IPSec .mobileconfig files not working on either macOS or iOS #14844

@simX

Description

Describe the bug

The IPSec .mobileconfig files to use macOS's or iOS's built-in VPN generated by algo cause the VPN configuration to never connect properly. However, if you use the Wireguard .mobileconfig files and install the Wireguard app, the algo VPN works fine. I don't think I have anything else that could be interfering, but I'm not 100% sure (quit other VPN apps, turned off built-in Firewall, lockdown mode not turned on).

I've tested this with the current HEAD of master (😒, would be nice to change this to "main") or the v2.0.0 tag. I'm running Sequoia 15.7.1 on an M1 MacBook Air, iOS 18.7.1 on an iPhone 12 mini, and iPadOS 17.7.10 on an iPad 6. I am using DigitalOcean with the s-1vcpu-512mb-10gb droplet size, using the SFO3 location. I last created a droplet using Algo 1.1 in Feb 2024 with this same DigitalOcean config and everything worked properly.

Hopefully I'm not missing something obscenely obvious.

To Reproduce

Steps to reproduce the behavior:

  1. Do a fresh git clone on the algo repo. You can either use the HEAD of master, or checkout the v2.0.0 tag.
  2. Once the repo is cloned, make changes to config.cfg as necessary. I've changed the name of the three default users, and I changed DigitalOcean to use the s-1vcpu-512mb-10gb size.
  3. Run ./algo in the directory of the newly cloned git repo.
  4. Once finished, navigate to the configs/IP_ADDRESS/ipsec/apple folder, and install the appropriate .mobileconfig file on whichever device you're trying to use. (Double-click the file on macOS or AirDrop to the iOS device, then go through the rigamarole in the Settings app to actually install the profile.)
  5. Once the config file is actually installed on the macOS or iOS device, go to the VPN section of the Settings app, and try to turn on the VPN. You'll notice a brief "Connecting..." status message, and then the switch reverts back to off and "Disconnected". If you have "Connect on Demand" activated in the profile, you'll see this happen over and over and over: the VPN will try to connect, fail, and then try to connect again.
  6. Navigate to the configs/IP_ADDRESS/wireguard/apple folder, and go into the "ios" or "macos" folder as appropriate. Again, install the correct .mobileconfig file for the device you're trying to use. In my case, I went into the "ios" folder and AirDropped the .mobileconfig file to my iPhone, installed WireGuard, and clicked the switch for my VPN config in the Wireguard app. This time, the VPN connects correctly, and I can navigate to websites (and can confirm the VPN is being used because ads are being blocked).

Expected behavior

I expect the IPSec .mobileconfig files to allow the VPN to connect using the built-in Apple VPN software.

Additional context

Here's what I see in the Console on macOS when attempting to connect the VPN using the IPSec profile:

