diff --git a/global_vars/default-site.yml b/global_vars/default-site.yml index 0c572e46a..df674d2b2 100644 --- a/global_vars/default-site.yml +++ b/global_vars/default-site.yml @@ -11,6 +11,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/integration/test-site.yml b/global_vars/integration/test-site.yml index cb5481877..9d906ee2d 100644 --- a/global_vars/integration/test-site.yml +++ b/global_vars/integration/test-site.yml @@ -10,6 +10,8 @@ streisand_admin_email_var: "" # Take a few extra steps during server provisioning to make the client tests work streisand_client_test: true +streisand_ipv6_enabled: yes + # Only services with corresponding tests are enabled. streisand_shadowsocks_enabled: yes streisand_ssh_forward_enabled: yes diff --git a/global_vars/noninteractive/amazon-site.yml b/global_vars/noninteractive/amazon-site.yml index 9a7c050ed..188180ce2 100644 --- a/global_vars/noninteractive/amazon-site.yml +++ b/global_vars/noninteractive/amazon-site.yml @@ -14,6 +14,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/azure-site.yml b/global_vars/noninteractive/azure-site.yml index f8f5273f5..a325e5f2f 100644 --- a/global_vars/noninteractive/azure-site.yml +++ b/global_vars/noninteractive/azure-site.yml @@ -14,6 +14,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/digitalocean-site.yml b/global_vars/noninteractive/digitalocean-site.yml index bc005071f..040407f46 100644 --- a/global_vars/noninteractive/digitalocean-site.yml 
+++ b/global_vars/noninteractive/digitalocean-site.yml @@ -18,6 +18,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/google-site.yml b/global_vars/noninteractive/google-site.yml index bd57985b0..127e661b0 100644 --- a/global_vars/noninteractive/google-site.yml +++ b/global_vars/noninteractive/google-site.yml @@ -13,6 +13,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/linode-site.yml b/global_vars/noninteractive/linode-site.yml index a6c5e69fd..a66675f76 100644 --- a/global_vars/noninteractive/linode-site.yml +++ b/global_vars/noninteractive/linode-site.yml @@ -12,6 +12,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/local-site.yml b/global_vars/noninteractive/local-site.yml index 7cda0dc83..272673ad2 100644 --- a/global_vars/noninteractive/local-site.yml +++ b/global_vars/noninteractive/local-site.yml @@ -13,6 +13,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/global_vars/noninteractive/rackspace-site.yml b/global_vars/noninteractive/rackspace-site.yml index 50528ccae..d7f85c422 100644 --- a/global_vars/noninteractive/rackspace-site.yml +++ b/global_vars/noninteractive/rackspace-site.yml 
@@ -12,6 +12,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa" vpn_clients: 5 +streisand_ipv6_enabled: yes + streisand_openconnect_enabled: yes streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: yes diff --git a/playbooks/customize.yml b/playbooks/customize.yml index 568fe0a2d..219efb27e 100644 --- a/playbooks/customize.yml +++ b/playbooks/customize.yml @@ -12,6 +12,10 @@ prompt: "How many VPN client profiles should be generated per-service (min: 1 max: 20)? Press enter for default " default: 5 private: no + - name: streisand_ipv6_enabled + prompt: "Enable IPv6, if available? Press enter for default " + default: "yes" + private: no - name: streisand_openconnect_enabled prompt: "Enable OpenConnect? Press enter for default " default: "yes" @@ -66,6 +70,10 @@ path: "{{ streisand_site_vars }}" regexp: "^vpn_clients: [\\d]+$" line: "vpn_clients: {{ vpn_clients }}" + - lineinfile: + path: "{{ streisand_site_vars }}" + regexp: "^streisand_ipv6_enabled: (?:yes|no)$" + line: "streisand_ipv6_enabled: {{ streisand_ipv6_enabled }}" - lineinfile: path: "{{ streisand_site_vars }}" regexp: "^streisand_openconnect_enabled: (?:yes|no)$" diff --git a/playbooks/roles/common/tasks/set-default-variables.yml b/playbooks/roles/common/tasks/set-default-variables.yml index 67b11af2e..f7aaeb443 100644 --- a/playbooks/roles/common/tasks/set-default-variables.yml +++ b/playbooks/roles/common/tasks/set-default-variables.yml 
@@ -39,3 +39,16 @@ - import_tasks: detect-public-ip.yml when: (hostvars['127.0.0.1']['streisand_genesis_role'] is defined and ((hostvars['127.0.0.1']['streisand_genesis_role'] == "localhost") or (hostvars['127.0.0.1']['streisand_genesis_role'] == "existing-server"))) + +- name: If streisand_ipv6_address is undefined and IPv6 is enabled, change it to Ansible's default IPv6 address + set_fact: + streisand_ipv6_address: "{{ ansible_default_ipv6.address }}" + when: + - streisand_ipv6_address is not defined + - streisand_ipv6_enabled + - ansible_default_ipv6.address is defined + +- name: If there's an IPv6 address, generate a gateway URL using it + set_fact: + streisand_gateway_url_ipv6: "https://[{{ streisand_ipv6_address }}]" + when: streisand_ipv6_address is defined \ No newline at end of file diff --git a/playbooks/roles/ec2-security-group/tasks/main.yml b/playbooks/roles/ec2-security-group/tasks/main.yml index 849cc83a3..b1e8296ac 100644 --- a/playbooks/roles/ec2-security-group/tasks/main.yml +++ b/playbooks/roles/ec2-security-group/tasks/main.yml @@ -21,29 +21,19 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" rules: - # Nginx - # --- - proto: tcp - from_port: "{{ nginx_port }}" - to_port: "{{ nginx_port }}" - cidr_ip: 0.0.0.0/0 - # SSH - # --- - - proto: tcp - from_port: "{{ ssh_port }}" - to_port: "{{ ssh_port }}" - cidr_ip: 0.0.0.0/0 - # HTTP (Let's Encrypt) - # --- - - proto: tcp - from_port: "{{ le_port }}" - to_port: "{{ le_port }}" + ports: + - "{{ nginx_port }}" + - "{{ ssh_port }}" + # HTTP, for Let's Encrypt + - "{{ le_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 rules_egress: - proto: all - from_port: 1 - to_port: 65535 + ports: 1-65535 cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 # OpenConnect # --- 
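Review bot: The first added task's `when` list references `streisand_ipv6_enabled` bare, so on a site vars file written before this key existed the conditional fails with an undefined-variable error instead of skipping; `- streisand_ipv6_enabled | default(false)` keeps the task a no-op there. Both new tasks derive `streisand_ipv6_address` from `ansible_default_ipv6.address`, which I believe Ansible takes from the kernel's source-address selection; once the sysctl role's `use_tempaddr = 2` is in effect that selection can prefer a temporary address, so the advertised address may change between runs — worth confirming against the host's stable global address before it is baked into the gateway URL and certificate. The new file also ends without a trailing newline (`\ No newline at end of file`).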
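Review bot: Every ingress rule now carries `cidr_ipv6: ::/0` unconditionally, so the IPv6 exposure is granted even when `streisand_ipv6_enabled` is `no`; the same applies to the OpenConnect, OpenVPN, stunnel, Shadowsocks, Tor and WireGuard hunks later in this file. On an instance without an IPv6 address the rule is inert, but it is still broader than the operator asked for; `cidr_ipv6: "{{ '::/0' if streisand_ipv6_enabled else omit }}"` keeps the key out of the rule when IPv6 is disabled. Quoting the literal (`cidr_ipv6: "::/0"`) is also safer than relying on a plain scalar that begins with the `:` indicator.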
@@ -58,18 +48,14 @@ purge_rules: no purge_rules_egress: no rules: - # OpenConnect TCP - # --- - proto: tcp - from_port: "{{ ocserv_port }}" - to_port: "{{ ocserv_port }}" + ports: "{{ ocserv_port }}" cidr_ip: 0.0.0.0/0 - # OpenConnect UDP - # --- + cidr_ipv6: ::/0 - proto: udp - from_port: "{{ ocserv_port }}" - to_port: "{{ ocserv_port }}" + ports: "{{ ocserv_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_openconnect_enabled # OpenVPN @@ -85,18 +71,14 @@ purge_rules: no purge_rules_egress: no rules: - # OpenVPN TCP - # --- - proto: tcp - from_port: "{{ openvpn_port }}" - to_port: "{{ openvpn_port }}" + ports: "{{ openvpn_port }}" cidr_ip: 0.0.0.0/0 - # OpenVPN UDP - # --- + cidr_ipv6: ::/0 - proto: udp - from_port: "{{ openvpn_port_udp }}" - to_port: "{{ openvpn_port_udp }}" + ports: "{{ openvpn_port_udp }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_openvpn_enabled # stunnel @@ -112,12 +94,10 @@ purge_rules: no purge_rules_egress: no rules: - # Stunnel - # --- - proto: tcp - from_port: "{{ stunnel_remote_port }}" - to_port: "{{ stunnel_remote_port }}" + ports: "{{ stunnel_remote_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_openvpn_enabled and streisand_stunnel_enabled # Shadowsocks @@ -133,18 +113,14 @@ purge_rules: no purge_rules_egress: no rules: - # Shadowsocks TCP - # --- - proto: tcp - from_port: "{{ shadowsocks_server_port }}" - to_port: "{{ shadowsocks_server_port }}" + ports: "{{ shadowsocks_server_port }}" cidr_ip: 0.0.0.0/0 - # Shadowsocks UDP - # --- + cidr_ipv6: ::/0 - proto: udp - from_port: "{{ shadowsocks_server_port }}" - to_port: "{{ shadowsocks_server_port }}" + ports: "{{ shadowsocks_server_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_shadowsocks_enabled # Tor 
@@ -160,18 +136,14 @@ purge_rules: no purge_rules_egress: no rules: - # Tor - # --- - proto: tcp - from_port: "{{ tor_orport }}" - to_port: "{{ tor_orport }}" + ports: "{{ tor_orport }}" cidr_ip: 0.0.0.0/0 - # Tor obfs4 - # --- + cidr_ipv6: ::/0 - proto: tcp - from_port: "{{ tor_obfs4_port }}" - to_port: "{{ tor_obfs4_port }}" + ports: "{{ tor_obfs4_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_tor_enabled # WireGuard @@ -188,7 +160,7 @@ purge_rules_egress: no rules: - proto: udp - from_port: "{{ wireguard_port }}" - to_port: "{{ wireguard_port }}" + ports: "{{ wireguard_port }}" cidr_ip: 0.0.0.0/0 + cidr_ipv6: ::/0 when: streisand_wireguard_enabled diff --git a/playbooks/roles/genesis-digitalocean/tasks/main.yml b/playbooks/roles/genesis-digitalocean/tasks/main.yml index 0e8b11ebc..c6315f3de 100644 --- a/playbooks/roles/genesis-digitalocean/tasks/main.yml +++ b/playbooks/roles/genesis-digitalocean/tasks/main.yml @@ -35,6 +35,7 @@ unique_name: yes wait: yes api_token: "{{ do_access_token }}" + ipv6: "{{ streisand_ipv6_enabled }}" register: streisand_server rescue: - fail: diff --git a/playbooks/roles/shadowsocks/templates/config.json.j2 b/playbooks/roles/shadowsocks/templates/config.json.j2 index d315a3c5e..463ce2372 100644 --- a/playbooks/roles/shadowsocks/templates/config.json.j2 +++ b/playbooks/roles/shadowsocks/templates/config.json.j2 @@ -1,5 +1,10 @@ { - "server":"{{ ansible_default_ipv4.address }}", + "server": +{% if streisand_ipv6_address is defined %} + ["{{ ansible_default_ipv4.address }}", "{{ ansible_default_ipv6.address }}"], +{% else %} + "{{ ansible_default_ipv4.address }}", +{% endif %} "server_port":{{ shadowsocks_server_port }}, "local_port":{{ shadowsocks_local_port }}, "password":"{{ shadowsocks_password.stdout }}", diff --git a/playbooks/roles/sslh/templates/sslh.cfg.j2 b/playbooks/roles/sslh/templates/sslh.cfg.j2 index 31623c59d..a0080111b 100644 --- a/playbooks/roles/sslh/templates/sslh.cfg.j2 
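Review bot: The new branch is guarded by `streisand_ipv6_address is defined` but then binds to `ansible_default_ipv6.address`, so the Shadowsocks listener and the address advertised to clients (gateway URL, certificate SAN) can diverge whenever the operator set `streisand_ipv6_address` explicitly, and the template errors out if `ansible_default_ipv6` has no `address` on that host; `["{{ ansible_default_ipv4.address }}", "{{ streisand_ipv6_address }}"],` keeps the two in step. The sslh.cfg.j2 hunk has the same mismatch in its added `host:` entry.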
+++ b/playbooks/roles/sslh/templates/sslh.cfg.j2 @@ -6,6 +6,9 @@ pidfile: "{{ sslh_pid_file }}"; listen: ( +{% if streisand_ipv6_address is defined %} + { host: "{{ ansible_default_ipv6.address }}"; port: "443"; }, +{% endif %} { host: "{{ ansible_default_ipv4.address }}"; port: "443"; } ); diff --git a/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2 b/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2 index 67a944b1a..cebc9cb61 100644 --- a/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2 +++ b/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2 @@ -190,6 +190,10 @@ Connexion à votre passerelle Streisand [{{ streisand_domain }}](https://{{ streisand_domain }}/index-fr.html) {% else %} [{{ streisand_gateway_url }}]({{ streisand_gateway_url }}/index-fr.html) +{% if streisand_gateway_url_ipv6 is defined %} + +IPv6: [{{ streisand_gateway_url_ipv6 }}]({{ streisand_gateway_url_ipv6 }}) +{% endif %} {% endif %} username: `{{ streisand_gateway_username }}` diff --git a/playbooks/roles/streisand-gateway/templates/instructions.md.j2 b/playbooks/roles/streisand-gateway/templates/instructions.md.j2 index 14b42b4a5..093d846cd 100644 --- a/playbooks/roles/streisand-gateway/templates/instructions.md.j2 +++ b/playbooks/roles/streisand-gateway/templates/instructions.md.j2 @@ -180,6 +180,10 @@ Connecting to your Streisand Gateway [{{ streisand_domain }}](https://{{ streisand_domain }}) {% else %} [{{ streisand_gateway_url }}]({{ streisand_gateway_url }}) +{% if streisand_gateway_url_ipv6 is defined %} + +IPv6: [{{ streisand_gateway_url_ipv6 }}]({{ streisand_gateway_url_ipv6 }}) +{% endif %} {% endif %} username: `{{ streisand_gateway_username }}` diff --git a/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2 b/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2 index 3dd4eaa80..41dc08324 100644 --- a/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2 
+++ b/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2 @@ -44,6 +44,10 @@ emailAddress = optional [ alt_names ] IP.0 = {{ streisand_ipv4_address }} DNS.0 = {{ streisand_ipv4_address }} +{% if streisand_ipv6_address is defined %} +IP.1 = {{ streisand_ipv6_address }} +DNS.1 = {{ streisand_ipv6_address }} +{% endif %} [ req_distinguished_name ] countryName = Country Name (2 letter code) diff --git a/playbooks/roles/sysctl/vars/main.yml b/playbooks/roles/sysctl/vars/main.yml index c77c25647..b82bcb997 100644 --- a/playbooks/roles/sysctl/vars/main.yml +++ b/playbooks/roles/sysctl/vars/main.yml 
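Review bot: `DNS.1 = {{ streisand_ipv6_address }}` places an IPv6 literal in a dNSName SAN, which is not a valid hostname form (colons are not permitted) and, as far as I know, is not consulted by browsers when matching a bracketed `https://[addr]` URL — the `IP.1` entry is what that match uses — while stricter X.509 parsers may reject the certificate outright. Dropping `DNS.1` and keeping only `IP.1` avoids that risk; the pre-existing `DNS.0` line for IPv4 has the same shape but is outside this change.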
@@ -7,20 +7,37 @@ sysctl_values: - { key: kernel.msgmax, value: 65536 } - { key: kernel.shmmax, value: 68719476736 } - { key: kernel.shmall, value: 4294967296 } + - { key: net.ipv4.conf.all.accept_source_route, value: 0 } - { key: net.ipv4.conf.default.accept_source_route, value: 0 } + - { key: net.ipv6.conf.all.accept_source_route, value: 0 } + - { key: net.ipv6.conf.default.accept_source_route, value: 0 } + - { key: net.ipv4.conf.all.log_martians, value: 1 } - { key: net.ipv4.conf.default.log_martians, value: 1 } + - { key: net.ipv4.conf.all.accept_redirects, value: 0 } - { key: net.ipv4.conf.default.accept_redirects, value: 0 } + - { key: net.ipv6.conf.all.accept_redirects, value: 0 } + - { key: net.ipv6.conf.default.accept_redirects, value: 0 } + - { key: net.ipv4.conf.all.send_redirects, value: 0 } - { key: net.ipv4.conf.default.send_redirects, value: 0 } + - { key: net.ipv4.conf.all.rp_filter, value: 0 } - { key: net.ipv4.conf.default.rp_filter, value: 0 } + - { key: net.ipv4.icmp_echo_ignore_broadcasts, value: 1 } - { key: net.ipv4.icmp_ignore_bogus_error_responses, value: 1 } + - { key: net.ipv4.conf.all.secure_redirects, value: 0 } - { key: net.ipv4.conf.default.secure_redirects, value: 0 } + - { key: net.ipv6.conf.all.secure_redirects, value: 0 } + - { key: net.ipv6.conf.default.secure_redirects, value: 0 } + + - { key: net.ipv6.conf.all.use_tempaddr, value: 2 } + - { key: net.ipv6.conf.default.use_tempaddr, value: 2 } + - { key: kernel.randomize_va_space, value: 1 } - { key: net.core.wmem_max, value: 12582912 } - { key: net.core.rmem_max, value: 12582912 } diff --git a/tests/site_vars/openconnect.yml b/tests/site_vars/openconnect.yml index 667366d26..84f9dce9c 100644 --- a/tests/site_vars/openconnect.yml +++ b/tests/site_vars/openconnect.yml @@ -1,6 +1,7 @@ --- # This site config only enables OpenConnect vpn_clients: 5 +streisand_ipv6_enabled: yes streisand_openconnect_enabled: yes streisand_openvpn_enabled: no streisand_shadowsocks_enabled: no 
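Review bot: `net.ipv6.conf.all.use_tempaddr` / `default.use_tempaddr` set to `2` enables privacy extensions and makes the kernel prefer temporary addresses for outgoing connections, which is a client-oriented setting: on a server whose stable address is published in the gateway URL and certificate it means outbound traffic, and possibly the address Ansible reports as `ansible_default_ipv6.address`, no longer match the advertised one. If that is intentional, a comment such as `# prefer temporary source addresses for outbound IPv6 (privacy extensions)` above the two entries would document it; otherwise `value: 1` (generate but do not prefer) is the more conservative choice. The IPv6 block also has no `accept_ra` entry; if IPv6 forwarding is enabled elsewhere for the VPN roles (not visible here), the kernel stops honouring router advertisements unless `accept_ra` is `2`, which can cost a SLAAC-provisioned host its IPv6 default route.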
diff --git a/tests/site_vars/openvpn.yml b/tests/site_vars/openvpn.yml index 00cd191a1..54cb5e73a 100644 --- a/tests/site_vars/openvpn.yml +++ b/tests/site_vars/openvpn.yml @@ -1,6 +1,7 @@ --- # This site config only enables openvpn vpn_clients: 5 +streisand_ipv6_enabled: yes streisand_openconnect_enabled: no streisand_openvpn_enabled: yes streisand_shadowsocks_enabled: no diff --git a/tests/site_vars/random.yml b/tests/site_vars/random.yml index 54be69472..aefc70e85 100644 --- a/tests/site_vars/random.yml +++ b/tests/site_vars/random.yml @@ -2,6 +2,7 @@ vpn_clients: 1 # Streisand CI's task randomizes these "_enabled" vars at build-time +streisand_ipv6_enabled: no streisand_openconnect_enabled: no streisand_openvpn_enabled: no streisand_shadowsocks_enabled: no diff --git a/tests/site_vars/shadowsocks.yml b/tests/site_vars/shadowsocks.yml index f752ba8ed..22b609342 100644 --- a/tests/site_vars/shadowsocks.yml +++ b/tests/site_vars/shadowsocks.yml @@ -1,6 +1,7 @@ --- # This site config only enables Shadowsocks vpn_clients: 5 +streisand_ipv6_enabled: yes streisand_openconnect_enabled: no streisand_openvpn_enabled: no streisand_shadowsocks_enabled: yes diff --git a/tests/site_vars/ssh.yml b/tests/site_vars/ssh.yml index 5e9c13f21..f6de8f34c 100644 --- a/tests/site_vars/ssh.yml +++ b/tests/site_vars/ssh.yml @@ -1,6 +1,7 @@ --- # This site config only enables SSH forwarding and sshutle vpn_clients: 5 +streisand_ipv6_enabled: yes streisand_openconnect_enabled: no streisand_openvpn_enabled: no streisand_shadowsocks_enabled: no