Merge remote-tracking branch 'origin/master' into 196-simple-webapp-config

Author: summerisgone

.github/workflows/main.yml

@@ -39,7 +39,6 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt update -y
-          sudo add-apt-repository -yu ppa:wireguard/wireguard
           sudo apt install -y \
             python3-pip \
             lxd \
@@ -108,7 +107,6 @@ jobs:
       - name: Install dependencies
         run: |
           set -x
-          sudo add-apt-repository -yu ppa:wireguard/wireguard
           sudo add-apt-repository -yu ppa:ubuntu-lxc/stable
           sudo apt update -y
           sudo apt install -y \

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ### Added
 - New provider CloudStack added [\#1420](https://github.com/trailofbits/algo/pull/1420)
-- Support for Ubuntu 19.10 [\#1630](https://github.com/trailofbits/algo/pull/1630)
+- Support for Ubuntu 20.04 [\#1782](https://github.com/trailofbits/algo/pull/1782)
 - Allow WireGuard to listen on port 53 [\#1594](https://github.com/trailofbits/algo/pull/1594)
 - Introducing Makefile [\#1553](https://github.com/trailofbits/algo/pull/1553)
 - Option to unblock SMB and Netbios [\#1558](https://github.com/trailofbits/algo/pull/1558)
@@ -15,13 +15,14 @@
 - Scaleway instance creating issue [\#1549](https://github.com/trailofbits/algo/pull/1549)
 
 ### Changed
+- Discontinue use of the WireGuard PPA [\#1855](https://github.com/trailofbits/algo/pull/1855)
 - SSH changes [\#1636](https://github.com/trailofbits/algo/pull/1636)
   - Default port is set to `4160` and can be changed in the config
   - SSH user for every cloud provider is `algo`
 - EC2: enable EBS encryption by default [\#1556](https://github.com/trailofbits/algo/pull/1556)
 - Upgrades [\#1549](https://github.com/trailofbits/algo/pull/1549)
   - Python 3
-  - Ansible 2.8
+  - Ansible 2.9 [\#1777](https://github.com/trailofbits/algo/pull/1777)
 
  ### Breaking changes
   - Python virtual environment moved to .env [\#1549](https://github.com/trailofbits/algo/pull/1549)

README.md

@@ -43,7 +43,7 @@ The easiest way to get an Algo server running is to run it on your local system
     - **macOS:** Apple does not provide a suitable version of Python 3 with macOS. Here are two ways to obtain one:
         * Use the [Homebrew](https://brew.sh) package manager. After installing Homebrew install Python 3 by running `brew install python3`.
 
-        * Download and install the latest stable [Python 3.7.x package](https://www.python.org/downloads/mac-osx/) (currently Python 3.8 will not work). Be sure to run the included *Install Certificates* command from Finder.
+        * Download and install the latest stable [Python package](https://www.python.org/downloads/mac-osx/). Be sure to run the included *Install Certificates* command from Finder.
 
         See [Deploy from macOS](docs/deploy-from-macos.md) for more detailed information on installing Python 3 on macOS.
 
@@ -190,11 +190,42 @@ _If you chose to save the CA key during the deploy process,_ then Algo's own scr
 After this process completes, the Algo VPN server will contain only the users listed in the `config.cfg` file.
 
