Fix Ubuntu 22.04 compatibility issues (#14824)

This commit addresses two critical issues preventing Algo from working on Ubuntu 22.04: 1. Load af_key kernel module for StrongSwan - Ubuntu 22.04 minimal installs don't load af_key by default - Without this module, StrongSwan fails with namespace errors - Added modprobe task to ensure module is loaded persistently 2. Force iptables-legacy mode on Ubuntu 22.04+ - Ubuntu 22.04 uses iptables-nft backend by default - This causes firewall rules to be reordered incorrectly - VPN traffic gets blocked by misplaced DROP rules - Switching to iptables-legacy ensures correct rule ordering These changes restore full VPN functionality (both WireGuard and IPsec) on Ubuntu 22.04 installations. Closes #14820 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>
2025-08-19 19:23:24 +02:00 · 2025-08-16 13:19:59 -04:00 · 2025-08-16 13:19:59 -04:00 · 315898fafb
commit 315898fafb
parent b821080eba
2 changed files with 33 additions and 0 deletions
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@ -161,5 +161,31 @@
  include_tasks: aip/main.yml
  when: alternative_ingress_ip

+- name: Ubuntu 22.04+ | Use iptables-legacy for compatibility
+  block:
+    - name: Install iptables packages
+      apt:
+        name:
+          - iptables
+          - iptables-persistent
+        state: present
+        update_cache: true
+
+    - name: Configure iptables-legacy as default
+      alternatives:
+        name: "{{ item }}"
+        path: "/usr/sbin/{{ item }}-legacy"
+      with_items:
+        - iptables
+        - ip6tables
+        - iptables-save
+        - iptables-restore
+        - ip6tables-save
+        - ip6tables-restore
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_version is version('22.04', '>=')
+  tags: iptables
+
 - include_tasks: iptables.yml
  tags: iptables
--- a/roles/strongswan/tasks/ubuntu.yml
+++ b/roles/strongswan/tasks/ubuntu.yml
@ -2,6 +2,13 @@
 - name: Set OS specific facts
  set_fact:
    strongswan_additional_plugins: []
+
+- name: Ubuntu | Ensure af_key kernel module is loaded
+  modprobe:
+    name: af_key
+    state: present
+    persistent: present
+
 - name: Ubuntu | Install strongSwan (individual)
  apt:
    name: strongswan