From 94d870e3259c681e17ba0c1f6b9f8dd6cdda4d36 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 18:41:48 +0100 Subject: [PATCH 1/7] docs/client-linux.md housekeeping --- docs/client-linux.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/client-linux.md b/docs/client-linux.md index 89e17e586..a5fd5b4b2 100644 --- a/docs/client-linux.md +++ b/docs/client-linux.md @@ -1,19 +1,22 @@ # Linux client setup +## Provision client config + After you deploy a server, you can use an included Ansible script to provision Linux clients too! Debian, Ubuntu, CentOS, and Fedora are supported. The playbook is `deploy_client.yml`. -### Required variables: +### Required variables * `client_ip` - The IP address of your client machine (You can use `localhost` in order to deploy locally) * `vpn_user` - The username. (Ensure that you have valid certificates and keys in the `configs/SERVER_ip/pki/` directory) * `ssh_user` - The username that we need to use in order to connect to the client machine via SSH (ignore if you are deploying locally) * `server_ip` - The vpn server ip address -### Example: +### Example ```shell ansible-playbook deploy_client.yml -e 'client_ip=client.com vpn_user=jack server_ip=vpn-server.com ssh_user=root' ``` -### Additional options: -If the user requires sudo password use the following argument: `--ask-become-pass` +### Additional options + +If the user requires sudo password use the following argument: `--ask-become-pass`. \ No newline at end of file From 8bcc0d5d3c37bf2cfb017b8fcf1282dc1637b425 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 18:58:56 +0100 Subject: [PATCH 2/7] add fedora-workstation instructions to client-linx.md --- docs/client-linux.md | 58 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/docs/client-linux.md b/docs/client-linux.md index a5fd5b4b2..a5155501a 100644 --- a/docs/client-linux.md 
+++ b/docs/client-linux.md 
@@ -19,4 +19,60 @@ ansible-playbook deploy_client.yml -e 'client_ip=client.com vpn_user=jack server ### Additional options -If the user requires sudo password use the following argument: `--ask-become-pass`. \ No newline at end of file +If the user requires sudo password use the following argument: `--ask-become-pass`. + +## OS Specific instructions + +Some Linux clients may require more specific and details instructions to configure a connection to the deployed Algo VPN, these are documented here. + +### Fedora Workstation + +#### (Gnome) Network Manager install + +We'll use the [rsclarke/NetworkManager-strongswan](https://copr.fedorainfracloud.org/coprs/rsclarke/NetworkManager-strongswan/) Copr repo (see [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-327820191)), this will make the `IKE` and `ESP` fields available in the Gnome Network Manager. Note that at time of writing the non-Copr repo will result in connection failures. Also note that the Copr repo *instructions are not filled in by author. Author knows what to do. Everybody else should avoid this repo*. So unless you are comfortable with using this repo, you'll want to hold out untill the patches applied in the Copr repo make it into stable. + +First remove the stable `NetworkManager-strongswan` package, ensure you have backups in place and / or take note of config backups taken during the removal of the package. + +```` +dnf remove NetworkManager-strongswan +```` + +Next, enable the Copr repo and install it along with the `NetworkManager-strongswan-gnome` package: + +```` +dnf copr enable -y rsclarke/NetworkManager-strongswan +dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome +```` + +Reboot your machine: + +```` +reboot now +```` + +#### (Gnome) Network Manager configuration + +In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the user we created is `user-name`. 
+ +* Go to *Settings* > *Network* +* Add a new Network (`+` bottom left of the window) +* Select *IPsec/IKEv2 (strongswan)* +* Fill out the options: + * Name: your choice, e.g.: *ikev2-1.2.3.4* + * Gateway: + * Address: IP of the Algo VPN server, e.g: `1.2.3.4` + * Certificate: `cacert.pem` found at `/path/to/algo/1.2.3.4/cacert.pem` + * Client: + * Authentication: *Certificate/Private key* + * Certificate: `user-name.crt` found at `/path/to/algo/1.2.3.4/pki/certs/user-name.crt` + * Private key: `user-name.key` found at `/path/to/algo/1.2.3.4/pki/private/user-name.key` + * Options: + * Check *Request an inner IP address*, connection will fail without this option + * Optionally check *Enforce UDP encapsulation* + * Optionally check *Use IP compression* + * For the later 2 options, hover to option in the settings to see a description + * Cipher proposal: + * Check *Enable custom proposals* + * IKE: `aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256` + * ESP: `aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256` +* Apply and turn the connection on, you should now be connected \ No newline at end of file From 03f8ecbbdf615ba9920589eeb72b699e34d719f2 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 18:59:36 +0100 Subject: [PATCH 3/7] add deploy-from-fedora-workstation doc --- docs/deploy-from-fedora-workstation.md | 126 +++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 docs/deploy-from-fedora-workstation.md diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md new file mode 100644 index 000000000..33f0561f6 --- /dev/null +++ b/docs/deploy-from-fedora-workstation.md 
@@ -0,0 +1,126 @@ +# Deploy from Fedora Workstation + +These docs were written based on experience on Fedora Workstation 26. + +## Prerequisites + +### DNF counterparts of apt packages + +The following table lists `apt` packages with their `dnf` counterpart. This is purely informative. +Using `python2-*` in favour of `python3-*` as per [declared dependency](https://github.com/trailofbits/algo#deploy-the-algo-server). + +| `apt` | `dnf` | +| ----- | ----- | +| `build-essential` | `make automake gcc gcc-c++ kernel-devel` | +| `libssl-dev` | `openssl-devel` | +| `libffi-dev` | `libffi-devel` | +| `python-dev` | `python-devel` | +| `python-pip` | `python2-pip` | +| `python-setuptools` | `python2-setuptools` | +| `python-virtualenv` | `python2-virtualenv` | + +### Install requirements + +First, let's make sure our system is up-to-date: + +```` +dnf upgrade +``` + +Next, install the required packages: + +```` +dnf install -y \ + ansible \ + automake \ + gcc \ + gcc-c++ \ + kernel-devel \ + openssl-devel \ + libffi-devel \ + libselinux-python \ + python-devel \ + python2-pip \ + python2-setuptools \ + python2-virtualenv \ + make +```` + +## Get Algo + + +[Download](https://github.com/trailofbits/algo/archive/master.zip) or clone: + +```` +git clone git@github.com:trailofbits/algo.git +cd algo +```` + +If you downloaded Algo, unzip to your prefered location and `cd` into it. +We'll assume from this point forward that our working directory is the `algo` root directory. + + +## Prepare algo + +Some steps are needed before we can deploy our Algo VPN server. + +### Check `pip` + +Run `pip -v` and check the pythong version it is using: + +```` +$ pip -V +pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7) +```` + +`python 2.7` is what we're looking for. 
+ +### `pip` upgrade and installs + +```` +# Upgrade pip itself +pip -q install --upgrade pip +# python-devel needed to prevent setup.py crash +pip -q install pycrypto +# pycrypto 2.7.1 needed for latest security patch +# This may need to run with sudo to complete without permission violations +pip -q install setuptools --upgrade +# virtualenv to make installing dependencies easier +pip -q install virtualenv +```` + +### Setup virtualenv and install requirements + +```` +virtualenv --system-site-packages env +source env/bin/activate +pip -q install --user -r requirements.txt +```` + +## Configure + +Edit the userlist and any other settings you desire in `config.cfg` using your prefered editor. + +## Deploy + +We can now deploy our server by running: + +```` +./algo +```` + +Ensure to allow Windows / Linux clients when going through the config options. +Note the IP and password of the newly created Alfo VPN server and store it safely. + +If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](https://github.com/trailofbits/algo/blob/master/docs/client-linux.md). + +## Notes on SELinux + +If you have SELinux enabled, you'll need to set appropriate file contexts: + +```` +semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?" +restorecon -R -v $(pwd) +```` + +See [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-328053950). \ No newline at end of file From 9a2e0a596b727ecb9c8a6c480e703c8558cb8b41 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 19:02:30 +0100 Subject: [PATCH 4/7] change client-linux.md to internal link --- docs/deploy-from-fedora-workstation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md index 33f0561f6..724f1c99d 100644 --- a/docs/deploy-from-fedora-workstation.md +++ b/docs/deploy-from-fedora-workstation.md 
@@ -112,7 +112,7 @@ We can now deploy our server by running: Ensure to allow Windows / Linux clients when going through the config options. Note the IP and password of the newly created Alfo VPN server and store it safely. -If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](https://github.com/trailofbits/algo/blob/master/docs/client-linux.md). +If you want to setup client config on your Fedora Workstation, refer to [the Linux Client docs](client-linux.md). ## Notes on SELinux @@ -123,4 +123,4 @@ semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?" restorecon -R -v $(pwd) ```` -See [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-328053950). \ No newline at end of file +See [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-328053950). From 21746b6ae00afb9684e68dfb991e3426f5e82719 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 19:03:01 +0100 Subject: [PATCH 5/7] add deploy-from-fedora-workstation links --- README.md | 1 + docs/index.md | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 1a6c2298f..55b1bd6f1 100644 --- a/README.md +++ b/README.md @@ -180,6 +180,7 @@ After this process completes, the Algo VPN server will contains only the users l * Setup instructions - Documentation for available [Ansible roles](docs/setup-roles.md) + - Deploy from [Fedora Workstation (26)](docs/deploy-from-fedora-workstation.md) - Deploy from [RedHat/CentOS 6.x](docs/deploy-from-redhat-centos6.md) - Deploy from [Windows](docs/deploy-from-windows.md) - Deploy from [Ansible](docs/deploy-from-ansible.md) directly diff --git a/docs/index.md b/docs/index.md index 7275901f0..b9b94bb6a 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -2,6 +2,7 @@ * Setup instructions - Documentation for available [Ansible roles](setup-roles.md) + - Deploy from [Fedora Workstation (26)](deploy-from-fedora-workstation.md) - Deploy from [RedHat/CentOS 6.x](deploy-from-redhat-centos6.md) - Deploy from [Windows](deploy-from-windows.md) - Deploy from [Ansible](deploy-from-ansible.md) directly From 12f5c5ae4000ac5058c98d35c56770eee61c0103 Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 19:25:03 +0100 Subject: [PATCH 6/7] correct markup --- docs/deploy-from-fedora-workstation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md index 724f1c99d..9cb40a7e3 100644 --- a/docs/deploy-from-fedora-workstation.md +++ b/docs/deploy-from-fedora-workstation.md @@ -25,7 +25,7 @@ First, let's make sure our system is up-to-date: ```` dnf upgrade -``` +```` Next, install the required packages: From 62dcb9bbe5d268ab2191fc2814bc78552c79687a Mon Sep 17 00:00:00 2001 From: Jurgen Verhasselt Date: Mon, 30 Oct 2017 19:37:00 +0100 Subject: [PATCH 7/7] correct typo --- docs/deploy-from-fedora-workstation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-from-fedora-workstation.md b/docs/deploy-from-fedora-workstation.md index 9cb40a7e3..319d74cf2 100644 --- a/docs/deploy-from-fedora-workstation.md +++ b/docs/deploy-from-fedora-workstation.md @@ -66,7 +66,7 @@ Some steps are needed before we can deploy our Algo VPN server. ### Check `pip` -Run `pip -v` and check the pythong version it is using: +Run `pip -v` and check the python version it is using: ```` $ pip -V
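Review bot: in the PATCH 1/7 hunk of docs/client-linux.md, the rewritten closing line `+If the user requires sudo password use the following argument: `--ask-become-pass`.` is still emitted with `\ No newline at end of file`, so PATCH 2/7 has to rewrite that same line just to add the newline; add it here instead, and while rewording the sentence make it "requires a sudo password". The other changes in this hunk (dropping the trailing colons from the headings and adding the `## Provision client config` heading) are fine.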
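Review bot: in the PATCH 2/7 hunk of docs/client-linux.md, the paths under "(Gnome) Network Manager configuration" (`/path/to/algo/1.2.3.4/cacert.pem`, `/path/to/algo/1.2.3.4/pki/certs/user-name.crt`, `/path/to/algo/1.2.3.4/pki/private/user-name.key`) omit the `configs/` directory that the "Required variables" section of this same file points to (`configs/SERVER_ip/pki/`); write them as `/path/to/algo/configs/1.2.3.4/...` so a reader can actually locate the files. Two further points on the install steps: `dnf remove`, `dnf copr enable -y`, `dnf install` and `reboot now` all need root but are shown without `sudo` (plain `reboot` is the conventional form), and because the Copr repo is a personal third-party repository whose own description, quoted in the text, says everyone else should avoid it, the section should name the NetworkManager-strongswan version that the stable repo needs to reach so that readers can disable the Copr repo again as soon as the stable package works, rather than leaving a third-party repo enabled indefinitely. Typos: "details instructions" should be "detailed instructions", "untill" should be "until", and "For the later 2 options" should be "For the latter two options".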
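Review bot: in the PATCH 3/7 hunk adding docs/deploy-from-fedora-workstation.md, the last line of the "Setup virtualenv and install requirements" block, `pip -q install --user -r requirements.txt`, runs after `source env/bin/activate` but `--user` targets the per-user site directory, not the `env` virtualenv just created, so the dependencies do not land in the isolated environment; drop `--user`. In the "`pip` upgrade and installs" block the comment `# pycrypto 2.7.1 needed for latest security patch` sits below `pip -q install pycrypto` and above `pip -q install setuptools --upgrade`, so it reads as explaining setuptools, and the command it describes pins no version; move the comment above the pycrypto line and pin the version it relies on, and consider doing these upgrades inside the virtualenv rather than with `sudo` against the system Python, which overwrites distro-managed packages. Under "Check `pip`" the prose says `pip -v` (verbose) while the example runs `pip -V` (version); use `pip -V`. The `dnf upgrade` block opens with four backticks and closes with three, which PATCH 6/7 later repairs; squash that fix here. `git clone git@github.com:trailofbits/algo.git` requires a GitHub account with an SSH key, which the "Download or clone" reader may not have; the `https://github.com/trailofbits/algo.git` form works for everyone. In "Notes on SELinux", `semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"` labels the entire checkout, source tree included, as IPsec key files; scope it to the `configs/` directory that holds the keys, quote `"$(pwd)"` in the `restorecon` line, note that both commands need root, and add the package that provides `semanage` to the `dnf install` list since it is absent there. That labelling exists so the local strongSwan daemon can read client keys, which suggests it belongs in docs/client-linux.md rather than in the deploy guide. Typos: "prefered" (twice), "Alfo VPN server", "pythong", and "Setup virtualenv" should be "Set up virtualenv".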
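Review bot: the first PATCH 4/7 hunk in docs/deploy-from-fedora-workstation.md changes the link directly below the context line `Note the IP and password of the newly created Alfo VPN server and store it safely.`; fix the `Alfo` typo in the same change instead of leaving it in the file.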
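Review bot: the second PATCH 4/7 hunk only adds the missing trailing newline to `See [this comment](https://github.com/trailofbits/algo/issues/263#issuecomment-328053950).`, a defect introduced by PATCH 3/7 of this same series; squash it into that commit so no intermediate revision ships the broken file.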
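Review bot: the PATCH 5/7 hunk in README.md inserts the new entry right under the context line `After this process completes, the Algo VPN server will contains only the users l`, which has a pre-existing grammar slip ("will contains"); fixing it in this pass would be cheap. The docs/index.md hunk mirrors the README entry correctly.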
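Review bot: PATCH 6/7 is a one-character fence fix (closing three backticks changed to four) for a block that PATCH 3/7 in this series introduced; fold it into 3/7 rather than keeping a separate "correct markup" commit.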
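Review bot: PATCH 7/7 corrects `pythong` but leaves the other error on the same line: `Run `pip -v` and check the python version it is using:` still says `pip -v`, the verbose flag, while the example that follows runs `pip -V`, the version flag; change the prose to `pip -V`. Like 6/7, this is a fixup to 3/7 and should be squashed into it.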