, etc) - - Click Action > Scan for hardware changes - - The adapters you just uninstalled should come back - -The VPN connection should work again - ### IPsec: Difficulty connecting through router Some routers treat IPsec connections specially because older versions of IPsec did not work properly through [NAT](https://en.wikipedia.org/wiki/Network_address_translation). If you're having problems connecting to your AlgoVPN through a specific router using IPsec you might need to change some settings on the router. diff --git a/input.yml b/input.yml index 40005dc..bfabc85 100644 --- a/input.yml +++ b/input.yml @@ -9,7 +9,6 @@ ondemand_wifi: false dns_adblocking: false ssh_tunneling: false - windows: false store_pki: false providers_map: - { name: DigitalOcean, alias: digitalocean } 
@@ -79,14 +78,6 @@ - (ondemand_wifi|default(false)|bool) or (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) - - name: Compatible ciphers prompt - pause: - prompt: | - Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) - [y/N] - register: _windows - when: windows is undefined - - name: Retain the PKI prompt pause: prompt: | @@ -141,10 +132,6 @@ {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }} {%- elif _ssh_tunneling.user_input is defined %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }} {%- else %}false{% endif %} - algo_windows: >- - {% if windows is defined %}{{ windows | bool }} - {%- elif _windows.user_input is defined %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }} - {%- else %}false{% endif %} algo_store_pki: >- {% if ipsec_enabled %}{%- if store_pki is defined %}{{ store_pki | bool }} {%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }} diff --git a/install.sh b/install.sh index 51de5bd..6fccc92 100644 --- a/install.sh +++ b/install.sh 
@@ -6,16 +6,15 @@ METHOD="${1:-${METHOD:-cloud}}" ONDEMAND_CELLULAR="${2:-${ONDEMAND_CELLULAR:-false}}" ONDEMAND_WIFI="${3:-${ONDEMAND_WIFI:-false}}" ONDEMAND_WIFI_EXCLUDE="${4:-${ONDEMAND_WIFI_EXCLUDE:-_null}}" -WINDOWS="${5:-${WINDOWS:-false}}" -STORE_PKI="${6:-${STORE_PKI:-false}}" -DNS_ADBLOCKING="${7:-${DNS_ADBLOCKING:-false}}" -SSH_TUNNELING="${8:-${SSH_TUNNELING:-false}}" -ENDPOINT="${9:-${ENDPOINT:-localhost}}" -USERS="${10:-${USERS:-user1}}" -REPO_SLUG="${11:-${REPO_SLUG:-trailofbits/algo}}" -REPO_BRANCH="${12:-${REPO_BRANCH:-master}}" -EXTRA_VARS="${13:-${EXTRA_VARS:-placeholder=null}}" -ANSIBLE_EXTRA_ARGS="${14:-${ANSIBLE_EXTRA_ARGS}}" +STORE_PKI="${5:-${STORE_PKI:-false}}" +DNS_ADBLOCKING="${6:-${DNS_ADBLOCKING:-false}}" +SSH_TUNNELING="${7:-${SSH_TUNNELING:-false}}" +ENDPOINT="${8:-${ENDPOINT:-localhost}}" +USERS="${9:-${USERS:-user1}}" +REPO_SLUG="${10:-${REPO_SLUG:-trailofbits/algo}}" +REPO_BRANCH="${11:-${REPO_BRANCH:-master}}" +EXTRA_VARS="${12:-${EXTRA_VARS:-placeholder=null}}" +ANSIBLE_EXTRA_ARGS="${13:-${ANSIBLE_EXTRA_ARGS}}" cd /opt/ @@ -91,7 +90,6 @@ deployAlgo() { -e "ondemand_cellular=${ONDEMAND_CELLULAR}" \ -e "ondemand_wifi=${ONDEMAND_WIFI}" \ -e "ondemand_wifi_exclude=${ONDEMAND_WIFI_EXCLUDE}" \ - -e "windows=${WINDOWS}" \ -e "store_pki=${STORE_PKI}" \ -e "dns_adblocking=${DNS_ADBLOCKING}" \ -e "ssh_tunneling=${SSH_TUNNELING}" \ diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml index 6fd9087..19c4de6 100644 --- a/playbooks/cloud-post.yml +++ b/playbooks/cloud-post.yml @@ -17,7 +17,6 @@ algo_ondemand_wifi_exclude: "{{ algo_ondemand_wifi_exclude }}" algo_dns_adblocking: "{{ algo_dns_adblocking }}" algo_ssh_tunneling: "{{ algo_ssh_tunneling }}" - algo_windows: "{{ algo_windows }}" algo_store_pki: "{{ algo_store_pki }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" diff --git a/playbooks/cloud-pre.yml b/playbooks/cloud-pre.yml index 1a5c87b..fb0dee0 100644 --- a/playbooks/cloud-pre.yml +++ b/playbooks/cloud-pre.yml 
@@ -8,7 +8,6 @@ 'algo_ondemand_cellular "{{ algo_ondemand_cellular }}"' \ 'algo_ondemand_wifi "{{ algo_ondemand_wifi }}"' \ 'algo_ondemand_wifi_exclude "{{ algo_ondemand_wifi_exclude }}"' \ - 'algo_windows "{{ algo_windows }}"' \ {% endif %} 'algo_dns_adblocking "{{ algo_dns_adblocking }}"' \ 'algo_ssh_tunneling "{{ algo_ssh_tunneling }}"' \ diff --git a/roles/strongswan/defaults/main.yml b/roles/strongswan/defaults/main.yml index 7bc9974..a9d71a2 100644 --- a/roles/strongswan/defaults/main.yml +++ b/roles/strongswan/defaults/main.yml @@ -7,7 +7,6 @@ BetweenClients_DROP: true algo_ondemand_cellular: false algo_ondemand_wifi: false algo_ondemand_wifi_exclude: '_null' -algo_windows: false algo_dns_adblocking: false ipv6_support: false dns_encryption: true @@ -39,9 +38,6 @@ ciphers: defaults: ike: aes256gcm16-prfsha512-ecp384! esp: aes256gcm16-ecp384! - compat: - ike: aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384! - esp: aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384! pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" diff --git a/roles/strongswan/tasks/client_configs.yml b/roles/strongswan/tasks/client_configs.yml index 145f29d..8798950 100644 --- a/roles/strongswan/tasks/client_configs.yml +++ b/roles/strongswan/tasks/client_configs.yml @@ -41,16 +41,6 @@ with_items: - "{{ users }}" -- name: Build the windows client powershell script - template: - src: client_windows.ps1.j2 - dest: "{{ ipsec_config_path }}/windows/{{ item.0 }}.ps1" - mode: 0600 - when: algo_windows - with_together: - - "{{ users }}" - - "{{ PayloadContent.results }}" - - name: Restrict permissions for the local private directories file: path: "{{ ipsec_config_path }}" diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml index 8420211..feb627f 100644 --- a/roles/strongswan/tasks/openssl.yml +++ b/roles/strongswan/tasks/openssl.yml 
@@ -39,7 +39,6 @@ mode: '0700' with_items: - apple - - windows - manual - name: Ensure the files exist diff --git a/roles/strongswan/templates/client_ipsec.conf.j2 b/roles/strongswan/templates/client_ipsec.conf.j2 index e44f949..d622296 100644 --- a/roles/strongswan/templates/client_ipsec.conf.j2 +++ b/roles/strongswan/templates/client_ipsec.conf.j2 @@ -6,13 +6,8 @@ conn algovpn-{{ IP_subject_alt_name }} compress=no dpddelay=35s -{% if algo_windows %} - ike={{ ciphers.compat.ike }} - esp={{ ciphers.compat.esp }} -{% else %} ike={{ ciphers.defaults.ike }} esp={{ ciphers.defaults.esp }} -{% endif %} right={{ IP_subject_alt_name }} rightid={{ IP_subject_alt_name }} diff --git a/roles/strongswan/templates/client_windows.ps1.j2 b/roles/strongswan/templates/client_windows.ps1.j2 deleted file mode 100644 index 883d956..0000000 --- a/roles/strongswan/templates/client_windows.ps1.j2 +++ /dev/null 
@@ -1,211 +0,0 @@ -#Requires -RunAsAdministrator - -<# -.SYNOPSIS -Add or remove the Algo VPN - -.DESCRIPTION -Add or remove the Algo VPN -See the examples for more information - -.PARAMETER Add -Add the VPN to the local system - -.PARAMETER Remove -Remove the VPN from the local system - -.PARAMETER GetInstalledCerts -Retrieve Algo certs, if any, from the system certificate store - -.PARAMETER SaveCerts -Save the Algo certs embedded in this file - -.PARAMETER OutputDirectory -When saving the Algo certs, save to this directory - -.PARAMETER Pkcs12DecryptionPassword -The decryption password for the user's PKCS12 certificate, sometimes called the "p12 password". -Note that this must be passed in as a SecureString, not a regular string. -You can create a secure string with the `Read-Host -AsSecureString` cmdlet. -See the examples for more information. - -.PARAMETER AllUsers -Allow all users to use the VPN - -.EXAMPLE -client_USER.ps1 -Add - -Adds the Algo VPN - -.EXAMPLE -$p12pass = Read-Host -AsSecureString; client_USER.ps1 -Add -Pkcs12DecryptionPassword $p12pass - -Create a variable containing the PKCS12 decryption password, then use it when adding the VPN. -This can be especially useful when troubleshooting, because you can use the same variable with -multiple calls to client_USER.ps1, rather than having to type the PKCS12 password each time. - -.EXAMPLE -client_USER.ps1 -Remove - -Removes the Algo VPN if installed. - -.EXAMPLE -client_USER.ps1 -GetIntalledCerts - -Show the Algo VPN's installed certificates, if any. - -.EXAMPLE -client_USER.ps1 -SaveCerts -OutputDirectory $Home\Downloads - -Save the embedded CA cert and encrypted user PKCS12 file. 
-#> -[CmdletBinding(DefaultParameterSetName="Add")] Param( - [Parameter(ParameterSetName="Add")] - [Switch] $Add, - - [Parameter(ParameterSetName="Add")] - [SecureString] $Pkcs12DecryptionPassword, - - [Parameter(ParameterSetName="Add")] - [Switch] $AllUsers = $false, - - [Parameter(Mandatory, ParameterSetName="Remove")] - [Switch] $Remove, - - [Parameter(Mandatory, ParameterSetName="GetInstalledCerts")] - [Switch] $GetInstalledCerts, - - [Parameter(Mandatory, ParameterSetName="SaveCerts")] - [Switch] $SaveCerts, - - [Parameter(ParameterSetName="SaveCerts")] - [string] $OutputDirectory = "$PWD" -) - -$ErrorActionPreference = "Stop" - -$VpnServerAddress = "{{ IP_subject_alt_name }}" -$VpnName = "AlgoVPN {{ algo_server_name }} IKEv2" -$VpnUser = "{{ item.0 }}" -$CaCertificateBase64 = "{{ PayloadContentCA }}" -$UserPkcs12Base64 = "{{ item.1.stdout }}" - -if ($PsCmdlet.ParameterSetName -eq "Add" -and -not $Pkcs12DecryptionPassword) { - $Pkcs12DecryptionPassword = ConvertTo-SecureString '{{ p12_export_password }}' -asplaintext -force -} - -<# -.SYNOPSIS -Create a temporary directory -#> -function New-TemporaryDirectory { - [CmdletBinding()] Param() - do { - $guid = New-Guid | Select-Object -ExpandProperty Guid - $newTempDirPath = Join-Path -Path $env:TEMP -ChildPath $guid - } while (Test-Path -Path $newTempDirPath) - New-Item -ItemType Directory -Path $newTempDirPath -} - -<# -.SYNOPSIS -Retrieve any installed Algo VPN certificates -#> -function Get-InstalledAlgoVpnCertificates { - [CmdletBinding()] Param() - Get-ChildItem -LiteralPath Cert:\LocalMachine\Root | - Where-Object { - $_.Subject -match "^CN=${VpnServerAddress}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$" - } - Get-ChildItem -LiteralPath Cert:\LocalMachine\My | - Where-Object { - $_.Subject -match "^CN=${VpnUser}$" -and $_.Issuer -match "^CN=${VpnServerAddress}$" - } -} - -function Save-AlgoVpnCertificates { - [CmdletBinding()] Param( - [String] $OutputDirectory = $PWD - ) - $caCertPath = Join-Path 
-Path $OutputDirectory -ChildPath "cacert.pem" - $userP12Path = Join-Path -Path $OutputDirectory -ChildPath "$VpnUser.p12" - # NOTE: We cannot use ConvertFrom-Base64 here because it is not designed for binary data - [IO.File]::WriteAllBytes( - $caCertPath, - [Convert]::FromBase64String($CaCertificateBase64)) - [IO.File]::WriteAllBytes( - $userP12Path, - [Convert]::FromBase64String($UserPkcs12Base64)) - return New-Object -TypeName PSObject -Property @{ - CaPem = $caCertPath - UserPkcs12 = $userP12Path - } -} - -function Add-AlgoVPN { - [Cmdletbinding()] Param() - - $workDir = New-TemporaryDirectory - - try { - $certs = Save-AlgoVpnCertificates -OutputDirectory $workDir - $importPfxCertParams = @{ - Password = $Pkcs12DecryptionPassword - FilePath = $certs.UserPkcs12 - CertStoreLocation = "Cert:\LocalMachine\My" - } - Import-PfxCertificate @importPfxCertParams - $importCertParams = @{ - FilePath = $certs.CaPem - CertStoreLocation = "Cert:\LocalMachine\Root" - } - Import-Certificate @importCertParams - } finally { - Remove-Item -Recurse -Force -LiteralPath $workDir - } - - $addVpnParams = @{ - Name = $VpnName - ServerAddress = $VpnServerAddress - TunnelType = "IKEv2" - AuthenticationMethod = "MachineCertificate" - EncryptionLevel = "Required" - AllUserConnection = $AllUsers - } - Add-VpnConnection @addVpnParams - - $addVpnRouteParams = @{ - ConnectionName = $VpnName - } - Add-VpnConnectionRoute @addVpnRouteParams -DestinationPrefix ::/1 - Add-VpnConnectionRoute @addVpnRouteParams -DestinationPrefix 8000::/1 - - $setVpnParams = @{ - ConnectionName = $VpnName - AuthenticationTransformConstants = "GCMAES256" - CipherTransformConstants = "GCMAES256" - EncryptionMethod = "AES256" - IntegrityCheckMethod = "SHA384" - DHGroup = "ECP384" - PfsGroup = "ECP384" - Force = $true - } - Set-VpnConnectionIPsecConfiguration @setVpnParams -} - -function Remove-AlgoVPN { - [CmdletBinding()] Param() - Get-InstalledAlgoVpnCertificates | Remove-Item -Force - Remove-VpnConnection -Name 
$VpnName -Force -} - -switch ($PsCmdlet.ParameterSetName) { - "Add" { Add-AlgoVPN } - "Remove" { Remove-AlgoVPN } - "GetInstalledCerts" { Get-InstalledAlgoVpnCertificates } - "SaveCerts" { - $certs = Save-AlgoVpnCertificates -OutputDirectory $OutputDirectory - Get-Item -LiteralPath $certs.UserPkcs12, $certs.CaPem - } - default { throw "Unknown parameter set: '$($PsCmdlet.ParameterSetName)'" } -} diff --git a/roles/strongswan/templates/ipsec.conf.j2 b/roles/strongswan/templates/ipsec.conf.j2 index 02c5190..6f6fff9 100644 --- a/roles/strongswan/templates/ipsec.conf.j2 +++ b/roles/strongswan/templates/ipsec.conf.j2 @@ -12,13 +12,8 @@ conn %default lifetime=3h ikelifetime=12h -{% if algo_windows %} - ike={{ ciphers.compat.ike }} - esp={{ ciphers.compat.esp }} -{% else %} ike={{ ciphers.defaults.ike }} esp={{ ciphers.defaults.esp }} -{% endif %} left=%any leftauth=pubkey diff --git a/server.yml b/server.yml index 3e51c22..0eb7866 100644 --- a/server.yml +++ b/server.yml @@ -50,7 +50,6 @@ algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }} algo_dns_adblocking: {{ algo_dns_adblocking }} algo_ssh_tunneling: {{ algo_ssh_tunneling }} - algo_windows: {{ algo_windows }} algo_store_pki: {{ algo_store_pki }} IP_subject_alt_name: {{ IP_subject_alt_name }} ipsec_enabled: {{ ipsec_enabled }} diff --git a/tests/cloud-init.sh b/tests/cloud-init.sh index 0dbec14..f8de251 100755 --- a/tests/cloud-init.sh +++ b/tests/cloud-init.sh @@ -4,7 +4,6 @@ export METHOD=local export ONDEMAND_CELLULAR=true export ONDEMAND_WIFI=true export ONDEMAND_WIFI_EXCLUDE=test1,test2 -export WINDOWS=true export STORE_PKI=true export DNS_ADBLOCKING=true export SSH_TUNNELING=true diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index 6f57537..f2d073b 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh 
@@ -2,7 +2,7 @@ set -ex -DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test dns_adblocking=true ssh_tunneling=true windows=true store_pki=true install_headers=false tests=true local_service_ip=172.16.0.1" +DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test dns_adblocking=true ssh_tunneling=true store_pki=true install_headers=false tests=true local_service_ip=172.16.0.1" if [ "${DEPLOY}" == "docker" ] then
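Review bot: in the README file list hunk (`@@ -149,12 +146,13 @@`), `ipsec/manual/.conf` and `ipsec/manual/.secrets` carry the identical description "strongSwan client configuration". A strongSwan secrets file holds credential references rather than connection settings, so it is the sensitive one of the pair and the one a user should not copy around casually; give it its own description ("strongSwan client secrets" or similar) so readers know which file to protect. The `.p12` entry already does this correctly by saying it contains the private key.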
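Review bot: while the variable list in docs/deploy-from-ansible.md (`@@ -32,7 +31,6 @@`) is being edited, fix the line immediately below the removed one: it documents `store_cakey`, but the example invocation above it, `input.yml`, `install.sh` and `playbooks/cloud-post.yml` in this same patch all use `store_pki`. A reader who copies the documented name passes a variable the playbook never reads, since `input.yml` keys on `store_pki`, and the CA-key decision they thought they had made is not the one that takes effect.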
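Review bot: removing the `compat` cipher set in roles/strongswan/defaults/main.yml (`@@ -39,9 +38,6 @@`) together with the prompt in input.yml (`@@ -79,14 +78,6 @@`) goes further than dropping Windows. The deleted prompt text covered "Windows 10 or Linux Desktop clients", and the README still sends Linux users to IPsec under `### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)`. After this change both `ipsec.conf.j2` and `client_ipsec.conf.j2` offer only `aes256gcm16-prfsha512-ecp384!` and `aes256gcm16-ecp384!`, so a Linux client that previously relied on the CBC/HMAC fallbacks (`aes256-sha2_512-prfsha512-ecp384`, `aes256-sha2_384-prfsha384-ecp384`) will fail IKE negotiation with no hint as to why. Collapsing to a single AEAD proposal is the right default; the ask is to either confirm that the NetworkManager-strongswan path negotiates the GCM-only proposal on the supported distributions, or point Linux desktop users at the WireGuard profile the way the Windows section now does, and to remove the "Linux Desktop" promise from the docs either way.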
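Review bot: the install.sh hunk (`@@ -6,16 +6,15 @@`) renumbers positional parameters 5 through 14 when `WINDOWS` is removed, which silently changes the meaning of every existing positional invocation: the fifth argument, formerly `WINDOWS`, is now read as `STORE_PKI`, the sixth, formerly `STORE_PKI`, as `DNS_ADBLOCKING`, and so on down the list. Because these are all `true`/`false` strings nothing fails loudly; a caller who passed `true` for Windows compatibility now retains the CA key on the server, which the docs themselves call less secure, and the value they meant for `STORE_PKI` lands on ad-blocking instead. Since docs/deploy-from-script-or-cloud-init-to-localhost.md offers this script for cloud-init use, either keep position 5 as an ignored placeholder for a release or call out the argument shift in that document next to the removed `WINDOWS` line.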
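Review bot: in the new FAQ entry (`@@ -16,6 +16,10 @@`) the second sentence is a comma splice: "It has undergone substantial security review, however, its authors are appropriately cautious" needs a semicolon or a full stop before "however". The advice at the end could also be more direct: since the README now routes Windows and Android users to WireGuard by default, say plainly that they should keep the WireGuard client updated, rather than the passive "users should be advised to apply new updates when they are available".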