author | Maxb <bittmanmax@gmail.com> | 2022-12-30 18:58:22 -0800 |
---|---|---|
committer | Maxb <bittmanmax@gmail.com> | 2023-02-28 14:03:12 -0800 |
commit | ceef21a518c7d928ba771dae6f3cb3976c31112c (patch) | |
tree | 55257602a4c758319383ca2beaef779008dc6b8b | |
parent | 596ba0495699578299879ad841c74152ffb8b94f (diff) |
First pass at adding a separate obfsvpn-based bridge
-rw-r--r-- | Vagrantfile | 4 | ||||
-rw-r--r-- | config/roles/bridge/files/50obfsvpn.firewall | 2 | ||||
-rw-r--r-- | config/roles/bridge/handlers/main.yml | 7 | ||||
-rw-r--r-- | config/roles/bridge/tasks/main.yml | 25 | ||||
-rw-r--r-- | config/services.bitmask.yml (renamed from config/services.openvpn.yml) | 31 | ||||
-rw-r--r-- | config/services.common.yml | 2 | ||||
-rw-r--r-- | config/services.ooni.yml | 2 | ||||
-rw-r--r-- | hosts-vagrant.yml | 8 | ||||
-rw-r--r-- | hosts.yml | 4 | ||||
-rw-r--r-- | site.yml | 4 | ||||
-rw-r--r-- | test/test-full/services.yml | 2 |
11 files changed, 84 insertions, 7 deletions
diff --git a/Vagrantfile b/Vagrantfile
index ffd4fbe..4880d19 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -25,4 +25,8 @@ Vagrant.configure(2) do |config|
 m.vm.hostname = "gateway1"
 m.vm.network "private_network", ip: "10.121.20.12", libvirt__dhcp_enabled: false
 end
+ config.vm.define "bridge1" do |m|
+ m.vm.hostname = "bridge1"
+ m.vm.network "private_network", ip: "10.121.20.13", libvirt__dhcp_enabled: false
+ end
 end
diff --git a/config/roles/bridge/files/50obfsvpn.firewall b/config/roles/bridge/files/50obfsvpn.firewall
new file mode 100644
index 0000000..e3f3566
--- /dev/null
+++ b/config/roles/bridge/files/50obfsvpn.firewall
@@ -0,0 +1,2 @@
+allow_port tcp 443
+allow_port udp 443
diff --git a/config/roles/bridge/handlers/main.yml b/config/roles/bridge/handlers/main.yml
new file mode 100644
index 0000000..0d840a5
--- /dev/null
+++ b/config/roles/bridge/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: reload firewall
+ systemd:
+ name: firewall.service
+ state: restarted
+
diff --git a/config/roles/bridge/tasks/main.yml b/config/roles/bridge/tasks/main.yml
new file mode 100644
index 0000000..671da63
--- /dev/null
+++ b/config/roles/bridge/tasks/main.yml
@@ -0,0 +1,25 @@
+# this is a recursive copy
+- name: Install obfs4 state
+ copy:
+ src: "{{ credentials_dir }}/obfs4/"
+ dest: "/opt/obfsvpn/data"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Install firewall config for obfsvpn
+ copy:
+ src: "50obfsvpn.firewall"
+ dest: "/etc/firewall/filter.d/50obfsvpn"
+ notify: "reload firewall"
+
+- name: Make sure obfs4 state file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_state.json"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Make sure obfs4 obfs4_bridgeline.txt file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_cert.txt"
+ owner: docker-obfsvpn
+ mode: 0600
diff --git a/config/services.openvpn.yml b/config/services.bitmask.yml
index 117273c..531c71f 100644
--- a/config/services.openvpn.yml
+++ b/config/services.bitmask.yml
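Review bot: `allow_port udp 443` opens a port that nothing in this commit listens on — the obfsvpn container is configured with `PROTO: "tcp"`, `KCP: "0"` and `HOP_PT: "0"`, so only tcp/443 is in use. Unless the UDP rule is being reserved for a later KCP or port-hopping mode, drop it, or add `# udp/443 is only needed once KCP or port hopping is enabled` above it so the extra exposure is deliberate rather than accidental. I am assuming float's `allow_port` admits traffic from any source, which is what a public bridge needs but also why unused ports should stay closed.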
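Review bot: The handler is named `reload firewall` but performs `state: restarted`; restarting a firewall unit usually flushes and reapplies the whole ruleset, which can leave a brief window where the host is either unfiltered or fully blocked for every other service on it, not just obfsvpn. If float's firewall.service defines an ExecReload, use `state: reloaded`; if it does not, rename the handler to `restart firewall` so the side effect is not hidden behind the name. I cannot see the unit from this diff, so confirm which it supports before choosing.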
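Review bot: The last task's name refers to `obfs4_bridgeline.txt` while its `path` is `/opt/obfsvpn/data/obfs4_cert.txt`, so anyone reading play output will look for the wrong file; rename it `- name: Make sure obfs4_cert.txt file ownership is correct`. The recursive `copy` in the first task already applies `owner` and `mode` to each file it places, so the two trailing `file:` tasks only add value if those files can also arrive by another route (for example regenerated by the container into the mounted volume); a one-line comment saying which case they guard would stop a later cleanup from deleting them. Since `obfs4_state.json` carries the bridge's private key the 0600 mode is right, but write it as `mode: "0600"` per Ansible convention so the YAML parser cannot retype it; also note that only the files, not `/opt/obfsvpn/data` itself, get `owner: docker-obfsvpn`, which matters if the container process needs to create files there — confirm against the image.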
@@ -24,7 +24,7 @@ menshen:
 skip_acme: true
 openvpn:
- scheduling_group: openvpn
+ scheduling_group: gateway
 num_instances: all
 monitoring_endpoints:
 - job_name: openvpn
@@ -110,3 +110,32 @@ provider:
 domains:
 - "{{ domain_public[0] }}"
+obfsvpn:
+ scheduling_group: bridge
+ num_instances: all
+ containers:
+ - name: obfsvpn
+ image: registry.0xacab.org/leap/obfsvpn:server-main
+
+ # This is how float handles providing a "command" 🙃
+ args: /opt/obfsvpn/start_obfsvpn.sh
+ ports: [443]
+ drop_capabilities: false
+ docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
+ volumes:
+ - /opt/obfsvpn/data: /opt/obfsvpn/data
+ - /dev/net: /dev/net
+ env:
+ # non-hopping:
+ PROTO: "tcp"
+ KCP: "0"
+ OBFS4_HOST: "0.0.0.0"
+ OPENVPN_HOST: "{{ gateway | default(groups['gateway'][0]) }}"
+ OPENVPN_PORT: "80"
+ HOP_PT: "0"
+ OBFS4_DATA_DIR: /opt/obfsvpn/data
+ OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
+ # necessary for traditional/non-hopping mode
+ OBFS4_PORT: "443"
+ LOGLEVEL: DEBUG
+
diff --git a/config/services.common.yml b/config/services.common.yml
index 95b6051..a79452b 100644
--- a/config/services.common.yml
+++ b/config/services.common.yml
@@ -1,4 +1,4 @@
 ---
 include:
 - ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
diff --git a/config/services.ooni.yml b/config/services.ooni.yml
index eac0148..fc8edea 100644
--- a/config/services.ooni.yml
+++ b/config/services.ooni.yml
@@ -3,7 +3,7 @@
 # before enabling
 include:
 - ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
 prometheus-pushgateway:
 scheduling_group: backend
diff --git a/hosts-vagrant.yml b/hosts-vagrant.yml
index 37a7ffa..11d75ca 100644
--- a/hosts-vagrant.yml
+++ b/hosts-vagrant.yml
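Review bot: `drop_capabilities: false` combined with `docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'` leaves the obfsvpn container with the runtime's default capability set plus NET_ADMIN, which is considerably more than an internet-facing transport bridge needs. If float's `drop_capabilities: true` drops everything, the narrower form is to keep it enabled and add back only the two capabilities the process needs; with the current setting the explicit NET_BIND_SERVICE add is redundant anyway, since Docker's default set already includes it — confirm both against float's service schema. `LOGLEVEL: DEBUG` is also committed as the default; on a public bridge debug output tends to include client addresses, so consider `LOGLEVEL: INFO` with a comment on how to raise it for troubleshooting. A short comment explaining why `/dev/net` must be mounted (presumably the tun device for the obfs4-to-OpenVPN leg) would help the next reader.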
@@ -10,12 +10,18 @@ hosts:
 ip: 10.121.20.11
 ip_vpn0: 172.16.1.2
 gateway1:
- groups: [openvpn, vagrant]
+ groups: [gateway, vagrant]
 ansible_host: 10.121.20.12
 ip: 10.121.20.12
 ip_vpn0: 172.16.1.3
 location: Seattle
 egress_ip: 10.121.20.44
+ bridge1:
+ groups: [bridge, vagrant]
+ gateway: gateway1
+ ansible_host: 10.121.20.13
+ ip: 10.121.20.13
+ ip_vpn0: 172.16.1.4
 group_vars:
 vagrant:
 ansible_user: vagrant
@@ -18,7 +18,7 @@ hosts:
 ip_vpn0: 172.16.1.2
 gateway1:
 ansible_host: gateway1.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
 ips:
 - 37.218.242.191
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
@@ -30,7 +30,7 @@ hosts:
 location: Amsterdam
 gateway2:
 ansible_host: gateway2.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
 ip_vpn0: 172.16.1.4
 ips:
 - 204.13.164.252
@@ -6,6 +6,10 @@
 - kresd
 - openvpn
+- hosts: bridge
+ roles:
+ - bridge
+
 - hosts: vpnweb
 roles:
 - vpnweb
diff --git a/test/test-full/services.yml b/test/test-full/services.yml
index bad495a..1b9c749 100644
--- a/test/test-full/services.yml
+++ b/test/test-full/services.yml
@@ -1,4 +1,4 @@
 ---
 include:
 - "../../float/services.yml.no-elasticsearch"
- - "../../config/services.openvpn.yml"
+ - "../../config/services.bitmask.yml" |