
Comments (6)

Vista2003 avatar Vista2003 commented on May 25, 2024 2

Honestly, at this point, I think the project has sadly been largely abandoned and we're just shouting into a black hole and hoping that someone will see it

from streisand.

antoineclaval avatar antoineclaval commented on May 25, 2024 2

@HN-Smith
Good link. That's basically the steps I followed by gathering information here and there in this repo.

But in the end I end up with a running Streisand UI serving the config and docs, but the client can't reach the OpenVPN server. I suspect something is wrong between iptables and ufw.

I'm a bit stretched out by the amount of manual tweaking I had to do.
In parallel, I set up a plain, boring OpenVPN server and that was actually faster to do.

Streisand does provide very neat documentation and serves the client configs in a neat way. But... I'm starting to lose confidence in the setup; I don't trust myself to review the changes I'm making and I'm afraid of providing only a sense of privacy (= a leaky VPN).

In addition, it's starting to be challenging to run the Ansible script against 16.04 as well; for instance, my server provider doesn't offer that version anymore. I had to adapt it to 18.04.

Shame, I like that project and used it successfully for a long time.


reallyasi9 avatar reallyasi9 commented on May 25, 2024

This appears to be affecting AWS targets as well. For reference:

Ansible Information

  • Ansible version: 2.8.4
  • Ansible system: Linux
  • Host OS: Ubuntu
  • Host OS version: 20.10
  • Python interpreter: python3
  • Python version: 3.8.6

Streisand Information

  • Streisand Git revision: af5eb7d
  • Streisand Git clone has untracked changes: yes
  • Genesis role: genesis-amazon
  • Custom SSH key: False

Untracked git changes:

diff --git a/util/dependencies.txt b/util/dependencies.txt
index a7a5f9b..7b40033 100644
--- a/util/dependencies.txt
+++ b/util/dependencies.txt
@@ -4,6 +4,6 @@ python3-openssl
 python3-dev
 python3-setuptools
 python3-venv
-python-cffi libffi-dev
+python3-cffi libffi-dev
 libssl-dev
 libcurl4-openssl-dev
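Review bot: python3-cffi is the right package name given the python3 interpreter listed above, but this fix exists only as an untracked working-tree change, so the reported revision af5eb7d does not describe what actually ran; commit it (or send it as a PR) so others hitting the same dependency failure can reproduce the setup.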

Enabled Roles

  • Shadowsocks enabled: False
  • Wireguard enabled: True
  • OpenVPN enabled: False
  • stunnel enabled: False
  • Tor enabled: True
  • Openconnect enabled: False
  • TinyProxy enabled: False
  • SSH forward user enabled: False
  • Configured number of VPN clients: 10


antoineclaval avatar antoineclaval commented on May 25, 2024

I'm still in the process of getting it back up and running fully. In my case the install succeeds and serves the documentation and config files, but iptables does not have an adequate configuration.

For your particular issue, I did the following workaround.

SSH to the target:

cd /root/.gnupg/
mkdir S.dirmngr
mkdir S.gpg-agent
sudo chown -R $USER ~/.gnupg


HN-Smith avatar HN-Smith commented on May 25, 2024

This is due to a long-standing PGP key server vulnerability, triggered starting almost 2 years ago:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e

There's a mitigation fix in GnuPG 2.2.17, however Ubuntu 16.04 has version 2.1.11:
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
Seen elsewhere such as here: torproject/torbrowser-launcher#401

Fixed by commenting out the refresh for now.

diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml
index 8f88833..e4a9f02 100644
--- a/playbooks/roles/gpg/tasks/main.yml
+++ b/playbooks/roles/gpg/tasks/main.yml
@@ -85,7 +85,8 @@
   # in the repo become too stale to be used without successsful refresh the
   # maintainers will notice failed builds and fix them by refreshing their own
   # keyrings and updating the static repo keys until the build passes again.
-  when: not streisand_ci
+  #when: not streisand_ci
+  when: false

 - name: "Set up a daily cronjob to refresh the Streisand GPG keyring"
   template:
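Review bot: replacing `when: not streisand_ci` with a commented-out copy plus `when: false` silently disables the keyring refresh on every run, not just in CI, while the context comment directly above still says stale repo keys are expected to be caught by a successful refresh. The expired OpenVPN signing key later in this thread is exactly the failure that refresh was meant to surface; rather than a hard `when: false`, gate the task on an explicit variable (for example a hypothetical `streisand_skip_gpg_refresh` default) so the skip is visible and reversible, and delete the dead `#when:` line instead of keeping both.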
@@ -95,4 +96,5 @@
     group: root
     mode: 0755
   # There's no point installing a cronjob in CI
-  when: not streisand_ci
+  #when: not streisand_ci
+  when: false
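Review bot: same concern for the daily cronjob: `when: false` plus the dead `#when: not streisand_ci` line removes key refresh from the deployed server permanently, so keys that expire after install (as the OpenVPN key did) will not be noticed until an apt step fails. If the refresh is being skipped because of the keyserver flooding issue linked above, consider pointing the refresh at a keyserver that is not affected rather than dropping it; at minimum remove the commented-out line.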

Then got to another error:

TASK [i18n-docs : Convert the OpenConnect mirror Markdown page into HTML] **********************************************
changed: [55.55.55.55] => (item=English)
changed: [55.55.55.55] => (item=Français)

TASK [openvpn : Add the official OpenVPN APT key; hiding 25 lines of log...] *******************************************
failed: [55.55.55.55] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
fatal: [55.55.55.55]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

Here it turns out the OpenVPN signing public key being installed is outdated:

# apt-key list
/etc/apt/trusted.gpg
--------------------
[...]
pub   2048R/E158C569 2011-08-03 [expired: 2020-07-25]
uid                  Samuli Seppänen (OpenVPN Technologies, Inc) <[email protected]>

Found a fix here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#Notesonexpiredkeys

Updated like this:

wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg > playbooks/roles/openvpn/files/openvpn_signing.key

The V2Ray option for shadowsocks also did not work. I've yet to retry without it.

TASK [shadowsocks : [Temporary] Clone v2ray-core repository manually to GOPATH] ****************************************
changed: [54.189.141.25]

TASK [shadowsocks : Get V2Ray-plugin] **********************************************************************************
fatal: [54.189.141.25]: FAILED! => {"changed": true, "cmd": "go get github.com/shadowsocks/v2ray-plugin", "delta": "0:00:26.172822", "end": "2021-04-14 03:44:36.428888", "msg": "non-zero return code", "rc": 2, "start": "2021-04-14 03:44:10.256066", "stderr": "# github.com/xtls/go\n/root/go/src/github.com/xtls/go/auth.go:29:7: undefined: ecdsa.VerifyASN1\n/root/go/src/github.com/xtls/go/key_schedule.go:177:16: xShared.FillBytes undefined (type *big.Int has no field or method FillBytes)\ngo build github.com/lucas-clemente/quic-go/internal/qtls: build constraints exclude all Go files in /root/go/src/github.com/lucas-clemente/quic-go/internal/qtls", "stderr_lines": ["# github.com/xtls/go", "/root/go/src/github.com/xtls/go/auth.go:29:7: undefined: ecdsa.VerifyASN1", "/root/go/src/github.com/xtls/go/key_schedule.go:177:16: xShared.FillBytes undefined (type *big.Int has no field or method FillBytes)", "go build github.com/lucas-clemente/quic-go/internal/qtls: build constraints exclude all Go files in /root/go/src/github.com/lucas-clemente/quic-go/internal/qtls"], "stdout": "", "stdout_lines": []}

Note: These Ansible playbooks are not idempotent, and not set up to allow the --start-at-task option to work. Configuration choices are not stored anywhere. Fixing bugs involves manually terminating instances and other things and restarting from scratch, answering all prompts (some in the middle), every time. Not the fastest. Perhaps there are tricks to debug and fix these scripts quickly I'm not aware of. The following is apparently needed for --start-at-task and doesn't seem to help:

diff --git a/ansible.cfg b/ansible.cfg
index 059fc44..8768dfe 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -24,3 +24,7 @@ library=library
 # Enables multiplexing (lets ansible reuse opened SSH connections)
 ssh_args = -o ControlMaster=auto -o ControlPersist=60s
 pipelining = True
+
+# Use static includes to allow --start-at-task to work
+task_includes_static = True
+handler_includes_static = True
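Review bot: `task_includes_static` and `handler_includes_static` have been deprecated since Ansible 2.4 (reallyasi9 reports 2.8.4 above), where the static-versus-dynamic choice moved into the playbook itself via `import_tasks` versus `include_tasks`; that is why these keys do not make `--start-at-task` reach tasks inside dynamic includes. Convert the relevant `include_tasks`/`include_role` calls to `import_tasks`/`import_role` where a task name inside them needs to be a start point, and drop these two keys from ansible.cfg.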

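As an added example (not code from this thread or from the Streisand project): a small Python check that parses `apt-key list` / `gpg --list-keys` output and flags repository signing keys that are already expired or about to expire, so an expired key like the OpenVPN one above is caught before a playbook run instead of surfacing as a `no_log: true` failure. The listing is constructed; the fingerprints and addresses are made up.

```python
import re
from datetime import date, timedelta

# Constructed sample in the style of `apt-key list` / `gpg --list-keys`: the
# legacy-format line mirrors the expired OpenVPN key quoted in the thread,
# the two modern-format keys (fingerprint on the next line) are made up.
SAMPLE_LISTING = """\
/etc/apt/trusted.gpg
--------------------
pub   2048R/E158C569 2011-08-03 [expired: 2020-07-25]
uid                  Samuli Seppänen (OpenVPN Technologies, Inc) <redacted@example.invalid>
pub   rsa2048 2019-05-01 [SC] [expires: 2021-05-01]
      AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
uid           [ unknown] Soon-Expiring Key (constructed) <soon@example.invalid>
pub   rsa4096 2018-09-17 [SC]
      FFFF0000EEEE1111DDDD2222CCCC3333BBBB4444
uid           [ unknown] Non-Expiring Key (constructed) <forever@example.invalid>
"""

PUB_RE = re.compile(r"^pub\s+(?P<algo>\S+)\s+(?P<created>\d{4}-\d{2}-\d{2})(?P<flags>.*)$")
EXPIRY_RE = re.compile(r"\[(?:expired|expires): (?P<date>\d{4}-\d{2}-\d{2})\]")
FPR_RE = re.compile(r"^\s+(?P<fpr>[0-9A-F]{40})\s*$")


def parse_key_listing(listing):
    """One dict per public key: keyid, created date, expiry date (None if no expiry)."""
    keys = []
    for line in listing.splitlines():
        m = PUB_RE.match(line)
        if m:
            algo = m.group("algo")  # legacy "2048R/E158C569" or modern "rsa4096"
            exp = EXPIRY_RE.search(m.group("flags"))
            keys.append({
                "keyid": algo.split("/", 1)[1] if "/" in algo else None,
                "created": date.fromisoformat(m.group("created")),
                "expiry": date.fromisoformat(exp.group("date")) if exp else None,
            })
            continue
        f = FPR_RE.match(line)
        if f and keys and keys[-1]["keyid"] is None:
            keys[-1]["keyid"] = f.group("fpr")[-8:]  # short key id = last 8 hex digits
    return keys


def keys_needing_attention(listing, today_iso=None, warn_days=30):
    """Key ids that are expired, or expire within warn_days of today (ISO date string)."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    cutoff = today + timedelta(days=warn_days)
    return [k["keyid"] for k in parse_key_listing(listing)
            if k["expiry"] is not None and k["expiry"] <= cutoff]
```

Run it against real output with `keys_needing_attention(subprocess.check_output(["apt-key", "list"], text=True))` and fail the pre-flight step if the list is non-empty.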

HN-Smith avatar HN-Smith commented on May 25, 2024

FYI, retrying without V2Ray (as per my last post), the process went further and failed trying to install the WireGuard PPA. Which led me to this web page: https://computingforgeeks.com/setup-vpn-server-on-linux-using-streisand/

WireGuard is now part of the standard repos and the attempt to add a custom package archive (PPA) can simply be removed. Install succeeded after that fix. That page also suggests a solution similar to the last post for the GPG keyring issue.

