Commit Graph

355 Commits (6f58093a0646c6433ff19fa1bed468a85b9a5d74)

Author SHA1 Message Date
adamluk b30f6db079 Update rules.v6.j2 (#818)
Updated to use -m conntrack for consistency as per the other IPv6 rules.
7 years ago
Jack Ivanov 7e07c35474 proper cloudformation template (#815) 7 years ago
Jack Ivanov 02427910de Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804)
* Move to ansible-2.4.3

* Add Lightsail support #623

* Fixing the EC2 deployment

* Scaleway integration #623

* OpenStack cloud provider (DreamCompute optimised) #623

* Remove the security role

* Enable unattended-upgrades for clouds

* New requirements to make Azure and GCE work
7 years ago
Jack Ivanov 4da752b603 Ubuntu 17.10 support (#811) 7 years ago
Micah R Ledbetter 5eed1bbba4 Use dns_servers in dnsmasq.conf (#794) 7 years ago
Douglas Gastonguay-Goddard 7eb4fc5f22 DigitalOcean - Add cleanup step for SSH key (#784)
* Add cleanup step for SSH key.

* Two space tabs are hard to see.
7 years ago
Jack Ivanov a844870b7a Sendmail should not be installed (#738) 7 years ago
Marcelo Elizeche Landó 07a1c70bf4 Update adblock.sh for systemd to fix issue #735 (#736)
* Update script to restart the dnsmasq service using systemctl(systemd) command instead of service(Upstart)

* Use  instead of legacy  REF: https://github.com/koalaman/shellcheck/wiki/SC2006

* Replace non-standard egrep(deprecated) for grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
7 years ago
Jack Ivanov f18c1a0d67 Certificate revocation fix (#719) 7 years ago
Jack Ivanov b64f682bae remove the dead code. Fixes #671 7 years ago
Jurgen Verhasselt 185c0f51d7 correct configs_prefix vars in client tasks (#712) 7 years ago
Julie Bernosky dc4dff040e Add StrongSwan log level config option to ipsec.conf template (#700) 7 years ago
Jack Ivanov 3c55cd15a4 GCE. replace underscores (#698) 7 years ago
Jack Ivanov ee7264f26e Ask users to enter the p12 password manually (#697) 7 years ago
Jack Ivanov 6b803e069f LibreSSL fix #625 (#685) 7 years ago
Jack Ivanov 8da53f859b Some browsers (eg. Safari) stop loading pages if the element with ads can't be loaded (#633) 7 years ago
Samuel Horwitz 0607e968d7 Update main.yml (#621) 7 years ago
Jack Ivanov 0bb9279094 bug in the gce_net module #616 (#620) 7 years ago
Jack Ivanov 78bd5b017c client fixes (#605) 7 years ago
Jack Ivanov 9d8e39f63d Move back to the Xenial repo (#606) 7 years ago
Jack Ivanov f0283856ad fix revocation (#586) 7 years ago
Jack Ivanov a8ebb16437 Enable timeouts. Fixes #581 7 years ago
Jack Ivanov 26c202ded5 Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the section. (#580) 7 years ago
Jack Ivanov ba7859ba5f Revoke non-existing users fix 7 years ago
Jack Ivanov 0131505195 Enhance PS1 script (#510)
update docs

Update README.md

update readme
7 years ago
Jack Ivanov e6c8f19d3c Create a VPC network for each instance (#561) 7 years ago
Jack Ivanov ee6db37428 Change the P12 and SSH passwords only for new users (#550) 7 years ago
Jack Ivanov 40e0363b18 Add html helper for Android (#554)
* add html helper #280

move to the new local schema

fix a typo

* Update client-android.md
7 years ago
Ruben Jongejan e9e6c6e383 cleaner syntax for local actions (#536)
* refactored local actions to cleaner syntax

