@jimmycuadra
Created April 26, 2017 10:13
algo ansible output
$ ./algo
What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine (only for testing, see issue #369)
5. Install to existing Ubuntu 16.04 server
Enter the number of your desired provider
: 1
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
[pasted values will not be displayed]
:
Name the vpn server:
[algo.local]:
What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
[7]: 4
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]:
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]:
Do you want each user to have their own account for SSH tunneling?
[y/N]:
Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]:
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]:
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]:
PLAY [Configure the server] ****************************************************
TASK [setup] *******************************************************************
ok: [localhost]
TASK [Generate the SSH private key] ********************************************
ok: [localhost -> localhost]
TASK [Generate the SSH public key] *********************************************
ok: [localhost -> localhost]
TASK [Change mode for the SSH private key] *************************************
ok: [localhost -> localhost]
TASK [Ensure the dynamic inventory exists] *************************************
ok: [localhost]
TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] *************
ok: [localhost]
TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ******************
FAILED - RETRYING: TASK: cloud-digitalocean : Delete the existing Algo SSH keys (10 retries left).
ok: [localhost]
TASK [cloud-digitalocean : Upload the SSH key] *********************************
changed: [localhost]
TASK [cloud-digitalocean : Creating a droplet...] ******************************
changed: [localhost]
TASK [cloud-digitalocean : Add the droplet to an inventory group] **************
changed: [localhost]
TASK [cloud-digitalocean : set_fact] *******************************************
ok: [localhost]
TASK [cloud-digitalocean : Tag the droplet] ************************************
changed: [localhost]
TASK [cloud-digitalocean : Get droplets] ***************************************
ok: [localhost]
TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] ***
ok: [localhost]
TASK [cloud-digitalocean : Populate the dynamic inventory] *********************
changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'algo.local', u'backup_ids': [], u'created_at': u'2017-04-25T17:46:57Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'138.68.190.232', u'gateway': u'138.68.176.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2A03:B0C0:0001:00A1:0000:0000:18FE:D001', u'gateway': u'2a03:b0c0:0001:00a1:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams1', u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-04-17T16:04:33Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 24231613, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.29}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u'4gb', u'8gb', u'16gb', u'32gb', u'48gb', u'64gb'], u'slug': u'lon1', u'name': u'London 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent']}, u'disk': 20, u'id': 46891297, u'tags': [u'environment:algo'], u'features': [u'ipv6']})
TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost -> localhost]
TASK [A short pause, in order to be sure the instance is ready] ****************
Pausing for 10 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]
TASK [Ensure the local ssh directory is exist] *********************************
ok: [localhost -> localhost]
TASK [Copy the algo ssh key to the local ssh directory] ************************
ok: [localhost -> localhost]
PLAY [Configure the server and install required software] **********************
TASK [Check the system] ********************************************************
changed: [138.68.190.232]
TASK [Ubuntu | Install prerequisites] ******************************************
changed: [138.68.190.232]
TASK [Ubuntu | Configure defaults] *********************************************
changed: [138.68.190.232]
TASK [FreeBSD / HardenedBSD | Install prerequisites] ***************************
skipping: [138.68.190.232]
TASK [FreeBSD / HardenedBSD | Configure defaults] ******************************
skipping: [138.68.190.232]
TASK [set_fact] ****************************************************************
skipping: [138.68.190.232]
TASK [Gather Facts] ************************************************************
ok: [138.68.190.232]
TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [138.68.190.232]
