Ansible playbooks for installing OpenVPN, IPsec, Tor, etc. on popular clouds (github.com)
46 points by kevlar1818 2 hours ago

Streisand is a good idea, but I don't believe users want 500 services running on their VPN gateway. Most of these protocols require a specific client, like OpenVPN. This is a 'kitchen sink' collection.

TrailOfBits released their Ansible scripts for StrongSwan, which has sensible secure defaults (IPSec using AES-GCM only). They are calling the project algo.

https://github.com/trailofbits/algo

It is pretty easy to turn off any roles you don't want on Streisand. If you know for sure you will be using IPSEC I agree with you, use the ToB setup.

Specifically, compare their IKE setups:

https://github.com/jlund/streisand/blob/master/playbooks/rol...

https://github.com/trailofbits/algo/blob/master/roles/vpn/te...

Algo's is much more conservative. Streisand lets 3des and SHA1 into the mix. If you allow it, users will end up using it.

Otherwise, I think you are spot on and I prefer Algo (having used both for various things and just playing around).
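To make the "3des and SHA1 in the mix" point concrete, here is an added example (not code from the thread, Streisand, or Algo) that parses a strongSwan-style ike=/esp= proposal string and flags the algorithms a defender would not want offered. The two proposal strings in it are constructed for illustration, not copied from either project's templates.

```python
"""Audit a strongSwan-style IKE/ESP proposal string for weak algorithms.

Added example; not from the thread or from Streisand/Algo. Proposal
syntax follows ipsec.conf: proposals separated by commas, algorithms
within a proposal separated by hyphens, optional trailing '!'.
"""

# Algorithms a defender should not offer in an IKE/ESP proposal, with the
# reason. Deliberately short; extend to taste.
WEAK = {
    "des": "56-bit key, broken",
    "3des": "64-bit block cipher (Sweet32), deprecated",
    "md5": "broken hash",
    "sha1": "deprecated for integrity/PRF in new deployments",
    "modp768": "DH group far too small",
    "modp1024": "1024-bit DH, weak (Logjam)",
    "modp1536": "below the 2048-bit minimum commonly recommended",
}

# Constructed sample specs (hypothetical, NOT the real project templates).
PERMISSIVE = "aes256-sha256-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024"
STRICT = "aes256gcm16-prfsha512-ecp384!"


def parse_proposals(spec):
    """Split a proposal spec into a list of algorithm-token lists.

    Returns (proposals, strict) where strict is True when the spec ends
    with strongSwan's '!' marker (stripped before parsing).
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    proposals = [p.split("-") for p in spec.split(",") if p]
    return proposals, strict


def audit(spec):
    """Return (findings, strict). Each finding is
    (proposal, offending_token, reason). An empty findings list means no
    weak algorithm from WEAK is offered."""
    proposals, strict = parse_proposals(spec)
    findings = []
    for prop in proposals:
        for alg in prop:
            # PRF tokens are written as prf<hash>, e.g. prfsha1 -> sha1.
            base = alg[3:] if alg.startswith("prf") else alg
            if base in WEAK:
                findings.append(("-".join(prop), alg, WEAK[base]))
    return findings, strict


def report(spec):
    """Human-readable lines for one spec; used by the demo below."""
    findings, strict = audit(spec)
    lines = ["%s (strict marker: %s)" % (spec, "yes" if strict else "no")]
    if not findings:
        lines.append("  OK: no weak algorithms offered")
    for prop, alg, reason in findings:
        lines.append("  WEAK %-28s %-10s %s" % (prop, alg, reason))
    return lines


if __name__ == "__main__":
    for s in (PERMISSIVE, STRICT):
        print("\n".join(report(s)))
```

The check is only as good as the WEAK table, and it says nothing about the order of proposals; an initiator that lists a strong proposal first but still offers 3des-sha1-modp1024 will happily negotiate the weak one with a peer that prefers it, which is exactly the "if you allow it, users will end up using it" concern.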

Ironic that a project to do automated installation of packages on a remote machine has two pages of manual installation instructions for prerequisites on the command machine, before it can be run.

For this reason, amongst others, I've made a simple Bash script to install StrongSwan: https://github.com/jawj/IKEv2-setup

I thought you were being snarky, but I went and had a look and I see what you mean there. Other than installing Ansible, it seems like that could just be another role as well.

I don't know Ansible very well... is it possible to install only a subset (namely, the VPN service you plan to actually use)? It seems like a large attack surface to have every VPN software possible running on the machine.

Yes. It depends on how well organized the playbook is, but this one is nice, as long as they kept their dependencies clean.

edit:

https://github.com/jlund/streisand/blob/master/playbooks/str...

Comment out any roles you don't want with a # at the beginning of the line; YAML is very picky about syntax.

edit: Think of roles in Ansible like building blocks or common chores you can apply to any server. It might be nice to not have so much stuff by default, but this tool isn't meant for complete technical novices, so it is expected (in my opinion) that you go in and prune anything you don't want/need. What is nice is that you have lots of options, and if you ever need to add a role you can just uncomment it and re-run the playbook.

I think you'd typically want to use tags [0] for controlling which portions of an ansible playbook run, for a one-off set of tasks like this. This one in particular isn't set up to work that way though.

[0] http://docs.ansible.com/ansible/playbooks_tags.html
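The two approaches above (pruning roles by commenting them out, or selecting them with --tags) both come down to deciding which tasks a run will touch. As an added example, not from the thread and not Ansible's own code, here is a small model of how ansible-playbook's --tags / --skip-tags selection works for the common cases, including the documented special tags "always" and "never". The task list is constructed for illustration; the role names in it are made up and are not Streisand's.

```python
"""Simplified model of ansible-playbook --tags / --skip-tags task selection.

Added example; not Ansible's implementation. It mirrors the behaviour
documented for tags in the common cases only (explicit tags, skip-tags,
'all', 'always', 'never'); the 'tagged'/'untagged' selectors are omitted.
"""

# Constructed playbook: (task or role name, set of tags). Hypothetical
# names, not taken from any real playbook.
PLAYBOOK = [
    ("common hardening", {"common", "always"}),
    ("install openvpn", {"openvpn", "vpn"}),
    ("install strongswan", {"ipsec", "vpn"}),
    ("install tor", {"tor"}),
    ("destructive cleanup", {"cleanup", "never"}),
    ("print summary", set()),  # untagged task
]


def select_tasks(playbook, tags=None, skip_tags=None):
    """Return the names of the tasks that would run, in playbook order.

    Rules modelled:
      * no --tags        -> every task runs except those tagged 'never'
      * --tags T         -> a task runs if it shares a tag with T or is
                            tagged 'always'; 'all' selects every task,
                            but still not 'never' tasks unless one of
                            their tags is requested explicitly
      * --skip-tags S    -> a task sharing a tag with S is dropped; this
                            overrides 'always'
    """
    tags = set(tags or [])
    skip = set(skip_tags or [])
    selected = []
    for name, task_tags in playbook:
        if task_tags & skip:
            continue  # skip-tags wins over everything, including 'always'
        requested = bool(task_tags & tags)  # explicitly asked for via --tags
        if "never" in task_tags and not requested:
            continue  # 'never' tasks need an explicit request
        if not tags or "all" in tags or requested or "always" in task_tags:
            selected.append(name)
    return selected


if __name__ == "__main__":
    # Equivalent of: ansible-playbook site.yml --tags openvpn
    print(select_tasks(PLAYBOOK, tags=["openvpn"]))
    # Equivalent of: ansible-playbook site.yml --tags vpn --skip-tags ipsec
    print(select_tasks(PLAYBOOK, tags=["vpn"], skip_tags=["ipsec"]))
```

The useful lesson for a gateway build is the asymmetry: with --tags you get exactly the roles you asked for plus whatever is tagged always, so an untagged "install everything" role simply does not run, whereas with the comment-out approach anything you forget to comment stays in. Either way, the playbook has to carry the tags (or keep its roles independent) for this to work, which is the caveat raised above about Streisand not being set up that way.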
