Deprecate IKEv2 for Windows (#1521)

* Windows to WireGuard

* Add note about WireGuard

* change wireguard faq

* Clarify Windows instructions

* Correct Wireguard description

* Update README.md

Author: jackivanov

README.md

@@ -63,7 +63,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
     ```
     On macOS, you may be prompted to install `cc`. You should press accept if so.
 
-5. **List the users to create.** Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. If you want to be able to add or delete users later, you **must** select `yes` for the `Do you want to retain the CA key?` prompt during the deployment.
+5. **List the users to create.** Open `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. If you want to be able to add or delete users later, you **must** select `yes` for the `Do you want to retain the CA key?` prompt during the deployment. Make a unique user for each device you plan to setup.
 
 6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in [deploy-from-ansible.md](docs/deploy-from-ansible.md).
 
@@ -105,14 +105,11 @@ If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect o
 
 WireGuard is used to provide VPN services on Android. Install the [WireGuard VPN Client](https://play.google.com/store/apps/details?id=com.wireguard.android). Import the corresponding `wireguard/<name>.conf` file to your device, then setup a new connection with it. See the [Android setup instructions](/docs/client-android.md) for more detailed walkthrough.
 
-### Windows 10
+### Windows
 
-Copy your PowerShell script `windows_{username}.ps1` to the Windows client and run the following command as Administrator to configure the VPN connection.
-```
-powershell -ExecutionPolicy ByPass -File windows_{username}.ps1 -Add
-```
+WireGuard is used to provide VPN services on Windows. Algo generates a WireGuard configuration file, `wireguard/<username>.conf`, for each user defined in `config.cfg`.
 
-For a manual installation, see the [Windows setup instructions](/docs/client-windows.md).
+Install the [WireGuard VPN Client](https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019). Import the generated `wireguard/<username>.conf` file to your device, then setup a new connection with it.
 
 ### Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)
 
@@ -149,12 +146,13 @@ To configure the connection to come up at boot time replace `auto=add` with `aut
 
 Depending on the platform, you may need one or multiple of the following files.
 
-* cacert.pem: CA Certificate
-* user.mobileconfig: Apple Profile
-* user.p12: User Certificate and Private Key (in PKCS#12 format)
-* ipsec_user.conf: strongSwan client configuration
-* ipsec_user.secrets: strongSwan client configuration
-* windows_user.ps1: Powershell script to help setup a VPN connection on Windows
+* ipsec/manual/cacert.pem: CA Certificate
+* ipsec/manual/<user>.p12: User Certificate and Private Key (in PKCS#12 format)
+* ipsec/manual/<user>.conf: strongSwan client configuration
+* ipsec/manual/<user>.secrets: strongSwan client configuration
+* ipsec/apple/<user>.mobileconfig: Apple Profile
+* wireguard/<user>.conf: WireGuard configuration profile
+* wireguard/<user>.png: WireGuard configuration QR code
 
