---
# ============================================
# TROUBLESHOOTING DEPLOYMENT ISSUES
# ============================================
# If a deployment fails with hidden/censored output, temporarily set
# algo_no_log to false below to see the full error messages, including
# API responses.
# IMPORTANT: set it back to true before sharing logs or screenshots -
# the unredacted output contains sensitive data.
# ============================================
# Leave at true except while debugging; false prints sensitive data to the output.
algo_no_log: true
# Users to generate - every device needs its own unique user.
# Up to 65,534 users can be added over the lifetime of an AlgoVPN.
# Names with leading 0's or made only of digits must be quoted, e.g. "000dan" or "123".
# Email addresses are not allowed.
users:
  - phone
  - laptop
  - desktop
### Review these options BEFORE you run Algo: they are very difficult
### or impossible to change once the server is deployed.

# SSH port for cloud deployments (ignored for existing Ubuntu servers)
ssh_port: 4160

# VPN protocols to deploy
ipsec_enabled: true
wireguard_enabled: true
# Change if blocked by your network (avoid 53/UDP)
wireguard_port: 51820

# Use a different IP for outbound traffic (DigitalOcean only)
alternative_ingress_ip: false

# Reduce the MTU if connections hang (0 = auto-detect)
# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0

# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
adblock_lists:
  - 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'

# DNS encryption (required if using ad blocking)
dns_encryption: true

# Client isolation. Set to false for a "road warrior" setup where clients
# can reach each other; true keeps clients from reaching one another through the VPN.
BetweenClients_DROP: true
# Block SMB/CIFS traffic
block_smb: true
# Block NETBIOS traffic
block_netbios: true
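# Automatic reboot for security updates (time is in the server's timezone, default UTC)
unattended_reboot:
  enabled: false
  # Quoted on purpose: YAML 1.1 parsers (PyYAML, hence Ansible) read unquoted
  # colon-separated digits such as 12:00 as a sexagesimal integer (720),
  # so an unquoted edit of this value would silently stop being a time string.
  time: "06:00"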
### Privacy Settings ###

# StrongSwan connection logging (-1 = disabled, 2 = debug)
strongswan_log_level: -1

# Master switch for the privacy enhancements (log rotation, history clearing, etc.).
# Set to false when debugging; advanced options live in roles/privacy/defaults/main.yml
privacy_enhancements_enabled: true
### Advanced users only below this line ###

# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
dnscrypt_servers:
  ipv4:
    - cloudflare
    # - google
    # - YourCustomServer  # For NextDNS etc.; add the matching stamp below
  ipv6:
    - cloudflare-ipv6

# Custom DNSCrypt server stamps. Note: while every entry is commented out
# this key has no value and is loaded as null, not as an empty mapping.
custom_server_stamps:
  # YourCustomServer: 'sdns://...'

# DNS servers used when encryption is disabled
dns_servers:
  ipv4:
    - '1.1.1.1'
    - '1.0.0.1'
  ipv6:
    - '2606:4700:4700::1111'
    - '2606:4700:4700::1001'
# Keep the PKI on a RAM disk when it is not being retained (MacOS/Linux only)
pki_in_tmpfs: true

# Regenerate ALL user credentials on update-users, not only those of new users.
#   false: existing WireGuard keys and IPsec certs are kept; new users are added
#   true:  every credential is deleted and regenerated - ALL CLIENTS MUST RECONFIGURE
# Use true after a suspected key compromise, after removing untrusted users,
# or as part of a security audit.
keys_clean_all: false

### VPN Network Configuration ###
# Quoted consistently so no address can be mis-typed by the YAML loader.
strongswan_network: '10.48.0.0/16'
strongswan_network_ipv6: '2001:db8:4160::/48'
wireguard_network_ipv4: '10.49.0.0/16'
wireguard_network_ipv6: '2001:db8:a160::/48'

# Keep NAT connections alive (0 = disabled)
wireguard_PersistentKeepalive: 0
### Experimental Performance Options ###
# Experimental and may cause issues - enable at your own risk.
# performance_skip_optional_reboots: false  # Skip non-kernel reboots
# performance_parallel_crypto: false  # Parallel key generation
# performance_parallel_packages: false  # Batch package installation
# performance_preinstall_packages: false  # Pre-install via cloud-init
# performance_parallel_services: false  # Configure VPN services in parallel

# Address of the local DNS resolver, picked pseudo-randomly. The random()
# filter is seeded with algo_server_name + ansible_fqdn, so the same server
# should get the same address on every run.
local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
# Banner text for a finished deployment. Each entry is a literal block
# scalar, so the surrounding double quotes are part of the value; the
# Jinja expressions are rendered by Ansible. p12_pass and ca_key_pass
# print secrets in the clear - treat the output as sensitive.
congrats:
  common: |
    "# Congratulations! #"
    "# Your Algo server is running. #"
    "# Config files and certificates are in the ./configs/ directory. #"
    "# Go to https://whoer.net/ after connecting #"
    "# and ensure that all your traffic passes through the VPN. #"
    "# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
  p12_pass: |
    "# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
  ca_key_pass: |
    "# The CA key password is {{ CA_password|default(omit) }} #"
  ssh_access: |
    "# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
# SSH key pair paths. The private key is written under ./configs/ - keep that
# directory out of version control and shared archives.
SSH_keys:
  comment: 'algo@ssh'
  private: 'configs/algo.pem'
  # NOTE(review): fixed, predictable path in the shared /tmp directory;
  # a per-run private temp dir would be preferable - confirm how it is used.
  private_tmp: '/tmp/algo-ssh.pem'
  public: 'configs/algo.pem.pub'
# Per-provider instance size and image settings.
cloud_providers:
  azure:
    size: Standard_B1S
    osDisk:
      # Storage account type for the OS disk. Possible values:
      # 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS',
      # 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'.
      type: Standard_LRS
    image:
      publisher: Canonical
      offer: '0001-com-ubuntu-minimal-jammy-daily'
      sku: 'minimal-22_04-daily-lts'
      version: latest
  digitalocean:
    # See the docs for extended droplet options, pricing and availability.
    # Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
    size: 's-1vcpu-1gb'
    image: 'ubuntu-22-04-x64'
  ec2:
    # Set encrypted to false to disable AWS volume encryption.
    encrypted: true
    # Set use_existing_eip to true to reuse a pre-allocated Elastic IP;
    # an additional prompt then asks which IP to use.
    use_existing_eip: false
    size: 't3.micro'
    image:
      name: 'ubuntu-jammy-22.04'
      arch: x86_64
      # Image owner account id, quoted so the leading zero survives as a string.
      owner: '099720109477'
    # Change instance_market_type from "on-demand" to "spot" to launch a spot
    # instance. See deploy-from-ansible.md for spot's additional IAM permission.
    instance_market_type: on-demand
  gce:
    size: 'e2-micro'
    image: 'ubuntu-2204-lts'
    external_static_ip: false
  lightsail:
    size: nano_2_0
    image: ubuntu_22_04
  scaleway:
    size: 'DEV1-S'
    image: 'Ubuntu 22.04 Jammy Jellyfish'
    arch: x86_64
  hetzner:
    server_type: cpx22
    image: 'ubuntu-22.04'
  openstack:
    flavor_ram: ">=512"
    image: 'Ubuntu-22.04'
  cloudstack:
    size: Micro
    image: 'Linux Ubuntu 22.04 LTS 64-bit'
    disk: 10
  vultr:
    os: 'Ubuntu 22.04 LTS x64'
    size: 'vc2-1c-1gb'
  linode:
    type: 'g6-nanode-1'
    image: 'linode/ubuntu22.04'
  # No provider-specific settings (value is null).
  local:
# Lines shown when something goes wrong, pointing at the troubleshooting
# docs and the issue tracker.
fail_hint:
  - 'Sorry, but something went wrong!'
  - 'Check troubleshooting for common fixes, or file an issue if you found a bug.'
  - 'https://trailofbits.github.io/algo/troubleshooting.html'
  - 'https://github.com/trailofbits/algo/issues/new'
booleans_map:
Y: true
y: true