Commit Graph

355 Commits

Author SHA1 Message Date
Jack Ivanov
0bf3e809a4 Linux clients installation vpn #44 2017-03-03 20:46:11 +03:00
Jack Ivanov
d7d976784c Fixes #207 2017-02-28 21:34:28 +03:00
Jack Ivanov
8eb208c5b7 enable ipv6 if the default gateway is defined. Fixes #244 2017-02-26 20:17:12 +03:00
Craig
43c2f5c31a Installs the recommended packages with strongswan, because we need the OpenSSL (#260)
plugin from libstrongswan-standard-plugins for ECDH to work.
2017-02-25 21:07:32 +03:00
Jack Ivanov
b8f3d43eee enable some additional debug info 2017-02-23 19:22:18 +03:00
Jack Ivanov
2a7dd88a3c Changed to ECDSA #102 2017-02-23 18:44:30 +03:00
Jack Ivanov
e31f10da6d Fixes #255 2017-02-23 18:25:46 +03:00
Jack Ivanov
aca036142f AndroidVPNClientProfiles #240 2017-02-17 00:30:21 +03:00
Jacob Wilder
7b468fae79 Fixed the azure role for situations where the user does not use a ~/.azure/credentials file (#242) 2017-02-16 23:43:03 +03:00
Jack Ivanov
20ebd7a595 rename connection 2017-02-12 23:01:29 +03:00
akirilov
05ab1f5feb Modified certificate generation to address issues #234 and #228 (#235)
* Modified certificate generation to address issues #234 and #228

I have made the following modifications to comply with the IKEv2 client certificate requirements:

- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU

I have made the following changes to address a mismatch in the windows deployment script and file names:

- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script

Testing:

I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234

I apologize for not being able to test on other configurations. I hope that someone else can verify my changes

* fixed iOS issues

* fixed accidental user change

* simplified changes

* Final iteration. I think that's all I can do to minimize the changes
2017-02-12 22:45:36 +03:00
Jack Ivanov
35faf4bca7 Local openssl tasks (#169)
* Draft

