@@ -45,7 +45,7 @@ public class ApiConstants { | |||
public static final String DEFAULT_LOCALE = "en_US"; | |||
public static final String[] ROLES_SAGE = {"common", "nginx", "bubble", "finalizer"}; | |||
public static final String[] ROLES_NODE = {"common", "nginx", "algo", "mitmproxy", "bubble", "finalizer"}; | |||
public static final String[] ROLES_NODE = {"common", "nginx", "bubble", "algo", "mitmproxy", "finalizer"}; | |||
public static final String ANSIBLE_DIR = "ansible"; | |||
public static final List<String> BUBBLE_SCRIPTS = splitAndTrim(stream2string(ANSIBLE_DIR + "/bubble_scripts.txt"), "\n") | |||
@@ -10,10 +10,7 @@ import org.glassfish.grizzly.http.server.Request; | |||
import org.glassfish.jersey.server.ContainerRequest; | |||
import org.springframework.beans.factory.annotation.Autowired; | |||
import javax.ws.rs.Consumes; | |||
import javax.ws.rs.GET; | |||
import javax.ws.rs.PUT; | |||
import javax.ws.rs.Produces; | |||
import javax.ws.rs.*; | |||
import javax.ws.rs.core.Context; | |||
import javax.ws.rs.core.Response; | |||
@@ -42,11 +39,11 @@ public class ComputePackerResource { | |||
return ok(driver.getPackerImages()); | |||
} | |||
@PUT | |||
@PUT @Path("/{type}") | |||
public Response writeImages(@Context Request req, | |||
@Context ContainerRequest ctx) { | |||
packer.writePackerImages(cloud, AnsibleInstallType.sage, null); | |||
packer.writePackerImages(cloud, AnsibleInstallType.node, null); | |||
@Context ContainerRequest ctx, | |||
@PathParam("type") AnsibleInstallType installType) { | |||
packer.writePackerImages(cloud, installType, null); | |||
return ok(); | |||
} | |||
@@ -43,10 +43,6 @@ if [[ -f "${ADMIN_PUB_KEY}" ]] ; then | |||
cat "${ADMIN_PUB_KEY}" >> "${AUTH_KEYS}" | |||
fi | |||
sudo apt-get update -y && apt-get upgrade -y || die "Error in apt update / upgrade" | |||
sudo apt-get -y install python3 python3-pip virtualenv || die "Error apt installing python3 or python3-pip" | |||
sudo pip3 install setuptools psycopg2-binary || die "Error pip3 installing setuptools or psycopg2-binary" | |||
SSH_OPTIONS="--ssh-extra-args '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=publickey -i ${ID_FILE}'" | |||
cd "${ANSIBLE_DIR}" && \ | |||
@@ -1,12 +1,8 @@ | |||
{ | |||
"name": "algo-0.0.1", | |||
"priority": 400, | |||
"template": true, | |||
"install": "node", | |||
"config": [ | |||
{"name": "server_name", "value": "[[node.fqdn]]"}, | |||
{"name": "endpoint", "value": "[[node.ip4]]"}, | |||
{"name": "ssl_port", "value": "[[node.sslPort]]"} | |||
], | |||
"tgzB64": "" | |||
] | |||
} |
@@ -1,32 +1,6 @@ | |||
# | |||
# Copyright (c) 2020 Bubble, Inc. All rights reserved. For personal (non-commercial) use, see license: https://getbubblenow.com/bubble-license/ | |||
# | |||
- name: Unzip algo master.zip | |||
unarchive: | |||
src: master.zip | |||
dest: /root/ansible/roles/algo | |||
- name: Write algo config.cfg.hbs | |||
copy: | |||
src: config.cfg.hbs | |||
dest: /root/ansible/roles/algo/algo/config.cfg.hbs | |||
- name: Install algo_refresh_users script and monitor | |||
copy: | |||
src: "{{ item }}" | |||
dest: "/usr/local/bin/{{ item }}" | |||
owner: root | |||
group: root | |||
mode: 0500 | |||
with_items: | |||
- "algo_refresh_users.sh" | |||
- "algo_refresh_users_monitor.sh" | |||
- name: Install algo_refresh_users_monitor supervisor conf file | |||
copy: | |||
src: supervisor_algo_refresh_users_monitor.conf | |||
dest: /etc/supervisor/conf.d/algo_refresh_users_monitor.conf | |||
- name: Write install_algo.sh template | |||
template: | |||
src: install_algo.sh.j2 | |||
@@ -35,30 +9,17 @@ | |||
group: root | |||
mode: 0500 | |||
- name: Install wg_monitor_connections script | |||
copy: | |||
src: wg_monitor_connections.sh | |||
dest: "/usr/local/sbin/wg_monitor_connections.sh" | |||
owner: root | |||
group: root | |||
mode: 0500 | |||
- name: Install wg_monitor_connections supervisor conf file | |||
copy: | |||
src: supervisor_wg_monitor_connections.conf | |||
dest: /etc/supervisor/conf.d/wg_monitor_connections.conf | |||
# Don't setup algo when in restore mode, bubble_restore_monitor.sh will set it up after the CA key has been restored | |||
- name: Run algo playbook to install algo | |||
shell: /root/ansible/roles/algo/algo/install_algo.sh | |||
when: restore_key is not defined | |||
# Don't start monitors when in restore mode, bubble_restore_monitor.sh will start it after algo is installed | |||
- name: Run algo playbook to install algo | |||
- name: Restart algo monitors | |||
shell: bash -c "supervisorctl reload && sleep 5s && supervisorctl restart algo_refresh_users_monitor && supervisorctl restart wg_monitor_connections" | |||
when: restore_key is not defined | |||
- name: Run algo playbook to install algo | |||
- name: Stop algo monitors (in restore mode) | |||
shell: bash -c "supervisorctl reload && sleep 5s && supervisorctl stop algo_refresh_users_monitor && supervisorctl stop wg_monitor_connections" | |||
when: restore_key is defined | |||
@@ -1,8 +1,5 @@ | |||
{ | |||
"name": "mitmproxy-0.0.1", | |||
"priority": 600, | |||
"template": true, | |||
"install": "node", | |||
"config": [ | |||
{"name": "admin_port", "value": "[[node.adminPort]]"}, | |||
{"name": "bubble_network", "value": "[[node.network]]"}, | |||
@@ -10,6 +7,5 @@ | |||
{"name": "server_name", "value": "[[node.fqdn]]"}, | |||
{"name": "server_alias", "value": "[[network.networkDomain]]"}, | |||
{"name": "ssl_port", "value": "[[node.sslPort]]"} | |||
], | |||
"tgzB64": "" | |||
] | |||
} |
@@ -31,43 +31,9 @@ | |||
mode: 0755 | |||
state: directory | |||
- name: Unzip mitmproxy.zip | |||
unarchive: | |||
src: mitmproxy.zip | |||
dest: /home/mitmproxy/mitmproxy | |||
- name: Copy mitmdump files | |||
copy: | |||
src: "{{ item }}" | |||
dest: "/home/mitmproxy/mitmproxy/{{ item }}" | |||
owner: mitmproxy | |||
group: mitmproxy | |||
mode: 0500 | |||
with_items: | |||
- bubble_api.py | |||
- dns_spoofing.py | |||
- bubble_passthru.py | |||
- bubble_modify.py | |||
- run_mitmdump.sh | |||
- name: Install cert helper scripts | |||
copy: | |||
src: "{{ item }}" | |||
dest: "/usr/local/bin/{{ item }}" | |||
owner: root | |||
group: root | |||
mode: 0500 | |||
with_items: | |||
- install_cert.sh | |||
- set_cert_name.sh | |||
- reuse_bubble_mitm_certs.sh | |||
- name: Set the cert name | |||
shell: set_cert_name.sh /home/mitmproxy/mitmproxy {{ server_alias }} | |||
- name: Set ownership of mitmproxy files | |||
shell: chown -R mitmproxy /home/mitmproxy/mitmproxy | |||
- name: Reuse bubble mitm certs if available | |||
shell: reuse_bubble_mitm_certs.sh | |||
@@ -79,14 +45,6 @@ | |||
group: mitmproxy | |||
mode: 0500 | |||
- name: Fix missing symlink for libstdc++ | |||
file: | |||
src: /usr/lib/x86_64-linux-gnu/libstdc++.so.6 | |||
dest: /usr/lib/x86_64-linux-gnu/libstdc++.so | |||
owner: root | |||
group: root | |||
state: link | |||
- name: Restart dnscrypt-proxy | |||
shell: service dnscrypt-proxy restart | |||
@@ -96,20 +54,5 @@ | |||
enabled: yes | |||
state: restarted | |||
- import_tasks: route.yml | |||
- name: Install mitmdump_monitor | |||
copy: | |||
src: "mitmdump_monitor.sh" | |||
dest: "/usr/local/sbin/mitmdump_monitor.sh" | |||
owner: root | |||
group: root | |||
mode: 0500 | |||
- name: Install mitmdump_monitor supervisor conf file | |||
copy: | |||
src: supervisor_mitmdump_monitor.conf | |||
dest: /etc/supervisor/conf.d/mitmdump_monitor.conf | |||
- name: Ensure mitmdump_monitor is started | |||
shell: supervisorctl restart mitmdump_monitor |
@@ -0,0 +1,24 @@ | |||
--- | |||
algo_dns_adblocking: false | |||
apparmor_enabled: true | |||
dns_encryption: true | |||
ipv6_support: false | |||
dnscrypt_servers: | |||
ipv4: | |||
- cloudflare | |||
ipv6: | |||
- cloudflare-ipv6 | |||
unattended_reboot: | |||
enabled: false | |||
time: 06:00 | |||
local_service_ip: 172.16.0.1 | |||
local_service_ipv6: fd00::1 | |||
ipsec_enabled: true | |||
wireguard_enabled: true | |||
wireguard_port: 51820 | |||
wireguard_port_avoid: 53 | |||
wireguard_port_actual: 51820 |
@@ -0,0 +1,4 @@ | |||
// Automatically upgrade packages from these (origin:archive) pairs | |||
Unattended-Upgrade::Allowed-Origins { | |||
"LP-PPA-shevchuk-dnscrypt-proxy:${distro_codename}"; | |||
}; |
@@ -0,0 +1,29 @@ | |||
#include <tunables/global> | |||
/usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) { | |||
#include <abstractions/base> | |||
#include <abstractions/nameservice> | |||
#include <abstractions/openssl> | |||
capability chown, | |||
capability dac_override, | |||
capability net_bind_service, | |||
capability setgid, | |||
capability setuid, | |||
capability sys_resource, | |||
/etc/dnscrypt-proxy/** r, | |||
/usr/bin/dnscrypt-proxy mr, | |||
/tmp/public-resolvers.md* rw, | |||
/tmp/*.tmp w, | |||
owner /tmp/*.tmp r, | |||
/run/systemd/notify rw, | |||
/lib/x86_64-linux-gnu/ld-*.so mr, | |||
@{PROC}/sys/kernel/hostname r, | |||
@{PROC}/sys/net/core/somaxconn r, | |||
/etc/ld.so.cache r, | |||
/usr/local/lib/{@{multiarch}/,}libldns.so* mr, | |||
/usr/local/lib/{@{multiarch}/,}libsodium.so* mr, | |||
} |
@@ -2,37 +2,11 @@ | |||
# Copyright (c) 2020 Bubble, Inc. All rights reserved. For personal (non-commercial) use, see license: https://getbubblenow.com/bubble-license/ | |||
# | |||
# Insert additional firewall rules to allow required services to function | |||
- name: Allow HTTP | |||
iptables: | |||
chain: INPUT | |||
action: insert | |||
rule_num: 5 | |||
protocol: tcp | |||
destination_port: 80 | |||
ctstate: NEW | |||
syn: match | |||
jump: ACCEPT | |||
comment: Accept new HTTP connections | |||
become: yes | |||
- name: Allow HTTPS | |||
iptables: | |||
chain: INPUT | |||
action: insert | |||
rule_num: 6 | |||
protocol: tcp | |||
destination_port: 443 | |||
ctstate: NEW | |||
syn: match | |||
