trailofbits/algo

Lightsail is not working

vvorlov opened this issue · 2 comments

Describe the bug

VPN is not working with Lightsail. WireGuard connects, but there is no Internet after connection. The usual macOS client doesn't connect; it freezes in the Connecting... state.

To Reproduce

Steps to reproduce the behavior:

  1. Connect to the Lightsail instance via ssh.
  2. Run the script:

       #!/bin/bash
       export USERS=phone
       export REPO_BRANCH=master
       export STORE_PKI=true
       curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x

  3. I don't know why, but you need to run the script twice. On the first run it will install the dependencies, and on the second run it will configure the VPN.
  4. Run chmod 775 on every cert in /opt/algo/configs/<IP>.
  5. Download the certs:

       scp -i eu-north-1.pem ubuntu@13.48.104.144:/opt/algo/configs/13.48.104.144/wireguard/phone.conf ~/Downloads/phone.conf
       scp -i eu-north-1.pem ubuntu@13.48.104.144:/opt/algo/configs/13.48.104.144/ipsec/apple/phone.mobileconfig ~/Downloads/phone.mobileconfig

  6. Configure WireGuard or the built-in macOS client.

Expected behavior

VPN should work, but it doesn't.

Full log

ubuntu@ip-172-26-0-161:~$ export USERS=phone
ubuntu@ip-172-26-0-161:~$ export REPO_BRANCH=master
ubuntu@ip-172-26-0-161:~$ export STORE_PKI=true
ubuntu@ip-172-26-0-161:~$ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
+ set -ex
+ METHOD=cloud
+ ONDEMAND_CELLULAR=false
+ ONDEMAND_WIFI=false
+ ONDEMAND_WIFI_EXCLUDE=_null
+ STORE_PKI=true
+ DNS_ADBLOCKING=false
+ SSH_TUNNELING=false
+ ENDPOINT=localhost
+ USERS=phone
+ REPO_SLUG=trailofbits/algo
+ REPO_BRANCH=master
+ EXTRA_VARS=placeholder=null
+ ANSIBLE_EXTRA_ARGS=
+ cd /opt/
+ test cloud = cloud
+ publicIpFromMetadata
+ curl -s http://169.254.169.254/metadata/v1/vendor-data
+ grep DigitalOcean
++ curl -s http://169.254.169.254/latest/meta-data/services/domain
+ test amazonaws.com = amazonaws.com
++ curl -s http://169.254.169.254/latest/meta-data/public-ipv4
+ ENDPOINT=13.48.104.144
+ grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'
+ echo 13.48.104.144
13.48.104.144
+ export ENDPOINT=13.48.104.144
+ ENDPOINT=13.48.104.144
+ echo 'Using 13.48.104.144 as the endpoint'
Using 13.48.104.144 as the endpoint
+ installRequirements
+ export DEBIAN_FRONTEND=noninteractive
+ DEBIAN_FRONTEND=noninteractive
+ apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal InRelease          
Get:3 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1135 kB]
Get:5 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:6 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8628 kB]
Get:7 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [205 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [9104 B]
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [643 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/restricted Translation-en [91.7 kB]
Get:11 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 c-n-f Metadata [536 B]
Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [675 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [115 kB]
Get:14 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [13.0 kB]
Get:15 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [21.8 kB]
Get:16 http://security.ubuntu.com/ubuntu focal-security/multiverse Translation-en [4948 B]
Get:17 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [536 B]
Get:18 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe Translation-en [5124 kB]
Get:19 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 c-n-f Metadata [265 kB]
Get:20 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [144 kB]
Get:21 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/multiverse Translation-en [104 kB]
Get:22 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/multiverse amd64 c-n-f Metadata [9136 B]
Get:23 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1469 kB]
Get:24 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [291 kB]
Get:25 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [14.7 kB]
Get:26 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [694 kB]
Get:27 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [99.0 kB]
Get:28 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 c-n-f Metadata [532 B]
Get:29 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [892 kB]
Get:30 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [196 kB]
Get:31 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [19.9 kB]
Get:32 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [24.8 kB]
Get:33 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/multiverse Translation-en [6928 B]
Get:34 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 c-n-f Metadata [620 B]
Get:35 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [42.0 kB]
Get:36 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/main Translation-en [10.0 kB]
Get:37 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/main amd64 c-n-f Metadata [864 B]
Get:38 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/restricted amd64 c-n-f Metadata [116 B]
Get:39 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [19.5 kB]
Get:40 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/universe Translation-en [13.4 kB]
Get:41 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/universe amd64 c-n-f Metadata [672 B]
Get:42 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 21.3 MB in 4s (5948 kB/s)                          
Reading package lists... Done
+ apt-get install python3-virtualenv jq -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libjq1 libonig5 python-pip-whl python3-appdirs python3-distlib
  python3-filelock
The following NEW packages will be installed:
  jq libjq1 libonig5 python-pip-whl python3-appdirs python3-distlib
  python3-filelock python3-virtualenv
0 upgraded, 8 newly installed, 0 to remove and 224 not upgraded.
Need to get 2316 kB of archives.
After this operation, 4405 kB of additional disk space will be used.
Get:1 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 libonig5 amd64 6.9.4-1 [142 kB]
Get:2 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libjq1 amd64 1.6-1ubuntu0.20.04.1 [121 kB]
Get:3 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 jq amd64 1.6-1ubuntu0.20.04.1 [50.2 kB]
Get:4 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python-pip-whl all 20.0.2-5ubuntu1.6 [1805 kB]
Get:5 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/main amd64 python3-appdirs all 1.4.3-2.1 [10.8 kB]
Get:6 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 python3-distlib all 0.3.0-1 [116 kB]
Get:7 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 python3-filelock all 3.0.12-2 [7948 B]
Get:8 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python3-virtualenv all 20.0.17-1ubuntu0.4 [62.7 kB]
Fetched 2316 kB in 0s (5123 kB/s)        
Selecting previously unselected package libonig5:amd64.
(Reading database ... 59624 files and directories currently installed.)
Preparing to unpack .../0-libonig5_6.9.4-1_amd64.deb ...
Unpacking libonig5:amd64 (6.9.4-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../1-libjq1_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Selecting previously unselected package jq.
Preparing to unpack .../2-jq_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking jq (1.6-1ubuntu0.20.04.1) ...
Selecting previously unselected package python-pip-whl.
Preparing to unpack .../3-python-pip-whl_20.0.2-5ubuntu1.6_all.deb ...
Unpacking python-pip-whl (20.0.2-5ubuntu1.6) ...
Selecting previously unselected package python3-appdirs.
Preparing to unpack .../4-python3-appdirs_1.4.3-2.1_all.deb ...
Unpacking python3-appdirs (1.4.3-2.1) ...
Selecting previously unselected package python3-distlib.
Preparing to unpack .../5-python3-distlib_0.3.0-1_all.deb ...
Unpacking python3-distlib (0.3.0-1) ...
Selecting previously unselected package python3-filelock.
Preparing to unpack .../6-python3-filelock_3.0.12-2_all.deb ...
Unpacking python3-filelock (3.0.12-2) ...
Selecting previously unselected package python3-virtualenv.
Preparing to unpack .../7-python3-virtualenv_20.0.17-1ubuntu0.4_all.deb ...
Unpacking python3-virtualenv (20.0.17-1ubuntu0.4) ...
Setting up python3-filelock (3.0.12-2) ...
Setting up python3-distlib (0.3.0-1) ...
Setting up python-pip-whl (20.0.2-5ubuntu1.6) ...
Setting up python3-appdirs (1.4.3-2.1) ...
Setting up libonig5:amd64 (6.9.4-1) ...
Setting up libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Setting up python3-virtualenv (20.0.17-1ubuntu0.4) ...
Setting up jq (1.6-1ubuntu0.20.04.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...
+ deployAlgo
+ getAlgo
+ '[' '!' -d algo ']'
+ git clone https://github.com/trailofbits/algo -b master algo
Cloning into 'algo'...
remote: Enumerating objects: 7270, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 7270 (delta 3), reused 15 (delta 2), pack-reused 7251
Receiving objects: 100% (7270/7270), 2.93 MiB | 1.75 MiB/s, done.
Resolving deltas: 100% (4178/4178), done.
+ cd algo
++ command -v python3
+ python3 -m virtualenv --python=/usr/bin/python3 .venv
created virtual environment CPython3.8.2.final.0-64 in 282ms
  creator CPython3Posix(dest=/opt/algo/.venv, clear=False, global=False)
  seeder FromAppData(download=False, pip=latest, setuptools=latest, wheel=latest, pkg_resources=latest, via=copy, app_data_dir=/home/ubuntu/.local/share/virtualenv/seed-app-data/v1.0.1.debian.1)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
+ . .venv/bin/activate
++ '[' .venv/bin/activate = bash ']'
++ deactivate nondestructive
++ unset -f pydoc
++ '[' -z '' ']'
++ '[' -z '' ']'
++ '[' -n /usr/bin/bash ']'
++ hash -r
++ '[' -z '' ']'
++ unset VIRTUAL_ENV
++ '[' '!' nondestructive = nondestructive ']'
++ VIRTUAL_ENV=/opt/algo/.venv
++ export VIRTUAL_ENV
++ _OLD_VIRTUAL_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ PATH=/opt/algo/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ export PATH
++ '[' -z '' ']'
++ '[' -z '' ']'
++ _OLD_VIRTUAL_PS1=
++ '[' x '!=' x ']'
+++ basename /opt/algo/.venv
++ PS1='(.venv) '
++ export PS1
++ alias pydoc
++ true
++ '[' -n /usr/bin/bash ']'
++ hash -r
+ python3 -m pip install -U pip virtualenv
WARNING: The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
  Downloading pip-21.3.1-py3-none-any.whl (1.7 MB)
     |████████████████████████████████| 1.7 MB 13.3 MB/s 
Collecting virtualenv
  Downloading virtualenv-20.13.0-py2.py3-none-any.whl (6.5 MB)
     |████████████████████████████████| 6.5 MB 19.8 MB/s 
Collecting platformdirs<3,>=2
  Downloading platformdirs-2.4.1-py3-none-any.whl (14 kB)
Collecting distlib<1,>=0.3.1
  Downloading distlib-0.3.4-py2.py3-none-any.whl (461 kB)
     |████████████████████████████████| 461 kB 53.9 MB/s 
Collecting six<2,>=1.9.0
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting filelock<4,>=3.2
  Downloading filelock-3.4.2-py3-none-any.whl (9.9 kB)
Installing collected packages: pip, platformdirs, distlib, six, filelock, virtualenv
  Attempting uninstall: pip
    Found existing installation: pip 20.0.2
    Uninstalling pip-20.0.2:
      Successfully uninstalled pip-20.0.2
Successfully installed distlib-0.3.4 filelock-3.4.2 pip-21.3.1 platformdirs-2.4.1 six-1.16.0 virtualenv-20.13.0
+ python3 -m pip install -r requirements.txt
WARNING: The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you should use sudo's -H flag.
Collecting ansible-core==2.12.1
  Downloading ansible-core-2.12.1.tar.gz (7.4 MB)
     |████████████████████████████████| 7.4 MB 12.9 MB/s            
  Preparing metadata (setup.py) ... done
Collecting ansible==5.0.1
  Downloading ansible-5.0.1.tar.gz (38.4 MB)
     |████████████████████████████████| 38.4 MB 25.7 MB/s            
  Preparing metadata (setup.py) ... done
Collecting jinja2~=3.0.3
  Downloading Jinja2-3.0.3-py3-none-any.whl (133 kB)
     |████████████████████████████████| 133 kB 89.1 MB/s            
Collecting netaddr
  Downloading netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB)
     |████████████████████████████████| 1.9 MB 55.8 MB/s            
Collecting PyYAML
  Downloading PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (701 kB)
     |████████████████████████████████| 701 kB 61.1 MB/s            
Collecting cryptography
  Downloading cryptography-36.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (3.6 MB)
     |████████████████████████████████| 3.6 MB 53.2 MB/s            
Collecting packaging
  Downloading packaging-21.3-py3-none-any.whl (40 kB)
     |████████████████████████████████| 40 kB 63.1 MB/s            
Collecting resolvelib<0.6.0,>=0.5.3
  Downloading resolvelib-0.5.4-py2.py3-none-any.whl (12 kB)
Collecting MarkupSafe>=2.0
  Downloading MarkupSafe-2.0.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (30 kB)
Collecting cffi>=1.12
  Downloading cffi-1.15.0-cp38-cp38-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (446 kB)
     |████████████████████████████████| 446 kB 61.2 MB/s            
Collecting pyparsing!=3.0.5,>=2.0.2
  Downloading pyparsing-3.0.6-py3-none-any.whl (97 kB)
     |████████████████████████████████| 97 kB 79.3 MB/s            
Collecting pycparser
  Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
     |████████████████████████████████| 118 kB 87.0 MB/s            
Building wheels for collected packages: ansible-core, ansible
  Building wheel for ansible-core (setup.py) ... done
  Created wheel for ansible-core: filename=ansible_core-2.12.1-py3-none-any.whl size=2073412 sha256=1cc80783524337f62e423d49471645320287f064916b085e69c1f2a0a8831608
  Stored in directory: /tmp/pip-ephem-wheel-cache-x4hrm7ht/wheels/34/bd/63/4f3348987a1079c559b4f10f5a8460784d8ac803d46e762d87
  Building wheel for ansible (setup.py) ... done
  Created wheel for ansible: filename=ansible-5.0.1-py3-none-any.whl size=63329150 sha256=dfc4db27abb04e6e3df592097f3dfeecd52f8117fe7affd57dae69e70caa54c9
  Stored in directory: /tmp/pip-ephem-wheel-cache-x4hrm7ht/wheels/49/d9/63/4fbb1645ba5df43761442923fa171897aaab39a0cd969d7361
Successfully built ansible-core ansible
Installing collected packages: pycparser, pyparsing, MarkupSafe, cffi, resolvelib, PyYAML, packaging, jinja2, cryptography, ansible-core, netaddr, ansible
main: line 29:  2863 Killed                  python3 -m pip install -r requirements.txt
ubuntu@ip-172-26-0-161:~$ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
+ set -ex
+ METHOD=cloud
+ ONDEMAND_CELLULAR=false
+ ONDEMAND_WIFI=false
+ ONDEMAND_WIFI_EXCLUDE=_null
+ STORE_PKI=true
+ DNS_ADBLOCKING=false
+ SSH_TUNNELING=false
+ ENDPOINT=localhost
+ USERS=phone
+ REPO_SLUG=trailofbits/algo
+ REPO_BRANCH=master
+ EXTRA_VARS=placeholder=null
+ ANSIBLE_EXTRA_ARGS=
+ cd /opt/
+ test cloud = cloud
+ publicIpFromMetadata
+ curl -s http://169.254.169.254/metadata/v1/vendor-data
+ grep DigitalOcean
++ curl -s http://169.254.169.254/latest/meta-data/services/domain
+ test amazonaws.com = amazonaws.com
++ curl -s http://169.254.169.254/latest/meta-data/public-ipv4
+ ENDPOINT=13.48.104.144
+ echo 13.48.104.144
+ grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'
13.48.104.144
+ export ENDPOINT=13.48.104.144
+ ENDPOINT=13.48.104.144
+ echo 'Using 13.48.104.144 as the endpoint'
Using 13.48.104.144 as the endpoint
+ installRequirements
+ export DEBIAN_FRONTEND=noninteractive
+ DEBIAN_FRONTEND=noninteractive
+ apt-get update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://eu-north-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease
Reading package lists... Done
+ apt-get install python3-virtualenv jq -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
jq is already the newest version (1.6-1ubuntu0.20.04.1).
python3-virtualenv is already the newest version (20.0.17-1ubuntu0.4).
0 upgraded, 0 newly installed, 0 to remove and 224 not upgraded.
+ deployAlgo
+ getAlgo
+ '[' '!' -d algo ']'
+ cd algo
++ command -v python3
+ python3 -m virtualenv --python=/usr/bin/python3 .venv
created virtual environment CPython3.8.2.final.0-64 in 338ms
  creator CPython3Posix(dest=/opt/algo/.venv, clear=False, global=False)
  seeder FromAppData(download=False, pip=latest, setuptools=latest, wheel=latest, pkg_resources=latest, via=copy, app_data_dir=/home/ubuntu/.local/share/virtualenv/seed-app-data/v1.0.1.debian.1)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
+ . .venv/bin/activate
++ '[' .venv/bin/activate = bash ']'
++ deactivate nondestructive
++ unset -f pydoc
++ '[' -z '' ']'
++ '[' -z '' ']'
++ '[' -n /usr/bin/bash ']'
++ hash -r
++ '[' -z '' ']'
++ unset VIRTUAL_ENV
++ '[' '!' nondestructive = nondestructive ']'
++ VIRTUAL_ENV=/opt/algo/.venv
++ export VIRTUAL_ENV
++ _OLD_VIRTUAL_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ PATH=/opt/algo/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ export PATH
++ '[' -z '' ']'
++ '[' -z '' ']'
++ _OLD_VIRTUAL_PS1=
++ '[' x '!=' x ']'
+++ basename /opt/algo/.venv
++ PS1='(.venv) '
++ export PS1
++ alias pydoc
++ true
++ '[' -n /usr/bin/bash ']'
++ hash -r
+ python3 -m pip install -U pip virtualenv
WARNING: The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already up-to-date: pip in ./.venv/lib/python3.8/site-packages (21.3.1)
Requirement already up-to-date: virtualenv in ./.venv/lib/python3.8/site-packages (20.13.0)
Requirement already satisfied, skipping upgrade: filelock<4,>=3.2 in ./.venv/lib/python3.8/site-packages (from virtualenv) (3.4.2)
Requirement already satisfied, skipping upgrade: six<2,>=1.9.0 in ./.venv/lib/python3.8/site-packages (from virtualenv) (1.16.0)
Requirement already satisfied, skipping upgrade: distlib<1,>=0.3.1 in ./.venv/lib/python3.8/site-packages (from virtualenv) (0.3.4)
Requirement already satisfied, skipping upgrade: platformdirs<3,>=2 in ./.venv/lib/python3.8/site-packages (from virtualenv) (2.4.1)
+ python3 -m pip install -r requirements.txt
WARNING: The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: ansible-core==2.12.1 in ./.venv/lib/python3.8/site-packages (from -r requirements.txt (line 1)) (2.12.1)
Requirement already satisfied: ansible==5.0.1 in ./.venv/lib/python3.8/site-packages (from -r requirements.txt (line 2)) (5.0.1)
Requirement already satisfied: jinja2~=3.0.3 in ./.venv/lib/python3.8/site-packages (from -r requirements.txt (line 3)) (3.0.3)
Requirement already satisfied: netaddr in ./.venv/lib/python3.8/site-packages (from -r requirements.txt (line 4)) (0.8.0)
Requirement already satisfied: packaging in ./.venv/lib/python3.8/site-packages (from ansible-core==2.12.1->-r requirements.txt (line 1)) (21.3)
Requirement already satisfied: cryptography in ./.venv/lib/python3.8/site-packages (from ansible-core==2.12.1->-r requirements.txt (line 1)) (36.0.1)
Requirement already satisfied: resolvelib<0.6.0,>=0.5.3 in ./.venv/lib/python3.8/site-packages (from ansible-core==2.12.1->-r requirements.txt (line 1)) (0.5.4)
Requirement already satisfied: PyYAML in ./.venv/lib/python3.8/site-packages (from ansible-core==2.12.1->-r requirements.txt (line 1)) (6.0)
Requirement already satisfied: MarkupSafe>=2.0 in ./.venv/lib/python3.8/site-packages (from jinja2~=3.0.3->-r requirements.txt (line 3)) (2.0.1)
Requirement already satisfied: pyparsing!=3.0.5,>=2.0.2 in ./.venv/lib/python3.8/site-packages (from packaging->ansible-core==2.12.1->-r requirements.txt (line 1)) (3.0.6)
Requirement already satisfied: cffi>=1.12 in ./.venv/lib/python3.8/site-packages (from cryptography->ansible-core==2.12.1->-r requirements.txt (line 1)) (1.15.0)
Requirement already satisfied: pycparser in ./.venv/lib/python3.8/site-packages (from cffi>=1.12->cryptography->ansible-core==2.12.1->-r requirements.txt (line 1)) (2.21)
+ cd /opt/algo
+ . .venv/bin/activate
++ '[' .venv/bin/activate = bash ']'
++ deactivate nondestructive
++ unset -f pydoc
++ '[' -z _ ']'
++ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ export PATH
++ unset _OLD_VIRTUAL_PATH
++ '[' -z '' ']'
++ '[' -n /usr/bin/bash ']'
++ hash -r
++ '[' -z _ ']'
++ PS1=
++ export PS1
++ unset _OLD_VIRTUAL_PS1
++ unset VIRTUAL_ENV
++ '[' '!' nondestructive = nondestructive ']'
++ VIRTUAL_ENV=/opt/algo/.venv
++ export VIRTUAL_ENV
++ _OLD_VIRTUAL_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ PATH=/opt/algo/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
++ export PATH
++ '[' -z '' ']'
++ '[' -z '' ']'
++ _OLD_VIRTUAL_PS1=
++ '[' x '!=' x ']'
+++ basename /opt/algo/.venv
++ PS1='(.venv) '
++ export PS1
++ alias pydoc
++ true
++ '[' -n /usr/bin/bash ']'
++ hash -r
+ export HOME=/root
+ HOME=/root
+ export ANSIBLE_LOCAL_TEMP=/root/.ansible/tmp
+ ANSIBLE_LOCAL_TEMP=/root/.ansible/tmp
+ export ANSIBLE_REMOTE_TEMP=/root/.ansible/tmp
+ ANSIBLE_REMOTE_TEMP=/root/.ansible/tmp
+ tee /var/log/algo.log
++ echo phone
++ jq -Rc 'split(",")'
+ ansible-playbook main.yml -e provider=local -e ondemand_cellular=false -e ondemand_wifi=false -e ondemand_wifi_exclude=_null -e store_pki=true -e dns_adblocking=false -e ssh_tunneling=false -e endpoint=13.48.104.144 -e 'users=["phone"]' -e server=localhost -e ssh_user=root -e placeholder=null --skip-tags debug

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Playbook dir stat] *******************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***********
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: The value '' is not a valid IP address or network, passing this
value to ipaddr filter might result in breaking change in future.

TASK [Ensure the requirements installed] ***************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **********************************
ok: [localhost] => (item=ansible-core==2.12.1)

TASK [Verify Python meets Algo VPN requirements] *******************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ******************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Install the requirements] ************************************************
changed: [localhost]

TASK [Include a provisioning role] *********************************************

TASK [local : Set the facts] ***************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ********************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "13.48.104.144"
}
[WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] *******
ok: [localhost] => (item=localhost)

PLAY [Configure the server and install required software] **********************

TASK [common : Check the system] ***********************************************
ok: [localhost]

TASK [common : include_tasks] **************************************************
included: /opt/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] ***************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] ************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] **********************************
changed: [localhost]

TASK [common : Periodic upgrades configured] ***********************************
changed: [localhost]

TASK [common : Disable MOTD on login and SSHD] *********************************
changed: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] ******************************
changed: [localhost]

TASK [common : Loopback for services configured] *******************************
changed: [localhost]

TASK [common : systemd services enabled and started] ***************************
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ****************************
changed: [localhost]

RUNNING HANDLER [common : restart systemd-resolved] ****************************
changed: [localhost]

TASK [common : Check apparmor support] *****************************************
ok: [localhost]

TASK [common : Set fact if apparmor enabled] ***********************************
ok: [localhost]

TASK [common : Define facts] ***************************************************
ok: [localhost]

TASK [common : Set facts] ******************************************************
ok: [localhost]

TASK [common : Set IPv6 support as a fact] *************************************
ok: [localhost]

TASK [common : Check size of MTU] **********************************************
ok: [localhost]

TASK [common : Set OS specific facts] ******************************************
ok: [localhost]

TASK [common : Install tools] **************************************************
changed: [localhost]

TASK [common : include_tasks] **************************************************
included: /opt/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] ********************************************
changed: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] ********************************************
changed: [localhost] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] **************************************************
changed: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [localhost] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ************************************
changed: [localhost]

TASK [dns : Include tasks for Ubuntu] ******************************************
included: /opt/algo/roles/dns/tasks/ubuntu.yml for localhost

TASK [dns : Install dnscrypt-proxy] ********************************************
changed: [localhost]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *************
changed: [localhost]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ***************
ok: [localhost]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***
changed: [localhost]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] ***
changed: [localhost]

TASK [dns : dnscrypt-proxy ip-blacklist configured] ****************************
changed: [localhost]

TASK [dns : dnscrypt-proxy configured] *****************************************
changed: [localhost]
[WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] *********************************
changed: [localhost]

TASK [dns : dnscrypt-proxy enabled and started] ********************************
ok: [localhost]

TASK [wireguard : Ensure the required directories exist] ***********************
changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//preshared)
changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//private)
changed: [localhost] => (item=configs/13.48.104.144/wireguard//.pki//public)
changed: [localhost] => (item=configs/13.48.104.144/wireguard//apple/ios)
changed: [localhost] => (item=configs/13.48.104.144/wireguard//apple/macos)

TASK [wireguard : Include tasks for Ubuntu] ************************************
included: /opt/algo/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard installed] *****************************************
changed: [localhost]

TASK [wireguard : Set OS specific facts] ***************************************
ok: [localhost]

TASK [wireguard : Generate private keys] ***************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save private keys] *******************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : Touch the lock file] *****************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Generate preshared keys] *************************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save preshared keys] *****************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : Touch the preshared lock file] *******************************
changed: [localhost] => (item=phone)
changed: [localhost] => (item=13.48.104.144)

TASK [wireguard : Generate public keys] ****************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=13.48.104.144)

TASK [wireguard : Save public keys] ********************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=None)
changed: [localhost]

TASK [wireguard : WireGuard user list updated] *********************************
changed: [localhost] => (item=phone)

TASK [wireguard : set_fact] ****************************************************
ok: [localhost]

TASK [wireguard : WireGuard users config generated] ****************************
changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : include_tasks] ***********************************************
included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=ios)
included: /opt/algo/roles/wireguard/tasks/mobileconfig.yml for localhost => (item=macos)

TASK [wireguard : WireGuard apple mobileconfig generated] **********************
changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : WireGuard apple mobileconfig generated] **********************
changed: [localhost] => (item=[0, 'phone'])

TASK [wireguard : Generate QR codes] *******************************************
ok: [localhost] => (item=[0, 'phone'])

TASK [wireguard : WireGuard configured] ****************************************
changed: [localhost]

TASK [wireguard : WireGuard enabled and started] *******************************
changed: [localhost]

RUNNING HANDLER [wireguard : restart wireguard] ********************************
changed: [localhost]

TASK [strongswan : include_tasks] **********************************************
included: /opt/algo/roles/strongswan/tasks/ubuntu.yml for localhost

TASK [strongswan : Set OS specific facts] **************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Install strongSwan] ********************************
changed: [localhost]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] ************
changed: [localhost]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] *********************
ok: [localhost] => (item=/usr/lib/ipsec/charon)
ok: [localhost] => (item=/usr/lib/ipsec/lookip)
ok: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ***********************************
ok: [localhost] => (item=apparmor)
ok: [localhost] => (item=strongswan-starter)
ok: [localhost] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ***
changed: [localhost]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***
changed: [localhost]

TASK [strongswan : Ensure that the strongswan user exists] *********************
ok: [localhost]

TASK [strongswan : Install strongSwan] *****************************************
ok: [localhost]

TASK [strongswan : Setup the config files from our templates] ******************
changed: [localhost] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [localhost] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [localhost] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [localhost] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] *****************************************
ok: [localhost]

TASK [strongswan : Disable unneeded plugins] ***********************************
changed: [localhost] => (item=connmark)
changed: [localhost] => (item=bypass-lan)
changed: [localhost] => (item=rc2)
changed: [localhost] => (item=sha1)
changed: [localhost] => (item=md5)
changed: [localhost] => (item=counters)
changed: [localhost] => (item=resolve)
changed: [localhost] => (item=sshkey)
changed: [localhost] => (item=agent)
changed: [localhost] => (item=xcbc)
changed: [localhost] => (item=mgf1)
changed: [localhost] => (item=xauth-generic)
changed: [localhost] => (item=eap-mschapv2)
changed: [localhost] => (item=updown)
changed: [localhost] => (item=dnskey)
changed: [localhost] => (item=constraints)
changed: [localhost] => (item=pkcs1)
changed: [localhost] => (item=aesni)
changed: [localhost] => (item=drbg)
changed: [localhost] => (item=attr)
changed: [localhost] => (item=gmp)
changed: [localhost] => (item=fips-prf)

TASK [strongswan : Ensure that required plugins are enabled] *******************
changed: [localhost] => (item=aes)
changed: [localhost] => (item=x509)
changed: [localhost] => (item=pkcs7)
changed: [localhost] => (item=nonce)
changed: [localhost] => (item=pkcs8)
changed: [localhost] => (item=gcm)
changed: [localhost] => (item=stroke)
changed: [localhost] => (item=pem)
changed: [localhost] => (item=revocation)
changed: [localhost] => (item=socket-default)
changed: [localhost] => (item=hmac)
changed: [localhost] => (item=pkcs12)
changed: [localhost] => (item=random)
changed: [localhost] => (item=pubkey)
changed: [localhost] => (item=kernel-netlink)
changed: [localhost] => (item=pgp)
changed: [localhost] => (item=sha2)
changed: [localhost] => (item=openssl)

TASK [strongswan : debug] ******************************************************
ok: [localhost] => {
    "subjectAltName": "IP:13.48.104.144,IP:2a05:d016:68d:f200:c553:15be:6c28:e8d8"
}

TASK [strongswan : Ensure the pki directories exist] ***************************
changed: [localhost] => (item=ecparams)
changed: [localhost] => (item=certs)
changed: [localhost] => (item=crl)
changed: [localhost] => (item=newcerts)
changed: [localhost] => (item=private)
changed: [localhost] => (item=public)
changed: [localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] ************************
changed: [localhost] => (item=apple)
changed: [localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] *************************************
changed: [localhost] => (item=.rnd)
changed: [localhost] => (item=private/.rnd)
changed: [localhost] => (item=index.txt)
changed: [localhost] => (item=index.txt.attr)
changed: [localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] ************************
changed: [localhost]

TASK [strongswan : Build the CA pair] ******************************************
changed: [localhost]

TASK [strongswan : Copy the CA certificate] ************************************
changed: [localhost]

TASK [strongswan : Generate the serial number] *********************************
changed: [localhost]

TASK [strongswan : Build the server pair] **************************************
changed: [localhost]

TASK [strongswan : Build the client's pair] ************************************
changed: [localhost] => (item=phone)

TASK [strongswan : Build openssh public keys] **********************************
changed: [localhost] => (item=phone)

TASK [strongswan : Build the client's p12] *************************************
changed: [localhost] => (item=phone)

TASK [strongswan : Build the client's p12 with the CA cert included] ***********
changed: [localhost] => (item=phone)

TASK [strongswan : Copy the p12 certificates] **********************************
changed: [localhost] => (item=phone)

TASK [strongswan : Get active users] *******************************************
changed: [localhost]

TASK [strongswan : Copy the keys to the strongswan directory] ******************
changed: [localhost] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [localhost] => (item={'src': 'certs/13.48.104.144.crt', 'dest': 'certs/13.48.104.144.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [localhost] => (item={'src': 'private/13.48.104.144.key', 'dest': 'private/13.48.104.144.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ********************************
ok: [localhost] => (item=phone)

TASK [strongswan : Set facts for mobileconfigs] ********************************
ok: [localhost]

TASK [strongswan : Build the mobileconfigs] ************************************
changed: [localhost] => (item=None)
changed: [localhost]

TASK [strongswan : Build the client ipsec config file] *************************
changed: [localhost] => (item=phone)

TASK [strongswan : Build the client ipsec secret file] *************************
changed: [localhost] => (item=phone)

TASK [strongswan : Restrict permissions for the local private directories] *****
ok: [localhost]

TASK [strongswan : strongSwan started] *****************************************
ok: [localhost]

RUNNING HANDLER [strongswan : restart strongswan] ******************************
changed: [localhost]

RUNNING HANDLER [strongswan : daemon-reload] ***********************************
ok: [localhost]

TASK [Dump the configuration] **************************************************
changed: [localhost]

TASK [Create a symlink if deploying to localhost] ******************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.28.68.46, fd00::c:442e                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is r15RG4_Sw       #\"\n",
        "    \"#        The CA key password is ueHAJDCWyIa9bbAg       #\"\n",
        "    "
    ]
}

PLAY RECAP *********************************************************************
localhost                  : ok=118  changed=65   unreachable=0    failed=0    skipped=65   rescued=0    ignored=0   

Since you created the Lightsail instance yourself (rather than letting Algo create it for you) make sure you open the necessary ports in the Lightsail firewall. See AlgoVPN and Firewalls.
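A small checker, added here as an example (not Algo's own code or the commenter's), that derives the firewall rules an Algo server needs from the generated WireGuard client config and compares them with the output of `aws lightsail get-instance-port-states`. The WireGuard conf and the port-state list are constructed samples; the IKEv2 ports 500/4500, SSH on 22, and the `fromPort`/`toPort`/`protocol`/`state` field names are assumptions, not values taken from this issue.

```python
import re

# Constructed sample in the shape of Algo's wireguard/phone.conf (placeholder
# keys, not the reporter's real file); only the Endpoint port matters here.
SAMPLE_WG_CONF = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.19.49.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 13.48.104.144:51820
"""

# IKEv2/IPsec (strongSwan) needs UDP 500 (IKE) and 4500 (NAT-T); SSH stays open
# for administration. Assumed standard values, not read from the issue.
FIXED_PORTS = {("udp", 500), ("udp", 4500), ("tcp", 22)}

def wg_endpoint_port(conf: str) -> int:
    """Return the UDP port from the [Peer] Endpoint line (host:port or [v6]:port)."""
    m = re.search(r"^\s*Endpoint\s*=\s*\S+:(\d+)\s*$", conf, re.M)
    if not m:
        raise ValueError("no Endpoint line in WireGuard config")
    return int(m.group(1))

def required_ports(conf: str) -> set:
    """(protocol, port) pairs the Lightsail firewall must allow for this server."""
    return FIXED_PORTS | {("udp", wg_endpoint_port(conf))}

def missing_ports(conf: str, port_states: list) -> set:
    """Required pairs not covered by a portStates list as returned by
    `aws lightsail get-instance-port-states` (fromPort/toPort/protocol/state)."""
    open_ports = set()
    for rule in port_states:
        if rule.get("state") != "open":
            continue  # closed rules do not admit traffic
        proto = rule["protocol"].lower()
        protos = ("tcp", "udp") if proto == "all" else (proto,)
        for pr in protos:
            for port in range(rule["fromPort"], rule["toPort"] + 1):
                open_ports.add((pr, port))
    return required_ports(conf) - open_ports

# Constructed sample of a default-looking Lightsail rule set (only SSH and HTTP
# open), the state in which WireGuard connects but no traffic flows.
SAMPLE_PORT_STATES = [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open"},
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open"},
]
```

`missing_ports(SAMPLE_WG_CONF, SAMPLE_PORT_STATES)` on the sample reports UDP 500, 4500 and 51820 as blocked, which is the symptom this issue describes.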

Great, thank you a lot!