

  1. #!/usr/bin/env bash
  2. set -e
  3. ACTIVATE_SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/env/bin/activate"
  4. if [ -f "$ACTIVATE_SCRIPT" ]
  5. then
  6. source $ACTIVATE_SCRIPT
  7. else
  8. echo "$ACTIVATE_SCRIPT not found. Did you follow documentation to install dependencies?"
  9. exit 1
  10. fi
  11. SKIP_TAGS="_null encrypted"
  12. ADDITIONAL_PROMPT="[pasted values will not be displayed]"
  13. additional_roles () {
  14. read -p "
  15. Do you want macOS/iOS clients to enable \"VPN On Demand\" when connected to cellular networks?
  16. [y/N]: " -r OnDemandEnabled_Cellular
  17. OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
  18. if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
  19. read -p "
  20. Do you want macOS/iOS clients to enable \"VPN On Demand\" when connected to Wi-Fi?
  21. [y/N]: " -r OnDemandEnabled_WIFI
  22. OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n}
  23. if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi
  24. if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then
  25. read -p "
  26. List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
  27. : " -r OnDemandEnabled_WIFI_EXCLUDE
  28. OnDemandEnabled_WIFI_EXCLUDE=${OnDemandEnabled_WIFI_EXCLUDE:-_null}
  29. EXTRA_VARS+=" OnDemandEnabled_WIFI_EXCLUDE=\"$OnDemandEnabled_WIFI_EXCLUDE\""
  30. fi
  31. read -p "
  32. Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
  33. [y/N]: " -r dns_enabled
  34. dns_enabled=${dns_enabled:-n}
  35. if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi
  36. read -p "
  37. Do you want each user to have their own account for SSH tunneling?
  38. [y/N]: " -r ssh_tunneling_enabled
  39. ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
  40. if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
  41. read -p "
  42. Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
  43. [y/N]: " -r security_enabled
  44. security_enabled=${security_enabled:-n}
  45. if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
  46. read -p "
  47. Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
  48. [y/N]: " -r Win10_Enabled
  49. Win10_Enabled=${Win10_Enabled:-n}
  50. if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
  51. read -p "
  52. Do you want to retain the CA key? (required to add users in the future, but less secure)
  53. [y/N]: " -r Store_CAKEY
  54. Store_CAKEY=${Store_CAKEY:-N}
  55. if [[ "$Store_CAKEY" =~ ^(n|N)$ ]]; then EXTRA_VARS+=" Store_CAKEY=N"; fi
  56. }
#######################################
# Run the deploy playbook with everything collected by the provider and
# additional_roles prompts.
# Globals:   ROLES, EXTRA_VARS, SKIP_TAGS (read; space-separated lists)
# NOTE: EXTRA_VARS carries the provider credentials and is handed to
# ansible-playbook as a command-line argument, so it is visible in the
# process list for the duration of the run.
#######################################
deploy () {
  local tags skip
  tags=${ROLES// /,}
  skip=${SKIP_TAGS// /,}
  local -a playbook_args=(deploy.yml -t "$tags" -e "${EXTRA_VARS}" --skip-tags "$skip")
  ansible-playbook "${playbook_args[@]}"
}
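#######################################
# Collect Azure credentials, server name and region.
# Globals:   ADDITIONAL_PROMPT, ssh_public_key (read)
#            ROLES, EXTRA_VARS (written)
# Outputs:   prompts on the terminal; exits 1 on an unknown region number
# NOTE: the credentials end up in EXTRA_VARS, which deploy() passes on the
# ansible-playbook command line (visible in the process list); a vars file
# with restrictive permissions (-e @file) would avoid that exposure.
#######################################
azure () {
  read -p "
Enter your azure secret id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md)
You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
$ADDITIONAL_PROMPT
[...]: " -rs azure_secret
  read -p "
Enter your azure tenant id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md)
You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
$ADDITIONAL_PROMPT
[...]: " -rs azure_tenant
  read -p "
Enter your azure client id (application id) (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md)
You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
$ADDITIONAL_PROMPT
[...]: " -rs azure_client_id
  read -p "
Enter your azure subscription id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md)
You can skip this step if you want to use your defaults credentials from ~/.azure/credentials
$ADDITIONAL_PROMPT
[...]: " -rs azure_subscription_id
  read -p "
Name the vpn server:
[algo]: " -r azure_server_name
  azure_server_name=${azure_server_name:-algo}
  read -p "
What region should the server be located in? (https://azure.microsoft.com/en-us/regions/)
1. South Central US
2. Central US
3. North Europe
4. West Europe
5. Southeast Asia
6. Japan West
7. Japan East
8. Australia Southeast
9. Australia East
10. Canada Central
11. West US 2
12. West Central US
13. UK South
14. UK West
15. West US
16. Brazil South
17. Canada East
18. Central India
19. East Asia
20. Germany Central
21. Germany Northeast
22. Korea Central
23. Korea South
24. North Central US
25. South India
26. West India
27. East US
28. East US 2
Enter the number of your desired region:
[1]: " -r azure_region
  azure_region=${azure_region:-1}
  case "$azure_region" in
    1) region="southcentralus" ;;
    2) region="centralus" ;;
    3) region="northeurope" ;;
    4) region="westeurope" ;;
    5) region="southeastasia" ;;
    6) region="japanwest" ;;
    7) region="japaneast" ;;
    8) region="australiasoutheast" ;;
    9) region="australiaeast" ;;
    10) region="canadacentral" ;;
    11) region="westus2" ;;
    12) region="westcentralus" ;;
    13) region="uksouth" ;;
    14) region="ukwest" ;;
    15) region="westus" ;;
    16) region="brazilsouth" ;;
    17) region="canadaeast" ;;
    18) region="centralindia" ;;
    19) region="eastasia" ;;
    20) region="germanycentral" ;;
    21) region="germanynortheast" ;;
    22) region="koreacentral" ;;
    23) region="koreasouth" ;;
    24) region="northcentralus" ;;
    25) region="southindia" ;;
    26) region="westindia" ;;
    27) region="eastus" ;;
    28) region="eastus2" ;;
    # Previously an unknown number silently produced an empty region= for the playbook.
    *) echo "Unknown region number: $azure_region. exiting." >&2; exit 1 ;;
  esac
  ROLES="azure vpn cloud"
  EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region"
}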
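#######################################
# Collect the DigitalOcean API token, server name and region.
# Globals:   ADDITIONAL_PROMPT (read)
#            ROLES, EXTRA_VARS (written)
# Outputs:   prompts on the terminal; exits 1 on an unknown region number
# NOTE: the token ends up in EXTRA_VARS, which deploy() passes on the
# ansible-playbook command line (visible in the process list).
#######################################
digitalocean () {
  read -p "
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
$ADDITIONAL_PROMPT
: " -rs do_access_token
  read -p "
Name the vpn server:
[algo.local]: " -r do_server_name
  do_server_name=${do_server_name:-algo.local}
  read -p "
What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
[7]: " -r region
  region=${region:-7}
  case "$region" in
    1) do_region="ams2" ;;
    2) do_region="ams3" ;;
    3) do_region="fra1" ;;
    4) do_region="lon1" ;;
    5) do_region="nyc1" ;;
    6) do_region="nyc2" ;;
    7) do_region="nyc3" ;;
    8) do_region="sfo1" ;;
    9) do_region="sfo2" ;;
    10) do_region="sgp1" ;;
    11) do_region="tor1" ;;
    12) do_region="blr1" ;;
    # Previously an unknown number silently produced an empty do_region= for the playbook.
    *) echo "Unknown region number: $region. exiting." >&2; exit 1 ;;
  esac
  ROLES="digitalocean vpn cloud"
  EXTRA_VARS="do_access_token=$do_access_token do_server_name=$do_server_name do_region=$do_region"
}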
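#######################################
# Collect AWS credentials, server name and region.
# Globals:   ADDITIONAL_PROMPT, ssh_public_key (read)
#            ROLES, EXTRA_VARS (written)
# Outputs:   prompts on the terminal; exits 1 on an unknown region number
# NOTE: the access/secret key end up in EXTRA_VARS, which deploy() passes on
# the ansible-playbook command line (visible in the process list).
#######################################
ec2 () {
  read -p "
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
$ADDITIONAL_PROMPT
[AKIA...]: " -rs aws_access_key
  read -p "
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
$ADDITIONAL_PROMPT
[ABCD...]: " -rs aws_secret_key
  read -p "
Name the vpn server:
[algo]: " -r aws_server_name
  aws_server_name=${aws_server_name:-algo}
  read -p "
What region should the server be located in?
1. us-east-1 US East (N. Virginia)
2. us-east-2 US East (Ohio)
3. us-west-1 US West (N. California)
4. us-west-2 US West (Oregon)
5. ap-south-1 Asia Pacific (Mumbai)
6. ap-northeast-2 Asia Pacific (Seoul)
7. ap-southeast-1 Asia Pacific (Singapore)
8. ap-southeast-2 Asia Pacific (Sydney)
9. ap-northeast-1 Asia Pacific (Tokyo)
10. eu-central-1 EU (Frankfurt)
11. eu-west-1 EU (Ireland)
12. eu-west-2 EU (London)
13. ca-central-1 Canada (Central)
14. sa-east-1 São Paulo
Enter the number of your desired region:
[1]: " -r aws_region
  aws_region=${aws_region:-1}
  case "$aws_region" in
    1) region="us-east-1" ;;
    2) region="us-east-2" ;;
    3) region="us-west-1" ;;
    4) region="us-west-2" ;;
    5) region="ap-south-1" ;;
    6) region="ap-northeast-2" ;;
    7) region="ap-southeast-1" ;;
    8) region="ap-southeast-2" ;;
    9) region="ap-northeast-1" ;;
    10) region="eu-central-1" ;;
    11) region="eu-west-1" ;;
    12) region="eu-west-2" ;;
    13) region="ca-central-1" ;;
    14) region="sa-east-1" ;;
    # Previously an unknown number silently produced an empty region= for the playbook.
    *) echo "Unknown region number: $aws_region. exiting." >&2; exit 1 ;;
  esac
  ROLES="ec2 vpn cloud"
  EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
}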
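#######################################
# Collect the GCE service-account credentials path, server name and zone.
# Globals:   ssh_public_key (read)
#            ROLES, EXTRA_VARS (written)
# Outputs:   prompts on the terminal; exits 1 on an unknown zone number
#######################################
gce () {
  read -p "
Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):
: " -r credentials_file
  read -p "
Name the vpn server:
[algo]: " -r server_name
  server_name=${server_name:-algo}
  read -p "
What zone should the server be located in?
1. Western US (Oregon A)
2. Western US (Oregon B)
3. Western US (Oregon C)
4. Central US (Iowa A)
5. Central US (Iowa B)
6. Central US (Iowa C)
7. Central US (Iowa F)
8. Eastern US (Northern Virginia A)
9. Eastern US (Northern Virginia B)
10. Eastern US (Northern Virginia C)
11. Eastern US (South Carolina B)
12. Eastern US (South Carolina C)
13. Eastern US (South Carolina D)
14. Western Europe (Belgium B)
15. Western Europe (Belgium C)
16. Western Europe (Belgium D)
17. Western Europe (London A)
18. Western Europe (London B)
19. Western Europe (London C)
20. Western Europe (Frankfurt A)
21. Western Europe (Frankfurt B)
22. Western Europe (Frankfurt C)
23. Southeast Asia (Singapore A)
24. Southeast Asia (Singapore B)
25. East Asia (Taiwan A)
26. East Asia (Taiwan B)
27. East Asia (Taiwan C)
28. Northeast Asia (Tokyo A)
29. Northeast Asia (Tokyo B)
30. Northeast Asia (Tokyo C)
31. Australia (Sydney A)
32. Australia (Sydney B)
33. Australia (Sydney C)
34. South America (São Paulo A)
35. South America (São Paulo B)
36. South America (São Paulo C)
Please choose the number of your zone. Press enter for default (#14) zone.
[14]: " -r region
  region=${region:-14}
  case "$region" in
    1) zone="us-west1-a" ;;
    2) zone="us-west1-b" ;;
    3) zone="us-west1-c" ;;
    4) zone="us-central1-a" ;;
    5) zone="us-central1-b" ;;
    6) zone="us-central1-c" ;;
    7) zone="us-central1-f" ;;
    8) zone="us-east4-a" ;;
    9) zone="us-east4-b" ;;
    10) zone="us-east4-c" ;;
    11) zone="us-east1-b" ;;
    12) zone="us-east1-c" ;;
    13) zone="us-east1-d" ;;
    14) zone="europe-west1-b" ;;
    15) zone="europe-west1-c" ;;
    16) zone="europe-west1-d" ;;
    17) zone="europe-west2-a" ;;
    18) zone="europe-west2-b" ;;
    19) zone="europe-west2-c" ;;
    20) zone="europe-west3-a" ;;
    21) zone="europe-west3-b" ;;
    22) zone="europe-west3-c" ;;
    23) zone="asia-southeast1-a" ;;
    24) zone="asia-southeast1-b" ;;
    25) zone="asia-east1-a" ;;
    26) zone="asia-east1-b" ;;
    27) zone="asia-east1-c" ;;
    28) zone="asia-northeast1-a" ;;
    29) zone="asia-northeast1-b" ;;
    30) zone="asia-northeast1-c" ;;
    31) zone="australia-southeast1-a" ;;
    32) zone="australia-southeast1-b" ;;
    33) zone="australia-southeast1-c" ;;
    34) zone="southamerica-east1-a" ;;
    35) zone="southamerica-east1-b" ;;
    36) zone="southamerica-east1-c" ;;
    # Previously an unknown number silently produced an empty zone= for the playbook.
    *) echo "Unknown zone number: $region. exiting." >&2; exit 1 ;;
  esac
  ROLES="gce vpn cloud"
  # max_mss is fixed here for GCE; the playbook receives it as an extra var.
  EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone max_mss=1316"
}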
#######################################
# Collect connection details for an existing (non-cloud) Ubuntu server.
# Globals:   ROLES, EXTRA_VARS (written)
#            SKIP_TAGS (appended: cloud-only tags are skipped)
# Outputs:   prompts on the terminal; exits 1 when no certificate IP is known
#######################################
non_cloud () {
  read -p "
Enter the IP address of your server: (or use localhost for local installation)
[localhost]: " -r server_ip
  server_ip=${server_ip:-localhost}
  read -p "
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]: " -r server_user
  server_user=${server_user:-root}

  # Offer the login address as the certificate IP unless deploying locally,
  # in which case there is no sensible default and the operator must type one.
  myip=""
  if [[ "$server_ip" != "localhost" ]]; then
    myip=$server_ip
  fi
  read -p "
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[$myip]: " -r IP_subject
  IP_subject=${IP_subject:-$myip}
  if [[ -z "$IP_subject" ]]; then
    echo "no server IP given. exiting."
    exit 1
  fi

  ROLES="local vpn"
  EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
  SKIP_TAGS+=" cloud update-alternatives"

  read -p "
Was this server deployed by Algo previously?
[y/N]: " -r Deployed_By_Algo
  Deployed_By_Algo=${Deployed_By_Algo:-n}
  case "$Deployed_By_Algo" in
    y|Y) EXTRA_VARS+=" Deployed_By_Algo=Y" ;;
  esac
}
#######################################
# Top-level provisioning flow: pick a provider, ask its questions, then the
# common ones, then run the deploy playbook.
# Globals:   N (written: the provider number typed by the operator)
# Outputs:   the provider menu on stdout; exits 1 on an unknown choice
#######################################
algo_provisioning () {
  printf '%s' "
What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine
5. Install to existing Ubuntu 16.04 server
Enter the number of your desired provider
: "
  read -r N
  case "$N" in
    1) digitalocean ;;
    2) ec2 ;;
    3) azure ;;
    4) gce ;;
    5) non_cloud ;;
    *) exit 1 ;;
  esac
  additional_roles
  deploy
}
#######################################
# Add/remove VPN users on an already-deployed server (users.yml playbook).
# Globals:   ADDITIONAL_PROMPT (read)
# Outputs:   prompts on the terminal; exits 1 when no certificate IP is known
# NOTE: the CA key password is passed to ansible-playbook as a command-line
# argument and is therefore visible in the process list while the playbook
# runs.
#######################################
user_management () {
  read -p "
Enter the IP address of your server: (or use localhost for local installation)
: " -r server_ip
  read -p "
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]: " -r server_user
  server_user=${server_user:-root}
  read -p "
Do you want each user to have their own account for SSH tunneling?
[y/N]: " -r ssh_tunneling_enabled
  ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}

  # Offer the login address as the certificate IP unless deploying locally.
  myip=""
  if [[ "$server_ip" != "localhost" ]]; then
    myip=$server_ip
  fi
  read -p "
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[$myip]: " -r IP_subject
  IP_subject=${IP_subject:-$myip}
  if [[ -z "$IP_subject" ]]; then
    echo "no server IP given. exiting."
    exit 1
  fi

  read -p "
Enter the password for the private CA key:
$ADDITIONAL_PROMPT
: " -rs easyrsa_CA_password

  local extra_vars
  extra_vars="server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password"
  ansible-playbook users.yml -e "$extra_vars" -t update-users --skip-tags common
}
# Entry point: `algo update-users` manages users on an existing server;
# anything else (including no argument) runs a fresh provisioning.
if [[ "$1" == "update-users" ]]; then
  user_management
else
  algo_provisioning
fi