author | Micah Anderson <micah@riseup.net> | 2022-01-18 15:26:49 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2022-01-18 15:26:49 -0500 |
commit | 683895a3b8b3870d4a2b8cd366029dd690d650ec (patch) | |
tree | d9200e9b6e8fa298f419772e86311047a1226a8b | |
parent | f83a8cb436ea86f79d4f0d3fe3007c6149b35ba8 (diff) |
Switch to using 'ips', which is required by upstream float
-rw-r--r-- | config/roles/openvpn/templates/50openvpn.firewall.j2 | 8 | ||||
-rw-r--r-- | config/roles/openvpn/templates/50openvpn_nat.firewall.j2 | 16 | ||||
-rw-r--r-- | config/services.openvpn.yml | 2 | ||||
-rw-r--r-- | hosts.yml | 23 |
4 files changed, 27 insertions, 22 deletions
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index 6281f65..4e66c92 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -1,11 +1,11 @@
 # Allow incoming connections to ipv4 port 80 for both udp and tcp
-add_rule4 -A user-input -p tcp -m tcp -d {{ ip }} --dport 80 -j ACCEPT
-add_rule4 -A user-input -p udp -m udp -d {{ ip }} --dport 80 -j ACCEPT
+add_rule4 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
+add_rule4 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
 {% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
 # Allow incoming connections to ipv6 port 80 for both udp and tcp
-add_rule6 -A user-input -p tcp -m tcp -d {{ ip6 }} --dport 80 -j ACCEPT
-add_rule6 -A user-input -p udp -m udp -d {{ ip6 }} --dport 80 -j ACCEPT
+add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
+add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
 {% endif %}
 # let ipv4 tcp vpn hosts reach the internet
diff --git a/config/roles/openvpn/templates/50openvpn_nat.firewall.j2 b/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
index 9a5faba..add7726 100644
--- a/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn_nat.firewall.j2
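Review bot: The IPv6 rules are still gated on `openvpn_tcp_network6` alone, while the new `ips | ansible.netcommon.ipv6 | first` additionally requires `ips` to contain at least one IPv6 address; an openvpn host that has the network6 variable set (for instance at group level) but lists only an IPv4 in `ips` hits `first` on an empty list, which under Ansible's default undefined handling presumably aborts the play with a message that does not mention `ips` (fail-closed, but hard to diagnose). Consider tightening the guard to `{% if ips | ansible.netcommon.ipv6 | length and openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}`. The same `| first` dependency applies to the IPv4 rules here, to 50openvpn_nat.firewall.j2 and to `RHOST` in config/services.openvpn.yml: the first IPv4 and first IPv6 entries of `ips` are now the addresses the firewall and the service bind to, so the order of that inventory list is semantically significant and deserves a comment such as `{# the first IPv4 (and IPv6) entry in 'ips' is the address openvpn is reachable on #}`. These templates now also hard-depend on the `ansible.netcommon` collection; if it is not yet declared in the project's collection requirements, it should be.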
@@ -2,17 +2,17 @@ add_rule4 -A POSTROUTING -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
 add_rule4 -A POSTROUTING -s {{ openvpn_udp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
 # Accept connections on ipv4 port 1194, redirecting them to openvpn
-add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
-add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
+add_rule4 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 1194 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
+add_rule4 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 1194 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
 # Accept connections on ipv4 port 53, redirecting them to openvpn
-add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
-add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
+add_rule4 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 53 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
+add_rule4 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 53 -j DNAT --to-destination {{ ips | ansible.netcommon.ipv4 | first }}:80
 {% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
 # Accept connections on ipv6 port 1194, redirecting them to openvpn
-add_rule6 -A PREROUTING -p tcp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
-add_rule6 -A PREROUTING -p udp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
+add_rule6 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 1194 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
+add_rule6 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 1194 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
 # Accept connections on ipv6 port 53, redirecting them to openvpn
-add_rule6 -A PREROUTING -p tcp -d {{ ip6 }} --dport 53 -j DNAT --to-destination [{{ ip6 }}]:80
-add_rule6 -A PREROUTING -p udp -d {{ ip6 }} --dport 53 -j DNAT --to-destination [{{ ip6 }}]:80
+add_rule6 -A PREROUTING -p tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 53 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
+add_rule6 -A PREROUTING -p udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 53 -j DNAT --to-destination [{{ ips | ansible.netcommon.ipv6 | first }}]:80
 {% endif %}
diff --git a/config/services.openvpn.yml b/config/services.openvpn.yml
index e55a5a6..a727233 100644
--- a/config/services.openvpn.yml
+++ b/config/services.openvpn.yml
@@ -48,7 +48,7 @@ openvpn:
 env:
 # Shapeshifter specific environment variables
 LHOST: "::"
- RHOST: "{{ ip }}"
+ RHOST: "{{ ips | ansible.netcommon.ipv4 | first }}"
 RPORT: '80'
 OBFSPORT: '443'
 EXTORPORT: '3334'
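Review bot: The expression `ips | ansible.netcommon.ipv4 | first` (and its ipv6 twin) is now spelled out eight times in this hunk, twice per rule because the DNAT target repeats the match address; a single `{% set ip4 = ips | ansible.netcommon.ipv4 | first %}` near the top of the template, with `{% set ip6 = ips | ansible.netcommon.ipv6 | first %}` placed inside the ipv6 guard, would keep each rule on one readable line and make a future change of the selection rule a one-line edit. The `{% if openvpn_tcp_network6 ... %}` guard has the same gap as in 50openvpn.firewall.j2: it does not check that `ips` actually holds an IPv6 address, so `first` runs on an empty list for an IPv4-only gateway. Line 1 of the template and anything after `{% endif %}` are outside the hunk, so the placement of the `set` lines has to be checked against them.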
@@ -1,22 +1,26 @@
+# NOTE: This is an example hosts.yml, you will need to edit to fit your needs
 hosts:
 floatapp1:
- ansible_host: 37.218.241.84
+ ansible_host: floatapp1.float.bitmask.net
 groups: [backend]
- ip: 37.218.241.84
+ ips:
+ - 37.218.241.84
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
 ip_vpn0: 172.16.1.1
 floatrp1:
- ansible_host: 37.218.241.85
+ ansible_host: floatrp1.float.bitmask.net
 groups: [frontend]
- ip: 37.218.241.85
+ ips:
+ - 37.218.241.85
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
 ip_vpn0: 172.16.1.2
 gateway1:
- ansible_host: 37.218.242.191
+ ansible_host: gateway1.float.bitmask.net
 groups: [openvpn]
- ip: 37.218.242.191
+ ips:
+ - 37.218.242.191
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
 ip_vpn0: 172.16.1.3
@@ -25,13 +29,14 @@ hosts:
 egress_ip: 37.218.242.216
 location: Amsterdam
 gateway2:
- ansible_host: 204.13.164.252
+ ansible_host: gateway2.float.bitmask.net
 groups: [openvpn]
 ip_vpn0: 172.16.1.4
- ip: 204.13.164.252
+ ips:
+ - 204.13.164.252
 # If the gateway has ipv6, assign it an address here. This address will be
 # used as the incoming ipv6 address for the gateway.
- ip6: 2620:13:4000:4000:8080::252
+ - 2620:13:4000:4000:8080::252
 # Set the egress source address for ipv4. This address should be distinct
 # from the 'ip' value above to prevent traffic leaks.
 egress_ip: 204.13.164.84 |
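Review bot: The comment above `egress_ip` in the gateway2 hunk still reads `# from the 'ip' value above to prevent traffic leaks.` although the key it refers to is now the `ips` list; the stale name will mislead the next person editing this inventory, so change it to `# from the addresses listed in 'ips' above to prevent traffic leaks.`. The comment `# If the gateway has ipv6, assign it an address here. ...` now sits between two entries of the same list and reads as if it introduced a separate key; rephrase it to say that an IPv6 address is added as a further entry of `ips`. Since the templates take the first IPv4 and the first IPv6 entry, the new example note at the top of the file (first hunk) should also state that the order of entries in `ips` matters. The `ansible_host` values in both hunks now depend on DNS resolution of the `*.float.bitmask.net` names at play time rather than on literal addresses; presumably intended for an example file, but worth a word in the same note.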