jump: ACCEPT | |||
comment: Accept new HTTPS connections | |||
become: yes | |||
- name: Allow admin HTTPS on port 1443 | |||
iptables: | |||
chain: INPUT | |||
action: insert | |||
rule_num: 7 | |||
rule_num: 6 | |||
protocol: tcp | |||
destination_port: 1443 | |||
ctstate: NEW | |||
@@ -45,7 +19,7 @@ | |||
iptables: | |||
chain: INPUT | |||
action: insert | |||
rule_num: 8 | |||
rule_num: 7 | |||
protocol: tcp | |||
destination_port: 1080 | |||
ctstate: NEW | |||
@@ -0,0 +1,249 @@ | |||
# From algo/roles/common/tasks/unattended-upgrades.yml | |||
- name: Install unattended-upgrades | |||
apt: | |||
name: [ 'git', 'apparmor-utils', 'uuid-runtime', 'coreutils', 'cgroup-tools', 'openssl', 'gnupg2', 'linux-headers-generic' ] | |||
state: present | |||
update_cache: yes | |||
- name: Configure unattended-upgrades | |||
template: | |||
src: 50unattended-upgrades.j2 | |||
dest: /etc/apt/apt.conf.d/50unattended-upgrades | |||
owner: root | |||
group: root | |||
mode: 0644 | |||
- name: Periodic upgrades configured | |||
template: | |||
src: 10periodic.j2 | |||
dest: /etc/apt/apt.conf.d/10periodic | |||
owner: root | |||
group: root | |||
mode: 0644 | |||
# From algo/roles/common/tasks/ubuntu.yml | |||
- name: Disable MOTD on login and SSHD | |||
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" | |||
with_items: | |||
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } | |||
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } | |||
- name: Loopback for services configured | |||
template: | |||
src: 10-algo-lo100.network.j2 | |||
dest: /etc/systemd/network/10-algo-lo100.network | |||
# notify: | |||
# - restart systemd-networkd | |||
- name: Install algo packages | |||
apt: | |||
name: [ 'git', 'apparmor-utils', 'uuid-runtime', 'coreutils', 'cgroup-tools', 'openssl', 'gnupg2', 'linux-headers-generic' ] | |||
state: present | |||
update_cache: yes | |||
# From algo/roles/common/tasks/iptables.yml | |||
- name: Iptables configured | |||
template: | |||
src: "{{ item.src }}" | |||
dest: "{{ item.dest }}" | |||
owner: root | |||
group: root | |||
mode: 0640 | |||
with_items: | |||
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } | |||
# notify: | |||
# - restart iptables | |||
- name: Iptables configured | |||
template: | |||
src: "{{ item.src }}" | |||
dest: "{{ item.dest }}" | |||
owner: root | |||
group: root | |||
mode: 0640 | |||
when: ipv6_support | |||
with_items: | |||
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } | |||
# notify: | |||
# - restart iptables | |||
# From algo/roles/dns/tasks/dns_adblocking.yml | |||
- name: Adblock script created | |||
template: | |||
src: adblock.sh.j2 | |||
dest: /usr/local/sbin/adblock.sh | |||
owner: root | |||
group: "{{ root_group|default('root') }}" | |||
mode: 0755 | |||
- name: Adblock script added to cron | |||
cron: | |||
name: Adblock hosts update | |||
minute: "{{ range(0, 60) | random }}" | |||
hour: "{{ range(0, 24) | random }}" | |||
job: /usr/local/sbin/adblock.sh | |||
user: root | |||
- name: Update adblock hosts | |||
command: /usr/local/sbin/adblock.sh | |||
changed_when: false | |||
# From algo/roles/dns/tasks/ubuntu.yml | |||
- name: Add the repository | |||
apt_repository: | |||
state: present | |||
codename: "{{ ansible_distribution_release }}" | |||
repo: ppa:shevchuk/dnscrypt-proxy | |||
register: result | |||
until: result is succeeded | |||
retries: 10 | |||
delay: 3 | |||
- name: Install dnscrypt-proxy | |||
apt: | |||
name: dnscrypt-proxy | |||
state: present | |||
update_cache: true | |||
- name: Install Bubble-enhanced dnscrypt-proxy | |||
get_url: | |||
url: https://github.com/getbubblenow/bubble-dist/raw/master/dnscrypt-proxy/dnscrypt-proxy | |||
dest: /usr/bin/dnscrypt-proxy | |||
checksum: sha256:c0c8db69e0ab1ce6b493c65cb848f1b6cca077a6091eaa8207d76d672e12fc18 | |||
owner: root | |||
group: root | |||
mode: 0500 | |||
- block: | |||
- name: Ubuntu | Configure AppArmor policy for dnscrypt-proxy | |||
copy: | |||
src: apparmor.profile.dnscrypt-proxy | |||
dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy | |||
owner: root | |||
group: root | |||
mode: 0600 | |||
# notify: restart dnscrypt-proxy | |||
- name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy | |||
command: aa-enforce usr.bin.dnscrypt-proxy | |||
changed_when: false | |||
tags: apparmor | |||
when: apparmor_enabled|default(false)|bool | |||
- name: Ubuntu | Ensure that the dnscrypt-proxy service directory exist | |||
file: | |||
path: /etc/systemd/system/dnscrypt-proxy.service.d/ | |||
state: directory | |||
mode: 0755 | |||
owner: root | |||
group: root | |||
- name: Ubuntu | Add custom requirements to successfully start the unit | |||
copy: | |||
dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf | |||
content: | | |||
[Unit] | |||
After=systemd-resolved.service | |||
Requires=systemd-resolved.service | |||
[Service] | |||
AmbientCapabilities=CAP_NET_BIND_SERVICE | |||
# notify: | |||
# - restart dnscrypt-proxy | |||
# From algo/roles/wireguard/tasks/main.yml | |||
- name: Ensure the required directories exist | |||
file: | |||
dest: "{{ item }}" | |||
state: directory | |||
recurse: true | |||
with_items: | |||
- "{{ wireguard_pki_path }}/preshared" | |||
- "{{ wireguard_pki_path }}/private" | |||
- "{{ wireguard_pki_path }}/public" | |||
- "{{ wireguard_config_path }}" | |||
delegate_to: localhost | |||
become: false | |||
- name: WireGuard repository configured | |||
apt_repository: | |||
repo: ppa:wireguard/wireguard | |||
state: present | |||
register: result | |||
until: result is succeeded | |||
retries: 10 | |||
delay: 3 | |||
- name: WireGuard installed | |||
apt: | |||
name: wireguard | |||
state: present | |||
update_cache: true | |||
# From algo/roles/strongswan/tasks/ubuntu.yml | |||
- name: Set OS specific facts | |||
set_fact: | |||
strongswan_additional_plugins: [] | |||
- name: Ubuntu | Install strongSwan | |||
apt: | |||
name: strongswan | |||
state: present | |||
update_cache: yes | |||
install_recommends: yes | |||
- block: | |||
# https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238 | |||
- name: Ubuntu | Charon profile for apparmor configured | |||
copy: | |||
dest: /etc/apparmor.d/local/usr.lib.ipsec.charon | |||
content: ' capability setpcap,' | |||
owner: root | |||
group: root | |||
mode: 0644 | |||
# notify: restart strongswan | |||
- name: Ubuntu | Enforcing ipsec with apparmor | |||
command: aa-enforce "{{ item }}" | |||
changed_when: false | |||
with_items: | |||
- /usr/lib/ipsec/charon | |||
- /usr/lib/ipsec/lookip | |||
- /usr/lib/ipsec/stroke | |||
tags: apparmor | |||
when: apparmor_enabled|default(false)|bool | |||
- name: Ubuntu | Enable services | |||
service: name={{ item }} enabled=yes | |||
with_items: | |||
- apparmor | |||
- strongswan | |||
- netfilter-persistent | |||
- name: Ubuntu | Ensure that the strongswan service directory exists | |||
file: | |||
path: /etc/systemd/system/strongswan.service.d/ | |||
state: directory | |||
mode: 0755 | |||
owner: root | |||
group: root | |||
- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon | |||
template: | |||
src: 100-CustomLimitations.conf.j2 | |||
dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf | |||
# notify: | |||
# - daemon-reload | |||
# - restart strongswan | |||
# From algo/roles/strongswan/tasks/main.yml | |||
- name: Ensure that the strongswan user exists | |||
user: | |||
name: strongswan | |||
group: nogroup | |||
shell: "{{ strongswan_shell }}" | |||
home: "{{ strongswan_home }}" | |||
state: present | |||
- name: Install strongSwan | |||
package: name=strongswan state=present |
@@ -3,7 +3,7 @@ | |||
# | |||
- name: Create algo staging directory | |||
file: | |||
path: /root/ansible-staging/roles/algo/algo | |||
path: /root/ansible/roles/algo/algo | |||
owner: root | |||
group: root | |||
mode: 0770 | |||
@@ -12,19 +12,19 @@ | |||
- name: Download algo dist file | |||
get_url: | |||
url: https://github.com/getbubblenow/bubble-dist/raw/master/algo/master.zip | |||
dest: /root/ansible-staging/algo.zip | |||
checksum: sha256:3d5f297d309af9b956525a2cbb40e0dca216fb735cc35befc3d5a5bdd54163a5 | |||
dest: /tmp/algo.zip | |||
checksum: sha256:62070ada76f19ef81e0fb0563af43d76a8dbd77e528866421a445bc4364960cc | |||
- name: Unzip algo master.zip | |||
unarchive: | |||
remote_src: yes | |||
src: /root/ansible-staging/algo.zip | |||
dest: /root/ansible-staging/roles/algo | |||
src: /tmp/algo.zip | |||
dest: /root/ansible/roles/algo | |||
- name: Write algo config.cfg.hbs | |||
copy: | |||
src: config.cfg.hbs | |||
dest: /root/ansible-staging/roles/algo/algo/config.cfg.hbs | |||
dest: /root/ansible/roles/algo/algo/config.cfg.hbs | |||
- name: Install algo_refresh_users script and monitor | |||
copy: | |||
@@ -55,4 +55,5 @@ | |||
src: supervisor_wg_monitor_connections.conf | |||
dest: /etc/supervisor/conf.d/wg_monitor_connections.conf | |||
- include: algo_packer.yml | |||
- include: algo_firewall.yml |
@@ -0,0 +1,7 @@ | |||
[Match] | |||
Name=lo | |||
[Network] | |||
Description=lo:100 | |||
Address={{ local_service_ip }}/32 | |||
Address={{ local_service_ipv6 }}/128 |
@@ -0,0 +1,2 @@ | |||
[Service] | |||
MemoryLimit=16777216 |
@@ -0,0 +1,4 @@ | |||
APT::Periodic::Update-Package-Lists "1"; | |||
APT::Periodic::Download-Upgradeable-Packages "1"; | |||
APT::Periodic::AutocleanInterval "7"; | |||
APT::Periodic::Unattended-Upgrade "1"; |
@@ -0,0 +1,96 @@ | |||
// Automatically upgrade packages from these (origin:archive) pairs | |||
// | |||
// Note that in Ubuntu security updates may pull in new dependencies | |||
// from non-security sources (e.g. chromium). By allowing the release | |||
// pocket these get automatically pulled in. | |||
Unattended-Upgrade::Allowed-Origins { | |||
