From 8ca093050bfae09c439ec0b778171b85a70bd66c Mon Sep 17 00:00:00 2001 
From: "Dustin C. Hatch" Date: Sun, 6 Sep 2020 10:40:08 -0500 Subject: [PATCH] pyrocufflink-dns: Cloudflare over ProtonVPN This commit adds a new playbook, `protonvpn.yml`, and its supporting roles *strongswan-swanctl* and *protonvpn*. This playbook configures strongSwan to connect to ProtonVPN using IPsec/IKEv2. With this playbook, we configure the name servers on the Pyrocufflink network to route all DNS requests through the Cloudflare public DNS recursive servers at 1.1.1.1/1.0.0.1 over ProtonVPN. Using this setup, we have the benefit of the speed of using a public DNS server (which is *significantly* faster than running our own recursive server, usually by 1-2 seconds per request), and the benefit of anonymity from ProtonVPN. Using the public DNS server alone is great for performance, but allows the server operator (in this case Cloudflare) to track and analyze usage patterns. Using ProtonVPN gives us anonymity (assuming we trust ProtonVPN not to do the very same tracking), but can have a negative performance impact if it's used for all Internet traffic. By combining these solutions, we can get the benefits of both!
--- .../main.yml} | 5 +++ group_vars/pyrocufflink-dns/secrets | 10 ++++++ hosts | 3 ++ protonvpn.yml | 3 ++ roles/protonvpn/defaults/main.yml | 2 ++ roles/protonvpn/files/ProtonVPN_ike_root.pem | 33 +++++++++++++++++++ roles/protonvpn/handlers/main.yml | 3 ++ roles/protonvpn/meta/main.yml | 2 ++ roles/protonvpn/tasks/main.yml | 18 ++++++++++ roles/protonvpn/templates/protonvpn.conf.j2 | 30 +++++++++++++++++ roles/strongswan-swanctl/tasks/main.yml | 15 +++++++++ 11 files changed, 124 insertions(+) rename group_vars/{pyrocufflink-dns.yml => pyrocufflink-dns/main.yml} (92%) create mode 100644 group_vars/pyrocufflink-dns/secrets create mode 100644 protonvpn.yml create mode 100644 roles/protonvpn/defaults/main.yml create mode 100644 roles/protonvpn/files/ProtonVPN_ike_root.pem create mode 100644 roles/protonvpn/handlers/main.yml create mode 100644 roles/protonvpn/meta/main.yml create mode 100644 roles/protonvpn/tasks/main.yml create mode 100644 roles/protonvpn/templates/protonvpn.conf.j2 create mode 100644 roles/strongswan-swanctl/tasks/main.yml diff --git a/group_vars/pyrocufflink-dns.yml b/group_vars/pyrocufflink-dns/main.yml similarity index 92% rename from group_vars/pyrocufflink-dns.yml rename to group_vars/pyrocufflink-dns/main.yml index 6378778..af18adf 100644 --- a/group_vars/pyrocufflink-dns.yml +++ b/group_vars/pyrocufflink-dns/main.yml @@ -1,3 +1,8 @@ +protonvpn_tunnel: 1.1.1.1,1.0.0.1 +named_forward_only: true +named_forwarders: +- 1.1.1.1 +- 1.0.0.1 named_listen: - addresses: - any diff --git a/group_vars/pyrocufflink-dns/secrets b/group_vars/pyrocufflink-dns/secrets new file mode 100644 index 0000000..0fd6105 --- /dev/null +++ b/group_vars/pyrocufflink-dns/secrets 
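Review bot: With `named_forward_only: true` and forwarders 1.1.1.1/1.0.0.1, every query leaves the name server toward addresses that are only protected while the `protonvpn` child SA is up; while it is down or being re-established (the `start_action`/`dpd_action = start` lines in protonvpn.conf.j2 re-initiate the tunnel but, as far as I can tell, do not hold matching packets), those queries would follow the default route in the clear, so the privacy goal of this commit fails open. If that matters, consider an egress rule that only lets port 53 traffic to those two addresses leave when it matches the IPsec policy (e.g. iptables `-m policy --dir out --pol ipsec`), or `start_action = trap` so a trap policy stays installed between SAs — worth confirming against the installed strongSwan version. Any fail-closed rule must still allow the host to resolve `protonvpn_server` itself, since `remote_addrs` is a hostname and the tunnel cannot bootstrap otherwise. A comment above `protonvpn_tunnel`, such as `# must list the same addresses as named_forwarders`, would keep the two settings from drifting apart.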
@@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +34303664613262623439636133393766306638343261373633633136323562643761383039376565 +3339663861393833666164633136373966336630346434660a616231343233653366393666336339 +31643862626561643636343666313539343933353138336166373335323830643361303362353864 +3934633236313862620a616561393265336138383339393063613631633030646633363736333139 +37343664333063616430366534633366383565613530613439313732333232363336626236613235 +35636165386565633466306638656662323739396535386565316662353735386466643038613337 +61363936326363323730393132313532326336373761653237623963363163373633623737643434 +66386234303265343262333566356566626531633665626464343962633337373962396533343432 +6163 diff --git a/hosts b/hosts index 1b5515c..aae1ac7 100644 --- a/hosts +++ b/hosts @@ -81,6 +81,9 @@ dc0.pyrocufflink.blue cloud0.pyrocufflink.blue hassdb0.pyrocufflink.blue +[protonvpn:children] +pyrocufflink-dns + [public-web] web0.pyrocufflink.blue diff --git a/protonvpn.yml b/protonvpn.yml new file mode 100644 index 0000000..5ab95ce --- /dev/null +++ b/protonvpn.yml @@ -0,0 +1,3 @@ +- hosts: protonvpn + roles: + - protonvpn diff --git a/roles/protonvpn/defaults/main.yml b/roles/protonvpn/defaults/main.yml new file mode 100644 index 0000000..8c9ca64 --- /dev/null +++ b/roles/protonvpn/defaults/main.yml @@ -0,0 +1,2 @@ +protonvpn_server: us-il-41.protonvpn.com +protonvpn_tunnel: 0.0.0.0/0,::/0 diff --git a/roles/protonvpn/files/ProtonVPN_ike_root.pem b/roles/protonvpn/files/ProtonVPN_ike_root.pem new file mode 100644 index 0000000..6cc7940 --- /dev/null +++ b/roles/protonvpn/files/ProtonVPN_ike_root.pem 
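Review bot: The role default `protonvpn_tunnel: 0.0.0.0/0,::/0` is undocumented, and it means any host later added to the `protonvpn` group without an override gets a full IPv4+IPv6 tunnel rather than the DNS-only selector the one consumer in this commit (pyrocufflink-dns) uses. A one-line comment in the defaults file, e.g. `# Traffic selectors (remote_ts) routed over ProtonVPN; the default is a full tunnel`, would make that behavior explicit to the next person who reuses the role.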
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
+MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
+QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
+MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
+vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
+wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
+2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
+qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
+nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
+JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
+a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
+WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
+ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
+lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
+m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
+A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
+TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
+blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
+htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
+MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
+ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
+51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
+zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
+eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
+Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
+zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
+N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
+DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ +A1gTTlpi7A== +-----END CERTIFICATE----- diff --git a/roles/protonvpn/handlers/main.yml b/roles/protonvpn/handlers/main.yml new file mode 100644 index 0000000..3e98587 --- /dev/null +++ b/roles/protonvpn/handlers/main.yml @@ -0,0 +1,3 @@ +- name: reload strongswan config + command: + swanctl --load-all diff --git a/roles/protonvpn/meta/main.yml b/roles/protonvpn/meta/main.yml new file mode 100644 index 0000000..c8e2185 --- /dev/null +++ b/roles/protonvpn/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- strongswan-swanctl diff --git a/roles/protonvpn/tasks/main.yml b/roles/protonvpn/tasks/main.yml new file mode 100644 index 0000000..dd9ee60 --- /dev/null +++ b/roles/protonvpn/tasks/main.yml @@ -0,0 +1,18 @@ +- name: ensure protonvpn ca certificate is installed + copy: + src: ProtonVPN_ike_root.pem + dest: /etc/strongswan/swanctl/x509ca/ + mode: '0644' + notify: reload strongswan config + tags: + - strongswan-cacert + +- name: ensure protonvpn configuration is set + template: + src: protonvpn.conf.j2 + dest: /etc/strongswan/swanctl/conf.d/protonvpn.conf + mode: '0640' + notify: reload strongswan config + tags: + - strongswan-config + - protonvpn-config diff --git a/roles/protonvpn/templates/protonvpn.conf.j2 b/roles/protonvpn/templates/protonvpn.conf.j2 new file mode 100644 index 0000000..50ba0ed --- /dev/null +++ b/roles/protonvpn/templates/protonvpn.conf.j2 @@ -0,0 +1,30 @@ +connections { + protonvpn { + local_addrs = %defaultroute + remote_addrs = {{ protonvpn_server }} + vips = 0.0.0.0,:: + local { + auth = eap-mschapv2 + eap_id = {{ protonvpn_username }} + } + remote { + auth = pubkey + } + children { + dpd_delay = 30s + protonvpn { + remote_ts = {{ protonvpn_tunnel }} + start_action = start + close_action = start + dpd_action = start + } + } + } +} + +secrets { + eap-protonvpn { + id = {{ protonvpn_username }} + secret = {{ protonvpn_password }} + } +} 
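Review bot: The rendered `/etc/strongswan/swanctl/conf.d/protonvpn.conf` carries `protonvpn_password` in clear text, and the template task sets `mode: '0640'` without `owner`/`group`, so the group that can read it is whatever the writing user's default group happens to be rather than guaranteed root; add `owner: root` and `group: root` beside `mode: '0640'` so the permission bits mean what they appear to. Consider `no_log: true` on that task too, so a run with `--diff` does not print the secret-bearing file. The CA copy at `mode: '0644'` is fine, as it is a public certificate.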
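Review bot: The `remote` block authenticates the peer with `auth = pubkey` but sets no `id`, so unless the installed strongSwan derives the expected identity from `remote_addrs` (worth confirming for its version), any certificate chaining to the ProtonVPN IKE root this role installs would be accepted as the peer; pinning `id = {{ protonvpn_server }}` (or whatever identity the server certificate actually carries) inside `remote { ... }` closes that. The connection also leaves `proposals` and `esp_proposals` at strongSwan's defaults, which is reasonable but worth stating in a template comment such as `# IKE/ESP proposals intentionally left at strongSwan defaults` so a later hardening pass knows nothing was chosen deliberately.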
diff --git a/roles/strongswan-swanctl/tasks/main.yml b/roles/strongswan-swanctl/tasks/main.yml new file mode 100644 index 0000000..3fb1dac --- /dev/null +++ b/roles/strongswan-swanctl/tasks/main.yml @@ -0,0 +1,15 @@ +- name: ensure strongswan is installed + package: + name: strongswan + state: present + tags: + - install + +- name: ensure strongswan starts at boot + service: + name: strongswan + enabled: true +- name: ensure strongswan is running + service: + name: strongswan + state: started
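Review bot: The package name `strongswan`, the service name `strongswan` and the `/etc/strongswan/swanctl/...` paths the dependent protonvpn role writes to all match the Fedora/RHEL packaging; on Debian-based hosts the swanctl front end is, as far as I know, a separate package and the configuration tree lives under `/etc/swanctl`, so the role would likely install cleanly while the connection is never loaded. A header comment such as `# Assumes Fedora/RHEL strongSwan packaging (swanctl config under /etc/strongswan)`, or an `ansible_os_family` assertion at the top of the task list, would make that assumption visible. Style: the third task is missing the blank line that separates the first two.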