Commit 27314b92 authored by sgk's avatar sgk

Merge branch 'feat/bridge-quic' into 'main'

#120 : deployment code for quic

See merge request leap/container-platform/lilypad!109
parents 060d6537 9507ffd4
......@@ -33,6 +33,7 @@ Monitoring, alerting, log-collection and analysis, DNS and Let's Encrypt certifi
- Backend: runs the application services that the reverse proxy talks to, it runs, among other things, the LEAP web API, the gateway selection service, and the infrastructure that provides monitoring and alerting.
- Gateway/s: These run openvpn and act as **VPN gateways, which ideally require two publicly addressable IP addresses, one for ingress and one for egress.**
- Bridge: runs an [obfsvpn](https://0xacab.org/leap/obfsvpn) service, can run on the same machine as the gateway.
To remove optional services, delete the import lines from config/services.common.yml and the corresponding tags from host.yml.
- Introducer(optional): runs as an obfsification proxy between client and reverse-proxy, used for reaching API from censored networks. (advised to run on port 443 to make it resemble with https)
For disabling this service : remove "services.introducer.yml" from config/services.common.yml and remove `[introducer]` tag on hosts.yml
......@@ -139,6 +140,7 @@ You can tag any gateway hosts with below listed tag for scheduling respective ob
supported `group_names`:
- bridge : for running traditional bridge
- bridge-kcp : for running kcp
- bridge-quic[beta]: for running quic
- introducer : for running introducer (introducer always runs on port 443, with no extra configuration needed)
For gateway hosts, use the variables below to run each app on specific ports. If not specified, the apps will use the default ports listed.
......
---
- name: reload firewall
systemd:
name: firewall.service
state: restarted
# this is a recursive copy
- name: Install obfs4 state
copy:
src: "{{ credentials_dir }}/obfs4/"
dest: "/opt/obfsvpn-quic/data"
owner: docker-obfsvpn-quic
group: docker-obfsvpn-quic
mode: 0640
- name: Install firewall config for obfsvpn
template:
src: "50obfsvpn.quic.firewall.j2"
dest: "/etc/firewall/filter.d/50obfsvpn-quic"
notify: "reload firewall"
- name: Generate a private key
openssl_privatekey:
path: "/opt/obfsvpn-quic/data/quic.key"
type: Ed25519
register: private_key
- name: Generate a self-signed certificate
openssl_certificate:
path: "/opt/obfsvpn-quic/data/quic.crt"
privatekey_path: "/opt/obfsvpn-quic/data/quic.key"
provider: selfsigned
- name: Set ownership of files and directories under /data
ansible.builtin.file:
path: "/opt/obfsvpn-quic/data/"
owner: docker-obfsvpn-quic
group: docker-obfsvpn-quic
recurse: yes
\ No newline at end of file
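Review bot: `mode: 0640` on the obfs4 state copy is an unquoted leading-zero literal, which a YAML 1.1 loader reads as the integer 416; Ansible's mode handling accepts that, but `mode: "0640"` states the intent unambiguously and is what ansible-lint asks for, and `recurse: yes` should likewise be `recurse: true`. The final ownership task passes no `state`, so it relies on `/opt/obfsvpn-quic/data` already existing from the copy step; adding `state: directory` makes that explicit and lets the task run safely on its own. `openssl_certificate` is the pre-2.0 name of community.crypto's `x509_certificate`, so this task may fail on a current collection — worth confirming against the pinned collection version. `register: private_key` is not read anywhere in the visible lines. The private key's mode is whatever `openssl_privatekey` applies (owner-only by default, as far as I recall) and the recursive ownership task leaves modes alone, so the key stays group-unreadable; a one-line comment on the ownership task such as `# owner/group only: keep openssl_privatekey's restrictive mode on quic.key` would save the next reader that trace.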
{% if ports is defined %}
allow_port udp {{ hostvars[inventory_hostname]['ports']['bridge-quic'] | default(4432) }}
{% else %}
allow_port udp 4432
{% endif %}
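Review bot: The `{% if ports is defined %}` branch in this template is redundant: the expression it guards already ends in `| default(4432)`, and `hostvars[inventory_hostname]['ports']` is the same variable as the `ports` tested in the condition, so the file collapses to a single line, `allow_port udp {{ ports['bridge-quic'] | default(4432) }}`. One expression also makes it harder for this default to drift from the 4432 used by the quic service definition and by render_transports. If a host can declare `ports:` with a null value, neither the current form nor the one-liner survives the key lookup; `| default({})` on `ports` would be needed first — confirm against the hosts file.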
---
obfsvpn-kcp:
scheduling_group: bridge-kcp
num_instances: all
containers:
- name: obfsvpn
image: registry.0xacab.org/leap/obfsvpn:server-v1-3-0
# This is how float handles providing a "command" 🙃
args: /opt/obfsvpn/start_obfsvpn.sh
ports: ["{{ hostvars[inventory_hostname]['ports']['bridge-kcp'] | default(4431) }}"]
drop_capabilities: false
docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
volumes:
- /opt/obfsvpn-kcp/data: /opt/obfsvpn/data
- /dev/net: /dev/net
env:
# non-hopping:
KCP: "1"
OBFS4_HOST: "0.0.0.0"
OPENVPN_HOST: "{{ ips | ansible.utils.ipv4 | first }}"
OPENVPN_PORT: "{{ ports.openvpn[0] | default(80) }}"
HOP_PT: "0"
OBFS4_DATA_DIR: /opt/obfsvpn/data
OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
OBFS4_IP: "{{ ips | ansible.utils.ipv4 | first }}"
OBFSVPN_LOCATION: "{{ hostvars[inventory_hostname]['location'] | default('unknown') }}"
OBFS4_PORT: "{{ hostvars[inventory_hostname]['ports']['bridge-kcp'] | default(4431) }}"
CONTROL_PORT: "9091"
PERSIST_BRIDGE_STATE: "true"
LOGLEVEL: DEBUG
---
obfsvpn-quic:
scheduling_group: bridge-quic
num_instances: all
containers:
- name: obfsvpn
image: registry.0xacab.org/leap/obfsvpn:server-v1-3-0
# This is how float handles providing a "command" 🙃
args: /opt/obfsvpn/start_obfsvpn.sh
ports: ["{{ hostvars[inventory_hostname]['ports']['bridge-quic'] | default(4432) }}"]
drop_capabilities: false
docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
volumes:
- /opt/obfsvpn-quic/data: /opt/obfsvpn/data
- /dev/net: /dev/net
env:
# non-hopping:
QUIC: "1"
OBFS4_HOST: "0.0.0.0"
OPENVPN_HOST: "{{ ips | ansible.utils.ipv4 | first }}"
OPENVPN_PORT: "{{ ports.openvpn[0] | default(80) }}"
HOP_PT: "0"
QUIC_TLS_CERT: /opt/obfsvpn/data/quic.crt
QUIC_TLS_KEY: /opt/obfsvpn/data/quic.key
OBFS4_DATA_DIR: /opt/obfsvpn/data
OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
OBFS4_IP: "{{ ips | ansible.utils.ipv4 | first }}"
OBFSVPN_LOCATION: "{{ hostvars[inventory_hostname]['location'] | default('unknown') }}"
OBFS4_PORT: "{{ hostvars[inventory_hostname]['ports']['bridge-quic'] | default(4432) }}"
CONTROL_PORT: "9091"
PERSIST_BRIDGE_STATE: "true"
LOGLEVEL: DEBUG
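Review bot: The default QUIC port 4432 is now hard-coded in four places in this commit — `ports:` and `OBFS4_PORT` here, the firewall template, and `render_transports` — so if one drifts, the firewall, the container and the advertised transport stop agreeing. A comment next to `ports:` such as `# keep in sync with 50obfsvpn.quic.firewall.j2 and the render_transports default` would at least flag the coupling. `QUIC_TLS_CERT`/`QUIC_TLS_KEY` point at `/opt/obfsvpn/data`, which the volume line maps from the host's `/opt/obfsvpn-quic/data` where the role writes `quic.crt`/`quic.key`, so the paths line up; noting that dependency in a comment on the `volumes:` entry would help. `LOGLEVEL: DEBUG` is carried over verbatim from the kcp service; consider whether a production bridge should log at debug by default.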
......@@ -32,35 +32,3 @@ obfsvpn:
OBFS4_PORT: "{{ hostvars[inventory_hostname]['ports']['bridge'] | default(443) }}"
PERSIST_BRIDGE_STATE: "true"
LOGLEVEL: DEBUG
obfsvpn-kcp:
scheduling_group: bridge-kcp
num_instances: all
containers:
- name: obfsvpn
image: registry.0xacab.org/leap/obfsvpn:server-v1-3-0
# This is how float handles providing a "command" 🙃
args: /opt/obfsvpn/start_obfsvpn.sh
ports: ["{{ hostvars[inventory_hostname]['ports']['bridge-kcp'] | default(4431) }}"]
drop_capabilities: false
docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
volumes:
- /opt/obfsvpn-kcp/data: /opt/obfsvpn/data
- /dev/net: /dev/net
env:
# non-hopping:
KCP: "1"
OBFS4_HOST: "0.0.0.0"
OPENVPN_HOST: "{{ ips | ansible.utils.ipv4 | first }}"
OPENVPN_PORT: "{{ ports.openvpn[0] | default(80) }}"
HOP_PT: "0"
OBFS4_DATA_DIR: /opt/obfsvpn/data
OBFS4_KEY_FILE: /opt/obfsvpn/data/obfs4_state.json
OBFS4_IP: "{{ ips | ansible.utils.ipv4 | first }}"
OBFSVPN_LOCATION: "{{ hostvars[inventory_hostname]['location'] | default('unknown') }}"
OBFS4_PORT: "{{ hostvars[inventory_hostname]['ports']['bridge-kcp'] | default(4431) }}"
CONTROL_PORT: "9091"
PERSIST_BRIDGE_STATE: "true"
LOGLEVEL: DEBUG
......@@ -2,5 +2,8 @@
include:
- ../float/services.yml.default
- "services.bitmask.yml"
# optional services
- "services.bridge.yml"
- "services.bridge.kcp.yml"
- "services.bridge.quic.yml"
- "services.introducer.yml"
......@@ -28,7 +28,7 @@ hosts:
ip_vpn0: 172.16.1.3
gateway1:
ansible_host: gateway1.float.bitmask.net
groups: [gateway, bridge, bridge-kcp]
groups: [gateway, bridge, bridge-kcp, bridge-quic]
ips:
- 37.218.242.191
# The 'ip_vpn0' is for the internal network overlay only. Assign an unique
......@@ -41,6 +41,7 @@ hosts:
openvpn: [80, 53, 1194]
bridge: 443
bridge-kcp: 4431
bridge-quic: 4432
# Set the egress source address for ipv4. This address should be distinct
# from the 'ip' value above to prevent traffic leaks.
egress_ip: 37.218.242.216
......
......@@ -95,6 +95,22 @@ def render_transports(host, hostvars, cert):
)
)
]
if "bridge-quic" in hostvars[host]["group_names"]:
if hostvars[host].get("ports"):
bridge_port = str(hostvars[host]["ports"].get("bridge-quic", 4432))
else:
bridge_port = "4432"
transports += [
dict(
type="obfs4",
protocols=["quic"],
ports=[str(bridge_port)],
options = dict(
cert = cert,
iatMode = "0"
)
)
]
if "gateway" in hostvars[host]["group_names"] and hostvars[host].get("direct_openvpn_access", True):
if hostvars[host].get("ports"):
ovpn_port = hostvars[host]["ports"].get("openvpn", ['53', '80', '1194'])
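Review bot: The new `bridge-quic` block repeats, with only the group name, protocol and default port changed, the shape of the block that closes on the first hunk line, so the port-lookup logic now lives in more than one copy, and `ports=[str(bridge_port)]` re-wraps a value that is already a string. Extracting a small helper keeps the lookup in one place; a sketch follows. The kwargs `options = dict(cert = cert, iatMode = "0")` also use spaces around `=`, which PEP 8 reserves for assignments rather than keyword arguments. The entry advertises only the obfs4 `cert`; nothing visible here tells a client how it is expected to validate the self-signed QUIC certificate the role generates, which deserves a docstring line in render_transports stating the intended client behaviour. render_transports starts and ends outside the hunk.
```python
def _obfs4_transport(host, hostvars, cert, protocol, group, default_port):
    """Build one obfs4 transport entry for a bridge group, using the host's
    configured port for `group` or `default_port` when none is set."""
    ports = hostvars[host].get("ports") or {}
    return dict(
        type="obfs4",
        protocols=[protocol],
        ports=[str(ports.get(group, default_port))],
        options=dict(cert=cert, iatMode="0"),
    )

# … unchanged: render_transports body up to the bridge-kcp entry …
    if "bridge-quic" in hostvars[host]["group_names"]:
        transports += [_obfs4_transport(host, hostvars, cert, "quic", "bridge-quic", 4432)]
    # … unchanged: gateway / direct_openvpn_access handling …
```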
......
......@@ -14,6 +14,10 @@
roles:
- bridge-kcp
- hosts: bridge-quic
roles:
- bridge-quic
- hosts: introducer
roles:
- bridge-introducer
......
......@@ -10,6 +10,10 @@
roles:
- bridge
- hosts: bridge-quic
roles:
- bridge-quic
- hosts: introducer
roles:
- bridge-introducer
......