* openssl commands folded

* removed unnecessary local_action's
7 years ago
Rod Vagg 75d64ac018 Make DNS blocklist URLs configurable (#548) 7 years ago
tetov ac6db06a19 grammar edit (#540)
* grammar edit

* Update openssl.yml
8 years ago
Jack Ivanov 58d5a06e87 delete tasks and move to roles (#519) 8 years ago
Ruben Jongejan 07ddb5863b improved readability with native yaml (#530) 8 years ago
Jack Ivanov 97369c303a define local_dns if dns tag used (#533) 8 years ago
Jack Ivanov 0031d2809e Disable the Signature Algorithm check and add default vars. Fixes #525 8 years ago
Christopher J. Pilkington a225bde2b8 Specify EIP domain (#521) 8 years ago
Jack Ivanov 6f170982aa move to Elastic IP (#512) 8 years ago
Jack Ivanov 9f698fdd68 Get strongswan from the Zesty repo on Xenial (#515) 8 years ago
Jack Ivanov bd348af9c2 Implementing blocks and additional fail hints #487 (#497)
change the troubleshooting url
8 years ago
Jack Ivanov 2f5c050fd2 dpdaction to clear (#498) 8 years ago
Jack Ivanov 0ed68b6c30 Properly configure ICMP restrictions (#492) 8 years ago
Ryan Kasper 0cb43650cb Windows 10 -PfsGroup None --> -PfsGroup ECP256 (#493)
* Windows 10 -PfsGroup None --> -PfsGroup ECP256

Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)

* Update Windows Client PfsGroup Commandline
8 years ago
Jack Ivanov 540c761d3b Disable RSA in the mobileconfigs. Fixes #486 8 years ago
Jack Ivanov 451394100d Some enhancements in the compat ciphers (#464)
raise the IntegrityCheckMethod to SHA384

Move Windows to ECDSA

Increase IntegrityCheckMethod
8 years ago
Dan Guido aac052da46 this option is deprecated (#477) 8 years ago
Jack Ivanov c3fcfe5d0d Let users choose the distro version #449 (#466)
Make dpdaction great again

add 1704 to travis

Make EC2 image name more convenient

modify apparmor profile
8 years ago
Andy Boutte 76cdc69548 CF tested and working for EC2 deployment (#431)
* AWS CloudFormation #132

* IPv6 EC2 draft

* CF tested and working for EC2 deployment

* IPv6 Implementation, EC2, Cloudformation

* Fixed ipv6 networking

* adding ip6tables rule for DHCP on AWS
8 years ago
Jack Ivanov a7b06058cb remove the proxy role #440 (#457)
* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks
8 years ago
Dan Guido 0b05ea19bc Windows needs SHA2-256. Closes #453. (#456) 8 years ago
Dan Guido 8173b84ff8 Change uniqueids back to never (#448)
We need this to allow multiple connections with the same id/certificate
8 years ago
Dan Guido b29772f146 prefer ed25519 8 years ago
Dan Guido f9f7be7b0d Fix a typo from #439 8 years ago
Dan Guido 1778cb1f45 disable dpd #430 (#437)
Closes #430
8 years ago
Dan Guido 8e5e6d5088 remove extraneous integrity algos from AEAD ciphers (#439)
In reference to
https://github.com/trailofbits/algo/issues/9#issuecomment-294370560
8 years ago
Jauder Ho 5b2e13d18f Only enable ChaCha cipher (#412)
* Only enable ChaCha cipher

* Add back a few ciphers for compatibility
8 years ago
Jack Ivanov fa5a956193 Add URLStringProbe (#428)
* Add URLStringProbe

* switch to Apple's hotspot-detect.html
8 years ago
Jack Ivanov ea5976f49b write logs to file if BSD only 8 years ago
Jack Ivanov 9c12272c8c Python False-y values should be accepted. #417 (#426) 8 years ago
Jack Ivanov 16329fe088 Instance size (#404)
* Escaping Special Characters #388

