Algo looks interesting, but the Ansible playbooks it provides do some slightly odd things. For example, in the FreeBSD playbook:
  - name: FreeBSD / HardenedBSD | Install prerequisites
    raw: sleep 10 && env ASSUME_ALWAYS_YES=YES sudo pkg install -y python27
  - name: FreeBSD / HardenedBSD | Configure defaults
    raw: sudo ln -sf /usr/local/bin/python2.7 /usr/bin/python2.7
The Ubuntu one does something similar, and odd practices are followed throughout. That kind of thing makes me wary.
The first task is fairly common practice used to allow remote boxes (often legacy / lacking python in base) to execute ansible tasks (ansible’s one requirement is to have python on the target machines). The second task is to avoid having to set ansible_python_interpreter, and definitely isn’t the right way to do it!
I do the exact same thing with every FreeBSD/OpenBSD box I fire up, but I go about it differently:
From my ansible hosts:
Then on OpenBSD I have a site.XX.tgz set that installs python (and does various configuration tasks) using autoinstall(8). I don’t use FreeBSD often enough to have an auto-install method for python.
Indeed. The sleep 10 is the bit that had me raise an eyebrow (well, along with the Python symlink). I’ve checked out the other playbooks and in a few cases ansible_python_interpreter is set, but it’s set to /usr/bin/python2.7 (hence the crude FreeBSD hack). Also, checking for the existence of Python before installing might be a good idea…
Easy enough to tidy up though.
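As an added example that is not part of this thread or the Algo repository, here is one way to do the bootstrap the way the comments above suggest: check for the interpreter before installing it, and point Ansible at the real path via ansible_python_interpreter instead of symlinking into /usr/bin. The group name, file paths and playbook structure are assumptions; the package name and interpreter path are the ones from the snippet quoted earlier.

```yaml
# inventory/group_vars/freebsd.yml  (assumed layout)
# ansible_python_interpreter: /usr/local/bin/python2.7   # where pkg installs it
# ansible_become: true                                    # replaces the inline sudo

# bootstrap.yml  (hypothetical playbook, not Algo's own)
- name: Bootstrap Python on FreeBSD hosts
  hosts: freebsd
  gather_facts: false          # fact gathering already needs Python, so defer it
  tasks:
    - name: FreeBSD | Check whether the expected interpreter is present
      raw: test -x /usr/local/bin/python2.7
      register: python_check
      changed_when: false      # a probe never counts as a change
      failed_when: false       # a non-zero rc here just means "not installed"

    - name: FreeBSD | Install Python only when it is missing
      raw: env ASSUME_ALWAYS_YES=YES pkg install -y python27
      when: python_check.rc != 0

    - name: Gather facts now that Python is available
      setup:
```

With the interpreter path set in inventory there is no need for the /usr/bin/python2.7 symlink, and re-running the play is idempotent because the install step is skipped when the probe succeeds.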
Thanks for checking out the code. As qbit said, this is a dirty hack due to Ansible only supporting python2 at the moment (python3 is in tech preview and still has bugs). If you have a cleaner way to work around this issue, we are certainly open to considering it. File a bug or make a pull request, we give out bounties! (note: I am one of the authors of Algo)
Thanks for the response and for creating Algo - I do like the look of it.
I’ve spotted a few things that could (IMHO) be neater (like the symlink), so I’ll take a proper browse through and make some suggestions/file PRs.
Considering that I trust digitalocean more than my home ISP to not sell my browsing history, I might install this and start piping some of my home traffic through it.
Does not claim to provide anonymity or censorship avoidance
That’s kinda why I use a VPN in the first place.
So, I think they’re using that particular turn of phrase to indicate that they aren’t trying to offer the same kind of protections that Tor claims.
Indeed. It’s also hard to be anonymous if you’re hosting the VPN yourself on a VPS…
Another very easy to set up VPN is cjdns. This one is also easy to set up if you need a ‘real’ VPN, not just a new ‘exit node’ for your internet traffic.
So, I set this up and have been using it for a few weeks. It works like a charm on computers - exactly zero issues on two MBPs and one iMac.
Unfortunately, through exactly ZERO fault of algo, running it on iOS devices has not gone so well. Apple’s “On Demand” VPN profile sucks HARD.
1) Massively accelerated battery drain
2) on iPhone, the phone will go network deaf for several minutes, unless I toggle the VPN switch in Settings, at which point it starts working.
Awful awful awful. Apple really needs to get their act together. I need to invest the time in searching their bug tracker to see if anyone else has reported this.
Such a shame too, Algo makes installing on iOS SUPER trivial with the .mobileconfig files it auto-generates.
I’m pretty excited about this. I liked the idea of Streisand, but I also felt like Tor was unnecessary for my relatively simplistic use case.
How hard is OpenIKED to set up these days? Last I looked, the documentation looked solid, but there wasn’t a simple how-to guide, which made it look like a high barrier to entry.
OpenIKED was easy-ish to set up… but I’ve set up the hard ones a few times so I may not have the best perspective. I am using it for a site-to-site VPN using two APU2e systems and it works flawlessly.
I’m also able to connect to iked using the built-in Windows 10 client.
I have patched iked to support DH group negotiation during the IKE_SA_INIT exchange. This allows stock StrongSwan on Android (from Google Play) to connect. I need to email the appropriate OpenBSD list to start getting the patch in shape for submission.
I don’t believe it supports MOBIKE, though I haven’t looked too deeply. Maybe someone else knows more details here.
(Updated to fix formatting.)
release would be a good tag for what is effectively a software release.