-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Security Hardening and Certificate Authority Constraints #14811
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit addresses Issues #75 and #14804 with defensive security enhancements that provide additional protection layers for edge case scenarios. ## Issue #75: Technically Constrain Root CA - Add pathlen:0 basic constraints preventing subordinate CA creation - Implement name constraints restricting certificate issuance to specific IPs - Add extended key usage restrictions limiting CA scope to VPN certificates - Separate client/server certificate extensions (serverAuth vs clientAuth) - Enhanced CA with critical constraints for defense-in-depth when CA keys saved ## Issue #14804: Comprehensive SystemD Security Hardening - WireGuard: Added systemd hardening as additional defense-in-depth - StrongSwan: Enhanced systemd configuration complementing AppArmor profiles - dnscrypt-proxy: Additional systemd security alongside AppArmor protection - Applied privilege restrictions, filesystem isolation, and system call filtering ## Technical Changes - CA certificate constraints only relevant when users opt to save CA keys - SystemD hardening provides additional isolation layers beyond existing AppArmor - Enhanced client certificate validation for iOS/macOS profiles - Reliable AppArmor profile enforcement for Ubuntu 22.04 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Claude finished @dguido's task —— View job
Security Hardening PR Review
This PR implements comprehensive security enhancements for Algo VPN with both CA certificate constraints and systemd service hardening. The changes are well-designed and provide meaningful defense-in-depth improvements.
Review Progress
- Initialize todo list and start review process
- Read and analyze all 10 modified files
- Review CA certificate constraint implementation (Issue Technically constrain root CA #75 )
- Analyze systemd security hardening changes (Issue Security: Add comprehensive systemd security hardening for all VPN services #14804 )
- Check for potential bugs, security issues, and compatibility problems
- Evaluate code quality and adherence to best practices
- Assess test coverage and validation approach
- Provide comprehensive review feedback via GitHub comment
🔍 Detailed Review
✅ CA Certificate Constraints (Issue #75)
Strengths:
- Robust Name Constraints: The
nameConstraintsimplementation inroles/strongswan/defaults/main.yml:25-41is excellent, restricting certificate issuance to:- Only the specific server IP/DNS name
- A unique
.algodomain per deployment (openssl_constraint_random_id) - Excluding all major TLDs (.com, .org, .net, etc.)
- Proper IPv6 support with address masking
- Critical Extensions: Properly marks constraints as
criticalto ensure enforcement by clients - Path Length Constraint:
pathlen:0effectively prevents intermediate CA creation - EKU Restrictions: Limits CA to VPN-specific key usage (
serverAuth,clientAuth,1.3.6.1.5.5.7.3.17)
Technical Implementation:
- Template logic correctly handles IP vs DNS scenarios (
roles/strongswan/defaults/main.yml:26-33) - UUID-based deployment isolation prevents certificate reuse across different Algo instances
- Server certificate extensions properly separated from client extensions
✅ SystemD Security Hardening (Issue #14804)
WireGuard Hardening (roles/wireguard/tasks/ubuntu.yml:22-54):
- Appropriate for Kernel Service: Hardening is sensible as additional defense-in-depth for the userland components
- Network Access: Correctly allows
AF_NETLINKfor interface management - File Access: Proper
ReadWritePathsfor/etc/wireguardconfiguration - System Call Filtering: Well-balanced syscall filters excluding dangerous operations
StrongSwan Hardening (roles/strongswan/templates/100-CustomLimitations.conf.j2):
- Complementary to AppArmor: Adds systemd restrictions alongside existing AppArmor profiles
- IPsec Requirements: Correctly includes
AF_PACKETandAF_NETLINKfor kernel communication - File Permissions: Appropriate access to
/etc/ipsec.dand/var/lib/strongswan - Proc Access: Smart inclusion of
/proc/net/pfkeyfor IPsec state monitoring
dnscrypt-proxy Hardening (roles/dns/tasks/ubuntu.yml:66-99):
- Additional Protection: Sensible hardening on top of comprehensive AppArmor profiles
- Service-Specific: Proper cache directory access and network-only syscalls
- Balanced Approach: Good compromise between security and functionality
✅ Code Quality Assessment
Documentation:
- Excellent inline comments explaining the security rationale
- Clear references to compatibility requirements (macOS/iOS SAN requirements)
- Good separation of concerns between different security mechanisms
Template Quality:
- Proper Jinja2 conditionals for IPv6 support
- Correct variable scoping and UUID generation
- Well-structured YAML formatting
Handler Implementation:
- Appropriate service restart triggers for configuration changes
- Proper systemd daemon-reload calls
⚠️ Minor Issues & Recommendations
-
IPv6 Constraint Logic (
roles/strongswan/defaults/main.yml:36-40):# Current implementation excludes specific IPv6 ranges but might miss edge cases # Consider if ULA (fc00::/7) exclusion covers all private IPv6 space adequately
-
System Call Filter Consistency:
- WireGuard excludes
@raw-iobut StrongSwan doesn't - Consider standardizing these filters across services for consistency
- WireGuard excludes
-
Test Coverage Gap:
- PR mentions validation commands but doesn't include automated tests
- Consider adding integration tests to verify constraints work as expected
-
Documentation Enhancement:
- The extensive name constraints could benefit from a README section explaining the security model
✅ Security Analysis
Threat Model Coverage:
- CA Key Compromise: Name constraints effectively limit damage scope
