diff --git a/README.md b/README.md
index d3372f7..2bd41a8 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,9 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
 The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you.
-1. Install the dependencies on OS X or Linux: `sudo easy_install pip && sudo pip install -r requirements.txt`
+1. Install the dependencies
+1.1. On OS X: `sudo easy_install pip && sudo pip install -r requirements.txt`
+1.2. On Linux (deb based): `sudo easy_install pip && sudo apt-get install libssl-dev && sudo pip install -r requirements.txt`
 2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
 3. Start the deploy and follow the instructions: `./algo`
diff --git a/algo b/algo
index 8eeb05a..cf2f1f1 100755
--- a/algo
+++ b/algo
@@ -2,6 +2,8 @@
 set -e
+SKIP_TAGS="_null"
+
 additional_roles () {
 read -p "
 Do you want to apply security enhancements?
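Review bot: `SKIP_TAGS="_null"` is an unexplained sentinel, and the same `_null` string is reused later in this file as the "no exclusions" value of `OnDemandEnabled_WIFI_ECXLUDE`, so a reader will look for a task tagged `_null`. Presumably it exists so that `--skip-tags "${SKIP_TAGS// /,}"` in `deploy` is never handed an empty string; I would say so on the line, `# placeholder so --skip-tags never receives an empty value; the local provider appends "cloud"`. If the sentinel is only needed for that, `${SKIP_TAGS:-_null}` at the call site would keep the variable itself honest.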
@@ -33,11 +35,31 @@ Do you want each user to have their own account for SSH tunneling?
 ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
 if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
+read -p "
+Do you want to enable VPN always when connected to Wi-Fi?
+[y/N]: " -r OnDemandEnabled_WIFI
+OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n}
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi
+
+if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then
+ read -p "
+Do you want to exclude trust Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi)
+: " -r OnDemandEnabled_WIFI_ECXLUDE
+ OnDemandEnabled_WIFI_ECXLUDE=${OnDemandEnabled_WIFI_ECXLUDE:-_null}
+ EXTRA_VARS+=" OnDemandEnabled_WIFI_ECXLUDE=$OnDemandEnabled_WIFI_ECXLUDE"
+fi
+
+read -p "
+Do you want to enable VPN always when connected to the cellular network?
+[y/N]: " -r OnDemandEnabled_Cellular
+OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
+if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
+
 }
 deploy () {
- ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}"
+ ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}"
 }
@@ -88,7 +110,7 @@ Enter the number of your desired region:
 12) do_region="blr1" ;;
 esac
-ROLES="digitalocean vpn"
+ROLES="digitalocean vpn cloud"
 EXTRA_VARS="do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"
 }
@@ -146,7 +168,7 @@ Enter the number of your desired region:
 12) region="sa-east-1" ;;
 esac
- ROLES="ec2 vpn"
+ ROLES="ec2 vpn cloud"
 EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
 }
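Review bot: The list read into `OnDemandEnabled_WIFI_ECXLUDE` is appended to `EXTRA_VARS` as a bare `key=value` token of a whitespace-separated string, so an SSID containing a space, `=` or a quote is split or mis-parsed by `ansible-playbook -e`, and the same string later lands in the mobileconfig XML with no escaping; nothing validates it. I would check it right before the `EXTRA_VARS+=` line: `if [[ "$OnDemandEnabled_WIFI_ECXLUDE" == *[[:space:]=\"\'\<\>\&]* ]]; then echo "SSID names may not contain spaces, quotes, =, <, > or &" >&2; exit 1; fi`. The prompt should also state that these networks are matched by SSID name only, which is not authenticated, so the VPN is dropped on any network advertising that name, and "exclude trust Wi-Fi networks" reads better as "exclude trusted Wi-Fi networks". Note that the misspelling `ECXLUDE` is shared with `roles/vpn/templates/mobileconfig.j2`, so a rename has to cover both files.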
@@ -199,7 +221,7 @@ Please choose the number of your zone. Press enter for default (#8) zone.
 13) zone="asia-east1-c" ;;
 esac
- ROLES="gce vpn"
+ ROLES="gce vpn cloud"
 EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"
 }
@@ -219,7 +241,7 @@ Enter the public IP address of your server: (IMPORTANT! This IP is used to verif
 ROLES="local vpn"
 EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
-
+ SKIP_TAGS+=" cloud"
 }
 algo_provisioning () {
diff --git a/config.cfg b/config.cfg
index 6db3c7e..26f1458 100644
--- a/config.cfg
+++ b/config.cfg
@@ -5,7 +5,8 @@ users:
 - dan
 - jack
-# Add an email address to send logs if you're using auditd for monitoring,
+# Add an email address to send logs if you're using auditd for monitoring.
+# Avoid using '+' in your email address otherwise auditd will fail to start.
 auditd_action_mail_acct: email@example.com
 # Exported certificates will be protected by the password below:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 44aa345..4b6e2ee 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -12,6 +12,8 @@
 args:
 executable: /bin/bash
 register: reboot_required
+ tags:
+ - cloud
 - name: Reboot
 shell: sleep 2 && shutdown -r now "Ansible updates triggered"
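Review bot: Tagging the `reboot_required` check with `cloud` here, and the Reboot, "Wait for shutdown" and "Wait until SSH becomes ready" tasks in the next hunk of this file, means a run that skips that tag — which is exactly what the local provider does via `SKIP_TAGS+=" cloud"` in `algo` — never reboots, even when the update step reported a reboot as required, so a newly installed kernel stays unused until someone reboots by hand. Nothing in the play or the prompt tells the operator that; I would put `# tagged cloud: skipped on local installs, which are never rebooted automatically — reboot manually after the play if updates require it` on the first tagged task. The task that registers `reboot_required` starts before this hunk, so the comment belongs on its `- name:` line rather than inside the hunk.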
@@ -19,16 +21,22 @@
 poll: 0
 when: reboot_required is defined and reboot_required.stdout == 'required'
 ignore_errors: true
+ tags:
+ - cloud
 - name: Wait for shutdown
 local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120
 when: reboot_required is defined and reboot_required.stdout == 'required'
 become: false
+ tags:
+ - cloud
 - name: Wait until SSH becomes ready...
 local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120
 when: reboot_required is defined and reboot_required.stdout == 'required'
 become: false
+ tags:
+ - cloud
 - name: Disable MOTD on login and SSHD
 replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 84e08b0..26ba6ff 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -20,7 +20,7 @@
 - "# Congratulations! #"
 - "# Your Algo server is running. #"
 - "# Config files and certificates are in the ./configs/ directory. #"
- - "# Go to https://www.dnsleaktest.com/ after connecting #"
+ - "# Go to https://whoer.net/ after connecting #"
 - "# and ensure that all your traffic passes through the VPN. #"
 - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
 - "#----------------------------------------------------------------------#"
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index fbe4b94..6fff583 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -170,6 +170,9 @@
 - name: Set facts for mobileconfigs
 set_fact:
 proxy_enabled: false
+ pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
+ VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
+ CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
 - name: Build the mobileconfigs
 template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
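Review bot: `{{ 900000 | random | to_uuid | upper }}` is not a random UUID: `random` picks one of 900000 integers and `to_uuid` maps that integer deterministically to a UUID, so the identifier space is under 2^20 values rather than 2^122, and because `set_fact` runs once per host the same three identifiers are shared by every user's profile built from this server in one run while the next run produces a different set. If the goal is identifiers that are unique per user and stable across re-deploys, so that reinstalling a profile replaces the previous one, deriving them from the server and the user name in the template — for example `{{ (IP_subject_alt_name ~ item.0 ~ 'pkcs12') | to_uuid | upper }}` — gives that without any randomness; if the values are meant to be per-run only, a comment on `pkcs12_PayloadCertificateUUID` saying they are shared by all users of this run would avoid the surprise. Whether iOS objects to two installed profiles whose inner payloads share a `PayloadUUID` I cannot confirm from here.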
@@ -224,4 +227,3 @@
 - include: iptables.yml
 tags: iptables
-
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index 5714839..d7ac899 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -6,7 +6,51 @@
 IKEv2
+{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %}
+ OnDemandEnabled
+ 1
+ OnDemandRules
+
+{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %}
+{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %}
+
+ Action
+ Disconnect
+ InterfaceTypeMatch
+ WiFi
+ SSIDMatch
+
+{% for network_name in WIFI_ECXLUDE_LIST %}
+ {{ network_name }}
+{% endfor %}
+
+
+{% else %}
+{% endif %}
+
+ Action
+{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %}
+ Connect
+ {% else %}
+ Disconnect
+{% endif %}
+ InterfaceTypeMatch
+ WiFi
+
+
+ Action
+{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %}
+ Connect
+ {% else %}
+ Disconnect
+{% endif %}
+ InterfaceTypeMatch
+ Cellular
+
+
+{% else %}
+{% endif %}
 AuthenticationMethod
 Certificate
 ChildSecurityAssociationParameters
@@ -44,7 +88,7 @@
 LocalIdentifier
 {{ item.0 }}
 PayloadCertificateUUID
- 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ {{ pkcs12_PayloadCertificateUUID }}
 CertificateType
 ECDSA256
 ServerCertificateIssuerCommonName
@@ -66,11 +110,11 @@
 PayloadDisplayName
 VPN
 PayloadIdentifier
- com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53
+ com.apple.vpn.managed.{{ VPN_PayloadIdentifier }}
 PayloadType
 com.apple.vpn.managed
 PayloadUUID
- D247A30B-6023-4C8E-B3E3-FF1910A65E53
+ {{ VPN_PayloadIdentifier }}
 PayloadVersion
 1
 Proxies
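Review bot: `{{ network_name }}` inside the `SSIDMatch` array is inserted with no escaping, so an SSID containing `&`, `<` or `>` produces a mobileconfig that is not well-formed XML and fails to install, and each entry keeps whatever whitespace surrounded its comma in the prompt; `{{ network_name | trim | e }}` fixes both, since Jinja2's built-in `escape` filter covers the XML special characters. The rule order is correct — the SSID `Disconnect` rule precedes the generic WiFi rule, and as I understand Apple's OnDemandRules the first matching rule wins — but that is worth a comment above the `{% set WIFI_ECXLUDE_LIST` line so nobody reorders them. The empty `{% else %}` before each `{% endif %}` and the two `{% else %}` lines indented with a leading space are noise worth dropping, and `OnDemandEnabled_WIFI_ECXLUDE` is misspelled consistently with `algo`, so a rename needs both files.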
@@ -111,11 +155,11 @@
 PayloadDisplayName
 {{ item.0 }}.p12
 PayloadIdentifier
- com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }}
 PayloadType
 com.apple.security.pkcs12
 PayloadUUID
- 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9
+ {{ pkcs12_PayloadCertificateUUID }}
 PayloadVersion
 1
@@ -131,11 +175,11 @@
 PayloadDisplayName
 {{ IP_subject_alt_name }}
 PayloadIdentifier
- com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38
+ com.apple.security.root.{{ CA_PayloadIdentifier }}
 PayloadType
 com.apple.security.root
 PayloadUUID
- 32EA3AAA-D19E-43EF-B357-608218745A38
+ {{ CA_PayloadIdentifier }}
 PayloadVersion
 1
@@ -148,16 +192,16 @@
 {% endif %}
 PayloadIdentifier
 {% if proxy_enabled is defined and proxy_enabled == true %}
- donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA
+ donut.local.{{ 600000 | random | to_uuid | upper }}
 {% else %}
- donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
+ donut.local.{{ 500000 | random | to_uuid | upper }}
 {% endif %}
 PayloadRemovalDisallowed
 PayloadType
 Configuration
 PayloadUUID
- 743B04A8-5725-45A2-B1BB-836F8C16DB0A
+ {{ 400000 | random | to_uuid | upper }}
 PayloadVersion
 1
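Review bot: The top-level `PayloadIdentifier` and `PayloadUUID` now receive independent `random | to_uuid` values evaluated on every render, so each deployment emits a profile that, as far as I know, iOS installs alongside the previous one instead of replacing it, and the identifier changes even when nothing about the user or server has. The one-fact-for-both pattern used for `VPN_PayloadIdentifier` earlier in this file is the consistent approach; at template level the same thing is a single `{% set profile_uuid = (IP_subject_alt_name ~ item.0) | to_uuid | upper %}` followed by `donut.local.{{ profile_uuid }}` and `{{ profile_uuid }}`, which is unique per user and stable across re-runs. The `600000` versus `500000` ranges in the proxy and non-proxy branches carry no meaning beyond the random range, and once both branches use the same expression the `{% if proxy_enabled ... %}` around the identifier collapses to one line.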