"${distro_id}:${distro_codename}-security"; | |||
// Extended Security Maintenance; doesn't necessarily exist for | |||
// every release and this system may not have it installed, but if | |||
// available, the policy for updates is such that unattended-upgrades | |||
// should also install from here by default. | |||
"${distro_id}ESM:${distro_codename}"; | |||
"${distro_id}:${distro_codename}-updates"; | |||
// "${distro_id}:${distro_codename}-proposed"; | |||
// "${distro_id}:${distro_codename}-backports"; | |||
}; | |||
// List of packages to not update (regexp are supported) | |||
Unattended-Upgrade::Package-Blacklist { | |||
// "vim"; | |||
// "libc6"; | |||
// "libc6-dev"; | |||
// "libc6-i686"; | |||
}; | |||
// This option will controls whether the development release of Ubuntu will be | |||
// upgraded automatically. | |||
Unattended-Upgrade::DevRelease "false"; | |||
// This option allows you to control if on a unclean dpkg exit | |||
// unattended-upgrades will automatically run | |||
// dpkg --force-confold --configure -a | |||
// The default is true, to ensure updates keep getting installed | |||
Unattended-Upgrade::AutoFixInterruptedDpkg "true"; | |||
// Split the upgrade into the smallest possible chunks so that | |||
// they can be interrupted with SIGTERM. This makes the upgrade | |||
// a bit slower but it has the benefit that shutdown while a upgrade | |||
// is running is possible (with a small delay) | |||
Unattended-Upgrade::MinimalSteps "true"; | |||
// Install all unattended-upgrades when the machine is shutting down | |||
// instead of doing it in the background while the machine is running | |||
// This will (obviously) make shutdown slower | |||
//Unattended-Upgrade::InstallOnShutdown "true"; | |||
// Send email to this address for problems or packages upgrades | |||
// If empty or unset then no email is sent, make sure that you | |||
// have a working mail setup on your system. A package that provides | |||
// 'mailx' must be installed. E.g. "user@example.com" | |||
//Unattended-Upgrade::Mail "root"; | |||
// Set this value to "true" to get emails only on errors. Default | |||
// is to always send a mail if Unattended-Upgrade::Mail is set | |||
//Unattended-Upgrade::MailOnlyOnError "true"; | |||
// Remove unused automatically installed kernel-related packages | |||
// (kernel images, kernel headers and kernel version locked tools). | |||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; | |||
// Do automatic removal of new unused dependencies after the upgrade | |||
// (equivalent to apt-get autoremove) | |||
Unattended-Upgrade::Remove-Unused-Dependencies "true"; | |||
// Automatically reboot *WITHOUT CONFIRMATION* | |||
// if the file /var/run/reboot-required is found after the upgrade | |||
Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}"; | |||
// If automatic reboot is enabled and needed, reboot at the specific | |||
// time instead of immediately | |||
// Default: "now" | |||
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}"; | |||
// Use apt bandwidth limit feature, this example limits the download | |||
// speed to 70kb/sec | |||
//Acquire::http::Dl-Limit "70"; | |||
// Enable logging to syslog. Default is False | |||
Unattended-Upgrade::SyslogEnable "true"; | |||
// Specify syslog facility. Default is daemon | |||
// Unattended-Upgrade::SyslogFacility "daemon"; | |||
// Download and install upgrades only on AC power | |||
// (i.e. skip or gracefully stop updates on battery) | |||
// Unattended-Upgrade::OnlyOnACPower "true"; | |||
// Download and install upgrades only on non-metered connection | |||
// (i.e. skip or gracefully stop updates on a metered connection) | |||
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; | |||
// Keep the custom conffile when upgrading | |||
Dpkg::Options { | |||
"--force-confdef"; | |||
"--force-confold"; | |||
}; |
@@ -0,0 +1,45 @@ | |||
#!/bin/sh | |||
# Block ads, malware, etc.. | |||
TEMP="$(mktemp)" | |||
TEMP_SORTED="$(mktemp)" | |||
WHITELIST="/etc/dnscrypt-proxy/white.list" | |||
BLACKLIST="/etc/dnscrypt-proxy/black.list" | |||
BLOCKHOSTS="{{ config_prefix|default('/') }}etc/dnscrypt-proxy/blacklist.txt" | |||
BLOCKLIST_URLS="{% for url in adblock_lists %}{{ url }} {% endfor %}" | |||
#Delete the old block.hosts to make room for the updates | |||
rm -f $BLOCKHOSTS | |||
echo 'Downloading hosts lists...' | |||
#Download and process the files needed to make the lists (enable/add more, if you want) | |||
for url in $BLOCKLIST_URLS; do | |||
wget --timeout=2 --tries=3 -qO- "$url" | grep -Ev "(localhost)" | grep -Ew "(0.0.0.0|127.0.0.1)" | awk '{sub(/\r$/,"");print $2}' >> "$TEMP" | |||
done | |||
#Add black list, if non-empty | |||
if [ -s "$BLACKLIST" ] | |||
then | |||
echo 'Adding blacklist...' | |||
cat $BLACKLIST >> "$TEMP" | |||
fi | |||
#Sort the download/black lists | |||
awk '/^[^#]/ { print $1 }' "$TEMP" | sort -u > "$TEMP_SORTED" | |||
#Filter (if applicable) | |||
if [ -s "$WHITELIST" ] | |||
then | |||
#Filter the blacklist, suppressing whitelist matches | |||
# This is relatively slow =-( | |||
echo 'Filtering white list...' | |||
grep -v -E "^[[:space:]]*$" $WHITELIST | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - "$TEMP_SORTED" > $BLOCKHOSTS | |||
else | |||
cat "$TEMP_SORTED" > $BLOCKHOSTS | |||
fi | |||
echo 'Restarting dns service...' | |||
#Restart the dns service | |||
systemctl restart dnscrypt-proxy.service | |||
exit 0 |
@@ -0,0 +1,365 @@ | |||
# Options for the charon IKE daemon. | |||
charon { | |||
# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. | |||
# accept_unencrypted_mainmode_messages = no | |||
# Maximum number of half-open IKE_SAs for a single peer IP. | |||
# block_threshold = 5 | |||
# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP | |||
# should be saved under a unique file name derived from the public key of | |||
# the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or | |||
# /etc/swanctl/x509crl (vici), respectively. | |||
# cache_crls = no | |||
# Whether relations in validated certificate chains should be cached in | |||
# memory. | |||
# cert_cache = yes | |||
# Send Cisco Unity vendor ID payload (IKEv1 only). | |||
# cisco_unity = no | |||
# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. | |||
close_ike_on_child_failure = yes | |||
# Number of half-open IKE_SAs that activate the cookie mechanism. | |||
# cookie_threshold = 10 | |||
# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). | |||
# delete_rekeyed = no | |||
# Delay in seconds until inbound IPsec SAs are deleted after rekeyings | |||
# (IKEv2 only). | |||
# delete_rekeyed_delay = 5 | |||
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic | |||
# strength. | |||
# dh_exponent_ansi_x9_42 = yes | |||
# Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal | |||
# missing symbols immediately. | |||
# dlopen_use_rtld_now = no | |||
# DNS server assigned to peer via configuration payload (CP). | |||
# dns1 = | |||
# DNS server assigned to peer via configuration payload (CP). | |||
# dns2 = | |||
# Enable Denial of Service protection using cookies and aggressiveness | |||
# checks. | |||
# dos_protection = yes | |||
# Compliance with the errata for RFC 4753. | |||
# ecp_x_coordinate_only = yes | |||
# Free objects during authentication (might conflict with plugins). | |||
# flush_auth_cfg = no | |||
# Whether to follow IKEv2 redirects (RFC 5685). | |||
# follow_redirects = yes | |||
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment | |||
# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults | |||
# to 1280 (use 0 for address family specific default values, which uses a | |||
# lower value for IPv4). If specified this limit is used for both IPv4 and | |||
# IPv6. | |||
# fragment_size = 1280 | |||
# Name of the group the daemon changes to after startup. | |||
# group = | |||
# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). | |||
half_open_timeout = 5 | |||
# Enable hash and URL support. | |||
# hash_and_url = no | |||
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder. | |||
# i_dont_care_about_security_and_use_aggressive_mode_psk = no | |||
# Whether to ignore the traffic selectors from the kernel's acquire events | |||
# for IKEv2 connections (they are not used for IKEv1). | |||
# ignore_acquire_ts = no | |||
# A space-separated list of routing tables to be excluded from route | |||
# lookups. | |||
# ignore_routing_tables = | |||
# Maximum number of IKE_SAs that can be established at the same time before | |||
# new connection attempts are blocked. | |||
# ikesa_limit = 0 | |||
# Number of exclusively locked segments in the hash table. | |||
# ikesa_table_segments = 1 | |||
# Size of the IKE_SA hash table. | |||
# ikesa_table_size = 1 | |||
# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. | |||
inactivity_close_ike = yes | |||
# Limit new connections based on the current number of half open IKE_SAs, | |||
# see IKE_SA_INIT DROPPING in strongswan.conf(5). | |||
# init_limit_half_open = 0 | |||
# Limit new connections based on the number of queued jobs. | |||
# init_limit_job_load = 0 | |||
# Causes charon daemon to ignore IKE initiation requests. | |||
# initiator_only = no | |||
# Install routes into a separate routing table for established IPsec | |||
# tunnels. | |||
# install_routes = yes | |||
# Install virtual IP addresses. | |||
# install_virtual_ip = yes | |||
# The name of the interface on which virtual IP addresses should be | |||
# installed. | |||
# install_virtual_ip_on = | |||
# Check daemon, libstrongswan and plugin integrity at startup. | |||
# integrity_test = no | |||
# A comma-separated list of network interfaces that should be ignored, if | |||
# interfaces_use is specified this option has no effect. | |||
# interfaces_ignore = | |||
# A comma-separated list of network interfaces that should be used by | |||
# charon. All other interfaces are ignored. | |||
# interfaces_use = | |||
# NAT keep alive interval. | |||
keep_alive = 25s | |||
