From c2ae4fa6d65658d234641a9c2a2661f578880723 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 17 Aug 2025 21:28:44 -0400 Subject: [PATCH] Revert to global route_localnet to fix deployment failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The interface-specific route_localnet approach failed because: - WireGuard interface (wg0) doesn't exist until the service starts - We were trying to set the sysctl before the interface was created - This caused deployment failures with "No such file or directory" Reverting to the global setting (net.ipv4.conf.all.route_localnet=1) because: - It always works regardless of interface creation timing - VPN users are trusted (they have our credentials) - Firewall rules still restrict access to only port 53 - The security benefit of interface-specific settings is minimal - The added complexity isn't worth the marginal security improvement This ensures reliable deployments while maintaining the DNS resolution fix. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
---
 roles/common/tasks/ubuntu.yml | 2 ++
 roles/strongswan/tasks/ubuntu.yml | 10 ----------
 roles/wireguard/tasks/ubuntu.yml | 9 ---------
 3 files changed, 2 insertions(+), 19 deletions(-)
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index 9f59e33e..c2a73f3e 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -136,6 +136,8 @@
 value: 1
 - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
 value: 1
+ - item: net.ipv4.conf.all.route_localnet
+ value: 1
 - name: Install packages (batch optimization)
 include_tasks: packages.yml
diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml
index e23d138b..92601905 100644
--- a/roles/strongswan/tasks/ubuntu.yml
+++ b/roles/strongswan/tasks/ubuntu.yml
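Review bot: The new `net.ipv4.conf.all.route_localnet` item in roles/common/tasks/ubuntu.yml is applied unconditionally and carries no comment, although it relaxes the kernel's loopback-destination (127.0.0.0/8) martian check on every interface including the public one, so the firewall rules the commit message relies on become the only control keeping loopback-bound services unreachable from outside the VPN. A comment next to the item such as `# Global rather than per-interface: wg0/IPsec interfaces do not exist yet when sysctls are applied; firewall must restrict loopback-destined traffic to DNS (port 53)` would record that dependency where the next maintainer will see it. The neighbouring IPv6 item uses the `if … else none` pattern to skip a sysctl; if a variable gates the local resolver this setting exists for, the same pattern (`- item: "{{ 'net.ipv4.conf.all.route_localnet' if <resolver-enabled-var> else none }}"`, placeholder for the project's own variable) would keep the relaxation off on deployments that do not need it. The enclosing sysctl task and its loop start outside the hunk, so whether the list is applied with a `when` is not visible here.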
@@ -9,16 +9,6 @@
 state: present
 persistent: present
-- name: Ubuntu | Enable route_localnet for IPsec traffic on main interface
- sysctl:
- name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] }}.route_localnet"
- value: 1
- sysctl_set: true
- state: present
- reload: true
- when: ipsec_enabled
- tags: always
-
 - name: Ubuntu | Install strongSwan (individual)
 apt:
 name: strongswan
diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml
index 06829042..4051d1e9 100644
--- a/roles/wireguard/tasks/ubuntu.yml
+++ b/roles/wireguard/tasks/ubuntu.yml
@@ -52,12 +52,3 @@
 notify:
 - daemon-reload
 - restart wireguard
-
-- name: Ubuntu | Enable route_localnet for WireGuard interface
- sysctl:
- name: "net.ipv4.conf.{{ wireguard_interface }}.route_localnet"
- value: 1
- sysctl_set: true
- state: present
- reload: true
- tags: always