adamluk
b30f6db079
Update rules.v6.j2 ( #818 )
Updated to use -m conntrack for consistency as per the other IPv6 rules.
7 years ago
Jack Ivanov
7e07c35474
proper cloudformation template ( #815 )
7 years ago
Jack Ivanov
02427910de
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration ( #804 )
* Move to ansible-2.4.3
* Add Lightsail support #623
* Fixing the EC2 deployment
* Scaleway integration #623
* OpenStack cloud provider (DreamCompute optimised) #623
* Remove the security role
* Enable unattended-upgrades for clouds
* New requirements to make Azure and GCE work
7 years ago
Jack Ivanov
4da752b603
Ubuntu 17.10 support ( #811 )
7 years ago
Micah R Ledbetter
5eed1bbba4
Use dns_servers in dnsmasq.conf ( #794 )
7 years ago
Douglas Gastonguay-Goddard
7eb4fc5f22
DigitalOcean - Add cleanup step for SSH key ( #784 )
* Add cleanup step for SSH key.
* Two space tabs are hard to see.
7 years ago
Jack Ivanov
a844870b7a
Sendmail should not be installed ( #738 )
7 years ago
Marcelo Elizeche Landó
07a1c70bf4
Update adblock.sh for systemd to fix issue #735 ( #736 )
* Update script to restart the dnsmasq service using the systemctl (systemd) command instead of service (Upstart)
* Use instead of legacy REF: https://github.com/koalaman/shellcheck/wiki/SC2006
* Replace non-standard egrep (deprecated) with grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
7 years ago
Jack Ivanov
f18c1a0d67
Certificate revocation fix ( #719 )
7 years ago
Jack Ivanov
b64f682bae
remove the dead code. Fixes #671
7 years ago
Jurgen Verhasselt
185c0f51d7
correct configs_prefix vars in client tasks ( #712 )
7 years ago
Julie Bernosky
dc4dff040e
Add StrongSwan log level config option to ipsec.conf template ( #700 )
7 years ago
Jack Ivanov
3c55cd15a4
GCE. replace underscores ( #698 )
7 years ago
Jack Ivanov
ee7264f26e
Ask users to enter the p12 password manually ( #697 )
7 years ago
Jack Ivanov
6b803e069f
LibreSSL fix #625 ( #685 )
7 years ago
Jack Ivanov
8da53f859b
Some browsers (eg. Safari) stop loading pages if the element with ads can't be loaded ( #633 )
7 years ago
Samuel Horwitz
0607e968d7
Update main.yml ( #621 )
7 years ago
Jack Ivanov
0bb9279094
bug in the gce_net module #616 ( #620 )
7 years ago
Jack Ivanov
78bd5b017c
client fixes ( #605 )
7 years ago
Jack Ivanov
9d8e39f63d
Move back to the Xenial repo ( #606 )
7 years ago
Jack Ivanov
f0283856ad
fix revocation ( #586 )
7 years ago
Jack Ivanov
a8ebb16437
Enable timeouts. Fixes #581
7 years ago
Jack Ivanov
26c202ded5
Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the sections. ( #580 )
7 years ago
Jack Ivanov
ba7859ba5f
Revoke non-existing users fix
7 years ago
Jack Ivanov
0131505195
Enhance PS1 script ( #510 )
update docs
Update README.md
update readme
7 years ago
Jack Ivanov
e6c8f19d3c
Create a VPC network for each instance ( #561 )
7 years ago
Jack Ivanov
ee6db37428
Change the P12 and SSH passwords only for new users ( #550 )
7 years ago
Jack Ivanov
40e0363b18
Add html helper for Android ( #554 )
* add html helper #280
move to the new local schema
fix a typo
* Update client-android.md
7 years ago
Ruben Jongejan
e9e6c6e383
cleaner syntax for local actions ( #536 )
* refactored local actions to cleaner syntax
* openssl commands folded
* removed unnecessary local_action's
7 years ago
Rod Vagg
75d64ac018
Make DNS blocklist URLs configurable ( #548 )
7 years ago
tetov
ac6db06a19
grammar edit ( #540 )
* grammar edit
* Update openssl.yml
8 years ago
Jack Ivanov
58d5a06e87
