TC1977
a76642c4d5
Update mobileconfig.j2 ( #1197 )
Adds "Algo VPN" to the organization in the "Profiles" menu of "General Settings". (The type still shows up as "Unknown" in the "VPN" menu, because that seems to be governed by the "VPNSubType" string, which must be empty according to the [developer reference](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).) Maybe this can help clear the way for #1101.
6 years ago
zuccs
2b2d90a8a9
Fix typo ( #1165 )
6 years ago
datew0
30446d0363
Set disk size depending on server plan ( #1159 )
Scaleway's START1-XS does not start with a disk size of 50GB.
6 years ago
Jack Ivanov
399d47233a
add region ( #1182 )
6 years ago
Jack Ivanov
3468d27e61
Lightsail back ( #1157 )
6 years ago
Jack Ivanov
fbc7b29456
WireGuard update-users fix ( #1154 )
6 years ago
Jack Ivanov
efc8dc7620
add tags for the wireguard qr code task. variables fix ( #1147 )
6 years ago
Jack Ivanov
bcba905547
ssh tunneling fixes ( #1127 )
6 years ago
David Myers
d90ba3d11a
Allow more flexible DNSCrypt configuration ( #1120 )
* Allow more flexible DNSCrypt configuration
* Correct permissions on files changed in #1120
I'm not sure why using BBEdit over SMB makes every file executable.
* Put the public resolvers cache file in /tmp.
6 years ago
Jack Ivanov
1442586682
WireGuard: Generate QR codes ( #1129 )
* WireGuard: Generate QR codes
* Update client-android.md
6 years ago
Jack Ivanov
dbd68aa97d
WireGuard BSD ( #1083 )
* WireGuard BSD
* Remove unneeded config option
* Enable PersistentKeepalive for NAT and Firewall Traversal Persistence
* Install dnscrypt-proxy from repositories
6 years ago
Jack Ivanov
6c0753e3b8
GCE: Static external ip (optional) ( #1125 )
6 years ago
Jack Ivanov
eb2224cde1
install generic linux headers ( #1124 )
6 years ago
James
14234344eb
Use gateway ip address for wireguard interface ( #1115 )
6 years ago
Jack Ivanov
4a42fbea35
Move to the ARM deployment schema ( #1107 )
6 years ago
David Myers
d95df710a5
Add an unattended reboot option ( #1082 )
6 years ago
Jack Ivanov
91a9dfd983
invoke dns encryption from main playbook instead of meta-dependencies ( #1097 )
6 years ago
Jack Ivanov
e860b78d80
Scaleway authentication fix ( #1088 )
6 years ago
Jack Ivanov
e8947f318b
Large refactor to support Ansible 2.5 ( #976 )
* Refactoring, booleans declaration and update users fix
* Make server_name more FQDN compatible
* Rename variables
* Define the default value for store_cakey
* Skip a prompt about the SSH user if deploying to localhost
* Disable reboot for non-cloud deployments
* Enable EC2 volume encryption by default
* Add default server value (localhost) for the local installation
Delete empty files
* Add default region to aws_region_facts
* Update docs
* EC2 credentials fix
* Warnings fix
* Update deploy-from-ansible.md
* Fix a typo
* Remove lightsail from the docs
* Disable EC2 encryption by default
* rename droplet to server
* Disable dependencies
* Disable tls_cipher_suite
* Convert wifi-exclude to a string. Update-users fix
* SSH access congrats fix
* 16.04 > 18.04
* Don't ask for the credentials if specified in the environment vars
* GCE server name fix
6 years ago
Jack Ivanov
53d1113881
Split up unattended upgrades ( #1041 )
6 years ago
David Myers
b86ebe20d7
Prevent DNS rebinding ( #1049 )
6 years ago
Fabian Foerg
3ddd0ac30f
Run dnsmasq as the dnsmasq user ( #1029 )
* Run dnsmasq as the dnsmasq user
There is a task that checks whether the dnsmasq user exists.
However, dnsmasq is configured to run as user "nobody" instead.
This change lets dnsmasq run as user "dnsmasq".