 ## Additional Documentation
-* [Deployment instructions, cloud provider setup instructions, and further client setup instructions available here.](docs/index.md)
 * [FAQ](docs/faq.md)
 * [Troubleshooting](docs/troubleshooting.md)
-
-If you read all the documentation and have further questions, [join the chat on Gitter](https://gitter.im/trailofbits/algo).
+* How Algo uses [Firewalls](docs/firewalls.md)
+
+### Setup Instructions for Specific Cloud Providers
+* Configure [Amazon EC2](docs/cloud-amazon-ec2.md)
+* Configure [Azure](docs/cloud-azure.md)
+* Configure [DigitalOcean](docs/cloud-do.md)
+* Configure [Google Cloud Platform](docs/cloud-gce.md)
+* Configure [Vultr](docs/cloud-vultr.md)
+* Configure [CloudStack](docs/cloud-cloudstack.md)
+* Configure [Hetzner Cloud](docs/cloud-hetzner.md)
+
+### Install and Deploy from Common Platforms
+* Deploy from [macOS](docs/deploy-from-macos.md)
+* Deploy from [Windows](docs/deploy-from-windows.md)
+* Deploy from [Google Cloud Shell](docs/deploy-from-cloudshell.md)
+* Deploy from [RedHat/CentOS 6.x](docs/deploy-from-redhat-centos6.md)
+* Deploy from a [Docker container](docs/deploy-from-docker.md)
+
+### Setup VPN Clients to Connect to the Server
+* Setup [Android](docs/client-android.md) clients
+* Setup [Linux](docs/client-linux.md) clients with Ansible
+* Setup Ubuntu clients to use [WireGuard](docs/client-linux-wireguard.md)
+* Setup Linux clients to use [IPsec](docs/client-linux-ipsec.md)
+* Setup Apple devices to use [IPsec](docs/client-apple-ipsec.md)
+* Setup Macs running macOS 10.13 or older to use [WireGuard](docs/client-macos-wireguard.md)
+
+### Advanced Deployment
+* Deploy to your own [Ubuntu](docs/deploy-to-ubuntu.md) server, and road warrior setup
+* Deploy from [Ansible](docs/deploy-from-ansible.md) non-interactively
+* Deploy onto a [cloud server at time of creation with shell script or cloud-init](docs/deploy-from-script-or-cloud-init-to-localhost.md)
+* Deploy to an [unsupported cloud provider](docs/deploy-to-unsupported-cloud.md)
+* Deploy to your own [FreeBSD](docs/deploy-to-freebsd.md) server
+
+If you've read all the documentation and have further questions, [join the chat on Gitter](https://gitter.im/trailofbits/algo).
 
 ## Endorsements
 

config.cfg

@@ -116,7 +116,7 @@ strongswan_log_level: 2
 # ipv4
 strongswan_network: 10.19.48.0/24
 # ipv6
-strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
+strongswan_network_ipv6: '2001:db8:4160::/48'
 
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
 # This option will keep the "connection" open in the eyes of NAT.
@@ -125,7 +125,7 @@ wireguard_PersistentKeepalive: 0
 
 # WireGuard network configuration
 wireguard_network_ipv4: 10.19.49.0/24
-wireguard_network_ipv6: fd9d:bc11:4021::/48
+wireguard_network_ipv6: 2001:db8:a160::/48
 
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

docs/client-linux-wireguard.md

@@ -2,18 +2,16 @@
 
 ## Install WireGuard
 
-To connect to your AlgoVPN using [WireGuard](https://www.wireguard.com) from Ubuntu, first install WireGuard:
+To connect to your AlgoVPN using [WireGuard](https://www.wireguard.com) from Ubuntu, make sure your system is up-to-date then install WireGuard:
 
 ```shell
-# Ubuntu 19.04 and earlier:
-# Add the WireGuard repository
-sudo add-apt-repository ppa:wireguard/wireguard
+# Update your system:
+sudo apt update && sudo apt upgrade
 
-# Ubuntu 17.10 and earlier:
-# Update the list of available packages
-sudo apt update
+# If the file /var/run/reboot-required exists then reboot:
+[ -e /var/run/reboot-required ] && sudo reboot
 
-# Install the tools and kernel module:
+# Install WireGuard:
 sudo apt install wireguard openresolv
 ```
 
