mirror of
https://github.com/trailofbits/algo
synced 2024-11-18 09:25:38 +00:00
8bdd99c05d
* bump ansible to 2.8.3 * DigitalOcean: move to the latest modules * Add Hetzner Cloud * Scaleway and Lightsail fixes * lint missing roles * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Try to run apt until succeeded * Scaleway modules upgrade * GCP: Refactoring, remove deprecated modules * Doc updates (#1552) * Update README.md Adding links and mentions of Exoscale aka CloudStack and Hetzner Cloud. * Update index.md Add the Hetzner Cloud to the docs index * Remove link to Win 10 IPsec instructions * Delete client-windows.md Unnecessary since the deprecation of IPsec for Win10. * Update deploy-from-ansible.md Added sections and required variables for CloudStack and Hetzner Cloud. * Update deploy-from-ansible.md Added sections for CloudStack and Hetzner, added req variables and examples, mentioned environment variables, and added links to the provider role section. * Update deploy-from-ansible.md Cosmetic changes to links, fix typo. * Update GCE variables * Update deploy-from-script-or-cloud-init-to-localhost.md Fix a finer point, and make variables list more readable. * update azure requirements * Python3 draft * set LANG=c to the p12 password generation task * Update README * Install cloud requirements to the existing venv * FreeBSD fix * env->.env fixes * lightsail_region_facts fix * yaml syntax fix * Update README for Python 3 (#1564) * Update README for Python 3 * Remove tabs and tweak instructions * Remove cosmetic command indentation * Update README.md * Update README for Python 3 (#1565) * DO fix for "found unpermitted parameters: id" * Verify Python version * Remove ubuntu 16.04 from readme * Revert back DigitalOcean module * Update deploy-from-script-or-cloud-init-to-localhost.md * env to .env
2.0 KiB
2.0 KiB
Linux strongSwan IPsec Clients (e.g., OpenWRT, Ubuntu Server, etc.)
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
Ubuntu Server example
sudo apt-get install strongswan libstrongswan-standard-plugins: install strongSwan/etc/ipsec.d/certs: copy<name>.crtfromalgo-master/configs/<server_ip>/ipsec/manual/<name>.crt/etc/ipsec.d/private: copy<name>.keyfromalgo-master/configs/<server_ip>/ipsec/manual/<name>.key/etc/ipsec.d/cacerts: copycacert.pemfromalgo-master/configs/<server_ip>/ipsec/manual/cacert.pem/etc/ipsec.secrets: add youruser.keyto the list, e.g.<server_ip> : ECDSA <name>.key/etc/ipsec.conf: add the connection fromipsec_user.confand ensureleftcertmatches the<name>.crtfilenamesudo ipsec restart: pick up config changessudo ipsec up <conn-name>: start the ipsec tunnelsudo ipsec down <conn-name>: shutdown the ipsec tunnel
One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to /etc/ipsec.conf:
conn lan-passthrough
leftsubnet=192.168.1.1/24 # Replace with your LAN subnet
rightsubnet=192.168.1.1/24 # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
To configure the connection to come up at boot time replace auto=add with auto=start.
Notes on SELinux
If you use a system with SELinux enabled you might need to set appropriate file contexts:
semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
restorecon -R -v $(pwd)
See this comment.