* remove dnsmasq user task
6 years ago
bghost
60a99faaf8
Update PPA for dnscrypt-proxy to 'bionic' ( #1039 )
6 years ago
Jack Ivanov
ca59eeb5c3
Explicitly allow traffic between clients if enabled ( #1028 )
6 years ago
Jack Ivanov
952e759af4
Revert "Update dnscrypt-proxy.toml.j2 ( #1022 )" ( #1030 )
This reverts commit e6281bc7df.
6 years ago
adamluk
e6281bc7df
Update dnscrypt-proxy.toml.j2 ( #1022 )
6 years ago
Jack Ivanov
07a6bbe652
Move max_mss to config.cfg ( #1015 )
* Move max_mss to config.cfg
* Add docs about max_mss
* Update troubleshooting.md
6 years ago
Jack Ivanov
d1c58f0d28
apt_repository fix ( #1017 )
6 years ago
Jack Ivanov
4ca8c03e3c
New default cipher suite ( #991 )
* New ciphers enabled
* Update CHANGELOG.md
* Switch ecparam to secp384r1
* Change CertificateType to ECDSA384
6 years ago
Jack Ivanov
b061df6631
Move DNSCrypt proxy fallback_resolver to systemd resolved ( #1011 )
6 years ago
Emir Beganović
2f142f6dcc
Remove duplicate dict key (enable_ipv6) ( #999 )
Warning in yaml file:
` [WARNING]: While constructing a mapping from /root/algo/roles/cloud-scaleway/tasks/main.yml, line 73, column 11, found a duplicate dict key (enable_ipv6). Using last defined value only.`
6 years ago
Jack Ivanov
ffb5a1f737
WireGuard: disable SaveConfig, update-users fix ( #985 )
- Disables SaveConfig. SaveConfig totally breaks the idea of configuration management and it breaks update-users
- WireGuard update-users fix. Mentioned in https://github.com/trailofbits/algo/issues/980#issuecomment-393720561
6 years ago
Jack Ivanov
aee043977f
explicit installation of linux headers ( #975 )
6 years ago
Jack Ivanov
2d9a36d13a
Scaleway: enable ipv6 and switch to local boot ( #974 )
- Enables IPv6 on Scaleway
- Adds local boot on scaleway
- Fixes #966
6 years ago
Jack Ivanov
d56f50180b
Extra line and better DNS configuration for WireGuard ( #968 )
- Adds an extra line after the if statement. Jinja2 trims such blocks by default in Ansible. Fixes #965
- More appropriate way to configure DNS servers
- Removes `DNS` option from the wireguard server config
- Fixes dnscrypt-proxy restart
6 years ago
Jack Ivanov
3488e660ad
Add WireGuard support for Android ( #910 )
* WireGuard Implementation
* Update client-android.md
* Update README.md
* WireGuard unattended upgrades
* Update README.md
* reload-module-on-update and syntax fix
* SaveConfig to true
* Azure firewall. Fixes #962
* Update README.md
* Update client-android.md
6 years ago
Jack Ivanov
d27b849f24
Ubuntu1804 ( #925 )
- Fixes #897 #944 #956
Work in progress. Lightsail is not ready for Ubuntu 18.04 yet
- [x] DigitalOcean
~~- [ ] Amazon Lightsail~~
- [x] Amazon EC2
- [x] Microsoft Azure
- [x] Google Compute Engine
- [x] Scaleway
- [x] OpenStack (DreamCompute optimised)
6 years ago
Evgeny Aleksandrov
d9dc68164f
Remove algo_params ( #961 )
6 years ago
Evgeny Aleksandrov
87836e0358
Fix typo ( #960 )
6 years ago
Jack Ivanov
35e526a5a3
IPv6 fixes ( #930 )
6 years ago
Brian Hulette
e01e82b1c3
Don't download minisig dnscrypt release ( #905 )
7 years ago
adamluk
3d9fa7f8c8
Update dnscrypt-proxy.toml.j2 ( #899 )
Updated dnscrypt-proxy.toml with new options: cache_neg_min_ttl and cache_neg_max_ttl
7 years ago
Dan Guido
c276f971b7
monkey patch problematic dnscrypt-proxy cgroup limits ( #894 )
7 years ago
Jack Ivanov
c82bd8c5ff
DNS-over-HTTPS ( #875 )
7 years ago