delete tasks and move to roles ( #519 )
8 years ago
Ruben Jongejan
07ddb5863b
improved readability with native yaml ( #530 )
8 years ago
Jack Ivanov
97369c303a
define local_dns if dns tag used ( #533 )
8 years ago
Jack Ivanov
0031d2809e
Disable the Signature Algorithm check and add default vars. Fixes #525
8 years ago
Christopher J. Pilkington
a225bde2b8
Specify EIP domain ( #521 )
8 years ago
Jack Ivanov
6f170982aa
move to Elastic IP ( #512 )
8 years ago
Jack Ivanov
9f698fdd68
Get strongswan from the Zesty repo on Xenial ( #515 )
8 years ago
Jack Ivanov
bd348af9c2
Implementing blocks and additional fail hints #487 ( #497 )
change the troubleshooting url
8 years ago
Jack Ivanov
2f5c050fd2
dpdaction to clear ( #498 )
8 years ago
Jack Ivanov
0ed68b6c30
Properly configure ICMP restrictions ( #492 )
8 years ago
Ryan Kasper
0cb43650cb
Windows 10 -PfsGroup None --> -PfsGroup ECP256 ( #493 )
* Windows 10 -PfsGroup None --> -PfsGroup ECP256
Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)
* Update Windows Client PfsGroup Commandline
8 years ago
Jack Ivanov
540c761d3b
Disable RSA in the mobileconfigs. Fixes #486
8 years ago
Jack Ivanov
451394100d
Some enhancements in the compat ciphers ( #464 )
raise the IntegrityCheckMethod to SHA384
Move Windows to ECDSA
Increase IntegrityCheckMethod
8 years ago
Dan Guido
aac052da46
this option is deprecated ( #477 )
8 years ago
Jack Ivanov
c3fcfe5d0d
Let users choose the distro version #449 ( #466 )
Make dpdaction great again
add 1704 to travis
Make EC2 image name more convenient
modify apparmor profile
8 years ago
Andy Boutte
76cdc69548
CF tested and working for EC2 deployment ( #431 )
* AWS CloudFormation #132
* IPv6 EC2 draft
* CF tested and working for EC2 deployment
* IPv6 Implementation, EC2, Cloudformation
* Fixed ipv6 networking
* adding ip6tables rule for DHCP on AWS
8 years ago
Jack Ivanov
a7b06058cb
remove the proxy role #440 ( #457 )
* remove the proxy role #440
* Separate facts. Make roles more independent from each other
move openssl to local tasks
move unneeded tasks
8 years ago
Dan Guido
0b05ea19bc
Windows needs SHA2-256. Closes #453. ( #456 )
8 years ago
Dan Guido
8173b84ff8
Change uniqueids back to never ( #448 )
We need this to allow multiple connections with the same id/certificate
8 years ago
Dan Guido
b29772f146
prefer ed25519
8 years ago
Dan Guido
f9f7be7b0d
Fix a typo from #439
8 years ago
Dan Guido
1778cb1f45
disable dpd #430 ( #437 )
Closes #430
8 years ago
Dan Guido
8e5e6d5088
remove extraneous integrity algos from AEAD ciphers ( #439 )
In reference to
https://github.com/trailofbits/algo/issues/9#issuecomment-294370560
8 years ago
Jauder Ho
5b2e13d18f
Only enable ChaCha cipher ( #412 )
* Only enable ChaCha cipher
* Add back a few ciphers for compatibility
8 years ago
Jack Ivanov
fa5a956193
Add URLStringProbe ( #428 )
* Add URLStringProbe
* switch to Apple's hotspot-detect.html
8 years ago
Jack Ivanov
ea5976f49b
write logs to file if BSD only
8 years ago
Jack Ivanov
9c12272c8c
Python False-y values should be accepted. #417 ( #426 )
8 years ago
Jack Ivanov
16329fe088
Instance size ( #404 )
* Escaping Special Characters #388
* Make instance sizes more flexible to edit #355
8 years ago
Jack Ivanov
bf75a1bb03
move generating of the known_hosts file to local_action ( #425 )
8 years ago
MiWCryptAnalytics
04b61ca3d2
Increase CA key entropy to 128bit ( #415 )
Changes the default CA key size from 48-bit to 128-bit with OpenSSL usermode CSPRNG with hex encoding
