Last active
December 26, 2020 17:02
-
-
Save elreydetoda/bac472aef59fc8d47145c4f25330187b to your computer and use it in GitHub Desktop.
Algo vpn Vagrantfile. Simply vagrant up then ./algo, checkout the z-cmds section for easy consumption (z- is prepended so you see the vagrant files first).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- mode: ruby -*- | |
# vi: set ft=ruby : | |
Vagrant.configure("2") do |config| | |
config.vm.box = "bento/ubuntu-18.04" | |
config.vm.provision "shell", inline: <<-SHELL | |
# installing and configure docker stuff | |
curl -fsSL 'https://get.docker.com' | bash | |
sudo usermod -aG docker vagrant | |
# get algo docker stuff | |
docker pull trailofbits/algo:latest | |
# disable MOTD (it's annoying...) | |
sudo chmod -x /etc/update-motd.d/* | |
# installing necessary packages | |
export DEBIAN_FRONTEND='noninteractive' | |
sudo apt-get update && sudo apt-get install -y \ | |
qrencode | |
# putting all following stuff in /vagrant | |
pushd /vagrant | |
# saving default config.cfg | |
curl -OfsSL 'https://raw.githubusercontent.com/trailofbits/algo/master/config.cfg' | |
# checking if configs dir exists | |
# putting in ~vagrant/.bashrc for when user gets in | |
if [[ -d /vagrant/configs ]] ; then | |
# execute with a user update | |
cat >> ~vagrant/.bashrc <<'EOF' | |
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data -e \"ALGO_ARGS=update-users\" \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n' | |
EOF | |
else | |
# all the following happens | |
# execute normally | |
cat >> ~vagrant/.bashrc <<'EOF' | |
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n' | |
EOF | |
fi | |
SHELL | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- mode: ruby -*- | |
# vi: set ft=ruby : | |
Vagrant.configure("2") do |config| | |
config.vm.box = "bento/ubuntu-18.04" | |
config.vm.provision "shell", inline: <<-SHELL | |
# installing and configure docker stuff | |
curl -fsSL 'https://get.docker.com' | bash | |
sudo usermod -aG docker vagrant | |
# get algo docker stuff | |
docker pull trailofbits/algo:latest | |
# disable MOTD (it's annoying...) | |
sudo chmod -x /etc/update-motd.d/* | |
# installing necessary packages | |
export DEBIAN_FRONTEND='noninteractive' | |
sudo apt-get update && sudo apt-get install -y \ | |
qrencode | |
# putting all following stuff in /vagrant | |
pushd /vagrant | |
# saving default config.cfg | |
curl -fsSLo config.cfg 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/z-personal_config.cfg' | |
# checking if configs dir exists | |
# putting in ~vagrant/.bashrc for when user gets in | |
if [[ -d /vagrant/configs ]] ; then | |
# execute with a user update | |
cat >> ~vagrant/.bashrc <<'EOF' | |
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data -e \"ALGO_ARGS=update-users\" \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n' | |
EOF | |
else | |
# all the following happens | |
# execute normally | |
cat >> ~vagrant/.bashrc <<'EOF' | |
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n' | |
EOF | |
fi | |
SHELL | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# if you a vanilla install | |
wget 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile' | |
# if you want my personal config | |
wget -O Vagrantfile 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile.elrey' | |
## my personal config contains the following customizations | |
# - pki_in_tmpfs: false - changed to not be in tmpfs so you can continue to use wireguard for long periods of time (although, cool feature checkout more here: https://github.com/trailofbits/algo/issues/145) | |
# - disables ipsec vpn, to only use wireguard | |
# - sets the wireguard_PersistentKeepalive to 25 to help with NAT Traversal (https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence) | |
# - change ip address to 100.66.0.0/24 so it doesn't clash with internal ips: https://en.wikipedia.org/wiki/Reserved_IP_addresses | |
# - enable unattended_reboot (reboot machine if need to install updates: https://github.com/trailofbits/algo/blob/f8ce1f84a2777f18803d62e4324bbf67989a7450/config.cfg#L99-L103) | |
# - BetweenClients_DROP: false - Allow clients to communicate to each other (to allow you to ssh or rdp to them) | |
# - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# This is the list of users to generate. | |
# Every device must have a unique user. | |
# You can add up to 65,534 new users over the lifetime of an AlgoVPN. | |
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123". | |
# Email addresses are not allowed. | |
users: | |
- phone | |
- laptop | |
- desktop | |
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed. | |
# Change default SSH port for the cloud roles only | |
# It doesn't apply if you deploy to your existing Ubuntu Server | |
ssh_port: 4160 | |
# Deploy StrongSwan to enable IPsec support | |
ipsec_enabled: false | |
# Deploy WireGuard | |
# WireGuard will listen on 51820/UDP. You might need to change to another port | |
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some | |
# mobile data networks. | |
wireguard_enabled: true | |
wireguard_port: 51820 | |
# This feature allows you to configure the Algo server to send outbound traffic | |
# through a different external IP address than the one you are establishing the VPN connection with. | |
# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html | |
# Available for the following cloud providers: | |
# - DigitalOcean | |
alternative_ingress_ip: false | |
# Reduce the MTU of the VPN tunnel | |
# Some cloud and internet providers use a smaller MTU (Maximum Transmission | |
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your | |
