authorMaxb <bittmanmax@gmail.com>2022-12-30 18:58:22 -0800
committerMaxb <bittmanmax@gmail.com>2023-02-28 14:03:12 -0800
commitceef21a518c7d928ba771dae6f3cb3976c31112c (patch)
tree55257602a4c758319383ca2beaef779008dc6b8b
parent596ba0495699578299879ad841c74152ffb8b94f (diff)
First pass at adding a separate obfsvpn based bridge
-rw-r--r--Vagrantfile4
-rw-r--r--config/roles/bridge/files/50obfsvpn.firewall2
-rw-r--r--config/roles/bridge/handlers/main.yml7
-rw-r--r--config/roles/bridge/tasks/main.yml25
-rw-r--r--config/services.bitmask.yml (renamed from config/services.openvpn.yml)31
-rw-r--r--config/services.common.yml2
-rw-r--r--config/services.ooni.yml2
-rw-r--r--hosts-vagrant.yml8
-rw-r--r--hosts.yml4
-rw-r--r--site.yml4
-rw-r--r--test/test-full/services.yml2
11 files changed, 84 insertions, 7 deletions
diff --git a/Vagrantfile b/Vagrantfile
index ffd4fbe..4880d19 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -25,4 +25,8 @@ Vagrant.configure(2) do |config|
m.vm.hostname = "gateway1"
m.vm.network "private_network", ip: "10.121.20.12", libvirt__dhcp_enabled: false
end
+ config.vm.define "bridge1" do |m|
+ m.vm.hostname = "bridge1"
+ m.vm.network "private_network", ip: "10.121.20.13", libvirt__dhcp_enabled: false
+ end
end
diff --git a/config/roles/bridge/files/50obfsvpn.firewall b/config/roles/bridge/files/50obfsvpn.firewall
new file mode 100644
index 0000000..e3f3566
--- /dev/null
+++ b/config/roles/bridge/files/50obfsvpn.firewall
@@ -0,0 +1,2 @@
+allow_port tcp 443
+allow_port udp 443
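Review bot: `allow_port udp 443` opens a UDP port that nothing in this commit listens on: the obfsvpn container in config/services.bitmask.yml is configured with `PROTO: "tcp"`, `KCP: "0"` and `ports: [443]`, so only TCP 443 is expected to be served. Dropping the UDP rule keeps the bridge's exposed surface to what the service actually uses. If it is being reserved for a later UDP/KCP mode, a comment above the line naming that mode would make the extra allow deliberate rather than an oversight.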
diff --git a/config/roles/bridge/handlers/main.yml b/config/roles/bridge/handlers/main.yml
new file mode 100644
index 0000000..0d840a5
--- /dev/null
+++ b/config/roles/bridge/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: reload firewall
+ systemd:
+ name: firewall.service
+ state: restarted
+
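Review bot: The handler is named `reload firewall` but performs `state: restarted`, which is a stop/start rather than a reload, so the name understates what happens to firewall.service when the rule file changes. Either rename it (`- name: restart firewall`, updating the `notify: "reload firewall"` in config/roles/bridge/tasks/main.yml to match) or use `state: reloaded` if the unit supports it; I cannot tell from the diff whether it does. The trailing blank line at the end of the file will also trip yamllint's new-line / empty-lines checks.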
diff --git a/config/roles/bridge/tasks/main.yml b/config/roles/bridge/tasks/main.yml
new file mode 100644
index 0000000..671da63
--- /dev/null
+++ b/config/roles/bridge/tasks/main.yml
@@ -0,0 +1,25 @@
+# this is a recursive copy
+- name: Install obfs4 state
+ copy:
+ src: "{{ credentials_dir }}/obfs4/"
+ dest: "/opt/obfsvpn/data"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Install firewall config for obfsvpn
+ copy:
+ src: "50obfsvpn.firewall"
+ dest: "/etc/firewall/filter.d/50obfsvpn"
+ notify: "reload firewall"
+
+- name: Make sure obfs4 state file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_state.json"
+ owner: docker-obfsvpn
+ mode: 0600
+
+- name: Make sure obfs4 obfs4_bridgeline.txt file ownership is correct
+ file:
+ path: "/opt/obfsvpn/data/obfs4_cert.txt"
+ owner: docker-obfsvpn
+ mode: 0600
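Review bot: The last task's name says `obfs4_bridgeline.txt` but its `path` is `/opt/obfsvpn/data/obfs4_cert.txt`; the name is what appears in play output, so it should match the path, e.g. `- name: Make sure obfs4_cert.txt file ownership is correct`. The three `mode: 0600` values are unquoted octal literals, which ansible-lint's risky-octal rule flags; `mode: "0600"` is the portable form and does not depend on the YAML 1.1 octal reading. The recursive copy in the first task already sets `owner` and `mode` on everything it copies, so the two `file:` tasks look redundant unless they are meant to cover files the container creates at runtime, which a one-line comment above them should state. The file also omits the `---` document start that the sibling handlers/main.yml uses.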
diff --git a/config/services.openvpn.yml b/config/services.bitmask.yml
index 117273c..531c71f 100644
--- a/config/services.openvpn.yml
+++ b/config/services.bitmask.yml
@@ -24,7 +24,7 @@ menshen:
skip_acme: true
openvpn:
- scheduling_group: openvpn
+ scheduling_group: gateway
num_instances: all
monitoring_endpoints:
- job_name: openvpn
@@ -110,3 +110,32 @@ provider:
domains:
- "{{ domain_public[0] }}"
+obfsvpn:
+ scheduling_group: bridge
+ num_instances: all
+ containers:
+ - name: obfsvpn
+ image: registry.0xacab.org/leap/obfsvpn:server-main
+
+ # This is how float handles providing a "command" 🙃
+ args: /opt/obfsvpn/start_obfsvpn.sh
+ ports: [443]
+ drop_capabilities: false
+ docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
+ volumes:
+ - /opt/obfsvpn/data: /opt/obfsvpn/data
+ - /dev/net: /dev/net
+ env:
+ # non-hopping:
+ PROTO: "tcp"
+ KCP: "0"
+ OBFS4_HOST: "0.0.0.0"
+ OPENVPN_HOST: "{{ gateway | default(groups['gateway'][0]) }}"
+ OPENVPN_PORT: "80"
+ HOP_PT: "0"
+ OBFS4_DATA_DIR: /opt/obfsvpn/data
+ OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
+ # necessary for traditional/non-hopping mode
+ OBFS4_PORT: "443"
+ LOGLEVEL: DEBUG
+
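Review bot: `drop_capabilities: false` together with `docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'` gives the obfsvpn container Docker's full default capability set plus NET_ADMIN, rather than only the capabilities it needs. If float's default `drop_capabilities: true` maps to `--cap-drop=ALL` (not verified here), leaving it at the default and keeping the two `--cap-add` flags would run the container with exactly NET_ADMIN and NET_BIND_SERVICE, which is plausibly all that binding port 443 and using the `/dev/net` mount require. A comment above `docker_options` stating why NET_ADMIN is granted would make that grant reviewable later. `LOGLEVEL: DEBUG` is also committed into the shared service definition; a quieter default with a per-host override would avoid verbose logging on every deployment that includes this file.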
diff --git a/config/services.common.yml b/config/services.common.yml
index 95b6051..a79452b 100644
--- a/config/services.common.yml
+++ b/config/services.common.yml
@@ -1,4 +1,4 @@
---
include:
- ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
diff --git a/config/services.ooni.yml b/config/services.ooni.yml
index eac0148..fc8edea 100644
--- a/config/services.ooni.yml
+++ b/config/services.ooni.yml
@@ -3,7 +3,7 @@
# before enabling
include:
- ../float/services.yml.default
- - "services.openvpn.yml"
+ - "services.bitmask.yml"
prometheus-pushgateway:
scheduling_group: backend
diff --git a/hosts-vagrant.yml b/hosts-vagrant.yml
index 37a7ffa..11d75ca 100644
--- a/hosts-vagrant.yml
+++ b/hosts-vagrant.yml
@@ -10,12 +10,18 @@ hosts:
ip: 10.121.20.11
ip_vpn0: 172.16.1.2
gateway1:
- groups: [openvpn, vagrant]
+ groups: [gateway, vagrant]
ansible_host: 10.121.20.12
ip: 10.121.20.12
ip_vpn0: 172.16.1.3
location: Seattle
egress_ip: 10.121.20.44
+ bridge1:
+ groups: [bridge, vagrant]
+ gateway: gateway1
+ ansible_host: 10.121.20.13
+ ip: 10.121.20.13
+ ip_vpn0: 172.16.1.4
group_vars:
vagrant:
ansible_user: vagrant
diff --git a/hosts.yml b/hosts.yml
index 067a9de..48ce324 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -18,7 +18,7 @@ hosts:
ip_vpn0: 172.16.1.2
gateway1:
ansible_host: gateway1.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
ips:
- 37.218.242.191
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
@@ -30,7 +30,7 @@ hosts:
location: Amsterdam
gateway2:
ansible_host: gateway2.float.bitmask.net
- groups: [openvpn]
+ groups: [gateway]
ip_vpn0: 172.16.1.4
ips:
- 204.13.164.252
diff --git a/site.yml b/site.yml
index 5a2b42e..02cc7db 100644
--- a/site.yml
+++ b/site.yml
@@ -6,6 +6,10 @@
- kresd
- openvpn
+- hosts: bridge
+ roles:
+ - bridge
+
- hosts: vpnweb
roles:
- vpnweb
diff --git a/test/test-full/services.yml b/test/test-full/services.yml
index bad495a..1b9c749 100644
--- a/test/test-full/services.yml
+++ b/test/test-full/services.yml
@@ -1,4 +1,4 @@
---
include:
- "../../float/services.yml.no-elasticsearch"
- - "../../config/services.openvpn.yml"
+ - "../../config/services.bitmask.yml"