Fix DNS resolution for VPN clients by enabling route_localnet

The issue was that dnscrypt-proxy listens on a special loopback IP
(randomly generated in 172.16.0.0/12 range) which wasn't accessible
from VPN clients. This fix:

1. Enables net.ipv4.conf.all.route_localnet sysctl to allow routing
   to loopback IPs from other interfaces
2. Ensures dnscrypt-proxy socket is properly restarted when its
   configuration changes
3. Adds proper handler flushing after socket configuration updates

This allows VPN clients to reach the DNS resolver at the local_service_ip
address configured on the loopback interface.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

This commit is contained in:
Dan Guido 2025-08-17 21:00:28 -04:00
parent 9fb0cd1031
commit b00c74707f
3 changed files with 9 additions and 2 deletions


@ -136,6 +136,8 @@
value: 1
- item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
value: 1
- item: net.ipv4.conf.all.route_localnet
value: 1
- name: Install packages (batch optimization)
include_tasks: packages.yml
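Review bot: `net.ipv4.conf.all.route_localnet` relaxes the loopback martian check on every interface, including the public one, so whether loopback-bound services stay unreachable from anything but the VPN now rests entirely on the firewall rules; consider setting the per-interface key for the VPN interface instead (the kernel ORs the `all` value with the per-interface value, so `all` can stay at 0) and confirming the input rules only admit the VPN subnet to the resolver port. It is also worth verifying that this sysctl is really what fixes the problem: the commit message says local_service_ip is in 172.16.0.0/12, while route_localnet only affects packets with a 127.0.0.0/8 source or destination.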


@ -3,7 +3,6 @@
include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: dnscrypt-proxy ip-blacklist configured
template:
src: ip-blacklist.txt.j2
@ -26,11 +25,12 @@
- meta: flush_handlers
- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled
- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled and started
systemd:
name: dnscrypt-proxy.socket
enabled: true
state: started
daemon_reload: true
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: dnscrypt-proxy enabled and started
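Review bot: `state: started` only ensures the socket unit is active; if the socket was already listening before the override changed, this task will not re-bind it to the new listen address, so the fix depends on the `restart dnscrypt-proxy.socket` handler having been flushed by the `- meta: flush_handlers` line above. A short comment on the task stating that dependency would keep a future reordering from silently leaving the socket on its old address.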


@ -76,11 +76,16 @@
NoDelay=true
DeferAcceptSec=1
mode: '0644'
register: socket_override
notify:
- daemon-reload
- restart dnscrypt-proxy.socket
- restart dnscrypt-proxy
- name: Ubuntu | Flush handlers to restart socket if needed
meta: flush_handlers
when: socket_override.changed
- name: Ubuntu | Add custom requirements to successfully start the unit
copy:
dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
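Review bot: the notify list restarts `dnscrypt-proxy.socket` and then `dnscrypt-proxy`; if the socket handler runs while the service unit is still active, systemd refuses to start the socket ("Socket service dnscrypt-proxy.service already active, refusing"), so the immediately flushed restart can fail on a host that was provisioned before this change. Consider having the socket handler stop `dnscrypt-proxy.service` first, restart the socket, then start the service again. Also note that `meta: flush_handlers` with `when: socket_override.changed` flushes every pending handler, not just these three, which is fine but worth stating in the task name so the side effect is expected.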