 ## Setup an SSH Tunnel
 

docs/client-windows.md

@@ -1,72 +1,6 @@
-# Windows client manual setup
+# Windows client setup
 
-## Automatic installation
+## Installation via profiles
 
-To install automatically, use the generated user Powershell script.
-
-1. Copy the user PowerShell script (`windows_USER.ps1`) to the client computer.
-2. Open Powershell as Administrator.
-3. Run the following command:
-```powershell
-powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add
-```
-
-If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, pass the parameter `-AllUsers`
-
-```powershell
-powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add -AllUsers
-```
-
-4. The command has help information available. To view its full help, run this from Powershell:
-```powershell
-Get-Help -Name .\windows_USER.ps1 -Full | more
-```
-
-## Manual installation
-
-1. Copy the CA certificate (`cacert.pem`) and user certificate (`USER.p12`) to the client computer
-2. Open PowerShell as Administrator. Navigate to your copied files.
-3. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run.
-
-```powershell
-Set-ExecutionPolicy Unrestricted -Scope Process
-```
-
-4. In the same window, run the necessary commands to install the certificates and create the VPN configuration. Note the lines at the top defining the VPN address, USER.p12 file location, and CA certificate location - change those lines to the IP address of your Algo server and the location you saved those two files. Also note that it will prompt for the "User p12 password", which is printed at the end of a successful Algo deployment.
-
-If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, then insert the line `AllUserConnection = $true` after `$EncryptionLevel = "Required"`.
-
-```powershell
-$VpnServerAddress = "1.2.3.4"
-$UserP12Path = "$Home\Downloads\USER.p12"
-$CaCertPath = "$Home\Downloads\cacert.pem"
-$VpnName = "Algo VPN $VpnServerAddress IKEv2"
-$p12Pass = Read-Host -AsSecureString -Prompt "User p12 password"
-
-Import-PfxCertificate -FilePath $UserP12Path -CertStoreLocation Cert:\LocalMachine\My -Password $p12Pass
-Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root
-
-$addVpnParams = @{
-    Name = $VpnName
-    ServerAddress = $VpnServerAddress
-    TunnelType = "IKEv2"
-    AuthenticationMethod = "MachineCertificate"
-    EncryptionLevel = "Required"
-}
-Add-VpnConnection @addVpnParams
-
-$setVpnParams = @{
-    ConnectionName = $VpnName
-    AuthenticationTransformConstants = "GCMAES256"
-    CipherTransformConstants = "GCMAES256"
-    EncryptionMethod = "AES256"
-    IntegrityCheckMethod = "SHA384"
-    DHGroup = "ECP384"
-    PfsGroup = "ECP384"
-    Force = $true
-}
-Set-VpnConnectionIPsecConfiguration @setVpnParams
-
-```
-
-Your VPN is now installed and ready to use.
+1. Install the [WireGuard VPN Client](https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019) and start it.
+2. Import the corresponding `wireguard/<name>.conf` file to your device, then setup a new connection with it.

docs/cloud-do.md

@@ -86,7 +86,6 @@ ansible-playbook main.yml -e "provider=digitalocean
                                 ondemand_wifi=true
                                 dns_adblocking=false
                                 ssh_tunneling=false
-                                windows=false
                                 store_pki=true
                                 region=nyc3
                                 do_token=token"

docs/deploy-from-ansible.md

@@ -15,7 +15,6 @@ ansible-playbook main.yml -e "provider=digitalocean
                                 ondemand_wifi=false
                                 dns_adblocking=true
                                 ssh_tunneling=true
-                                windows=false
                                 store_pki=true
                                 region=ams3
                                 do_token=token"
@@ -32,7 +31,6 @@ See below for more information about variables and roles.
 - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values
 - `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: false
 - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false
-- `windows` - (Optional) Enables compatible ciphers and key exchange to support Windows clients, less secure. Default: false
 - `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false
 
 If any of the above variables are unspecified, ansible will ask the user to input them.
@@ -57,7 +55,7 @@ Server roles:
   * Installs [strongSwan](https://www.strongswan.org/)
   * Enables AppArmor, limits CPU and memory access, and drops user privileges
   * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
-  * Bundles the appropriate certificates into Apple mobileconfig profiles and Powershell scripts for each user
+  * Bundles the appropriate certificates into Apple mobileconfig profiles for each user
 - role: dns_adblocking
   * Installs DNS encryption through [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) with blacklists to be updated daily from `adblock_lists` in `config.cfg` - note this will occur even if `dns_encryption` in `config.cfg` is set to `false`
   * Constrains dnscrypt-proxy with AppArmor and cgroups CPU and memory limitations

docs/deploy-from-fedora-workstation.md

@@ -71,7 +71,7 @@ Some steps are needed before we can deploy our Algo VPN server.
 ### Check `pip`
 
 Run `pip -v` and check the python version it is using:
- 
+
 ````
 $ pip -V
 pip 19.0.3 from /usr/lib/python2.7/site-packages (python 2.7)
@@ -99,7 +99,6 @@ We can now deploy our server by running:
 ./algo
 ````
 
-Ensure to allow Windows / Linux clients when going through the config options.
 Note the IP and password of the newly created Algo VPN server and store it safely.
 
 If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](client-linux.md).

docs/deploy-from-script-or-cloud-init-to-localhost.md

@@ -18,7 +18,6 @@ The command will prepare the environment and install AlgoVPN with the default pa
 `ONDEMAND_CELLULAR` - "Connect On Demand" when connected to cellular networks. Boolean. Default: false.
 `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false.
 `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
-`WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false.
 `STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false.
 `DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false.
 `SSH_TUNNELING` -  Enable SSH tunneling for each user. Default: false.
@@ -36,7 +35,6 @@ The command will prepare the environment and install AlgoVPN with the default pa
 ```
 #!/bin/bash
 export ONDEMAND_CELLULAR=true
-export WINDOWS=true
 export SSH_TUNNELING=true
 curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
 ```

docs/faq.md

@@ -16,6 +16,10 @@
 
 No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk. If you find a security issue of any severity, please [contact us on Slack](https://empireslacking.herokuapp.com).
 
+## What's the current status of WireGuard?
+
+[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available.
+
 ## Why aren't you using Tor?
 
 The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://web.archive.org/web/20150705184539/https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/).

docs/troubleshooting.md

@@ -29,8 +29,6 @@ First of all, check [this](https://github.com/trailofbits/algo#features) and ens
      * [Various websites appear to be offline through the VPN](#various-websites-appear-to-be-offline-through-the-vpn)
      * [Clients appear stuck in a reconnection loop](#clients-appear-stuck-in-a-reconnection-loop)
      * [Wireguard: clients can connect on Wifi but not LTE](#wireguard-clients-can-connect-on-wifi-but-not-lte)
-     * ["Error 809" or IKE_AUTH requests that never make it to the server](#error-809-or-ike_auth-requests-that-never-make-it-to-the-server)
-     * [Windows: Parameter is incorrect](#windows-parameter-is-incorrect)
      * [IPsec: Difficulty connecting through router](#ipsec-difficulty-connecting-through-router)
   * [I have a problem not covered here](#i-have-a-problem-not-covered-here)
 
@@ -229,7 +227,7 @@ You tried to deploy Algo from Windows and you received an error like this one:
 
 ```
 TASK [cloud-azure : Create an instance].
-fatal: [localhost]: FAILED! => {"changed": false, 
+fatal: [localhost]: FAILED! => {"changed": false,
 "msg": "Error creating or updating virtual machine AlgoVPN - Azure Error:
 InvalidParameter\n
 Message: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid.\n
@@ -243,7 +241,7 @@ This is related to [the chmod issue](https://github.com/Microsoft/WSL/issues/81)
 You tried to deploy Algo from Docker and you received an error like this one:
 
 ```
-Failed to connect to the host via ssh: 
+Failed to connect to the host via ssh:
 Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.\r\n
 Control socket connect(/root/.ansible/cp/6d9d22e981): Connection refused\r\n
 Failed to connect to new control master\r\n
@@ -265,7 +263,7 @@ TASK [wireguard : Generate public keys] ****************************************
 [WARNING]: Unable to find 'configs/xxx.xxx.xxx.xxx/wireguard//private/dan' in expected paths.
 
 fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"}
-``` 
+```
 This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04. You should upgrade your server to Ubuntu 18.04. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows:
 
 ```ssh
@@ -412,16 +410,10 @@ sed -i -e 's/#*.dos_protection = yes/dos_protection = no/' /etc/strongswan.d/cha
 
 ### WireGuard: Clients can connect on Wifi but not LTE
 
-Certain cloud providers (like AWS Lightsail) don't assign an IPv6 address to your server, but certain cellular carriers (e.g. T-Mobile in the United States, [EE](https://community.ee.co.uk/t5/4G-and-mobile-data/IPv4-VPN-Connectivity/td-p/757881) in the United Kingdom) operate an IPv6-only network. This somehow leads to the Wireguard app not being able to make a connection when transitioning to cell service. Go to the Wireguard app on the device when you're having problems with cell connectivity and select "Export log file" or similar option. If you see a long string of error messages like "`Failed to send data packet write udp6 [::]:49727->[2607:7700:0:2a:0:1:354:40ae]:51820: sendto: no route to host` then you might be having this problem. 
+Certain cloud providers (like AWS Lightsail) don't assign an IPv6 address to your server, but certain cellular carriers (e.g. T-Mobile in the United States, [EE](https://community.ee.co.uk/t5/4G-and-mobile-data/IPv4-VPN-Connectivity/td-p/757881) in the United Kingdom) operate an IPv6-only network. This somehow leads to the Wireguard app not being able to make a connection when transitioning to cell service. Go to the Wireguard app on the device when you're having problems with cell connectivity and select "Export log file" or similar option. If you see a long string of error messages like "`Failed to send data packet write udp6 [::]:49727->[2607:7700:0:2a:0:1:354:40ae]:51820: sendto: no route to host` then you might be having this problem.
 
 Manually disconnecting and then reconnecting should restore your connection. To solve this, you need to either "force IPv4 connection" if available on your phone, or install an IPv4 APN, which might be available from your carrier tech support. T-mobile's is available [for iOS here under "iOS IPv4/IPv6 fix"](https://www.reddit.com/r/tmobile/wiki/index), and [here is a walkthrough for Android phones](https://www.myopenrouter.com/article/vpn-connections-not-working-t-mobile-heres-how-fix).
 
-### "Error 809" or IKE_AUTH requests that never make it to the server
-
-On Windows, this issue may manifest with an error message that says "The network connection between your computer and the VPN server could not be established because the remote server is not responding... This is Error 809." On other operating systems, you may try to debug the issue by capturing packets with tcpdump and notice that, while IKE_SA_INIT request and responses are exchanged between the client and server, IKE_AUTH requests never make it to the server.
-
-It is possible that the IKE_AUTH payload is too big to fit in a single IP datagram, and so is fragmented. Many consumer routers and cable modems ship with a feature that blocks "fragmented IP packets." Try logging into your router and disabling any firewall settings related to blocking or dropping fragmented IP packets. For more information, see [Issue #305](https://github.com/trailofbits/algo/issues/305).
-
 ### Error: name 'basestring' is not defined
 
 ```
@@ -448,29 +440,6 @@ Then rerun the dependency installation explicitly using python 2.7
 python2.7 -m virtualenv --python=`which python2.7` env && source env/bin/activate && python2.7 -m pip install -U pip && python2.7 -m pip install -r requirements.txt
 ```
 
-### Windows: Parameter is incorrect
-
-The problem may happen if you recently moved to a new server, where you have Algo VPN.
-
-1. Clear the Networking caches:
-	- Run CMD (click windows start menu, type 'cmd', right click on 'Command Prompt' and select "Run as Administrator").
-	- Type the commands below:
-	```
-	netsh int ip reset
-	netsh int ipv6 reset
-	netsh winsock reset
-	```
-
-3. Restart your computer
-4. Reset Device Manager adaptors:
-	- Open Device Manager
-	- Find Network Adapters
-	- Uninstall WAN Miniport drivers (IKEv2, IP, IPv6, etc)
-	- Click Action > Scan for hardware changes
-	- The adapters you just uninstalled should come back
-
-The VPN connection should work again
-
 ### IPsec: Difficulty connecting through router
 
 Some routers treat IPsec connections specially because older versions of IPsec did not work properly through [NAT](https://en.wikipedia.org/wiki/Network_address_translation). If you're having problems connecting to your AlgoVPN through a specific router using IPsec you might need to change some settings on the router.