# Plugins to load in the IKE daemon charon. | |||
# load = | |||
# Determine plugins to load via each plugin's load option. | |||
# load_modular = no | |||
# Initiate IKEv2 reauthentication with a make-before-break scheme. | |||
# make_before_break = no | |||
# Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about | |||
# and track concurrently. | |||
# max_ikev1_exchanges = 3 | |||
# Maximum packet size accepted by charon. | |||
# max_packet = 10000 | |||
# Enable multiple authentication exchanges (RFC 4739). | |||
# multiple_authentication = yes | |||
# WINS servers assigned to peer via configuration payload (CP). | |||
# nbns1 = | |||
# WINS servers assigned to peer via configuration payload (CP). | |||
# nbns2 = | |||
# UDP port used locally. If set to 0 a random port will be allocated. | |||
# port = 500 | |||
# UDP port used locally in case of NAT-T. If set to 0 a random port will be | |||
# allocated. Has to be different from charon.port, otherwise a random port | |||
# will be allocated. | |||
# port_nat_t = 4500 | |||
# Whether to prefer updating SAs to the path with the best route. | |||
# prefer_best_path = no | |||
# Prefer locally configured proposals for IKE/IPsec over supplied ones as | |||
# responder (disabling this can avoid keying retries due to | |||
# INVALID_KE_PAYLOAD notifies). | |||
# prefer_configured_proposals = yes | |||
# By default public IPv6 addresses are preferred over temporary ones (RFC | |||
# 4941), to make connections more stable. Enable this option to reverse | |||
# this. | |||
# prefer_temporary_addrs = no | |||
# Process RTM_NEWROUTE and RTM_DELROUTE events. | |||
# process_route = yes | |||
# Delay in ms for receiving packets, to simulate larger RTT. | |||
# receive_delay = 0 | |||
# Delay request messages. | |||
# receive_delay_request = yes | |||
# Delay response messages. | |||
# receive_delay_response = yes | |||
# Specific IKEv2 message type to delay, 0 for any. | |||
# receive_delay_type = 0 | |||
# Size of the AH/ESP replay window, in packets. | |||
# replay_window = 32 | |||
# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION | |||
# in strongswan.conf(5). | |||
# retransmit_base = 1.8 | |||
# Maximum jitter in percent to apply randomly to calculated retransmission | |||
# timeout (0 to disable). | |||
# retransmit_jitter = 0 | |||
# Upper limit in seconds for calculated retransmission timeout (0 to | |||
# disable). | |||
# retransmit_limit = 0 | |||
# Timeout in seconds before sending first retransmit. | |||
# retransmit_timeout = 4.0 | |||
# Number of times to retransmit a packet before giving up. | |||
# retransmit_tries = 5 | |||
# Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if | |||
# DNS resolution failed), 0 to disable retries. | |||
# retry_initiate_interval = 0 | |||
# Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). | |||
reuse_ikesa = yes | |||
# Numerical routing table to install routes to. | |||
# routing_table = | |||
# Priority of the routing table. | |||
# routing_table_prio = | |||
# Whether to use RSA with PSS padding instead of PKCS#1 padding by default. | |||
# rsa_pss = no | |||
# Delay in ms for sending packets, to simulate larger RTT. | |||
# send_delay = 0 | |||
# Delay request messages. | |||
# send_delay_request = yes | |||
# Delay response messages. | |||
# send_delay_response = yes | |||
# Specific IKEv2 message type to delay, 0 for any. | |||
# send_delay_type = 0 | |||
# Send strongSwan vendor ID payload | |||
# send_vendor_id = no | |||
# Whether to enable Signature Authentication as per RFC 7427. | |||
# signature_authentication = yes | |||
# Whether to enable constraints against IKEv2 signature schemes. | |||
# signature_authentication_constraints = yes | |||
# The upper limit for SPIs requested from the kernel for IPsec SAs. | |||
# spi_max = 0xcfffffff | |||
# The lower limit for SPIs requested from the kernel for IPsec SAs. | |||
# spi_min = 0xc0000000 | |||
# Number of worker threads in charon. | |||
# threads = 16 | |||
# Name of the user the daemon changes to after startup. | |||
# user = | |||
crypto_test { | |||
# Benchmark crypto algorithms and order them by efficiency. | |||
# bench = no | |||
# Buffer size used for crypto benchmark. | |||
# bench_size = 1024 | |||
# Number of iterations to test each algorithm. | |||
# bench_time = 50 | |||
# Test crypto algorithms during registration (requires test vectors | |||
# provided by the test-vectors plugin). | |||
# on_add = no | |||
# Test crypto algorithms on each crypto primitive instantiation. | |||
# on_create = no | |||
# Strictly require at least one test vector to enable an algorithm. | |||
# required = no | |||
# Whether to test RNG with TRUE quality; requires a lot of entropy. | |||
# rng_true = no | |||
} | |||
host_resolver { | |||
# Maximum number of concurrent resolver threads (they are terminated if | |||
# unused). | |||
# max_threads = 3 | |||
# Minimum number of resolver threads to keep around. | |||
# min_threads = 0 | |||
} | |||
leak_detective { | |||
# Includes source file names and line numbers in leak detective output. | |||
# detailed = yes | |||
# Threshold in bytes for leaks to be reported (0 to report all). | |||
# usage_threshold = 10240 | |||
# Threshold in number of allocations for leaks to be reported (0 to | |||
# report all). | |||
# usage_threshold_count = 0 | |||
} | |||
processor { | |||
# Section to configure the number of reserved threads per priority class | |||
# see JOB PRIORITY MANAGEMENT in strongswan.conf(5). | |||
priority_threads { | |||
} | |||
} | |||
# Section containing a list of scripts (name = path) that are executed when | |||
# the daemon is started. | |||
start-scripts { | |||
} | |||
# Section containing a list of scripts (name = path) that are executed when | |||
# the daemon is terminated. | |||
stop-scripts { | |||
} | |||
tls { | |||
# List of TLS encryption ciphers. | |||
# cipher = | |||
# List of TLS key exchange methods. | |||
# key_exchange = | |||
# List of TLS MAC algorithms. | |||
# mac = | |||
# List of TLS cipher suites. | |||
# suites = | |||
} | |||
x509 { | |||
# Discard certificates with unsupported or unknown critical extensions. | |||
# enforce_critical = yes | |||
} | |||
} |
@@ -0,0 +1,23 @@ | |||
conn algovpn-{{ IP_subject_alt_name }} | |||
fragmentation=yes | |||
rekey=no | |||
dpdaction=clear | |||
keyexchange=ikev2 | |||
compress=no | |||
dpddelay=35s | |||
ike={{ ciphers.defaults.ike }} | |||
esp={{ ciphers.defaults.esp }} | |||
right={{ IP_subject_alt_name }} | |||
rightid={{ IP_subject_alt_name }} | |||
rightsubnet={{ rightsubnet | default('0.0.0.0/0') }} | |||
rightauth=pubkey | |||
leftsourceip=%config | |||
leftauth=pubkey | |||
leftcert={{ item }}.crt | |||
leftfirewall=yes | |||
left=%defaultroute | |||
auto=add |
@@ -0,0 +1 @@ | |||
{{ IP_subject_alt_name }} : ECDSA {{ item }}.key |
@@ -0,0 +1,568 @@ | |||
############################################## | |||
# # | |||
# dnscrypt-proxy configuration # | |||
# # | |||
############################################## | |||
## This is an example configuration file. | |||
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" | |||
## | |||
## Online documentation is available here: https://dnscrypt.info/doc | |||
################################## | |||
# Global settings # | |||
################################## | |||
## List of servers to use | |||
## | |||
## Servers from the "public-resolvers" source (see down below) can | |||
## be viewed here: https://dnscrypt.info/public-servers | |||
## | |||
## If this line is commented, all registered servers matching the require_* filters | |||
## will be used. | |||
## | |||
## The proxy will automatically pick the fastest, working servers from the list. | |||
## Remove the leading # first to enable this; lines starting with # are ignored. | |||
{# Allow either list to be empty. Output nothing if both are empty. #} | |||
{% set servers = [] %} | |||
{% if dnscrypt_servers.ipv4 %}{% set servers = dnscrypt_servers.ipv4 %}{% endif %} | |||
{% if ipv6_support and dnscrypt_servers.ipv6 %}{% set servers = servers + dnscrypt_servers.ipv6 %}{% endif %} | |||
{% if servers %}server_names = ['{{ servers | join("', '") }}']{% endif %} | |||
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. | |||
## Note: When using systemd socket activation, choose an empty set (i.e. [] ). | |||
listen_addresses = [ | |||
'{{ local_service_ip }}:53'{% if ipv6_support %}, | |||
'[{{ local_service_ipv6 }}]:53'{% endif %} | |||
] | |||
## Maximum number of simultaneous client connections to accept | |||
max_clients = 250 | |||
## Switch to a different system user after listening sockets have been created. | |||
## Note (1): this feature is currently unsupported on Windows. | |||
## Note (2): this feature is not compatible with systemd socket activation. | |||
## Note (3): when using -pidfile, the PID file directory must be writable by the new user | |||
# user_name = 'nobody' | |||
## Require servers (from static + remote sources) to satisfy specific properties | |||
# Use servers reachable over IPv4 | |||
ipv4_servers = true | |||
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity | |||
ipv6_servers = {{ ipv6_support | bool | lower }} | |||
# Use servers implementing the DNSCrypt protocol | |||
dnscrypt_servers = true | |||
# Use servers implementing the DNS-over-HTTPS protocol | |||
doh_servers = true | |||
## Require servers defined by remote sources to satisfy specific properties | |||
# Server must support DNS security extensions (DNSSEC) | |||
require_dnssec = true | |||