works with ECDSA

RSA support for Windows

* update-users with local_openssl_tasks

* move prompts to the algo script

* additional directory for SSH keys

* move easyrsa_p12_export_password to pre_tasks

* update-users testing

* Fix hardcoded vars

* Delete the CA key

* Hardcoded IP. Fixes #219

* Some fixes
2017-02-03 14:24:02 -05:00
Jack Ivanov
257be0f395 make the fail message more understandable. Fixes #217 2017-02-01 18:54:47 +03:00
Jack Ivanov
2798f84d3f ensure that apparmor is supported by the kernel #215 2017-01-16 00:19:57 +03:00
Jack Ivanov
3e852caf04 disable compression #146 2017-01-14 19:56:23 +03:00
Jack Ivanov
cbf59addb3 additional tags 2017-01-11 21:02:41 +03:00
Jack Ivanov
a50a396b94 additional fixes 2017-01-11 20:55:44 +03:00
Defunct
b0f9ab94b1 ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support) 2017-01-05 19:36:30 +00:00
Defunct
0eb048383a refactored ec2 encryption 2017-01-05 17:36:45 +00:00
Jack Ivanov
1a81372192 EC2 Encryption Implemented #133 2017-01-05 17:36:45 +00:00
Jack Ivanov
f246165298 Fix a typo 2017-01-04 17:45:42 +03:00
Glenn Rempe
9a46b671f7 Fixes #198, replace typo ECXLUDE with EXCLUDE 2016-12-30 18:47:02 -08:00
Damian Gerow
b444398fab Drop the MSS for GCE instances 2016-12-27 21:59:39 +00:00
Defunct
a9dd0af3fe resolves #176 + other ec2 env issues 2016-12-21 05:55:11 +00:00
Dan Guido
75194675eb closes #175 2016-12-20 20:28:13 -05:00
kennwhite
d2aa52f4e9 UX hint on profile name
Add explicit label for Algo-generated VPNs. If the user has multiple (non-Algo) VPNs for home/office, there is typically a label other than an IP address and "IKEv2". This can be seen, for example, on OSX on the top menu bar for networks.
2016-12-19 15:21:02 -05:00
Jack Ivanov
33b3af540a Fix SSH keys for DigitalOcean 2016-12-19 00:19:26 +03:00
Jack Ivanov
2c9c3ccb09 Fixed #146 2016-12-17 16:36:59 +03:00
Jack Ivanov
cd5b096ab7 DO fix 2016-12-17 15:16:40 +03:00
Jack Ivanov
90cc5fa1f7 some fixes 2016-12-17 14:54:44 +03:00
Jack Ivanov
1d07200c74 generating ssh-keys #152 #151 #112 2016-12-17 14:54:44 +03:00
Jack Ivanov
abf94989fc the password for the CA private key #75 2016-12-15 13:33:29 +03:00
Jack Ivanov
8b0fe4d8f3 Block client-to-client traffic. Fixed #166 2016-12-14 21:54:14 +03:00
Jack Ivanov
ecb6b498b9 unnecessary to use such way. Fixed #162 2016-12-14 19:42:39 +03:00
Jack Ivanov
f1715c4e0b random password for the p12 certificates #135 2016-12-14 18:49:47 +03:00
Jack Ivanov
03c805cb87 reorganize the wait_for functions #159 2016-12-13 21:58:45 +03:00
Jack Ivanov
275663264a ipv6 option is available in ansible 2.2; Fixed #158 2016-12-13 21:12:51 +03:00
Jack Ivanov
37ec574d8d IP_subject_alt_name is not declared for localhost. Fixed #149 2016-12-13 20:46:27 +03:00
Jack Ivanov
517366f194 EC2 fix 2016-12-13 20:34:27 +03:00
Jack Ivanov
50e9dbfce0 draft EC2 #150 #157 2016-12-13 19:50:18 +03:00
Jack Ivanov
981809998c Merge branch 'master' of github.com:trailofbits/algo 2016-12-13 08:44:31 +03:00
kennwhite
016a8c7708 Change default instance to free tier (t2.micro)