8 years ago
Jack Ivanov
02f363d825
change the order of ciphers
8 years ago
mathew19
ae43ed6f81
Update client_ipsec.secrets.j2 ( #414 )
Fix filename in client ipsec_user.secrets
8 years ago
mathew19
5e56996f5c
Fix name ( #411 )
8 years ago
Jack Ivanov
c61a07fb60
Escaping Special Characters #388 ( #403 )
8 years ago
Jack Ivanov
56a72e5af2
New ciphers implementing #247 ( #352 )
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
8 years ago
Jack Ivanov
70738ed8be
Enable IP forwarding GCE #369
8 years ago
Jack Ivanov
95e0134f21
1. Disable SSH key deploying if installing on an existing server
2. Move to the ed25519 algorithm
3. Delete unneeded option RSAAuthentication
Fixes #272
8 years ago
Dan Guido
e55ce03906
URLStringProbe with this URL does not work as intended
8 years ago
Dan Guido
5e22b79033
Add configuration for URL probes to Apple profile
Chrome and Android both request a known URL that generates HTTP 204 No Content responses to determine if they have internet connectivity. In Apple profiles, we can use the same URL to determine whether the VPN needs to connect. Using this feature will help save battery life for lots of users.
8 years ago
Jack Ivanov
47515154bb
add mtu in the sswan profile
8 years ago
Casey Lang
8b977afd99
Modify creation of GCE Instance ( #363 )
Update deprecated GCE metadata options
8 years ago
Jack Ivanov
3b8d04d06c
remove the logging role
8 years ago
Jack Ivanov
6e61a51aca
rewrite the sysctl task
8 years ago
Jack Ivanov
c0f4b5fa41
Enable default values if the role is skipped #313
8 years ago
Josh Soref
84bbcb88d0
Spelling fixes ( #342 )
* spelling: algorithm
* spelling: bertrand
* spelling: between
* spelling: checking
* spelling: conjunction
* spelling: contributor
* spelling: delimited
* spelling: fashion
* spelling: droplet
* spelling: javascript
* spelling: nameserver
* spelling: obligatory
* spelling: official
* spelling: overridden
* spelling: overwrite
* spelling: parameter
* spelling: suppressing
8 years ago
James Hale
41ed682213
Reduce VPC CIDR size to /16 ( #341 )
8 years ago
Josh Meisels
d37c6b72c5
Add new Azure regions and allow user to select VM size ( #332 )
* Update Azure Region List
Included several additional regions in the Azure list.
In a future version we may want to ask users to choose a continent, then present region options since this list is getting long.
* Add VM size selection
Added prompt for user to choose VM size. Useful because the default size is not available in all regions, and there are cheaper sizes.
* Handle vm_size choice in "Create an Instance" step
Use the variable passed in that the user chose for vm_size.
* Differentiate Basic A0 and Standard A0
* Remove vm_size D1 since it's being deprecated
* Fix syntax issue - missing semicolons
* Remove note to self comment
* Remove changes to let user select VM size
Removing my previous additions that let the user select their Azure VM size.
* Hard code VM size to cheapest size
Remove my usage of a variable for VM size. Update to use the Basic_A0, which is the cheapest size of VM.
8 years ago
Matt Mankins
b8d2dc68bb
Change EC2 VPC CIDR blocks to uncommon non-routable addresses ( #335 )
8 years ago
Josh Watson
84a3b5f675
Change EC2 VPC CIDR blocks to non-routable addresses. ( #330 )
The previous address ranges were actually routable addresses, which caused some concern for some people because it looked suspicious in tracert. The new CIDR blocks are non-routable addresses, which resolves this concern.