default	11:39:48.564225-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Received a start command from VPN[989]
default	11:39:48.564265-0700	nesessionmanager	Registering session NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default	11:39:48.564490-0700	nesessionmanager	<NESMServer: 0x1028c13c0>: Register Enterprise VPN Session: NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default	11:39:48.564517-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Successfully registered
default	11:39:48.564534-0700	nesessionmanager	-[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default	11:39:48.565530-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to connecting
default	11:39:48.565745-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateIdle: received start message
default	11:39:48.565761-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateIdle
default	11:39:48.565774-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
default	11:39:48.565912-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
default	11:39:48.565927-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateStarting
default	11:39:48.565937-0700	nesessionmanager	NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Sending start command
default	11:39:48.568212-0700	Network	NEVPNStatusDidChange:
default	11:39:48.710014-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) initialized with Mach-O UUIDs (
    "60E29CA8-3844-301A-975D-5D41BAB070DA",
    "9B072267-A3F4-3F8D-B15F-59AFAD04DDE5"
)
default	11:39:48.713830-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) started with PID 9710 error (null)
default	11:39:48.959281-0700	Network	/AppleInternal/Library/BuildRoots/4~B5vaugC0N2TQDQ_R5HAg9k4TI3GiWGSqEu_YMV8/Library/Caches/com.apple.xbs/Sources/NetworkPref/NetworkExtension/Model/NetworkPaneSettings.swift:508 notificationDebounceCore() updating observableService for <NetworkSettingsExtension.ANPServiceVPNandProxies: 0x600002db4000>
default	11:39:49.156498-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) did detach from IPC
default	11:39:49.159476-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: didSetStatus - 0
default	11:39:49.159519-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) disconnected with reason Tunnel was terminated by the server
default	11:39:49.160129-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateStarting
default	11:39:49.160170-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
default	11:39:49.160223-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: config request: pushing handler [(null)] (null)
default	11:39:49.160259-0700	nesessionmanager	<NESMServer: 0x1028c13c0>: Request to uninstall session: NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default	11:39:49.160294-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to disconnecting
default	11:39:49.160507-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
default	11:39:49.161815-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStopping: session is now uninstalled
default	11:39:49.161926-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStopping: plugin already disconnected, disposing all plugins
default	11:39:49.161961-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateStopping
default	11:39:49.161998-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
default	11:39:49.162910-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: config request: popping handler [(null)] (null)
default	11:39:49.163892-0700	nesessionmanager	NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Tearing down plugin connection
default	11:39:49.164901-0700	Network	NEVPNStatusDidChange:
default	11:39:49.165880-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateDisposing: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) dispose complete
default	11:39:49.165913-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateDisposing: all plugins have disposed
default	11:39:49.166318-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateDisposing
default	11:39:49.166356-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateIdle
default	11:39:49.166378-0700	nesessionmanager	-[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default	11:39:49.167066-0700	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to disconnected, last stop reason Tunnel was terminated by the server
default	11:39:49.169557-0700	nesessionmanager	-[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default	11:39:49.177881-0700	Network	NEVPNStatusDidChange:
default	11:39:49.515207-0700	Network	/AppleInternal/Library/BuildRoots/4~B5vaugC0N2TQDQ_R5HAg9k4TI3GiWGSqEu_YMV8/Library/Caches/com.apple.xbs/Sources/NetworkPref/NetworkExtension/Model/NetworkPaneSettings.swift:508 notificationDebounceCore() updating observableService for <NetworkSettingsExtension.ANPServiceVPNandProxies: 0x600002db4000>

Full log

simx@MacBookAir ~/D/algo ((v2.0.0))> ./algo
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Using CPython 3.13.7 interpreter at: /opt/homebrew/opt/python@3.13/bin/python3.13
Creating virtual environment at: .venv
      Built algo @ file:///Users/simx/Development/algo
Installed 20 packages in 376ms

PLAY [Algo VPN Setup] *****************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] **************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ******************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] **********************************************************************************
ok: [localhost]

TASK [Extract ansible version from pyproject.toml] ************************************************************************
ok: [localhost]

TASK [Parse ansible version requirement] **********************************************************************************
ok: [localhost]

TASK [Get current ansible package version] ********************************************************************************
ok: [localhost]

TASK [Extract ansible version from uv package list] ***********************************************************************
ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] **************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Ask user for the input] *********************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu latest LTS server (for more advanced users)
  
Enter the number of your desired provider
:

TASK [Cloud prompt] *******************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:

TASK [VPN server name prompt] *********************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ******************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] *********************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [Trusted Wi-Fi networks prompt] **************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] **********************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] **********************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ***********************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]

PLAY [Provision the server] ***********************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: macOS 15.7.1
Created from git fork. Last commit: 8dc21ce docs: Add FAQ entries for single cipher support and censorship circumvention (#14827)
uv Python environment:
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Python 3.13.7
uv 0.8.23 (Homebrew 2025-10-04)
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "XX83teR99eQgVW5kdWxhdGlvbnMgV2ktRmkgNg=="
    algo_dns_adblocking "True"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] *********************************************************************************
changed: [localhost]

TASK [Install cloud provider dependencies] ********************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ***************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] ****************************************************************************************
changed: [localhost]

TASK [Copy the private SSH key to /tmp] ***********************************************************************************
changed: [localhost]

TASK [Include a provisioning role] ****************************************************************************************
included: cloud-digitalocean for localhost
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
 (output is hidden):

TASK [cloud-digitalocean : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ***********************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ***********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about the regions] *******************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] ****************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
    1. ams3     Amsterdam 3
    2. atl1     Atlanta 1
    3. blr1     Bangalore 1
    4. fra1     Frankfurt 1
    5. lon1     London 1
    6. nyc1     New York 1
    7. nyc2     New York 2
    8. nyc3     New York 3
    9. sfo2     San Francisco 2
    10. sfo3     San Francisco 3
    11. sgp1     Singapore 1
    12. syd1     Sydney 1
    13. tor1     Toronto 1
  