TASK [Enable IPv6] *************************************************************
ok: [138.68.190.232]
TASK [Set facts if the deployment in a cloud] **********************************
ok: [138.68.190.232]
TASK [Generate password for the CA key] ****************************************
changed: [138.68.190.232 -> localhost]
TASK [Define password facts] ***************************************************
ok: [138.68.190.232]
TASK [Define the commonName] ***************************************************
ok: [138.68.190.232]
TASK [common : Gather Facts] ***************************************************
ok: [138.68.190.232]
TASK [common : Install software updates] ***************************************
changed: [138.68.190.232]
TASK [common : Check if reboot is required] ************************************
changed: [138.68.190.232]
TASK [common : Reboot] *********************************************************
ok: [138.68.190.232]
TASK [common : Wait until SSH becomes ready...] ********************************
ok: [138.68.190.232 -> localhost]
TASK [common : Disable MOTD on login and SSHD] *********************************
changed: [138.68.190.232] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [138.68.190.232] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})
TASK [common : Loopback for services configured] *******************************
changed: [138.68.190.232]
TASK [common : Loopback included into the network config] **********************
changed: [138.68.190.232]
RUNNING HANDLER [common : restart loopback] ************************************
changed: [138.68.190.232]
TASK [common : set_fact] *******************************************************
ok: [138.68.190.232]
TASK [common : set_fact] *******************************************************
skipping: [138.68.190.232]
TASK [common : Loopback included into the rc config] ***************************
skipping: [138.68.190.232]
TASK [common : Enable the gateway features] ************************************
skipping: [138.68.190.232] => (item={u'value': u'"YES"', u'param': u'firewall_enable'})
skipping: [138.68.190.232] => (item={u'value': u'"open"', u'param': u'firewall_type'})
skipping: [138.68.190.232] => (item={u'value': u'"YES"', u'param': u'gateway_enable'})
skipping: [138.68.190.232] => (item={u'value': u'"YES"', u'param': u'natd_enable'})
skipping: [138.68.190.232] => (item={u'value': u'""', u'param': u'natd_interface'})
skipping: [138.68.190.232] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'})
TASK [common : Install tools] **************************************************
changed: [138.68.190.232] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])
TASK [common : Sysctl tuning] **************************************************
changed: [138.68.190.232] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [138.68.190.232] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [138.68.190.232] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})
TASK [vpn : Ensure that the strongswan group exist] ****************************
changed: [138.68.190.232]
TASK [vpn : Ensure that the strongswan user exist] *****************************
changed: [138.68.190.232]
TASK [vpn : set_fact] **********************************************************
ok: [138.68.190.232]
TASK [vpn : Ubuntu | Install strongSwan] ***************************************
changed: [138.68.190.232]
TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
skipping: [138.68.190.232] => (item=/usr/lib/ipsec/charon)
skipping: [138.68.190.232] => (item=/usr/lib/ipsec/lookip)
skipping: [138.68.190.232] => (item=/usr/lib/ipsec/stroke)
TASK [vpn : Ubuntu | Enable services] ******************************************
ok: [138.68.190.232] => (item=apparmor)
ok: [138.68.190.232] => (item=strongswan)
ok: [138.68.190.232] => (item=netfilter-persistent)
TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
changed: [138.68.190.232]
TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
changed: [138.68.190.232]
TASK [vpn : Iptables configured] ***********************************************
changed: [138.68.190.232] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})
TASK [vpn : Iptables configured] ***********************************************
changed: [138.68.190.232] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})
TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] ********
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] ***************
skipping: [138.68.190.232] => (item=IPSEC)
skipping: [138.68.190.232] => (item=IPSEC_NAT_T)
skipping: [138.68.190.232] => (item=crypto)
TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] ********************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] ********
