fix: Prevent sensitive information from being logged (#14779) · trailofbits/algo@454faa9


@@ -12,106 +12,61 @@ users:

12121313

### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.

141415-

# Performance optimizations (reduces deployment time)

16-

# Skip reboots unless kernel was updated (saves 0-5 minutes)

17-

performance_skip_optional_reboots: false

18-

# Use parallel key generation for certificates (saves 1-2 minutes)

19-

performance_parallel_crypto: false

20-

# Batch install all packages in one operation (saves 30-60 seconds)

21-

performance_parallel_packages: false

22-

# Pre-install universal packages via cloud-init (saves 30-90 seconds)

23-

performance_preinstall_packages: false

24-

# Configure VPN services in parallel (saves 1-2 minutes)

25-

performance_parallel_services: false

26-27-

# Change default SSH port for the cloud roles only

28-

# It doesn't apply if you deploy to your existing Ubuntu Server

15+

# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)

2916

ssh_port: 4160

301731-

# Deploy StrongSwan to enable IPsec support

18+

# VPN protocols to deploy

3219

ipsec_enabled: true

33-34-

# Deploy WireGuard

35-

# WireGuard will listen on 51820/UDP. You might need to change to another port

36-

# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some

37-

# mobile data networks.

3820

wireguard_enabled: true

39-

wireguard_port: 51820

21+

wireguard_port: 51820 # Change if blocked by your network (avoid 53/UDP)

402241-

# This feature allows you to configure the Algo server to send outbound traffic

42-

# through a different external IP address than the one you are establishing the VPN connection with.

43-

# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html

44-

# Available for the following cloud providers:

45-

# - DigitalOcean

23+

# Use different IP for outbound traffic (DigitalOcean only)

4624

alternative_ingress_ip: false

472548-

# Reduce the MTU of the VPN tunnel

49-

# Some cloud and internet providers use a smaller MTU (Maximum Transmission

50-

# Unit) than the normal value of 1500 and if you don't reduce the MTU of your

51-

# VPN tunnel some network connections will hang. Algo will attempt to set this

52-

# automatically based on your server, but if connections hang you might need to

53-

# adjust this yourself.

54-

# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn

26+

# Reduce MTU if connections hang (0 = auto-detect)

27+

# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn

5528

reduce_mtu: 0

562957-

# Algo will use the following lists to block ads. You can add new block lists

58-

# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:

59-

# /usr/local/sbin/adblock.sh

60-

# If you load very large blocklists, you may also have to modify resource limits:

61-

# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf

30+

# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)

6231

adblock_lists:

63-

- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"

32+

- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"

643365-

# Enable DNS encryption.

66-

# If 'false', 'dns_servers' should be specified below.

67-

# DNS encryption can not be disabled if DNS adblocking is enabled

34+

# DNS encryption (required if using ad blocking)

6835

dns_encryption: true

693670-

# Block traffic between connected clients. Change this to false to enable

71-

# connected clients to reach each other, as well as other computers on the

72-

# same LAN as your Algo server (i.e. the "road warrior" setup). In this

73-

# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.

37+

# Client isolation (set false for "road warrior" setup where clients can reach each other)

7438

BetweenClients_DROP: true

39+

block_smb: true # Block SMB/CIFS traffic

40+

block_netbios: true # Block NETBIOS traffic

754176-

# Block SMB/CIFS traffic

77-

block_smb: true

78-79-

# Block NETBIOS traffic

80-

block_netbios: true

81-82-

# Your Algo server will automatically install security updates. Some updates

83-

# require a reboot to take effect but your Algo server will not reboot itself

84-

# automatically unless you change 'enabled' below from 'false' to 'true', in

85-

# which case a reboot will take place if necessary at the time specified (as

86-

# HH:MM) in the time zone of your Algo server. The default time zone is UTC.

42+

# Automatic reboot for security updates (time in server's timezone, default UTC)

8743

unattended_reboot:

8844

enabled: false

8945

time: 06:00

904647+

### Privacy Settings ###

48+

# StrongSwan connection logging (-1 = disabled, 2 = debug)

49+

strongswan_log_level: -1

50+51+

# Master switch for privacy enhancements (log rotation, history clearing, etc.)

52+

# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml

53+

privacy_enhancements_enabled: true

54+9155

### Advanced users only below this line ###

925693-

# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple

94-

# providers may be specified, but avoid mixing providers that filter results

95-

# (like Cisco) with those that don't (like Cloudflare) or you could get

96-

# inconsistent results. The list of available public providers can be found

97-

# here:

98-

# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md

57+

# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)

9958

dnscrypt_servers:

10059

ipv4:

10160

- cloudflare

10261

# - google

103-

# - <YourCustomServer> # E.g., if using NextDNS, this will be something like NextDNS-abc123.

104-

# You must also fill in custom_server_stamps below. You may specify

105-

# multiple custom servers.

62+

# - YourCustomServer # For NextDNS etc., add stamp below

10663

ipv6:

10764

- cloudflare-ipv6

1086510966

custom_server_stamps:

11067

# YourCustomServer: 'sdns://...'

11168112-

# DNS servers which will be used if 'dns_encryption' is 'false'.

113-

# Fallback resolvers for systemd-resolved

114-

# The default is to use Cloudflare.

69+

# DNS servers when encryption is disabled

11570

dns_servers:

11671

ipv4:

11772

- 1.1.1.1

@@ -120,37 +75,36 @@ dns_servers:

12075

- 2606:4700:4700::1111

12176

- 2606:4700:4700::1001

12277123-

# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false

124-

# Supports on MacOS and Linux only (including Windows Subsystem for Linux)

78+

# Store PKI in RAM disk when not retaining (MacOS/Linux only)

12579

pki_in_tmpfs: true

12680127-

# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.

81+

# Regenerate ALL user certs on update-users (not just new users)

12882

keys_clean_all: false

12983130-

# StrongSwan log level

131-

# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

132-

strongswan_log_level: 2

133-134-

# rightsourceip for ipsec

135-

# ipv4

84+

### VPN Network Configuration ###

13685

strongswan_network: 10.48.0.0/16

137-

# ipv6

13886

strongswan_network_ipv6: '2001:db8:4160::/48'

13987140-

# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.

141-

# This option will keep the "connection" open in the eyes of NAT.

142-

# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence

143-

wireguard_PersistentKeepalive: 0

144-145-

# WireGuard network configuration

14688

wireguard_network_ipv4: 10.49.0.0/16

14789

wireguard_network_ipv6: 2001:db8:a160::/48

1489091+

# Keep NAT connections alive (0 = disabled)

92+

wireguard_PersistentKeepalive: 0

93+94+

### Experimental Performance Options ###

95+

# These are experimental and may cause issues. Enable at your own risk.

96+

# performance_skip_optional_reboots: false # Skip non-kernel reboots

97+

# performance_parallel_crypto: false # Parallel key generation

98+

# performance_parallel_packages: false # Batch package installation

99+

# performance_preinstall_packages: false # Pre-install via cloud-init

100+

# performance_parallel_services: false # Configure VPN services in parallel

101+149102

# Randomly generated IP address for the local dns resolver

150103

local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

151104

local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

152105153-

# Hide sensitive data

106+

# Hide sensitive data in Ansible output during deployment (passwords, keys, etc.)

107+

# This is NOT related to privacy/logging on the VPN server itself

154108

algo_no_log: true

155109156110

congrats:

@@ -218,11 +172,11 @@ cloud_providers:

218172

image: Ubuntu 22.04 Jammy Jellyfish

219173

arch: x86_64

220174

hetzner:

221-

server_type: cpx11

175+

server_type: cpx11

222176

image: ubuntu-22.04

223177

openstack:

224178

flavor_ram: ">=512"

225-

image: Ubuntu-22.04

179+

image: Ubuntu-22.04

226180

cloudstack:

227181

size: Micro

228182

image: Linux Ubuntu 22.04 LTS 64-bit
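Review bot: The new default `strongswan_log_level: -1` (new line 49 of the first hunk) makes strongSwan fully silent, so failed IKE authentications and peer errors no longer reach the journal, and the inline comment only names -1 and 2. StrongSwan's LoggerConfiguration page, which the removed comment linked, documents level 0 as basic audit messages without the per-connection detail this change is removing, so the comment should offer that middle ground: `# StrongSwan logging (-1 = silent, 0 = basic audit messages only, 2 = debug)`. The reworded unattended_reboot comment sits above the unchanged `time: 06:00`, which is still an unquoted sexagesimal-looking scalar; a user editing it to `23:00` gets the integer 1380 under YAML 1.1 resolvers, so `time: "06:00"` would be safer. The new `privacy_enhancements_enabled` comment refers to roles/privacy/defaults/main.yml, which is outside this section, so what a `false` value actually disables could not be confirmed here.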