Jack Ivanov
0bf3e809a4
Linux clients installation vpn #44
2017-03-03 20:46:11 +03:00
Jack Ivanov
d7d976784c
Fixes #207
2017-02-28 21:34:28 +03:00
Jack Ivanov
8eb208c5b7
enable ipv6 if the default gateway is defined. Fixes #244
2017-02-26 20:17:12 +03:00
Craig
43c2f5c31a
Installs the recommended packages with strongswan, because we need the OpenSSL ( #260 )
...
plugin from libstrongswan-standard-plugins for ECDH to work.
2017-02-25 21:07:32 +03:00
Jack Ivanov
b8f3d43eee
enable some additional debug info
2017-02-23 19:22:18 +03:00
Jack Ivanov
2a7dd88a3c
Changed to ECDSA #102
2017-02-23 18:44:30 +03:00
Jack Ivanov
e31f10da6d
Fixes #255
2017-02-23 18:25:46 +03:00
Jack Ivanov
aca036142f
AndroidVPNClientProfiles #240
2017-02-17 00:30:21 +03:00
Jacob Wilder
7b468fae79
Fixed the azure role for situations where the user does not use a ~/.azure/credentials file ( #242 )
2017-02-16 23:43:03 +03:00
Jack Ivanov
20ebd7a595
rename connection
2017-02-12 23:01:29 +03:00
akirilov
05ab1f5feb
Modified certificate generation to address issues #234 and #228 ( #235 )
...
* Modified certificate generation to address issues #234 and #228
I have made the following modifications to comply with the IKEv2 client certificate requirements:
- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU
I have made the following changes to address a mismatch in the windows deployment script and file names:
- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script
Testing:
I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234
I apologize for not being able to test on other configurations. I hope that someone else can verify my changes
* fixed iOS issues
* fixed accidentall user change
* simplified changes
* Final iteration. I think that's all I can do to minimize the changes
2017-02-12 22:45:36 +03:00
Jack Ivanov
35faf4bca7
Local openssl tasks ( #169 )
...
* Draft
works with ECDSA
RSA support for Windows
* update-users with local_openssl_tasks
* move prompts to the algo script
* additional directory for SSH keys
* move easyrsa_p12_export_password to pre_tasks
* update-users testing
* Fix hardcoded vars
* Delete the CA key
* Hardcoded IP. Fixes #219
* Some fixes
2017-02-03 14:24:02 -05:00
Jack Ivanov
257be0f395
make the fail message more understandable. Fixes #217
2017-02-01 18:54:47 +03:00
Jack Ivanov
2798f84d3f
ensure that apparmor is supported by the kernel #215
2017-01-16 00:19:57 +03:00
Jack Ivanov
3e852caf04
disable compression #146
2017-01-14 19:56:23 +03:00
Jack Ivanov
cbf59addb3
additional tags
2017-01-11 21:02:41 +03:00
Jack Ivanov
a50a396b94
addtiional fixes
2017-01-11 20:55:44 +03:00
Defunct
b0f9ab94b1
ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support)
2017-01-05 19:36:30 +00:00
Defunct
0eb048383a
refactored ec2 encryption
2017-01-05 17:36:45 +00:00
Jack Ivanov
1a81372192
EC2 Encryption Implemented #133
2017-01-05 17:36:45 +00:00
Jack Ivanov
f246165298
Fix a typo
2017-01-04 17:45:42 +03:00
Glenn Rempe
9a46b671f7
Fixes #198 , replace typo ECXLUDE with EXCLUDE
2016-12-30 18:47:02 -08:00
Damian Gerow
b444398fab
Drop the MSS for GCE instances
2016-12-27 21:59:39 +00:00
Defunct
a9dd0af3fe
resolves #176 + other ec2 env issues
2016-12-21 05:55:11 +00:00
Dan Guido
75194675eb
closes #175
2016-12-20 20:28:13 -05:00
kennwhite
d2aa52f4e9
UX hint on profile name
...