Jack Ivanov
ed6e2d998d
Add ipv6 address to subjectAltName if supported ( #881 )
CHANGELOG
Some changes
Some changes
7 years ago
Micah R Ledbetter
e944ee993a
Embed certs into Windows deployment scripts ( #840 )
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store
As part of this work, rewrite the windows_client.ps1.j2 deployment
script template
- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
installed in the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
7 years ago
Micah R Ledbetter
4b0aea8f5a
Document iptables rules ( #854 )
* Remove firewall rule related to the old proxy role
* Remove proxy conditionals from mobileconfig template
* Add comments explaining firewall rules
7 years ago
Jack Ivanov
78830d96aa
Android: add the CA and set the ciphers explicitly ( #837 )
7 years ago
Jack Ivanov
4e4440a318
Exclude CA from P12 ( #835 )
7 years ago
Jack Ivanov
3b19f13082
Enable no-resolv ( #816 )
7 years ago
adamluk
b30f6db079
Update rules.v6.j2 ( #818 )
Updated to use -m conntrack for consistency as per the other IPv6 rules.
7 years ago
Jack Ivanov
7e07c35474
proper cloudformation template ( #815 )
7 years ago
Jack Ivanov
02427910de
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration ( #804 )
* Move to ansible-2.4.3
* Add Lightsail support #623
* Fixing the EC2 deployment
* Scaleway integration #623
* OpenStack cloud provider (DreamCompute optimised) #623
* Remove the security role
* Enable unattended-upgrades for clouds
* New requirements to make Azure and GCE work
7 years ago
Jack Ivanov
4da752b603
Ubuntu 17.10 support ( #811 )
7 years ago
Micah R Ledbetter
5eed1bbba4
Use dns_servers in dnsmasq.conf ( #794 )
7 years ago
Douglas Gastonguay-Goddard
7eb4fc5f22
DigitalOcean - Add cleanup step for SSH key ( #784 )
* Add cleanup step for SSH key.
* Two space tabs are hard to see.
7 years ago
Jack Ivanov
a844870b7a
Sendmail should not be installed ( #738 )
7 years ago
Marcelo Elizeche Landó
07a1c70bf4
Update adblock.sh for systemd to fix issue #735 ( #736 )
* Update script to restart the dnsmasq service using systemctl(systemd) command instead of service(Upstart)
* Use instead of legacy REF: https://github.com/koalaman/shellcheck/wiki/SC2006
* Replace non-standard egrep(deprecated) for grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
7 years ago
Jack Ivanov
f18c1a0d67
Certificate revocation fix ( #719 )
7 years ago
Jack Ivanov
b64f682bae
remove the dead code. Fixes #671
7 years ago
Jurgen Verhasselt
185c0f51d7
correct configs_prefix vars in client tasks ( #712 )
7 years ago
Julie Bernosky
dc4dff040e
Add StrongSwan log level config option to ipsec.conf template ( #700 )
7 years ago
Jack Ivanov
3c55cd15a4
GCE. replace underscores ( #698 )
7 years ago
Jack Ivanov
ee7264f26e
Ask users to enter the p12 password manually ( #697 )
7 years ago
Jack Ivanov
6b803e069f
LibreSSL fix #625 ( #685 )
7 years ago
Jack Ivanov
8da53f859b
Some browsers (e.g. Safari) stop loading pages if the element with ads can't be loaded ( #633 )
7 years ago
Samuel Horwitz
0607e968d7
Update main.yml ( #621 )
7 years ago
Jack Ivanov
0bb9279094
bug in the gce_net module #616 ( #620 )
7 years ago
Jack Ivanov
78bd5b017c
client fixes ( #605 )
7 years ago
Jack Ivanov
9d8e39f63d
Move back to the Xenial repo ( #606 )
7 years ago
Jack Ivanov
f0283856ad
fix revocation ( #586 )
7 years ago
Jack Ivanov
