Merge branch 'v6fixes' into 'main'

Openvpn v6 support Closes #42, #37, and #39 See merge request !31

Merge branch 'v6fixes' into 'main'
c6aa669a · micah · cd881db7 · 2ec45d24 · c6aa669a · c6aa669a
Commit c6aa669a authored 4 years ago by micah
--- a/config/roles/kresd/templates/kresd.conf.j2
+++ b/config/roles/kresd/templates/kresd.conf.j2
-net.listen('127.0.0.1', '::1', 53, { kind = 'dns' })
+net.listen('::', 53, { kind = 'dns' })
+net.listen('0.0.0.0', 53, { kind = 'dns' })
 net.listen('::', 8453, { kind = 'webmgmt' })

 -- Load Useful modules

--- a/config/roles/openvpn/tasks/openvpn.yml
+++ b/config/roles/openvpn/tasks/openvpn.yml
@@ -11,12 +11,18 @@
    dest: "/etc/firewall/filter.d/50openvpn"
  notify: "reload firewall"

-# Set ip forwarding necessary for openvpn
+# Set ip forwarding necessary for openvpn ipv4
 - sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes

+# Set ip forwarding necessary for openvpn ipv6
+- sysctl:
+    name: net.ipv6.ip_forward
+    value: '1'
+    sysctl_set: yes
+
 - name: Install firewall nat config for vpnweb
  template:
    src: "50openvpn_nat.firewall.j2"

--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -9,5 +9,11 @@ allow_port udp 1194
 add_rule4 -A FORWARD -s {{ openvpn_network | ipaddr('network') }}/{{ openvpn_network | ipaddr('netmask') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
 # allow re/established *inbound* to vpn hosts
 add_rule4 -A FORWARD -d {{ openvpn_network | ipaddr('network') }}/{{ openvpn_network | ipaddr('netmask') }} -m state --state RELATED,ESTABLISHED -j ACCEPT
+add_rule6 -A FORWARD -s {{ openvpn_network6 }} -o tun0 -j ACCEPT
+# allow re/established *inbound* to vpn gateways
+add_rule6 -A FORWARD -d {{ openvpn_network6 }} -m state --state RELATED,ESTABLISHED -j ACCEPT
+# deny client-to-client communication
+add_rule4 -A FORWARD -i tun0 -o tun0 -j DROP
+add_rule6 -A FORWARD -i tun0 -o tun0 -j DROP


--- a/config/roles/openvpn/templates/tcp.conf.j2
+++ b/config/roles/openvpn/templates/tcp.conf.j2
@@ -12,10 +12,18 @@ duplicate-cn
 keepalive 10 30
 mute-replay-warnings
 mute 5
-proto tcp
+push "redirect-gateway def1 ipv6"
 push "dhcp-option DNS {{ openvpn_network | ipaddr('1') | ipaddr('address') }}"
-push "redirect-gateway def1"
+{% if openvpn_network6 is defined and openvpn_network6|length %}
+proto tcp6
+server-ipv6 {{ openvpn_network6 }}
 push "route-ipv6 2000::/3"
+push "dhcp-option DNS {{ openvpn_network6 }}"
+{% else %}
+proto tcp
+push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
+block-ipv6
+{% endif %}
 push "block-outside-dns"
 server {{ openvpn_network | ipaddr('network') }} {{ openvpn_network | ipaddr('netmask') }}
 status /tmp/openvpn-status-tcp 10

--- a/config/roles/openvpn/templates/udp.conf.j2
+++ b/config/roles/openvpn/templates/udp.conf.j2
@@ -12,10 +12,18 @@ duplicate-cn
 keepalive 10 30
 mute-replay-warnings
 mute 5
-proto udp
+push "redirect-gateway def1 ipv6"
 push "dhcp-option DNS {{ openvpn_network | ipaddr('1') | ipaddr('address') }}"
-push "redirect-gateway def1"
+{% if openvpn_network6 is defined and openvpn_network6|length %}
+proto udp6
+server-ipv6 {{ openvpn_network6 }}
 push "route-ipv6 2000::/3"
+push "dhcp-option DNS {{ openvpn_network6 }}"
+{% else %}
+proto udp
+push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
+block-ipv6
+{% endif %}
 push "block-outside-dns"
 server {{ openvpn_network | ipaddr('network') }} {{ openvpn_network | ipaddr('netmask') }}
 status /tmp/openvpn-status-udp 10

--- a/config/services.openvpn.yml
+++ b/config/services.openvpn.yml
@@ -46,7 +46,7 @@ openvpn:
  containers:
    - name: openvpn
      image: registry.0xacab.org/leap/container-platform/openvpn:latest
-      ports: [1194, 23042]
+      ports: [1194, 23042, 53]
      drop_capabilities: false
      docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
      volumes: