Randomly generated IP address for the local dns resolver #1429

Merged: 8 commits, May 17, 2019

Conversation

@jackivanov (Collaborator) commented May 8, 2019

Description

We need to generate a random service IP for each deployment in order to avoid DNS leaking (see #1422)

Motivation and Context

How Has This Been Tested?

Deployed to EC2 and digitalocean

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • All new and existing tests passed.

@jackivanov jackivanov changed the title Fix 1422 Randomly generated IP address for the local dns resolver May 8, 2019
@rodeodomino (Contributor) left a comment

In the IPv6 firewall rules, would the input rule need a -s, or does this suggestion keep it with the -d? (Or neither, because I barely understand iptables.)

roles/common/templates/rules.v6.j2 (resolved)
@TC1977 (Contributor) commented May 9, 2019

I wonder if we need to change the IP address ranges in https://github.com/trailofbits/algo/blob/master/roles/cloud-ec2/defaults/main.yml and https://github.com/trailofbits/algo/blob/master/roles/cloud-ec2/files/stack.yaml, the ranges documented in https://github.com/trailofbits/algo/blob/master/docs/client-linux-wireguard.md, and the documented DNS workaround in the FAQ.

Also, won't changing the DNS resolver to a random 10.x.x.x IP address introduce the 1/32512 chance that it lands in the 10.19.49.x or 10.19.48.x range and screws with WireGuard or IPsec?
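The collision TC1977 raises is easy to rule out at allocation time by rejecting any draw that overlaps a subnet the server already uses. The following is an added example, not Algo's own allocation code (that lives in the project's Ansible roles and is not shown on this page): the candidate pool, the two reserved ranges, the function names and the choice of a /24 are assumptions taken from the numbers quoted in the thread. The last function computes the exact fraction of candidate /24s that would collide, for the thread's figures.

```python
import ipaddress
import secrets
from fractions import Fraction

# Assumptions (not Algo's values): the candidate space for the local service
# address and the VPN subnets it must not collide with.  The two reserved
# ranges are the IPsec and WireGuard subnets named in the comment above.
POOL = ipaddress.IPv4Network("10.0.0.0/8")
RESERVED = (
    ipaddress.IPv4Network("10.19.48.0/24"),
    ipaddress.IPv4Network("10.19.49.0/24"),
)


def _subnet_at(pool, index, prefix=24):
    """The index-th /prefix subnet of pool, built without enumerating them all."""
    base = int(pool.network_address) + (index << (32 - prefix))
    return ipaddress.IPv4Network((base, prefix))


def random_service_network(pool=POOL, reserved=RESERVED, rng=secrets.randbelow, max_tries=100):
    """Pick a random /24 from pool that overlaps none of the reserved subnets.

    rng(n) must return an int in [0, n).  secrets.randbelow is the default so the
    choice is unpredictable per deployment; tests can inject a fixed sequence.
    """
    count = 1 << (24 - pool.prefixlen)
    for _ in range(max_tries):
        candidate = _subnet_at(pool, rng(count))
        if not any(candidate.overlaps(r) for r in reserved):
            return candidate
    raise RuntimeError("no free /24 found; the reserved set is too large for the pool")


def random_service_ip(network, rng=secrets.randbelow):
    """A usable host address in network, skipping the network and broadcast addresses."""
    hosts = network.num_addresses - 2
    return network[1 + rng(hosts)]


def collision_probability(pool=POOL, reserved=RESERVED):
    """Exact fraction of /24s in pool that overlap at least one reserved subnet."""
    count = 1 << (24 - pool.prefixlen)
    covered = set()
    for r in reserved:
        # A reserved block longer than /24 sits inside one /24; a shorter one spans several.
        blocks = [r.supernet(new_prefix=24)] if r.prefixlen >= 24 else list(r.subnets(new_prefix=24))
        covered.update(b for b in blocks if b.subnet_of(pool))
    return Fraction(len(covered), count)


if __name__ == "__main__":
    net = random_service_network()
    print("service network:", net, "resolver address:", random_service_ip(net))
    print("chance an unchecked draw collides:", collision_probability())
```

Rejecting overlaps with the server's own subnets is the only part of this that can be checked on the server. A randomized address still lands in some /24 of 10.0.0.0/8, and a client whose LAN happens to use that /24 will see the same kind of clash that issue #1422 reports for a fixed address; the randomization makes the clash per-deployment rather than universal, it does not remove it.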

@jackivanov (Collaborator, Author) commented:

@TC1977 EC2 cidr blocks are different from the service IP and used only inside the VPC, so we don't need to change variables, but indeed, we need to update the docs and the faq, I'll do it shortly, thanks!

@TC1977 (Contributor) commented May 10, 2019

Successfully cloud-installed onto Vultr from macOS 10.14.4 with the new random DNS resolver IP, and confirmed that the WireGuard iOS client works:

ok: [173.199.123.37] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 10.229.197.10                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is NyqxmuFb       #\"\n", 
        "    \"#        The CA key password is 4c0d6b38adf6c411e4ddb72588a6d23e       #\"\n", 
        "    \"#      Shell access: ssh -i configs/algo.pem root@173.199.123.37        #\"\n"
    ]
}

Local installation onto a Vultr Ubuntu 18.04 instance was also successful, and the WireGuard iOS client works:

ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 10.61.189.116                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is 0NoB9z77       #\"\n", 
        "    \"#        The CA key password is 5971ff0378de844a11063c08cc169e4e       #\"\n", 
        "    "
    ]
}

@TC1977 mentioned this pull request on May 10, 2019.
@davidemyers commented (this comment has been minimized)

@jackivanov (Collaborator, Author) commented:

@davidemyers I've included the docs, thanks!

@jackivanov jackivanov changed the title Randomly generated IP address for the local dns resolver WIP: Randomly generated IP address for the local dns resolver May 14, 2019
@jackivanov (Collaborator, Author) commented May 14, 2019

I revised the whole method of allocating IPs and made some changes. We need to do more tests. I didn't want to add more requirements, but it seems we have to do that.

@davidemyers (Contributor) commented:

IPv6 appears to be broken in WireGuard. The server-side IPv6 AllowedIPs are wrong:

[Interface]
Address = 10.19.49.1/24 ,fd9d:bc11:4021::1/48
ListenPort = 51820
PrivateKey = 4KVwPJFtlvly172KG+fPjVMg7oW3Rkun85+ffs9fL1g=
SaveConfig = false


[Peer]
# phone
PublicKey = nnU54wNnFrm9B/JuZm7U7owLNcYoTHn/OxcsgOhLP0g=
AllowedIPs = 10.19.49.2/32,fd9d:bc11:4021::1/128

[Peer]
# laptop
PublicKey = 6aDQd5kJjqkqP2cALCRyUJqPLkHsABMGLrDHKCYFGEY=
AllowedIPs = 10.19.49.3/32,fd9d:bc11:4021::2/128

[Peer]
# desktop
PublicKey = bK2drxn7oah4x/OGfhA+L6r0gtGVgUxWatV8CRFQ3EM=
AllowedIPs = 10.19.49.4/32,fd9d:bc11:4021::3/128
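The defect davidemyers shows above (every peer's IPv6 entry shifted down by one, so "phone" is handed the server's own ::1) can be caught before a config is pushed by checking that no peer's AllowedIPs entry covers an interface address and that no entry is claimed by two peers. The following is an added example, not Algo's or WireGuard's code; the sample config is constructed in the shape of the one above with the real keys replaced by placeholders, and the parser reads only the keys the check needs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the server config posted above, with the
# real keys replaced by placeholders.  It reproduces the reported defect: each
# peer's IPv6 entry is shifted down by one, so "phone" gets the server's ::1.
BROKEN_CONFIG = """\
[Interface]
Address = 10.19.49.1/24 ,fd9d:bc11:4021::1/48
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
SaveConfig = false

[Peer]
# phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.19.49.2/32,fd9d:bc11:4021::1/128

[Peer]
# laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.19.49.3/32,fd9d:bc11:4021::2/128
"""

# The same config with the IPv6 entries moved up by one (laptop replaced
# first so the two replacements do not chain): phone -> ::2, laptop -> ::3.
FIXED_CONFIG = BROKEN_CONFIG.replace("::2/128", "::3/128").replace("::1/128", "::2/128")


def parse_wg_config(text):
    """Read the keys this check needs from a wg-quick style config.

    Returns (interface_addresses, peers): the interface addresses as
    ip_interface objects and the peers as dicts with "name" and "allowed"
    (AllowedIPs as network objects).  Algo writes each client's name as a
    comment line under [Peer]; that comment is used as the peer name.
    """
    interface = {"addresses": []}
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {"name": None, "allowed": []}
            peers.append(current)
        elif line.startswith("#"):
            if current is not None and current is not interface and current["name"] is None:
                current["name"] = line.lstrip("#").strip()
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            values = [v.strip() for v in value.split(",") if v.strip()]
            if current is interface and key == "Address":
                interface["addresses"].extend(ipaddress.ip_interface(v) for v in values)
            elif current is not interface and key == "AllowedIPs":
                current["allowed"].extend(ipaddress.ip_network(v, strict=False) for v in values)
    for i, peer in enumerate(peers, 1):
        if peer["name"] is None:
            peer["name"] = f"peer{i}"
    return interface["addresses"], peers


def check_allowed_ips(text):
    """Return a list of (peer, allowed_entry, problem) tuples; an empty list means clean."""
    addresses, peers = parse_wg_config(text)
    findings = []
    owners = defaultdict(list)  # AllowedIPs entry -> names of the peers that claim it
    for peer in peers:
        for net in peer["allowed"]:
            owners[net].append(peer["name"])
            for addr in addresses:
                if addr.ip in net:  # an address-family mismatch simply yields False
                    findings.append((peer["name"], str(net),
                                     f"covers the server's own address {addr.ip}"))
    for net, names in owners.items():
        if len(names) > 1:
            findings.append((", ".join(names), str(net),
                             "claimed by more than one peer; WireGuard routes it to only one"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_allowed_ips(cfg) or "ok")
```

The duplicate check matters because WireGuard keys its routing table on AllowedIPs: an address can belong to one peer at a time, and giving it to a second peer silently moves it. On a running server the same view is available from `wg show <interface> allowed-ips`, which is a quick way to confirm the generated config was applied as intended.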

@davidemyers (Contributor) commented:

This now works for me on DigitalOcean using WireGuard on iOS and Ubuntu Disco Desktop.

@jackivanov jackivanov changed the title WIP: Randomly generated IP address for the local dns resolver Randomly generated IP address for the local dns resolver May 16, 2019
@jackivanov jackivanov merged commit 5904546 into master May 17, 2019
@jackivanov jackivanov deleted the fix-1422 branch May 17, 2019 12:49
jackivanov pushed a commit that referenced this pull request May 20, 2019
* Add ipv6

* Add ipv6

* add ipv6

* add ipv6

* Switching out ipv6 address with local_service_ipv6 variable from #1429

* Fixing variable error
iBringit added a commit to iBringit/algo that referenced this pull request Nov 4, 2020
Linked issue (may be closed by this pull request): DNS leak in Linux/Wireguard when LAN gateway/DNS is 172.16.0.1
4 participants