skipping: [138.68.190.232] => (item=options IPSEC)
skipping: [138.68.190.232] => (item=options IPSEC_NAT_T)
skipping: [138.68.190.232] => (item=device crypto)
TASK [vpn : HardenedBSD | Determine the sources] *******************************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD | Determine the sources] ***********************************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] **********
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Reboot] ************************************
skipping: [138.68.190.232]
TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] *************************
skipping: [138.68.190.232]
TASK [vpn : Install strongSwan] ************************************************
ok: [138.68.190.232]
TASK [vpn : Get StrongSwan versions] *******************************************
changed: [138.68.190.232]
TASK [vpn : Setup the config files from our templates] *************************
changed: [138.68.190.232] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [138.68.190.232] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [138.68.190.232] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
TASK [vpn : Get loaded plugins] ************************************************
changed: [138.68.190.232]
TASK [vpn : Disable unneeded plugins] ******************************************
skipping: [138.68.190.232] => (item=pem)
skipping: [138.68.190.232] => (item=sha2)
skipping: [138.68.190.232] => (item=hmac)
changed: [138.68.190.232] => (item=sshkey)
changed: [138.68.190.232] => (item=constraints)
changed: [138.68.190.232] => (item=dnskey)
skipping: [138.68.190.232] => (item=pubkey)
skipping: [138.68.190.232] => (item=x509)
changed: [138.68.190.232] => (item=attr)
changed: [138.68.190.232] => (item=pkcs1)
changed: [138.68.190.232] => (item=connmark)
skipping: [138.68.190.232] => (item=stroke)
changed: [138.68.190.232] => (item=rc2)
skipping: [138.68.190.232] => (item=gcm)
changed: [138.68.190.232] => (item=agent)
changed: [138.68.190.232] => (item=xcbc)
skipping: [138.68.190.232] => (item=nonce)
skipping: [138.68.190.232] => (item=pgp)
skipping: [138.68.190.232] => (item=revocation)
skipping: [138.68.190.232] => (item=pkcs8)
changed: [138.68.190.232] => (item=test-vectors)
changed: [138.68.190.232] => (item=md4)
skipping: [138.68.190.232] => (item=kernel-netlink)
changed: [138.68.190.232] => (item=md5)
skipping: [138.68.190.232] => (item=pkcs7)
changed: [138.68.190.232] => (item=fips-prf)
skipping: [138.68.190.232] => (item=openssl)
changed: [138.68.190.232] => (item=updown)
changed: [138.68.190.232] => (item=resolve)
skipping: [138.68.190.232] => (item=pkcs12)
skipping: [138.68.190.232] => (item=socket-default)
skipping: [138.68.190.232] => (item=aes)
skipping: [138.68.190.232] => (item=random)
changed: [138.68.190.232] => (item=gmp)
changed: [138.68.190.232] => (item=sha1)
TASK [vpn : Ensure that required plugins are enabled] **************************
changed: [138.68.190.232] => (item=pem)
changed: [138.68.190.232] => (item=sha2)
changed: [138.68.190.232] => (item=hmac)
skipping: [138.68.190.232] => (item=sshkey)
skipping: [138.68.190.232] => (item=constraints)
skipping: [138.68.190.232] => (item=dnskey)
changed: [138.68.190.232] => (item=pubkey)
changed: [138.68.190.232] => (item=x509)
skipping: [138.68.190.232] => (item=attr)
skipping: [138.68.190.232] => (item=pkcs1)
skipping: [138.68.190.232] => (item=connmark)
changed: [138.68.190.232] => (item=stroke)
skipping: [138.68.190.232] => (item=rc2)
changed: [138.68.190.232] => (item=gcm)
skipping: [138.68.190.232] => (item=agent)
skipping: [138.68.190.232] => (item=xcbc)
changed: [138.68.190.232] => (item=nonce)
changed: [138.68.190.232] => (item=pgp)
changed: [138.68.190.232] => (item=revocation)
changed: [138.68.190.232] => (item=pkcs8)
skipping: [138.68.190.232] => (item=test-vectors)
skipping: [138.68.190.232] => (item=md4)
changed: [138.68.190.232] => (item=kernel-netlink)
skipping: [138.68.190.232] => (item=md5)
changed: [138.68.190.232] => (item=pkcs7)
skipping: [138.68.190.232] => (item=fips-prf)
changed: [138.68.190.232] => (item=openssl)
skipping: [138.68.190.232] => (item=updown)
skipping: [138.68.190.232] => (item=resolve)
changed: [138.68.190.232] => (item=pkcs12)
changed: [138.68.190.232] => (item=socket-default)
changed: [138.68.190.232] => (item=aes)
changed: [138.68.190.232] => (item=random)
skipping: [138.68.190.232] => (item=gmp)
skipping: [138.68.190.232] => (item=sha1)
TASK [vpn : Ensure the pki directory is not exist] *****************************
skipping: [138.68.190.232]