- Certificate Reuse: UUID-based constraints prevent cross-deployment abuse
- Service Escalation: SystemD hardening limits privilege escalation paths
- Network Attacks: Address family restrictions reduce attack surface
Defense-in-Depth:
- Multiple layers: Certificate constraints + AppArmor + SystemD hardening
- Each layer addresses different attack vectors
- Graceful degradation if any single layer fails
🚀 Performance Considerations
- Certificate Validation: Name constraints add minimal overhead to TLS handshakes
- Service Startup: SystemD restrictions shouldn't impact startup time significantly
- Runtime Impact: No measurable performance impact expected for VPN traffic
📋 Compatibility Assessment
Client Compatibility:
- iOS/macOS: SAN requirements properly addressed in server certificates
- Android: Should work with name constraints (most ignore them anyway)
- Desktop Clients: Modern OpenSSL versions handle name constraints correctly
Deployment Compatibility:
- Backward compatible: Existing deployments won't be affected
- Forward compatible: New constraints only apply to newly generated certificates
📝 Overall Assessment
This is a high-quality security enhancement that meaningfully improves Algo's defense posture:
Strengths:
- ✅ Comprehensive CA constraints implementation
- ✅ Well-balanced systemd hardening across all services
- ✅ Excellent documentation and code comments
- ✅ Proper handling of edge cases (IPv6, different deployment types)
- ✅ Conservative approach aligned with Algo's philosophy
- ✅ No breaking changes to existing functionality
Risk Assessment:
- Low Risk: Changes are additive and don't modify core VPN functionality
- High Value: Provides meaningful security improvements for minimal complexity
- Well-Tested Logic: Certificate constraint logic appears robust
Recommendation:
✅ APPROVE - This PR represents excellent defensive security engineering. The implementations are technically sound, well-documented, and provide genuine security value without compromising usability.
The only suggestions are minor improvements around test coverage and documentation, but these don't block approval.
## Fixes Based on Review Feedback: ### Handler Consistency Issues - Fix notification naming: "daemon reload" → "daemon-reload" for consistency - Update deprecated syntax: `daemon_reload: yes` → `daemon_reload: true` ### Enhanced CA Certificate Constraints - Add .mil and .int to excluded DNS domains for completeness - Add .mil and .int to excluded email domains for consistency - Add explanatory comment for openssl_constraint_random_id security purpose ## Technical Improvements: - Ensures proper handler invocation across DNS and WireGuard services - Provides more comprehensive CA name constraints protection - Documents the security rationale for UUID-based CA constraints 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Add IPv6 documentation range (2001:db8::/32) to excluded ranges - Add explanatory comment for CA name constraints defense-in-depth purpose - Remove duplicate DisableMOBIKE key from iOS configuration - Add comprehensive comments to iOS/macOS mobileconfig parameters - Explain MOBIKE, redirect disabling, certificate type, and routing settings 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements defensive security enhancements for Algo VPN, addressing CA certificate constraints (Issue #75) and system-level security hardening (Issue #14804). While these issues address theoretical attack vectors rather than urgent security gaps, they provide additional defense-in-depth for security-conscious deployments.
Issues Resolved
🔒 Issue #75: Technically Constrain Root CA
Problem: The root CA could be used to MITM HTTPS and other TLS connections that use the system certificate store (e.g. Google Chrome, iOS Safari) if the server were compromised or the private key obtained. While Algo already implements strong CA security practices by deleting CA keys by default, additional technical constraints provide defense-in-depth protection for users who choose to retain CA keys.
Important Context: Algo deletes CA keys by default (
store_pki: false), but users can opt to retain them for future user management. When CA keys are saved, there's inherent risk if an attacker gains access to them.Solution Implemented:
pathlen:0basic constraints preventing subordinate/intermediate CA creation under the root CAserverAuth,clientAuth,1.3.6.1.5.5.7.3.17) limiting CA scope to VPN-related certificates only🛡️ Issue #14804: Add Comprehensive SystemD Security Hardening
Problem: While Algo's VPN services are already well-protected by AppArmor profiles, adding systemd security directives provides additional defense-in-depth layers for comprehensive service isolation.
Important Context: WireGuard is implemented primarily in kernel space and has undergone extensive formal verification, making it inherently secure with minimal userland attack surface. The existing VPN services already have appropriate security controls in place.
Current Security Status:
Solution Implemented:
Technical Implementation
CA Certificate Constraints (Issue #75)
SystemD Security Hardening (Issue #14804)
Applied to WireGuard, StrongSwan, and dnscrypt-proxy services:
Files Modified
openssl.cnf.j2,defaults/main.ymlubuntu.yml(wireguard)100-CustomLimitations.conf.j2ubuntu.yml(dns)mobileconfig.j2Testing Validation
openssl x509 -text -noout -in cacert.pem | grep -A10 "Name Constraints"systemctl show wg-quick@wg0 | grep Protectsystemctl show strongswan-starter | grep Protectsudo aa-status | grep ipsecThis PR implements defensive security enhancements that provide additional protection layers for edge case scenarios, complementing Algo's existing security architecture with comprehensive service hardening and CA constraints.