I know this is a bit goofy, but the t2.nano is not in the free tier for AWS even though it is smaller than the t2.micro instance. See: https://aws.amazon.com/blogs/aws/ec2-update-t2-nano-instances-now-available/ (the "PS" at the bottom), confirmed on pricing page. The difference is $4.30 per mo vs. free/$8.76 per mo. Maybe add this to config questions, but at least one reviewer has noted this as an issue for his just-setup AWS free account.
2016-12-12 15:14:58 -05:00
Jack Ivanov
0269cafff7 DNS fix 2016-12-12 18:52:34 +03:00
Jack Ivanov
29ef4d45df Merge pull request #144 from trailofbits/ami_latest_image
Sort by latest AMI - resolves #140
2016-12-10 21:56:49 +03:00
Jack Ivanov
c552602724 Azure support #26 2016-12-10 21:26:08 +03:00
Defunct
27e5a4feca Sort by latest AMI - resolves #140 2016-12-09 20:45:12 +00:00
Jack Ivanov
3d53dde6ca Fixed. #137 2016-12-06 20:14:08 +03:00
Jack Ivanov
790bcb2efc Merge branch 'win10_support' #9 2016-11-30 17:00:03 +03:00
Jack Ivanov
8a0c5ab971 Windows support implemented 2016-11-29 23:00:01 +03:00
Jack Ivanov
f6166ccde4 modify ciphers #9 2016-11-29 22:14:18 +03:00
Jack Ivanov
195697a1f0 Merge pull request #131 from trailofbits/ec2updates
EC2 Updates and fixes
2016-11-29 18:48:31 +03:00
Jack Ivanov
ad162f55a2 there were no credentials #127 2016-11-29 18:46:58 +03:00
defunct
e40545cce5 opens #126
This commit reverts changes in 437d659 to avoid breaking changes.
2016-11-27 12:55:05 -05:00
Jack Ivanov
e90b58802d fix in the mobileconfig template 2016-11-27 12:44:05 +03:00
Jack Ivanov
2cb98b4516 Windows RSA support #9 2016-11-27 01:37:17 +03:00
Jack Ivanov
ede452fad4 Merge branch 'master' of github.com:trailofbits/algo 2016-11-26 23:27:25 +03:00
Jack Ivanov
c5860cbc5d Merge pull request #125 from cernekee/tag-fix. Fix #128
Add missing playbook tags
2016-11-26 23:24:43 +03:00
Jack Ivanov
ee95846445 mobileconfig fix 2016-11-26 23:22:12 +03:00
Defunct
d54ba6c7ce Merge branch 'master' into ec2updates 2016-11-26 18:08:14 +00:00
fkt
27ea98e7a8 Show congrats message at the end - #115 2016-11-26 18:05:06 +00:00
Defunct
437d659eb6 resolves #126 - incorrect private key usage w/o ssh-agent 2016-11-26 17:42:46 +00:00
Defunct
1dc6e1a0fa resolves #118 - AWS env keys 2016-11-26 17:39:24 +00:00
Jack Ivanov
047f68df2f Change the site in the congrats handler to whoer.net in order to clarify the message at the end of the install about testing VPN. Fix #110 2016-11-23 20:34:53 +03:00
Kevin Cernekee
433389c0ab Use /var/run/reboot-required to determine if a restart is needed
The current check only looks to see if a new kernel was installed.
2016-11-06 09:45:39 -08:00
Kevin Cernekee
09bbc4058c Add missing tags in common playbook
If the common playbook is invoked with the "cloud" tag, non-cloud
tasks will be skipped.  On GCE this causes "Install tools" to be skipped,
apparmor-utils is not installed, and then the "Enforcing ipsec with
apparmor" step fails.
2016-11-06 09:45:34 -08:00
Jack Ivanov
29de003b2d implemented #109 2016-11-03 18:05:56 +03:00
Jack Ivanov
5383c71499 Fixed #108 2016-11-03 17:21:18 +03:00
Jack Ivanov
d052cb8e77 skip-tags added. Fixed #121 2016-10-28 21:00:11 +03:00
Jack Ivanov
76ea7f67ae extra vars added to use local DNS #110 2016-10-26 18:56:23 +03:00
Jack Ivanov
289807ead4 fix dependencies 2016-10-25 21:33:46 +03:00
Jack Ivanov
d50bd43988 Fix SSH keys permissions 2016-10-24 18:08:58 +03:00
Jack Ivanov
44bc3ead48 set AllowTcpForwarding to local 2016-10-24 17:53:08 +03:00
