From ed6e2d998da758edef3fe4456a47c7a4ff19bd3a Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Tue, 24 Apr 2018 02:06:34 +0300
Subject: [PATCH] Add ipv6 address to subjectAltName if supported (#881)

CHANGELOG

Some changes

Some changes
---
 CHANGELOG.md                      |  9 +++++++++
 roles/vpn/defaults/main.yml       |  3 +++
 roles/vpn/tasks/openssl.yml       | 14 +++++++++-----
 roles/vpn/templates/ipsec.conf.j2 |  2 +-
 4 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..47b09d0
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,9 @@
+## 19 Apr 2018
+### Added
+- IPv6 in subjectAltName of the certificates. This allows connecting to the Algo instance via the main IPv6 address
+
+### Fixed
+- IPv6 DNS addresses were not passing to the client
+
+### Release notes
+- In order to use the IPv6 address as the connection endpoint you need to [reinit](https://github.com/trailofbits/algo/blob/master/config.cfg#L14) the PKI and [reconfigure](https://github.com/trailofbits/algo#configure-the-vpn-clients) your devices with new certificates.
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index 12f6788..2efc124 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+ipv6_support: false
+domain: false
+subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
 openssl_bin: openssl
 strongswan_enabled_plugins:
   - aes
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index 2457ea7..b4928cd 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@@ -1,11 +1,15 @@
 ---
-
 - block:
+  - name: Set subjectAltName as a fact
+    set_fact:
+      subjectAltName: "{{ subjectAltName_IP }}{% if ipv6_support and ansible_default_ipv6 %},IP:{{ ansible_default_ipv6['address'] }}{% endif %}{% if domain and subjectAltName_DNS %},DNS:{{ subjectAltName_DNS }}{% endif %}"
+    tags: always
+
   - name: Ensure the pki directory does not exist
     file:
       dest: configs/{{ IP_subject_alt_name }}/pki
       state: absent
-    when: easyrsa_reinit_existent == True
+    when: easyrsa_reinit_existent|bool == True
 
   - name: Ensure the pki directories exist
     file:
@@ -41,7 +45,7 @@
       {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
       {{ openssl_bin }} req -utf8 -new
       -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -keyout private/cakey.pem
       -out cacert.pem -x509 -days 3650
       -batch
@@ -68,7 +72,7 @@
     shell: >
       {{ openssl_bin }} req -utf8 -new
       -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -keyout private/{{ IP_subject_alt_name }}.key
       -out reqs/{{ IP_subject_alt_name }}.req -nodes
       -passin pass:"{{ easyrsa_CA_password }}"
@@ -76,7 +80,7 @@
       {{ openssl_bin }} ca -utf8
       -in reqs/{{ IP_subject_alt_name }}.req
       -out certs/{{ IP_subject_alt_name }}.crt
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -days 3650 -batch
       -passin pass:"{{ easyrsa_CA_password }}"
       -subj "/CN={{ IP_subject_alt_name }}" &&
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 6c5a2d4..1c4f6df 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -31,7 +31,7 @@ conn %default
 {% if local_dns is defined and local_dns == "Y" %}
     rightdns={{ local_service_ip }}
 {% else %}
-    rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
+    rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
 {% endif %}
 
 conn ikev2-pubkey