Enter the number of your desired region
[8]
:10

TASK [cloud-digitalocean : pause] *****************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] **************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ****************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] *************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : set_fact] **************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ***************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *******************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ********************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] ************************************************************************************
ok: [localhost]

TASK [MacOS | set OS specific facts] **************************************************************************************
ok: [localhost]

TASK [MacOS | mount a ram disk] *******************************************************************************************
changed: [localhost]

TASK [Set config paths as facts] ******************************************************************************************
ok: [localhost]

TASK [Update config paths] ************************************************************************************************
changed: [localhost]

TASK [debug] **************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "152.111.26.84"
}

TASK [Wait for target connection to become reachable/usable] **************************************************************
ok: [localhost -> 152.111.26.84] => (item=152.111.26.84)

PLAY [Configure the server and install required software] *****************************************************************

TASK [Wait until the cloud-init completed] ********************************************************************************
ok: [152.111.26.84]

TASK [Ensure the config directory exists] *********************************************************************************
changed: [152.111.26.84 -> localhost]

TASK [Dump the ssh config] ************************************************************************************************
changed: [152.111.26.84 -> localhost]

TASK [common : Check the system] ******************************************************************************************
ok: [152.111.26.84]

TASK [common : include_tasks] *********************************************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/ubuntu.yml for 152.111.26.84

TASK [common : Gather facts] **********************************************************************************************
ok: [152.111.26.84]

TASK [common : Install software updates] **********************************************************************************
ok: [152.111.26.84]

TASK [common : Check if reboot is required] *******************************************************************************
changed: [152.111.26.84]

TASK [common : Reboot (kernel updated or performance optimization disabled)] **********************************************
changed: [152.111.26.84]

TASK [common : Wait until the server becomes ready...] ********************************************************************
ok: [152.111.26.84]

TASK [common : Install unattended-upgrades] *******************************************************************************
ok: [152.111.26.84]

TASK [common : Configure unattended-upgrades] *****************************************************************************
changed: [152.111.26.84]

TASK [common : Periodic upgrades configured] ******************************************************************************
changed: [152.111.26.84]

TASK [common : Disable MOTD on login and SSHD] ****************************************************************************
changed: [152.111.26.84] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [152.111.26.84] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] *************************************************************************
changed: [152.111.26.84]

TASK [common : Loopback for services configured] **************************************************************************
changed: [152.111.26.84]

TASK [common : systemd services enabled and started] **********************************************************************
ok: [152.111.26.84] => (item=systemd-networkd)
ok: [152.111.26.84] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ***********************************************************************
changed: [152.111.26.84]

RUNNING HANDLER [common : restart systemd-resolved] ***********************************************************************
changed: [152.111.26.84]

TASK [common : Check apparmor support] ************************************************************************************
ok: [152.111.26.84]

TASK [common : Set fact if apparmor enabled] ******************************************************************************
ok: [152.111.26.84]

TASK [common : Define facts] **********************************************************************************************
ok: [152.111.26.84]

TASK [common : Set facts] *************************************************************************************************
ok: [152.111.26.84]

TASK [common : Set IPv6 support as a fact] ********************************************************************************
ok: [152.111.26.84]

TASK [common : Check size of MTU] *****************************************************************************************
ok: [152.111.26.84]

TASK [common : Set OS specific facts] *************************************************************************************
ok: [152.111.26.84]

TASK [common : Install packages (batch optimization)] *********************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/packages.yml for 152.111.26.84

TASK [common : Initialize package lists] **********************************************************************************
ok: [152.111.26.84]

TASK [common : Add StrongSwan packages] ***********************************************************************************
ok: [152.111.26.84]

TASK [common : Add WireGuard packages] ************************************************************************************
ok: [152.111.26.84]

TASK [common : Add DNS packages] ******************************************************************************************
ok: [152.111.26.84]

TASK [common : Install all packages in batch (performance optimization)] **************************************************
changed: [152.111.26.84]

TASK [common : Debug - Show batched packages] *****************************************************************************
ok: [152.111.26.84] => {
    "msg": [
        "Batch installed 14 main packages: git, screen, apparmor-utils, uuid-runtime, coreutils, iptables, iptables-persistent, cgroup-tools, openssl, gnupg2, cron, strongswan, wireguard, dnscrypt-proxy",
        "Batch installed 0 optional packages: "
    ]
}