8 years ago
brad2014
09e5d87c7b
Minor name and documentation edits ( #327 )
8 years ago
James Hale
3b3fb601ef
Fix name tag key ( #282 )
8 years ago
Dan Guido
655a917dd2
iptables filter table fix ( #285 )
8 years ago
Jack Ivanov
6facb6cb4f
FreeBSD / HardenedBSD ( #262 )
* FreeBSD draft
ifconfig fix
Pre-tasks fixes
fix hardcoded IP
some refactoring
disable system-based tags
disable freebsd tags
FreeBSD vpn role
add defaults
ssh role freebsd
default fix
dns_adblocking freebsd
ubuntu dict fix
* HardenedBSD
update-users BSD
* Rebuild the kernel
docs changing
8 years ago
Jack Ivanov
49ba1f76b4
Some improvements in the mobileconfig. Fixes #270
8 years ago
Jack Ivanov
045ff4bb9f
Azure security group. Fixes #264
8 years ago
Jack Ivanov
906d962d4d
GCE. env variables #195
8 years ago
Jack Ivanov
573c2f2322
DO. env variables #195
8 years ago
Jack Ivanov
fc30f8bb10
GCE. Tags fixed #267
8 years ago
Jack Ivanov
0aff3ebb6f
EC2 instance_initiated_shutdown_behavior to terminate. Close #124
8 years ago
Jack Ivanov
c52024d4cc
Azure. Add to the inventory #30
8 years ago
Jack Ivanov
0d1731e058
update tags for azure resources
8 years ago
Jack Ivanov
6e538627db
gce inventory #30
8 years ago
Jack Ivanov
9cc9cf7b5f
local inventory #30
8 years ago
Jack Ivanov
69ff22f9bb
fix typo
8 years ago
Jack Ivanov
dfb1cbc282
DigitalOcean dynamic inventory
8 years ago
Jack Ivanov
f7da2e3888
EC2 dynamic inventory. Fixes #73
8 years ago
Jack Ivanov
5cbf125202
Some refactoring. Disable unneeded variables.
8 years ago
Jack Ivanov
237fcc7a7f
additional variables
8 years ago
Jack Ivanov
2a4d1837b5
Some fixes. Fedora client. Close #44
8 years ago
Jack Ivanov
0bf3e809a4
Linux clients installation vpn #44
8 years ago
Jack Ivanov
d7d976784c
Fixes #207
8 years ago
Jack Ivanov
8eb208c5b7
enable ipv6 if the default gateway is defined. Fixes #244
8 years ago
Craig
43c2f5c31a
Installs the recommended packages with strongswan, because we need the OpenSSL plugin from libstrongswan-standard-plugins for ECDH to work. ( #260 )
8 years ago
Jack Ivanov
b8f3d43eee
enable some additional debug info
8 years ago
Jack Ivanov
2a7dd88a3c
Changed to ECDSA #102
8 years ago
Jack Ivanov
e31f10da6d
Fixes #255
8 years ago
Jack Ivanov
aca036142f
AndroidVPNClientProfiles #240
8 years ago
Jacob Wilder
7b468fae79
Fixed the azure role for situations where the user does not use a ~/.azure/credentials file ( #242 )
8 years ago
Jack Ivanov
20ebd7a595
rename connection
8 years ago
akirilov
05ab1f5feb
Modified certificate generation to address issues #234 and #228 ( #235 )
* Modified certificate generation to address issues #234 and #228
I have made the following modifications to comply with the IKEv2 client certificate requirements:
- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU
I have made the following changes to address a mismatch in the windows deployment script and file names:
- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script
Testing:
I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234
I apologize for not being able to test on other configurations. I hope that someone else can verify my changes
* fixed iOS issues
* fixed accidental user change
* simplified changes
* Final iteration. I think that's all I can do to minimize the changes
