pyrocufflink-dns: Cloudflare over ProtonVPN

This commit adds a new playbook, `protonvpn.yml`, and its supporting roles *strongswan-swanctl* and *protonvpn*. This playbook configures strongSwan to connect to ProtonVPN using IPsec/IKEv2. With this playbook, we configure the name servers on the Pyrocufflink network to route all DNS requests through the Cloudflare public DNS recursive servers at 1.1.1.1/1.0.0.1 over ProtonVPN. Using this setup, we have the benefit of the speed of using a public DNS server (which is *significantly* faster than running our own recursive server, usually by 1-2 seconds per request), and the benefit of anonymity from ProtonVPN. Using the public DNS server alone is great for performance, but allows the server operator (in this case Cloudflare) to track and analyze usage patterns. Using ProtonVPN gives us anonymity (assuming we trust ProtonVPN not to do the very same tracking), but can have a negative performance impact if its used for all Internet traffic. By combining these solutions, we can get the benefits of both!
2020-09-06 10:40:08 -05:00 · 2020-09-06 10:40:08 -05:00 · 8ca093050b
parent a7b8e2fbfa
commit 8ca093050b
11 changed files with 124 additions and 0 deletions
--- a/group_vars/pyrocufflink-dns/main.yml
+++ b/group_vars/pyrocufflink-dns/main.yml
@ -1,3 +1,8 @@
+protonvpn_tunnel: 1.1.1.1,1.0.0.1
+named_forward_only: true
+named_forwarders:
+- 1.1.1.1
+- 1.0.0.1
 named_listen:
 - addresses:
  - any
--- a/group_vars/pyrocufflink-dns/secrets
+++ b/group_vars/pyrocufflink-dns/secrets
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34303664613262623439636133393766306638343261373633633136323562643761383039376565
+3339663861393833666164633136373966336630346434660a616231343233653366393666336339
+31643862626561643636343666313539343933353138336166373335323830643361303362353864
+3934633236313862620a616561393265336138383339393063613631633030646633363736333139
+37343664333063616430366534633366383565613530613439313732333232363336626236613235
+35636165386565633466306638656662323739396535386565316662353735386466643038613337
+61363936326363323730393132313532326336373761653237623963363163373633623737643434
+66386234303265343262333566356566626531633665626464343962633337373962396533343432
+6163
--- a/3
+++ b/3
@ -81,6 +81,9 @@ dc0.pyrocufflink.blue
 cloud0.pyrocufflink.blue
 hassdb0.pyrocufflink.blue

+[protonvpn:children]
+pyrocufflink-dns
+
 [public-web]
 web0.pyrocufflink.blue

--- a/protonvpn.yml
+++ b/protonvpn.yml
@ -0,0 +1,3 @@
+- hosts: protonvpn
+  roles:
+  - protonvpn
--- a/roles/protonvpn/defaults/main.yml
+++ b/roles/protonvpn/defaults/main.yml
@ -0,0 +1,2 @@
+protonvpn_server: us-il-41.protonvpn.com
+protonvpn_tunnel: 0.0.0.0/0,::/0
--- a/roles/protonvpn/files/ProtonVPN_ike_root.pem
+++ b/roles/protonvpn/files/ProtonVPN_ike_root.pem
@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
+MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
+QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
+MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
+vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
+wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
+2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
+qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
+nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
+JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
+a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
+WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
+ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
+lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
+m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
+A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
+TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
+blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
+htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
+MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
+ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
+51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
+zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
+eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
+Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
+zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
+N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
+DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
+A1gTTlpi7A==
+-----END CERTIFICATE-----
--- a/roles/protonvpn/handlers/main.yml
+++ b/roles/protonvpn/handlers/main.yml
@ -0,0 +1,3 @@
+- name: reload strongswan config
+  command:
+    swanctl --load-all
--- a/roles/protonvpn/meta/main.yml
+++ b/roles/protonvpn/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+- strongswan-swanctl
--- a/roles/protonvpn/tasks/main.yml
+++ b/roles/protonvpn/tasks/main.yml
@ -0,0 +1,18 @@
+- name: ensure protonvpn ca certificate is installed
+  copy:
+    src: ProtonVPN_ike_root.pem
+    dest: /etc/strongswan/swanctl/x509ca/
+    mode: '0644'
+  notify: reload strongswan config
+  tags:
+  - strongswan-cacert
+
+- name: ensure protonvpn configuration is set
+  template:
+    src: protonvpn.conf.j2
+    dest: /etc/strongswan/swanctl/conf.d/protonvpn.conf
+    mode: '0640'
+  notify: reload strongswan config
+  tags:
+  - strongswan-config
+  - protonvpn-config
--- a/roles/protonvpn/templates/protonvpn.conf.j2
+++ b/roles/protonvpn/templates/protonvpn.conf.j2
@ -0,0 +1,30 @@
+connections {
+    protonvpn {
+        local_addrs = %defaultroute
+        remote_addrs = {{ protonvpn_server }}
+        vips = 0.0.0.0,::
+        local {
+            auth = eap-mschapv2
+            eap_id = {{ protonvpn_username }}
+        }
+        remote {
+            auth = pubkey
+        }
+        children {
+            dpd_delay = 30s
+            protonvpn {
+                remote_ts = {{ protonvpn_tunnel }}
+                start_action = start
+                close_action = start
+                dpd_action = start
+            }
+        }
+    }
+}
+
+secrets {
+    eap-protonvpn {
+        id = {{ protonvpn_username }}
+        secret = {{ protonvpn_password }}
+    }
+}
--- a/roles/strongswan-swanctl/tasks/main.yml
+++ b/roles/strongswan-swanctl/tasks/main.yml
@ -0,0 +1,15 @@
+- name: ensure strongswan is installed
+  package:
+    name: strongswan
+    state: present
+  tags:
+  - install
+
+- name: ensure strongswan starts at boot
+  service:
+    name: strongswan
+    enabled: true
+- name: ensure strongswan is running
+  service:
+    name: strongswan
+    state: started