TASK [common : Install iptables packages] *********************************************************************************
ok: [152.111.26.84]

TASK [common : Configure iptables-legacy as default] **********************************************************************
changed: [152.111.26.84] => (item=iptables)
changed: [152.111.26.84] => (item=ip6tables)

TASK [common : include_tasks] *********************************************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/iptables.yml for 152.111.26.84

TASK [common : Iptables configured] ***************************************************************************************
changed: [152.111.26.84] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] ***************************************************************************************
changed: [152.111.26.84] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] *********************************************************************************************
changed: [152.111.26.84] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv4.conf.all.route_localnet', 'value': 1})

RUNNING HANDLER [common : restart iptables] *******************************************************************************
changed: [152.111.26.84]

TASK [dns : Include tasks for Ubuntu] *************************************************************************************
included: /Users/simx/Development/algo/roles/dns/tasks/ubuntu.yml for 152.111.26.84

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ********************************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************
ok: [152.111.26.84]

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] **********************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Ensure socket override directory exists] *************************************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Configure dnscrypt-proxy socket to listen on VPN IPs] ************************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Reload systemd daemon after socket configuration] ****************************************************
ok: [152.111.26.84]

TASK [dns : Ubuntu | Restart dnscrypt-proxy socket to apply configuration] ************************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] **********************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Reload systemd daemon if override changed] ***********************************************************
ok: [152.111.26.84]

TASK [dns : Ubuntu | Apply systemd security hardening for dnscrypt-proxy] *************************************************
changed: [152.111.26.84]

TASK [dns : Ubuntu | Reload systemd daemon if hardening changed] **********************************************************
ok: [152.111.26.84]

TASK [dns : dnscrypt-proxy ip-blacklist configured] ***********************************************************************
changed: [152.111.26.84]

TASK [dns : dnscrypt-proxy configured] ************************************************************************************
changed: [152.111.26.84]

TASK [dns : Adblock script created] ***************************************************************************************
changed: [152.111.26.84]

TASK [dns : Adblock script added to cron] *********************************************************************************
changed: [152.111.26.84]

TASK [dns : Update adblock hosts] *****************************************************************************************
ok: [152.111.26.84]

TASK [dns : Ubuntu | Ensure dnscrypt-proxy socket is enabled and started] *************************************************
ok: [152.111.26.84]

TASK [dns : dnscrypt-proxy enabled and started] ***************************************************************************
ok: [152.111.26.84]

TASK [wireguard : Ensure the required directories exist] ******************************************************************
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/preshared)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/private)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/public)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/apple/ios)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/apple/macos)

TASK [wireguard : Include tasks for Ubuntu] *******************************************************************************
included: /Users/simx/Development/algo/roles/wireguard/tasks/ubuntu.yml for 152.111.26.84

TASK [wireguard : Set OS specific facts] **********************************************************************************
ok: [152.111.26.84]

TASK [wireguard : Ubuntu | Ensure that the WireGuard service directory exists] ********************************************
changed: [152.111.26.84]

TASK [wireguard : Ubuntu | Apply systemd security hardening for WireGuard] ************************************************
changed: [152.111.26.84]

TASK [wireguard : Generate raw private keys] ******************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)

TASK [wireguard : Save base64 encoded private key] ************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [wireguard : Generate raw preshared keys] ****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)

TASK [wireguard : Save base64 encoded preshared keys] *********************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [wireguard : Generate public keys] ***********************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [wireguard : Set permissions for public keys] ************************************************************************
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost]

TASK [wireguard : WireGuard user list updated] ****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [wireguard : set_fact] ***********************************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [wireguard : WireGuard users config generated] ***********************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])

TASK [wireguard : include_tasks] ******************************************************************************************
included: /Users/simx/Development/algo/roles/wireguard/tasks/mobileconfig.yml for 152.111.26.84 => (item=ios)
included: /Users/simx/Development/algo/roles/wireguard/tasks/mobileconfig.yml for 152.111.26.84 => (item=macos)

TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])

TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])

TASK [wireguard : Generate QR codes] **************************************************************************************
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost]

TASK [wireguard : WireGuard configured] ***********************************************************************************
changed: [152.111.26.84]

TASK [wireguard : WireGuard enabled and started] **************************************************************************
changed: [152.111.26.84]

