Unverified Commit 80ebe753 authored by micah's avatar micah 💬

Add UDP support (fixes #29 and fixes #30).

Each protocol must have its own netblock pool to draw its client IPs from. So we
change the `openvpn_network` variable to be per-protocol (`openvpn_tcp_network`
and `openvpn_udp_network`), the same for ipv6.

Additionally, we need to also have the nameserver listen on the UDP IP.

This builds on the simplevpn.py change in the previous commit, which produces
the eip-service.json with the udp ports, as well as changes in the openvpn
container which launches a secondary openvpn process for UDP.
parent b06fae61
......@@ -2,3 +2,8 @@
systemd:
name: "docker-kresd-kresd.service"
state: restarted
- listen: "restart docker-openvpn-openvpn"
systemd:
name: "docker-openvpn-openvpn.service"
state: restarted
......@@ -25,4 +25,5 @@
dest: "/etc/knot-resolver/kresd.conf"
group: docker-openvpn
mode: 0770
notify: "restart docker-openvpn-openvpn"
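Review bot: The added `notify: "restart docker-openvpn-openvpn"` on the kresd.conf task restarts the VPN service, dropping every connected client session, each time the resolver configuration changes, and the reason is not stated anywhere in the hunk. This commit also ships a `restart docker-kresd-kresd` handler, so a reader will wonder why the resolver-only restart is not enough; presumably the resolver container depends on openvpn's network namespace or the new UDP address, but that is inference. A one-line comment above the notify, such as `# kresd.conf changes restart openvpn (not just kresd): <reason>`, would stop the next person from "fixing" it back to the cheaper handler. The surrounding task definition starts before this hunk.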
net.listen('10.41.0.1', 53, { kind = 'dns' })
net.listen('10.42.0.1', 53, { kind = 'dns' })
net.listen('{{ansible_vpn0.ipv4.address}}', 8453, { kind = 'webmgmt' })
-- Load Useful modules
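Review bot: The listeners `net.listen('10.41.0.1', 53, ...)` and the added `net.listen('10.42.0.1', 53, ...)` hard-code the two gateway addresses, while the openvpn templates in this commit push `openvpn_tcp_network | ipv4('1')` and `openvpn_udp_network | ipv4('1')` to clients as their DNS server. An operator who changes either pool in the inventory ends up with clients pointed at an address nothing listens on, and with `block-outside-dns` pushed they then have no resolver at all. Derive both addresses from the same variables the templates use, e.g. `net.listen('{{ openvpn_tcp_network | ipv4("1") | ipv4("address") }}', 53, { kind = 'dns' })` and the matching line for `openvpn_udp_network`. This assumes kresd.conf is rendered through the template task shown above; the hunk itself does not prove that.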
......@@ -2,34 +2,50 @@
add_rule4 -A user-input -p tcp -m tcp -d {{ ip }} --dport 80 -j ACCEPT
add_rule4 -A user-input -p udp -m udp -d {{ ip }} --dport 80 -j ACCEPT
{% if openvpn_network6 is defined and openvpn_network6|length -%}
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# Allow incoming connections to ipv6 port 80 for both udp and tcp
add_rule6 -A user-input -p tcp -m tcp -d {{ ip6 }} --dport 80 -j ACCEPT
add_rule6 -A user-input -p udp -m udp -d {{ ip6 }} --dport 80 -j ACCEPT
{% endif %}
# let ipv4 vpn hosts reach the internet
add_rule4 -A FORWARD -s {{ openvpn_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
# allow re/established *inbound* to vpn hosts
add_rule4 -A FORWARD -d {{ openvpn_network | ipaddr('network/prefix') }} -m state --state RELATED,ESTABLISHED -j ACCEPT
# let ipv4 tcp vpn hosts reach the internet
add_rule4 -A FORWARD -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
# allow re/established tcp *inbound* to vpn hosts
add_rule4 -A FORWARD -d {{ openvpn_tcp_network | ipaddr('network/prefix') }} -m state --state RELATED,ESTABLISHED -j ACCEPT
# let ipv4 udp vpn hosts reach the internet
add_rule4 -A FORWARD -s {{ openvpn_udp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
# allow re/established udp *inbound* to vpn hosts
add_rule4 -A FORWARD -d {{ openvpn_udp_network | ipaddr('network/prefix') }} -m state --state RELATED,ESTABLISHED -j ACCEPT
{% if openvpn_network6 is defined and openvpn_network6|length -%}
# let ipv6 vpn hosts reach the internet
add_rule6 -A FORWARD -i tun0 -o {{ ansible_default_ipv4.interface }} -s {{ openvpn_network6 }} -m state --state NEW -j ACCEPT
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# let ipv6 tcp vpn hosts reach the internet
add_rule6 -A FORWARD -i tun0 -o {{ ansible_default_ipv4.interface }} -s {{ openvpn_tcp_network6 }} -m state --state NEW -j ACCEPT
# let ipv6 udp vpn hosts reach the internet
add_rule6 -A FORWARD -i tun1 -o {{ ansible_default_ipv4.interface }} -s {{ openvpn_udp_network6 }} -m state --state NEW -j ACCEPT
# allow re/established *inbound* to vpn gateways
add_rule6 -A FORWARD -i {{ ansible_default_ipv4.interface }} -m state --state RELATED,ESTABLISHED -j ACCEPT
# deny any unrelated traffic
add_rule6 -A FORWARD -i {{ ansible_default_ipv4.interface }} -o tun0 -d {{ openvpn_network6 }} -j DROP
# deny any unrelated tcp traffic
add_rule6 -A FORWARD -i {{ ansible_default_ipv4.interface }} -o tun0 -d {{ openvpn_tcp_network6 }} -j DROP
# deny any unrelated udp traffic
add_rule6 -A FORWARD -i {{ ansible_default_ipv4.interface }} -o tun1 -d {{ openvpn_udp_network6 }} -j DROP
{% endif %}
# deny v4 client-to-client communication
add_rule4 -A FORWARD -i tun0 -o tun0 -j DROP
{% if openvpn_network6 is defined and openvpn_network6|length -%}
# deny v6 client-to-client communication
add_rule6 -A FORWARD -i tun0 -o tun0 -j DROP
# deny v4 tcp client-to-client communication
add_rule4 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP
# deny v4 udp client-to-client communication
add_rule4 -A FORWARD -i tun1 -p udp -o tun0 -j DROP
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# deny v6 tcp client-to-client communication
add_rule6 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP
# deny v6 udp client-to-client communication
add_rule6 -A FORWARD -i tun1 -p udp -o tun0 -j DROP
{% endif %}
# allow vpn clients to resolve DNS (i.e. query knot-resolver)
# allow tcp vpn clients to resolve DNS (i.e. query knot-resolver)
add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT
add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT
# allow udp vpn clients to resolve DNS (i.e. query knot-resolver)
add_rule -A user-input -i tun1 -p udp --dport 53 -j ACCEPT
add_rule -A user-input -i tun1 -p tcp --dport 53 -j ACCEPT
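Review bot: The rewritten client-to-client rules `add_rule4 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP` and `add_rule4 -A FORWARD -i tun1 -p udp -o tun0 -j DROP` (and their v6 twins) are weaker than the `-i tun0 -o tun0 -j DROP` they replace: `-p` matches the protocol of the tunnelled packet, not of the VPN transport, so ICMP or UDP between two TCP clients, and anything tun1→tun1 or tun0→tun1, now falls through to whatever the FORWARD policy is, which this hunk does not show. Interface-pair rules without a protocol match cover all four combinations in one line each: `add_rule4 -A FORWARD -i tun+ -o tun+ -j DROP` and `add_rule6 -A FORWARD -i tun+ -o tun+ -j DROP`. Separately, the v6 block is opened with `openvpn_tcp_network6 is defined` but expands `openvpn_udp_network6` unconditionally in the tun1 rules, so a gateway that defines only the TCP pool (as the second example inventory in this commit does) fails to render, or emits a rule with an empty address if undefined variables are tolerated; gate the UDP rules on their own variable or require both. The note also assumes tun0/tun1 are stably assigned to the TCP and UDP processes; if they are allocated by start order, pin them with `dev tun0` / `dev tun1` in the two server configs.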
# Set egress IP
add_rule4 -A POSTROUTING -s {{ openvpn_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
add_rule4 -A POSTROUTING -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
add_rule4 -A POSTROUTING -s {{ openvpn_udp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ egress_ip }}
# Accept connections on ipv4 port 1194, redirecting them to openvpn
add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 1194 -j DNAT --to-destination {{ ip }}:80
......@@ -7,7 +8,7 @@ add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 1194 -j DNAT --to-destination
add_rule4 -A PREROUTING -p tcp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
add_rule4 -A PREROUTING -p udp -d {{ ip }} --dport 53 -j DNAT --to-destination {{ ip }}:80
{% if openvpn_network6 is defined and openvpn_network6|length -%}
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length -%}
# Accept connections on ipv6 port 1194, redirecting them to openvpn
add_rule6 -A PREROUTING -p tcp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
add_rule6 -A PREROUTING -p udp -d {{ ip6 }} --dport 1194 -j DNAT --to-destination [{{ ip6 }}]:80
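Review bot: The IPv6 1194 redirects for both TCP and UDP are gated on `openvpn_tcp_network6` alone, while the UDP server template in this commit switches to `proto udp6` based on `openvpn_udp_network6`; a gateway with only the UDP pool defined would listen on udp6 with no DNAT in front of it, and one with only the TCP pool would DNAT udp6/1194 at a listener that binds IPv4 only. Gate each redirect on the variable its own process uses, e.g. wrap the udp line in `{% if openvpn_udp_network6 is defined and openvpn_udp_network6|length -%} ... {% endif %}`, or make both v6 pools mandatory on v6 gateways and say so in the inventory comments. The `{% if %}` opened here is closed outside this hunk.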
......@@ -13,19 +13,19 @@ keepalive 10 30
mute-replay-warnings
mute 5
push "redirect-gateway def1 ipv6"
push "dhcp-option DNS {{ openvpn_network | ipv4('1') | ipv4('address') }}"
{% if openvpn_network6 is defined and openvpn_network6|length %}
push "dhcp-option DNS {{ openvpn_tcp_network | ipv4('1') | ipv4('address') }}"
{% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|length %}
proto tcp6
server-ipv6 {{ openvpn_network6 }}
server-ipv6 {{ openvpn_tcp_network6 }}
push "route-ipv6 2000::/3"
push "dhcp-option DNS {{ openvpn_network6 | ipv6('1') | ipv6('address') }}"
push "dhcp-option DNS {{ openvpn_tcp_network6 | ipv6('1') | ipv6('address') }}"
{% else %}
proto tcp
push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
block-ipv6
{% endif %}
push "block-outside-dns"
server {{ openvpn_network | ipv4('network') }} {{ openvpn_network | ipv4('netmask') }}
server {{ openvpn_tcp_network | ipv4('network') }} {{ openvpn_tcp_network | ipv4('netmask') }}
status /tmp/openvpn-status-tcp 10
status-version 3
tcp-nodelay
......@@ -13,19 +13,19 @@ keepalive 10 30
mute-replay-warnings
mute 5
push "redirect-gateway def1 ipv6"
push "dhcp-option DNS {{ openvpn_network | ipv4('1') | ipv4('address') }}"
{% if openvpn_network6 is defined and openvpn_network6|length %}
push "dhcp-option DNS {{ openvpn_udp_network | ipv4('1') | ipv4('address') }}"
{% if openvpn_udp_network6 is defined and openvpn_udp_network6|length %}
proto udp6
server-ipv6 {{ openvpn_network6 }}
server-ipv6 {{ openvpn_udp_network6 }}
push "route-ipv6 2000::/3"
push "dhcp-option DNS {{ openvpn_network6 | ipv6('1') | ipv6('address') }}"
push "dhcp-option DNS {{ openvpn_udp_network6 | ipv6('1') | ipv6('address') }}"
{% else %}
proto udp
push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
block-ipv6
{% endif %}
push "block-outside-dns"
server {{ openvpn_network | ipv4('network') }} {{ openvpn_network | ipv4('netmask') }}
server {{ openvpn_udp_network | ipv4('network') }} {{ openvpn_udp_network | ipv4('netmask') }}
status /tmp/openvpn-status-udp 10
status-version 3
tcp-nodelay
......@@ -15,7 +15,8 @@ openvpn_config:
'verb': '3'
# You can leave this rfc1918 ip block as it is
openvpn_network: "10.41.0.0/21"
openvpn_tcp_network: "10.41.0.0/21"
openvpn_udp_network: "10.42.0.0/21"
......@@ -35,12 +35,13 @@ hosts:
# Set the egress source address for ipv4. This address should be distinct
# from the 'ip' value above to prevent traffic leaks.
egress_ip: 204.13.164.84
# For each gateway that has ipv6, you should allocate an ipv6 netblock
# (probably a /64) for each gateway. This ipv6 netblock should be in a
# different network than the ip6 address that you configured above.
# Openvpn will allocate IPs from this pool automatically, and they will
# be used for egress source addresses.
openvpn_network6: "2001:db8:123::/64"
# For each gateway that has ipv6, you should allocate two ipv6 netblocks for
# each gateway, one for TCP and one for UDP connections. These ipv6
# netblocks should be in a different network than the ip6 address that you
# configured above. These are used by Openvpn to allocate client IPs, and
# they will be used for egress source addresses.
openvpn_tcp_network6: "2620:13:4000:eeee:eeee:eeee:eeee:0000/116"
openvpn_udp_network6: "2620:13:4000:ffff:ffff:ffff:ffff:0000/116"
location: Seattle
group_vars:
all:
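Review bot: The new example pools `openvpn_tcp_network6: "2620:13:4000:eeee:eeee:eeee:eeee:0000/116"` and `openvpn_udp_network6: "2620:13:4000:ffff:ffff:ffff:ffff:0000/116"` replace the RFC 3849 documentation prefix with what looks like a real 2620:13:4000::/48 allocation; if this is the shipped sample inventory rather than a live one, keep it in documentation space so copy-paste cannot announce someone else's addresses, e.g. `openvpn_tcp_network6: "2001:db8:123::/64"` and `openvpn_udp_network6: "2001:db8:124::/64"`, matching the other example in this commit. The rewritten comment also drops the old "(probably a /64)" sizing hint while the new values are /116, so the two examples now disagree on pool size; state the prefix range openvpn's `server-ipv6` accepts, or point at its documentation, in the comment.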
......@@ -14,6 +14,7 @@ openvpn_config:
'key-direction': '1'
'verb': '3'
openvpn_network: "10.41.0.0/21"
openvpn_network6: "2001:db8:123::/64"
openvpn_tcp_network: "10.41.0.0/21"
openvpn_udp_network: "10.42.0.0/21"
openvpn_tcp_network6: "2001:db8:123::/64"
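Review bot: This inventory sets `openvpn_tcp_network6` but no `openvpn_udp_network6`, yet the firewall template in this commit checks only `openvpn_tcp_network6` before expanding `openvpn_udp_network6` in its tun1 rules, so rendering this host should fail with an undefined variable (or produce a malformed rule if undefined variables are tolerated). Either add `openvpn_udp_network6: "2001:db8:124::/64"` here, or make the templates tolerate a TCP-only v6 gateway; as committed the example and the template contradict each other.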