Defaults hiding everywhere

- branch based off of @nopdotcom's PR #1361
- initial commit for supporting all VPNs over IPv6

global_vars/vars.yml

@@ -3,6 +3,10 @@ upstream_dns_servers:
   - 8.8.8.8
   - 8.8.4.4
 
+upstream_dns_servers_v6:
+  - "2001:4860:4860::8888"
+  - "2001:4860:4860::8844"
+
 streisand_client_test: no
 
 streisand_site_vars: "{{ lookup('env','HOME') }}/.streisand/site.yml"

playbooks/roles/certificates/templates/openssl.cnf.j2

@@ -52,6 +52,10 @@ subjectAltName = @alt_names
 {% for item in tls_sans %}
 IP.{{ loop.index }} = {{ item }}
 {% endfor %}
+{% if streisand_ipv6_address is defined %}
+IP.1 = {{ streisand_ipv6_address }}
+{% endif %}
+
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)

playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2

@@ -5,7 +5,7 @@
 #   dnsmasq will not automatically listen on the loopback interface. To achieve
 #   this, its IP address, 127.0.0.1, must be explicitly given as
 #   a --listen-address option.
-listen-address=127.0.0.1
+listen-address=::1,127.0.0.1
 
 # Never forward plain names (without a dot or domain part)
 domain-needed
@@ -21,3 +21,8 @@ no-resolv
 {% for item in upstream_dns_servers %}
 server={{ item }}
 {% endfor %}
+{% if streisand_ipv6_address is defined %}
+{% for item in upstream_dns_servers_v6 %}
+server={{ item }}
+{% endfor %}
+{% endif %}

playbooks/roles/ip-forwarding/tasks/main.yml

@@ -5,9 +5,15 @@
     value: 1
   when: ansible_virtualization_type != 'lxc'
 
-- name: "Add IPv4 traffic forwarding persistence service to init"
-  copy:
-    src: streisand-ipforward.sh
+- name: "Enable IPv6 traffic forwarding"
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: 1
+  when: (ansible_virtualization_type != 'lxc') and (streisand_ipv6_enabled)
+
+- name: "Add IPv4/IPv6 traffic forwarding persistence service to init"
+  template:
+    src: streisand-ipforward.sh.j2
     dest: /etc/init.d/streisand-ipforward
     mode: 0755
 

playbooks/roles/ip-forwarding/files/streisand-ipforward.sh → playbooks/roles/ip-forwarding/templates/streisand-ipforward.sh.j2

@@ -9,7 +9,10 @@
 ### END INIT INFO
 
 echo 1 > /proc/sys/net/ipv4/ip_forward
-
 echo 0 | tee /proc/sys/net/ipv4/conf/*/*_redirects
 
+{% if streisand_ipv6_address is defined %}
+echo 1 >  /proc/sys/net/ipv6/conf/all/forwarding
+{% endif %}
+
 exit 0

playbooks/roles/openconnect/tasks/firewall.yml

@@ -4,7 +4,11 @@
     to_port: "53"
     proto: "udp"
     rule: "allow"
-    from_ip: "192.168.1.0/24"
+    from_ip: "{{ item.addr }}"
+  with_items:
+    - { addr: "{{ ocserv_ipv4_network }}" }
+    - { addr: "{{ ocserv_ipv6_network }}", create: "{{ streisand_ipv6_enabled }}" }
+  when: item.create | default(True) | bool
 
 - name: Ensure UFW allows OpenConnect (ocserv)
   ufw:

playbooks/roles/openconnect/templates/config.j2

@@ -45,8 +45,18 @@ use-occtl = true
 pid-file = {{ ocserv_pid_file }}
 device = vpns
 default-domain = example.com
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+ipv4-network = {{ ocserv_ipv4_network }}
+
+{% if streisand_ipv6_address is defined %}
+ipv6-network = {{ ocserv_ipv6_network }}
+{% for item in upstream_dns_servers_v6 %}
+dns = {{ item }}
+{% endfor %}
+ipv6-subnet-prefix = 64
+{% endif %}
+
+route = default
+
 ping-leases = false
 cisco-client-compat = true
 max-clients = {{ vpn_clients + 1 }}

playbooks/roles/openconnect/templates/ocserv-iptables.service.j2

@@ -8,5 +8,9 @@ Type=oneshot
 RemainAfterExit=true
 ExecStart=/sbin/{{ ocserv_firewall_rule }}
 
