From 4064bc281ae0e037365fa5d21da5c47dbc5a7a41 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Thu, 6 Jun 2019 11:58:31 -0400
Subject: [PATCH] Update the Fedora related docs. (#1470)

* Update the Fedora related docs.

- update for new generated config file locations
- remove reference to no-longer-needed copr
- update package names for further py2 changes in Fedora

* switch back to the default ciphers
---
 docs/client-linux.md                   | 27 ++++++-----------------
 docs/deploy-from-fedora-workstation.md | 30 +++++++++-----------------
 2 files changed, 16 insertions(+), 41 deletions(-)

diff --git a/docs/client-linux.md b/docs/client-linux.md
index 94a6445..1968496 100644
--- a/docs/client-linux.md
+++ b/docs/client-linux.md
@@ -29,27 +29,12 @@ Some Linux clients may require more specific and details instructions to configu #### (Gnome) Network Manager install -We'll use the [rsclarke/NetworkManager-strongswan](https://copr.fedorainfracloud.org/coprs/rsclarke/NetworkManager-strongswan/) Copr repo (see [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-327820191)), this will make the `IKE` and `ESP` fields available in the Gnome Network Manager. Note that at time of writing the non-Copr repo will result in connection failures. Also note that the Copr repo *instructions are not filled in by author. Author knows what to do. Everybody else should avoid this repo*. So unless you are comfortable with using this repo, you'll want to hold out untill the patches applied in the Copr repo make it into stable. - -First remove the stable `NetworkManager-strongswan` package, ensure you have backups in place and / or take note of config backups taken during the removal of the package. - -```` -dnf remove NetworkManager-strongswan -```` - -Next, enable the Copr repo and install it along with the `NetworkManager-strongswan-gnome` package: +First, install the required plugins. ```` -dnf copr enable -y rsclarke/NetworkManager-strongswan dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome ```` -Reboot your machine: - -```` -reboot now -```` - #### (Gnome) Network Manager configuration In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the user we created is `user-name`. 
@@ -61,11 +46,11 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the * Name: your choice, e.g.: *ikev2-1.2.3.4* * Gateway: * Address: IP of the Algo VPN server, e.g: `1.2.3.4` - * Certificate: `cacert.pem` found at `/path/to/algo/configs/1.2.3.4/cacert.pem` + * Certificate: `cacert.pem` found at `/path/to/algo/configs/1.2.3.4/ipsec/.pki/cacert.pem` * Client: * Authentication: *Certificate/Private key* - * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/pki/certs/user-name.crt` - * Private key: `user-name.key` found at `/path/to/algo/configs/1.2.3.4/pki/private/user-name.key` + * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/ipsec/.pki/certs/user-name.crt` + * Private key: `user-name.key` found at `/path/to/algo/configs/1.2.3.4/ipsec/.pki/private/user-name.key` * Options: * Check *Request an inner IP address*, connection will fail without this option * Optionally check *Enforce UDP encapsulation* @@ -73,6 +58,6 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the * For the later 2 options, hover to option in the settings to see a description * Cipher proposal: * Check *Enable custom proposals* - * IKE: `aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384` - * ESP: `aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384` + * IKE: `aes256gcm16-prfsha512-ecp384` + * ESP: `aes256gcm16-ecp384` * Apply and turn the connection on, you should now be connected diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md index 319d74c..39a979c 100644 --- a/docs/deploy-from-fedora-workstation.md +++ b/docs/deploy-from-fedora-workstation.md @@ -1,6 +1,6 @@ # Deploy from Fedora Workstation -These docs were written based on experience on Fedora Workstation 26. +These docs were written based on experience on Fedora Workstation 30. ## Prerequisites 
@@ -14,7 +14,7 @@ Using `python2-*` in favour of `python3-*` as per [declared dependency](https:// | `build-essential` | `make automake gcc gcc-c++ kernel-devel` | | `libssl-dev` | `openssl-devel` | | `libffi-dev` | `libffi-devel` | -| `python-dev` | `python-devel` | +| `python-dev` | `python2-devel` | | `python-pip` | `python2-pip` | | `python-setuptools` | `python2-setuptools` | | `python-virtualenv` | `python2-virtualenv` | @@ -39,10 +39,14 @@ dnf install -y \ openssl-devel \ libffi-devel \ libselinux-python \ - python-devel \ + python2-devel \ python2-pip \ python2-setuptools \ python2-virtualenv \ + python2-crypto \ + python2-pyyaml \ + python2-pyOpenSSL \ + python2-libselinux \ make ```` @@ -70,29 +74,15 @@ Run `pip -v` and check the python version it is using: ```` $ pip -V -pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7) +pip 19.0.3 from /usr/lib/python2.7/site-packages (python 2.7) ```` `python 2.7` is what we're looking for. -### `pip` upgrade and installs - -```` -# Upgrade pip itself -pip -q install --upgrade pip -# python-devel needed to prevent setup.py crash -pip -q install pycrypto -# pycrypto 2.7.1 needed for latest security patch -# This may need to run with sudo to complete without permission violations -pip -q install setuptools --upgrade -# virtualenv to make installing dependencies easier -pip -q install virtualenv -```` - ### Setup virtualenv and install requirements ```` -virtualenv --system-site-packages env +python2 -m virtualenv --system-site-packages env source env/bin/activate pip -q install --user -r requirements.txt ```` 
@@ -110,7 +100,7 @@ We can now deploy our server by running: ```` Ensure to allow Windows / Linux clients when going through the config options. -Note the IP and password of the newly created Alfo VPN server and store it safely. +Note the IP and password of the newly created Algo VPN server and store it safely. If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](client-linux.md).
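Review bot: in the client-linux.md hunk at @@ -29,27 +29,12 @@, dropping the `reboot now` step leaves no instruction for getting the freshly installed plugin loaded; a running NetworkManager and an already open connection editor may not show the strongSwan VPN type until they are restarted (`systemctl restart NetworkManager`, or log out and back in), so a one-line note after `dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome` would save readers a confusing first attempt. Also, with the Copr steps gone, "First, install the required plugins." is the only step left, so "First" dangles; "Install the required plugins:" reads better ahead of the fence.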
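Review bot: in the @@ -61,11 +46,11 @@ hunk the certificate and key now live under `ipsec/.pki/`, a dot-directory; the GNOME file chooser that the Network Manager dialog opens hides dot-files by default, so readers following `/path/to/algo/configs/1.2.3.4/ipsec/.pki/private/user-name.key` will not see `.pki` unless they press Ctrl+H or type the path. A parenthetical on the first of the three paths would cover it. Since this hunk points users at the client private key, a reminder to keep `user-name.key` readable only by its owner when copying it elsewhere would fit here as well.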
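Review bot: the cipher hunk at @@ -73,6 +58,6 @@ narrows each proposal to a single suite (`aes256gcm16-prfsha512-ecp384` and `aes256gcm16-ecp384`) and drops the `aes256-sha2_512-prfsha512-ecp384` and `aes256-sha2_384-prfsha384-ecp384` fallbacks; the commit message calls these the defaults, but the doc text never says they must match the server's proposal, so a later server-side change would surface only as a generic negotiation failure in the GUI. Consider stating that these values mirror Algo's server configuration and are to be changed together, so the single suite reads as a deliberate restriction. The unchanged context line "For the later 2 options" should be "latter" while this block is being touched.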
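Review bot: in the deploy-from-fedora-workstation.md hunk at @@ -39,10 +39,14 @@, `python2-libselinux` is added while the unchanged `libselinux-python` line above it is kept; on Fedora these are the old and new names of the same SELinux bindings, so the list now either installs one package twice or, once the old name stops resolving, fails on `libselinux-python`. Keep only `python2-libselinux`. The four new packages (`python2-crypto`, `python2-pyyaml`, `python2-pyOpenSSL`, `python2-libselinux`) also have no rows in the Debian-to-Fedora mapping table at the top of the file, which only gained the `python2-devel` rename.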
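Review bot: the hunk at @@ -70,29 +74,15 @@ deletes the pip section whose comment read `pycrypto 2.7.1 needed for latest security patch`, and the replacement relies on the distro `python2-crypto` package installed earlier with no statement that it carries that fix; keep a one-line note on which pycrypto version the requirements need so the security rationale survives the edit. In the same block, `pip -q install --user -r requirements.txt` now runs inside the freshly activated `env`; with `--user`, pip either refuses the install or puts the packages under `~/.local` instead of `env`, so the flag should go now that the virtualenv is created via `python2 -m virtualenv`.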
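Review bot: the Alfo/Algo fix in the @@ -110,7 +100,7 @@ hunk is fine; while here, "Ensure to allow" in the unchanged context line is unidiomatic and would read better as "Be sure to allow".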