Getting Started Guide
This guide walks you through setting up your first Cloak for Teams private endpoint. It assumes no prior experience with Ansible.
We will be using a DigitalOcean Ubuntu 16.04 droplet to:
- Install Ansible
- Deploy a private Cloak endpoint using Ansible
- Associate the endpoint with your Cloak for Teams account
Once the droplet is up, install Ansible, which performs the deployment:
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ansible
Ansible uses an INI-format inventory to describe the hosts it manages. By default the inventory file is /etc/ansible/hosts. Add the server on which the Cloak Private Endpoint will be installed, either by editing the file directly or by running the command below with IP_OR_FQDN_HERE and USERNAME replaced (the file is owned by root, so run it as root or with sudo):
sed -i -e "\$a[Cloak]\nIP_OR_FQDN_HERE ansible_ssh_user=USERNAME" /etc/ansible/hosts
Note: ansible_ssh_user still works, but since Ansible 2.0 the preferred name for this variable is ansible_user.
For example, the following is a complete /etc/ansible/hosts file:
[Cloak]
192.168.1.1 ansible_ssh_user=root
If you are deploying the Cloak Private Endpoint on a remote machine, install your SSH public key on it so Ansible can log in. Either use ssh-copy-id (USERNAME and IP_OR_FQDN_HERE are the same placeholders as in the inventory):
ssh-copy-id USERNAME@IP_OR_FQDN_HERE
or append the key to authorized_keys by hand:
cat ~/.ssh/id_rsa.pub | ssh USERNAME@IP_OR_FQDN_HERE "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Note: If you are installing Cloak on the same machine that runs Ansible, you can use localhost as the host.
- Download the latest version of the Cloak Private Endpoint Server
wget https://github.com/getcloak/cloak-server-demo/archive/master.zip
- Unzip and move to the cloak server directory.
unzip master.zip && cd cloak-server-demo-master/
- Navigate to your Cloak Teams account → Manage Private Networks.
- Add a new private network. Your management password cannot be changed, so do not lose it. You will need it to add new networks and approve certificates.
- Create your first endpoint. Endpoints are also referred to as targets.
- If the Cloak Private Endpoint will run on a remote machine, Ansible needs Python on that machine:
sudo apt-get install python
If Ansible and the endpoint share the same machine, Python was already installed as a dependency of Ansible.
- Use Ansible to register your server:
ansible-playbook ansible/register.yaml --private-key=/root/.ssh/id_rsa
Note: --private-key takes the private key (id_rsa), not the .pub file. If your key is in the default location you can omit the flag, as the captured run below does. Registration can only be run once. You will be prompted for your Cloak email address and password and for the identifier of the target this server belongs to (shown in your team dashboard).
root@ansible:~/cloak-server-demo-master# ansible-playbook ansible/register.yaml
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [user] ********************************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [copy] ********************************************************************
changed: [nyc3.cloak.yourdomain.com]
Enter your Cloak email address: [email protected]
Enter your Cloak password:
Enter the target identifier (from your team dashboard): tgt_XXXXXXXXX
Would you like a free letsencrypt certificate for strongSwan (yes/no)? [yes]: yes
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [Initialize .cloak.conf] **************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Save preferences] ********************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Save preferences] ********************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [file] ********************************************************************
changed: [nyc3.cloak.yourdomain.com] => (item=/home/cloak/bin)
changed: [nyc3.cloak.yourdomain.com] => (item=/home/cloak/pki)
changed: [nyc3.cloak.yourdomain.com] => (item=/home/cloak/pki/crls)
TASK [Install python-virtualenv] ***********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Create /home/cloak/venv] *************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Configure /home/cloak/venv] **********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Install cloak-server to /home/cloak/venv] ********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Link cloak-server into /home/cloak/bin] **********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Register this server] ****************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Request a certificate] ***************************************************
changed: [nyc3.cloak.yourdomain.com]
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [Gather server facts] *****************************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [Install letsencrypt] *****************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Enable inbound HTTP] *****************************************************
fatal: [nyc3.cloak.yourdomain.com]: FAILED! => {"changed": true, "cmd": ["/sbin/iptables", "-I", "INPUT", "5", "-p", "tcp", "--dport", "http", "-j", "ACCEPT"], "delta": "0:00:00.018827", "end": "2017-03-20 18:35:44.329885", "failed": true, "rc": 1, "start": "2017-03-20 18:35:44.311058", "stderr": "iptables: Index of insertion too big.", "stdout": "", "stdout_lines": [], "warnings": []}
...ignoring
TASK [Acquire certificate] *****************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [Disable inbound HTTP] ****************************************************
fatal: [nyc3.cloak.yourdomain.com]: FAILED! => {"changed": true, "cmd": ["/sbin/iptables", "-D", "INPUT", "-p", "tcp", "--dport", "http", "-j", "ACCEPT"], "delta": "0:00:00.002310", "end": "2017-03-20 18:35:50.804988", "failed": true, "rc": 1, "start": "2017-03-20 18:35:50.802678", "stderr": "iptables: Bad rule (does a matching rule exist in that chain?).", "stdout": "", "stdout_lines": [], "warnings": []}
...ignoring
PLAY RECAP *********************************************************************
nyc3.cloak.yourdomain.com : ok=21 changed=17 unreachable=0 failed=0
root@ansible:~/cloak-server-demo-master#
Two tasks in this run failed and were ignored. "Enable inbound HTTP" tried to insert an ACCEPT rule at position 5 of the INPUT chain, but on a fresh droplet the chain has fewer rules than that ("Index of insertion too big"); "Disable inbound HTTP" then failed because there was no rule to delete. Since nothing was blocking tcp/80 to begin with, the Let's Encrypt certificate was still acquired, and no extra ACCEPT rule was left behind. If your host does carry a firewall, check the outcome after the run: confirm the "Acquire certificate" task reported changed, and run iptables -S INPUT to make sure no ACCEPT rule for tcp/80 remains.
- You will need to approve the server before deploying. Under Team → Network → Target you will find the approval workflow; it asks for the management password you created earlier.
- Deploy!
ansible-playbook ansible/deploy.yaml --private-key=/root/.ssh/id_rsa
root@ansible:~/cloak-server-demo-master# ansible-playbook ansible/deploy.yaml
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [Gather server information] ***********************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [pki : Upgrade cloak-server] **********************************************
ok: [nyc3.cloak.yourdomain.com]
TASK [pki : Download the PKI (will wait for certificate approval)] *************
changed: [nyc3.cloak.yourdomain.com]
TASK [pki : Initialize CRLs] ***************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [pki : Diffie-Hellman parameters] *****************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [network : Enable IP forwarding] ******************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [network : Set up iptables.rules] *****************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [network : Set up iptables.rules] *****************************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [network : procps] *********************************************
changed: [nyc3.cloak.yourdomain.com]
[WARNING]: Consider using service module rather than running service
RUNNING HANDLER [network : Restore iptables] ***********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [dns : Install unbound] ***************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [dns : Configure unbound] *************************************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [dns : Restart unbound] ****************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [openvpn : Install OpenVPN] ***********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [openvpn : Configure openvpn] *********************************************
changed: [nyc3.cloak.yourdomain.com] => (item={u'proto': u'udp', u'cipher': u'AES-256-CBC', u'port': 443, u'digest': u'SHA256', u'fqdn': u'nyc3.cloak.yourdomain.com'})
TASK [strongswan : Install strongSwan] *****************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Update strongSwan AppArmor config] **************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : strongswan.conf] ********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : ipsec.conf] *************************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : ipsec.secrets] **********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install Cloak private key] **********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install Cloak certificates] *********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install Cloak certificates] *********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install Cloak certificates] *********************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install Cloak CRLs] *****************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install letsencrypt private key] ****************************
changed: [nyc3.cloak.yourdomain.com]
TASK [strongswan : Install letsencrypt certificates] ***************************
changed: [nyc3.cloak.yourdomain.com]
TASK [maintenance : Install cron scripts] **************************************
changed: [nyc3.cloak.yourdomain.com] => (item=/root/cloak-server-demo-master/ansible/roles/maintenance/files/bin/refresh-crls.sh)
changed: [nyc3.cloak.yourdomain.com] => (item=/root/cloak-server-demo-master/ansible/roles/maintenance/files/bin/update-pki.sh)
TASK [maintenance : PKI cron job] **********************************************
changed: [nyc3.cloak.yourdomain.com]
TASK [maintenance : CRL cron job] **********************************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [openvpn : Restart openvpn] ************************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [strongswan : Reload apparmor] *********************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [strongswan : Restart strongswan] ******************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [strongswan : ipsec reload] ************************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [strongswan : ipsec rereadcacerts] *****************************
changed: [nyc3.cloak.yourdomain.com]
RUNNING HANDLER [strongswan : ipsec rereadcrls] ********************************
changed: [nyc3.cloak.yourdomain.com]
PLAY RECAP *********************************************************************
nyc3.cloak.yourdomain.com : ok=37 changed=34 unreachable=0 failed=0
root@ansible:~/cloak-server-demo-master#
The endpoint is now set up, and you can connect to it from your Cloak devices.
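The following check script is an added example and is not part of the getcloak/cloak-server-demo repository or its playbooks. It covers two points from the walkthrough: before registering, the file passed to --private-key must be the private key and must not be readable by other users; after deploy.yaml, the endpoint should have IP forwarding on, be listening on the VPN ports, and not carry a stray tcp/80 ACCEPT rule from the ignored "Enable inbound HTTP" task. OpenVPN on udp/443 comes from the deploy output above; udp/500 and udp/4500 for strongSwan (IKE and NAT traversal) are an assumption about how strongSwan normally listens, as are the availability of ss and iptables on the endpoint. All function and variable names are the example's own.

```shell
#!/bin/sh
# cloak-check.sh: pre-flight and post-deploy checks for the walkthrough above.
# Added example; not part of the getcloak/cloak-server-demo repository.
# Assumptions (not stated on the page): strongSwan listens on udp/500 and
# udp/4500 (IKE and NAT-T), and `ss -lun` / `iptables -S INPUT` exist on the
# endpoint. OpenVPN on udp/443 comes from the deploy output.

# UDP ports the endpoint must listen on after ansible/deploy.yaml.
EXPECTED_UDP_PORTS="443 500 4500"

# check_private_key FILE
# Succeeds only if FILE is the private half of an SSH key pair (what
# --private-key expects), not a .pub file, and is not group/world readable.
check_private_key() {
    key=$1
    [ -f "$key" ] || { echo "no such file: $key" >&2; return 1; }
    case "$key" in
        *.pub) echo "$key is a public key; pass the private key instead" >&2; return 1 ;;
    esac
    head -n 1 "$key" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----' \
        || { echo "$key does not look like a PEM/OpenSSH private key" >&2; return 1; }
    if [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
        echo "$key is group/world readable; run: chmod 600 $key" >&2
        return 1
    fi
    return 0
}

# inventory_has_group FILE GROUP
# Succeeds if the INI inventory FILE contains a [GROUP] header.
inventory_has_group() {
    grep -q "^\[$2\]" "$1"
}

# check_listeners SS_OUTPUT
# SS_OUTPUT is the text of `ss -lun`; succeeds if every port in
# EXPECTED_UDP_PORTS appears as a local listening address.
check_listeners() {
    # The first token on each line that ends in ":<digits>" is the local
    # address; the peer column is "*:*" and the header line has no digits.
    ports=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break }
    }')
    missing=""
    for p in $EXPECTED_UDP_PORTS; do
        printf '%s\n' "$ports" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "not listening on udp port(s):$missing" >&2
    return 1
}

# leftover_http_rule IPTABLES_OUTPUT
# IPTABLES_OUTPUT is the text of `iptables -S INPUT`; succeeds if an ACCEPT
# for tcp/80 is still present, i.e. "Disable inbound HTTP" did not remove
# what "Enable inbound HTTP" inserted.
leftover_http_rule() {
    printf '%s\n' "$1" | grep -qE -- '^-A INPUT .*-p tcp .*--dport (80|http) .*-j ACCEPT'
}

# ip_forwarding_enabled [FILE]
# Succeeds if net.ipv4.ip_forward is 1 (FILE defaults to the sysctl path).
ip_forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# run_live_checks: run the post-deploy checks against this host.
run_live_checks() {
    rc=0
    ip_forwarding_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; rc=1; }
    check_listeners "$(ss -lun 2>/dev/null)" || rc=1
    if leftover_http_rule "$(iptables -S INPUT 2>/dev/null)"; then
        echo "tcp/80 ACCEPT rule left in INPUT; remove it with:" \
             "iptables -D INPUT -p tcp --dport 80 -j ACCEPT" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "endpoint checks passed"
    return "$rc"
}

# Only touch the live system when asked, so the functions can also be
# sourced and exercised against captured output.
if [ "${CLOAK_LIVE_CHECK:-0}" = 1 ]; then
    run_live_checks
fi
```

Source the file on the Ansible machine to run the pre-flight functions (for example `. ./cloak-check.sh; check_private_key /root/.ssh/id_rsa; inventory_has_group /etc/ansible/hosts Cloak`), and run the live checks on the endpoint itself with `CLOAK_LIVE_CHECK=1 sh cloak-check.sh`. The listener and iptables checks take captured text rather than calling the tools directly, so they can also be run against output copied from a host you cannot execute scripts on.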