
AlgoVPN install failing with "Failed to connect to the host via ssh" #1651

Closed
@radame2

Hi folks. Thanks in advance for any assistance.

I'm attempting to install AlgoVPN on my DigitalOcean droplet. Ubuntu 18.04, 2 GB RAM, 50 GB disk. I've done the following successfully:

  1. git clone https://github.com/trailofbits/algo
  2. cd algo
  3. python3 -m virtualenv --python=/usr/bin/python3 .env
  4. source .env/bin/activate
  5. python3 -m pip install -U pip virtualenv
  6. python3 -m pip install -r requirements.txt

Full output of ./algo script is below.

I believe the install may be failing at cloud-post.yml. Specifically,

=======

- name: Wait until SSH becomes ready...
  wait_for:
    port: 22
    host: "{{ cloud_instance_ip }}"
    search_regex: "OpenSSH"
    delay: 10
    timeout: 320
    state: present
  when: cloud_instance_ip != "localhost"

=======

For the SSH validation, is the algo install script just pinging port 22 and looking for "OpenSSH"? Something more? For SSH I'm only allowing public key authentication and I think that may be killing the install. Want to confirm. Thank you.

~/algo$ ./algo
[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] ***************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] *******************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ***********************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}

TASK [Ensure the requirements installed] ***************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] **********************************************************************************
ok: [localhost] => (item=ansible==2.8.3)

TASK [Verify Python meets Algo VPN requirements] *******************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ******************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}

PLAY [Ask user for the input] **************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Install to existing Ubuntu 18.04

Enter the number of your desired provider
:
1
TASK [Cloud prompt] ************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:
a.b.c.d
TASK [VPN server name prompt] **************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
n
TASK [Cellular On Demand prompt] ***********************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
n
TASK [Wi-Fi On Demand prompt] **************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
n
TASK [Retain the PKI prompt] ***************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
n
TASK [DNS adblocking prompt] ***************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
n
TASK [SSH tunneling prompt] ****************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************************************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.3 LTS (Virtualized: kvm)
Created from git fork. Last commit: d72f3b5 Update Windows documentation (#1640)
Python 3.6.9
Runtime variables:
algo_provider "digitalocean"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "X251bGw="
algo_dns_adblocking "False"
algo_ssh_tunneling "False"
wireguard_enabled "True"
dns_encryption "True"

TASK [Display the invocation environment] **************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] ************************************************************************************************
ok: [localhost -> localhost]

TASK [Generate the SSH private key] ********************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************************************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] ****************************************************************************************
ok: [localhost -> localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
(output is hidden):

TASK [cloud-digitalocean : pause] **********************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ****************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ****************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about the regions] ************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] *********************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
1. ams3 Amsterdam 3
2. blr1 Bangalore 1
3. fra1 Frankfurt 1
4. lon1 London 1
5. nyc1 New York 1
6. nyc3 New York 3
7. sfo2 San Francisco 2
8. sgp1 Singapore 1
9. tor1 Toronto 1

Enter the number of your desired region
[6]
:

TASK [cloud-digitalocean : pause] **********************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] *******************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : set_fact] *******************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ********************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************************************************************
ok: [localhost]

TASK [Linux | set OS specific facts] *******************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ***********************************************************************************************
ok: [localhost]

TASK [Update config paths] *****************************************************************************************************
changed: [localhost]

TASK [debug] *******************************************************************************************************************
ok: [localhost] => {
"IP_subject_alt_name": "a.b.c.d"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ****************************************************************
ok: [localhost]

PLAY [Configure the server and install required software]

TASK [common : Check the system] ***********************************************************************************************
fatal: [a.b.c.d]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'a.b.c.d' (ECDSA) to the list of known hosts.\r\[email protected]: Permission denied (publickey).", "unreachable": true}

PLAY RECAP *********************************************************************************************************************
a.b.c.d : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
localhost : ok=42 changed=4 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
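
Added example, not part of the original issue or of Algo's code: a `wait_for` task with `port` and `search_regex` only connects over TCP and matches the text the server sends first, so it can report `ok` while the later SSH login is still rejected, which is the pattern in the log above. The sketch emulates that banner check against a constructed local stand-in server and classifies the `UNREACHABLE` message; the function names and the sample banner are assumptions made for illustration.

```python
import re
import socket
import threading

def banner_matches(host, port, pattern, timeout=5.0):
    """Emulate a wait_for port + search_regex check: connect over TCP, read
    what the server sends first, regex-match it. No SSH authentication."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256)
    except OSError:  # refused, timed out, unreachable
        return False
    return re.search(pattern.encode(), data) is not None

def classify_unreachable(msg):
    """Sort an Ansible UNREACHABLE message into auth vs. transport failure."""
    if re.search(r"Permission denied \([\w,-]+\)", msg):
        return "auth"  # sshd answered but rejected every offered credential
    if re.search(r"Connection (refused|timed out)|No route to host", msg):
        return "transport"  # nothing usable is listening on the port
    return "unknown"

def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"):
    """Constructed stand-in server: sends an SSH identification string
    (sample value) and hangs up. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    # Shortened from the UNREACHABLE message in the log above.
    msg = "Failed to connect to the host via ssh: Permission denied (publickey)."
    ready = banner_matches("127.0.0.1", start_fake_sshd(), "OpenSSH")
    return ready, classify_unreachable(msg)

if __name__ == "__main__":
    print(demo())
```

A result of `(True, "auth")` means the port check passed and the failure lies in key-based authentication, so the thing to verify is which public key is installed for the login user on the target host.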
