Merge acc3fe4c95 into 4da752b603

.travis.yml

@@ -45,6 +45,7 @@ install:
   - sudo cp -v ~/.ssh/id_rsa.pub $LXC_ROOTFS/root/.ssh/authorized_keys
   - sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt
   - pip install ansible-lint
+  - pip install netaddr
   - gem install awesome_bot
 
 script:

config.cfg

@@ -47,6 +47,12 @@ CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
 # Block traffic between connected clients
 BetweenClients_DROP: Y
 
+# Used for resolving hosts within the VPN, not connecting to the VPN
+# If BetweenClients_DROP is set to 'N', and the dns_adblocking role is enabled,
+# connected users will be able to communicate with each other using
+# $user.$vpn_domain DNS names
+vpn_domain: algo.internal
+
 congrats:
   common: |
     "#                          Congratulations!                            #"

requirements.txt

@@ -10,3 +10,4 @@ apache-libcloud
 six
 pyopenssl
 jinja2==2.8
+netaddr

roles/dns_adblocking/tasks/main.yml

@@ -27,6 +27,13 @@
       notify:
         - restart dnsmasq
 
+    - name: VPN hosts file configured
+      template:
+        src: etc.hosts.ipsecclients.j2
+        dest: "{{ config_prefix|default('/') }}etc/hosts.ipsecclients"
+      notify:
+        - restart dnsmasq
+
     - name: Adblock script created
       template:
         src: adblock.sh.j2

roles/dns_adblocking/templates/dnsmasq.conf.j2

@@ -132,6 +132,7 @@ bind-interfaces
 # or if you want it to read another file, as well as /etc/hosts, use
 # this.
 # addn-hosts=/var/lib/dnsmasq/block.hosts
+addn-hosts=/etc/hosts.ipsecclients
 
 # Set this (and domain: see below) if you want to have a domain
 # automatically added to simple names in a hosts-file.

roles/dns_adblocking/templates/etc.hosts.ipsecclients.j2

@@ -0,0 +1,3 @@
+{% for user in users %}
+{{ vpn_network | ipaddr(loop.index) | ipaddr('address') }} {{ user }}.{{ vpn_domain }}
+{% endfor %}

roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2

@@ -17,6 +17,7 @@
   /var/lib/dnsmasq/block.hosts r,
   /etc/dnsmasq.d-available/ r,
   /etc/dnsmasq.d-available/* r,
+  /etc/hosts.ipsecclients r,
 
   /usr/sbin/dnsmasq mr,
 

roles/vpn/templates/client_ipsec.conf.j2

@@ -21,6 +21,7 @@ conn ikev2-{{ IP_subject_alt_name }}
 
     leftsourceip=%config
     leftauth=pubkey
+    leftid={{ item }}
     leftcert={{ item }}.crt
     leftfirewall=yes
     left=%defaultroute

roles/vpn/templates/ipsec.conf.j2

@@ -1,5 +1,5 @@
 config setup
-    uniqueids=never # allow multiple connections per user
+    uniqueids=replace  # if the same user connects twice, replace the old connection with the new one
     charondebug="ike {{ strongswan_log_level }}, knl {{ strongswan_log_level }}, cfg {{ strongswan_log_level }}, net {{ strongswan_log_level }}, esp {{ strongswan_log_level }}, dmn {{ strongswan_log_level }},  mgr {{ strongswan_log_level }}"
 
 conn %default
@@ -27,12 +27,17 @@ conn %default
 
     right=%any
     rightauth=pubkey
-    rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }}
 {% if local_dns is defined and local_dns == "Y" %}
     rightdns={{ local_service_ip }}
 {% else %}
     rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
 {% endif %}
 
-conn ikev2-pubkey
+{% for user in users %}
+
+conn AlgoUser-{{ user }}
+    rightid={{ user }}
+    rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
     auto=add
+
+{% endfor %}