+{% if streisand_ipv6_enabled %}
+ExecStart=/sbin/{{ ocserv_firewall_rule_v6 }}
+{% endif %}
+
 [Install]
 WantedBy=multi-user.target

playbooks/roles/openconnect/templates/ocserv-ipv6tables.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=Set the firewall rules required for ocserv
+After=network.target
+Before=ocserv.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/sbin/{{ ocserv_firewall_rule_v6 }}
+
+[Install]
+WantedBy=multi-user.target

playbooks/roles/openconnect/vars/main.yml

@@ -3,6 +3,10 @@ ocserv_path: "/etc/ocserv"
 ocserv_ca: "{{ ocserv_path }}/ca"
 ocserv_config_file: "{{ ocserv_path }}/ocserv.conf"
 ocserv_firewall_rule: "iptables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -j MASQUERADE"
+ocserv_firewall_rule_v6: "ip6tables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -j MASQUERADE"
+
+ocserv_ipv4_network: "192.168.1.0/24"
+ocserv_ipv6_network: "fda9:4efe:7e3b:03ea::/48"
 
 ocserv_days_valid: "1825"
 ocserv_pid_file:    "/var/run/ocserv.pid"

playbooks/roles/openvpn/tasks/firewall.yml

@@ -3,19 +3,32 @@
   command: "{{ item }}"
   with_items: "{{ openvpn_firewall_rules }}"
 
-- name: Ensure UFW allows DNS requests from OpenVPN clients
+- name: Allow OpenVPN over IPv6 through the firewall
+  command: "{{ item }}"
+  with_items: "{{ openvpn_ipv6_firewall_rules }}"
+  when: streisand_ipv6_address is defined
+
+- name: Ensure UFW allows DNS requests from OpenVPN TCP clients
   ufw:
     to_port: "53"
     proto: "udp"
     rule: "allow"
-    from_ip: "10.8.0.0/24"
+    from_ip: "{{ item.addr }}"
+  with_items:
+    - { addr: "{{ openvpn_server_tcp_ipv4_address }}" }
+    - { addr: "{{ openvpn_server_tcp_ipv6_address }}", create: "{{ streisand_ipv6_enabled }}" }
+  when: item.create | default(True) | bool
 
 - name: Ensure UFW allows DNS requests from OpenVPN UDP clients
   ufw:
     to_port: "53"
     proto: "udp"
     rule: "allow"
-    from_ip: "10.9.0.0/24"
+    from_ip: "{{ item.addr }}"
+  with_items:
+    - { addr: "{{ openvpn_server_udp_ipv4_address }}" }
+    - { addr: "{{ openvpn_server_udp_ipv6_address }}", create: "{{ streisand_ipv6_enabled }}" }
+  when: item.create | default(True) | bool
 
 - name: Ensure UFW allows OpenVPN
   ufw:

playbooks/roles/openvpn/tasks/main.yml

@@ -2,10 +2,14 @@
 # Add the apt key and install OpenVPN
 - import_tasks: install.yml
 
-- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53"
+- name: "Configure DNSMasq to listen on TCP and UDP ports 53"
   template:
     src: openvpn_dnsmasq.conf.j2
     dest: /etc/dnsmasq.d/openvpn.conf
+  with_items:
+    - { src: "openvpn_dnsmasq.conf.j2",   dst: "/etc/dnsmasq.d/openvpn.conf" }
+    - { src: "openvpn_dnsmasqv6.conf.j2", dst: "/etc/dnsmasq.d/openvpnv6.conf", create: "{{ streisand_ipv6_enabled }}" }
+  when: item.create | default(True) | bool
   notify: Restart dnsmasq
 
 - include_role:

playbooks/roles/openvpn/templates/client-common.j2

@@ -1,4 +1,4 @@
-dev tun
+dev tun-ipv6
 cipher {{ openvpn_cipher }}
 auth {{ openvpn_auth_digest }}
 resolv-retry infinite
@@ -10,7 +10,8 @@ verify-x509-name {{ openvpn_server_common_name.stdout }} name
 tls-version-min 1.2
 compress
 verb 3
-route {{ streisand_ipv4_address }} 255.255.255.255 net_gateway
+
+#route {{ streisand_ipv4_address }} 255.255.255.255 net_gateway
 