@@ -62,6 +60,3 @@ search mydomain.com
 nameserver 172.27.153.31
 nameserver fd00::b:991f
 ```
-If you're using the version of WireGuard included with Ubuntu as of 19.10 it might be from before this feature was added. To use the latest version of WireGuard add the PPA repository as shown above.
-
-Note that using the PPA repository on Ubuntu 20.04 LTS instead of the WireGuard modules shipped in the kernel package may cause the installation of about 40 additional packages in order to compile the kernel module.

docs/deploy-from-macos.md

@@ -6,8 +6,6 @@ Algo uses [Ansible](https://www.ansible.com) which requires Python 3. macOS does
 
 You'll need to install Python 3 before you can run Algo. Python 3 is available from several different packagers, three of which are listed below.
 
-**IMPORTANT:** At this time you **cannot** use Python 3.8 or later with Ansible on macOS. Choose a recent version of Python 3.7 instead.
-
 ## macOS 10.15 Catalina
 
 Catalina comes with `/usr/bin/python3` installed. This file, and certain others like `/usr/bin/git`, start out as stub files that prompt you to install the Developer Command Line Tools the first time you run them. Having `git` installed can be useful but whether or not you choose to install the Command Line Tools you **cannot** use this version of Python 3 with Algo at this time. Instead install one of the versions below.
@@ -47,11 +45,11 @@ If you don't want to install a package manager you can download a Python package
 
 #### Installation
 
-Download the most recent version of Python 3.7 and install it like any other macOS package. Then initialize the CA certificate store from Finder by double-clicking on the file `Install Certificates.command` found in the `/Applications/Python 3.7` folder.
+Download the most recent version of Python and install it like any other macOS package. Then initialize the CA certificate store from Finder by double-clicking on the file `Install Certificates.command` found in the `/Applications/Python 3.8` folder.
 
 When you double-click on `Install Certificates.command` a new Terminal window will open. If the window remains blank then the command has not run correctly. This can happen if you've changed the default shell in Terminal Preferences. Try changing it back to the default and run `Install Certificates.command` again.
 
-After installation open a new tab or window in Terminal and verify that the command `which python3` returns either `/usr/local/bin/python3` or  `/Library/Frameworks/Python.framework/Versions/3.7/bin/python3`.
+After installation open a new tab or window in Terminal and verify that the command `which python3` returns either `/usr/local/bin/python3` or  `/Library/Frameworks/Python.framework/Versions/3.8/bin/python3`.
 
 #### Removal
 
@@ -73,13 +71,13 @@ In addition to installing Python you'll need to install the package containing t
 
 #### Installation
 ```
-sudo port install python37
+sudo port install python38
 sudo port install curl-ca-bundle
 ```
 After installation open a new tab or window in Terminal and verify that the command `which python3` returns `/opt/local/bin/python3`.
 
 #### Removal
 ```
-sudo port uninstall python37
+sudo port uninstall python38
 sudo port uninstall curl-ca-bundle
 ```

docs/deploy-from-windows.md

@@ -1,6 +1,6 @@
 # Deploy from Windows
 
-The Algo scripts can't be run directly on Windows, but you can use the Windows Subsystem for Linux (WSL) to run a copy of Ubuntu Linux right on your Windows system.
+The Algo scripts can't be run directly on Windows, but you can use the Windows Subsystem for Linux (WSL) to run a copy of Ubuntu Linux right on your Windows system. You can then run Algo to deploy a VPN server to a supported cloud provider, though you can't turn the instance of Ubuntu running under WSL into a VPN server.
 
 To run WSL you will need:
 
@@ -21,7 +21,7 @@ Wait a minute for Windows to install a few things in the background (it will eve
 2. Click on 'Turn Windows features on or off'
 3. Scroll down and check 'Windows Subsystem for Linux', and then click OK.
 4. The subsystem will be installed, then Windows will require a restart.
-5. Restart Windows and then [install Ubuntu from the Windows Store](https://www.microsoft.com/p/ubuntu/9nblggh4msv6).
+5. Restart Windows and then [install Ubuntu 18.04 LTS from the Windows Store](https://www.microsoft.com/p/ubuntu-1804-lts/9n9tngvndl3q) (at this time Ubuntu 20.04 LTS does not work with Algo when running under WSL).
 6. Run Ubuntu from the Start menu. It will take a few minutes to install. It will have you create a separate user account for the Linux subsystem. Once that's done, you will finally have Ubuntu running somewhat integrated with Windows.
 
 ## Install Algo

docs/faq.md

@@ -21,7 +21,7 @@ No. This project is under active development. We're happy to [accept and fix iss
 
 ## What's the current status of WireGuard?
 
-[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard from the [official WireGuard PPA for Ubuntu](https://launchpad.net/~wireguard/+archive/ubuntu/wireguard) by default.
+[WireGuard reached "stable" 1.0.0 release](https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html) in Spring 2020. It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review.
 
 ## Why aren't you using Tor?
 

docs/index.md

@@ -16,8 +16,10 @@ First of all, check [this](https://github.com/trailofbits/algo#features) and ens
      * [AWS: "Deploy the template" fails with CREATE_FAILED](#aws-deploy-the-template-fails-with-create_failed)
      * [AWS: not authorized to perform: cloudformation:UpdateStack](#aws-not-authorized-to-perform-cloudformationupdatestack)
      * [DigitalOcean: error tagging resource 'xxxxxxxx': param is missing or the value is empty: resources](#digitalocean-error-tagging-resource)
+     * [Azure: The client xxx with object id xxx does not have authorization to perform action Microsoft.Resources/subscriptions/resourcegroups/write' over scope](#azure-deployment-permissions-error)
      * [Windows: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid](#windows-the-value-of-parameter-linuxconfigurationsshpublickeyskeydata-is-invalid)
      * [Docker: Failed to connect to the host via ssh](#docker-failed-to-connect-to-the-host-via-ssh)
+     * [Error: Failed to create symlinks for deploying to localhost](#error-failed-to-create-symlinks-for-deploying-to-localhost)
      * [Wireguard: Unable to find 'configs/...' in expected paths](#wireguard-unable-to-find-configs-in-expected-paths)
      * [Ubuntu Error: "unable to write 'random state'" when generating CA password](#ubuntu-error-unable-to-write-random-state-when-generating-ca-password)
   * [Connection Problems](#connection-problems)
@@ -240,6 +242,23 @@ See stdout/stderr for the exact error", "rc": 1}
 
 It happens when your machine is not authenticated in the azure cloud, follow this [guide](https://trailofbits.github.io/algo/cloud-azure.html) to configure your environment
 
+### Azure: Deployment Permissions Error
+
+The AAD Application Registration (aka, the 'Service Principal', where you got the ClientId) needs permission to create the resources for the subscription. Otherwise, you will get the following error when you run the Ansible deploy script:
+
+```
+fatal: [localhost]: FAILED! => {"changed": false, "msg": "Resource group create_or_update failed with status code: 403 and message: The client 'xxxxx' with object id 'THE_OBJECT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/THE_SUBSCRIPTION_ID/resourcegroups/algo' or the scope is invalid. If access was recently granted, please refresh your credentials."}
+```
+
+The solution for this is to open the Azure CLI and run the following command to grant contributor role to the Service Principal:
+
+```
+az role assignment create --assignee-object-id THE_OBJECT_ID --scope subscriptions/THE_SUBSCRIPTION_ID --role contributor
+```
+
+After this is applied, the Service Principal has permissions to create the resources and you can re-run `ansible-playbook main.yml` to complete the deployment.
+
+
 ### Windows: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid
 
 You tried to deploy Algo from Windows and you received an error like this one:
@@ -273,6 +292,41 @@ You need to add the following to the ansible.cfg in repo root:
 control_path_dir=/dev/shm/ansible_control_path
 ```
 