Add explicit label for Algo-generated VPNs. If the user has multiple (non-Algo) VPNs for home/office, there is typically a label other than an IP address and "IKEv2". This can be seen, for example, on OSX on the top menu bar for networks.
2016-12-19 15:21:02 -05:00
Jack Ivanov
33b3af540a
Fix SSH keys for DigitalOcean
2016-12-19 00:19:26 +03:00
Jack Ivanov
2c9c3ccb09
Fixed #146
2016-12-17 16:36:59 +03:00
Jack Ivanov
cd5b096ab7
DO fix
2016-12-17 15:16:40 +03:00
Jack Ivanov
90cc5fa1f7
some fixes
2016-12-17 14:54:44 +03:00
Jack Ivanov
1d07200c74
generating ssh-keys #152 #151 #112
2016-12-17 14:54:44 +03:00
Jack Ivanov
abf94989fc
the password for the CA private key #75
2016-12-15 13:33:29 +03:00
Jack Ivanov
8b0fe4d8f3
Block client-to-client traffic. Fixed #166
2016-12-14 21:54:14 +03:00
Jack Ivanov
ecb6b498b9
unnecessarry to use such way Fixed #162
2016-12-14 19:42:39 +03:00
Jack Ivanov
f1715c4e0b
random password for the p12 certificates #135
2016-12-14 18:49:47 +03:00
Jack Ivanov
03c805cb87
reorganize the wait_for functions #159
2016-12-13 21:58:45 +03:00
Jack Ivanov
275663264a
ipv6 option is available in ansible 2.2; Fixed #158
2016-12-13 21:12:51 +03:00
Jack Ivanov
37ec574d8d
IP_subject_alt_name is not declared for localhost. Fixed #149
2016-12-13 20:46:27 +03:00
Jack Ivanov
517366f194
EC2 fix
2016-12-13 20:34:27 +03:00
Jack Ivanov
50e9dbfce0
draft EC2 #150 #157
2016-12-13 19:50:18 +03:00
Jack Ivanov
981809998c
Merge branch 'master' of github.com:trailofbits/algo
2016-12-13 08:44:31 +03:00
kennwhite
016a8c7708
Change default instance to free tier (t2.micro)
...
I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account.
2016-12-12 15:14:58 -05:00
Jack Ivanov
0269cafff7
DNS fix
2016-12-12 18:52:34 +03:00
Jack Ivanov
29ef4d45df
Merge pull request #144 from trailofbits/ami_latest_image
...
Sort by latest AMI - resolves #140
2016-12-10 21:56:49 +03:00
Jack Ivanov
c552602724
Azure support #26
2016-12-10 21:26:08 +03:00
Defunct
27e5a4feca
Sort by latest AMI - resolves #140
2016-12-09 20:45:12 +00:00
Jack Ivanov
3d53dde6ca
Fixed. #137
2016-12-06 20:14:08 +03:00
Jack Ivanov
790bcb2efc
Merge branch 'win10_support' #9
2016-11-30 17:00:03 +03:00
Jack Ivanov
8a0c5ab971
Windows support implemented
2016-11-29 23:00:01 +03:00
Jack Ivanov
f6166ccde4
modify ciphers #9
2016-11-29 22:14:18 +03:00
Jack Ivanov
195697a1f0
Merge pull request #131 from trailofbits/ec2updates
...
EC2 Updates and fixes
2016-11-29 18:48:31 +03:00
Jack Ivanov
ad162f55a2
here were no credentials #127
2016-11-29 18:46:58 +03:00
defunct
e40545cce5
opens #126
...
This commit reverts changes in 437d659
to avoid breaking changes.
2016-11-27 12:55:05 -05:00
Jack Ivanov
e90b58802d
fix in the mobileconfig template
2016-11-27 12:44:05 +03:00
Jack Ivanov
2cb98b4516
Windows RSA support #9
2016-11-27 01:37:17 +03:00
Jack Ivanov
ede452fad4
Merge branch 'master' of github.com:trailofbits/algo
2016-11-26 23:27:25 +03:00
Jack Ivanov
c5860cbc5d
Merge pull request #125 from cernekee/tag-fix. Fix #128
...