 <ca>
 {{ openvpn_ca_contents.stdout }}

playbooks/roles/openvpn/templates/client-direct-udp.ovpn.j2

@@ -1,4 +1,6 @@
 client
-remote {{ openvpn_server }} {{ openvpn_port_udp }}
-proto udp
+{% if streisand_ipv6_address is defined %}
+remote {{ streisand_ipv6_address }} {{ openvpn_port_udp }} udp6
+{% endif %}
+remote {{ openvpn_server }} {{ openvpn_port_udp }} udp
 {% include "client-common.j2" %}

playbooks/roles/openvpn/templates/client-direct.ovpn.j2

@@ -1,4 +1,6 @@
 client
-remote {{ openvpn_server }} {{ openvpn_port }}
-proto tcp
+{% if streisand_ipv6_address is defined %}
+remote {{ streisand_ipv6_address }} {{ openvpn_port}} tcp6
+{% endif %}
+remote {{ openvpn_server }} {{ openvpn_port }} tcp
 {% include "client-common.j2" %}

playbooks/roles/openvpn/templates/client-sslh.ovpn.j2

@@ -1,4 +1,6 @@
 client
-remote {{ openvpn_server }} {{ openvpn_port_sslh }}
-proto tcp
+{% if streisand_ipv6_address is defined %}
+remote {{ streisand_ipv6_address }} {{ openvpn_port_sslh }} tcp6
+{% endif %}
+remote {{ openvpn_server }} {{ openvpn_port_sslh }} tcp
 {% include "client-common.j2" %}

playbooks/roles/openvpn/templates/etc_openvpn_server.conf.j2

@@ -1,5 +1,11 @@
 server 10.8.0.0 255.255.255.0
 push "dhcp-option DNS {{ dnsmasq_openvpn_tcp_ip }}"
-proto tcp
+proto tcp6
+
+{% if streisand_ipv6_address is defined %}
+server-ipv6 2001:db8:0:124::/64
+push "dhcp-option DNS6 {{ dnsmasq_openvpn_tcp_ipv6 }}"
+{% endif %}
+
 port {{ openvpn_port }}
 {% include "etc_openvpn_server_common.j2" %}

playbooks/roles/openvpn/templates/etc_openvpn_server_common.j2

@@ -6,6 +6,10 @@ dh none
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1"
 
+{% if streisand_ipv6_address is defined %}
+push "route-ipv6 ::/0"
+{% endif %}
+
 # Fix for the Windows 10 DNS leak described here:
 # https://community.openvpn.net/openvpn/ticket/605
 push block-outside-dns

playbooks/roles/openvpn/templates/etc_openvpn_server_udp.conf.j2

@@ -1,5 +1,11 @@
 server 10.9.0.0 255.255.255.0
 push "dhcp-option DNS {{ dnsmasq_openvpn_udp_ip }}"
-proto udp
+
+{% if streisand_ipv6_address is defined %}
+server-ipv6 2001:db8:0:123::/64
+push "dhcp-option DNS6 {{ dnsmasq_openvpn_udp_ipv6 }}"
+{% endif %}
+
+proto udp6
 port {{ openvpn_port_udp }}
 {% include "etc_openvpn_server_common.j2" %}

playbooks/roles/openvpn/templates/openvpn-iptables.service.j2

@@ -10,5 +10,11 @@ RemainAfterExit=true
 ExecStart=/sbin/{{ rule }}
 {% endfor %}
 
+{% if streisand_ipv6_enabled %}
+{% for rule in openvpn_ipv6_firewall_rules %}
+ExecStart=/sbin/{{ rule }}
+{% endfor %}
+{% endif %}
+
 [Install]
 WantedBy=multi-user.target

playbooks/roles/openvpn/templates/openvpn_dnsmasqv6.conf.j2

@@ -0,0 +1,2 @@
+# Listen on the OpenVPN TCP and UDP addresses
+listen-address={{ dnsmasq_openvpn_tcp_ipv6 }},{{ dnsmasq_openvpn_udp_ipv6 }}

playbooks/roles/openvpn/vars/main.yml

@@ -16,12 +16,28 @@ openvpn_combined_profile_filename:   "{{ openvpn_server }}-combined.ovpn"
 dnsmasq_openvpn_tcp_ip: "10.8.0.1"
 dnsmasq_openvpn_udp_ip: "10.9.0.1"
 
