Merge branch 'feat/toggle-direct-ovpn-connection' into 'main'

#88 variable to toggle direct connection to openvpn See merge request !91

Merge branch 'feat/toggle-direct-ovpn-connection' into 'main'
c1186ef2 · sgk · 448ecc6e · 9d7015f5 · c1186ef2 · c1186ef2
Commit c1186ef2 authored 9 months ago by sgk
--- a/README.md
+++ b/README.md
@@ -107,6 +107,10 @@ Open _hosts.yml_ and change `floatapp1` to your app host's hostname, and specify

 Configure the front-end reverse proxy and the gateway sections in the same way. Change the `floatrp1` to your hostname, and the `ansible_host` and `ip` to the IP it should have. Same for the gateway section: change `gateway1` to your gateway server's hostname and put the respective IP address under `ansible_host` and `ip`. Also set the `location` value to where this server is located. It's important to have two different IP addresses for the gateway server for ingress and egress traffic. Put the secondary gateway IP address in the `egress_ip` variable. If you have more than one gateway, just copy the whole block and modify its values respectively.

+You can control whether direct openvpn access is permitted for each gateway host by adjusting the `direct_openvpn_access` flag. This is enabled by default, you can disable for each gateway by kepping the variable as `false` under each gateway host.      
+Enabling this flag will mandate that users to use censorship-circumvention methods by default.    
+It's important to note that direct connections to openvpn can be easily detected by intermediaries
+
 _NOTE:_ If you use IPv6 addresses uncomment and adapt the gateway example given in the section `gateway2`.

 #### 3.2. Configure _config.yml_ :)

--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
 # Allow incoming connections to ipv4 port 80 for both udp and tcp
 add_rule4 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
 add_rule4 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
+{% if direct_openvpn_access is defined and direct_openvpn_access == false -%}
+add_rule4 -I user-input -p udp --dport 80 -j DROP
+add_rule4 -I user-input -p tcp --dport 80 -j DROP
+{% endif %}
+

 {% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|d('')|length > 0 -%}
 # Allow incoming connections to ipv6 port 80 for both udp and tcp
 add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
 add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
+
+{% if direct_openvpn_access is defined and direct_openvpn_access == false -%}
+add_rule6 -I user-input -p udp --dport 80 -j DROP
+add_rule6 -I user-input -p tcp --dport 80 -j DROP
+{% endif %}
+
 {% endif %}



--- a/hosts.yml
+++ b/hosts.yml
@@ -28,6 +28,8 @@ hosts:
    # from the 'ip' value above to prevent traffic leaks.
    egress_ip: 37.218.242.216
    location: Amsterdam
+    # allow direct connections to openvpn (allowed by default)
+    direct_openvpn_access: true
 #    # For each gateway that has ipv6, you should allocate two ipv6 netblocks for
 #    # each gateway, one for TCP and one for UDP connections. These ipv6
 #    # netblocks should be in a different network than the ip6 address that you