authorMax B <max-b@riseup.net>2023-03-02 23:41:16 +0000
committerMax B <max-b@riseup.net>2023-03-02 23:41:16 +0000
commit72c5268548f75a0d1d06cd4aa84185fa06a649e5 (patch)
tree3c5c31daee8987e33db9479a6e429f96ffdf1625
parente7660f3067eec0ae5201c7be418ccafec370fec7 (diff)
parent6e28692140c7810a3c6c1c0e9181feacb73bc443 (diff)
Merge branch 'maxb/add-obfsvpn-bridge' into 'main'
Integrate obfsvpn bridges See merge request leap/container-platform/lilypad!67
-rw-r--r--Vagrantfile4
-rw-r--r--config/roles/bridge/files/50obfsvpn.firewall2
-rw-r--r--config/roles/bridge/handlers/main.yml7
-rw-r--r--config/roles/bridge/tasks/main.yml25
-rw-r--r--config/roles/openvpn/tasks/shapeshifter.yml4
-rw-r--r--config/roles/simplevpn/tasks/main.yml2
-rw-r--r--config/services.bitmask.yml (renamed from config/services.openvpn.yml)33
-rw-r--r--config/services.common.yml2
-rw-r--r--config/services.ooni.yml2
-rw-r--r--hosts-vagrant.yml8
-rw-r--r--hosts.yml4
-rw-r--r--playbooks/init-credentials.yml12
-rwxr-xr-xplaybooks/scripts/gen-obfs4-state.py (renamed from playbooks/scripts/gen-shapeshifter-state.py)5
-rw-r--r--site.yml4
-rw-r--r--test/test-full/services.yml2
15 files changed, 96 insertions, 20 deletions
diff --git a/Vagrantfile b/Vagrantfile
index ffd4fbe..4880d19 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -25,4 +25,8 @@ Vagrant.configure(2) do |config|
m.vm.hostname = "gateway1"
m.vm.network "private_network", ip: "10.121.20.12", libvirt__dhcp_enabled: false
end
+ config.vm.define "bridge1" do |m|
+ m.vm.hostname = "bridge1"
+ m.vm.network "private_network", ip: "10.121.20.13", libvirt__dhcp_enabled: false
+ end
end
diff --git a/config/roles/bridge/files/50obfsvpn.firewall b/config/roles/bridge/files/50obfsvpn.firewall
new file mode 100644
index 0000000..e3f3566
--- /dev/null
+++ b/config/roles/bridge/files/50obfsvpn.firewall
@@ -0,0 +1,2 @@
+allow_port tcp 443
+allow_port udp 443
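Review bot: `allow_port udp 443` opens a UDP port that nothing in this merge appears to listen on: the obfsvpn service added in services.bitmask.yml sets `PROTO: "tcp"` and `KCP: "0"`, and the container only publishes `ports: [443]`. If UDP is being reserved for a later KCP or hopping mode, say so in the file (`# udp 443 reserved for KCP mode; unused while KCP=0`); otherwise drop the line so the bridge exposes only what it serves. How float consumes this filter fragment is not visible here, so whether the UDP rule is merely dead or actually reachable is inferred.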
diff --git a/config/roles/bridge/handlers/main.yml b/config/roles/bridge/handlers/main.yml
new file mode 100644
index 0000000..0d840a5
--- /dev/null
+++ b/config/roles/bridge/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: reload firewall
+ systemd:
+ name: firewall.service
+ state: restarted
+
diff --git a/config/roles/bridge/tasks/main.yml b/config/roles/bridge/tasks/main.yml
new file mode 100644
index 0000000..671da63
--- /dev/null
+++ b/config/roles/bridge/tasks/main.yml
@@ -0,0 +1,25 @@
+# this is a recursive copy
+- name: Install obfs4 state
+ copy:
+ src: "{{ credentials_dir }}/obfs4/"
+ dest: "/opt/obfsvpn/data"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Install firewall config for obfsvpn
+ copy:
+ src: "50obfsvpn.firewall"
+ dest: "/etc/firewall/filter.d/50obfsvpn"
+ notify: "reload firewall"
+
+- name: Make sure obfs4 state file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_state.json"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Make sure obfs4 obfs4_bridgeline.txt file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_cert.txt"
+ owner: docker-obfsvpn
+ mode: 0600
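Review bot: `mode: 0600` on the three tasks in this file (and again in the shapeshifter.yml hunk) is an unquoted octal; a YAML 1.1 loader reads it as the integer 384 and Ansible then has to reinterpret it, so write `mode: "0600"` everywhere. The task name `Make sure obfs4 obfs4_bridgeline.txt file ownership is correct` does not match the path it touches, `/opt/obfsvpn/data/obfs4_cert.txt`; fix one of them so the play output is not misleading. The first task recursively copies the key directory with `mode` but no `directory_mode`, so if `/opt/obfsvpn/data` is created by this copy its permissions come from the system default rather than a chosen value; add `directory_mode: "0700"` to keep the state directory private. Whether `copy` auto-decrypts the vault-encrypted obfs4_state.json produced by init-credentials.yml when the source is a directory is inferred, not shown here, and is worth confirming on a fresh bridge host.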
diff --git a/config/roles/openvpn/tasks/shapeshifter.yml b/config/roles/openvpn/tasks/shapeshifter.yml
index 6afdfc9..4feb362 100644
--- a/config/roles/openvpn/tasks/shapeshifter.yml
+++ b/config/roles/openvpn/tasks/shapeshifter.yml
@@ -1,7 +1,7 @@
# this is a recursive copy
-- name: Install shapeshifter state
+- name: Install obfs4 state
copy:
- src: "{{ credentials_dir }}/shapeshifter/"
+ src: "{{ credentials_dir }}/obfs4/"
dest: "/srv/leap/shapeshifter-state"
owner: docker-openvpn
mode: 0600
diff --git a/config/roles/simplevpn/tasks/main.yml b/config/roles/simplevpn/tasks/main.yml
index 4bfd953..4aaea65 100644
--- a/config/roles/simplevpn/tasks/main.yml
+++ b/config/roles/simplevpn/tasks/main.yml
@@ -1,7 +1,7 @@
- name: "Generate eip-service.json and provider.json"
local_action:
module: simplevpn
- obfs4_state_dir: "{{ credentials_dir }}/shapeshifter"
+ obfs4_state_dir: "{{ credentials_dir }}/obfs4"
locations: "{{ locations }}"
domain: "{{ domain_public[0] }}"
provider_description: "{{ provider_config.description }}"
diff --git a/config/services.openvpn.yml b/config/services.bitmask.yml
index 117273c..8ad547f 100644
--- a/config/services.openvpn.yml
+++ b/config/services.bitmask.yml
@@ -24,7 +24,7 @@ menshen:
skip_acme: true
openvpn:
- scheduling_group: openvpn
+ scheduling_group: gateway
num_instances: all
monitoring_endpoints:
- job_name: openvpn
@@ -35,7 +35,7 @@ openvpn:
scheme: http
containers:
- name: openvpn
- image: registry.0xacab.org/leap/container-platform/openvpn:bullseye
+ image: registry.0xacab.org/leap/container-platform/openvpn:main
ports: [80, 443, 53]
drop_capabilities: false
docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
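Review bot: `image: registry.0xacab.org/leap/container-platform/openvpn:main` replaces a distribution tag with a mutable branch tag, and the new obfsvpn service in the next hunk does the same with `obfsvpn:server-main`; whatever was last pushed to those branches is what every gateway and bridge runs after the next deploy, and this file no longer records which build that is. Pin a release tag or a digest, e.g. `image: registry.0xacab.org/leap/container-platform/openvpn@sha256:<digest-of-tested-build>` (placeholder), and bump it deliberately with a commit. If float does not re-pull on every run, the consequence is instead that hosts drift apart over time, which is the same traceability problem seen from the other side.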
@@ -110,3 +110,32 @@ provider:
domains:
- "{{ domain_public[0] }}"
+obfsvpn:
+ scheduling_group: bridge
+ num_instances: all
+ containers:
+ - name: obfsvpn
+ image: registry.0xacab.org/leap/obfsvpn:server-main
+
+ # This is how float handles providing a "command" 🙃
+ args: /opt/obfsvpn/start_obfsvpn.sh
+ ports: [443]
+ drop_capabilities: false
+ docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
+ volumes:
+ - /opt/obfsvpn/data: /opt/obfsvpn/data
+ - /dev/net: /dev/net
+ env:
+ # non-hopping:
+ PROTO: "tcp"
+ KCP: "0"
+ OBFS4_HOST: "0.0.0.0"
+ OPENVPN_HOST: "{{ gateway | default(groups['gateway'][0]) }}"
+ OPENVPN_PORT: "80"
+ HOP_PT: "0"
+ OBFS4_DATA_DIR: /opt/obfsvpn/data
+ OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
+ # necessary for traditional/non-hopping mode
+ OBFS4_PORT: "443"
+ LOGLEVEL: DEBUG
+
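Review bot: `LOGLEVEL: DEBUG` ships the bridge with debug logging enabled by default; for a circumvention bridge the debug stream is the most likely place for client addresses or handshake details to end up in the host journal, so set a less verbose level here and raise it per host only while troubleshooting. What obfsvpn actually emits at DEBUG is not visible in this diff, so that risk is inferred from the level name. The hunk also adds a trailing blank line at the end of the file; drop it so the file ends with a single newline.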
diff --git a/config/services.common.yml b/config/services.common.yml
index 95b6051..a79452b 100644
--- a/config/services.common.yml
+++ b/config/services.common.yml
@@ -1,4 +1,4 @@
---
include:
- ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
diff --git a/config/services.ooni.yml b/config/services.ooni.yml
index eac0148..fc8edea 100644
--- a/config/services.ooni.yml
+++ b/config/services.ooni.yml
@@ -3,7 +3,7 @@
# before enabling
include:
- ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
prometheus-pushgateway:
scheduling_group: backend
diff --git a/hosts-vagrant.yml b/hosts-vagrant.yml
index 37a7ffa..11d75ca 100644
--- a/hosts-vagrant.yml
+++ b/hosts-vagrant.yml
@@ -10,12 +10,18 @@ hosts:
ip: 10.121.20.11
ip_vpn0: 172.16.1.2
gateway1:
- groups: [openvpn, vagrant]
+ groups: [gateway, vagrant]
ansible_host: 10.121.20.12
ip: 10.121.20.12
ip_vpn0: 172.16.1.3
location: Seattle
egress_ip: 10.121.20.44
+ bridge1:
+ groups: [bridge, vagrant]
+ gateway: gateway1
+ ansible_host: 10.121.20.13
+ ip: 10.121.20.13
+ ip_vpn0: 172.16.1.4
group_vars:
vagrant:
ansible_user: vagrant
diff --git a/hosts.yml b/hosts.yml
index 067a9de..48ce324 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -18,7 +18,7 @@ hosts:
ip_vpn0: 172.16.1.2
gateway1:
ansible_host: gateway1.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
ips:
- 37.218.242.191
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
@@ -30,7 +30,7 @@ hosts:
location: Amsterdam
gateway2:
ansible_host: gateway2.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
ip_vpn0: 172.16.1.4
ips:
- 204.13.164.252
diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 2b24871..516cf6b 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -22,17 +22,17 @@
local_action: x509_ca ca_subject="{{ x509_ca_subject | default('CN=LEAP Root CA') }}" ca_cert_path="{{ credentials_dir }}/common/api_ca.crt" ca_key_path="{{ credentials_dir }}/common/api_ca.key"
register: api_ca_should_update
- - name: "Create shapeshifter state directory {{ credentials_dir }}/shapeshifter"
+ - name: "Create obfs4 state directory {{ credentials_dir }}/obfs4"
file:
- path: "{{ credentials_dir }}/shapeshifter"
+ path: "{{ credentials_dir }}/obfs4"
state: directory
# requires python3-pysodium
- - name: "Generate shapeshifter cert and json"
- local_action: shell {{playbook_dir}}/scripts/gen-shapeshifter-state.py {{ credentials_dir }}/shapeshifter
+ - name: "Generate obfs4 cert and json"
+ local_action: shell {{playbook_dir}}/scripts/gen-obfs4-state.py {{ credentials_dir }}/obfs4
- - name: "Encrypt shapeshifter state file"
- local_action: shell ansible-vault encrypt {{ credentials_dir }}/shapeshifter/obfs4_state.json
+ - name: "Encrypt obfs4 state file"
+ local_action: shell ansible-vault encrypt {{ credentials_dir }}/obfs4/obfs4_state.json
when: "lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE')"
- name: Include float init-credentials
diff --git a/playbooks/scripts/gen-shapeshifter-state.py b/playbooks/scripts/gen-obfs4-state.py
index 241c780..5d12617 100755
--- a/playbooks/scripts/gen-shapeshifter-state.py
+++ b/playbooks/scripts/gen-obfs4-state.py
@@ -1,7 +1,6 @@
#!/usr/bin/env python3
"""
-Generates the Curve25519 keypair that is needed by the shapeshifter-dispatcher
-server.
+Generates the Curve25519 keypair that is needed by obfs4
Depends on python3-pysodium package.
"""
@@ -22,7 +21,7 @@ def generate(statedir):
os.makedirs(statedir)
except Exception:
pass
- print("[+] Generating shapeshifter parameters...")
+ print("[+] Generating obfs4 parameters...")
public, private = pysodium.crypto_box_keypair()
diff --git a/site.yml b/site.yml
index 5a2b42e..02cc7db 100644
--- a/site.yml
+++ b/site.yml
@@ -6,6 +6,10 @@
- kresd
- openvpn
+- hosts: bridge
+ roles:
+ - bridge
+
- hosts: vpnweb
roles:
- vpnweb
diff --git a/test/test-full/services.yml b/test/test-full/services.yml
index bad495a..1b9c749 100644
--- a/test/test-full/services.yml
+++ b/test/test-full/services.yml
@@ -1,4 +1,4 @@
---
include:
- "../../float/services.yml.no-elasticsearch"
- - "../../config/services.openvpn.yml"
+ - "../../config/services.bitmask.yml"