Refactoring (#1334)

## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ |-- ipsec | |-- apple | | |-- desktop.mobileconfig | | |-- laptop.mobileconfig | | `-- phone.mobileconfig | |-- manual | | |-- cacert.pem | | |-- desktop.p12 | | |-- desktop.ssh.pem | | |-- ipsec_desktop.conf | | |-- ipsec_desktop.secrets | | |-- ipsec_laptop.conf | | |-- ipsec_laptop.secrets | | |-- ipsec_phone.conf | | |-- ipsec_phone.secrets | | |-- laptop.p12 | | |-- laptop.ssh.pem | | |-- phone.p12 | | `-- phone.ssh.pem | `-- windows | |-- desktop.ps1 | |-- laptop.ps1 | `-- phone.ps1 |-- ssh-tunnel | |-- desktop.pem | |-- desktop.pub | |-- laptop.pem | |-- laptop.pub | |-- phone.pem | |-- phone.pub | `-- ssh_config `-- wireguard |-- desktop.conf |-- desktop.png |-- laptop.conf |-- laptop.png |-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes  - [x] Refactoring ## Checklist:   - [x] I have read the **CONTRIBUTING** document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed.
trailofbits · Mar 10, 2019 · 273c766 · 273c766
1 parent 7e7476e
commit 273c766
Show file tree

Hide file tree

Showing 42 changed files with 360 additions and 365 deletions.
diff --git a/README.md b/README.md
@@ -123,9 +123,9 @@ Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets,
 #### Ubuntu Server 18.04 example
 
 1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
-2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/pki/certs/<name>.crt`
-3. `/etc/ipsec.d/private`: copy `<name>.key` from `algo-master/configs/<server_ip>/pki/private/<name>.key`
-4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs/<server_ip>/pki/cacert.pem`
+2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`
+3. `/etc/ipsec.d/private`: copy `<name>.key` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.key`
+4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs/<server_ip>/ipsec/manual/cacert.pem`
 5. `/etc/ipsec.secrets`: add your `user.key` to the list, e.g. `<server_ip> : ECDSA <name>.key`
 6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and ensure `leftcert` matches the `<name>.crt` filename
 7. `sudo ipsec restart`: pick up config changes
@@ -160,7 +160,7 @@ If you turned on the optional SSH tunneling role, then local user accounts will
 
 Use the example command below to start an SSH tunnel by replacing `user` and `ip` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
 
- `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem`
+ `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/<server_ip>/ssh-tunnel/<user>.pem`
 
 ## SSH into Algo Server
 

diff --git a/config.cfg b/config.cfg
@@ -18,8 +18,14 @@ keys_clean_all: False
 # Clean up cloud python environments
 clean_environment: false
 
-vpn_network: 10.19.48.0/24
-vpn_network_ipv6: 'fd9d:bc11:4020::/48'
+# Deploy StrongSwan to enable IPsec support
+ipsec_enabled: true
+
+# StrongSwan log level
+# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
+strongswan_log_level: 2
+
+# Deploy WireGuard
 wireguard_enabled: true
 wireguard_port: 51820
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
@@ -36,10 +42,6 @@ wireguard_PersistentKeepalive: 0
 # See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
 reduce_mtu: 0
 
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-strongswan_log_level: 2
-
 # Algo will use the following lists to block ads. You can add new block lists
 # after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
 # /usr/local/sbin/adblock.sh
@@ -90,10 +92,6 @@ unattended_reboot:
   enabled: false
   time: 06:00
 
-pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
-VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
-CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
-
 # Block traffic between connected clients
 BetweenClients_DROP: true
 

diff --git a/input.yml b/input.yml
@@ -48,30 +48,45 @@
       when:
         - server_name is undefined
         - algo_provider != "local"
+    - block:
+      - pause:
+          prompt: |
+            Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
+            [y/N]
+        register: _ondemand_cellular
+        when: ondemand_cellular is undefined
 
-    - pause:
-        prompt: |
-          Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
-          [y/N]
-      register: _ondemand_cellular
-      when: ondemand_cellular is undefined
+      - pause:
+          prompt: |
+            Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
+            [y/N]
+        register: _ondemand_wifi
+        when: ondemand_wifi is undefined
 
-    - pause:
-        prompt: |
-          Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
-          [y/N]
-      register: _ondemand_wifi
-      when: ondemand_wifi is undefined
+      - pause:
+          prompt: |
+            List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
+            (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
+        register: _ondemand_wifi_exclude
+        when:
+          - ondemand_wifi_exclude is undefined
+          - (ondemand_wifi|default(false)|bool) or
+            (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
 