TASK [vpn : Ensure the pki directories are exist] ******************************
changed: [138.68.190.232 -> localhost] => (item=ecparams)
changed: [138.68.190.232 -> localhost] => (item=certs)
changed: [138.68.190.232 -> localhost] => (item=crl)
changed: [138.68.190.232 -> localhost] => (item=newcerts)
changed: [138.68.190.232 -> localhost] => (item=private)
changed: [138.68.190.232 -> localhost] => (item=reqs)
TASK [vpn : Ensure the files are exist] ****************************************
changed: [138.68.190.232 -> localhost] => (item=.rnd)
changed: [138.68.190.232 -> localhost] => (item=private/.rnd)
changed: [138.68.190.232 -> localhost] => (item=index.txt)
changed: [138.68.190.232 -> localhost] => (item=index.txt.attr)
changed: [138.68.190.232 -> localhost] => (item=serial)
TASK [vpn : Generate the openssl server configs] *******************************
changed: [138.68.190.232 -> localhost]
TASK [vpn : Build the CA pair] *************************************************
changed: [138.68.190.232 -> localhost]
TASK [vpn : Copy the CA certificate] *******************************************
changed: [138.68.190.232 -> localhost]
TASK [vpn : Generate the serial number] ****************************************
changed: [138.68.190.232 -> localhost]
TASK [vpn : Build the server pair] *********************************************
changed: [138.68.190.232 -> localhost]
TASK [vpn : Build the client's pair] *******************************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Build the client's p12] ********************************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Copy the p12 certificates] *****************************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Copy the keys to the strongswan directory] *************************
changed: [138.68.190.232] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/138.68.190.232/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [138.68.190.232] => (item={u'dest': u'/etc/ipsec.d/certs/138.68.190.232.crt', u'src': u'configs/138.68.190.232/pki/certs/138.68.190.232.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [138.68.190.232] => (item={u'dest': u'/etc/ipsec.d/private/138.68.190.232.key', u'src': u'configs/138.68.190.232/pki/private/138.68.190.232.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
TASK [vpn : Register p12 PayloadContent] ***************************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Set facts for mobileconfigs] ***************************************
ok: [138.68.190.232]
TASK [vpn : Build the mobileconfigs] *******************************************
changed: [138.68.190.232 -> localhost] => (item=(censored due to no_log))
changed: [138.68.190.232 -> localhost] => (item=(censored due to no_log))
TASK [vpn : Build the strongswan app android config] ***************************
changed: [138.68.190.232 -> localhost] => (item=(censored due to no_log))
changed: [138.68.190.232 -> localhost] => (item=(censored due to no_log))
TASK [vpn : Build the client ipsec config file] ********************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Build the client ipsec secret file] ********************************
changed: [138.68.190.232 -> localhost] => (item=user1)
changed: [138.68.190.232 -> localhost] => (item=user2)
TASK [vpn : Build the windows client powershell script] ************************
skipping: [138.68.190.232] => (item=user1)
skipping: [138.68.190.232] => (item=user2)
TASK [vpn : Restrict permissions for the local private directories] ************
changed: [138.68.190.232 -> localhost] => (item=configs/138.68.190.232)
RUNNING HANDLER [vpn : restart strongswan] *************************************
changed: [138.68.190.232]
RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [138.68.190.232]
RUNNING HANDLER [vpn : restart iptables] ***************************************
changed: [138.68.190.232]
TASK [vpn : strongSwan started] ************************************************
ok: [138.68.190.232]
TASK [debug] *******************************************************************
ok: [138.68.190.232] => {
"msg": [
[
"\"# Congratulations! #\"",
"\"# Your Algo server is running. #\"",
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver 172.16.0.1 #\"",
""
],
" \"# The p12 and SSH keys password is REDACTED #\"\n",
" ",
" \"# Shell access: ssh -i configs/algo.pem root@138.68.190.232 #\"\n"
]
}
TASK [Delete the CA key] *******************************************************
changed: [138.68.190.232 -> localhost]
PLAY RECAP *********************************************************************
138.68.190.232 : ok=61 changed=45 unreachable=0 failed=0
localhost : ok=19 changed=5 unreachable=0 failed=0