Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Some fixes

Browse Source
pull/69/head
Evgeniy Ivanov 8 years ago
parent e618cdf0ce
commit a9b10baf1d
7 changed files with 25 additions and 18 deletions
Show Stats Download Patch File Download Diff File

1
config.cfg
Unescape Escape View File

@ -10,6 +10,7 @@ easyrsa_reinit_existent: False
vpn_network: 10.19.48.0/24
vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64'
server_name: "{{ ansible_ssh_host }}"
IP_subject_alt_name: "{{ ansible_ssh_host }}"
# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
service_dns: True

14
non-cloud.yml
Unescape Escape View File

@ -6,6 +6,7 @@
- name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost
private: no
- name: "server_user"
@ -26,7 +27,11 @@
- name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n"
default: "vpn"
private: yes
private: yes
- name: "IP_subject_alt_name"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is using to verify the certificate)\n"
private: no
tasks:
- name: Add the server to the vpn-host group
@ -38,6 +43,7 @@
dns_enabled: "{{ dns_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Post-provisioning tasks
hosts: vpn-host
@ -53,9 +59,9 @@
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- security
- proxy
#- common
#- security
#- proxy
- vpn
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

6
roles/vpn/tasks/main.yml
Unescape Escape View File

@ -67,7 +67,7 @@
- name: Build the server pair
shell: >
./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass&&
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -99,12 +99,12 @@
- restart strongswan
- name: Copy the server cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=root group=root mode=0600
notify:
- restart strongswan
- name: Copy the server key to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=root group=root mode=0600
notify:
- restart strongswan

4
roles/vpn/templates/easy-rsa.vars.j2
Unescape Escape View File

@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
set_var EASYRSA_REQ_CN "{{ IP_subject_alt_name }}"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"
set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}"

4
roles/vpn/templates/ipsec.conf.j2
Unescape Escape View File

@ -15,8 +15,8 @@ conn %default
left=%any
leftauth=pubkey
leftid={{ ansible_ssh_host }}
leftcert={{ ansible_ssh_host }}.crt
leftid={{ IP_subject_alt_name }}
leftcert={{ IP_subject_alt_name }}.crt
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0

2
roles/vpn/templates/ipsec.secrets.j2
Unescape Escape View File

@ -1,2 +1,2 @@
: ECDSA {{ ansible_ssh_host }}.key
: ECDSA {{ IP_subject_alt_name }}.key

12
roles/vpn/templates/mobileconfig.j2
Unescape Escape View File

@ -48,11 +48,11 @@
<key>CertificateType</key>
<string>ECDSA256</string>
<key>ServerCertificateIssuerCommonName</key>
<string>{{ ansible_ssh_host }}</string>
<string>{{ IP_subject_alt_name }}</string>
<key>RemoteAddress</key>
<string>{{ ansible_ssh_host }}</string>
<string>{{ IP_subject_alt_name }}</string>
<key>RemoteIdentifier</key>
<string>{{ ansible_ssh_host }}</string>
<string>{{ IP_subject_alt_name }}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
@ -81,7 +81,7 @@
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>{{ ansible_ssh_host }} IKEv2</string>
<string>{{ IP_subject_alt_name }} IKEv2</string>
<key>VPNType</key>
<string>IKEv2</string>
</dict>
@ -117,7 +117,7 @@
<key>PayloadDescription</key>
<string>Adds a CA root certificate</string>
<key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }}</string>
<string>{{ IP_subject_alt_name }}</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadType</key>
@ -129,7 +129,7 @@
</dict>
</array>
<key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }} IKEv2</string>
<string>{{ IP_subject_alt_name }} IKEv2</string>
<key>PayloadIdentifier</key>
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
<key>PayloadRemovalDisallowed</key>

Write Preview
Loading…
Cancel
Save