Add missing playbook tags
2016-11-26 23:24:43 +03:00
Jack Ivanov
ee95846445
mobileconfig fix
2016-11-26 23:22:12 +03:00
Defunct
d54ba6c7ce
Merge branch 'master' into ec2updates
2016-11-26 18:08:14 +00:00
fkt
27ea98e7a8
Show congrats message at the end - #115
2016-11-26 18:05:06 +00:00
Defunct
437d659eb6
resolves #126 - incorrect private key usage w/o ssh-agent
2016-11-26 17:42:46 +00:00
Defunct
1dc6e1a0fa
resolves #118 - AWS env keys
2016-11-26 17:39:24 +00:00
Jack Ivanov
047f68df2f
Change the site in the congrats handler to whoer.net in order to clarify the message at the end of the install about testing VPN. Fix #110
2016-11-23 20:34:53 +03:00
Kevin Cernekee
433389c0ab
Use /var/run/reboot-required to determine if a restart is needed
...
The current check only looks to see if a new kernel was installed.
2016-11-06 09:45:39 -08:00
Kevin Cernekee
09bbc4058c
Add missing tags in common playbook
...
If the common playbook is invoked with the "cloud" tag, non-cloud
tasks will be skipped. On GCE this causes "Install tools" to be skipped,
apparmor-utils is not installed, and then the "Enforcing ipsec with
apparmor" step fails.
2016-11-06 09:45:34 -08:00
Jack Ivanov
29de003b2d
inplemented #109
2016-11-03 18:05:56 +03:00
Jack Ivanov
5383c71499
Fixed #108
2016-11-03 17:21:18 +03:00
Jack Ivanov
d052cb8e77
skip-tags added. Fixed #121
2016-10-28 21:00:11 +03:00
Jack Ivanov
76ea7f67ae
extra vars added to use local DNS #110
2016-10-26 18:56:23 +03:00
Jack Ivanov
289807ead4
fix dependencies
2016-10-25 21:33:46 +03:00
Jack Ivanov
d50bd43988
Fix SSH keys permissions
2016-10-24 18:08:58 +03:00
Jack Ivanov
44bc3ead48
set AllowTcpForwarding to local
2016-10-24 17:53:08 +03:00
Dan Guido
c52350030d
Merge branch 'master' into docs
2016-10-16 22:01:56 +02:00
Jack Ivanov
d93b7c200f
EC2 | Add VPC group #98 and counts #59
2016-10-16 19:24:04 +03:00
Jack Ivanov
0e613f2ff7
fix a typo. #96 closed
2016-10-16 17:38:00 +03:00
Jack Ivanov
8c284a16e3
Done. #96
2016-10-16 17:36:01 +03:00
Jack Ivanov
062426e0ec
client configuration templates #43
2016-10-16 15:27:05 +03:00
Dan Guido
1a3a14943c
pull in changes from master
2016-10-15 19:26:28 +02:00
Jack Ivanov
fcf29534ba
the proxixy filter rules disabled #93
2016-10-14 19:58:55 +03:00
Jack Ivanov
bf5d5e53ac
ip6tables fixes
2016-10-14 19:05:39 +03:00
Jack Ivanov
c43ccc3898
iptables moved to the vpn role #61
2016-10-14 18:50:24 +03:00
Dan Guido
bff7c414b2
Initial commit of reorg'd docs
2016-10-13 15:27:06 +02:00
Jack Ivanov
4db428a86e
Disable unneeded plugins in StrongSwan #84
2016-10-10 15:42:32 +03:00
Jack Ivanov
2cca45c967
additional tags
2016-10-10 15:32:14 +03:00
Jack Ivanov
ad9d7d6ddb
disable dpdtimeout #90
2016-09-26 22:07:34 +03:00
Jack Ivanov
8e0cca6b66
some fixes