TASK [strongswan : include_tasks] *****************************************************************************************
included: /Users/simx/Development/algo/roles/strongswan/tasks/ubuntu.yml for 152.111.26.84

TASK [strongswan : Set OS specific facts] *********************************************************************************
ok: [152.111.26.84]

TASK [strongswan : Ubuntu | Ensure af_key kernel module is loaded] ********************************************************
changed: [152.111.26.84]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] *******************************************************
changed: [152.111.26.84]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ****************************************************************
ok: [152.111.26.84] => (item=/usr/lib/ipsec/charon)
ok: [152.111.26.84] => (item=/usr/lib/ipsec/lookip)
ok: [152.111.26.84] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ******************************************************************************
ok: [152.111.26.84] => (item=apparmor)
ok: [152.111.26.84] => (item=strongswan-starter)
ok: [152.111.26.84] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ******************************************
changed: [152.111.26.84]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********************************************
changed: [152.111.26.84]

TASK [strongswan : Ensure that the strongswan user exists] ****************************************************************
ok: [152.111.26.84]

TASK [strongswan : Install strongSwan] ************************************************************************************
ok: [152.111.26.84]

TASK [strongswan : Setup the config files from our templates] *************************************************************
changed: [152.111.26.84] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [152.111.26.84] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [152.111.26.84] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] ************************************************************************************
ok: [152.111.26.84]

TASK [strongswan : Disable unneeded plugins] ******************************************************************************
changed: [152.111.26.84] => (item=constraints)
changed: [152.111.26.84] => (item=sha1)
changed: [152.111.26.84] => (item=fips-prf)
changed: [152.111.26.84] => (item=bypass-lan)
changed: [152.111.26.84] => (item=xauth-generic)
changed: [152.111.26.84] => (item=counters)
changed: [152.111.26.84] => (item=connmark)
changed: [152.111.26.84] => (item=attr)
changed: [152.111.26.84] => (item=mgf1)
changed: [152.111.26.84] => (item=drbg)
changed: [152.111.26.84] => (item=dnskey)
changed: [152.111.26.84] => (item=aesni)
changed: [152.111.26.84] => (item=rc2)
changed: [152.111.26.84] => (item=md5)
changed: [152.111.26.84] => (item=updown)
changed: [152.111.26.84] => (item=pkcs1)
changed: [152.111.26.84] => (item=eap-mschapv2)
changed: [152.111.26.84] => (item=gmp)
changed: [152.111.26.84] => (item=agent)
changed: [152.111.26.84] => (item=resolve)
changed: [152.111.26.84] => (item=sshkey)
changed: [152.111.26.84] => (item=xcbc)

TASK [strongswan : Ensure that required plugins are enabled] **************************************************************
changed: [152.111.26.84] => (item=hmac)
changed: [152.111.26.84] => (item=pkcs8)
changed: [152.111.26.84] => (item=random)
changed: [152.111.26.84] => (item=pubkey)
changed: [152.111.26.84] => (item=pkcs7)
changed: [152.111.26.84] => (item=pkcs12)
changed: [152.111.26.84] => (item=nonce)
changed: [152.111.26.84] => (item=gcm)
changed: [152.111.26.84] => (item=openssl)
changed: [152.111.26.84] => (item=aes)
changed: [152.111.26.84] => (item=sha2)
changed: [152.111.26.84] => (item=pem)
changed: [152.111.26.84] => (item=stroke)
changed: [152.111.26.84] => (item=x509)
changed: [152.111.26.84] => (item=kernel-netlink)
changed: [152.111.26.84] => (item=socket-default)
changed: [152.111.26.84] => (item=pgp)
changed: [152.111.26.84] => (item=revocation)

TASK [strongswan : debug] *************************************************************************************************
ok: [152.111.26.84 -> localhost] => {
    "subjectAltName": "IP:152.111.26.84,IP:2604:a880:4:1d0:0:1:108f:1000"
}

TASK [strongswan : Ensure the pki directories exist] **********************************************************************
changed: [152.111.26.84 -> localhost] => (item=certs)
changed: [152.111.26.84 -> localhost] => (item=private)
changed: [152.111.26.84 -> localhost] => (item=public)

TASK [strongswan : Ensure the config directories exist] *******************************************************************
changed: [152.111.26.84 -> localhost] => (item=apple)
changed: [152.111.26.84 -> localhost] => (item=manual)