# Server must not log user queries (declarative) | |||
require_nolog = true | |||
# Server must not enforce its own blacklist (for parental control, ads blocking...) | |||
require_nofilter = true | |||
# Server names to avoid even if they match all criteria | |||
disabled_server_names = [] | |||
## Always use TCP to connect to upstream servers. | |||
## This can be useful if you need to route everything through Tor. | |||
## Otherwise, leave this to `false`, as it doesn't improve security | |||
## (dnscrypt-proxy will always encrypt everything even using UDP), and can | |||
## only increase latency. | |||
force_tcp = false | |||
## SOCKS proxy | |||
## Uncomment the following line to route all TCP connections to a local Tor node | |||
## Tor doesn't support UDP, so set `force_tcp` to `true` as well. | |||
# proxy = "socks5://127.0.0.1:9050" | |||
## HTTP/HTTPS proxy | |||
## Only for DoH servers | |||
# http_proxy = "http://127.0.0.1:8888" | |||
## How long a DNS query will wait for a response, in milliseconds | |||
timeout = 2500 | |||
## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds | |||
keepalive = 30 | |||
## Use the REFUSED return code for blocked responses | |||
## Setting this to `false` means that some responses will be lies. | |||
## Unfortunately, `false` appears to be required for Android 8+ | |||
refused_code_in_responses = false | |||
## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random' | |||
lb_strategy = 'p2' | |||
## Set to `true` to constantly try to estimate the latency of all the resolvers | |||
## and adjust the load-balancing parameters accordingly, or to `false` to disable. | |||
# lb_estimator = true | |||
## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) | |||
log_level = 2 | |||
## log file for the application | |||
# log_file = 'dnscrypt-proxy.log' | |||
## Use the system logger (syslog on Unix, Event Log on Windows) | |||
use_syslog = true | |||
## Delay, in minutes, after which certificates are reloaded | |||
cert_refresh_delay = 240 | |||
## DNSCrypt: Create a new, unique key for every single DNS query | |||
## This may improve privacy but can also have a significant impact on CPU usage | |||
## Only enable if you don't have a lot of network load | |||
dnscrypt_ephemeral_keys = true | |||
## DoH: Disable TLS session tickets - increases privacy but also latency | |||
tls_disable_session_tickets = true | |||
## DoH: Use a specific cipher suite instead of the server preference | |||
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |||
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |||
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | |||
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | |||
## 4865 = TLS_AES_128_GCM_SHA256 | |||
## 4867 = TLS_CHACHA20_POLY1305_SHA256 | |||
## | |||
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), | |||
## the following suite improves performance. | |||
## This may also help on Intel CPUs running 32-bit operating systems. | |||
## | |||
## Keep tls_cipher_suite empty if you have issues fetching sources or | |||
## connecting to some DoH servers. Google and Cloudflare are fine with it. | |||
# tls_cipher_suite = [52392, 49199] | |||
## Fallback resolver | |||
## This is a normal, non-encrypted DNS resolver, that will be only used | |||
## for one-shot queries when retrieving the initial resolvers list, and | |||
## only if the system DNS configuration doesn't work. | |||
## No user application queries will ever be leaked through this resolver, | |||
## and it will not be used after IP addresses of resolvers URLs have been found. | |||
## It will never be used if lists have already been cached, and if stamps | |||
## don't include host names without IP addresses. | |||
## It will not be used if the configured system DNS works. | |||
## A resolver supporting DNSSEC is recommended. This may become mandatory. | |||
## | |||
## People in China may need to use 114.114.114.114:53 here. | |||
## Other popular options include 8.8.8.8 and 1.1.1.1. | |||
fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}' | |||
## Never let dnscrypt-proxy try to use the system DNS settings; | |||
## unconditionally use the fallback resolver. | |||
ignore_system_dns = true | |||
## Maximum time (in seconds) to wait for network connectivity before | |||
## initializing the proxy. | |||
## Useful if the proxy is automatically started at boot, and network | |||
## connectivity is not guaranteed to be immediately available. | |||
## Use 0 to not test for connectivity at all (not recommended), | |||
## and -1 to wait as much as possible. | |||
netprobe_timeout = 60 | |||
## Address and port to try initializing a connection to, just to check | |||
## if the network is up. It can be any address and any port, even if | |||
## there is nothing answering these on the other side. Just don't use | |||
## a local address, as the goal is to check for Internet connectivity. | |||
## On Windows, a datagram with a single, nul byte will be sent, only | |||
## when the system starts. | |||
## On other operating systems, the connection will be initialized | |||
## but nothing will be sent at all. | |||
netprobe_address = "1.1.1.1:53" | |||
## Offline mode - Do not use any remote encrypted servers. | |||
## The proxy will remain fully functional to respond to queries that | |||
## plugins can handle directly (forwarding, cloaking, ...) | |||
# offline_mode = false | |||
## Automatic log files rotation | |||
# Maximum log files size in MB | |||
log_files_max_size = 10 | |||
# How long to keep backup files, in days | |||
log_files_max_age = 7 | |||
# Maximum log files backups to keep (or 0 to keep all backups) | |||
log_files_max_backups = 1 | |||
######################### | |||
# Filters # | |||
######################### | |||
## Immediately respond to IPv6-related queries with an empty response | |||
## This makes things faster when there is no IPv6 connectivity, but can | |||
## also cause reliability issues with some stub resolvers. | |||
## Do not enable if you added a validating resolver such as dnsmasq in front | |||
## of the proxy. | |||
block_ipv6 = false | |||
################################################################################## | |||
# Route queries for specific domains to a dedicated set of servers # | |||
################################################################################## | |||
## Example map entries (one entry per line): | |||
## example.com 9.9.9.9 | |||
## example.net 9.9.9.9,8.8.8.8,1.1.1.1 | |||
# forwarding_rules = 'forwarding-rules.txt' | |||
############################### | |||
# Cloaking rules # | |||
############################### | |||
## Cloaking returns a predefined address for a specific name. | |||
## In addition to acting as a HOSTS file, it can also return the IP address | |||
## of a different name. It will also do CNAME flattening. | |||
## | |||
## Example map entries (one entry per line) | |||
## example.com 10.1.1.1 | |||
## www.google.com forcesafesearch.google.com | |||
# cloaking_rules = 'cloaking-rules.txt' | |||
########################### | |||
# DNS cache # | |||
########################### | |||
## Enable a DNS cache to reduce latency and outgoing traffic | |||
cache = true | |||
## Cache size | |||
cache_size = 512 | |||
## Minimum TTL for cached entries | |||
cache_min_ttl = 600 | |||
## Maximum TTL for cached entries | |||
cache_max_ttl = 86400 | |||
## Minimum TTL for negatively cached entries | |||
cache_neg_min_ttl = 60 | |||
## Maximum TTL for negatively cached entries | |||
cache_neg_max_ttl = 600 | |||
############################### | |||
# Bubble resolver cache # | |||
############################### | |||
## Cache name->IP resolutions in redis. This allows cert-pinned sites and apps to function properly. | |||
## When mitmproxy is performing SSL interception, it will check the name of the IP in redis | |||
## If the name is on the "TLS Passthu" whitelist, then SSL interception will not be performed | |||
[reverse_resolve_cache] | |||
## Redis configuration for cache | |||
prefix = 'bubble_dns_' | |||
############################### | |||
# Query logging # | |||
############################### | |||
## Log client queries to a file | |||
[query_log] | |||
## Path to the query log file (absolute, or relative to the same directory as the executable file) | |||
# file = 'query.log' | |||
## Query log format (currently supported: tsv and ltsv) | |||
format = 'tsv' | |||
## Do not log these query types, to reduce verbosity. Keep empty to log everything. | |||
# ignored_qtypes = ['DNSKEY', 'NS'] | |||
############################################ | |||
# Suspicious queries logging # | |||
############################################ | |||
## Log queries for nonexistent zones | |||
## These queries can reveal the presence of malware, broken/obsolete applications, | |||
## and devices signaling their presence to 3rd parties. | |||
[nx_log] | |||
## Path to the query log file (absolute, or relative to the same directory as the executable file) | |||
# file = 'nx.log' | |||
## Query log format (currently supported: tsv and ltsv) | |||
format = 'tsv' | |||
###################################################### | |||
# Pattern-based blocking (blacklists) # | |||
###################################################### | |||
## Blacklists are made of one pattern per line. Example of valid patterns: | |||
## | |||
## example.com | |||
## =example.com | |||
## *sex* | |||
## ads.* | |||
## ads*.example.* | |||
## ads*.example[0-9]*.com | |||
## | |||
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/ | |||
## A script to build blacklists from public feeds can be found in the | |||
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code. | |||
