From b00c74707f819684a153527ad2c5a18895d4f9d6 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sun, 17 Aug 2025 21:00:28 -0400
Subject: [PATCH] Fix DNS resolution for VPN clients by enabling route_localnet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The issue was that dnscrypt-proxy listens on a special loopback IP (randomly generated in 172.16.0.0/12 range) which wasn't accessible from VPN clients.
This fix:
1. Enables net.ipv4.conf.all.route_localnet sysctl to allow routing to loopback IPs from other interfaces
2. Ensures dnscrypt-proxy socket is properly restarted when its configuration changes
3. Adds proper handler flushing after socket configuration updates
This allows VPN clients to reach the DNS resolver at the local_service_ip address configured on the loopback interface.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 roles/common/tasks/ubuntu.yml | 2 ++
 roles/dns/tasks/main.yml | 4 ++--
 roles/dns/tasks/ubuntu.yml | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index 9f59e33e..c2a73f3e 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -136,6 +136,8 @@
 value: 1
 - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
 value: 1
+ - item: net.ipv4.conf.all.route_localnet
+ value: 1
 - name: Install packages (batch optimization)
 include_tasks: packages.yml
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 0937d896..e1eee5f2 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -3,7 +3,6 @@
 include_tasks: ubuntu.yml
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-
 - name: dnscrypt-proxy ip-blacklist configured
 template:
 src: ip-blacklist.txt.j2
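Review bot: `net.ipv4.conf.all.route_localnet` is a much wider change than the commit message suggests: it stops the kernel from treating 127.0.0.0/8 as martian on every interface, so any service bound only to 127.0.0.1 on the server (not just dnscrypt-proxy) becomes reachable from a VPN peer that sends packets to 127.x unless the firewall drops them — this is the same sysctl behind the kube-proxy localhost-exposure advisory (CVE-2020-8558). The message also says local_service_ip is drawn from 172.16.0.0/12; as far as I can tell route_localnet only affects 127/8, so an address from that range configured on lo is reachable from other interfaces without it, and it is worth confirming this sysctl is really what fixed resolution before keeping it. If it is needed, scope it to the VPN interface(s) rather than `all` and pair it with an INPUT rule that drops traffic to 127.0.0.0/8 arriving on non-loopback interfaces, and annotate the item: `# route_localnet exposes 127/8 listeners to VPN peers; firewall must limit ingress to local_service_ip:53`. The sysctl loop task this item belongs to starts above the hunk.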
@@ -26,11 +25,12 @@
 - meta: flush_handlers
-- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled
+- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled and started
 systemd:
 name: dnscrypt-proxy.socket
 enabled: true
 state: started
+ daemon_reload: true
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 - name: dnscrypt-proxy enabled and started
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index c1bc239c..fc9bbca7 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -76,11 +76,16 @@
 NoDelay=true
 DeferAcceptSec=1
 mode: '0644'
+ register: socket_override
 notify:
 - daemon-reload
 - restart dnscrypt-proxy.socket
 - restart dnscrypt-proxy
+- name: Ubuntu | Flush handlers to restart socket if needed
+ meta: flush_handlers
+ when: socket_override.changed
+
 - name: Ubuntu | Add custom requirements to successfully start the unit
 copy:
 dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
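Review bot: `daemon_reload: true` on the socket task runs `systemctl daemon-reload` on every play, even when nothing changed, and duplicates the `daemon-reload` handler that the `meta: flush_handlers` immediately above this task has already run when the override was rewritten. If it is meant as a belt-and-braces guard for a stale unit definition, say so on the line, e.g. `daemon_reload: true  # guard: override may be written without a notify on reruns`; otherwise drop it and rely on the handler path. The play continues past the hunk, so I cannot see whether a later task also reloads.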
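Review bot: The `when: socket_override.changed` on the new `meta: flush_handlers` task is redundant: flush_handlers only runs handlers that were notified, and the notify on the override task fires exactly when that template changed, so the `register` and the condition add nothing except a dependence on whether the installed Ansible honours `when` on meta tasks, which has varied across releases. Simplify to `- name: Ubuntu | Flush handlers so the socket override is applied before the unit is started` / `meta: flush_handlers`. Note also that flushing here runs `restart dnscrypt-proxy` before the `99-algo.conf` service drop-in below is written, so on first provisioning the service appears to restart twice (once here, once at the flush in main.yml); if that is acceptable, a one-line comment saying the early restart is intentional would help the next reader. The override task this hunk modifies starts above the hunk.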