TASK [strongswan : Create private key with password protection] ***********************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Create certificate signing request (CSR) for CA certificate with security constraints] *****************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Create self-signed CA certificate from CSR] ************************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Copy the CA certificate] *******************************************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Create private keys for users and server] **************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)

TASK [strongswan : Create CSRs for server certificate with SAN] ***********************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Create CSRs for client certificates] *******************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Sign server certificate with CA] ***********************************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Sign client certificates with CA] **********************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Generate p12 files] ************************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Generate p12 files with CA certificate included] *******************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Copy the p12 certificates] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Build openssh public keys] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Add all users to the file] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Set all users as a fact] *******************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Calculate current timestamp for CRL] *******************************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Identify users whose certificates need revocation] *****************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Build revoked certificates list] ***********************************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Generate a CRL] ****************************************************************************************
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Set CRL file permissions] ******************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Copy the CRL to the vpn server] ************************************************************************
changed: [152.111.26.84]

TASK [strongswan : Copy the keys to the strongswan directory] *************************************************************
changed: [152.111.26.84] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'certs/152.111.26.84.crt', 'dest': 'certs/152.111.26.84.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'private/152.111.26.84.key', 'dest': 'private/152.111.26.84.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ***************************************************************************
ok: [152.111.26.84 -> localhost] => (item=algoiphone)
ok: [152.111.26.84 -> localhost] => (item=algoipad)
ok: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Set facts for mobileconfigs] ***************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : Build the mobileconfigs] *******************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]

TASK [strongswan : Build the client ipsec config file] ********************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Build the client ipsec secret file] ********************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)

TASK [strongswan : Restrict permissions for the local private directories] ************************************************
ok: [152.111.26.84 -> localhost]

TASK [strongswan : strongSwan started] ************************************************************************************
ok: [152.111.26.84]

TASK [Display VPN service completion status] ******************************************************************************
ok: [152.111.26.84] => {
    "msg": "VPN Service Status Summary (Parallel Mode):\nDNS: SKIPPED\nWireGuard: SKIPPED\nStrongSwan: SKIPPED\nSSH Tunneling: >-\n  SKIPPED\n"
}

TASK [privacy : Display privacy enhancements status] **********************************************************************
ok: [152.111.26.84] => {
    "msg": "Privacy enhancements are enabled"
}

TASK [privacy : Include log rotation tasks] *******************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/log_rotation.yml for 152.111.26.84

TASK [privacy : Check if default rsyslog logrotate config exists] *********************************************************
ok: [152.111.26.84]

TASK [privacy : Disable default rsyslog logrotate to prevent conflicts] ***************************************************
changed: [152.111.26.84]

TASK [privacy : Configure aggressive logrotate for system logs] ***********************************************************
changed: [152.111.26.84]

TASK [privacy : Configure logrotate for auth logs with shorter retention] *************************************************
changed: [152.111.26.84]

TASK [privacy : Configure logrotate for kern logs with VPN filtering] *****************************************************
changed: [152.111.26.84]

TASK [privacy : Set more frequent logrotate execution] ********************************************************************
changed: [152.111.26.84]

TASK [privacy : Create privacy log cleanup script] ************************************************************************
changed: [152.111.26.84]

TASK [privacy : Include history clearing tasks] ***************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/clear_history.yml for 152.111.26.84

TASK [privacy : Clear bash history for all users] *************************************************************************
ok: [152.111.26.84]

TASK [privacy : Clear system command history logs] ************************************************************************
changed: [152.111.26.84] => (item=/var/log/lastlog)
ok: [152.111.26.84] => (item=/var/log/wtmp.1)
ok: [152.111.26.84] => (item=/var/log/btmp.1)
ok: [152.111.26.84] => (item=/tmp/.X*)
changed: [152.111.26.84] => (item=/tmp/.font-unix)
changed: [152.111.26.84] => (item=/tmp/.ICE-unix)

TASK [privacy : Configure bash to not save history for service users] *****************************************************
changed: [152.111.26.84] => (item=/root)
changed: [152.111.26.84] => (item=/home/ubuntu)

TASK [privacy : Create history clearing script for logout] ****************************************************************
changed: [152.111.26.84]

TASK [privacy : Include log filtering tasks] ******************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/log_filtering.yml for 152.111.26.84

TASK [privacy : Create rsyslog privacy configuration directory] ***********************************************************
ok: [152.111.26.84]

TASK [privacy : Configure rsyslog to exclude VPN-related logs] ************************************************************
changed: [152.111.26.84]