+openvpn_server_tcp_ipv4_address: "10.9.0.0/24"
+openvpn_server_udp_ipv4_address: "10.8.0.0/24"
+
+dnsmasq_openvpn_tcp_ipv6: "2001:db8:0:124::1001"
+dnsmasq_openvpn_udp_ipv6: "2001:db8:0:123::1001"
+
+openvpn_server_tcp_ipv6_address: "2001:db8:0:124::/64"
+openvpn_server_udp_ipv6_address: "2001:db8:0:123::/64"
+
 openvpn_firewall_rules:
   - "iptables --wait {{ streisand_iptables_wait }} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
-  - "iptables --wait {{ streisand_iptables_wait }} -A FORWARD -s 10.8.0.0/24 -j ACCEPT"
-  - "iptables --wait {{ streisand_iptables_wait }} -A FORWARD -s 10.9.0.0/24 -j ACCEPT"
-  - "iptables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
-  - "iptables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s 10.9.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+  - "iptables --wait {{ streisand_iptables_wait }} -A FORWARD -s {{ openvpn_server_udp_ipv4_address }} -j ACCEPT"
+  - "iptables --wait {{ streisand_iptables_wait }} -A FORWARD -s {{ openvpn_server_tcp_ipv4_address }} -j ACCEPT"
+  - "iptables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s {{ openvpn_server_udp_ipv4_address }} -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+  - "iptables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s {{ openvpn_server_tcp_ipv4_address }} -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+
+openvpn_ipv6_firewall_rules:
+  - "ip6tables --wait {{ streisand_iptables_wait }} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
+  - "ip6tables --wait {{ streisand_iptables_wait }} -A FORWARD -s {{ openvpn_server_tcp_ipv6_address }} -j ACCEPT"
+  - "ip6tables --wait {{ streisand_iptables_wait }} -A FORWARD -s {{ openvpn_server_udp_ipv6_address }} -j ACCEPT"
+  - "ip6tables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s {{ openvpn_server_tcp_ipv6_address }} -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+  - "ip6tables --wait {{ streisand_iptables_wait }} -t nat -A POSTROUTING -s {{ openvpn_server_udp_ipv6_address }} -o {{ ansible_default_ipv6.interface }} -j MASQUERADE"
 
 openvpn_gateway_location: "{{ streisand_gateway_location }}/openvpn"
 

playbooks/roles/stunnel/templates/stunnel-local.conf.j2

@@ -2,4 +2,7 @@ client = yes
 
 [stunnel]
 accept = 127.0.0.1:{{ stunnel_local_port }}
+{% if streisand_ipv6_address is defined %}
+connect = {{ streisand_ipv6_address }}:{{ stunnel_remote_port }}
+{% endif %}
 connect = {{ streisand_ipv4_address }}:{{ stunnel_remote_port }}

playbooks/roles/wireguard/tasks/firewall.yml

@@ -1,28 +1,43 @@
 ---
-- name: Ensure UFW allows DNS requests from WireGuard clients
+- name: "Ensure UFW allows DNS requests from WireGuard clients"
   ufw:
     to_port: "53"
     proto: "udp"
     rule: "allow"
     from_ip: "10.192.122.0/24"
 
-- name: Ensure UFW allows WireGuard
+- name: "Ensure UFW allows DNS requests from WireGuard IPv6 clients"
+  ufw:
+    to_port: "53"
+    proto: "udp"
+    rule: "allow"
+    from_ip: "fde9:7496:c3d7:a47f::/64"
+  when: streisand_ipv6_address is defined
+
+- name: "Ensure UFW allows WireGuard"
   ufw:
     to_port: "{{ wireguard_port }}"
     proto: "udp"
     rule: "allow"
 
-- name: Allow WireGuard through the firewall
+- name: "Allow WireGuard through the firewall"
   command: "{{ item }}"
   with_items: "{{ wireguard_firewall_rules }}"
 
-- name: "Add WireGuard firewall persistence service to init"
+- name: "Allow WireGuard over IPv6 through the firewall"
+  command: "{{ item }}"
+  with_items: "{{ wireguard_firewallv6_rules }}"
+  when: streisand_ipv6_address is defined
+
+- name: "Add WireGuard firewall persistence service"
   template:
-    src: streisand-wireguard-service.sh.j2
-    dest: /etc/init.d/streisand-wireguard
-    mode: 0755
+    src: wireguard-iptables.service.j2
+    dest: /etc/systemd/system/wireguard-iptables.service
+    mode: 0644
 
-- name: "Enable the streisand-wireguard init service"
-  service:
-    name: streisand-wireguard
+- name: "Enable the wireguard-iptables service"
+  systemd:
+    daemon_reload: yes
+    name: wireguard-iptables.service
     enabled: yes
+    state: started

playbooks/roles/wireguard/tasks/main.yml

@@ -122,6 +122,12 @@
     src: wireguard_dnsmasq.conf.j2
     dest: /etc/dnsmasq.d/wireguard.conf
 
+- name: "Configure DNSMasq to listen on {{ dnsmasq_wireguard_ipv6 }}:53"
+  template:
+    src: wireguard_dnsmasqv6.conf.j2
+    dest: /etc/dnsmasq.d/wireguardv6.conf
+  when: streisand_ipv6_enabled
+
 # NOTE(@cpu): We don't use a `notify` to "Restart dnsmasq" here because it seems
 # that in some conditions Ansible mistakenly believes the dnsmasq restart can be
 # skipped. We also don't use "reloaded" instead of "restarted" here because