# VPN tunnel some network connections will hang. Algo will attempt to set this | |
# automatically based on your server, but if connections hang you might need to | |
# adjust this yourself. | |
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn | |
reduce_mtu: 0 | |
# Algo will use the following lists to block ads. You can add new block lists | |
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at: | |
# /usr/local/sbin/adblock.sh | |
# If you load very large blocklists, you may also have to modify resource limits: | |
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf | |
adblock_lists: | |
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | |
# Enable DNS encryption. | |
# If 'false', 'dns_servers' should be specified below. | |
# DNS encryption can not be disabled if DNS adblocking is enabled | |
dns_encryption: true | |
# Block traffic between connected clients. Change this to false to enable | |
# connected clients to reach each other, as well as other computers on the | |
# same LAN as your Algo server (i.e. the "road warrior" setup). In this | |
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below. | |
BetweenClients_DROP: false | |
# Block SMB/CIFS traffic | |
block_smb: true | |
# Block NETBIOS traffic | |
block_netbios: true | |
# Your Algo server will automatically install security updates. Some updates | |
# require a reboot to take effect but your Algo server will not reboot itself | |
# automatically unless you change 'enabled' below from 'false' to 'true', in | |
# which case a reboot will take place if necessary at the time specified (as | |
# HH:MM) in the time zone of your Algo server. The default time zone is UTC. | |
unattended_reboot: | |
enabled: true | |
time: 03:00 | |
### Advanced users only below this line ### | |
# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple | |
# providers may be specified, but avoid mixing providers that filter results | |
# (like Cisco) with those that don't (like Cloudflare) or you could get | |
# inconsistent results. The list of available public providers can be found | |
# here: | |
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md | |
dnscrypt_servers: | |
ipv4: | |
- cloudflare | |
ipv6: | |
- cloudflare-ipv6 | |
# DNS servers which will be used if 'dns_encryption' is 'false'. | |
# Fallback resolvers for systemd-resolved | |
# The default is to use Cloudflare. | |
dns_servers: | |
ipv4: | |
- 1.1.1.1 | |
- 1.0.0.1 | |
ipv6: | |
- 2606:4700:4700::1111 | |
- 2606:4700:4700::1001 | |
# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false | |
# Supports on MacOS and Linux only (including Windows Subsystem for Linux) | |
pki_in_tmpfs: false | |
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users. | |
keys_clean_all: false | |
# StrongSwan log level | |
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration | |
strongswan_log_level: 2 | |
# rightsourceip for ipsec | |
# ipv4 | |
strongswan_network: 10.48.0.0/16 | |
# ipv6 | |
strongswan_network_ipv6: '2001:db8:4160::/48' | |
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent. | |
# This option will keep the "connection" open in the eyes of NAT. | |
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence | |
wireguard_PersistentKeepalive: 25 | |
# WireGuard network configuration | |
wireguard_network_ipv4: 100.66.0.0/24 | |
wireguard_network_ipv6: 2001:db8:a160::/48 | |
# Randomly generated IP address for the local dns resolver | |
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" | |
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" | |
# Hide sensetive data | |
no_log: true | |
congrats: | |
common: | | |
"# Congratulations! #" | |
"# Your Algo server is running. #" | |
"# Config files and certificates are in the ./configs/ directory. #" | |
"# Go to https://whoer.net/ after connecting #" | |
"# and ensure that all your traffic passes through the VPN. #" | |
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #" | |
p12_pass: | | |
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #" | |
ca_key_pass: | | |
"# The CA key password is {{ CA_password|default(omit) }} #" | |
ssh_access: | | |
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #" | |
SSH_keys: | |
comment: algo@ssh | |
private: configs/algo.pem | |
private_tmp: /tmp/algo-ssh.pem | |
public: configs/algo.pem.pub | |
cloud_providers: | |
azure: | |
size: Standard_B1S | |
image: | |
publisher: Canonical | |
offer: 0001-com-ubuntu-server-focal-daily | |
sku: 20_04-daily-lts | |
version: latest | |
digitalocean: | |
size: s-1vcpu-1gb | |
image: "ubuntu-20-04-x64" | |
ec2: | |
# Change the encrypted flag to "false" to disable AWS volume encryption. | |
encrypted: true | |
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP | |
# Additional prompt will be raised to determine which IP to use | |
use_existing_eip: false | |
size: t2.micro | |
image: | |
name: "ubuntu-focal-20.04" | |
owner: "099720109477" | |
gce: | |
size: f1-micro | |
image: ubuntu-2004-lts | |
external_static_ip: false | |
lightsail: | |
size: nano_2_0 | |
image: ubuntu_20_04 | |
scaleway: | |
size: DEV1-S | |
image: Ubuntu 20.04 Focal Fossa | |
arch: x86_64 | |
hetzner: | |
server_type: cx11 | |
image: ubuntu-20.04 | |
openstack: | |
flavor_ram: ">=512" | |
image: Ubuntu-18.04 | |
cloudstack: | |
size: Micro | |
image: Linux Ubuntu 20.04 LTS 64-bit | |
disk: 10 | |
vultr: | |
os: Ubuntu 20.04 x64 | |
size: 1024 MB RAM,25 GB SSD,1.00 TB BW | |
linode: | |
type: g6-nanode-1 | |
image: linode/ubuntu20.04 | |
local: | |
fail_hint: | |
- Sorry, but something went wrong! | |
- Please check the troubleshooting guide. | |
- https://trailofbits.github.io/algo/troubleshooting.html | |
booleans_map: | |
Y: true | |
y: true | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment