Improve security by using interface-specific route_localnet

Instead of enabling route_localnet globally (net.ipv4.conf.all.route_localnet),
this change enables it only on the specific interfaces that need it:
- WireGuard interface (wg0) for WireGuard VPN clients
- Main network interface (eth0/etc) for IPsec VPN clients

This minimizes the security impact by restricting loopback routing to only
the VPN interfaces, preventing other interfaces from being able to route
to loopback addresses.

The interface-specific approach provides the same functionality (allowing
VPN clients to reach the DNS resolver on the local_service_ip) while
reducing the potential attack surface.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/common/tasks/ubuntu.yml

@@ -136,8 +136,6 @@
         value: 1
       - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
         value: 1
-      - item: net.ipv4.conf.all.route_localnet
-        value: 1
 
 - name: Install packages (batch optimization)
   include_tasks: packages.yml

roles/strongswan/tasks/ubuntu.yml

@@ -9,6 +9,16 @@
     state: present
     persistent: present
 
+- name: Ubuntu | Enable route_localnet for IPsec traffic on main interface
+  sysctl:
+    name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] }}.route_localnet"
+    value: 1
+    sysctl_set: true
+    state: present
+    reload: true
+  when: ipsec_enabled
+  tags: always
+
 - name: Ubuntu | Install strongSwan (individual)
   apt:
     name: strongswan

roles/wireguard/tasks/ubuntu.yml

@@ -52,3 +52,12 @@
   notify:
     - daemon-reload
     - restart wireguard
+
+- name: Ubuntu | Enable route_localnet for WireGuard interface
+  sysctl:
+    name: "net.ipv4.conf.{{ wireguard_interface }}.route_localnet"
+    value: 1
+    sysctl_set: true
+    state: present
+    reload: true
+  tags: always