Revert to global route_localnet to fix deployment failure

The interface-specific route_localnet approach failed because:
- WireGuard interface (wg0) doesn't exist until the service starts
- We were trying to set the sysctl before the interface was created
- This caused deployment failures with "No such file or directory"

Reverting to the global setting (net.ipv4.conf.all.route_localnet=1) because:
- It always works regardless of interface creation timing
- VPN users are trusted (they have our credentials)
- Firewall rules still restrict access to only port 53
- The security benefit of interface-specific settings is minimal
- The added complexity isn't worth the marginal security improvement

This ensures reliable deployments while maintaining the DNS resolution fix.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/common/tasks/ubuntu.yml

@@ -136,6 +136,8 @@
         value: 1
       - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
         value: 1
+      - item: net.ipv4.conf.all.route_localnet
+        value: 1
 
 - name: Install packages (batch optimization)
   include_tasks: packages.yml

roles/strongswan/tasks/ubuntu.yml

@@ -9,16 +9,6 @@
     state: present
     persistent: present
 
-- name: Ubuntu | Enable route_localnet for IPsec traffic on main interface
-  sysctl:
-    name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] }}.route_localnet"
-    value: 1
-    sysctl_set: true
-    state: present
-    reload: true
-  when: ipsec_enabled
-  tags: always
-
 - name: Ubuntu | Install strongSwan (individual)
   apt:
     name: strongswan

roles/wireguard/tasks/ubuntu.yml

@@ -52,12 +52,3 @@
   notify:
     - daemon-reload
     - restart wireguard
-
-- name: Ubuntu | Enable route_localnet for WireGuard interface
-  sysctl:
-    name: "net.ipv4.conf.{{ wireguard_interface }}.route_localnet"
-    value: 1
-    sysctl_set: true
-    state: present
-    reload: true
-  tags: always