2016-09-26 15:43:19 +03:00
Jack Ivanov
dbeb7a13e8
Merge branch 'tags' #80
2016-09-19 20:22:51 +03:00
Jack Ivanov
4d731580b7
linting
2016-09-19 20:18:27 +03:00
Jack Ivanov
fc162728d3
role for local installation
2016-09-19 19:54:45 +03:00
Jack Ivanov
d9441b236a
move to tags #80
2016-09-18 13:12:17 +03:00
Jack Ivanov
aa4dcc31d4
gce role to tags
2016-09-18 13:11:30 +03:00
Jack Ivanov
cf5a0f41d3
ec2 role to tags
2016-09-18 13:11:22 +03:00
Jack Ivanov
97ea00056d
DO roles to tags
2016-09-18 13:11:10 +03:00
Jack Ivanov
6685642f0b
#85 fixed
2016-08-31 11:42:29 +03:00
Jack Ivanov
91688324ce
additional functions
2016-08-28 23:19:41 +03:00
Jack Ivanov
ddcee8db18
logging fixes
2016-08-28 23:07:45 +03:00
Jack Ivanov
97a00699b7
new tags
2016-08-28 23:04:59 +03:00
Jack Ivanov
05df4f0c04
unattended-upgrades moved to the security role
2016-08-28 22:11:39 +03:00
Evgeniy Ivanov
4284dd63aa
rsyslog moved to the logging role
2016-08-28 22:06:33 +03:00
Jack Ivanov
0cd4084aa4
ssh fixes
2016-08-26 00:47:08 +03:00
Jack Ivanov
00e4bcc1ec
security role and SSH fixes #77
2016-08-26 00:35:07 +03:00
Jack Ivanov
8c5f80bf8f
linting
2016-08-25 23:59:16 +03:00
Jack Ivanov
57b6c96ba8
SSH fingerprints #77
2016-08-25 23:48:35 +03:00
Jack Ivanov
0945f54366
SSH user-management #77
2016-08-25 23:30:27 +03:00
Jack Ivanov
c19908c9b1
ssh fixes
2016-08-25 23:03:20 +03:00
Jack Ivanov
cf08c5ff61
fix
2016-08-25 22:20:53 +03:00
Dan Guido
27421070b9
linting
2016-08-24 09:22:04 +02:00
Dan Guido
809b62cd33
daemon_reload is an option for systemd, not service
2016-08-24 09:03:29 +02:00
Jack Ivanov
b29f1ab226
service fixed #78
2016-08-24 10:03:19 +03:00
Dan Guido
2fcc3600fd
Disable features in the Match block vs main config
2016-08-23 17:03:27 -04:00
Jack Ivanov
1dcfe18055
SSH tunneling role #77
2016-08-23 16:51:06 +03:00
Jack Ivanov
19797bc020
CPU and memory limitations of the services #63
2016-08-23 16:10:42 +03:00
Evgeniy Ivanov
5ecd23c59c
type
2016-08-23 09:01:07 +03:00
Evgeniy Ivanov
468d5af23d
service fixes
2016-08-23 09:00:32 +03:00
Defunct
50f43dc601
revert systemd changes (2.2 only), identation normalization;
2016-08-23 02:02:57 +00:00
Evgeniy Ivanov
09c39627d9
Memory limits #63
2016-08-22 23:01:43 +03:00
Evgeniy Ivanov
c51fe5dac0
run charon as non-root user #66
2016-08-21 20:32:31 +03:00
Evgeniy Ivanov
71ad2f570e
proxy prompts enabled #70
2016-08-21 19:57:52 +03:00
Evgeniy Ivanov
ba50abce8a
make local ip changeable #67
2016-08-21 13:29:53 +03:00
Evgeniy Ivanov
e6090b8245
forwarding #61
2016-08-21 12:51:58 +03:00
Colin Mahns
1fbe1b63f8
HTTPS for domains that support it
...
hosts-file.net and malwaredomainlist.com has optional TLS, adaway.org forces it server side
2016-08-20 14:48:31 -04:00
Colin Mahns
6c81b86c92
Link to MVPS Hosts file directly
...