[blacklist] | |||
## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) | |||
{{ "blacklist_file = 'blacklist.txt'" if algo_dns_adblocking else "" }} | |||
## Optional path to a file logging blocked queries | |||
# log_file = 'blocked.log' | |||
## Optional log format: tsv or ltsv (default: tsv) | |||
# log_format = 'tsv' | |||
########################################################### | |||
# Pattern-based IP blocking (IP blacklists) # | |||
########################################################### | |||
## IP blacklists are made of one pattern per line. Example of valid patterns: | |||
## | |||
## 127.* | |||
## fe80:abcd:* | |||
## 192.168.1.4 | |||
[ip_blacklist] | |||
## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) | |||
blacklist_file = 'ip-blacklist.txt' | |||
## Optional path to a file logging blocked queries | |||
# log_file = 'ip-blocked.log' | |||
## Optional log format: tsv or ltsv (default: tsv) | |||
# log_format = 'tsv' | |||
###################################################### | |||
# Pattern-based whitelisting (blacklists bypass) # | |||
###################################################### | |||
## Whitelists support the same patterns as blacklists | |||
## If a name matches a whitelist entry, the corresponding session | |||
## will bypass names and IP filters. | |||
## | |||
## Time-based rules are also supported to make some websites only accessible at specific times of the day. | |||
[whitelist] | |||
## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) | |||
# whitelist_file = 'whitelist.txt' | |||
## Optional path to a file logging whitelisted queries | |||
# log_file = 'whitelisted.log' | |||
## Optional log format: tsv or ltsv (default: tsv) | |||
# log_format = 'tsv' | |||
########################################## | |||
# Time access restrictions # | |||
########################################## | |||
## One or more weekly schedules can be defined here. | |||
## Patterns in the name-based blocklist can optionally be followed with @schedule_name | |||
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule. | |||
## | |||
## For example, the following rule in a blacklist file: | |||
## *.youtube.* @time-to-sleep | |||
## would block access to YouTube only during the days, and period of the days | |||
## define by the 'time-to-sleep' schedule. | |||
## | |||
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 | |||
## {after= '9:00', before='18:00'} matches 9:00-18:00 | |||
[schedules] | |||
# [schedules.'time-to-sleep'] | |||
# mon = [{after='21:00', before='7:00'}] | |||
# tue = [{after='21:00', before='7:00'}] | |||
# wed = [{after='21:00', before='7:00'}] | |||
# thu = [{after='21:00', before='7:00'}] | |||
# fri = [{after='23:00', before='7:00'}] | |||
# sat = [{after='23:00', before='7:00'}] | |||
# sun = [{after='21:00', before='7:00'}] | |||
# [schedules.'work'] | |||
# mon = [{after='9:00', before='18:00'}] | |||
# tue = [{after='9:00', before='18:00'}] | |||
# wed = [{after='9:00', before='18:00'}] | |||
# thu = [{after='9:00', before='18:00'}] | |||
# fri = [{after='9:00', before='17:00'}] | |||
######################### | |||
# Servers # | |||
######################### | |||
## Remote lists of available servers | |||
## Multiple sources can be used simultaneously, but every source | |||
## requires a dedicated cache file. | |||
## | |||
## Refer to the documentation for URLs of public sources. | |||
## | |||
## A prefix can be prepended to server names in order to | |||
## avoid collisions if different sources share the same for | |||
## different servers. In that case, names listed in `server_names` | |||
## must include the prefixes. | |||
## | |||
## If the `urls` property is missing, cache files and valid signatures | |||
## must be already present; This doesn't prevent these cache files from | |||
## expiring after `refresh_delay` hours. | |||
[sources] | |||
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers | |||
[sources.'public-resolvers'] | |||
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] | |||
cache_file = '/tmp/public-resolvers.md' | |||
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' | |||
prefix = '' | |||
## Quad9 over DNSCrypt - https://quad9.net/ | |||
# [sources.quad9-resolvers] | |||
# urls = ["https://www.quad9.net/quad9-resolvers.md"] | |||
# minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN" | |||
# cache_file = "quad9-resolvers.md" | |||
# prefix = "quad9-" | |||
## Another example source, with resolvers censoring some websites not appropriate for children | |||
## This is a subset of the `public-resolvers` list, so enabling both is useless | |||
# [sources.'parental-control'] | |||
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'] | |||
# cache_file = 'parental-control.md' | |||
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' | |||
## Optional, local, static list of additional servers | |||
## Mostly useful for testing your own servers. | |||
[static] | |||
# [static.'myserver'] | |||
# stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' |
@@ -0,0 +1,44 @@ | |||
0.0.0.0 | |||
10.* | |||
127.* | |||
169.254.* | |||
172.16.* | |||
172.17.* | |||
172.18.* | |||
172.19.* | |||
172.20.* | |||
172.21.* | |||
172.22.* | |||
172.23.* | |||
172.24.* | |||
172.25.* | |||
172.26.* | |||
172.27.* | |||
172.28.* | |||
172.29.* | |||
172.30.* | |||
172.31.* | |||
192.168.* | |||
::ffff:0.0.0.0 | |||
::ffff:10.* | |||
::ffff:127.* | |||
::ffff:169.254.* | |||
::ffff:172.16.* | |||
::ffff:172.17.* | |||
::ffff:172.18.* | |||
::ffff:172.19.* | |||
::ffff:172.20.* | |||
::ffff:172.21.* | |||
::ffff:172.22.* | |||
::ffff:172.23.* | |||
::ffff:172.24.* | |||
::ffff:172.25.* | |||
::ffff:172.26.* | |||
::ffff:172.27.* | |||
::ffff:172.28.* | |||
::ffff:172.29.* | |||
::ffff:172.30.* | |||
::ffff:172.31.* | |||
::ffff:192.168.* | |||
fd00::* | |||
fe80::* |
@@ -0,0 +1,35 @@ | |||
config setup | |||
uniqueids=never # allow multiple connections per user | |||
charondebug="ike {{ strongswan_log_level }}, knl {{ strongswan_log_level }}, cfg {{ strongswan_log_level }}, net {{ strongswan_log_level }}, esp {{ strongswan_log_level }}, dmn {{ strongswan_log_level }}, mgr {{ strongswan_log_level }}" | |||
conn %default | |||
fragmentation=yes | |||
rekey=no | |||
dpdaction=clear | |||
keyexchange=ikev2 | |||
compress=yes | |||
dpddelay=35s | |||
lifetime=3h | |||
ikelifetime=12h | |||
ike={{ ciphers.defaults.ike }} | |||
esp={{ ciphers.defaults.esp }} | |||
left=%any | |||
leftauth=pubkey | |||
leftid={{ IP_subject_alt_name }} | |||
leftcert={{ IP_subject_alt_name }}.crt | |||
leftsendcert=always | |||
leftsubnet=0.0.0.0/0,::/0 | |||
right=%any | |||
rightauth=pubkey | |||
rightsourceip={{ strongswan_network }},{{ strongswan_network_ipv6 }} | |||
{% if algo_dns_adblocking or dns_encryption %} | |||
rightdns={{ local_service_ip }}{{ ',' + local_service_ipv6 if ipv6_support else '' }} | |||
{% else %} | |||
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} | |||
{% endif %} | |||
conn ikev2-pubkey | |||
auto=add |
@@ -0,0 +1 @@ | |||
: ECDSA {{ IP_subject_alt_name }}.key |
@@ -0,0 +1,197 @@ | |||
#jinja2:lstrip_blocks: True | |||
<?xml version="1.0" encoding="UTF-8"?> | |||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |||
<plist version="1.0"> | |||
<dict> | |||
<key>PayloadContent</key> | |||
<array> | |||
<dict> | |||
<key>IKEv2</key> | |||
<dict> | |||
<key>OnDemandEnabled</key> | |||
<integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer> | |||
<key>OnDemandRules</key> | |||
<array> | |||
{% if algo_ondemand_wifi or algo_ondemand_cellular %} | |||
{% if algo_ondemand_wifi_exclude|b64decode != '_null' %} | |||
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %} | |||
<dict> | |||
<key>Action</key> | |||
<string>Disconnect</string> | |||
<key>InterfaceTypeMatch</key> | |||
<string>WiFi</string> | |||
<key>SSIDMatch</key> | |||
<array> | |||
{% for network_name in WIFI_EXCLUDE_LIST %} | |||
<string>{{ network_name|e }}</string> | |||
{% endfor %} | |||
</array> | |||
</dict> | |||
{% endif %} | |||
<dict> | |||
<key>Action</key> | |||
{% if algo_ondemand_wifi %} | |||
<string>Connect</string> | |||
{% else %} | |||
<string>Disconnect</string> | |||
{% endif %} | |||
<key>InterfaceTypeMatch</key> | |||
<string>WiFi</string> | |||
<key>URLStringProbe</key> | |||
<string>http://captive.apple.com/hotspot-detect.html</string> | |||
</dict> | |||
<dict> | |||
<key>Action</key> | |||
{% if algo_ondemand_cellular %} | |||
<string>Connect</string> | |||
{% else %} | |||
<string>Disconnect</string> | |||
{% endif %} | |||
<key>InterfaceTypeMatch</key> | |||
<string>Cellular</string> | |||
<key>URLStringProbe</key> | |||
<string>http://captive.apple.com/hotspot-detect.html</string> | |||
</dict> | |||
{% endif %} | |||
<dict> | |||
<key>Action</key> | |||
<string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string> | |||
</dict> | |||
</array> | |||
<key>AuthenticationMethod</key> | |||
<string>Certificate</string> | |||
<key>ChildSecurityAssociationParameters</key> | |||
<dict> | |||
<key>DiffieHellmanGroup</key> | |||
<integer>20</integer> | |||
<key>EncryptionAlgorithm</key> | |||
<string>AES-256-GCM</string> | |||
<key>IntegrityAlgorithm</key> | |||
<string>SHA2-512</string> | |||
<key>LifeTimeInMinutes</key> | |||
<integer>1440</integer> | |||
</dict> | |||
<key>DeadPeerDetectionRate</key> | |||
<string>Medium</string> | |||
<key>DisableMOBIKE</key> | |||
<integer>0</integer> | |||
<key>DisableRedirect</key> | |||
<integer>1</integer> | |||
<key>EnableCertificateRevocationCheck</key> | |||
<integer>0</integer> | |||
<key>EnablePFS</key> | |||
<true/> | |||
<key>IKESecurityAssociationParameters</key> | |||
