
Algo VPN stops connecting after a day - An unexpected error occurred. #1178

Closed
xmijo opened this issue Oct 27, 2018 · 51 comments

Comments

@xmijo commented Oct 27, 2018

Algo VPN stops working after a day on macOS Mojave using Vultr as the VPS.

Everything works fine after installing the .mobileconfig and it will work for a day or so. But then later when trying to connect it will just disconnect and a pop-up box appears saying VPN Connection: An unexpected error occurred. This has happened twice now and running ./algo to set up the VPS again fixes it. Note that this behavior does not include my iPhone, where the VPN will still work fine.

Steps to reproduce the behavior:

  1. Use macOS Mojave and Vultr as the VPS. Unsure if this matters, but I never had this problem on High Sierra using DigitalOcean.
  2. Use your Algo VPN for a day or two.
  3. After a day or two, try to connect to Algo VPN as usual and find that it won't connect.

Expected behavior

That it will connect to the Algo VPN.

I'd include the full log but I'm not sure how to retrieve it now. If it is needed I will run ./algo again and set up the VPS instance and then also paste the log here.

@xmijo (Author) commented Oct 29, 2018

Update: phone profile stops working, too.

Let me know if there's any other data to provide.

I'd just go back to DigitalOcean and try there, but I just topped up my balance on Vultr and am hoping it won't go to waste.

@Cauchon commented Oct 30, 2018

Check to see that all of the block lists in your config are formatted like the two examples they give you.

I had this exact issue happen and it ended up being because one of the block lists I added in the config used a different formatting.

@xmijo (Author) commented Oct 30, 2018

Which config and block lists are you referring to? Could you clarify for me, please?

@Cauchon commented Oct 30, 2018

Any custom ad_blocklists you may have added to config.cfg (https://github.com/trailofbits/algo/blob/master/config.cfg)

@xmijo (Author) commented Oct 30, 2018

I didn't add any custom ad blocklists, the only change I did to config.cfg was add the username

edit: so it only contains the default blocklists:

adblock_lists:
 - "http://winhelp2002.mvps.org/hosts.txt"
 - "https://adaway.org/hosts.txt"
 - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
 - "https://hosts-file.net/ad_servers.txt"

which seem to follow the same format, but the spaces between destination IP and host seem to differ. One list seems to use two spaces instead of just one, and another list seems to use a tab as separation instead of a space. This could possibly be causing the issue (although I never had to change anything here before and it has worked fine until now).

I'm going to test using only one list that follows the basic format for one space as a separator. Will report back in a few days to see if it fixes the issue.
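A quick way to check the separator theory above is to parse the lists the way a hosts file is meant to be read: any run of spaces or tabs between the address and the hostnames, with `#` starting a comment. The script below is an added example, not Algo's own list handling; the sample lines are constructed to mix the one-space, two-space and tab separators mentioned, plus one line that is not in hosts format at all.

```python
import ipaddress
import re

# Any run of spaces or tabs separates the address from the hostnames.
FIELD_SEP = re.compile(r"[ \t]+")


def parse_hosts_line(line):
    """Parse one hosts-format line.

    Returns None for blank or comment-only lines, (address, [hostnames]) for
    valid entries, and raises ValueError for lines that are not
    "<IP address><whitespace><hostname>...".
    """
    text = line.split("#", 1)[0].strip()  # drop trailing comments
    if not text:
        return None
    fields = FIELD_SEP.split(text)
    address = ipaddress.ip_address(fields[0])  # ValueError if not an IP
    if len(fields) < 2:
        raise ValueError("no hostname after %s" % address)
    return str(address), fields[1:]


def check_blocklist(text):
    """Split a blocklist into (blocked_domains, bad_lines).

    bad_lines holds (line_number, line, reason) for anything that does not
    parse, so a malformed upstream list can be spotted before deployment.
    """
    domains, bad = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_hosts_line(line)
        except ValueError as exc:
            bad.append((number, line, str(exc)))
            continue
        if parsed is None:
            continue
        _address, names = parsed
        domains.extend(name for name in names if name != "localhost")
    return domains, bad


# Constructed sample: one space, two spaces, a tab, a trailing comment and
# one line that is not in hosts format at all.
SAMPLE_LIST = (
    "# constructed sample, not a real upstream list\n"
    "0.0.0.0 ads.example.com\n"
    "0.0.0.0  tracker.example.net\n"
    "127.0.0.1\tmalware.example.org # trailing comment\n"
    "\n"
    "bogus-line-without-address\n"
)

if __name__ == "__main__":
    found, problems = check_blocklist(SAMPLE_LIST)
    print("blocked:", found)
    for number, line, reason in problems:
        print("line %d rejected (%s): %r" % (number, reason, line))
```

Run it against a downloaded copy of each list (`curl -s URL | python3 -c ...` or by reading the file) and look at the rejected lines; if every list parses cleanly with this tolerant splitter, whitespace is unlikely to be what breaks the resolver.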

@fourtotheside

Same issue here.

Deployed on DigitalOcean.
iPhone 7, iPad, and Macbook Pro.

iPhone will go out first. Other devices may work a bit longer. A reboot (or even forced power cycle) of the server will temporarily fix it.

Nothing other than usernames changed in config.cfg.

@davidemyers (Contributor)

@fourtotheside Are you also seeing a dialog box that says "An unexpected error occurred", and is it on both macOS and iOS?

The next time this happens try running sudo ipsec restart on the server rather than doing a full reboot and see if that helps. Also post the output of journalctl | grep unable | tail -1.

@fourtotheside

@davidemyers Thank you for the quick reply.

The answers are:

  1. I see the "An unexpected error occurred" in iOS only if I have disabled connect on demand and attempt to manually connect. On the relatively rare occasions I have had problems connecting in macOS, there is no explicit error message; the VPN widget in the taskbar just gives up. Also, macOS will sometimes connect even if the iOS clients won't.

  2. sudo ipsec restart worked instantaneously.

  3. journalctl | grep unable | tail -1 returns:

Oct 31 22:56:44 algooct18 ipsec[16474]: 16[IKE] unable to install IPsec policies (SPD) in kernel

A thousand thanks for your help.

@davidemyers (Contributor)

I've never seen that iOS error message before but I pretty much always use Connect On Demand, so maybe that's why.

The message in the log is an error that's been reported before but no one has figured out what causes it or how to avoid it (see #963). My thought is that it's a bug in strongSwan.

@fourtotheside

@davidemyers I was just reading that with interest. I'll stick with sudo ipsec restart for now. Appreciate your work.

@xmijo (Author) commented Nov 1, 2018

To follow up, I can confirm that replacing the default ad-blocklists with just a single correctly-formatted one didn't work. I could no longer connect to my Algo instance after a day or two. It still seems to work on the iPhone for now, but I'm expecting it to stop working there too within perhaps another day.

Here's the macOS pop-up box in all its Mojave Dark Mode glory:
[screenshot: macOS dialog "VPN Connection: An unexpected error occurred."]

I never get this message on iOS, though. It just won't connect there (Connect on Demand is on).

@TC1977 (Contributor) commented Nov 2, 2018

@xmijo I had that error twice, ever, on iOS. It would happen in the middle of the "Connecting.../Disconnecting..." loops that are well described in #963. Further comments on those loops are there.

@fourtotheside commented Nov 2, 2018 via email

@TC1977 (Contributor) commented Nov 2, 2018

@fourtotheside I think that's not a crazy idea at all.

@TC1977 (Contributor) commented Nov 3, 2018

@xmijo @davidemyers I just had "VPN Connection: An unexpected error occurred" show up as a pop-up dialog on my iPhone this evening. As @fourtotheside describes, it was while I was attempting to connect manually, after disabling the "Connect on demand" option. Interestingly, although I was unable to connect to the VPN, either on-demand or manually, it cleared on its own a few minutes later (after leaving McDonald's), and I could connect just fine. And reviewing the logs on the server, I don't see any "unable to install policy, reqid xxx already exists". sudo ip xfrm pol list shows no stale policies. So this time, at least, it was an entirely different problem from #963.

This was in the setting of going to McDonald's and trying to check in so my mobile order could go through. Just in case anyone wants to keep track. 😀

@SmoothJelly456

I'm having a similar issue, receiving the same screenshot as @xmijo posted. This started happening to me immediately after the Mac booted after the upgrade.

The on-demand connection attempted to take place, but there seems to be some kind of loop. I had to stop that and tried to connect manually, but this error occurred: "VPN Connection: An unexpected error occurred". This is on Mojave Version 10.14.

I have an Android phone configured with WireGuard and there were no issues there. I've looked at some relevant issues such as #963, but this appears to be a sporadic problem, although apparently more common since the original issue was made (May 23); it was just re-opened 22 hours ago.

I've tried sudo ipsec restart on the end server but that did not solve the issue. There seems to be a few attempts by @TC1977 in changing the /etc/ipsec.conf file but appears to be a WIP.

So we'll see how things go I guess 😄 probably will try to play around with it tomorrow

@davidemyers (Contributor) commented Nov 3, 2018

I've come up with a "bandage" for this issue that some of you might want to try. It doesn't solve the problem, it just restarts strongSwan immediately whenever the suspect error message is seen in the log. This needs more testing (and more documentation) but I thought it might relieve some of the frustration people are having.

Perform the following steps on your VPN server as root:

Create the file: /usr/local/sbin/watch-ipsec.pl

#!/usr/bin/perl
use strict;
use warnings;

# rsyslog's omprog action pipes every log line to this program on stdin.
# When the strongSwan policy-install failure shows up, restart strongSwan
# through systemctl (not "ipsec restart") and flush stale kernel policies.
while (<>) {
    if (/unable to install IPsec policies/) {
        system('sudo systemctl stop strongswan; sudo ip xfrm policy flush; sudo systemctl start strongswan');
    }
}

Run: chmod 755 /usr/local/sbin/watch-ipsec.pl

Create the file: /etc/sudoers.d/60-syslog

# Let rsyslog's user run the restart commands without a password.
# No arguments are listed, so this permits any ip / systemctl invocation.
syslog ALL = NOPASSWD: /sbin/ip, /bin/systemctl

Run: chmod 440 /etc/sudoers.d/60-syslog

Create the file: /etc/rsyslog.d/60-watch-ipsec.conf

# Load the output module that pipes log messages to an external program.
module(load="omprog")

# Feed every message to the watcher; forceSingleInstance keeps one
# long-lived process instead of spawning a new one per message.
action(type="omprog"
       binary="/usr/local/sbin/watch-ipsec.pl"
       forceSingleInstance="on")

Run: systemctl restart rsyslog

Test with: logger unable to install IPsec policies

EDIT: Changed watch-ipsec.pl to use systemctl instead of ipsec to restart strongSwan so that the IPsec processes don't become children of the rsyslogd process if restarted.
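The same watcher in Python, with one addition a practitioner would want before leaving it unattended: a cooldown, so that if the error reappears while strongSwan is coming back up the restart cannot re-trigger itself in a loop. This is an added example, not part of Algo or of the branch above. The command runner and clock are injectable so the logic can be exercised without touching a real server; the install path /usr/local/sbin/watch-ipsec.py and the 60-second cooldown are assumptions.

```python
#!/usr/bin/env python3
"""rsyslog omprog watcher for strongSwan's "unable to install IPsec policies" error.

rsyslog feeds each log line to this program on stdin (omprog with
forceSingleInstance="on" keeps one long-lived process). Install as
/usr/local/sbin/watch-ipsec.py (assumed path) and point binary= at it.
"""
import re
import subprocess
import sys
import time

PATTERN = re.compile(r"unable to install IPsec policies")

# Restart sequence from the thread, run through sudo from the syslog user.
RESTART_SEQUENCE = (
    ["sudo", "systemctl", "stop", "strongswan"],
    ["sudo", "ip", "xfrm", "policy", "flush"],
    ["sudo", "systemctl", "start", "strongswan"],
)


def run_restart(runner=subprocess.call):
    """Run each step in order; stop at the first failure and report success."""
    for cmd in RESTART_SEQUENCE:
        if runner(cmd) != 0:
            return False
    return True


class Watcher:
    """Feed log lines one at a time; restart strongSwan at most once per cooldown."""

    def __init__(self, cooldown=60.0, runner=subprocess.call, clock=time.monotonic):
        self.cooldown = cooldown   # seconds; assumed value, tune to taste
        self.runner = runner       # callable(list_of_args) -> exit status
        self.clock = clock         # callable() -> seconds (monotonic)
        self.last_restart = None
        self.restarts = 0
        self.suppressed = 0

    def feed(self, line):
        """Return True if this line triggered a restart."""
        if not PATTERN.search(line):
            return False
        now = self.clock()
        if self.last_restart is not None and now - self.last_restart < self.cooldown:
            # Error repeated inside the cooldown: do not restart again,
            # otherwise a restart that logs the same error would loop.
            self.suppressed += 1
            return False
        self.last_restart = now
        self.restarts += 1
        run_restart(self.runner)
        return True


def main(stream=sys.stdin):
    watcher = Watcher()
    for line in stream:
        watcher.feed(line)


if __name__ == "__main__":
    main()
```

With this in place the sudoers rule can be narrowed from bare `/sbin/ip, /bin/systemctl` to exactly the three invocations the watcher runs, for example `syslog ALL = NOPASSWD: /bin/systemctl stop strongswan, /bin/systemctl start strongswan, /sbin/ip xfrm policy flush`, so a compromise of the rsyslog user does not hand out arbitrary service and routing control.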

@fourtotheside

I will test this as soon as my much cruder hourly cron restart fails. One way or another, this kind of logic would seem to make sense at least until this mysterious bug in strongSwan is resolved. If this tests out, think about a pull request.

@TC1977 (Contributor) commented Nov 3, 2018

Dunno if there's a way to merge this discussion with that in #963, and no way to tell if it's even the same problem behind both, but the solution @davidemyers posted should work for that as well.

@SmoothJelly456

In my case, sudo ipsec stop; sudo ip xfrm policy flush; sudo ipsec start does not allow my Mac on Mojave to connect. I've so far been unable to use Algo on the Mac since Mojave (I get this error: #1178 (comment)). Not sure if my issue is related to what everyone else is having or something Mojave specific.

@davidemyers (Contributor)

@SmoothJelly456 Have you rebooted your Mac since the upgrade? I find that sometimes things aren't quite right after a big upgrade and that a reboot can help.

@TC1977 (Contributor) commented Nov 4, 2018

After upgrading to Mojave, my Mac failed to connect with the same "an unexpected error occurred" dialog box. After rebooting, it connected to the VPN just fine. I don't find anything interesting in the logs, just looks like a typical login. I guess the problem is on the Mojave side?

Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Nov 03 22:42:19 ip-172-16-254-163 ipsec[794]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[IKE] local host is behind NAT, sending keep alives
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[IKE] remote host is behind NAT
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[IKE] sending cert request for "CN=redactedalgoip"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 15[NET] sending packet: from 172.16.254.163[500] to xxx.xxx.xxx.xxx[500] (305 bytes)
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 172.16.254.163[4500] (540 bytes)
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 172.16.254.163[4500] (532 bytes)
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] unknown attribute type (25)
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] received cert request for "CN= redactedalgoip"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] received end entity cert "CN=macbookpro"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] looking for peer configs matching 172.16.254.163[redactedalgoip]... xxx.xxx.xxx.xxx[macbookpro]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] selected peer config 'ikev2-pubkey'
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG]   using certificate "CN=macbookpro"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG]   using trusted ca certificate "CN= redactedalgoip"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] checking certificate status of "CN=macbookpro"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] certificate status is not available
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG]   reached self-signed root ca with a path length of 0
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] authentication of 'macbookpro' with ECDSA-384 signature successful
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] peer supports MOBIKE
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] authentication of 'redactedalgoip' (myself) with ECDSA-384 signature successful
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] IKE_SA ikev2-pubkey[32] established between 172.16.254.163[redactedalgoip]... xxx.xxx.xxx.xxx[macbookpro]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] IKE_SA ikev2-pubkey[32] established between 172.16.254.163[redactedalgoip]... xxx.xxx.xxx.xxx[macbookpro]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] sending end entity cert "CN= redactedalgoip"
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] peer requested virtual IP %any
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] assigning new lease to 'macbookpro'
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] assigning virtual IP 10.19.48.3 to peer 'macbookpro'
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] peer requested virtual IP %any6
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[CFG] assigning new lease to 'macbookpro'
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] assigning virtual IP fd9d:bc11:4020::3 to peer 'macbookpro'
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] CHILD_SA ikev2-pubkey{23} established with SPIs ce2c4252_i 06511f8d_o and TS 0.0.0.0/0 ::/0 === 10.19.48.3/32 fd9d:bc11:
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[IKE] CHILD_SA ikev2-pubkey{23} established with SPIs ce2c4252_i 06511f8d_o and TS 0.0.0.0/0 ::/0 === 10.19.48.3/32 fd9d:bc11:
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Nov 03 22:42:19 ip-172-16-254-163 charon[880]: 12[NET] sending packet: from 172.16.254.163[4500] to xxx.xxx.xxx.xxx[4500] (976 bytes)
Nov 03 22:42:32 ip-172-16-254-163 charon[880]: 08[NET] received packet: from xxx.xxx.xxx.xxx[1034] to 172.16.254.163[4500] (128 bytes)
Nov 03 22:42:32 ip-172-16-254-163 charon[880]: 08[ENC] parsed INFORMATIONAL request 2 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Nov 03 22:42:32 ip-172-16-254-163 charon[880]: 08[ENC] generating INFORMATIONAL response 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
Nov 03 22:42:32 ip-172-16-254-163 charon[880]: 08[NET] sending packet: from 172.16.254.163[4500] to xxx.xxx.xxx.xxx[1034] (113 bytes)
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[NET] received packet: from xxx.xxx.xxx.xxx[1034] to 172.16.254.163[4500] (72 bytes)
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[ENC] parsed INFORMATIONAL request 3 [ D ]
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[IKE] received DELETE for IKE_SA ikev2-pubkey[32]
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[IKE] deleting IKE_SA ikev2-pubkey[32] between 172.16.254.163[redactedalgoip]... xxx.xxx.xxx.xxx[macbookpro]
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[IKE] deleting IKE_SA ikev2-pubkey[32] between 172.16.254.163[redactedalgoip]... xxx.xxx.xxx.xxx[macbookpro]
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[IKE] IKE_SA deleted
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[IKE] IKE_SA deleted
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[ENC] generating INFORMATIONAL response 3 [ ]
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[NET] sending packet: from 172.16.254.163[4500] to xxx.xxx.xxx.xxx[1034] (57 bytes)
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[CFG] lease fd9d:bc11:4020::3 by 'macbookpro' went offline
Nov 03 22:42:33 ip-172-16-254-163 charon[880]: 07[CFG] lease 10.19.48.3 by 'macbookpro' went offline

@TC1977 (Contributor) commented Nov 4, 2018

So I just found something weird. If I'm connected to the VPN with one account on the machine (my admin account), that VPN connection stays open, but if I switch accounts (without logging out) the other account isn't logged in. Then if I try to connect, I reliably get the "An unexpected error occurred" dialog box. However! When I check "dnsleaktest.com", or some other website that gives my IP address, it shows my VPN server's IP and not my local IP - indicating that I am in fact connected to the VPN, even though macOS doesn't seem to recognize this.

I have uniqueids=yes configured in /etc/ipsec.conf, and two accounts on the Mac - one for 'everyday' purposes, and an admin account.

@davidemyers (Contributor) commented Nov 8, 2018

I'd appreciate feedback on whether my suggested changes above help avoid reconnection loops. Restarting IPsec thus forcing all clients to reconnect is a little heavy handed, but reconnection loops are frustrating.

If my instructions above are too tedious, I've created a fork of Algo that includes the changes for testing. Get a copy of Algo by running:

 git clone -b watch-ipsec https://github.com/davidemyers/algo.git

Then deploy a new Algo VPN in the usual way.

EDIT: Due to lack of feedback I'm no longer maintaining this fork.

@naveensrinivasan

I tried the solution with sudo ipsec restart in a cron every hour and it seems to cause other problems: charon is already running. Is anyone else running into such issues?

@davidemyers How long have you been running the branch?

I am a little tired of running algo, especially as it gets into this state almost every day.

@TC1977 (Contributor) commented Nov 20, 2018

> I tried the solution with sudo ipsec restart in a cron every hour and it seems to cause other problems: charon is already running. Is anyone else running into such issues?

Yes. This sounds stupid, because it isn't mentioned in the strongswan.org docs, but you shouldn't use sudo ipsec restart. It's a bug with systemd going back to at least 2016. Do this instead:

sudo service strongswan stop
sudo ip xfrm pol flush
sudo service strongswan start

Or as @davidemyers wrote in his script above, sudo systemctl stop strongswan; sudo ip xfrm policy flush; sudo systemctl start strongswan.

> I am a little tired of running algo, especially as it gets into this state almost every day.

I just went on a trip with four devices, and using rekey=yes and reauth=no instead of vice versa like the default, with longer IKE lifetimes in the mobileconfigs, seemed to solve most (but not all) of the problems. Still a work in progress. But yeah, it's really annoying, and I'm hoping that once WireGuard gets better support with Macs/iOS/Windows, the dev team will look into dropping IPsec and strongSwan entirely.

edit: As @davidemyers mentioned, it's a bug with systemd, not Upstart. Either way, doesn't sound like it's getting fixed anytime soon.

@davidemyers (Contributor)

@naveensrinivasan I've been running the log monitoring script on existing VPN servers since before my first post about it. My problem is I don't get reconnection problems very often so to test it I have to fake the log message.

If anyone has been trying my suggested change you might not notice if it works correctly. Actually, that's the whole idea. To see if it has been triggered, search your server logs for the unable to install IPsec policies message (for example, with journalctl | less -punable) and look to see if any such message is followed by messages indicating IPsec was stopped and restarted. I'd like to know if this is working for people before submitting a PR.

@TC1977 Ubuntu no longer uses Upstart, but that bug you linked to says the problem occurs with systemd as well. Also I think Jack has been working towards adding a config.cfg option to skip installing strongSwan so one can deploy a WireGuard-only server.
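To answer "did the error fire, and did a restart follow?" without paging through journalctl by hand, the script below scans journal lines in journalctl's default short format for the policy-install error and reports whether a strongSwan stop followed by a start appears within a short window. It is an added example, not Algo's code. The systemd wording in the constructed sample is assumed (only the unit name is relied on), the 30-second window is an assumption, and since the short format carries no year the parser ignores year rollover.

```python
import re
from datetime import datetime

ERROR_RE = re.compile(r"unable to install IPsec policies")
# Assumed systemd wording; the unit name "strongswan" is the part we rely on.
STOP_RE = re.compile(r"systemd\[\d+\]: Stopp(?:ing|ed) .*strongswan", re.IGNORECASE)
START_RE = re.compile(r"systemd\[\d+\]: Start(?:ing|ed) .*strongswan", re.IGNORECASE)
# journalctl short format: "Mon DD HH:MM:SS host process[pid]: message" (no year)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_journal_line(line):
    """Return (timestamp, message) or None for lines not in short format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # No year in the short format: strptime defaults it to 1900, which keeps
    # ordering inside one log but is wrong across a New Year boundary.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("msg")


def audit_restarts(lines, window_seconds=30):
    """For each policy-install error, report whether stop+start followed.

    Returns one dict per error: its timestamp, whether a strongSwan restart
    was seen inside the window, and the delay in seconds (None if not seen).
    """
    events = [e for e in (parse_journal_line(l) for l in lines) if e]
    report = []
    for index, (ts, msg) in enumerate(events):
        if not ERROR_RE.search(msg):
            continue
        saw_stop, delay = False, None
        for later_ts, later_msg in events[index + 1:]:
            elapsed = (later_ts - ts).total_seconds()
            if elapsed > window_seconds:
                break
            if STOP_RE.search(later_msg):
                saw_stop = True
            elif saw_stop and START_RE.search(later_msg):
                delay = elapsed
                break
        report.append({"at": ts, "restarted": delay is not None, "delay": delay})
    return report


def unhandled_errors(report):
    """Count errors that were not followed by a restart."""
    return sum(1 for entry in report if not entry["restarted"])


# Constructed sample: the first error is followed by a restart, the second is not.
SAMPLE_JOURNAL = """\
Oct 31 22:56:44 algooct18 ipsec[16474]: 16[IKE] unable to install IPsec policies (SPD) in kernel
Oct 31 22:56:44 algooct18 systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Oct 31 22:56:45 algooct18 systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Oct 31 22:56:45 algooct18 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Oct 31 23:10:02 algooct18 charon[17001]: 05[IKE] IKE_SA ikev2-pubkey[3] established
Nov 01 03:14:09 algooct18 ipsec[17001]: 09[IKE] unable to install IPsec policies (SPD) in kernel
Nov 01 03:14:10 algooct18 charon[17001]: 09[IKE] deleting IKE_SA ikev2-pubkey[4]
""".splitlines()

if __name__ == "__main__":
    # On a server, replace SAMPLE_JOURNAL with sys.stdin and run:
    #   journalctl -o short | python3 audit-ipsec.py   (assumed filename)
    report = audit_restarts(SAMPLE_JOURNAL)
    for entry in report:
        print(entry)
    print("errors without a restart:", unhandled_errors(report))
```

An error with no restart inside the window means either the watcher is not wired up (check `systemctl status rsyslog` and the sudoers file) or the error appeared before it was installed.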

@TC1977 (Contributor) commented Nov 20, 2018

@davidemyers Changed the above. Also, I know Jack is working on a WG-only option, but what I'm waiting for are iOS/macOS clients, built-in like IKEv2, so users can just set "Connect on Demand" and have it work reliably. Or, someone figures out how to fix the strongSwan implementation.

@xmijo (Author) commented Nov 20, 2018

Wireguard "Connect on Demand" would indeed be fantastic

@SmoothJelly456

> @SmoothJelly456 Have you rebooted your Mac since the upgrade? I find that sometimes things aren't quite right after a big upgrade and that a reboot can help.

I've rebooted at least a few times now since the upgrade but the issue is still prevalent, I've been (unfortunately) using a separate VPN on my Mac since the Mojave upgrade now.

@ahmadelrouby

I'm getting this on Mojave OS X
[screenshot, 2018-11-27: macOS "VPN Connection" error dialog]

I've been running Algo on my server since this morning; then, after about 12 hours or so, it started giving me this error. To be specific, it was fine at work on my wifi. I went home, tried it out and it was working as well. A few hours later, I tried to manually connect to the VPN and it just couldn't. Just wondering, does manually disabling ON DEMAND cause problems? And what can I do to fix this? @davidemyers Can you please help!

@davidemyers (Contributor)

@ahmadelrouby Did you deploy your Algo server from my branch mentioned above which contains a potential mitigation for this issue?

@ahmadelrouby

@davidemyers I'm doing it now. I also have another question. On DigitalOcean, algo doesn't seem to work unless I manually disable the firewall and flush all iptables rules. I'm pretty sure that this shouldn't be the case, but I don't understand why it doesn't work. All I do is create a new droplet on DO and run the commands for the localhost installation, but it never works unless I disable the firewall.

@ahmadelrouby

@davidemyers and just to elaborate, do you think that the absence of the firewall might be the reason the server fails to connect after some time?

@ahmadelrouby

@davidemyers Alright, so I just did a fresh install of everything from the branch you mentioned above and I tried to connect now, but with no luck. Check this out:

What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Vultr
5. Microsoft Azure
6. Google Compute Engine
7. Scaleway
8. OpenStack (DreamCompute optimised)
9. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
9

TASK [pause] *********************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
N

TASK [pause] *********************************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
N

TASK [pause] *********************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
y

TASK [pause] *********************************************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
N

TASK [pause] *********************************************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
N

TASK [pause] *********************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
N

TASK [pause] *********************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ******************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.1 LTS (Virtualized: kvm)
Created from git fork. Last commit: 80a7391 Add IPsec log watcher
Python 2.7.15rc1
Runtime variables:
algo_provider "local"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "_null"
algo_local_dns "True"
algo_ssh_tunneling "False"
algo_windows "False"
wireguard_enabled "True"
dns_encryption "True"

@davidemyers (Contributor) commented Nov 27, 2018

Rather than a localhost install, try letting Algo set up the server for you. This is the best way to use Algo.

Algo will install its own firewall rules that will not coexist properly with any rules that are present before it is run.

And just to be clear, you cannot use Algo to configure a given system as a VPN server more than once.

(Edited to further clarify the last point.)

@davidemyers (Contributor)

Also, based on some developments in another issue, perhaps avoid using the Ad Blocking option for the time being.

@ahmadelrouby

@davidemyers Just did exactly what you said. I used the server install on DigitalOcean and, after installing it, I used the mobileconfig file to add the profile on Mac OS X. It gave me the exact same error, "The VPN server did not respond". Also, here's the log of what happened.

TASK [Gathering Facts] ****************************************************************************************************************************************************
ok: [localhost]
[pause]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Vultr
5. Microsoft Azure
6. Google Compute Engine
7. Scaleway
8. OpenStack (DreamCompute optimised)
9. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
1

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:
roubys

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
N

TASK [pause] **************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ***********************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Mac OS X 10.14.1
Created from git fork. Last commit: 80a7391 Add IPsec log watcher
Python 2.7.10
Runtime variables:
algo_provider "digitalocean"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "_null"
algo_local_dns "False"
algo_ssh_tunneling "False"
algo_windows "False"
wireguard_enabled "True"
dns_encryption "True"

TASK [Display the invocation environment] *********************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] *******************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ***************************************************************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] ****************************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Install requirements] **************************************************************************************************************************
changed: [localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
(output is hidden):

TASK [cloud-digitalocean : pause] *****************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ***********************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ***********************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about thre regions] ******************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] ****************************************************************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
1. ams3 Amsterdam 3
2. blr1 Bangalore 1
3. fra1 Frankfurt 1
4. lon1 London 1
5. nyc1 New York 1
6. nyc3 New York 3
7. sfo2 San Francisco 2
8. sgp1 Singapore 1
9. tor1 Toronto 1

Enter the number of your desired region
[6]
:
5

TASK [cloud-digitalocean : pause] *****************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] **************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] *************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ****************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] *************************************************************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] **************************************************************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] *******************************************************************************************************************************
changed: [localhost]
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).

TASK [cloud-digitalocean : Delete the new Algo SSH key] *******************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] ****************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *******************************************************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ********************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] ************************************************************************************************************************************
ok: [localhost]

TASK [debug] **************************************************************************************************************************************************************
ok: [localhost] => {
"IP_subject_alt_name": "204.48.29.168"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
Press 'C' to continue the play or 'A' to abort

TASK [A short pause, in order to be sure the instance is ready] ***********************************************************************************************************
ok: [localhost]

PLAY [Configure the server and install required software] *****************************************************************************************************************

TASK [common : Check the system] ******************************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : include_tasks] *********************************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/common/tasks/ubuntu.yml for 204.48.29.168
changed: [204.48.29.168] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] ****************************************************************************************************************************

TASK [common : Ubuntu | Configure defaults] *******************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Gather facts] **********************************************************************************************************************************************
ok: [204.48.29.168]

TASK [common : Install software updates] **********************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Check if reboot is required] *******************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Reboot] ****************************************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Wait until SSH becomes ready...] ***************************************************************************************************************************
ok: [204.48.29.168 -> localhost]

TASK [common : Install unattended-upgrades] *******************************************************************************************************************************
ok: [204.48.29.168]

TASK [common : Configure unattended-upgrades] *****************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Periodic upgrades configured] ******************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Unattended reboots configured] *****************************************************************************************************************************
changed: [204.48.29.168]
changed: [204.48.29.168] => (item={u'regexp': u'^session.*optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [204.48.29.168] => (item={u'regexp': u'^session.*optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] ****************************************************************************************************************************

TASK [common : Loopback for services configured] **************************************************************************************************************************
changed: [204.48.29.168]
ok: [204.48.29.168] => (item=systemd-networkd)
ok: [204.48.29.168] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] **********************************************************************************************************************

RUNNING HANDLER [common : restart systemd-networkd] ***********************************************************************************************************************
changed: [204.48.29.168]

TASK [common : Check apparmor support] ************************************************************************************************************************************
changed: [204.48.29.168]

TASK [common : set_fact] **************************************************************************************************************************************************
ok: [204.48.29.168]

TASK [common : set_fact] **************************************************************************************************************************************************
ok: [204.48.29.168]
ok: [204.48.29.168] => (item=git)
ok: [204.48.29.168] => (item=screen)
changed: [204.48.29.168] => (item=apparmor-utils)
ok: [204.48.29.168] => (item=uuid-runtime)
ok: [204.48.29.168] => (item=coreutils)
changed: [204.48.29.168] => (item=iptables-persistent)
changed: [204.48.29.168] => (item=cgroup-tools)
ok: [204.48.29.168] => (item=openssl)

TASK [common : Install tools] *********************************************************************************************************************************************
ok: [204.48.29.168] => (item=[u'linux-headers-generic', u'linux-headers-4.15.0-38-generic'])

TASK [common : Install headers] *******************************************************************************************************************************************

TASK [common : Generate password for the CA key] **************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [common : Generate p12 export password] ******************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [common : Define facts] **********************************************************************************************************************************************
ok: [204.48.29.168]

TASK [common : set_fact] **************************************************************************************************************************************************
ok: [204.48.29.168]

TASK [common : Set IPv6 support as a fact] ********************************************************************************************************************************
ok: [204.48.29.168]
changed: [204.48.29.168] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [204.48.29.168] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [204.48.29.168] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] *********************************************************************************************************************************************

TASK [dns_encryption : Include tasks for Ubuntu] **************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/dns_encryption/tasks/ubuntu.yml for 204.48.29.168

TASK [dns_encryption : Add the repository] ********************************************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : Install dnscrypt-proxy] ****************************************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : Configure unattended-upgrades] *********************************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] **************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ***********************************************************************************************
ok: [204.48.29.168]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***********************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ***********************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] ************************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : dnscrypt-proxy configured] *************************************************************************************************************************
changed: [204.48.29.168]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ****************************************************************************************************************
ok: [204.48.29.168]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] *****************************************************************************************************************
changed: [204.48.29.168]
changed: [204.48.29.168 -> localhost] => (item=private)
changed: [204.48.29.168 -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] ******************************************************************************************************************

TASK [wireguard : Include tasks for Ubuntu] *******************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/wireguard/tasks/ubuntu.yml for 204.48.29.168

TASK [wireguard : WireGuard repository configured] ************************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : WireGuard installed] ************************************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : WireGuard reload-module-on-update] **********************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : Configure unattended-upgrades] **************************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : set_fact] ***********************************************************************************************************************************************
ok: [204.48.29.168]
changed: [204.48.29.168] => (item=dan)
changed: [204.48.29.168] => (item=jack)
changed: [204.48.29.168] => (item=204.48.29.168)

TASK [wireguard : Generate private keys] **********************************************************************************************************************************
changed: [204.48.29.168] => (item=None)
changed: [204.48.29.168] => (item=None)
changed: [204.48.29.168] => (item=None)

TASK [wireguard : Save private keys] **************************************************************************************************************************************
changed: [204.48.29.168] => (item=dan)
changed: [204.48.29.168] => (item=jack)
changed: [204.48.29.168] => (item=204.48.29.168)

TASK [wireguard : Touch the lock file] ************************************************************************************************************************************
ok: [204.48.29.168] => (item=dan)
ok: [204.48.29.168] => (item=jack)
ok: [204.48.29.168] => (item=204.48.29.168)

TASK [wireguard : Generate public keys] ***********************************************************************************************************************************
changed: [204.48.29.168] => (item=None)
changed: [204.48.29.168] => (item=None)
changed: [204.48.29.168] => (item=None)

TASK [wireguard : Save public keys] ***************************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [wireguard : WireGuard user list updated] ****************************************************************************************************************************

TASK [wireguard : set_fact] ***********************************************************************************************************************************************
ok: [204.48.29.168 -> localhost]
changed: [204.48.29.168 -> localhost] => (item=(0, u'dan'))
changed: [204.48.29.168 -> localhost] => (item=(1, u'jack'))

TASK [wireguard : WireGuard users config generated] ***********************************************************************************************************************
ok: [204.48.29.168 -> localhost] => (item=(0, u'dan'))
ok: [204.48.29.168 -> localhost] => (item=(1, u'jack'))

TASK [wireguard : Generate QR codes] **************************************************************************************************************************************

TASK [wireguard : WireGuard configured] ***********************************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : WireGuard enabled and started] **************************************************************************************************************************
changed: [204.48.29.168]

RUNNING HANDLER [wireguard : restart wireguard] ***************************************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : Include WireGuard role] ***************************************************************************************************************************************
ok: [204.48.29.168 -> localhost] => (item=private)
ok: [204.48.29.168 -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] ******************************************************************************************************************

TASK [wireguard : Include tasks for Ubuntu] *******************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/wireguard/tasks/ubuntu.yml for 204.48.29.168

TASK [wireguard : WireGuard repository configured] ************************************************************************************************************************
ok: [204.48.29.168]

TASK [wireguard : WireGuard installed] ************************************************************************************************************************************
ok: [204.48.29.168]

TASK [wireguard : WireGuard reload-module-on-update] **********************************************************************************************************************
changed: [204.48.29.168]

TASK [wireguard : Configure unattended-upgrades] **************************************************************************************************************************
ok: [204.48.29.168]

TASK [wireguard : set_fact] ***********************************************************************************************************************************************
ok: [204.48.29.168]
ok: [204.48.29.168] => (item=dan)
ok: [204.48.29.168] => (item=jack)
ok: [204.48.29.168] => (item=204.48.29.168)

TASK [wireguard : Generate private keys] **********************************************************************************************************************************
ok: [204.48.29.168] => (item=dan)
ok: [204.48.29.168] => (item=jack)
ok: [204.48.29.168] => (item=204.48.29.168)

TASK [wireguard : Generate public keys] ***********************************************************************************************************************************
ok: [204.48.29.168] => (item=None)
ok: [204.48.29.168] => (item=None)
ok: [204.48.29.168] => (item=None)

TASK [wireguard : Save public keys] ***************************************************************************************************************************************
ok: [204.48.29.168 -> localhost] => (item=dan)
ok: [204.48.29.168 -> localhost] => (item=jack)

TASK [wireguard : WireGuard user list updated] ****************************************************************************************************************************

TASK [wireguard : set_fact] ***********************************************************************************************************************************************
ok: [204.48.29.168 -> localhost]
ok: [204.48.29.168 -> localhost] => (item=(0, u'dan'))
ok: [204.48.29.168 -> localhost] => (item=(1, u'jack'))

TASK [wireguard : WireGuard users config generated] ***********************************************************************************************************************
ok: [204.48.29.168 -> localhost] => (item=(0, u'dan'))
ok: [204.48.29.168 -> localhost] => (item=(1, u'jack'))

TASK [wireguard : Generate QR codes] **************************************************************************************************************************************

TASK [wireguard : WireGuard configured] ***********************************************************************************************************************************
ok: [204.48.29.168]

TASK [wireguard : WireGuard enabled and started] **************************************************************************************************************************
ok: [204.48.29.168]

TASK [vpn : include_tasks] ************************************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/vpn/tasks/ubuntu.yml for 204.48.29.168

TASK [vpn : set_fact] *****************************************************************************************************************************************************
ok: [204.48.29.168]

TASK [vpn : Ubuntu | Install strongSwan] **********************************************************************************************************************************
changed: [204.48.29.168]
changed: [204.48.29.168] => (item=/usr/lib/ipsec/charon)
changed: [204.48.29.168] => (item=/usr/lib/ipsec/lookip)
changed: [204.48.29.168] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ***********************************************************************************************************************
ok: [204.48.29.168] => (item=apparmor)
ok: [204.48.29.168] => (item=strongswan)
ok: [204.48.29.168] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Enable services] *************************************************************************************************************************************

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] **************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : Ubuntu | Install IPsec log watcher script] ********************************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : Ubuntu | Enable IPsec log watcher sudo permissions] ***********************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : Ubuntu | Feed IPsec log watcher program the system logs] ******************************************************************************************************
changed: [204.48.29.168]

TASK [vpn : include_tasks] ************************************************************************************************************************************************
included: /Users/ahmadrefaat/Desktop/Algos/algo/roles/vpn/tasks/iptables.yml for 204.48.29.168
changed: [204.48.29.168] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ******************************************************************************************************************************************
changed: [204.48.29.168] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : Iptables configured] ******************************************************************************************************************************************

TASK [vpn : Ensure that the strongswan user exist] ************************************************************************************************************************
ok: [204.48.29.168]

TASK [vpn : Install strongSwan] *******************************************************************************************************************************************
ok: [204.48.29.168]
changed: [204.48.29.168] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [204.48.29.168] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [204.48.29.168] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Setup the config files from our templates] ********************************************************************************************************************

TASK [vpn : Get loaded plugins] *******************************************************************************************************************************************
changed: [204.48.29.168]
changed: [204.48.29.168] => (item=md4)
changed: [204.48.29.168] => (item=counters)
changed: [204.48.29.168] => (item=updown)
changed: [204.48.29.168] => (item=resolve)
changed: [204.48.29.168] => (item=xcbc)
changed: [204.48.29.168] => (item=agent)
changed: [204.48.29.168] => (item=md5)
changed: [204.48.29.168] => (item=eap-mschapv2)
changed: [204.48.29.168] => (item=mgf1)
changed: [204.48.29.168] => (item=constraints)
changed: [204.48.29.168] => (item=connmark)
changed: [204.48.29.168] => (item=bypass-lan)
changed: [204.48.29.168] => (item=sha1)
changed: [204.48.29.168] => (item=pkcs1)
changed: [204.48.29.168] => (item=gmp)
changed: [204.48.29.168] => (item=dnskey)
changed: [204.48.29.168] => (item=sshkey)
changed: [204.48.29.168] => (item=rc2)
changed: [204.48.29.168] => (item=xauth-generic)
changed: [204.48.29.168] => (item=attr)
changed: [204.48.29.168] => (item=aesni)
changed: [204.48.29.168] => (item=fips-prf)
changed: [204.48.29.168] => (item=revocation)
changed: [204.48.29.168] => (item=nonce)
changed: [204.48.29.168] => (item=kernel-netlink)
changed: [204.48.29.168] => (item=aes)
changed: [204.48.29.168] => (item=pubkey)
changed: [204.48.29.168] => (item=pkcs8)
changed: [204.48.29.168] => (item=sha2)
changed: [204.48.29.168] => (item=stroke)
changed: [204.48.29.168] => (item=hmac)
changed: [204.48.29.168] => (item=openssl)
changed: [204.48.29.168] => (item=random)
changed: [204.48.29.168] => (item=x509)
changed: [204.48.29.168] => (item=pgp)
changed: [204.48.29.168] => (item=socket-default)
changed: [204.48.29.168] => (item=pkcs7)
changed: [204.48.29.168] => (item=pem)
changed: [204.48.29.168] => (item=pkcs12)
changed: [204.48.29.168] => (item=gcm)

TASK [vpn : Set subjectAltName as a fact] *********************************************************************************************************************************
ok: [204.48.29.168 -> localhost]
changed: [204.48.29.168 -> localhost] => (item=ecparams)
changed: [204.48.29.168 -> localhost] => (item=certs)
changed: [204.48.29.168 -> localhost] => (item=crl)
changed: [204.48.29.168 -> localhost] => (item=newcerts)
changed: [204.48.29.168 -> localhost] => (item=private)
changed: [204.48.29.168 -> localhost] => (item=public)
changed: [204.48.29.168 -> localhost] => (item=reqs)

TASK [vpn : Ensure the pki directories exist] *****************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=.rnd)
changed: [204.48.29.168 -> localhost] => (item=private/.rnd)
changed: [204.48.29.168 -> localhost] => (item=index.txt)
changed: [204.48.29.168 -> localhost] => (item=index.txt.attr)
changed: [204.48.29.168 -> localhost] => (item=serial)

TASK [vpn : Ensure the files exist] ***************************************************************************************************************************************

TASK [vpn : Generate the openssl server configs] **************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [vpn : Build the CA pair] ********************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [vpn : Copy the CA certificate] **************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [vpn : Generate the serial number] ***********************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [vpn : Build the server pair] ****************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Build the client's pair] **************************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Create links for the private keys] ****************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Build openssh public keys] ************************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Build the client's p12] ***************************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Copy the p12 certificates] ************************************************************************************************************************************

TASK [vpn : Get active users] *********************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]
changed: [204.48.29.168] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/204.48.29.168/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [204.48.29.168] => (item={u'dest': u'/etc/ipsec.d/certs/204.48.29.168.crt', u'src': u'configs/204.48.29.168/pki/certs/204.48.29.168.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [204.48.29.168] => (item={u'dest': u'/etc/ipsec.d/private/204.48.29.168.key', u'src': u'configs/204.48.29.168/pki/private/204.48.29.168.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Copy the keys to the strongswan directory] ********************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Register p12 PayloadContent] **********************************************************************************************************************************

TASK [vpn : Set facts for mobileconfigs] **********************************************************************************************************************************
ok: [204.48.29.168 -> localhost]
changed: [204.48.29.168] => (item=None)
changed: [204.48.29.168] => (item=None)

TASK [vpn : Build the mobileconfigs] **************************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec config file] ***************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=dan)
changed: [204.48.29.168 -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec secret file] ***************************************************************************************************************************
changed: [204.48.29.168 -> localhost] => (item=configs/204.48.29.168)

TASK [vpn : Restrict permissions for the local private directories] *******************************************************************************************************

TASK [vpn : strongSwan started] *******************************************************************************************************************************************
ok: [204.48.29.168]

RUNNING HANDLER [dns_adblocking : restart apparmor] ***********************************************************************************************************************

RUNNING HANDLER [vpn : restart strongswan] ********************************************************************************************************************************
changed: [204.48.29.168]

RUNNING HANDLER [vpn : daemon-reload] *************************************************************************************************************************************
changed: [204.48.29.168]

RUNNING HANDLER [vpn : restart iptables] **********************************************************************************************************************************
changed: [204.48.29.168]

RUNNING HANDLER [vpn : restart rsyslogd] **********************************************************************************************************************************
changed: [204.48.29.168]

TASK [Delete the CA key] **************************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

TASK [Dump the configuration] *********************************************************************************************************************************************
changed: [204.48.29.168 -> localhost]

@davidemyers
Contributor

@ahmadelrouby Thank you for redeploying per my suggestions, but I'm stumped as to why you can't connect. I just deployed a new server with settings similar to yours and could connect immediately from Mojave. Maybe reboot your Mac?

Algo running on: Ubuntu 18.04.1 LTS
Created from git fork. Last commit: 80a7391 Add IPsec log watcher
Python 2.7.15rc1
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude ""
    algo_local_dns "False"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

BTW, I think all Apple device users will want to use Connect On Demand for Wi-Fi or their devices will just disconnect themselves on their own after a while.

@ahmadelrouby

@davidemyers Okay so I tried the VPN server again when I went to work and it works! Do you think something at home is causing the problem? At home I tried using my wifi and a hotspot from my mobile. Both at home don't work. At work both wifi and cellular hotspot work... I really can't figure out what the problem is, and is there any way I can figure out where the problem is? Whether it's with my computer, network or server?

@SmoothJelly456

Just wanted to follow up on this; after re-installing a brand new version of the latest Algo main branch on a new VPS, I am no longer seeing the issues on macOS Mojave that I had mentioned with regard to the "unexpected error" -- previously I could not even connect to the Algo VPN without getting this error.

Will report back in a few days if I have encountered the error or not.

@norenjr

norenjr commented Jan 11, 2019

Hey, I am having the same issues with the latest macOS and latest Algo. The only fix I've found is a hard reboot of my DigitalOcean droplet.

@inlinecoder

I'm having the same issue once in a while on ALL my devices. Most frequently it happens on iOS. macOS is more resistant to that kind of stuff. For iOS reboot helps in most cases.

@davidemyers
Contributor

With the WireGuard app for iOS working well and the WireGuard app for macOS on the way, we can soon put these annoying IPsec issues behind us.


@inlinecoder

inlinecoder commented Feb 11, 2019

@here
Guys, any progress with this issue? I've deployed a new instance with NO adblock whatsoever and still the same issue occurs after a day or something.

I'd dig into this matter myself, but my experience lies beyond this area, unfortunately.

@norenjr

norenjr commented Feb 11, 2019

The WireGuard app for iOS listed above works flawlessly for me, and it looks like an official macOS app is coming soon as well.

@davidemyers
Contributor

WireGuard for macOS is now available in the Mac App Store. Here's the announcement. It looks like it requires Mojave.

@inlinecoder

inlinecoder commented Feb 17, 2019

Started to use WireGuard on all my devices and ended up with a MUCH worse overall result. I've got a feeling that every few seconds everything just hangs, e.g. no network communication happening. Impossible to browse or use any other application that sends or receives data.

Tested on 2 macOS Mojave 10.14.2 and 4 iOS 12.1.4.
Restarted algo server, of course.
Restarted devices, of course.
Removed profiles, of course, prior to using WireGuard.
Searched for similar issues, but no results found.

That's a disaster. 😩
WAIDW? Does it have something to do with a KEEPALIVE timer? Or maybe it's happening only with using Vultr.com?

@zx2c4

zx2c4 commented Feb 17, 2019

Can you attach your debug log, exported while you're facing trouble?


@inlinecoder

@zx2c4, sorry for the long response, been travelling.

Attached log:
wireguard-log-2019-02-25T224655Z.txt

@norenjr

norenjr commented Feb 28, 2019

Hey, I noticed extremely high data usage on iOS, is this typical? Usually VPN usage bumps data a bit, but this is extreme.

@xmijo xmijo closed this as completed Mar 2, 2019