+### Error: Failed to create symlinks for deploying to localhost
+
+You tried to run Algo and you received an error like this one:
+
+```
+TASK [Create a symlink if deploying to localhost] ********************************************************************
+fatal: [localhost]: FAILED! => {"changed": false, "gid": 1000, "group": "ubuntu", "mode": "0775", "msg": "the directory configs/localhost is not empty, refusing to convert it", "owner": "ubuntu", "path": "configs/localhost", "size": 4096, "state": "directory", "uid": 1000}
+included: /home/ubuntu/algo-master/playbooks/rescue.yml for localhost
+
+TASK [debug] *********************************************************************************************************
+ok: [localhost] => {
+    "fail_hint": [
+        "Sorry, but something went wrong!",
+        "Please check the troubleshooting guide.",
+        "https://trailofbits.github.io/algo/troubleshooting.html"
+    ]
+}
+
+TASK [Fail the installation] *****************************************************************************************
+```
+This error is usually encountered when using the local install option and `localhost` is provided in answer to this question, which is expecting an IP address or domain name of your server:
+```
+Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
+[localhost]
+:
+```
+
+You should remove the files in /etc/wireguard/ and configs/ as follows:
+```ssh
+sudo rm -rf /etc/wireguard/*
+rm -rf configs/*
+``` 
+
+And then immediately re-run `./algo` and provide a domain name or IP address in response to the question referenced above. 
+
 ### Wireguard: Unable to find 'configs/...' in expected paths
 
 You tried to run Algo and you received an error like this one:
@@ -283,10 +337,11 @@ TASK [wireguard : Generate public keys] ****************************************
 
 fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"}
 ```
-This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04 or later. You should upgrade your server to Ubuntu 18.04 or later. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows:
+This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04 or later. You should upgrade your server to Ubuntu 18.04 or later. If this doesn't work, try removing files in /etc/wireguard/ and the configs directories as follows:
 
 ```ssh
-sudo rm -rf /etc/wireguard/*.lock
+sudo rm -rf /etc/wireguard/*
+rm -rf configs/*
 ```
 Then immediately re-run `./algo`.