Document using WireGuard app on macOS (#1327)

* Document using WireGuard app on macOS

* Update README.md

* Make WireGuard the default for Apple devices

* clarify user list

* fix tests

* connect on demand
pull/1333/head
David Myers 5 years ago committed by Dan Guido
parent 1be0908c51
commit df3d547fb3

@ -89,27 +89,15 @@ Certificates and configuration files that users will need are placed in the `con
### Apple Devices
Apple devices can connect to an Algo VPN via IPsec using their built-in IPsec support or via WireGuard by installing WireGuard client software.
WireGuard is used to provide VPN services on Apple devices. Algo generates a WireGuard configuration file, `wireguard/<username>.conf`, and a QR code, `wireguard/<username>.png`, for each user defined in `config.cfg`.
#### Install WireGuard
On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the App Store. For each user you defined, Algo generated a WireGuard configuration file `wireguard/<name>.conf` and a corresponding QR code image `wireguard/<name>.png`. Either AirDrop the configuration file to the iOS device or use the WireGuard app to scan the QR code. To use "Connect On Demand" with WireGuard enable it by editing the configuration in the WireGuard app.
On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app.
Until the WireGuard app for macOS is ready, installing WireGuard on macOS is a little more complicated. See [Using MacOS as a Client with WireGuard](docs/client-macos-wireguard.md).
Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
#### Configure IPsec
Find the corresponding `mobileconfig` (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.
#### Enable the VPN
On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar.
#### Managing "Connect On Demand"
If you enabled "Connect On Demand" the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand".
On iOS, you can turn off "Connect On Demand" in **Settings** by clicking the (i) next to the entry for your Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "Connect On Demand" by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, unchecking the box for "Connect on demand", and clicking Apply.
If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md).
### Android Devices
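Review bot: The WireGuard install paragraphs tell users to AirDrop `wireguard/<name>.conf` or scan `wireguard/<name>.png` but never state that both files carry the client's private key; the IPsec wording in the same section at least says "AirDrop or other secure means". Add one sentence saying the `.conf` and `.png` files are secrets and should only be delivered over a trusted channel. The intro line uses `wireguard/<username>.conf` while the iOS paragraph repeats the same statement with `wireguard/<name>.conf`; keep one statement and one placeholder. "on older version of macOS" should read "on older versions of macOS".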
@ -208,6 +196,7 @@ After this process completes, the Algo VPN server will contain only the users li
- Setup [Android](docs/client-android.md) clients
- Setup [Generic/Linux](docs/client-linux.md) clients with Ansible
- Setup Ubuntu clients to use [WireGuard](docs/client-linux-wireguard.md)
- Setup Apple devices to use [IPSEC](docs/client-apple-ipsec.md)
* Cloud setup
- Configure [Amazon EC2](docs/cloud-amazon-ec2.md)
- Configure [Azure](docs/cloud-azure.md)
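Review bot: The new list entry spells the protocol "IPSEC", while the README's Apple section writes "IPsec" ("via IPsec", "Configure IPsec"). Use "IPsec" in the link text here so the README is consistent, and match it in the "If you prefer to use the built-in IPSEC VPN" sentence that links to the same file.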

@ -1,15 +1,14 @@
---
# Add up to 250 users here.
# For each user, configuration files will be generated for both an IPsec
# connection and a WireGuard connection. Multiple client devices can share an
# IPsec configuration but WireGuard clients must each use a unique
# WireGuard configuration.
# This is the list of user to generate.
# Every device must have a unique username.
# You can generate up to 250 users at one time.
users:
- dan
- jack
- phone
- laptop
- desktop
# NOTE: If your usernames have leading 0's, like "000dan", you have to escape them
# NOTE: You must "escape" any usernames with leading 0's, like "000dan"
### Advanced users only below this line ###
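Review bot: The rewritten header comment says "Every device must have a unique username" but drops the reason the old comment gave, namely that WireGuard clients must each use their own configuration while an IPsec configuration could be shared. Keep one line explaining that the requirement comes from WireGuard, otherwise operators who used `dan` and `jack` as per-person names have no way to know why the sample list changed to `phone`, `laptop`, `desktop`. "This is the list of user to generate" should read "list of users".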

@ -0,0 +1,15 @@
# Using the built-in IPSEC VPN on Apple Devices
## Configure IPsec
Find the corresponding `mobileconfig` (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.
## Enable the VPN
On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar.
## Managing "Connect On Demand"
If you enabled "Connect On Demand" the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand".
On iOS, you can turn off "Connect On Demand" in **Settings** by clicking the (i) next to the entry for your Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "Connect On Demand" by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, unchecking the box for "Connect on demand", and clicking Apply.
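Review bot: In "Enable the VPN", the sentence "If using WireGuard you can also enable the VPN from the WireGuard app" was carried over from the README and is out of place in a page that covers only the built-in IPsec client; drop it or replace it with a pointer back to the README's WireGuard section. The title uses "IPSEC" while the first heading uses "IPsec"; pick "IPsec". "Find the corresponding `mobileconfig`" would also benefit from naming the directory the file is generated in, since this page is now read on its own.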

@ -1,31 +1,34 @@
# Using MacOS as a Client with WireGuard
# MacOS WireGuard Client Setup
The WireGuard macOS app is unavailable for older operating systems. Please update your operating system if you can. If you are on a macOS High Sierra (10.13) or earlier, then you can still use WireGuard via their userspace drivers via the process detailed below.
## Install WireGuard
To connect to your Algo VPN using [WireGuard](https://www.wireguard.com) from MacOS
Install the wireguard-go userspace driver:
```
# Install the wireguard-go userspace driver
brew install wireguard-tools
```
## Locate the Config File
The Algo-generated config files for WireGuard are named `configs/<ip_address>/wireguard/<username>.conf` on the system where you ran `./algo`. One file was generated for each of the users you added to `config.cfg` before you ran `./algo`. Each Linux and Android client you connect to your Algo VPN must use a different WireGuard config file. Choose one of these files and copy it to your device.
Algo generates a WireGuard configuration file, `wireguard/<username>.conf`, and a QR code, `wireguard/<username>.png`, for each user defined in `config.cfg`. Find the configuration file and copy it to your device if you don't already have it.
Note that each client you use to connect to Algo VPN must have a unique WireGuard config.
## Configure WireGuard
Finally, install the config file on your client as `/usr/local/etc/wireguard/wg0.conf` and start WireGuard:
You'll need to copy the appropriate WireGuard configuration file into a location where the userspace driver can find it. After it is in the right place, start the VPN, and verify connectivity.
```
# Install the config file to the WireGuard configuration directory on your MacOS device
# Copy the config file to the WireGuard configuration directory on your macOS device
mkdir /usr/local/etc/wireguard/
cp <username>.conf /usr/local/etc/wireguard/wg0.conf
# Start the WireGuard VPN:
# Start the WireGuard VPN
sudo wg-quick up wg0
# Verify the connection to the Algo VPN:
# Verify the connection to the Algo VPN
wg
# See that your client is using the IP address of your Algo VPN:
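Review bot: The `mkdir` and `cp` steps in the Configure WireGuard block leave `/usr/local/etc/wireguard/wg0.conf` with default permissions, and that file holds the client's private key. Suggest `mkdir -p /usr/local/etc/wireguard/` (so a rerun does not fail) followed by `chmod 600 /usr/local/etc/wireguard/wg0.conf` before `sudo wg-quick up wg0`. The text says "Install the wireguard-go userspace driver" while the command is `brew install wireguard-tools`; state which package provides which piece. The new title spells "MacOS" where the body and README use "macOS", and "If you are on a macOS High Sierra (10.13) or earlier" has a stray "a".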

@ -11,7 +11,7 @@ else
ansible-playbook users.yml -e "${USER_ARGS}" -t update-users
fi
if sudo openssl crl -inform pem -noout -text -in configs/$LXC_IP/pki/crl/jack.crt | grep CRL
if sudo openssl crl -inform pem -noout -text -in configs/$LXC_IP/pki/crl/phone.crt | grep CRL
then
echo "The CRL check passed"
else
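Review bot: The CRL check hard-codes the username in the path (`pki/crl/phone.crt`), so it silently depends on the sample `users:` list in `config.cfg`, which is why this commit had to touch the test at all. Take the name from a variable set once near the top of the script so the two cannot drift again. While here, quote the expansion (`"configs/$LXC_IP/pki/crl/..."`) and use `grep -q CRL`, since only the exit status is used.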