* Make instance sizes more flexible to edit #355
8 years ago
Jack Ivanov bf75a1bb03 move generating of the known_hosts file to local_action (#425) 8 years ago
MiWCryptAnalytics 04b61ca3d2 Increase CA key entropy to 128bit (#415)
Changes the default CA key size from 48 bit to 128bit with OpenSSL usermode CSPRNG with hex encoding
8 years ago
Jack Ivanov 02f363d825 change the order of ciphers 8 years ago
mathew19 ae43ed6f81 Update client_ipsec.secrets.j2 (#414)
Fix filename in client ipsec_user.secrets
8 years ago
mathew19 5e56996f5c Fix name (#411) 8 years ago
Jack Ivanov c61a07fb60 Escaping Special Characters #388 (#403) 8 years ago
Jack Ivanov 56a72e5af2 New ciphers implementing #247 (#352)
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
8 years ago
Jack Ivanov 70738ed8be Enable IP forwarding GCE #369 8 years ago
Jack Ivanov 95e0134f21 1. Disable SSH key deploying if installation on existing server
2. Move to the ed25519 algorithm
3. Delete unneeded option RSAAuthentication
Fixes #272
8 years ago
Dan Guido e55ce03906 URLStringProbe with this URL does not work as intended 8 years ago
Dan Guido 5e22b79033 Add configuration for URL probes to Apple profile
Chrome and Android both request a known URL that generates HTTP 204 No Content responses to determine if they have internet connectivity. In Apple profiles, we can use the same URL to determine whether the VPN needs to connect. Using this feature will help save battery life for lots of users.
8 years ago
Jack Ivanov 47515154bb add mtu in the sswan profile 8 years ago
Casey Lang 8b977afd99 Modify creation of GCE Instance (#363)
Update deprecated GCE metadata options
8 years ago
Jack Ivanov 3b8d04d06c remove the logging role 8 years ago
Jack Ivanov 6e61a51aca rewrite the sysctl task 8 years ago
Jack Ivanov c0f4b5fa41 Enable default values if the role is skipped #313 8 years ago
Josh Soref 84bbcb88d0 Spelling fixes (#342)
* spelling: algorithm

* spelling: bertrand

* spelling: between

* spelling: checking

* spelling: conjunction

* spelling: contributor

* spelling: delimited

* spelling: fashion

* spelling: droplet

* spelling: javascript

* spelling: nameserver

* spelling: obligatory

* spelling: official

* spelling: overridden

* spelling: overwrite

* spelling: parameter

* spelling: suppressing
8 years ago
James Hale 41ed682213 Reduce VPC CIDR size to /16 (#341) 8 years ago
Josh Meisels d37c6b72c5 Add new Azure regions and allow user to select VM size (#332)
* Update Azure Region List

Included several additional regions in the Azure list.

In a future version we may want to ask users to choose a continent, then present region options since this list is getting long.

* Add VM size selection

Added prompt for user to choose VM size. Useful because the default size is not available in all regions, and there are cheaper sizes.

* Handle vm_size choice in "Create an Instance" step

Use the variable passed in that the user chose for vm_size.

* Differentiate Basic A0 and Standard A0

* Remove vm_size D1 since it's being deprecated

* Fix syntax issue - missing semicolons

* Remove note to self comment

* Remove changes to let user select VM size

Removing my previous additions that let the user select their Azure VM size.

