author | Max B <max-b@riseup.net> | 2023-03-02 23:41:16 +0000 |
---|---|---|
committer | Max B <max-b@riseup.net> | 2023-03-02 23:41:16 +0000 |
commit | 72c5268548f75a0d1d06cd4aa84185fa06a649e5 (patch) | |
tree | 3c5c31daee8987e33db9479a6e429f96ffdf1625 | |
parent | e7660f3067eec0ae5201c7be418ccafec370fec7 (diff) | |
parent | 6e28692140c7810a3c6c1c0e9181feacb73bc443 (diff) |
Merge branch 'maxb/add-obfsvpn-bridge' into 'main'
Integrate obfsvpn bridges
See merge request leap/container-platform/lilypad!67
-rw-r--r-- | Vagrantfile | 4 | ||||
-rw-r--r-- | config/roles/bridge/files/50obfsvpn.firewall | 2 | ||||
-rw-r--r-- | config/roles/bridge/handlers/main.yml | 7 | ||||
-rw-r--r-- | config/roles/bridge/tasks/main.yml | 25 | ||||
-rw-r--r-- | config/roles/openvpn/tasks/shapeshifter.yml | 4 | ||||
-rw-r--r-- | config/roles/simplevpn/tasks/main.yml | 2 | ||||
-rw-r--r-- | config/services.bitmask.yml (renamed from config/services.openvpn.yml) | 33 | ||||
-rw-r--r-- | config/services.common.yml | 2 | ||||
-rw-r--r-- | config/services.ooni.yml | 2 | ||||
-rw-r--r-- | hosts-vagrant.yml | 8 | ||||
-rw-r--r-- | hosts.yml | 4 | ||||
-rw-r--r-- | playbooks/init-credentials.yml | 12 | ||||
-rwxr-xr-x | playbooks/scripts/gen-obfs4-state.py (renamed from playbooks/scripts/gen-shapeshifter-state.py) | 5 | ||||
-rw-r--r-- | site.yml | 4 | ||||
-rw-r--r-- | test/test-full/services.yml | 2 |
15 files changed, 96 insertions, 20 deletions
diff --git a/Vagrantfile b/Vagrantfile
index ffd4fbe..4880d19 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -25,4 +25,8 @@ Vagrant.configure(2) do |config|
 m.vm.hostname = "gateway1"
 m.vm.network "private_network", ip: "10.121.20.12", libvirt__dhcp_enabled: false
 end
+ config.vm.define "bridge1" do |m|
+ m.vm.hostname = "bridge1"
+ m.vm.network "private_network", ip: "10.121.20.13", libvirt__dhcp_enabled: false
+ end
 end
diff --git a/config/roles/bridge/files/50obfsvpn.firewall b/config/roles/bridge/files/50obfsvpn.firewall
new file mode 100644
index 0000000..e3f3566
--- /dev/null
+++ b/config/roles/bridge/files/50obfsvpn.firewall
@@ -0,0 +1,2 @@
+allow_port tcp 443
+allow_port udp 443
diff --git a/config/roles/bridge/handlers/main.yml b/config/roles/bridge/handlers/main.yml
new file mode 100644
index 0000000..0d840a5
--- /dev/null
+++ b/config/roles/bridge/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: reload firewall
+ systemd:
+ name: firewall.service
+ state: restarted
+
diff --git a/config/roles/bridge/tasks/main.yml b/config/roles/bridge/tasks/main.yml
new file mode 100644
index 0000000..671da63
--- /dev/null
+++ b/config/roles/bridge/tasks/main.yml
@@ -0,0 +1,25 @@
+# this is a recursive copy
+- name: Install obfs4 state
+ copy:
+ src: "{{ credentials_dir }}/obfs4/"
+ dest: "/opt/obfsvpn/data"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Install firewall config for obfsvpn
+ copy:
+ src: "50obfsvpn.firewall"
+ dest: "/etc/firewall/filter.d/50obfsvpn"
+ notify: "reload firewall"
+
+- name: Make sure obfs4 state file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_state.json"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Make sure obfs4 obfs4_bridgeline.txt file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_cert.txt"
+ owner: docker-obfsvpn
+ mode: 0600
diff --git a/config/roles/openvpn/tasks/shapeshifter.yml b/config/roles/openvpn/tasks/shapeshifter.yml
index 6afdfc9..4feb362 100644
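Review bot: `allow_port udp 443` opens UDP 443 on every bridge, but the obfsvpn service this commit adds in config/services.bitmask.yml runs with `PROTO: "tcp"` and `KCP: "0"`, so nothing in this change listens on UDP 443. Unless KCP mode is planned for these hosts, drop the UDP rule or annotate why it is there, e.g. `# udp 443 is only needed when KCP mode is enabled`, so the exposed ports match what actually listens.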
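Review bot: The handler is named `reload firewall` but uses `state: restarted`, which stops and starts the unit rather than reloading it. If firewall.service supports a reload, `state: reloaded` would match the name and presumably avoid a window with the ruleset torn down; if it does not, rename the handler to `restart firewall` so the `notify:` in tasks/main.yml says what it actually triggers. The trailing empty `+` line at the end of the new file is stray whitespace.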
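Review bot: The last task's name says `obfs4_bridgeline.txt` but its `path:` is `/opt/obfsvpn/data/obfs4_cert.txt`; one of the two is wrong, and a play log that names a file the task never touches will mislead the next operator. Rename it to `Make sure obfs4_cert.txt file ownership is correct` or correct the path, whichever file the container actually reads. The two `file:` fix-up tasks repeat the `owner`/`mode` already given on the recursive copy; if they exist because the copy's mode does not land on the files as expected, a one-line comment saying so would help, and if `mode: 0600` is also applied to the `/opt/obfsvpn/data` directory itself it would leave the owner without traverse permission — worth confirming against a fresh deploy. Writing the modes as `mode: "0600"` also sidesteps the YAML 1.1 octal-as-integer parse.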
--- a/config/roles/openvpn/tasks/shapeshifter.yml
+++ b/config/roles/openvpn/tasks/shapeshifter.yml
@@ -1,7 +1,7 @@
 # this is a recursive copy
-- name: Install shapeshifter state
+- name: Install obfs4 state
 copy:
- src: "{{ credentials_dir }}/shapeshifter/"
+ src: "{{ credentials_dir }}/obfs4/"
 dest: "/srv/leap/shapeshifter-state"
 owner: docker-openvpn
 mode: 0600
diff --git a/config/roles/simplevpn/tasks/main.yml b/config/roles/simplevpn/tasks/main.yml
index 4bfd953..4aaea65 100644
--- a/config/roles/simplevpn/tasks/main.yml
+++ b/config/roles/simplevpn/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: "Generate eip-service.json and provider.json"
 local_action:
 module: simplevpn
- obfs4_state_dir: "{{ credentials_dir }}/shapeshifter"
+ obfs4_state_dir: "{{ credentials_dir }}/obfs4"
 locations: "{{ locations }}"
 domain: "{{ domain_public[0] }}"
 provider_description: "{{ provider_config.description }}"
diff --git a/config/services.openvpn.yml b/config/services.bitmask.yml
index 117273c..8ad547f 100644
--- a/config/services.openvpn.yml
+++ b/config/services.bitmask.yml
@@ -24,7 +24,7 @@ menshen:
 skip_acme: true
 openvpn:
- scheduling_group: openvpn
+ scheduling_group: gateway
 num_instances: all
 monitoring_endpoints:
 - job_name: openvpn
@@ -35,7 +35,7 @@ openvpn:
 scheme: http
 containers:
 - name: openvpn
- image: registry.0xacab.org/leap/container-platform/openvpn:bullseye
+ image: registry.0xacab.org/leap/container-platform/openvpn:main
 ports: [80, 443, 53]
 drop_capabilities: false
 docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
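Review bot: The openvpn container image in the second services.bitmask.yml hunk moves from `openvpn:bullseye` to `openvpn:main`, a mutable branch tag, so each redeploy may pull a different build and nothing in the repository records which one a gateway is running. Pin to an immutable reference — a versioned tag or `image@sha256:<digest>` — so rollbacks and incident reconstruction are possible; the same applies to the `obfsvpn:server-main` image added to this file in the following hunk. If tracking the branch head is intentional for this deployment, a comment above the `image:` line stating that and how the running version is recorded would at least make the trade-off explicit.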
@@ -110,3 +110,32 @@ provider:
 domains:
 - "{{ domain_public[0] }}"
+obfsvpn:
+ scheduling_group: bridge
+ num_instances: all
+ containers:
+ - name: obfsvpn
+ image: registry.0xacab.org/leap/obfsvpn:server-main
+
+ # This is how float handles providing a "command" 🙃
+ args: /opt/obfsvpn/start_obfsvpn.sh
+ ports: [443]
+ drop_capabilities: false
+ docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
+ volumes:
+ - /opt/obfsvpn/data: /opt/obfsvpn/data
+ - /dev/net: /dev/net
+ env:
+ # non-hopping:
+ PROTO: "tcp"
+ KCP: "0"
+ OBFS4_HOST: "0.0.0.0"
+ OPENVPN_HOST: "{{ gateway | default(groups['gateway'][0]) }}"
+ OPENVPN_PORT: "80"
+ HOP_PT: "0"
+ OBFS4_DATA_DIR: /opt/obfsvpn/data
+ OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
+ # necessary for traditional/non-hopping mode
+ OBFS4_PORT: "443"
+ LOGLEVEL: DEBUG
+
diff --git a/config/services.common.yml b/config/services.common.yml
index 95b6051..a79452b 100644
--- a/config/services.common.yml
+++ b/config/services.common.yml
@@ -1,4 +1,4 @@
 ---
 include:
 - ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
diff --git a/config/services.ooni.yml b/config/services.ooni.yml
index eac0148..fc8edea 100644
--- a/config/services.ooni.yml
+++ b/config/services.ooni.yml
@@ -3,7 +3,7 @@
 # before enabling
 include:
 - ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
 prometheus-pushgateway:
 scheduling_group: backend
diff --git a/hosts-vagrant.yml b/hosts-vagrant.yml
index 37a7ffa..11d75ca 100644
--- a/hosts-vagrant.yml
+++ b/hosts-vagrant.yml
@@ -10,12 +10,18 @@ hosts:
 ip: 10.121.20.11
 ip_vpn0: 172.16.1.2
 gateway1:
- groups: [openvpn, vagrant]
+ groups: [gateway, vagrant]
 ansible_host: 10.121.20.12
 ip: 10.121.20.12
 ip_vpn0: 172.16.1.3
 location: Seattle
 egress_ip: 10.121.20.44
+ bridge1:
+ groups: [bridge, vagrant]
+ gateway: gateway1
+ ansible_host: 10.121.20.13
+ ip: 10.121.20.13
+ ip_vpn0: 172.16.1.4
 group_vars:
 vagrant:
 ansible_user: vagrant
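Review bot: `LOGLEVEL: DEBUG` is hard-coded into the obfsvpn service definition, so every bridge deployed from this file runs the client-facing transport at debug verbosity, and the only way to quieten production is to edit the shared service file. Drive it from a host or group variable with a quieter default, e.g. `LOGLEVEL: "{{ obfsvpn_loglevel | default('<quieter level>') }}"` (the placeholder is whatever level the obfsvpn image accepts), so the Vagrant bridge can keep debug output while real bridges do not. Note also that the block ends with an empty `+` line, stray trailing whitespace in the file.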
@@ -18,7 +18,7 @@ hosts:
 ip_vpn0: 172.16.1.2
 gateway1:
 ansible_host: gateway1.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
 ips:
 - 37.218.242.191
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
@@ -30,7 +30,7 @@ hosts:
 location: Amsterdam
 gateway2:
 ansible_host: gateway2.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
 ip_vpn0: 172.16.1.4
 ips:
 - 204.13.164.252
diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 2b24871..516cf6b 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -22,17 +22,17 @@
 local_action: x509_ca ca_subject="{{ x509_ca_subject | default('CN=LEAP Root CA') }}" ca_cert_path="{{ credentials_dir }}/common/api_ca.crt" ca_key_path="{{ credentials_dir }}/common/api_ca.key"
 register: api_ca_should_update
- - name: "Create shapeshifter state directory {{ credentials_dir }}/shapeshifter"
+ - name: "Create obfs4 state directory {{ credentials_dir }}/obfs4"
 file:
- path: "{{ credentials_dir }}/shapeshifter"
+ path: "{{ credentials_dir }}/obfs4"
 state: directory
 # requires python3-pysodium
- - name: "Generate shapeshifter cert and json"
- local_action: shell {{playbook_dir}}/scripts/gen-shapeshifter-state.py {{ credentials_dir }}/shapeshifter
+ - name: "Generate obfs4 cert and json"
+ local_action: shell {{playbook_dir}}/scripts/gen-obfs4-state.py {{ credentials_dir }}/obfs4
- - name: "Encrypt shapeshifter state file"
- local_action: shell ansible-vault encrypt {{ credentials_dir }}/shapeshifter/obfs4_state.json
+ - name: "Encrypt obfs4 state file"
+ local_action: shell ansible-vault encrypt {{ credentials_dir }}/obfs4/obfs4_state.json
 when: "lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE')"
 - name: Include float init-credentials
diff --git a/playbooks/scripts/gen-shapeshifter-state.py b/playbooks/scripts/gen-obfs4-state.py
index 241c780..5d12617 100755
--- a/playbooks/scripts/gen-shapeshifter-state.py
+++ b/playbooks/scripts/gen-obfs4-state.py
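Review bot: Both rewritten `local_action: shell ...` lines in the init-credentials.yml hunk run a single program with two arguments and use no shell features, so `command` does the same job without passing the unquoted `{{ playbook_dir }}` and `{{ credentials_dir }}` through a shell, where a path containing spaces or metacharacters would be split or interpreted; e.g. `local_action: command {{ playbook_dir }}/scripts/gen-obfs4-state.py {{ credentials_dir }}/obfs4`. The `obfs4_state.json` this writes appears to hold the bridge's Curve25519 private key (per the gen-obfs4-state.py docstring in the next hunk) and is vault-encrypted only when `ANSIBLE_VAULT_PASSWORD_FILE` is set, so without it the key sits in cleartext under `{{ credentials_dir }}/obfs4`; a comment above the encrypt task stating that consequence would make the fallback visible to operators. The enclosing play starts before this hunk.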
@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
 """
-Generates the Curve25519 keypair that is needed by the shapeshifter-dispatcher
-server.
+Generates the Curve25519 keypair that is needed by obfs4
 Depends on python3-pysodium package.
 """
@@ -22,7 +21,7 @@ def generate(statedir):
 os.makedirs(statedir)
 except Exception:
 pass
- print("[+] Generating shapeshifter parameters...")
+ print("[+] Generating obfs4 parameters...")
 public, private = pysodium.crypto_box_keypair()
@@ -6,6 +6,10 @@
 - kresd
 - openvpn
+- hosts: bridge
+ roles:
+ - bridge
+
 - hosts: vpnweb
 roles:
 - vpnweb
diff --git a/test/test-full/services.yml b/test/test-full/services.yml
index bad495a..1b9c749 100644
--- a/test/test-full/services.yml
+++ b/test/test-full/services.yml
@@ -1,4 +1,4 @@
 ---
 include:
 - "../../float/services.yml.no-elasticsearch"
- - "../../config/services.openvpn.yml"
+ - "../../config/services.bitmask.yml" |