authorMicah Anderson <micah@riseup.net>2022-01-18 15:26:49 -0500
committerMicah Anderson <micah@riseup.net>2022-01-18 15:26:49 -0500
commit683895a3b8b3870d4a2b8cd366029dd690d650ec (patch)
treed9200e9b6e8fa298f419772e86311047a1226a8b
parentf83a8cb436ea86f79d4f0d3fe3007c6149b35ba8 (diff)
Switch to using 'ips', which is required by upstream float
-rw-r--r--config/roles/openvpn/templates/50openvpn.firewall.j28
-rw-r--r--config/roles/openvpn/templates/50openvpn_nat.firewall.j216
-rw-r--r--config/services.openvpn.yml2
-rw-r--r--hosts.yml23
4 files changed, 27 insertions, 22 deletions
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index 6281f65..4e66c92 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -1,11 +1,11 @@
# Allow incoming connections to ipv4 port 80 for both udp and tcp
-add_rule4 -A user-input -p tcp -m tcp -d {{ ip }} --dport 80 -j ACCEPT
-add_rule4 -A user-input -p udp -m udp -d {{ ip }} --dport 80 -j ACCEPT
+add_rule4 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
+add_rule4 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# Allow incoming connections to ipv6 port 80 for both udp and tcp
-add_rule6 -A user-input -p tcp -m tcp -d {{ ip6 }} --dport 80 -j ACCEPT
-add_rule6 -A user-input -p udp -m udp -d {{ ip6 }} --dport 80 -j ACCEPT
+add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
+add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
{% endif %}
# let ipv4 tcp vpn hosts reach the internet
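Review bot: The `first` in the added ACCEPT lines silently picks whichever address happens to be listed first in `ips`, so on a host with several IPv4 (or IPv6) addresses only one of them gets the port-80 rule and the order of the inventory list becomes security-significant, yet neither this template nor hosts.yml states that convention. The IPv6 branch is also still gated only on `openvpn_tcp_network6`; a host with that variable set but no IPv6 entry in `ips` presumably fails at render time (`first` of an empty list), which is better than an open rule but worth making explicit. I would evaluate the selector once and document it at the top, e.g. `{# the first IPv4/IPv6 entry of 'ips' is the public listener address #}` followed by `{% set ip4 = ips | ansible.netcommon.ipv4 | first %}`, and widen the guard to `{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length and (ips | ansible.netcommon.ipv6 | length) -%}`. Note that `ansible.netcommon.ipv4`/`ipv6` were later relocated in the collection namespace; if the project pins a recent `ansible.netcommon`, confirm the filter name still resolves.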
diff --git a/config/roles/openvpn/templates/50openvpn_nat.firewall.j2 b/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
index 9a5faba..add7726 100644
--- a/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
@@ -2,17 +2,17 @@
add_rule4 -A POSTROUTING -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
add_rule4 -A POSTROUTING -s {{ openvpn_udp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
# Accept connections on ipv4 port 1194, redirecting them to openvpn
-add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
-add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
+add_rule4 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 1194 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
+add_rule4 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 1194 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
# Accept connections on ipv4 port 53, redirecting them to openvpn
-add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
-add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
+add_rule4 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 53 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
+add_rule4 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 53 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# Accept connections on ipv6 port 1194, redirecting them to openvpn
-add_rule6 -A PREROUTING -p tcp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
-add_rule6 -A PREROUTING -p udp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
+add_rule6 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 1194 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
+add_rule6 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 1194 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
# Accept connections on ipv6 port 53, redirecting them to openvpn
-add_rule6 -A PREROUTING -p tcp -d {{ ip6 }} --dport 53 -j DNAT --to-destination [{{ ip6 }}]:80
-add_rule6 -A PREROUTING -p udp -d {{ ip6 }} --dport 53 -j DNAT --to-destination [{{ ip6 }}]:80
+add_rule6 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 53 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
+add_rule6 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 53 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
{% endif %}
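Review bot: Now that the listener addresses live in a list, the leak-prevention invariant documented in hosts.yml ("egress_ip should be distinct from the incoming address") is cheap to enforce, but nothing in this hunk or the inventory does so: the SNAT context lines still take `egress_ip` as given while the DNAT lines take `ips | ... | first`, and a mis-edited host where the two coincide renders without complaint. I would add a pre-task in the role such as `assert: { that: egress_ip not in ips, fail_msg: "egress_ip must not be one of the listener addresses in ips" }` before the template is rendered. Separately, the same `ips | ansible.netcommon.ipv4 | first` expression is repeated eight times here; a single `{% set ip4 = ... %}` / `{% set ip6 = ... %}` at the top keeps the match (`-d`) and the rewrite target (`--to-destination`) guaranteed identical if the selector ever changes.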
diff --git a/config/services.openvpn.yml b/config/services.openvpn.yml
index e55a5a6..a727233 100644
--- a/config/services.openvpn.yml
+++ b/config/services.openvpn.yml
@@ -48,7 +48,7 @@ openvpn:
env:
# Shapeshifter specific environment variables
LHOST: "::"
- RHOST: "{{ ip }}"
+ RHOST: "{{ ips | ansible.netcommon.ipv4 | first }}"
RPORT: '80'
OBFSPORT: '443'
EXTORPORT: '3334'
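Review bot: `RHOST` is now the fourth independent copy of the `ips | ansible.netcommon.ipv4 | first` selector (the two firewall templates carry the others), so a future change to how the public address is chosen can leave the obfuscation proxy forwarding to a different address than the one the firewall and DNAT rules open. I would derive it from one host variable, e.g. a `public_ip4` set once in the openvpn group vars and then `RHOST: "{{ public_ip4 }}"` here, so the three consumers cannot drift. The quoting around the expression is correct and should stay, since an unquoted leading `{{` would be read by YAML as a flow mapping.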
diff --git a/hosts.yml b/hosts.yml
index 30ce68b..067a9de 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -1,22 +1,26 @@
+# NOTE: This is an example hosts.yml, you will need to edit to fit your needs
hosts:
floatapp1:
- ansible_host: 37.218.241.84
+ ansible_host: floatapp1.float.bitmask.net
groups: [backend]
- ip: 37.218.241.84
+ ips:
+ - 37.218.241.84
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
# value for each host
ip_vpn0: 172.16.1.1
floatrp1:
- ansible_host: 37.218.241.85
+ ansible_host: floatrp1.float.bitmask.net
groups: [frontend]
- ip: 37.218.241.85
+ ips:
+ - 37.218.241.85
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
# value for each host
ip_vpn0: 172.16.1.2
gateway1:
- ansible_host: 37.218.242.191
+ ansible_host: gateway1.float.bitmask.net
groups: [openvpn]
- ip: 37.218.242.191
+ ips:
+ - 37.218.242.191
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
# value for each host
ip_vpn0: 172.16.1.3
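Review bot: Switching `ansible_host` from literal addresses to `*.float.bitmask.net` names moves SSH targeting onto DNS, so control-plane connections now depend on DNS integrity and, presumably, on known_hosts entries keyed by the FQDN rather than the IP; a first run with host key checking enabled will prompt or fail if the existing entries were IP-keyed. Consider keeping the address in `ansible_host` (the `ips` list already carries the name-independent value) or pinning host keys per FQDN in the repo, and say which in the file header. The new header also calls this an example while it holds real routable addresses and hostnames; an example should use RFC 5737 documentation ranges, e.g. `ips:` / `  - 192.0.2.10`, so a copied file cannot accidentally point at production.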
@@ -25,13 +29,14 @@ hosts:
egress_ip: 37.218.242.216
location: Amsterdam
gateway2:
- ansible_host: 204.13.164.252
+ ansible_host: gateway2.float.bitmask.net
groups: [openvpn]
ip_vpn0: 172.16.1.4
- ip: 204.13.164.252
+ ips:
+ - 204.13.164.252
# If the gateway has ipv6, assign it an address here. This address will be
# used as the incoming ipv6 address for the gateway.
- ip6: 2620:13:4000:4000:8080::252
+ - 2620:13:4000:4000:8080::252
# Set the egress source address for ipv4. This address should be distinct
# from the 'ip' value above to prevent traffic leaks.
egress_ip: 204.13.164.84
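Review bot: The trailing comment "This address should be distinct from the 'ip' value above" now refers to a key this commit removes, so the leak-prevention note no longer points at anything a reader can find; it should read `# from every address in the 'ips' list above to prevent traffic leaks.` The IPv6 literal added as a bare list item is also worth quoting, `- "2620:13:4000:4000:8080::252"`, since colon-separated plain scalars are the classic YAML 1.1 sexagesimal trap; this particular value appears to parse as a string, but quoting removes the dependence on parser details and matches the advice to quote templated or ambiguous scalars.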