IPSec .mobileconfig files not working on either macOS or iOS
Describe the bug
The IPSec .mobileconfig files to use macOS's or iOS's built-in VPN generated by algo cause the VPN configuration to never connect properly. However, if you use the WireGuard .mobileconfig files and install the WireGuard app, the algo VPN works fine. I don't think I have anything else that could be interfering, but I'm not 100% sure (quit other VPN apps, turned off built-in Firewall, lockdown mode not turned on).
I've tested this with the current HEAD of master (😒, would be nice to change this to "main") or the v2.0.0 tag. I'm running Sequoia 15.7.1 on an M1 MacBook Air, iOS 18.7.1 on an iPhone 12 mini, and iPadOS 17.7.10 on an iPad 6. I am using DigitalOcean with the s-1vcpu-512mb-10gb droplet size, using the SFO3 location. I last created a droplet using Algo 1.1 in Feb 2024 with this same DigitalOcean config and everything worked properly.
Hopefully I'm not missing something obscenely obvious.
To Reproduce
Steps to reproduce the behavior:
- Do a fresh git clone on the algo repo. You can either use the HEAD of master, or checkout the v2.0.0 tag.
- Once the repo is cloned, make changes to config.cfg as necessary. I've changed the name of the three default users, and I changed DigitalOcean to use the s-1vcpu-512mb-10gb size.
- Run `./algo` in the directory of the newly cloned git repo.
- Once finished, navigate to the configs/IP_ADDRESS/ipsec/apple folder, and install the appropriate .mobileconfig file on whichever device you're trying to use. (Double-click the file on macOS or AirDrop to an iOS device, then go through the rigmarole in the Settings app to actually install the profile.)
- Once the config file is actually installed on the macOS or iOS device, go to the VPN section of the Settings app, and try to turn on the VPN. You'll notice a brief "Connecting..." status message, and then the switch reverts back to off and "Disconnected". If you have "Connect on Demand" activated in the profile, you'll see this happen over and over and over: the VPN will try to connect, fail, and then try to connect again.
- Navigate to the configs/IP_ADDRESS/wireguard/apple folder, and go into the "ios" or "macos" folder as appropriate. Again, install the correct .mobileconfig file for the device you're trying to use. In my case, I went into the "ios" folder and AirDropped the .mobileconfig file to my iPhone, installed WireGuard, and clicked the switch for my VPN config in the WireGuard app. This time, the VPN connects correctly, and I can navigate to websites (and can confirm the VPN is being used because ads are being blocked).
Expected behavior
I expect the IPSec .mobileconfig files to allow the VPN to connect using the built-in Apple VPN software.
Additional context
Here's what I see in the Console on macOS when attempting to connect the VPN using the IPSec profile:
default 11:39:48.564225-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Received a start command from VPN[989]
default 11:39:48.564265-0700 nesessionmanager Registering session NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default 11:39:48.564490-0700 nesessionmanager <NESMServer: 0x1028c13c0>: Register Enterprise VPN Session: NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default 11:39:48.564517-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Successfully registered
default 11:39:48.564534-0700 nesessionmanager -[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default 11:39:48.565530-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to connecting
default 11:39:48.565745-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateIdle: received start message
default 11:39:48.565761-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateIdle
default 11:39:48.565774-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
default 11:39:48.565912-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
default 11:39:48.565927-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateStarting
default 11:39:48.565937-0700 nesessionmanager NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Sending start command
default 11:39:48.568212-0700 Network NEVPNStatusDidChange:
default 11:39:48.710014-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) initialized with Mach-O UUIDs (
"60E29CA8-3844-301A-975D-5D41BAB070DA",
"9B072267-A3F4-3F8D-B15F-59AFAD04DDE5"
)
default 11:39:48.713830-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) started with PID 9710 error (null)
default 11:39:48.959281-0700 Network /AppleInternal/Library/BuildRoots/4~B5vaugC0N2TQDQ_R5HAg9k4TI3GiWGSqEu_YMV8/Library/Caches/com.apple.xbs/Sources/NetworkPref/NetworkExtension/Model/NetworkPaneSettings.swift:508 notificationDebounceCore() updating observableService for <NetworkSettingsExtension.ANPServiceVPNandProxies: 0x600002db4000>
default 11:39:49.156498-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) did detach from IPC
default 11:39:49.159476-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: didSetStatus - 0
default 11:39:49.159519-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) disconnected with reason Tunnel was terminated by the server
default 11:39:49.160129-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateStarting
default 11:39:49.160170-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
default 11:39:49.160223-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: config request: pushing handler [(null)] (null)
default 11:39:49.160259-0700 nesessionmanager <NESMServer: 0x1028c13c0>: Request to uninstall session: NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]
default 11:39:49.160294-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to disconnecting
default 11:39:49.160507-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
default 11:39:49.161815-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStopping: session is now uninstalled
default 11:39:49.161926-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateStopping: plugin already disconnected, disposing all plugins
default 11:39:49.161961-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateStopping
default 11:39:49.161998-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
default 11:39:49.162910-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: config request: popping handler [(null)] (null)
default 11:39:49.163892-0700 nesessionmanager NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Tearing down plugin connection
default 11:39:49.164901-0700 Network NEVPNStatusDidChange:
default 11:39:49.165880-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateDisposing: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]) dispose complete
default 11:39:49.165913-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)] in state NESMVPNSessionStateDisposing: all plugins have disposed
default 11:39:49.166318-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Leaving state NESMVPNSessionStateDisposing
default 11:39:49.166356-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: Entering state NESMVPNSessionStateIdle
default 11:39:49.166378-0700 nesessionmanager -[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default 11:39:49.167066-0700 nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:AlgoVPN simx-algo-vpn IKEv2:F6CFCB8B-E165-49AB-8B43-E037CB36FE19:(null)]: status changed to disconnected, last stop reason Tunnel was terminated by the server
default 11:39:49.169557-0700 nesessionmanager -[NESMVPNSession unsetDefaultDropAll]: VPN setting IP Drop-All to 0 (Non-Persistent)
default 11:39:49.177881-0700 Network NEVPNStatusDidChange:
default 11:39:49.515207-0700 Network /AppleInternal/Library/BuildRoots/4~B5vaugC0N2TQDQ_R5HAg9k4TI3GiWGSqEu_YMV8/Library/Caches/com.apple.xbs/Sources/NetworkPref/NetworkExtension/Model/NetworkPaneSettings.swift:508 notificationDebounceCore() updating observableService for <NetworkSettingsExtension.ANPServiceVPNandProxies: 0x600002db4000>
Full log
simx@MacBookAir ~/D/algo ((v2.0.0))> ./algo
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Using CPython 3.13.7 interpreter at: /opt/homebrew/opt/[email protected]/bin/python3.13
Creating virtual environment at: .venv
Built algo @ file:///Users/simx/Development/algo
Installed 20 packages in 376ms
PLAY [Algo VPN Setup] *****************************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]
TASK [Playbook dir stat] **************************************************************************************************
ok: [localhost]
TASK [Ensure Ansible is not being run in a world writable directory] ******************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [Ensure the requirements installed] **********************************************************************************
ok: [localhost]
TASK [Extract ansible version from pyproject.toml] ************************************************************************
ok: [localhost]
TASK [Parse ansible version requirement] **********************************************************************************
ok: [localhost]
TASK [Get current ansible package version] ********************************************************************************
ok: [localhost]
TASK [Extract ansible version from uv package list] ***********************************************************************
ok: [localhost]
TASK [Verify Python meets Algo VPN requirements] **************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [Verify Ansible meets Algo VPN requirements] *************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
PLAY [Ask user for the input] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Linode
12. Install to existing Ubuntu latest LTS server (for more advanced users)
Enter the number of your desired provider
:
TASK [Cloud prompt] *******************************************************************************************************
ok: [localhost]
TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
TASK [VPN server name prompt] *********************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
TASK [Cellular On Demand prompt] ******************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
TASK [Wi-Fi On Demand prompt] *********************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
TASK [Trusted Wi-Fi networks prompt] **************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
TASK [Retain the PKI prompt] **********************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
TASK [DNS adblocking prompt] **********************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
TASK [SSH tunneling prompt] ***********************************************************************************************
ok: [localhost]
TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]
PLAY [Provision the server] ***********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]
--> Please include the following block of text when reporting issues:
Algo running on: macOS 15.7.1
Created from git fork. Last commit: 8dc21ce docs: Add FAQ entries for single cipher support and censorship circumvention (#14827)
uv Python environment:
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Python 3.13.7
uv 0.8.23 (Homebrew 2025-10-04)
Runtime variables:
algo_provider "digitalocean"
algo_ondemand_cellular "True"
algo_ondemand_wifi "True"
algo_ondemand_wifi_exclude "X3828nNoc3ccnxr99hdGlvbnMgV2ktRmkgNg=="
algo_dns_adblocking "True"
algo_ssh_tunneling "False"
wireguard_enabled "True"
dns_encryption "True"
TASK [Display the invocation environment] *********************************************************************************
changed: [localhost]
TASK [Install cloud provider dependencies] ********************************************************************************
ok: [localhost]
TASK [Generate the SSH private key] ***************************************************************************************
changed: [localhost]
TASK [Generate the SSH public key] ****************************************************************************************
changed: [localhost]
TASK [Copy the private SSH key to /tmp] ***********************************************************************************
changed: [localhost]
TASK [Include a provisioning role] ****************************************************************************************
included: cloud-digitalocean for localhost
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
(output is hidden):
TASK [cloud-digitalocean : pause] *****************************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set the token as a fact] ***********************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Get regions] ***********************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set facts about the regions] *******************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set default region] ****************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
1. ams3 Amsterdam 3
2. atl1 Atlanta 1
3. blr1 Bangalore 1
4. fra1 Frankfurt 1
5. lon1 London 1
6. nyc1 New York 1
7. nyc2 New York 2
8. nyc3 New York 3
9. sfo2 San Francisco 2
10. sfo3 San Francisco 3
11. sgp1 Singapore 1
12. syd1 Sydney 1
13. tor1 Toronto 1
Enter the number of your desired region
[8]
:10
TASK [cloud-digitalocean : pause] *****************************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Set additional facts] **************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : Upload the SSH key] ****************************************************************************
changed: [localhost]
TASK [cloud-digitalocean : Creating a droplet...] *************************************************************************
changed: [localhost]
TASK [cloud-digitalocean : set_fact] **************************************************************************************
ok: [localhost]
TASK [cloud-digitalocean : set_fact] **************************************************************************************
ok: [localhost]
TASK [Set subjectAltName as a fact] ***************************************************************************************
ok: [localhost]
TASK [Add the server to an inventory group] *******************************************************************************
changed: [localhost]
TASK [Additional variables for the server] ********************************************************************************
changed: [localhost]
TASK [Wait until SSH becomes ready...] ************************************************************************************
ok: [localhost]
TASK [MacOS | set OS specific facts] **************************************************************************************
ok: [localhost]
TASK [MacOS | mount a ram disk] *******************************************************************************************
changed: [localhost]
TASK [Set config paths as facts] ******************************************************************************************
ok: [localhost]
TASK [Update config paths] ************************************************************************************************
changed: [localhost]
TASK [debug] **************************************************************************************************************
ok: [localhost] => {
"IP_subject_alt_name": "152.111.26.84"
}
TASK [Wait for target connection to become reachable/usable] **************************************************************
ok: [localhost -> 152.111.26.84] => (item=152.111.26.84)
PLAY [Configure the server and install required software] *****************************************************************
TASK [Wait until the cloud-init completed] ********************************************************************************
ok: [152.111.26.84]
TASK [Ensure the config directory exists] *********************************************************************************
changed: [152.111.26.84 -> localhost]
TASK [Dump the ssh config] ************************************************************************************************
changed: [152.111.26.84 -> localhost]
TASK [common : Check the system] ******************************************************************************************
ok: [152.111.26.84]
TASK [common : include_tasks] *********************************************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/ubuntu.yml for 152.111.26.84
TASK [common : Gather facts] **********************************************************************************************
ok: [152.111.26.84]
TASK [common : Install software updates] **********************************************************************************
ok: [152.111.26.84]
TASK [common : Check if reboot is required] *******************************************************************************
changed: [152.111.26.84]
TASK [common : Reboot (kernel updated or performance optimization disabled)] **********************************************
changed: [152.111.26.84]
TASK [common : Wait until the server becomes ready...] ********************************************************************
ok: [152.111.26.84]
TASK [common : Install unattended-upgrades] *******************************************************************************
ok: [152.111.26.84]
TASK [common : Configure unattended-upgrades] *****************************************************************************
changed: [152.111.26.84]
TASK [common : Periodic upgrades configured] ******************************************************************************
changed: [152.111.26.84]
TASK [common : Disable MOTD on login and SSHD] ****************************************************************************
changed: [152.111.26.84] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [152.111.26.84] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})
TASK [common : Ensure fallback resolvers are set] *************************************************************************
changed: [152.111.26.84]
TASK [common : Loopback for services configured] **************************************************************************
changed: [152.111.26.84]
TASK [common : systemd services enabled and started] **********************************************************************
ok: [152.111.26.84] => (item=systemd-networkd)
ok: [152.111.26.84] => (item=systemd-resolved)
RUNNING HANDLER [common : restart systemd-networkd] ***********************************************************************
changed: [152.111.26.84]
RUNNING HANDLER [common : restart systemd-resolved] ***********************************************************************
changed: [152.111.26.84]
TASK [common : Check apparmor support] ************************************************************************************
ok: [152.111.26.84]
TASK [common : Set fact if apparmor enabled] ******************************************************************************
ok: [152.111.26.84]
TASK [common : Define facts] **********************************************************************************************
ok: [152.111.26.84]
TASK [common : Set facts] *************************************************************************************************
ok: [152.111.26.84]
TASK [common : Set IPv6 support as a fact] ********************************************************************************
ok: [152.111.26.84]
TASK [common : Check size of MTU] *****************************************************************************************
ok: [152.111.26.84]
TASK [common : Set OS specific facts] *************************************************************************************
ok: [152.111.26.84]
TASK [common : Install packages (batch optimization)] *********************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/packages.yml for 152.111.26.84
TASK [common : Initialize package lists] **********************************************************************************
ok: [152.111.26.84]
TASK [common : Add StrongSwan packages] ***********************************************************************************
ok: [152.111.26.84]
TASK [common : Add WireGuard packages] ************************************************************************************
ok: [152.111.26.84]
TASK [common : Add DNS packages] ******************************************************************************************
ok: [152.111.26.84]
TASK [common : Install all packages in batch (performance optimization)] **************************************************
changed: [152.111.26.84]
TASK [common : Debug - Show batched packages] *****************************************************************************
ok: [152.111.26.84] => {
"msg": [
"Batch installed 14 main packages: git, screen, apparmor-utils, uuid-runtime, coreutils, iptables, iptables-persistent, cgroup-tools, openssl, gnupg2, cron, strongswan, wireguard, dnscrypt-proxy",
"Batch installed 0 optional packages: "
]
}
TASK [common : Install iptables packages] *********************************************************************************
ok: [152.111.26.84]
TASK [common : Configure iptables-legacy as default] **********************************************************************
changed: [152.111.26.84] => (item=iptables)
changed: [152.111.26.84] => (item=ip6tables)
TASK [common : include_tasks] *********************************************************************************************
included: /Users/simx/Development/algo/roles/common/tasks/iptables.yml for 152.111.26.84
TASK [common : Iptables configured] ***************************************************************************************
changed: [152.111.26.84] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})
TASK [common : Iptables configured] ***************************************************************************************
changed: [152.111.26.84] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})
TASK [common : Sysctl tuning] *********************************************************************************************
changed: [152.111.26.84] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})
changed: [152.111.26.84] => (item={'item': 'net.ipv4.conf.all.route_localnet', 'value': 1})
RUNNING HANDLER [common : restart iptables] *******************************************************************************
changed: [152.111.26.84]
TASK [dns : Include tasks for Ubuntu] *************************************************************************************
included: /Users/simx/Development/algo/roles/dns/tasks/ubuntu.yml for 152.111.26.84
TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ********************************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************
ok: [152.111.26.84]
TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] **********************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Ensure socket override directory exists] *************************************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Configure dnscrypt-proxy socket to listen on VPN IPs] ************************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Reload systemd daemon after socket configuration] ****************************************************
ok: [152.111.26.84]
TASK [dns : Ubuntu | Restart dnscrypt-proxy socket to apply configuration] ************************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] **********************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Reload systemd daemon if override changed] ***********************************************************
ok: [152.111.26.84]
TASK [dns : Ubuntu | Apply systemd security hardening for dnscrypt-proxy] *************************************************
changed: [152.111.26.84]
TASK [dns : Ubuntu | Reload systemd daemon if hardening changed] **********************************************************
ok: [152.111.26.84]
TASK [dns : dnscrypt-proxy ip-blacklist configured] ***********************************************************************
changed: [152.111.26.84]
TASK [dns : dnscrypt-proxy configured] ************************************************************************************
changed: [152.111.26.84]
TASK [dns : Adblock script created] ***************************************************************************************
changed: [152.111.26.84]
TASK [dns : Adblock script added to cron] *********************************************************************************
changed: [152.111.26.84]
TASK [dns : Update adblock hosts] *****************************************************************************************
ok: [152.111.26.84]
TASK [dns : Ubuntu | Ensure dnscrypt-proxy socket is enabled and started] *************************************************
ok: [152.111.26.84]
TASK [dns : dnscrypt-proxy enabled and started] ***************************************************************************
ok: [152.111.26.84]
TASK [wireguard : Ensure the required directories exist] ******************************************************************
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/preshared)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/private)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/.pki/public)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/apple/ios)
changed: [152.111.26.84 -> localhost] => (item=configs/152.111.26.84/wireguard/apple/macos)
TASK [wireguard : Include tasks for Ubuntu] *******************************************************************************
included: /Users/simx/Development/algo/roles/wireguard/tasks/ubuntu.yml for 152.111.26.84
TASK [wireguard : Set OS specific facts] **********************************************************************************
ok: [152.111.26.84]
TASK [wireguard : Ubuntu | Ensure that the WireGuard service directory exists] ********************************************
changed: [152.111.26.84]
TASK [wireguard : Ubuntu | Apply systemd security hardening for WireGuard] ************************************************
changed: [152.111.26.84]
TASK [wireguard : Generate raw private keys] ******************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)
TASK [wireguard : Save base64 encoded private key] ************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [wireguard : Generate raw preshared keys] ****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)
TASK [wireguard : Save base64 encoded preshared keys] *********************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [wireguard : Generate public keys] ***********************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [wireguard : Set permissions for public keys] ************************************************************************
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost]
TASK [wireguard : WireGuard user list updated] ****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [wireguard : set_fact] ***********************************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [wireguard : WireGuard users config generated] ***********************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])
TASK [wireguard : include_tasks] ******************************************************************************************
included: /Users/simx/Development/algo/roles/wireguard/tasks/mobileconfig.yml for 152.111.26.84 => (item=ios)
included: /Users/simx/Development/algo/roles/wireguard/tasks/mobileconfig.yml for 152.111.26.84 => (item=macos)
TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])
TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************
changed: [152.111.26.84 -> localhost] => (item=[0, 'algoiphone'])
changed: [152.111.26.84 -> localhost] => (item=[1, 'algoipad'])
changed: [152.111.26.84 -> localhost] => (item=[2, 'algomacbookair'])
TASK [wireguard : Generate QR codes] **************************************************************************************
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost] => (item=None)
ok: [152.111.26.84 -> localhost]
TASK [wireguard : WireGuard configured] ***********************************************************************************
changed: [152.111.26.84]
TASK [wireguard : WireGuard enabled and started] **************************************************************************
changed: [152.111.26.84]
TASK [strongswan : include_tasks] *****************************************************************************************
included: /Users/simx/Development/algo/roles/strongswan/tasks/ubuntu.yml for 152.111.26.84
TASK [strongswan : Set OS specific facts] *********************************************************************************
ok: [152.111.26.84]
TASK [strongswan : Ubuntu | Ensure af_key kernel module is loaded] ********************************************************
changed: [152.111.26.84]
TASK [strongswan : Ubuntu | Charon profile for apparmor configured] *******************************************************
changed: [152.111.26.84]
TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ****************************************************************
ok: [152.111.26.84] => (item=/usr/lib/ipsec/charon)
ok: [152.111.26.84] => (item=/usr/lib/ipsec/lookip)
ok: [152.111.26.84] => (item=/usr/lib/ipsec/stroke)
TASK [strongswan : Ubuntu | Enable services] ******************************************************************************
ok: [152.111.26.84] => (item=apparmor)
ok: [152.111.26.84] => (item=strongswan-starter)
ok: [152.111.26.84] => (item=netfilter-persistent)
TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ******************************************
changed: [152.111.26.84]
TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********************************************
changed: [152.111.26.84]
TASK [strongswan : Ensure that the strongswan user exists] ****************************************************************
ok: [152.111.26.84]
TASK [strongswan : Install strongSwan] ************************************************************************************
ok: [152.111.26.84]
TASK [strongswan : Setup the config files from our templates] *************************************************************
changed: [152.111.26.84] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [152.111.26.84] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [152.111.26.84] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
TASK [strongswan : Get loaded plugins] ************************************************************************************
ok: [152.111.26.84]
TASK [strongswan : Disable unneeded plugins] ******************************************************************************
changed: [152.111.26.84] => (item=constraints)
changed: [152.111.26.84] => (item=sha1)
changed: [152.111.26.84] => (item=fips-prf)
changed: [152.111.26.84] => (item=bypass-lan)
changed: [152.111.26.84] => (item=xauth-generic)
changed: [152.111.26.84] => (item=counters)
changed: [152.111.26.84] => (item=connmark)
changed: [152.111.26.84] => (item=attr)
changed: [152.111.26.84] => (item=mgf1)
changed: [152.111.26.84] => (item=drbg)
changed: [152.111.26.84] => (item=dnskey)
changed: [152.111.26.84] => (item=aesni)
changed: [152.111.26.84] => (item=rc2)
changed: [152.111.26.84] => (item=md5)
changed: [152.111.26.84] => (item=updown)
changed: [152.111.26.84] => (item=pkcs1)
changed: [152.111.26.84] => (item=eap-mschapv2)
changed: [152.111.26.84] => (item=gmp)
changed: [152.111.26.84] => (item=agent)
changed: [152.111.26.84] => (item=resolve)
changed: [152.111.26.84] => (item=sshkey)
changed: [152.111.26.84] => (item=xcbc)
TASK [strongswan : Ensure that required plugins are enabled] **************************************************************
changed: [152.111.26.84] => (item=hmac)
changed: [152.111.26.84] => (item=pkcs8)
changed: [152.111.26.84] => (item=random)
changed: [152.111.26.84] => (item=pubkey)
changed: [152.111.26.84] => (item=pkcs7)
changed: [152.111.26.84] => (item=pkcs12)
changed: [152.111.26.84] => (item=nonce)
changed: [152.111.26.84] => (item=gcm)
changed: [152.111.26.84] => (item=openssl)
changed: [152.111.26.84] => (item=aes)
changed: [152.111.26.84] => (item=sha2)
changed: [152.111.26.84] => (item=pem)
changed: [152.111.26.84] => (item=stroke)
changed: [152.111.26.84] => (item=x509)
changed: [152.111.26.84] => (item=kernel-netlink)
changed: [152.111.26.84] => (item=socket-default)
changed: [152.111.26.84] => (item=pgp)
changed: [152.111.26.84] => (item=revocation)
TASK [strongswan : debug] *************************************************************************************************
ok: [152.111.26.84 -> localhost] => {
"subjectAltName": "IP:152.111.26.84,IP:2604:a880:4:1d0:0:1:108f:1000"
}
TASK [strongswan : Ensure the pki directories exist] **********************************************************************
changed: [152.111.26.84 -> localhost] => (item=certs)
changed: [152.111.26.84 -> localhost] => (item=private)
changed: [152.111.26.84 -> localhost] => (item=public)
TASK [strongswan : Ensure the config directories exist] *******************************************************************
changed: [152.111.26.84 -> localhost] => (item=apple)
changed: [152.111.26.84 -> localhost] => (item=manual)
TASK [strongswan : Create private key with password protection] ***********************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Create certificate signing request (CSR) for CA certificate with security constraints] *****************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Create self-signed CA certificate from CSR] ************************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Copy the CA certificate] *******************************************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Create private keys for users and server] **************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
changed: [152.111.26.84 -> localhost] => (item=152.111.26.84)
TASK [strongswan : Create CSRs for server certificate with SAN] ***********************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Create CSRs for client certificates] *******************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Sign server certificate with CA] ***********************************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Sign client certificates with CA] **********************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Generate p12 files] ************************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Generate p12 files with CA certificate included] *******************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Copy the p12 certificates] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Build openssh public keys] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Add all users to the file] *****************************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Set all users as a fact] *******************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Calculate current timestamp for CRL] *******************************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Identify users whose certificates need revocation] *****************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Build revoked certificates list] ***********************************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Generate a CRL] ****************************************************************************************
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Set CRL file permissions] ******************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Copy the CRL to the vpn server] ************************************************************************
changed: [152.111.26.84]
TASK [strongswan : Copy the keys to the strongswan directory] *************************************************************
changed: [152.111.26.84] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'certs/152.111.26.84.crt', 'dest': 'certs/152.111.26.84.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [152.111.26.84] => (item={'src': 'private/152.111.26.84.key', 'dest': 'private/152.111.26.84.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
TASK [strongswan : Register p12 PayloadContent] ***************************************************************************
ok: [152.111.26.84 -> localhost] => (item=algoiphone)
ok: [152.111.26.84 -> localhost] => (item=algoipad)
ok: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Set facts for mobileconfigs] ***************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : Build the mobileconfigs] *******************************************************************************
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost] => (item=None)
changed: [152.111.26.84 -> localhost]
TASK [strongswan : Build the client ipsec config file] ********************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Build the client ipsec secret file] ********************************************************************
changed: [152.111.26.84 -> localhost] => (item=algoiphone)
changed: [152.111.26.84 -> localhost] => (item=algoipad)
changed: [152.111.26.84 -> localhost] => (item=algomacbookair)
TASK [strongswan : Restrict permissions for the local private directories] ************************************************
ok: [152.111.26.84 -> localhost]
TASK [strongswan : strongSwan started] ************************************************************************************
ok: [152.111.26.84]
TASK [Display VPN service completion status] ******************************************************************************
ok: [152.111.26.84] => {
"msg": "VPN Service Status Summary (Parallel Mode):\nDNS: SKIPPED\nWireGuard: SKIPPED\nStrongSwan: SKIPPED\nSSH Tunneling: >-\n SKIPPED\n"
}
TASK [privacy : Display privacy enhancements status] **********************************************************************
ok: [152.111.26.84] => {
"msg": "Privacy enhancements are enabled"
}
TASK [privacy : Include log rotation tasks] *******************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/log_rotation.yml for 152.111.26.84
TASK [privacy : Check if default rsyslog logrotate config exists] *********************************************************
ok: [152.111.26.84]
TASK [privacy : Disable default rsyslog logrotate to prevent conflicts] ***************************************************
changed: [152.111.26.84]
TASK [privacy : Configure aggressive logrotate for system logs] ***********************************************************
changed: [152.111.26.84]
TASK [privacy : Configure logrotate for auth logs with shorter retention] *************************************************
changed: [152.111.26.84]
TASK [privacy : Configure logrotate for kern logs with VPN filtering] *****************************************************
changed: [152.111.26.84]
TASK [privacy : Set more frequent logrotate execution] ********************************************************************
changed: [152.111.26.84]
TASK [privacy : Create privacy log cleanup script] ************************************************************************
changed: [152.111.26.84]
TASK [privacy : Include history clearing tasks] ***************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/clear_history.yml for 152.111.26.84
TASK [privacy : Clear bash history for all users] *************************************************************************
ok: [152.111.26.84]
TASK [privacy : Clear system command history logs] ************************************************************************
changed: [152.111.26.84] => (item=/var/log/lastlog)
ok: [152.111.26.84] => (item=/var/log/wtmp.1)
ok: [152.111.26.84] => (item=/var/log/btmp.1)
ok: [152.111.26.84] => (item=/tmp/.X*)
changed: [152.111.26.84] => (item=/tmp/.font-unix)
changed: [152.111.26.84] => (item=/tmp/.ICE-unix)
TASK [privacy : Configure bash to not save history for service users] *****************************************************
changed: [152.111.26.84] => (item=/root)
changed: [152.111.26.84] => (item=/home/ubuntu)
TASK [privacy : Create history clearing script for logout] ****************************************************************
changed: [152.111.26.84]
TASK [privacy : Include log filtering tasks] ******************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/log_filtering.yml for 152.111.26.84
TASK [privacy : Create rsyslog privacy configuration directory] ***********************************************************
ok: [152.111.26.84]
TASK [privacy : Configure rsyslog to exclude VPN-related logs] ************************************************************
changed: [152.111.26.84]
TASK [privacy : Configure rsyslog to filter kernel VPN logs] **************************************************************
changed: [152.111.26.84]
TASK [privacy : Test rsyslog configuration] *******************************************************************************
ok: [152.111.26.84]
TASK [privacy : Display rsyslog test results] *****************************************************************************
ok: [152.111.26.84] => {
"msg": "Rsyslog configuration test passed"
}
TASK [privacy : Include automatic cleanup tasks] **************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/auto_cleanup.yml for 152.111.26.84
TASK [privacy : Create privacy cleanup script] ****************************************************************************
changed: [152.111.26.84]
TASK [privacy : Set up automatic privacy cleanup cron job] ****************************************************************
changed: [152.111.26.84]
TASK [privacy : Clean up temporary files immediately] *********************************************************************
ok: [152.111.26.84]
TASK [privacy : Clean package cache immediately] **************************************************************************
ok: [152.111.26.84]
TASK [privacy : Include advanced privacy tasks] ***************************************************************************
included: /Users/simx/Development/algo/roles/privacy/tasks/advanced_privacy.yml for 152.111.26.84
TASK [privacy : Reduce kernel log verbosity for privacy] ******************************************************************
changed: [152.111.26.84] => (item={'name': 'kernel.printk', 'value': '3 4 1 3'})
changed: [152.111.26.84] => (item={'name': 'kernel.dmesg_restrict', 'value': '1'})
TASK [privacy : Configure kernel parameters for privacy] ******************************************************************
changed: [152.111.26.84] => (item=# Privacy enhancements - reduce kernel logging)
changed: [152.111.26.84] => (item=kernel.printk = 3 4 1 3)
changed: [152.111.26.84] => (item=kernel.dmesg_restrict = 1)
TASK [privacy : Configure journal settings for privacy] *******************************************************************
changed: [152.111.26.84] => (item={'key': 'MaxRetentionSec', 'value': '604800'})
changed: [152.111.26.84] => (item={'key': 'MaxFileSec', 'value': '1day'})
changed: [152.111.26.84] => (item={'key': 'SystemMaxUse', 'value': '100M'})
changed: [152.111.26.84] => (item={'key': 'SystemMaxFileSize', 'value': '10M'})
changed: [152.111.26.84] => (item={'key': 'ForwardToSyslog', 'value': 'no'})
TASK [privacy : Disable persistent systemd journal] ***********************************************************************
changed: [152.111.26.84]
TASK [privacy : Create journal configuration for volatile storage only] ***************************************************
changed: [152.111.26.84]
TASK [privacy : Configure rsyslog for minimal logging] ********************************************************************
changed: [152.111.26.84]
TASK [privacy : Set up privacy monitoring script] *************************************************************************
changed: [152.111.26.84]
TASK [privacy : Display privacy configuration summary] ********************************************************************
ok: [152.111.26.84] => {
"msg": [
"Privacy enhancements applied:",
" - Log retention: 7 days",
" - VPN log filtering: True",
" - History clearing: True",
" - Auto cleanup: True",
" - Kernel verbosity reduction: True"
]
}
TASK [privacy : Display privacy enhancements completion] ******************************************************************
ok: [152.111.26.84] => {
"msg": "Privacy enhancements have been successfully applied"
}
TASK [Dump the configuration] *********************************************************************************************
changed: [152.111.26.84 -> localhost]
TASK [MacOS | check fs the ramdisk exists] ********************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [MacOS | unmount and eject the ram disk] *****************************************************************************
ok: [152.111.26.84 -> localhost]
TASK [debug] **************************************************************************************************************
ok: [152.111.26.84] => {
"msg": [
[
"\"# Congratulations! #\"",
"\"# Your Algo server is running. #\"",
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver 172.34.100.1, fe56::c:0c51 #\"",
""
],
" \"# The p12 and SSH keys password for new users is riieC.76l #\"\n",
" ",
" \"# Shell access: ssh -F configs/152.111.26.84/ssh_config simx-algo-vpn #\"\n"
]
}
RUNNING HANDLER [privacy : restart rsyslog] *******************************************************************************
changed: [152.111.26.84]
RUNNING HANDLER [privacy : restart systemd-journald] **********************************************************************
changed: [152.111.26.84]
PLAY RECAP ****************************************************************************************************************
152.111.26.84 : ok=168 changed=94 unreachable=0 failed=0 skipped=126 rescued=0 ignored=0
localhost : ok=49 changed=10 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
Regression on macOS 26.0.1 (Tahoe). Same Algo deploy worked before; after updating, importing the IPsec/IKEv2 .mobileconfig causes a rapid connect/disconnect loop.
still an issue on 26.1
Investigation Update
We investigated this issue but could not reproduce it on macOS Tahoe (26.1) - IPsec connects successfully with the current master branch.
Since you are on macOS Sequoia 15.7.1, there may be a Sequoia-specific issue. There are documented reports of macOS Sonoma (14.x) and Sequoia (15.x) ignoring custom cipher settings in mobileconfig profiles and forcing different defaults, which can cause cipher negotiation failures.
Can you help us debug?
To determine the root cause, we need to see what happens on the server when you try to connect. Could you:
- Enable debug logging on your Algo server:
  ssh -F configs/YOUR_SERVER_IP/ssh_config algo
  sudo sed -i 's/charondebug="ike -1/charondebug="ike 4/' /etc/ipsec.conf
  sudo ipsec restart
- Attempt to connect with the IPsec profile on your Mac
- Capture the logs:
  sudo journalctl -u strongswan-starter --no-pager -n 200 --since "5 minutes ago"
- Share the output here (you can redact IP addresses if desired)
This will show us exactly what cipher suite your macOS is proposing and whether the server is rejecting it.
Background Research
We found several reports of similar issues:
- strongSwan Discussion #1377 - macOS Ventura cipher changes
- Apple Community Thread - IKEv2 profile issues in Sonoma
- hwdsl2/setup-ipsec-vpn #1486 - Sonoma IKEv2 rekey problems
These suggest Sequoia may be forcing DH Group 19 (ECP256) while the server expects Group 20 (ECP384), but we need your logs to confirm.
Happy to help try and debug, I will try to do this later today. However, one question: maybe this could be a Sequoia bug, but then wouldn’t that mean that iOS 18 and iOS 17 should still connect properly? My iPad is end-of-lifed and no longer receiving major updates since iOS 17, and I’m fairly sure the IPsec profiles worked properly before on iOS 17. Although I suppose the latest security update might’ve introduced the bug.
(Also, sellersshrug0y reports this behavior on Tahoe 26.1, but I can’t speak to that. Maybe they can also run through your debugging steps above too.)
So I was getting -- No entries -- from the sudo journalctl -u strongswan-starter --no-pager -n 200 --since "5 minutes ago" command run on the server, even though the shorter sudo journalctl command was showing some logs, so that led me to believe that the IPsec client on macOS was just not even attempting to connect or reaching the VPN server at all for some reason.
On a lark, I connected my Mac to an entirely different Wi-Fi network and then tried the IPsec VPN, and that worked! It was able to connect and maintain a connection perfectly fine. (I don't remember if I did this before filing the bug report in the first place.) Even weirder was that when I changed back to my normal Wi-Fi network, it still continued to work even though I hadn't changed anything. (I had not changed or recreated the VPN server either, I'm still running the same instance as when I had originally filed this bug report.)
So I tried it on my iPad and iPhone devices, and they showed the "Algo will not connect on the current network" message under the main VPN switch in Settings, and I realized that I had added my home Wi-Fi network as one of the networks to exclude the on-demand auto-connect, and that was the Wi-Fi network I was testing on. Huge facepalm. So I was indeed missing something obvious.
However, thinking about this some more, this is still weird. I would have gotten that same message when I initially tested, and I am 100% positive I actually did the test with the IPsec profile on both my iPhone and iPad. On iOS/iPadOS in particular, I don't think there's another way to manually start the VPN other than tapping that main switch in the VPN settings, so I would've had to see that message. I'm also 60% sure I tested with cell service (and Wi-Fi off) only on my iPhone, and that should've worked properly. In addition, is it normal for the "will not connect on the current network" message to not show up on macOS, and just silently fail since the Wi-Fi network is excluded? And why would it suddenly start to work when I switch it back to the normal, excluded network?
Anyway, the IPsec config file seems to be working now on both macOS and iOS, and I'm assigning a 60% chance this is some macOS/iOS user interface/VPN bug and a 40% chance of this just being PEBKAC on my part. Thanks for investigating.
Update with server-side logs from my existing Algo deployment.
Environment:
- Algo server IP: XX.XXX.XXX.XXX (DigitalOcean)
- Algo commit: current master as of 2025-11-30
- macOS client: macOS Tahoe 26.1
- iOS client: iOS 18.x (same behavior on iPhone and iPad)
- WireGuard profiles to the same server work fine on all devices.
- IPsec/IKEv2 profiles fail immediately on:
- macOS 26.1 over home Wi-Fi
- iPhone over the same home Wi-Fi
- iPhone over LTE/cellular (Wi-Fi off)
Server checks:
- strongSwan status
I ran:

```sh
sudo ipsec statusall
```

and got (relevant part):

```
Status of IKE charon daemon (strongSwan 5.9.x, Linux 5.15.0-161-generic, x86_64):
...
Listening IP addresses:
  XX.XXX.XXX.XXX
  10.48.0.1
...
Security Associations (0 up, 0 connecting, 0 rekeying, 0 other)
```
So the daemon is running, but it never reports even "1 connecting" when I try to connect from macOS or iOS.
- strongSwan / charon logs
This image doesn't have systemd/journalctl, so I checked /var/log/syslog instead:

```sh
sudo grep charon /var/log/syslog | tail -n 40
```

The only lines I see are ansible/lineinfile edits around the time Algo installed strongSwan, e.g.:

```
Nov 30 22:15:49 <hostname> python3[3656]: ansible-lineinfile Invoked with dest=/etc/strongswan.d/charon/connmark.conf ...
Nov 30 22:15:59 <hostname> python3[3776]: ansible-lineinfile Invoked with dest=/etc/strongswan.d/charon/openssl.conf ...
```

(etc.)
There are no new charon log entries at all when I:
- click Connect on the IPsec profile on macOS 26.1
- toggle the same IPsec profile on iPhone (both over Wi-Fi and LTE)
- ipsec.conf
For reference, /etc/ipsec.conf looks like a standard Algo config, for example:

```
config setup
    uniqueids=never
    charondebug="ike -1, knl -1, cfg -1, net -1, esp -1, dmn -1, mgr -1"

conn %default
    keyexchange=ikev2
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!
    leftid=XX.XXX.XXX.XXX
    rightsourceip=10.48.0.0/16,2001:db8:4160::/48
    ...
```
Given that:
- WireGuard to the same host works fine
- multiple Apple devices on multiple networks show the same instant-fail behavior
- the IPsec server shows zero IKE_SA attempts in status and logs
it seems like macOS/iOS are either refusing to initiate IKEv2 at all or something in the path is eating UDP 500/4500 before it hits strongSwan.
If you’d like me to capture anything else specific (e.g. tcpdump output on udp/500,4500 while I hit Connect), I can try that with step-by-step instructions.
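A server-side triage script for exactly this split (client never initiating vs. UDP 500/4500 being dropped before strongSwan), added here as an example and not part of the issue, Algo, or strongSwan. It parses the `ipsec statusall` SA line and the charon syslog lines in the form shown above, and when run with `ALGO_LIVE=1` as root also checks charon's sockets, firewall rules for 500/4500, and a short capture on those ports; it assumes an Ubuntu-style /var/log/syslog and that ss, tcpdump and nft/iptables exist on the host.

```shell
#!/bin/sh
# Added triage helper, not part of Algo or strongSwan: separate "the client
# never sent IKE_SA_INIT" from "UDP 500/4500 is dropped before charon".
# Assumptions: Ubuntu-style /var/log/syslog, and ss/tcpdump/nft on the server.

# Print "<up> <connecting>" from `ipsec statusall` output ($1); "0 0" if absent.
sa_counts() {
    line=$(printf '%s\n' "$1" | grep '^Security Associations' || true)
    up=$(printf '%s\n' "$line" | sed -n 's/.*(\([0-9]*\) up.*/\1/p')
    conn=$(printf '%s\n' "$line" | sed -n 's/.*, \([0-9]*\) connecting.*/\1/p')
    echo "${up:-0} ${conn:-0}"
}

# Count charon lines in syslog text ($1) that are daemon activity, not the
# ansible-lineinfile edits of strongswan.d/charon/*.conf seen in the issue.
ike_activity_lines() {
    printf '%s\n' "$1" | grep charon | grep -v ansible-lineinfile | grep -c . || true
}

# Verdict from status output ($1) and syslog text ($2).
verdict() {
    set -- $(sa_counts "$1") "$(ike_activity_lines "$2")"
    if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then echo sa-present
    elif [ "$3" -gt 0 ]; then echo ike-seen-no-sa      # charon logged traffic but no SA
    else echo no-ike-reached-charon                     # look at the wire/firewall
    fi
}

# Live server-side checks (run as root with ALGO_LIVE=1 while the client
# presses Connect): is charon bound to 500/4500, what does the firewall
# say about those ports, and do any IKE packets arrive at all?
live_checks() {
    echo "== charon UDP sockets =="
    ss -lunp | grep -E ':(500|4500) ' || echo "charon is not listening on 500/4500"
    echo "== firewall rules mentioning 500/4500 =="
    { nft list ruleset 2>/dev/null || iptables-save; } | grep -E '(500|4500)' || echo "none"
    echo "== 15s capture on udp 500/4500, press Connect on the client now =="
    timeout 15 tcpdump -ni any 'udp port 500 or udp port 4500' 2>/dev/null | head -n 20
    echo "== verdict =="
    verdict "$(ipsec statusall)" "$(grep charon /var/log/syslog | tail -n 200)"
}

if [ "${ALGO_LIVE:-0}" = "1" ]; then live_checks; fi
```

If the capture shows IKE_SA_INIT packets arriving but the verdict stays `no-ike-reached-charon`, the drop is local (firewall or a socket problem); if nothing arrives on the wire, the client or the path in front of the droplet is the place to look.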
I have the same issue on iOS 26.2, instant-fail. Also same with 26.1.
I did nothing special but run the script on a Hetzner Cloud server
@sellersshrug0y That was exactly the behavior I was seeing. Now for some reason it works for me. Do you have another Wi-Fi network you can test on? Also, are you excluding any networks from the auto-join behavior?
@simX I've tried on my home wifi and on cellular data, and I'm not excluding any networks
I guess I wanted to see if you got the same results on a different Wi-Fi network, not cellular data. It shouldn't make any difference whatsoever, but as this bug seems to be somewhat inconsistent, I was just trying a long shot because for some reason a different Wi-Fi network worked for me. ¯\_(ツ)_/¯