
@glennschler
Last active April 14, 2022 21:44
Algo VPN configs and scripts
```sh
git clone https://github.com/trailofbits/algo.git
cd algo
```

Create more client usernames in `config.cfg`, and change these values:

- `ipsec_enabled: false`
- `arch: arm64`
- `size: t4g.micro`
- `instance_market_type: spot`

```sh
# Replace the default users (phone/laptop/desktop) with 15 named clients and
# apply the EC2 overrides in place; the untouched file is kept as config.cfg.bak
sed -e '/phone/d' \
 -e '/laptop/d' \
 -e 's/- desktop/- ios-user-01\
  - ios-user-02\
  - ios-user-03\
  - droid-user-01\
  - droid-user-02\
  - droid-user-03\
  - mac-user-01\
  - mac-user-02\
  - mac-user-03\
  - win-user-01\
  - win-user-02\
  - win-user-03\
  - lin-user-01\
  - lin-user-02\
  - lin-user-03/' \
 -r -e 's/(ipsec_enabled: ).*/\1false/' \
 -r -e 's/(size: )t2\.micro/\1t4g.micro/' \
 -r -e 's/(arch: ).*/\1arm64/' \
 -r -e 's/(instance_market_type: ).*/\1spot/' -i.bak config.cfg
```
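The same edits as small reusable functions, added here as an example that is not part of the gist: the user list is generated per platform instead of typed out, each key is rewritten in place with its indentation preserved, and a final check confirms every override landed. It runs on a constructed miniature of algo's `config.cfg` (the sample below is an assumption about layout, not the real file), so it can be tried offline before touching the real one.

```sh
#!/usr/bin/env bash
# Added example, not from the gist: reusable helpers for the config.cfg edits.
# The sample config written below is constructed to mirror the keys the gist's
# sed touches; algo's real config.cfg has many more.

# make_users PLATFORM...: print "  - <platform>-user-NN" for NN = 01..03,
# i.e. the 15 users the gist's sed inserts when called with ios droid mac win lin.
make_users() {
  for p in "$@"; do
    for n in 01 02 03; do
      printf '  - %s-user-%s\n' "$p" "$n"
    done
  done
}

# set_users FILE USERFILE: replace every "  - name" entry under "users:" with
# the lines of USERFILE; other top-level keys are left untouched.
set_users() {
  awk -v userfile="$2" '
    /^users:/ { print; while ((getline l < userfile) > 0) print l; skip = 1; next }
    skip && /^[[:space:]]+- / { next }
    { skip = 0; print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_key FILE KEY NEW [OLD]: rewrite "KEY: OLD" (OLD defaults to any value)
# as "KEY: NEW", keeping the line's indentation; a backup is kept as FILE.bak.
set_key() {
  old=${4:-.*}
  sed -i.bak -E "s/^([[:space:]]*)$2:[[:space:]]*$old\$/\1$2: $3/" "$1"
}

# check_config FILE: 0 only if all four overrides and the 15 users are present.
check_config() {
  grep -Eq '^ipsec_enabled: false$' "$1" &&
  grep -Eq '^[[:space:]]*arch: arm64$' "$1" &&
  grep -Eq '^[[:space:]]*size: t4g\.micro$' "$1" &&
  grep -Eq '^[[:space:]]*instance_market_type: spot$' "$1" &&
  [ "$(grep -c -- '-user-0[1-3]$' "$1")" -eq 15 ]
}

# --- demo on a constructed sample ------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cfg="$work/config.cfg"
cat > "$cfg" <<'EOF'
users:
  - phone
  - laptop
  - desktop
ipsec_enabled: true
cloud_providers:
  ec2:
    size: t2.micro
    arch: x86_64
    instance_market_type: on-demand
EOF

make_users ios droid mac win lin > "$work/users.txt"
set_users "$cfg" "$work/users.txt"
set_key "$cfg" ipsec_enabled false
set_key "$cfg" size t4g.micro 't2\.micro'
set_key "$cfg" arch arm64
set_key "$cfg" instance_market_type spot
check_config "$cfg" && echo "config.cfg overrides verified"
```

Against the real checkout, point `cfg` at `config.cfg` and drop the here-document; `set_key` with the optional OLD argument is what keeps `size:` entries of other cloud providers untouched.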

When debugging CloudFormation stack creation errors, it can help to disable rollback of the stack resources on failure, so whatever was created stays up for inspection:

```sh
# insert "disable_rollback: true" directly under the cloudformation: task key,
# indented at twice the key's own indent (2 spaces -> 4)
sed -ri -e 's/( *)(cloudformation:.*).*/\1\2\n\1\1disable_rollback: true/' roles/cloud-ec2/tasks/cloudformation.yml
```

Review those changes:

```sh
git diff -- config.cfg roles/cloud-ec2/tasks/cloudformation.yml
```
Keep the AWS credentials in an ansible-vault file:

```sh
mkdir vars

# download the empty template
curl -o vars/aws_secrets_.yml https://gist.githubusercontent.com/glennschler/8edcadb6ba5e151898774441dbffb739/raw/_secrets.yml

# or write it by hand (printf, since a bare echo does not expand \n in every shell)
printf 'aws_access_key:\naws_secret_key:\n' > vars/aws_secrets_.yml
# encrypt the plain text file
ansible-vault encrypt vars/aws_secrets_.yml
# edit the vault, to place the real aws secret values
ansible-vault edit vars/aws_secrets_.yml
```
- Use the ansible-vault file to secure the aws secrets:

```sh
./algo --ask-vault-pass -e @vars/aws_secrets_.yml
```

- Another example, using the ansible-vault file to secure the aws secrets, plus passing some variables:

```sh
./algo --ask-vault-pass -e @vars/aws_secrets_.yml -e '{provider: ec2,
  ondemand_cellular: false,
  ondemand_wifi: false,
  dns_adblocking: false,
  ssh_tunneling: false,
  store_pki: false }' -e server_name=algo-$(date +%Y%b%d-%H%M)
```
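A guard against committing `vars/aws_secrets_.yml` before it has been vaulted, added here as an example that is not part of the gist: `ansible-vault encrypt` writes a `$ANSIBLE_VAULT;1.1;AES256` header (1.2 when a vault id is used) on the first line, so a pre-commit check only has to look at that line and, for an unencrypted file, at whether the `aws_*` keys from the template already hold values. The three sample files it runs on are constructed, and the "vaulted" one carries only the header, not real ciphertext.

```sh
#!/usr/bin/env bash
# Added example, not from the gist: check that vars/aws_secrets_.yml has been
# vaulted before it is committed. ansible-vault output starts with a header
# such as "$ANSIBLE_VAULT;1.1;AES256", so the first line is enough to tell.

# is_vaulted FILE: 0 if FILE starts with an ansible-vault header.
is_vaulted() {
  head -n 1 "$1" 2>/dev/null | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# has_plaintext_secret FILE: 0 if an aws_* key carries a non-empty value,
# i.e. the file is no longer the empty template from the gist.
has_plaintext_secret() {
  grep -Eq '^(aws_access_key|aws_secret_key):[[:space:]]*[^[:space:]#]' "$1"
}

# check_secrets_file FILE: 0 when FILE is vaulted or still an empty template,
# 1 when it holds plaintext AWS keys. Suitable as a git pre-commit hook body.
check_secrets_file() {
  if is_vaulted "$1"; then
    return 0
  fi
  if has_plaintext_secret "$1"; then
    echo "refusing: $1 holds plaintext AWS keys; run 'ansible-vault encrypt $1'" >&2
    return 1
  fi
  return 0
}

# --- demo on three constructed files ---------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'aws_access_key:\naws_secret_key:\n' > "$demo_dir/template.yml"
# placeholder values, not real credentials
printf 'aws_access_key: AKIA_PLACEHOLDER\naws_secret_key: SECRET_PLACEHOLDER\n' > "$demo_dir/plain.yml"
# constructed header followed by filler, not real vault ciphertext
printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n' > "$demo_dir/vaulted.yml"

for f in template plain vaulted; do
  if check_secrets_file "$demo_dir/$f.yml" 2>/dev/null; then
    echo "$f.yml: ok to commit"
  else
    echo "$f.yml: blocked"
  fi
done
```

To use it as a hook, put the three functions in `.git/hooks/pre-commit` and end the script with `check_secrets_file vars/aws_secrets_.yml`; a non-zero exit aborts the commit.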

Edit the server's IPv6 firewall rules, then reload them:

```sh
sudo vim /etc/iptables/rules.v6
sudo systemctl restart netfilter-persistent
```

- Debug the MTU from the client while not running the VPN.
- The results below show that 1473 data bytes would be fragmented (the don't-fragment flag makes the send fail instead), so 1472 is the maximum. 1472 + 28 bytes of ICMP and IP headers = 1500 MTU.

```text
❯ ping -c 1 -D -s 1472 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 1472 data bytes
1480 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=78.640 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 78.640/78.640/78.640/0.000 ms

❯ ping -c 1 -D -s 1473 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 1473 data bytes
ping: sendto: Message too long
```
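Rather than hand-picking payload sizes, the search can be automated. The script below is an added example, not part of the gist: it binary-searches the largest payload that still gets through with the don't-fragment bit set and adds the 28 header bytes, which goes beyond the two manual probes above to the general procedure. The probe is passed in as a function, so `offline_probe`, a constructed stand-in that models the 1472-byte result, lets the logic run without a network; `ping_probe` is the real thing, using the gist's `-D` on macOS and, as an assumption of this example, iputils' `-M do` on Linux.

```sh
#!/usr/bin/env bash
# Added example, not from the gist: binary-search the largest ICMP payload
# that still gets through with the don't-fragment bit set, then derive the
# path MTU. The probe is a function argument so the search runs offline too.

# ping_probe SIZE [HOST]: 0 if one DF-marked ping with SIZE payload bytes is
# answered. macOS uses the gist's -D; the Linux iputils flag -M do is an
# assumption of this example.
ping_probe() {
  case "$(uname -s)" in
    Darwin) ping -c 1 -D -s "$1" "${2:-1.1.1.1}" >/dev/null 2>&1 ;;
    *)      ping -c 1 -M do -s "$1" "${2:-1.1.1.1}" >/dev/null 2>&1 ;;
  esac
}

# offline_probe SIZE: constructed stand-in that models the gist's result
# (1472 bytes pass, 1473 fail) so the search can be exercised without network.
offline_probe() { [ "$1" -le 1472 ]; }

# find_max_payload LOW HIGH PROBE: largest SIZE in [LOW, HIGH] for which
# "PROBE SIZE" succeeds, assuming success is monotone (true up to some size).
# Prints the size; prints 0 and returns 1 if even LOW fails.
find_max_payload() {
  lo=$1; hi=$2; probe=$3
  "$probe" "$lo" || { echo 0; return 1; }
  best=$lo
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$mid"; then
      best=$mid; lo=$((mid + 1))     # fits: search upward
    else
      hi=$((mid - 1))                # too big: search downward
    fi
  done
  echo "$best"
}

# payload_to_mtu PAYLOAD: add the 8-byte ICMP header and 20-byte IPv4 header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# --- demo with the constructed probe; swap in ping_probe for a real run ----
max=$(find_max_payload 1200 1500 offline_probe)
echo "largest unfragmented payload: $max bytes -> MTU $(payload_to_mtu "$max")"
```

A real run is `find_max_payload 1200 1500 ping_probe`; the bounds only need to bracket the answer, and the search takes about nine pings for that range.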
- See WireGuard traffic at the server (tcpdump takes one interface after `-i`; use `any` to capture on all of them):

```sh
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
sudo tcpdump -ttttn -i tailscale0 'udp port 51820'

# Very Verbose
sudo tcpdump -evvvttttn -i wg0 'udp port 51820'
```

- See who is connecting to ssh port 4160:

```sh
sudo tcpdump -ttttni any 'tcp port 4160'
```
- procustodibus monitoring (agent install):

```sh
sudo apt install python3-dev make
pip3 install wheel setuptools docopt==0.6.2
curl -L -O https://ad.custodib.us/agents/procustodibus-agent-latest.tar.gz
tar xf procustodibus-agent-*.tar.gz
cd procustodibus-agent-*/
sudo ./install.sh --install
```
`_secrets.yml`, the empty template downloaded above:

```yaml
# required
aws_access_key:
aws_secret_key:
# optional
aws_mfa_serial:
assume_role_arn:
```