* Hard code VM size to cheapest size

Remove my usage of a variable for VM size. Update to use the Basic_A0, which is the cheapest size of VM.
8 years ago
Matt Mankins b8d2dc68bb Change EC2 VPC CIDR blocks to uncommon non-routable addresses (#335) 8 years ago
Josh Watson 84a3b5f675 Change EC2 VPC CIDR blocks to non-routable addresses. (#330)
The previous address ranges were actually routable addresses, which caused some concern for some people because it looked suspicious in tracert. The new CIDR blocks are non-routable addresses, which resolves this concern.
8 years ago
brad2014 09e5d87c7b Minor name and documentation edits (#327) 8 years ago
James Hale 3b3fb601ef Fix name tag key (#282) 8 years ago
Dan Guido 655a917dd2 iptables filter table fix (#285) 8 years ago
Jack Ivanov 6facb6cb4f FreeBSD / HardenedBSD (#262)
* FreeBSD draft

ifconfig fix

Pre-tasks fixes

fix hardcoded IP

some refactoring

disable system-based tags

disable freebsd tags

FreeBSD vpn role

add defaults

ssh role freebsd

default fix

dns_adblocking freebsd

ubuntu dict fix

* HardenedBSD

update-users BSD

* Rebuild the kernel

docs changing
8 years ago
Jack Ivanov 49ba1f76b4 Some improvements in the mobileconfig. Fixes #270 8 years ago
Jack Ivanov 045ff4bb9f Azure security group. Fixes #264 8 years ago
Jack Ivanov 906d962d4d GCE. env variables #195 8 years ago
Jack Ivanov 573c2f2322 DO. env variables #195 8 years ago
Jack Ivanov fc30f8bb10 GCE. Tags fixed #267 8 years ago
Jack Ivanov 0aff3ebb6f EC2 instance_initiated_shutdown_behavior to terminate. Close #124 8 years ago
Jack Ivanov c52024d4cc Azure. Add to the inventory #30 8 years ago
Jack Ivanov 0d1731e058 update tags for azure resources 8 years ago
Jack Ivanov 6e538627db gce inventory #30 8 years ago
Jack Ivanov 9cc9cf7b5f local inventory #30 8 years ago
Jack Ivanov 69ff22f9bb fix typo 8 years ago
Jack Ivanov dfb1cbc282 DigitalOcean dynamic inventory 8 years ago
Jack Ivanov f7da2e3888 EC2 dynamic inventory. Fixes #73 8 years ago
Jack Ivanov 5cbf125202 Some refactoring. Disable unneeded variables. 8 years ago
Jack Ivanov 237fcc7a7f additional variables 8 years ago
Jack Ivanov 2a4d1837b5 Some fixes. Fedora client. Close #44 8 years ago
Jack Ivanov 0bf3e809a4 Linux clients installation vpn #44 8 years ago
Jack Ivanov d7d976784c Fixes #207 8 years ago
Jack Ivanov 8eb208c5b7 enable ipv6 if the default gateway is defined. Fixes #244 8 years ago
Craig 43c2f5c31a Installs the recommended packages with strongswan, because we need the OpenSSL (#260)
plugin from libstrongswan-standard-plugins for ECDH to work.
8 years ago
Jack Ivanov b8f3d43eee enable some additional debug info 8 years ago
Jack Ivanov 2a7dd88a3c Changed to ECDSA #102 8 years ago
Jack Ivanov e31f10da6d Fixes #255 8 years ago
Jack Ivanov aca036142f AndroidVPNClientProfiles #240 8 years ago
Jacob Wilder 7b468fae79 Fixed the azure role for situations where the user does not use a ~/.azure/credentials file (#242) 8 years ago
Jack Ivanov 20ebd7a595 rename connection 8 years ago
akirilov 05ab1f5feb Modified certificate generation to address issues #234 and #228 (#235)
* Modified certificate generation to address issues #234 and #228

I have made the following modifications to comply with the IKEv2 client certificate requirements:

- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU

I have made the following changes to address a mismatch in the windows deployment script and file names:

- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script

Testing:

I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234

I apologize for not being able to test on other configurations. I hope that someone else can verify my changes