a8ebb16437
Enable timeouts. Fixes #581
7 years ago
Jack Ivanov
26c202ded5
Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the section. ( #580 )
7 years ago
Jack Ivanov
ba7859ba5f
Revoke non-existing users fix
7 years ago
Jack Ivanov
0131505195
Enhance PS1 script ( #510 )
update docs
Update README.md
update readme
7 years ago
Jack Ivanov
e6c8f19d3c
Create a VPC network for each instance ( #561 )
7 years ago
Jack Ivanov
ee6db37428
Change the P12 and SSH passwords only for new users ( #550 )
7 years ago
Jack Ivanov
40e0363b18
Add html helper for Android ( #554 )
* add html helper #280
move to the new local schema
fix a typo
* Update client-android.md
7 years ago
Ruben Jongejan
e9e6c6e383
cleaner syntax for local actions ( #536 )
* refactored local actions to cleaner syntax
* openssl commands folded
* removed unnecessary local_action's
7 years ago
Rod Vagg
75d64ac018
Make DNS blocklist URLs configurable ( #548 )
7 years ago
tetov
ac6db06a19
grammar edit ( #540 )
* grammar edit
* Update openssl.yml
8 years ago
Jack Ivanov
58d5a06e87
delete tasks and move to roles ( #519 )
8 years ago
Ruben Jongejan
07ddb5863b
improved readability with native yaml ( #530 )
8 years ago
Jack Ivanov
97369c303a
define local_dns if dns tag used ( #533 )
8 years ago
Jack Ivanov
0031d2809e
Disable the Signature Algorithm check and add default vars. Fixes #525
8 years ago
Christopher J. Pilkington
a225bde2b8
Specify EIP domain ( #521 )
8 years ago
Jack Ivanov
6f170982aa
move to Elastic IP ( #512 )
8 years ago
Jack Ivanov
9f698fdd68
Get strongswan from the Zesty repo on Xenial ( #515 )
8 years ago
Jack Ivanov
bd348af9c2
Implementing blocks and additional fail hints #487 ( #497 )
change the troubleshooting url
8 years ago
Jack Ivanov
2f5c050fd2
dpdaction to clear ( #498 )
8 years ago
Jack Ivanov
0ed68b6c30
Properly configure ICMP restrictions ( #492 )
8 years ago
Ryan Kasper
0cb43650cb
Windows 10 -PfsGroup None --> -PfsGroup ECP256 ( #493 )
* Windows 10 -PfsGroup None --> -PfsGroup ECP256
Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)
* Update Windows Client PfsGroup Commandline
8 years ago
Jack Ivanov
540c761d3b
Disable RSA in the mobileconfigs. Fixes #486
8 years ago
Jack Ivanov
451394100d
Some enhancements in the compat ciphers ( #464 )
raise the IntegrityCheckMethod to SHA384
Move Windows to ECDSA
Increase IntegrityCheckMethod
8 years ago
Dan Guido
aac052da46
this option is deprecated ( #477 )
8 years ago
Jack Ivanov
c3fcfe5d0d
Let users choose the distro version #449 ( #466 )
Make dpdaction great again
add 1704 to travis
Make EC2 image name more convenient
modify apparmor profile
8 years ago
Andy Boutte
76cdc69548
CF tested and working for EC2 deployment ( #431 )
* AWS CloudFormation #132
* IPv6 EC2 draft
* CF tested and working for EC2 deployment
* IPv6 Implementation, EC2, Cloudformation
* Fixed ipv6 networking
* adding ip6tables rule for DHCP on AWS
8 years ago
Jack Ivanov
a7b06058cb
remove the proxy role #440 ( #457 )
* remove the proxy role #440
* Separate facts. Make roles more independent from each other
move openssl to local tasks
move unneeded tasks
8 years ago
Dan Guido
0b05ea19bc
Windows needs SHA2-256. Closes #453 . ( #456 )
8 years ago
Dan Guido
8173b84ff8
Change uniqueids back to never ( #448 )
We need this to allow multiple connections with the same id/certificate
8 years ago