8 years ago
Jack Ivanov
35faf4bca7
Local openssl tasks ( #169 )
* Draft
works with ECDSA
RSA support for Windows
* update-users with local_openssl_tasks
* move prompts to the algo script
* additional directory for SSH keys
* move easyrsa_p12_export_password to pre_tasks
* update-users testing
* Fix hardcoded vars
* Delete the CA key
* Hardcoded IP. Fixes #219
* Some fixes
8 years ago
Jack Ivanov
257be0f395
make the fail message more understandable. Fixes #217
8 years ago
Jack Ivanov
2798f84d3f
ensure that apparmor is supported by the kernel #215
8 years ago
Jack Ivanov
3e852caf04
disable compression #146
8 years ago
Jack Ivanov
cbf59addb3
additional tags
8 years ago
Jack Ivanov
a50a396b94
additional fixes
8 years ago
Defunct
b0f9ab94b1
ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support)
8 years ago
Defunct
0eb048383a
refactored ec2 encryption
8 years ago
Jack Ivanov
1a81372192
EC2 Encryption Implemented #133
8 years ago
Jack Ivanov
f246165298
Fix a typo
8 years ago
Glenn Rempe
9a46b671f7
Fixes #198, replace typo ECXLUDE with EXCLUDE
8 years ago
Damian Gerow
b444398fab
Drop the MSS for GCE instances
8 years ago
Defunct
a9dd0af3fe
resolves #176 + other ec2 env issues
8 years ago
Dan Guido
75194675eb
closes #175
8 years ago
kennwhite
d2aa52f4e9
UX hint on profile name
Add explicit label for Algo-generated VPNs. If the user has multiple (non-Algo) VPNs for home/office, there is typically a label other than an IP address and "IKEv2". This can be seen, for example, on OSX on the top menu bar for networks.
8 years ago
Jack Ivanov
33b3af540a
Fix SSH keys for DigitalOcean
8 years ago
Jack Ivanov
2c9c3ccb09
Fixed #146
8 years ago
Jack Ivanov
cd5b096ab7
DO fix
8 years ago
Jack Ivanov
90cc5fa1f7
some fixes
8 years ago
Jack Ivanov
1d07200c74
generating ssh-keys #152 #151 #112
8 years ago
Jack Ivanov
abf94989fc
the password for the CA private key #75
8 years ago
Jack Ivanov
8b0fe4d8f3
Block client-to-client traffic. Fixed #166
8 years ago
Jack Ivanov
ecb6b498b9
unnecessary to use such a way. Fixed #162
8 years ago
Jack Ivanov
f1715c4e0b
random password for the p12 certificates #135
8 years ago
Jack Ivanov
03c805cb87
reorganize the wait_for functions #159
8 years ago
Jack Ivanov
275663264a
ipv6 option is available in ansible 2.2; Fixed #158
8 years ago
Jack Ivanov
37ec574d8d
IP_subject_alt_name is not declared for localhost. Fixed #149
8 years ago
Jack Ivanov
517366f194
EC2 fix
8 years ago
Jack Ivanov
50e9dbfce0
draft EC2 #150 #157
8 years ago
Jack Ivanov
981809998c
Merge branch 'master' of github.com:trailofbits/algo
8 years ago
kennwhite
016a8c7708
Change default instance to free tier (t2.micro)
I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account.
8 years ago
Jack Ivanov
0269cafff7
DNS fix
8 years ago
Jack Ivanov
29ef4d45df
Merge pull request #144 from trailofbits/ami_latest_image
Sort by latest AMI - resolves #140
8 years ago
Jack Ivanov
c552602724
Azure support #26
8 years ago
Defunct
27e5a4feca
Sort by latest AMI - resolves #140
8 years ago
Jack Ivanov
3d53dde6ca
Fixed. #137
8 years ago
Jack Ivanov
790bcb2efc
Merge branch 'win10_support' #9
8 years ago
Jack Ivanov
8a0c5ab971
Windows support implemented
8 years ago
Jack Ivanov
f6166ccde4
modify ciphers #9
8 years ago