obfsproxy deployment strategy
Currently the idea is to automatically deploy the obfsproxy service when an openvpn node is deployed, but also to be able to deploy obfsproxy standalone.
puppet/manifests/site.pp:

    if $services =~ /\bopenvpn\b/ {
      include site_openvpn
      include site_obfsproxy
    }
    if $services =~ /\bobfsproxy\b/ {
      include site_obfsproxy
    }
A couple of issues are raised in the first case:
a) On which interface should the obfsproxy be listening? I guess not the vpn gateway's. If an adversary for some reason discovers and bans the public IP of that interface, a user would not be able to connect to either the obfsproxy or the vpn.
b) As discussed in IRC, there was the idea of deploying the vpn and tor services on the same node. If this is the case, the current puppet setup will lead Tor to use the ip_address from the hiera file, not the openvpn.gateway_address. This seems like a good idea, in order to reduce the probability of our vpn gateway IP getting banned. Now if a) is a good thought, deploying Tor+openvpn would result in having the obfsproxy on the same IP as the Tor relay, which is certainly a very bad idea.
So, is 'Tor+VPN service on the same node' a valid plan?
Should I completely distinguish the vpn and obfsproxy services, i.e. not automatically deploy an obfsproxy when a vpn is deployed?
(from redmine: created on 2014-05-27, relates to #6139 (closed))