Dan Guido
c52350030d Merge branch 'master' into docs 2016-10-16 22:01:56 +02:00
Jack Ivanov
d93b7c200f EC2 | Add VPC group #98 and counts #59 2016-10-16 19:24:04 +03:00
Jack Ivanov
0e613f2ff7 fix a typo. #96 closed 2016-10-16 17:38:00 +03:00
Jack Ivanov
8c284a16e3 Done. #96 2016-10-16 17:36:01 +03:00
Jack Ivanov
062426e0ec client configuration templates #43 2016-10-16 15:27:05 +03:00
Dan Guido
1a3a14943c pull in changes from master 2016-10-15 19:26:28 +02:00
Jack Ivanov
fcf29534ba the proxixy filter rules disabled #93 2016-10-14 19:58:55 +03:00
Jack Ivanov
bf5d5e53ac ip6tables fixes 2016-10-14 19:05:39 +03:00
Jack Ivanov
c43ccc3898 iptables moved to the vpn role #61 2016-10-14 18:50:24 +03:00
Dan Guido
bff7c414b2 Initial commit of reorg'd docs 2016-10-13 15:27:06 +02:00
Jack Ivanov
4db428a86e Disable unneeded plugins in StrongSwan #84 2016-10-10 15:42:32 +03:00
Jack Ivanov
2cca45c967 additional tags 2016-10-10 15:32:14 +03:00
Jack Ivanov
ad9d7d6ddb disable dpdtimeout #90 2016-09-26 22:07:34 +03:00
Jack Ivanov
8e0cca6b66 some fixes 2016-09-26 15:43:19 +03:00
Jack Ivanov
dbeb7a13e8 Merge branch 'tags' #80 2016-09-19 20:22:51 +03:00
Jack Ivanov
4d731580b7 linting 2016-09-19 20:18:27 +03:00
Jack Ivanov
fc162728d3 role for local installation 2016-09-19 19:54:45 +03:00
Jack Ivanov
d9441b236a move to tags #80 2016-09-18 13:12:17 +03:00
Jack Ivanov
aa4dcc31d4 gce role to tags 2016-09-18 13:11:30 +03:00
Jack Ivanov
cf5a0f41d3 ec2 role to tags 2016-09-18 13:11:22 +03:00
Jack Ivanov
97ea00056d DO roles to tags 2016-09-18 13:11:10 +03:00
Jack Ivanov
6685642f0b #85 fixed 2016-08-31 11:42:29 +03:00
Jack Ivanov
91688324ce additional functions 2016-08-28 23:19:41 +03:00
Jack Ivanov
ddcee8db18 logging fixes 2016-08-28 23:07:45 +03:00
Jack Ivanov
97a00699b7 new tags 2016-08-28 23:04:59 +03:00
Jack Ivanov
05df4f0c04 unattended-upgrades moved to the security role 2016-08-28 22:11:39 +03:00
Evgeniy Ivanov
4284dd63aa rsyslog moved to the logging role 2016-08-28 22:06:33 +03:00
Jack Ivanov
0cd4084aa4 ssh fixes 2016-08-26 00:47:08 +03:00
Jack Ivanov
00e4bcc1ec security role and SSH fixes #77 2016-08-26 00:35:07 +03:00
Jack Ivanov
8c5f80bf8f linting 2016-08-25 23:59:16 +03:00
Jack Ivanov
57b6c96ba8 SSH fingerprints #77 2016-08-25 23:48:35 +03:00
Jack Ivanov
0945f54366 SSH user-management #77 2016-08-25 23:30:27 +03:00
Jack Ivanov
c19908c9b1 ssh fixes 2016-08-25 23:03:20 +03:00
Jack Ivanov
cf08c5ff61 fix 2016-08-25 22:20:53 +03:00
Dan Guido
27421070b9 linting 2016-08-24 09:22:04 +02:00
Dan Guido
809b62cd33 daemon_reload is an option for systemd, not service 2016-08-24 09:03:29 +02:00
Jack Ivanov
b29f1ab226 service fixed #78 2016-08-24 10:03:19 +03:00
Dan Guido
2fcc3600fd Disable features in the Match block vs main config 2016-08-23 17:03:27 -04:00
Jack Ivanov
1dcfe18055 SSH tunneling role #77 2016-08-23 16:51:06 +03:00
Jack Ivanov
19797bc020 CPU and memory limitations of the services #63 2016-08-23 16:10:42 +03:00
Evgeniy Ivanov
5ecd23c59c type 2016-08-23 09:01:07 +03:00
Evgeniy Ivanov
468d5af23d service fixes 2016-08-23 09:00:32 +03:00
Defunct
50f43dc601 revert systemd changes (2.2 only), indentation normalization; 2016-08-23 02:02:57 +00:00
Evgeniy Ivanov