TASK [privacy : Configure rsyslog to filter kernel VPN logs] **************************************************************
changed: [152.111.26.84]

TASK [privacy : Test rsyslog configuration] *******************************************************************************
ok: [152.111.26.84]

TASK [privacy : Display rsyslog test results] *****************************************************************************
ok: [152.111.26.84] => {
    "msg": "Rsyslog configuration test passed"
}

TASK [privacy : Include automatic cleanup tasks] **************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/auto_cleanup.yml for 152.111.26.84

TASK [privacy : Create privacy cleanup script] ****************************************************************************
changed: [152.111.26.84]

TASK [privacy : Set up automatic privacy cleanup cron job] ****************************************************************
changed: [152.111.26.84]

TASK [privacy : Clean up temporary files immediately] *********************************************************************
ok: [152.111.26.84]

TASK [privacy : Clean package cache immediately] **************************************************************************
ok: [152.111.26.84]

TASK [privacy : Include advanced privacy tasks] ***************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/advanced_privacy.yml for 152.111.26.84

TASK [privacy : Reduce kernel log verbosity for privacy] ******************************************************************
changed: [152.111.26.84] => (item={'name': 'kernel.printk', 'value': '3 4 1 3'})
changed: [152.111.26.84] => (item={'name': 'kernel.dmesg_restrict', 'value': '1'})

TASK [privacy : Configure kernel parameters for privacy] ******************************************************************
changed: [152.111.26.84] => (item=# Privacy enhancements - reduce kernel logging)
changed: [152.111.26.84] => (item=kernel.printk = 3 4 1 3)
changed: [152.111.26.84] => (item=kernel.dmesg_restrict = 1)

TASK [privacy : Configure journal settings for privacy] *******************************************************************
changed: [152.111.26.84] => (item={'key': 'MaxRetentionSec', 'value': '604800'})
changed: [152.111.26.84] => (item={'key': 'MaxFileSec', 'value': '1day'})
changed: [152.111.26.84] => (item={'key': 'SystemMaxUse', 'value': '100M'})
changed: [152.111.26.84] => (item={'key': 'SystemMaxFileSize', 'value': '10M'})
changed: [152.111.26.84] => (item={'key': 'ForwardToSyslog', 'value': 'no'})

TASK [privacy : Disable persistent systemd journal] ***********************************************************************
changed: [152.111.26.84]

TASK [privacy : Create journal configuration for volatile storage only] ***************************************************
changed: [152.111.26.84]

TASK [privacy : Configure rsyslog for minimal logging] ********************************************************************
changed: [152.111.26.84]

TASK [privacy : Set up privacy monitoring script] *************************************************************************
changed: [152.111.26.84]

TASK [privacy : Display privacy configuration summary] ********************************************************************
ok: [152.111.26.84] => {
    "msg": [
        "Privacy enhancements applied:",
        "  - Log retention: 7 days",
        "  - VPN log filtering: True",
        "  - History clearing: True",
        "  - Auto cleanup: True",
        "  - Kernel verbosity reduction: True"
    ]
}

TASK [privacy : Display privacy enhancements completion] ******************************************************************
ok: [152.111.26.84] => {
    "msg": "Privacy enhancements have been successfully applied"
}

TASK [Dump the configuration] *********************************************************************************************
changed: [152.111.26.84 -> localhost]

TASK [MacOS | check fs the ramdisk exists] ********************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [MacOS | unmount and eject the ram disk] *****************************************************************************
ok: [152.111.26.84 -> localhost]

TASK [debug] **************************************************************************************************************
ok: [152.111.26.84] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.34.100.1, fe56::c:0c51                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is riieC.76l       #\"\n",
        "    ",
        "    \"#      Shell access: ssh -F configs/152.111.26.84/ssh_config simx-algo-vpn        #\"\n"
    ]
}

RUNNING HANDLER [privacy : restart rsyslog] *******************************************************************************
changed: [152.111.26.84]

RUNNING HANDLER [privacy : restart systemd-journald] **********************************************************************
changed: [152.111.26.84]

PLAY RECAP ****************************************************************************************************************
152.111.26.84              : ok=168  changed=94   unreachable=0    failed=0    skipped=126  rescued=0    ignored=0   
localhost                  : ok=49   changed=10   unreachable=0    failed=0    skipped=3    rescued=0    ignored=0   
