diff --git a/config.cfg b/config.cfg
index a652749f..546ddf4b 100644
--- a/config.cfg
+++ b/config.cfg
@@ -100,8 +100,17 @@ dns_servers:
- 2606:4700:4700::1111
- 2606:4700:4700::1001
-# IP address for the local dns resolver
-local_service_ip: 172.16.0.1
+# Randomly generated IP address for the local dns resolver
+local_service_ip: >-
+ 10.
+ {{- 255 | random(seed=algo_server_name + ansible_fqdn + 'second') }}.
+ {{- 255 | random(seed=algo_server_name + ansible_fqdn + 'third') }}.
+ {{- 255 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}
+local_service_ipv6: >-
+ FD{{ 99 | random(seed=algo_server_name + ansible_fqdn + 'first') }}:
+ {{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'second') }}:
+ {{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'third') }}:
+ {{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}::1
# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 6b369267..ebbe91ad 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -18,7 +18,7 @@
ifconfig lo100 destroy || true &&
ifconfig lo100 create &&
ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 &&
- ifconfig lo100 inet6 FCAA::1/64; echo $?
+ ifconfig lo100 inet6 {{ local_service_ipv6 }}/128; echo $?
- name: restart iptables
service: name=netfilter-persistent state=restarted
diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml
index e0d54c16..9dbfb189 100644
--- a/roles/common/tasks/freebsd.yml
+++ b/roles/common/tasks/freebsd.yml
@@ -54,7 +54,7 @@
block: |
cloned_interfaces="lo100"
ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255"
- ifconfig_lo100_ipv6="inet6 FCAA::1/64"
+ ifconfig_lo100_ipv6="inet6 {{ local_service_ipv6 }}/128"
notify:
- restart loopback bsd
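Review bot: The first IPv6 hextet `FD{{ 99 | random(...) }}` renders as `FD0`–`FD9` whenever the draw is a single digit, and `FD5:…` is `0FD5:…`, which lies outside the fd00::/8 ULA range that the `FD` prefix is clearly meant to select; a fixed-width hex field avoids that, e.g. `FD{{ '%02x' | format(255 | random(seed=algo_server_name + ansible_fqdn + 'first')) }}:`, and the same `'%04x'` treatment would let the other three hextets use the full hex space instead of only decimal digits. On the IPv4 side, if Ansible's `random` filter is inclusive at the upper bound (the versions I know call `randrange(0, end + 1)`), the last octet can come out as `0` or `255`, which some client stacks refuse as a unicast host address — `{{- (253 | random(seed=algo_server_name + ansible_fqdn + 'fourth')) + 1 }}` keeps it in 1–254. Nothing here keeps the pick out of the VPN client subnets configured elsewhere in this file or out of a client's own 10/8 LAN, and the value is deterministic rather than random, so the comment should say both: something like `# Address for the local DNS resolver, derived deterministically from the server name and FQDN so re-runs give the same value; override it if it collides with your networks`.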
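Review bot: The rewritten `ifconfig lo100 inet6 {{ local_service_ipv6 }}/128; echo $?` still ends in `; echo $?`, so the handler reports success even when ifconfig rejects the address — and now that the address is templated from a generator rather than the literal `FCAA::1`, a malformed value would go unnoticed until client DNS breaks. Dropping the `; echo $?` (the `|| true` on the destroy step already covers the one failure that is expected) lets Ansible fail the handler on a bad address. The `restart loopback bsd` handler's name and `shell: >` header sit above this hunk.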
diff --git a/roles/common/templates/10-algo-lo100.network.j2 b/roles/common/templates/10-algo-lo100.network.j2
index 87280511..ccdca7e6 100644
--- a/roles/common/templates/10-algo-lo100.network.j2
+++ b/roles/common/templates/10-algo-lo100.network.j2
@@ -4,4 +4,4 @@ Name=lo
[Network]
Description=lo:100
Address={{ local_service_ip }}/32
-Address=FCAA::1/64
+Address={{ local_service_ipv6 }}/128
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index 12bed2b4..adb59f5d 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -83,7 +83,7 @@ COMMIT
# particular virtual (tun,tap,...) or physical (ethernet) interface.
# Accept DNS traffic to the local DNS resolver
--A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT
+-A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT
# Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
index c52b6b9c..1857c55b 100644
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -116,7 +116,7 @@ group=nogroup
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
-listen-address=127.0.0.1,FCAA::1,{{ local_service_ip }}
+listen-address=127.0.0.1,{{ local_service_ipv6 }},{{ local_service_ip }}
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
diff --git a/tests/ipsec-client.sh b/tests/ipsec-client.sh
index d2c3f548..c64ca533 100755
--- a/tests/ipsec-client.sh
+++ b/tests/ipsec-client.sh
@@ -21,3 +21,5 @@ fping -t 900 -c3 -r3 -Dse 10.0.8.100 172.16.0.1
host google.com 172.16.0.1
echo "IPsec tests passed"
+
+ipsec down algovpn-10.0.8.100
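Review bot: The new `-A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT` still admits only UDP, so a client that retries over TCP after a truncated answer (large DNSSEC or many-record responses) is not matched by this rule and presumably falls through to the chain's default policy; the old `fcaa::1` rule had the same gap, but since the line is being rewritten it is the moment to add `-A INPUT -d {{ local_service_ipv6 }}/128 -p tcp --dport 53 -j ACCEPT` next to it, assuming the IPv4 rule in rules.v4.j2 (not in this diff) is treated the same way. The `/128` on a single host address is redundant with iptables' default but harmless.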
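Review bot: `ipsec down algovpn-10.0.8.100` is appended after the success message, so it only runs on the all-pass path; if the script runs under `set -e` (its header is above the hunk), a failed `host` check exits before the teardown and leaves the tunnel up for whatever test runs next on the box. Registering the teardown where the tunnel is brought up, `trap 'ipsec down algovpn-10.0.8.100' EXIT`, runs it on both the passing and failing paths.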
diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh
index 99bf5c21..7699469d 100755
--- a/tests/local-deploy.sh
+++ b/tests/local-deploy.sh
@@ -2,7 +2,7 @@
set -ex
-DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true"
+DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true local_service_ip=172.16.0.1"
if [ "${DEPLOY}" == "docker" ]
then
diff --git a/tests/update-users.sh b/tests/update-users.sh
index d957787d..8c76ba1d 100755
--- a/tests/update-users.sh
+++ b/tests/update-users.sh
@@ -2,7 +2,7 @@
set -ex
-USER_ARGS="{ 'server': '10.0.8.100', 'users': ['desktop', 'user1', 'user2'] }"
+USER_ARGS="{ 'server': '10.0.8.100', 'users': ['desktop', 'user1', 'user2'], 'local_service_ip': '172.16.0.1' }"
if [ "${DEPLOY}" == "docker" ]
then
diff --git a/tests/wireguard-client.sh b/tests/wireguard-client.sh
index 7dac2a32..f2823d8e 100755
--- a/tests/wireguard-client.sh
+++ b/tests/wireguard-client.sh
@@ -19,3 +19,5 @@ wg | grep "latest handshake"
host google.com 172.16.0.1
echo "WireGuard tests passed"
+
+wg-quick down user1
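Review bot: Pinning `local_service_ip=172.16.0.1` in `DEPLOY_ARGS` keeps the existing `host google.com 172.16.0.1` checks working, but an extra var overrides the config.cfg value, so the new seeded Jinja generator for `local_service_ip` is never rendered by CI and a typo in it would only surface on a real deployment. Consider one run without the override that checks the rendered value, or a small `assert` task in the playbook that validates both `local_service_ip` and `local_service_ipv6` (with the `ipaddr` filter, if netaddr is already a dependency) before the templates consume them; the IPv6 value is not pinned here, so at least that expression is exercised.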
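Review bot: `wg-quick down user1` only executes on the all-pass path; a failed `host` check under `set -e` (the script's options are above the hunk, if set) leaves the `user1` interface and its routes in place for the next test on the same host. Placing `trap 'wg-quick down user1' EXIT` right after the interface is brought up, which presumably happens earlier in this script, tears it down on both outcomes.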