mirror of https://github.com/trailofbits/algo
Update docs (#1430)
* Point additional docs to index.md
* Update index.md: Moves existing links from readme.md over to update this separate (previously out-of-date, redundant) page.
* Update documented Ansible roles
* Fix broken links in index.md
* Complete index.md: As a general rule all docs should be linked to from the index file. No?
* Update SSH access instructions
* Clarify SSH access instructions
* Delete setup-roles.md
* Update deploy-from-ansible.md: Change header, insert text from setup-roles.md
* Remove link to setup-roles from index.md
* Fix typos
* Update deploy-from-ansible.md: Document other `--skip-tags` options, as well as examples for Vultr and Scaleway variables.
* Update deploy-from-ansible.md: Added region examples for AWS and Lightsail. Happy to add other examples if people have experience with other providers.

pull/1405/head
parent 638a355196
commit 38ebe4893d
@ -1,21 +1,29 @@
# Algo VPN documentation
* Setup instructions
- Documentation for available [Ansible roles](setup-roles.md)
* Deployment instructions
- Deploy from [Fedora Workstation (26)](deploy-from-fedora-workstation.md)
- Deploy from [RedHat/CentOS 6.x](deploy-from-redhat-centos6.md)
- Deploy from [Windows](deploy-from-windows.md)
- Deploy from [Ansible](deploy-from-ansible.md) directly
- Deploy from a [Docker container](deploy-from-docker.md)
- Deploy from [Ansible](deploy-from-ansible.md) non-interactively
- Deploy onto a [cloud server at time of creation](deploy-from-script-or-cloud-init-to-localhost.md)
* Client setup
- Setup [Android](client-android.md) clients
- Setup [Generic/Linux](client-linux.md) clients with Ansible
* Cloud setup
- Setup Ubuntu clients to use [WireGuard](client-linux-wireguard.md)
- Setup Apple devices to use [IPSEC](client-apple-ipsec.md)
- Setup Macs running macOS 10.13 or older to use [Wireguard](client-macos-wireguard.md)
- Manual Windows 10 client setup for [IPSEC](client-windows.md)
* Cloud provider setup
- Configure [Amazon EC2](cloud-amazon-ec2.md)
- Configure [Azure](cloud-azure.md)
- Configure [DigitalOcean](cloud-do.md)
- Configure [Google Cloud Platform](cloud-gce.md)
- Configure [Vultr](cloud-vultr.md)
* Advanced Deployment
- Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
- Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server
- Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
* [FAQ](faq.md)
* [Firewalls](firewalls.md)
* [Troubleshooting](troubleshooting.md)
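Review bot: the four client entries from "Setup Ubuntu clients to use [WireGuard]" through "Manual Windows 10 client setup for [IPSEC]" sit under the "* Cloud setup" heading, which mislabels them; they belong with the Android and Generic/Linux entries under "* Client setup". The rendered view has lost its +/- markers, so if "* Cloud setup" is the heading being removed here rather than kept, confirm that in the raw diff. Two further nits: "Deploy from [Ansible](deploy-from-ansible.md) directly" and "Deploy from [Ansible](deploy-from-ansible.md) non-interactively" link to the same file, so only one should survive, and the project name is spelled "Wireguard" in the macOS entry but "WireGuard" in the Ubuntu entry. As a verb, "Setup Android clients" should read "Set up".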
@ -1,28 +0,0 @@
# Ansible Roles
## Required roles
* **Common**
* Installs several required packages and software updates, then reboots if necessary
* Configures network interfaces, and enables packet forwarding on them
* **VPN**
* Installs [strongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
* Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
* Bundles the appropriate certificates into Apple mobileconfig profiles for each user
* Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
## Optional roles
* **Security Enhancements**
* Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
* Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
* Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
* **DNS-based Adblocking**
* Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
* **DNS encryption**
* Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
* Constrains dingo with AppArmor and cgroups CPU and memory limitations
* **SSH Tunneling**
* Adds a restricted `algo` group with no shell access and limited SSH forwarding options
* Creates one limited, local account per user and an SSH public key for each
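Review bot: under "DNS encryption", the bullet "Constrains dingo with AppArmor and cgroups CPU and memory limitations" names a different process than the one installed in the bullet just above it (dnscrypt-proxy); since the commit message says this text is being moved into deploy-from-ansible.md rather than dropped, the moved copy should constrain the tool it actually installs, or the claim should be removed. The role descriptions also mix verb forms ("Installs", "Install", "Modify", "Enhances"); align them to third person ("Installs", "Modifies") in the new location. Finally, this file is the only place in the hunk that inventories the hardening Algo applies (AppArmor and privilege dropping for strongSwan, seccomp-restricted SSH, SMB/CIFS blocked by iptables, a no-shell `algo` group for tunneling), so check that none of those items is lost in the move.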