<dict> | |||
<key>DiffieHellmanGroup</key> | |||
<integer>20</integer> | |||
<key>EncryptionAlgorithm</key> | |||
<string>AES-256-GCM</string> | |||
<key>IntegrityAlgorithm</key> | |||
<string>SHA2-512</string> | |||
<key>LifeTimeInMinutes</key> | |||
<integer>1440</integer> | |||
</dict> | |||
<key>LocalIdentifier</key> | |||
<string>{{ item.0 }}</string> | |||
<key>PayloadCertificateUUID</key> | |||
<string>{{ pkcs12_PayloadCertificateUUID }}</string> | |||
<key>CertificateType</key> | |||
<string>ECDSA384</string> | |||
<key>ServerCertificateIssuerCommonName</key> | |||
<string>{{ IP_subject_alt_name }}</string> | |||
<key>RemoteAddress</key> | |||
<string>{{ IP_subject_alt_name }}</string> | |||
<key>RemoteIdentifier</key> | |||
<string>{{ IP_subject_alt_name }}</string> | |||
<key>UseConfigurationAttributeInternalIPSubnet</key> | |||
<integer>0</integer> | |||
</dict> | |||
<key>IPv4</key> | |||
<dict> | |||
<key>OverridePrimary</key> | |||
<integer>1</integer> | |||
</dict> | |||
<key>PayloadDescription</key> | |||
<string>Configures VPN settings</string> | |||
<key>PayloadDisplayName</key> | |||
<string>{{ algo_server_name }}</string> | |||
<key>PayloadIdentifier</key> | |||
<string>com.apple.vpn.managed.{{ VPN_PayloadIdentifier }}</string> | |||
<key>PayloadType</key> | |||
<string>com.apple.vpn.managed</string> | |||
<key>PayloadUUID</key> | |||
<string>{{ VPN_PayloadIdentifier }}</string> | |||
<key>PayloadVersion</key> | |||
<real>1</real> | |||
<key>Proxies</key> | |||
<dict> | |||
<key>HTTPEnable</key> | |||
<integer>0</integer> | |||
<key>HTTPSEnable</key> | |||
<integer>0</integer> | |||
</dict> | |||
<key>UserDefinedName</key> | |||
<string>AlgoVPN {{ algo_server_name }} IKEv2</string> | |||
<key>VPNType</key> | |||
<string>IKEv2</string> | |||
</dict> | |||
<dict> | |||
<key>Password</key> | |||
<string>{{ p12_export_password }}</string> | |||
<key>PayloadCertificateFileName</key> | |||
<string>{{ item.0 }}.p12</string> | |||
<key>PayloadContent</key> | |||
<data> | |||
{{ item.1.stdout }} | |||
</data> | |||
<key>PayloadDescription</key> | |||
<string>Adds a PKCS#12-formatted certificate</string> | |||
<key>PayloadDisplayName</key> | |||
<string>{{ algo_server_name }}</string> | |||
<key>PayloadIdentifier</key> | |||
<string>com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }}</string> | |||
<key>PayloadType</key> | |||
<string>com.apple.security.pkcs12</string> | |||
<key>PayloadUUID</key> | |||
<string>{{ pkcs12_PayloadCertificateUUID }}</string> | |||
<key>PayloadVersion</key> | |||
<integer>1</integer> | |||
</dict> | |||
<dict> | |||
<key>PayloadCertificateFileName</key> | |||
<string>ca.crt</string> | |||
<key>PayloadContent</key> | |||
<data> | |||
{{ PayloadContentCA }} | |||
</data> | |||
<key>PayloadDescription</key> | |||
<string>Adds a CA root certificate</string> | |||
<key>PayloadDisplayName</key> | |||
<string>{{ algo_server_name }}</string> | |||
<key>PayloadIdentifier</key> | |||
<string>com.apple.security.root.{{ CA_PayloadIdentifier }}</string> | |||
<key>PayloadType</key> | |||
<string>com.apple.security.root</string> | |||
<key>PayloadUUID</key> | |||
<string>{{ CA_PayloadIdentifier }}</string> | |||
<key>PayloadVersion</key> | |||
<integer>1</integer> | |||
</dict> | |||
</array> | |||
<key>PayloadDisplayName</key> | |||
<string>AlgoVPN {{ algo_server_name }} IKEv2</string> | |||
<key>PayloadIdentifier</key> | |||
<string>donut.local.{{ 500000 | random | to_uuid | upper }}</string> | |||
<key>PayloadOrganization</key> | |||
<string>AlgoVPN</string> | |||
<key>PayloadRemovalDisallowed</key> | |||
<false/> | |||
<key>PayloadType</key> | |||
<string>Configuration</string> | |||
<key>PayloadUUID</key> | |||
<string>{{ 400000 | random | to_uuid | upper }}</string> | |||
<key>PayloadVersion</key> | |||
<integer>1</integer> | |||
</dict> | |||
</plist> |
@@ -0,0 +1,139 @@ | |||
# For use with Easy-RSA 3.0 and OpenSSL 1.0.* | |||
RANDFILE = .rnd | |||
#################################################################### | |||
[ ca ] | |||
default_ca = CA_default # The default ca section | |||
#################################################################### | |||
[ CA_default ] | |||
dir = . # Where everything is kept | |||
certs = $dir # Where the issued certs are kept | |||
crl_dir = $dir # Where the issued crl are kept | |||
database = $dir/index.txt # database index file. | |||
new_certs_dir = $dir/certs # default place for new certs. | |||
certificate = $dir/cacert.pem # The CA certificate | |||
serial = $dir/serial # The current serial number | |||
crl = $dir/crl.pem # The current CRL | |||
private_key = $dir/private/cakey.pem # The private key | |||
RANDFILE = $dir/private/.rand # private random number file | |||
x509_extensions = basic_exts # The extentions to add to the cert | |||
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA | |||
# is designed for will. In return, we get the Issuer attached to CRLs. | |||
crl_extensions = crl_ext | |||
default_days = 3650 # how long to certify for | |||
default_crl_days= 3650 # how long before next CRL | |||
default_md = sha256 # use public key default MD | |||
preserve = no # keep passed DN ordering | |||
# A few difference way of specifying how similar the request should look | |||
# For type CA, the listed attributes must be the same, and the optional | |||
# and supplied fields are just that :-) | |||
policy = policy_anything | |||
# For the 'anything' policy, which defines allowed DN fields | |||
[ policy_anything ] | |||
countryName = optional | |||
stateOrProvinceName = optional | |||
localityName = optional | |||
organizationName = optional | |||
organizationalUnitName = optional | |||
commonName = supplied | |||
name = optional | |||
emailAddress = optional | |||
#################################################################### | |||
# Easy-RSA request handling | |||
# We key off $DN_MODE to determine how to format the DN | |||
[ req ] | |||
default_bits = 2048 | |||
default_keyfile = privkey.pem | |||
default_md = sha256 | |||
distinguished_name = cn_only | |||
x509_extensions = easyrsa_ca # The extentions to add to the self signed cert | |||
# A placeholder to handle the $EXTRA_EXTS feature: | |||
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it | |||
#################################################################### | |||
# Easy-RSA DN (Subject) handling | |||
# Easy-RSA DN for cn_only support: | |||
[ cn_only ] | |||
commonName = Common Name (eg: your user, host, or server name) | |||
commonName_max = 64 | |||
commonName_default = {{ IP_subject_alt_name }} | |||
# Easy-RSA DN for org support: | |||
[ org ] | |||
countryName = Country Name (2 letter code) | |||
countryName_default = US | |||
countryName_min = 2 | |||
countryName_max = 2 | |||
stateOrProvinceName = State or Province Name (full name) | |||
stateOrProvinceName_default = California | |||
localityName = Locality Name (eg, city) | |||
localityName_default = San Francisco | |||
0.organizationName = Organization Name (eg, company) | |||
0.organizationName_default = Copyleft Certificate Co | |||
organizationalUnitName = Organizational Unit Name (eg, section) | |||
organizationalUnitName_default = My Organizational Unit | |||
commonName = Common Name (eg: your user, host, or server name) | |||
commonName_max = 64 | |||
commonName_default = {{ IP_subject_alt_name }} | |||
emailAddress = Email Address | |||
emailAddress_default = me@example.net | |||
emailAddress_max = 64 | |||
#################################################################### | |||
# Easy-RSA cert extension handling | |||
# This section is effectively unused as the main script sets extensions | |||
# dynamically. This core section is left to support the odd usecase where | |||
# a user calls openssl directly. | |||
[ basic_exts ] | |||
basicConstraints = CA:FALSE | |||
subjectKeyIdentifier = hash | |||
authorityKeyIdentifier = keyid,issuer:always | |||
extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17 | |||
keyUsage = digitalSignature, keyEncipherment | |||
# The Easy-RSA CA extensions | |||
[ easyrsa_ca ] | |||
# PKIX recommendations: | |||
subjectKeyIdentifier=hash | |||
authorityKeyIdentifier=keyid:always,issuer:always | |||
# This could be marked critical, but it's nice to support reading by any | |||
# broken clients who attempt to do so. | |||
basicConstraints = CA:true | |||
# Limit key usage to CA tasks. If you really want to use the generated pair as | |||
# a self-signed cert, comment this out. | |||
keyUsage = cRLSign, keyCertSign | |||
# nsCertType omitted by default. Let's try to let the deprecated stuff die. | |||
# nsCertType = sslCA | |||
# CRL extensions. | |||
[ crl_ext ] | |||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. | |||
# issuerAltName=issuer:copy | |||
authorityKeyIdentifier=keyid:always,issuer:always |
@@ -0,0 +1,111 @@ | |||
{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %} | |||
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %} | |||
#### The mangle table | |||
# This table allows us to modify packet headers | |||
# Packets enter this table first | |||
# | |||
*mangle | |||
:PREROUTING ACCEPT [0:0] | |||
:INPUT ACCEPT [0:0] | |||
:FORWARD ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
{% if reduce_mtu|int > 0 and ipsec_enabled %} | |||
-A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu|int }} | |||
{% endif %} | |||
COMMIT | |||
#### The nat table | |||
# This table enables Network Address Translation | |||
# (This is technically a type of packet mangling) | |||
# | |||
*nat | |||
:PREROUTING ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %} | |||
# Handle the special case of allowing access to WireGuard over an already used | |||
# port like 53 | |||
-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }} | |||