09c39627d9 Memory limits #63 2016-08-22 23:01:43 +03:00
Evgeniy Ivanov
c51fe5dac0 run charon as non-root user #66 2016-08-21 20:32:31 +03:00
Evgeniy Ivanov
71ad2f570e proxy prompts enabled #70 2016-08-21 19:57:52 +03:00
Evgeniy Ivanov
ba50abce8a make local ip changeable #67 2016-08-21 13:29:53 +03:00
Evgeniy Ivanov
e6090b8245 forwarding #61 2016-08-21 12:51:58 +03:00
Colin Mahns
1fbe1b63f8 HTTPS for domains that support it
hosts-file.net and malwaredomainlist.com have optional TLS, adaway.org forces it server side
2016-08-20 14:48:31 -04:00
Colin Mahns
6c81b86c92 Link to MVPS Hosts file directly
http://www.mvps.org/winhelp2002/hosts.txt redirects to http://winhelp2002.mvps.org/hosts.txt automatically, saves a step
2016-08-20 14:40:33 -04:00
Evgeniy Ivanov
53f60e33d8 random tmp names #64 2016-08-20 17:45:35 +03:00
Evgeniy Ivanov
3864f8104d adblock.sh as an unprivileged user; Store the whitelists in /var/; #64 2016-08-20 17:25:06 +03:00
Evgeniy Ivanov
4b2ae71ffe Tighten the dnsmasq AppArmor policy #62 2016-08-20 16:49:34 +03:00
Evgeniy Ivanov
de06b4fd9e security remarks 2016-08-20 16:24:00 +03:00
Evgeniy Ivanov
b593986b0c SFTP fixed 2016-08-20 16:22:54 +03:00
Evgeniy Ivanov
3fa75a081d new iptables deployment #61 2016-08-20 16:22:14 +03:00
Evgeniy Ivanov
cfc38e3df1 Drop SMB traffic #61 2016-08-20 15:19:46 +03:00
Evgeniy Ivanov
4a6602e877 RSAAuthentication no; Turn off SFTP; Turn off X11 forwarding; #51 2016-08-20 14:14:09 +03:00
Evgeniy Ivanov
16627783f5 Minor updates to the sshd_config #51 2016-08-18 21:35:47 +03:00
Evgeniy Ivanov
f3eb06cfe0 server_name fixes 2016-08-18 12:44:34 +03:00
Evgeniy Ivanov
9eaaf63fa0 server_name fixes 2016-08-18 12:36:54 +03:00
Evgeniy Ivanov
f20d375dc9 IP_subject fixes 2016-08-18 12:32:28 +03:00
Evgeniy Ivanov
a9b10baf1d Some fixes 2016-08-18 12:17:46 +03:00
Evgeniy Ivanov
a1bf2ad5ef flush handlers after loopback configured 2016-08-18 11:22:06 +03:00
Evgeniy Ivanov
7085a594fc p12 moved into playbooks 2016-08-18 11:16:22 +03:00
Evgeniy Ivanov
4f46cc221a Split the features role in two #49 2016-08-17 23:26:21 +03:00
Evgeniy Ivanov
95c43e2211 Split the features role in two #49 2016-08-17 23:26:17 +03:00
Dan Guido
2a8c1adb76 Update main.yml 2016-08-16 23:31:20 -04:00
Dan Guido
52855c9e3f Use the right language for GCE 2016-08-16 00:03:26 -04:00
Dan Guido
0fd0de17d4 rename the cloud roles 2016-08-16 00:00:26 -04:00
Dan Guido
f538ffe4e8 linting 2016-08-15 23:32:44 -04:00
jack
7a8d58783f Roles and Google cloud 2016-08-14 20:03:33 +03:00
jack
e729f0d303 Roles and Google cloud 2016-08-14 20:03:23 +03:00
jack
42e6067e4d Firewall | Google Cloud Engine #27 2016-08-14 16:51:24 +03:00
jack
89758aaec9 Google Cloud Engine #27 2016-08-14 16:36:50 +03:00
jack
3870956f0a google and azure 2016-08-14 14:13:23 +03:00
jack
917b7d6138 Modify user-management function 2016-08-11 23:54:29 +03:00
jack
f6c1309aac non-cloud servers #34 2016-08-11 23:40:07 +03:00
jack
2f66b03880 EC2 Role; Logging Role 2016-08-11 22:36:36 +03:00
jack
fff70293f1 Roles enabled 2016-08-11 11:54:34 +03:00
Dan Guido
e10b1b669f no reason to have roles yet 2016-05-15 11:06:03 -04:00
Dan Guido
041c6da9b0 fix what was here, script runs now 2016-05-15 11:02:13 -04:00
Dan Guido
e8993b06dd initial commit 2016-05-14 23:43:37 -04:00