-    - pause:
-        prompt: |
-          List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
-          (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
-      register: _ondemand_wifi_exclude
-      when:
-        - ondemand_wifi_exclude is undefined
-        - (ondemand_wifi|default(false)|bool) or
-          (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
+      - pause:
+          prompt: |
+            Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
+            [y/N]
+        register: _windows
+        when: windows is undefined
+
+      - pause:
+          prompt: |
+            Do you want to retain the CA key? (required to add users in the future, but less secure)
+            [y/N]
+        register: _store_cakey
+        when: store_cakey is undefined
+      when: ipsec_enabled
 
     - pause:
         prompt: |
@@ -87,20 +102,6 @@
       register: _ssh_tunneling
       when: ssh_tunneling is undefined
 
-    - pause:
-        prompt: |
-          Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
-          [y/N]
-      register: _windows
-      when: windows is undefined
-
-    - pause:
-        prompt: |
-          Do you want to retain the CA key? (required to add users in the future, but less secure)
-          [y/N]
-      register: _store_cakey
-      when: store_cakey is undefined
-
     - name: Set facts based on the input
       set_fact:
         algo_server_name: >-

diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml
@@ -9,7 +9,7 @@
     groups: vpn-host
     ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
     ansible_ssh_user: "{{ ansible_ssh_user }}"
-    ansible_python_interpreter: "/usr/bin/python2.7"
+    ansible_python_interpreter: "/usr/bin/python3"
     algo_provider: "{{ algo_provider }}"
     algo_server_name: "{{ algo_server_name }}"
     algo_ondemand_cellular: "{{ algo_ondemand_cellular }}"

diff --git a/playbooks/win_script_rebuild.yml b/playbooks/win_script_rebuild.yml
diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml
@@ -50,11 +50,11 @@
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
   with_items:
-    - src: "configs/{{ IP_subject_alt_name }}/pki/certs/{{ vpn_user }}.crt"
+    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt"
       dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
-    - src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
+    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem"
       dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
-    - src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ vpn_user }}.key"
+    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key"
       dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
   notify:
     - restart strongswan
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
@@ -19,3 +19,9 @@
     ifconfig lo100 create &&
     ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 &&
     ifconfig lo100 inet6 FCAA::1/64; echo $?
+
+- name: save iptables
+  shell: service netfilter-persistent save
+
+- name: restart iptables
+  service: name=netfilter-persistent state=restarted
diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml
@@ -1,4 +1,16 @@
 ---
+- name: FreeBSD | Install prerequisites
+  package:
+    name:
+      - python3
+      - sudo
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python2.7
+
+- name: Set python3 as the interpreter to use
+  set_fact:
+    ansible_python_interpreter: /usr/local/bin/python3
+
 - name: Gather facts
   setup:
 
@@ -15,7 +27,6 @@
     strongswan_additional_plugins:
       - kernel-pfroute
       - kernel-pfkey
-    ansible_python_interpreter: /usr/local/bin/python2.7
     tools:
       - git
       - subversion

diff --git a/roles/vpn/tasks/iptables.yml → roles/common/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml → roles/common/tasks/iptables.yml
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
@@ -1,24 +1,4 @@
 ---
-- block:
-  - name: Ubuntu | Install prerequisites
-    apt:
-      name: "{{ item }}"
-      update_cache: true
-    with_items:
-      - python2.7
-      - sudo
-
-  - name: Ubuntu | Configure defaults
-    alternatives:
-      name: python
-      link: /usr/bin/python
-      path: /usr/bin/python2.7
-      priority: 1
-    tags:
-      - update-alternatives
-  vars:
-    ansible_python_interpreter: /usr/bin/python3
-
 - name: Gather facts
   setup:
 
@@ -115,15 +95,20 @@
         value: 1
 
 - name: Install tools
-  package: name="{{ item }}" state=present
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
   with_items:
     - "{{ tools|default([]) }}"
 
 - name: Install headers
   apt:
-    name: "{{ item }}"
+    name:
+      - linux-headers-generic
+      - "linux-headers-{{ ansible_kernel }}"
     state: present
   when: install_headers
-  with_items:
-    - linux-headers-generic
-    - "linux-headers-{{ ansible_kernel }}"
+
+- include_tasks: iptables.yml
+  tags: iptables