From c8d1777ad461b6479f9d01ff83e711a35a7711a3 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 17 Aug 2025 21:17:53 -0400 Subject: [PATCH] Improve security by using interface-specific route_localnet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of enabling route_localnet globally (net.ipv4.conf.all.route_localnet), this change enables it only on the specific interfaces that need it: - WireGuard interface (wg0) for WireGuard VPN clients - Main network interface (eth0/etc) for IPsec VPN clients This minimizes the security impact by restricting loopback routing to only the VPN interfaces, preventing other interfaces from being able to route to loopback addresses. The interface-specific approach provides the same functionality (allowing VPN clients to reach the DNS resolver on the local_service_ip) while reducing the potential attack surface. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- roles/common/tasks/ubuntu.yml | 2 -- roles/strongswan/tasks/ubuntu.yml | 10 ++++++++++ roles/wireguard/tasks/ubuntu.yml | 9 +++++++++ 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index c2a73f3e..9f59e33e 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -136,8 +136,6 @@ value: 1 - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}" value: 1 - - item: net.ipv4.conf.all.route_localnet - value: 1 - name: Install packages (batch optimization) include_tasks: packages.yml
diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml
index 92601905..e23d138b 100644
--- a/roles/strongswan/tasks/ubuntu.yml
+++ b/roles/strongswan/tasks/ubuntu.yml
@@ -9,6 +9,16 @@ state: present persistent: present
+- name: Ubuntu | Enable route_localnet for IPsec traffic on main interface
+ sysctl:
+ name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] }}.route_localnet"
+ value: 1
+ sysctl_set: true
+ state: present
+ reload: true
+ when: ipsec_enabled
+ tags: always
+
 - name: Ubuntu | Install strongSwan (individual) apt: name: strongswan
diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml
index 4051d1e9..06829042 100644
--- a/roles/wireguard/tasks/ubuntu.yml
+++ b/roles/wireguard/tasks/ubuntu.yml
@@ -52,3 +52,12 @@ notify: - daemon-reload - restart wireguard
+
+- name: Ubuntu | Enable route_localnet for WireGuard interface
+ sysctl:
+ name: "net.ipv4.conf.{{ wireguard_interface }}.route_localnet"
+ value: 1
+ sysctl_set: true
+ state: present
+ reload: true
+ tags: always
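Review bot: Nothing in the change resets `net.ipv4.conf.all.route_localnet` on hosts deployed before it, so the global setting the commit retires stays in their persisted sysctl file and running kernel; roles/common only drops the item from its list, and `state: present` on the remaining items does not unset it. A companion sysctl task that sets `net.ipv4.conf.all.route_localnet` to `0` on the running kernel and removes it from the persisted file would make the narrowing take effect on upgrades as well as fresh installs. On the new task itself, enabling route_localnet on `ansible_default_ipv4['interface']` relaxes the loopback martian check for everything arriving on that public interface, not only decrypted IPsec traffic, so the restriction the message describes presumably rests on the role's firewall rules (not visible in this diff) confining loopback-bound traffic to VPN sources. A comment on the task such as `# relies on the firewall rules limiting loopback-bound traffic to VPN clients` would record that dependency for the next maintainer.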
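Review bot: The new task applies `net.ipv4.conf.{{ wireguard_interface }}.route_localnet` to the running kernel (`sysctl_set: true`) right after the unit file is installed, but the `restart wireguard` handler notified just above it does not run until the end of the play, so on a first deployment the interface key may not exist yet and the task would fail with a missing-key error unless the interface is already up from an earlier step not visible here. Flushing handlers before this task, `- meta: flush_handlers`, or applying the setting from the interface's WireGuard `PostUp` line would remove that ordering dependency. Per-interface sysctl keys also exist only while the interface does, so whether the persisted entry is re-applied after a reboot once wg0 comes up depends on the host's udev/systemd-sysctl hooks; that assumption is worth confirming and stating in a comment on the task.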