{% endif %} | |||
# Allow traffic from the VPN network to the outside world, and replies | |||
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE | |||
COMMIT | |||
#### The filter table | |||
# The default ipfilter table | |||
# | |||
*filter | |||
# By default, drop packets that are destined for this server | |||
:INPUT DROP [0:0] | |||
# By default, drop packets that request to be forwarded by this server | |||
:FORWARD DROP [0:0] | |||
# By default, accept any packets originating from this server | |||
:OUTPUT ACCEPT [0:0] | |||
# Accept packets destined for localhost | |||
-A INPUT -i lo -j ACCEPT | |||
# Accept any packet from an open TCP connection | |||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
# Accept packets using the encapsulation protocol | |||
-A INPUT -p esp -j ACCEPT | |||
-A INPUT -p ah -j ACCEPT | |||
# rate limit ICMP traffic per source | |||
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT | |||
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }} | |||
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT | |||
# Allow new traffic to port 22 (SSH) | |||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT | |||
{% if ipsec_enabled %} | |||
# Allow any traffic from the IPsec VPN | |||
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT | |||
{% endif %} | |||
# TODO: | |||
# The IP of the resolver should be bound to a DUMMY interface. | |||
# DUMMY interfaces are the proper way to install IPs without assigning them any | |||
# particular virtual (tun,tap,...) or physical (ethernet) interface. | |||
# Accept DNS traffic to the local DNS resolver | |||
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT | |||
# Drop traffic between VPN clients | |||
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }} | |||
# Drop traffic to VPN clients from SSH tunnels | |||
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }} | |||
# Drop traffic to the link-local network | |||
-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP | |||
# Drop traffic to the link-local network from SSH tunnels | |||
-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP | |||
# Forward any packet that's part of an established connection | |||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
# Drop SMB/CIFS traffic that requests to be forwarded | |||
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }} | |||
# Drop NETBIOS trafic that requests to be forwarded | |||
-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }} | |||
-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }} | |||
{% if ipsec_enabled %} | |||
# Forward any IPSEC traffic from the VPN network | |||
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network }} -m policy --pol ipsec --dir in -j ACCEPT | |||
{% endif %} | |||
{% if wireguard_enabled %} | |||
# Forward any traffic from the WireGuard VPN network | |||
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv4 }} -m policy --pol none --dir in -j ACCEPT | |||
{% endif %} | |||
COMMIT |
@@ -0,0 +1,119 @@ | |||
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %} | |||
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %} | |||
#### The mangle table | |||
# This table allows us to modify packet headers | |||
# Packets enter this table first | |||
# | |||
*mangle | |||
:PREROUTING ACCEPT [0:0] | |||
:INPUT ACCEPT [0:0] | |||
:FORWARD ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
{% if reduce_mtu|int > 0 and ipsec_enabled %} | |||
-A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu|int }} | |||
{% endif %} | |||
COMMIT | |||
#### The nat table | |||
# This table enables Network Address Translation | |||
# (This is technically a type of packet mangling) | |||
# | |||
*nat | |||
:PREROUTING ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %} | |||
# Handle the special case of allowing access to WireGuard over an already used | |||
# port like 53 | |||
-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }} | |||
{% endif %} | |||
# Allow traffic from the VPN network to the outside world, and replies | |||
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE | |||
COMMIT | |||
#### The filter table | |||
# The default ipfilter table | |||
# | |||
*filter | |||
# By default, drop packets that are destined for this server | |||
:INPUT DROP [0:0] | |||
# By default, drop packets that request to be forwarded by this server | |||
:FORWARD DROP [0:0] | |||
# By default, accept any packets originating from this server | |||
:OUTPUT ACCEPT [0:0] | |||
# Create the ICMPV6-CHECK chain and its log chain | |||
# These chains are used later to prevent a type of bug that would | |||
# allow malicious traffic to reach over the server into the private network | |||
# An instance of such a bug on Cisco software is described here: | |||
# https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/ | |||
# other software implementations might be at least as broken as the one in CISCO gear. | |||
:ICMPV6-CHECK - [0:0] | |||
:ICMPV6-CHECK-LOG - [0:0] | |||
# Accept packets destined for localhost | |||
-A INPUT -i lo -j ACCEPT | |||
# Accept any packet from an open TCP connection | |||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
# Accept packets using the encapsulation protocol | |||
-A INPUT -p esp -j ACCEPT | |||
-A INPUT -m ah -j ACCEPT | |||
# rate limit ICMP traffic per source | |||
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT | |||
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }} | |||
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT | |||
# Allow new traffic to port 22 (SSH) | |||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT | |||
# Accept properly formatted Neighbor Discovery Protocol packets | |||
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | |||
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT | |||
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT | |||
-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT | |||
# DHCP in AWS | |||
-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT | |||
# TODO: | |||
# The IP of the resolver should be bound to a DUMMY interface. | |||
# DUMMY interfaces are the proper way to install IPs without assigning them any | |||
# particular virtual (tun,tap,...) or physical (ethernet) interface. | |||
# Accept DNS traffic to the local DNS resolver | |||
-A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT | |||
# Drop traffic between VPN clients | |||
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }} | |||
# Drop traffic to VPN clients from SSH tunnels | |||
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }} | |||
-A FORWARD -j ICMPV6-CHECK | |||
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }} | |||
-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }} | |||
-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }} | |||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
{% if ipsec_enabled %} | |||
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT | |||
{% endif %} | |||
{% if wireguard_enabled %} | |||
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv6 }} -m policy --pol none --dir in -j ACCEPT | |||
{% endif %} | |||
# Use the ICMPV6-CHECK chain, described above | |||
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-solicitation -j ICMPV6-CHECK-LOG | |||
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-advertisement -j ICMPV6-CHECK-LOG | |||
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-solicitation -j ICMPV6-CHECK-LOG | |||
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-advertisement -j ICMPV6-CHECK-LOG | |||
-A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP " | |||
-A ICMPV6-CHECK-LOG -j DROP | |||
COMMIT |
@@ -0,0 +1,28 @@ | |||
# strongswan.conf - strongSwan configuration file | |||
# | |||
# Refer to the strongswan.conf(5) manpage for details | |||
# | |||
# Configuration changes should be made in the included files | |||
charon { | |||
load_modular = yes | |||
plugins { | |||
include strongswan.d/charon/*.conf | |||
} | |||
user = strongswan | |||
group = nogroup | |||
{% if ansible_distribution == 'FreeBSD' %} | |||
filelog { | |||
charon { | |||
path = /var/log/charon.log | |||
time_format = %b %e %T | |||
ike_name = yes | |||
append = no | |||
default = 1 | |||
flush_line = yes | |||
} | |||
} | |||
{% endif %} | |||
} | |||
include strongswan.d/*.conf |
@@ -99,8 +99,7 @@ | |||
dest: /etc/supervisor/conf.d/bubble_peer_manager.conf | |||
when: fw_enable_admin | |||
- include: sage.yml | |||
when: install_type == 'sage' | |||
- include: rules.yml | |||
- name: Creates /etc/iptables directory | |||
file: | |||
@@ -34,13 +34,13 @@ | |||
- name: Download mitmproxy dist file | |||
get_url: | |||
url: https://github.com/getbubblenow/bubble-dist/raw/master/mitmproxy/mitmproxy.zip | |||
dest: /root/ansible-staging/mitmproxy.zip | |||
dest: /tmp/mitmproxy.zip | |||
checksum: sha256:c578ca9da75777a30f7af065583e5e29e65336a2dc346d6453dfa9c002a8bcc2 | |||
- name: Unzip mitmproxy.zip | |||
unarchive: | |||
remote_src: yes | |||
src: /root/ansible-staging/mitmproxy.zip | |||
src: /tmp/mitmproxy.zip | |||
dest: /home/mitmproxy/mitmproxy | |||
- name: Copy mitmdump files | |||
@@ -72,9 +72,6 @@ | |||
- name: Set ownership of mitmproxy files | |||
shell: chown -R mitmproxy /home/mitmproxy/mitmproxy | |||
- name: Reuse bubble mitm certs if available | |||
shell: reuse_bubble_mitm_certs.sh | |||
- name: Fix missing symlink for libstdc++ | |||
file: | |||
src: /usr/lib/x86_64-linux-gnu/libstdc++.so.6 | |||
@@ -18,7 +18,7 @@ | |||
iptables: | |||
chain: INPUT | |||
action: insert | |||
rule_num: 9 | |||
rule_num: 7 | |||
protocol: tcp | |||
destination_port: 8888 | |||
ctstate: NEW | |||