http://www.mvps.org/winhelp2002/hosts.txt redirects to http://winhelp2002.mvps.org/hosts.txt automatically, saves a step
2016-08-20 14:40:33 -04:00
Evgeniy Ivanov
53f60e33d8
random tmp names #64
2016-08-20 17:45:35 +03:00
Evgeniy Ivanov
3864f8104d
adblock.sh as an unprivileged user; Store the whitelists in /var/; #64
2016-08-20 17:25:06 +03:00
Evgeniy Ivanov
4b2ae71ffe
Tighten the dnsmasq AppArmor policy #62
2016-08-20 16:49:34 +03:00
Evgeniy Ivanov
de06b4fd9e
security remarks
2016-08-20 16:24:00 +03:00
Evgeniy Ivanov
b593986b0c
SFTP fixed
2016-08-20 16:22:54 +03:00
Evgeniy Ivanov
3fa75a081d
new iptabes deployment #61
2016-08-20 16:22:14 +03:00
Evgeniy Ivanov
cfc38e3df1
Drop SMB traffic ##61
2016-08-20 15:19:46 +03:00
Evgeniy Ivanov
4a6602e877
RSAAuthentication no; Turn off SFTP; Turn off X11 forwarding; #51
2016-08-20 14:14:09 +03:00
Evgeniy Ivanov
16627783f5
Minor updates to the sshd_config #51
2016-08-18 21:35:47 +03:00
Evgeniy Ivanov
f3eb06cfe0
server_name fixes
2016-08-18 12:44:34 +03:00
Evgeniy Ivanov
9eaaf63fa0
server_name fixes
2016-08-18 12:36:54 +03:00
Evgeniy Ivanov
f20d375dc9
IP_subject fixes
2016-08-18 12:32:28 +03:00
Evgeniy Ivanov
a9b10baf1d
Some fixes
2016-08-18 12:17:46 +03:00
Evgeniy Ivanov
a1bf2ad5ef
flush handlers after loopback configured
2016-08-18 11:22:06 +03:00
Evgeniy Ivanov
7085a594fc
p12 moved into playbooks
2016-08-18 11:16:22 +03:00
Evgeniy Ivanov
4f46cc221a
Split the features role in two #49
2016-08-17 23:26:21 +03:00
Evgeniy Ivanov
95c43e2211
Split the features role in two #49
2016-08-17 23:26:17 +03:00
Dan Guido
2a8c1adb76
Update main.yml
2016-08-16 23:31:20 -04:00
Dan Guido
52855c9e3f
Use the right language for GCE
2016-08-16 00:03:26 -04:00
Dan Guido
0fd0de17d4
rename the cloud roles
2016-08-16 00:00:26 -04:00
Dan Guido
f538ffe4e8
linting
2016-08-15 23:32:44 -04:00
jack
7a8d58783f
Roles and Google cloud
2016-08-14 20:03:33 +03:00
jack
e729f0d303
Roles and Google cloud
2016-08-14 20:03:23 +03:00
jack
42e6067e4d
Firewall | Google Cloud Engine #27
2016-08-14 16:51:24 +03:00
jack
89758aaec9
Google Cloud Engine #27
2016-08-14 16:36:50 +03:00
jack
3870956f0a
google and azure
2016-08-14 14:13:23 +03:00
jack
917b7d6138
Modify user-management function
2016-08-11 23:54:29 +03:00
jack
f6c1309aac
non-cloud servers #34
2016-08-11 23:40:07 +03:00
jack
2f66b03880
EC2 Role; Loggin Role
2016-08-11 22:36:36 +03:00
jack
fff70293f1
Roles enabled
2016-08-11 11:54:34 +03:00
Dan Guido
e10b1b669f
no reason to have roles yet
2016-05-15 11:06:03 -04:00
Dan Guido
041c6da9b0
fix what was here, script runs now
2016-05-15 11:02:13 -04:00
Dan Guido
e8993b06dd
initial commit
2016-05-14 23:43:37 -04:00