Comments (6)
Honestly, at this point, I think the project has sadly been largely abandoned and we're just shouting into a black hole and hoping that someone will see it
from streisand.
@HN-Smith
Good link. That's basically the steps I followed by gathering information here and there in this repo.
But at the end I ended up with a running Streisand UI serving the config and docs, but the client can't reach the OpenVPN server. I suspect something is wrong between iptables and ufw.
I'm a bit stretched out by the amount of manual tweaking I had to do.
In parallel, I set up a plain, boring OpenVPN server, and that was actually faster to do.
Streisand does provide very neat documentation and serves the client configs in a neat way. But... I'm starting to lose confidence in the setup; I don't trust myself to review the changes I'm making, and I'm afraid of providing only a sense of privacy (= a leaky VPN).
In addition, it's starting to be challenging to run the Ansible script against 16.04 as well; for instance, my server provider doesn't offer that version anymore. I had to adapt to 18.04.
Shame, I like that project and used it successfully for a long time.
from streisand.
This appears to be affecting AWS targets as well. For reference:
Ansible Information
- Ansible version: 2.8.4
- Ansible system: Linux
- Host OS: Ubuntu
- Host OS version: 20.10
- Python interpreter: python3
- Python version: 3.8.6
Streisand Information
- Streisand Git revision: af5eb7d
- Streisand Git clone has untracked changes: yes
- Genesis role: genesis-amazon
- Custom SSH key: False
Untracked git changes:
diff --git a/util/dependencies.txt b/util/dependencies.txt
index a7a5f9b..7b40033 100644
--- a/util/dependencies.txt
+++ b/util/dependencies.txt
@@ -4,6 +4,6 @@ python3-openssl
python3-dev
python3-setuptools
python3-venv
-python-cffi libffi-dev
+python3-cffi libffi-dev
libssl-dev
libcurl4-openssl-dev
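Review bot: the rename from `python-cffi` to `python3-cffi` is consistent with the python3 interpreter reported above (Ubuntu 20.10 no longer ships the Python 2 `python-cffi` package), but it appears here only as an untracked working-tree change, so it is lost on a fresh clone; commit it or carry it as a patch so the next reinstall does not fail the same way.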
Enabled Roles
- Shadowsocks enabled: False
- Wireguard enabled: True
- OpenVPN enabled: False
- stunnel enabled: False
- Tor enabled: True
- Openconnect enabled: False
- TinyProxy enabled: False
- SSH forward user enabled: False
- Configured number of VPN clients: 10
from streisand.
I'm still in the process of getting it back up and running fully. In my case the install succeeds and serves the documentation and config files, but iptables does not have an adequate configuration.
For your particular issue, I did the following workaround.
ssh to the target:
cd /root/.gnupg/
mkdir S.dirmngr
mkdir S.gpg-agent
sudo chown -R $USER ~/.gnupg
from streisand.
This is due to a long-standing PGP key server vulnerability, triggered starting almost 2 years ago:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e
There's a mitigation fix in GnuPG 2.2.17, however Ubuntu 16.04 has version 2.1.11:
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
Seen elsewhere such as here: torproject/torbrowser-launcher#401
Fixed by commenting out the refresh for now.
diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml
index 8f88833..e4a9f02 100644
--- a/playbooks/roles/gpg/tasks/main.yml
+++ b/playbooks/roles/gpg/tasks/main.yml
@@ -85,7 +85,8 @@
# in the repo become too stale to be used without successsful refresh the
# maintainers will notice failed builds and fix them by refreshing their own
# keyrings and updating the static repo keys until the build passes again.
- when: not streisand_ci
+ #when: not streisand_ci
+ when: false
- name: "Set up a daily cronjob to refresh the Streisand GPG keyring"
template:
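Review bot: `when: false`, with the old condition left behind as `#when: not streisand_ci`, disables the keyring refresh for every run, including CI, while the three comment lines above it still describe the refresh as the mechanism by which stale repo keys get noticed; either update that comment or gate the task on a variable (for instance a hypothetical `streisand_refresh_gpg_keys`, default false) so the refresh can be re-enabled once the host has a GnuPG with the 2.2.17 mitigation mentioned above. With the refresh off, a key revoked upstream stays trusted on the server until the static keys in the repo are updated.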
@@ -95,4 +96,5 @@
group: root
mode: 0755
# There's no point installing a cronjob in CI
- when: not streisand_ci
+ #when: not streisand_ci
+ when: false
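Review bot: same pattern as the previous hunk, applied to the daily cronjob; with both tasks disabled the server keyring is frozen at install time, which deserves a line in the install notes, and the dead `#when:` line plus `when: false` would read better as one variable-gated condition shared with the task above.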
Then I got to another error:
TASK [i18n-docs : Convert the OpenConnect mirror Markdown page into HTML] **********************************************
changed: [55.55.55.55] => (item=English)
changed: [55.55.55.55] => (item=Français)
TASK [openvpn : Add the official OpenVPN APT key; hiding 25 lines of log...] *******************************************
failed: [55.55.55.55] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
fatal: [55.55.55.55]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
Here it turns out the OpenVPN signing public key being installed is outdated:
# apt-key list
/etc/apt/trusted.gpg
--------------------
[...]
pub 2048R/E158C569 2011-08-03 [expired: 2020-07-25]
uid Samuli Seppänen (OpenVPN Technologies, Inc) <[email protected]>
Found a fix here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#Notesonexpiredkeys
Updated like this:
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg > playbooks/roles/openvpn/files/openvpn_signing.key
The V2Ray option for shadowsocks also did not work. I've yet to retry without it.
TASK [shadowsocks : [Temporary] Clone v2ray-core repository manually to GOPATH] ****************************************
changed: [54.189.141.25]
TASK [shadowsocks : Get V2Ray-plugin] **********************************************************************************
fatal: [54.189.141.25]: FAILED! => {"changed": true, "cmd": "go get github.com/shadowsocks/v2ray-plugin", "delta": "0:00:26.172822", "end": "2021-04-14 03:44:36.428888", "msg": "non-zero return code", "rc": 2, "start": "2021-04-14 03:44:10.256066", "stderr": "# github.com/xtls/go\n/root/go/src/github.com/xtls/go/auth.go:29:7: undefined: ecdsa.VerifyASN1\n/root/go/src/github.com/xtls/go/key_schedule.go:177:16: xShared.FillBytes undefined (type *big.Int has no field or method FillBytes)\ngo build github.com/lucas-clemente/quic-go/internal/qtls: build constraints exclude all Go files in /root/go/src/github.com/lucas-clemente/quic-go/internal/qtls", "stderr_lines": ["# github.com/xtls/go", "/root/go/src/github.com/xtls/go/auth.go:29:7: undefined: ecdsa.VerifyASN1", "/root/go/src/github.com/xtls/go/key_schedule.go:177:16: xShared.FillBytes undefined (type *big.Int has no field or method FillBytes)", "go build github.com/lucas-clemente/quic-go/internal/qtls: build constraints exclude all Go files in /root/go/src/github.com/lucas-clemente/quic-go/internal/qtls"], "stdout": "", "stdout_lines": []}
Note: These Ansible playbooks are not idempotent, and are not set up to allow the --start-at-task option to work. Configuration choices are not stored anywhere. Fixing bugs involves manually terminating instances and other things and restarting from scratch, answering all prompts (some in the middle), every time. Not the fastest. Perhaps there are tricks to debug and fix these scripts quickly that I'm not aware of. The following is apparently needed for --start-at-task and doesn't seem to help:
diff --git a/ansible.cfg b/ansible.cfg
index 059fc44..8768dfe 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -24,3 +24,7 @@ library=library
# Enables multiplexing (lets ansible reuse opened SSH connections)
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
pipelining = True
+
+# Use static includes to allow --start-at-task to work
+task_includes_static = True
+handler_includes_static = True
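Review bot: `task_includes_static` and `handler_includes_static` only change how the legacy `include:` directive is evaluated; tasks pulled in with `include_tasks` stay dynamic, which is why `--start-at-task` still cannot see them, and `import_tasks` is already static, so these two lines are unlikely to help, and both settings are marked deprecated in the Ansible 2.8 series reported earlier in this thread. Switching the roles' `include_tasks` to `import_tasks` (where no loop or runtime-dependent path is involved) is what actually lets `--start-at-task` reach those tasks.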
from streisand.
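Since the OpenVPN repo task above failed only because its apt signing key had silently expired, here is an added pre-flight check (my own example, not code from the thread or the Streisand repo) that parses `gpg --with-colons` key listings and reports expired signing keys before a playbook run. The listing, key ids and uids below are constructed samples, and the keyring path is an assumption.

```python
import datetime as dt
import subprocess
from typing import Dict, Optional

# Constructed sample of `gpg --with-colons --list-keys` output. The first key
# mimics the expired OpenVPN repo key seen in the thread (expired 2020-07-25);
# key ids and uids are placeholders, not the real key.
SAMPLE_LISTING = """\
tru::1:1618000000:0:3:1:5
pub:e:2048:1:0123456789ABCDEF:2011-08-03:2020-07-25::-:::scESC::::::23::0:
uid:e::::1312329600::0000000000000000000000000000000000000000::OpenVPN apt signing key (constructed sample):::::::::0:
pub:-:4096:1:FEDCBA9876543210:1600000000:1900000000::-:::scESC::::::23::0:
uid:-::::1600000000::1111111111111111111111111111111111111111::Some other repo key (constructed sample):::::::::0:
pub:-:4096:1:1122334455667788:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::2222222222222222222222222222222222222222::Non-expiring key (constructed sample):::::::::0:
"""


def _parse_date(field: str) -> Optional[dt.date]:
    """Field 7 of a pub record is empty (no expiry), epoch seconds, or YYYY-MM-DD on older gpg builds."""
    if not field:
        return None
    if field.isdigit():
        return dt.datetime.fromtimestamp(int(field), dt.timezone.utc).date()
    return dt.date.fromisoformat(field)


def expired_keys(listing: str, today_iso: str) -> Dict[str, Dict[str, str]]:
    """Map key id -> {"uid", "expires"} for every pub key whose expiry is on or before today_iso."""
    today = dt.date.fromisoformat(today_iso)
    found: Dict[str, Dict[str, str]] = {}
    current = None  # key id of the most recent pub record, to attach its first uid
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 6:
            current = fields[4]
            expires = _parse_date(fields[6])
            if expires is not None and expires <= today:
                found[current] = {"uid": "", "expires": expires.isoformat()}
        elif fields[0] == "uid" and current in found and not found[current]["uid"]:
            found[current]["uid"] = fields[9]
    return found


def list_keyring(path: str = "/etc/apt/trusted.gpg") -> str:
    """Dump a keyring in colon format; path is an assumption, apt also reads /etc/apt/trusted.gpg.d/."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", path, "--with-colons", "--list-keys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    today = dt.date.today().isoformat()
    for keyid, info in expired_keys(SAMPLE_LISTING, today).items():
        print(f"EXPIRED {keyid} ({info['expires']}): {info['uid']}")
```

Replace `SAMPLE_LISTING` with `list_keyring()` to run it against a real apt keyring; a non-empty result means the matching repo task will fail the same way the OpenVPN one did.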
FYI, retrying without V2Ray (as per my last post), the process went further and failed trying to install the WireGuard PPA. Which led me to this web page: https://computingforgeeks.com/setup-vpn-server-on-linux-using-streisand/
WireGuard is now part of the standard repos and the attempt to add a custom package archive (PPA) can simply be removed. Install succeeded after that fix. That page also suggests a solution similar to the last post for the GPG keyring issue.
from streisand.