* fixed iOS issues

* fixed accidental user change

* simplified changes

* Final iteration. I think that's all I can do to minimize the changes
8 years ago
Jack Ivanov 35faf4bca7 Local openssl tasks (#169)
* Draft

works with ECDSA

RSA support for Windows

* update-users with local_openssl_tasks

* move prompts to the algo script

* additional directory for SSH keys

* move easyrsa_p12_export_password to pre_tasks

* update-users testing

* Fix hardcoded vars

* Delete the CA key

* Hardcoded IP. Fixes #219

* Some fixes
8 years ago
Jack Ivanov 257be0f395 make the fail message more understandable. Fixes #217 8 years ago
Jack Ivanov 2798f84d3f ensure that apparmor is supported by the kernel #215 8 years ago
Jack Ivanov 3e852caf04 disable compression #146 8 years ago
Jack Ivanov cbf59addb3 additional tags 8 years ago
Jack Ivanov a50a396b94 additional fixes 8 years ago
Defunct b0f9ab94b1 ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support) 8 years ago
Defunct 0eb048383a refactored ec2 encryption 8 years ago
Jack Ivanov 1a81372192 EC2 Encryption Implemented #133 8 years ago
Jack Ivanov f246165298 Fix a typo 8 years ago
Glenn Rempe 9a46b671f7 Fixes #198, replace typo ECXLUDE with EXCLUDE 8 years ago
Damian Gerow b444398fab Drop the MSS for GCE instances 8 years ago
Defunct a9dd0af3fe resolves #176 + other ec2 env issues 8 years ago
Dan Guido 75194675eb closes #175 8 years ago
kennwhite d2aa52f4e9 UX hint on profile name
Add explicit label for Algo-generated VPNs. If the user has multiple (non-Algo) VPNs for home/office, there is typically a label other than an IP address and "IKEv2". This can be seen, for example, on OSX on the top menu bar for networks.
8 years ago
Jack Ivanov 33b3af540a Fix SSH keys for DigitalOcean 8 years ago
Jack Ivanov 2c9c3ccb09 Fixed #146 8 years ago
Jack Ivanov cd5b096ab7 DO fix 8 years ago
Jack Ivanov 90cc5fa1f7 some fixes 8 years ago
Jack Ivanov 1d07200c74 generating ssh-keys #152 #151 #112 8 years ago
Jack Ivanov abf94989fc the password for the CA private key #75 8 years ago
Jack Ivanov 8b0fe4d8f3 Block client-to-client traffic. Fixed #166 8 years ago
Jack Ivanov ecb6b498b9 unnecessary to use such way Fixed #162 8 years ago
Jack Ivanov f1715c4e0b random password for the p12 certificates #135 8 years ago
Jack Ivanov 03c805cb87 reorganize the wait_for functions #159 8 years ago
Jack Ivanov 275663264a ipv6 option is available in ansible 2.2; Fixed #158 8 years ago
Jack Ivanov 37ec574d8d IP_subject_alt_name is not declared for localhost. Fixed #149 8 years ago
Jack Ivanov 517366f194 EC2 fix 8 years ago
Jack Ivanov 50e9dbfce0 draft EC2 #150 #157 8 years ago
Jack Ivanov 981809998c Merge branch 'master' of github.com:trailofbits/algo 8 years ago
kennwhite 016a8c7708 Change default instance to free tier (t2.micro)
I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account.
8 years ago
Jack Ivanov 0269cafff7 DNS fix 8 years ago
Jack Ivanov 29ef4d45df Merge pull request #144 from trailofbits/ami_latest_image
Sort by latest AMI - resolves #140
8 years ago
Jack Ivanov c552602724 Azure support #26 8 years ago
Defunct 27e5a4feca Sort by latest AMI - resolves #140 8 years ago
Jack Ivanov 3d53dde6ca Fixed. #137 8 years ago
Jack Ivanov 790bcb2efc Merge branch 'win10_support' #9 8 years ago
Jack Ivanov 8a0c5ab971 Windows support implemented 8 years ago
Jack Ivanov f6166ccde4 modify ciphers #9 8 years ago