pyrocufflink-dns: Cloudflare over ProtonVPN
This commit adds a new playbook, `protonvpn.yml`, and its supporting roles *strongswan-swanctl* and *protonvpn*. This playbook configures strongSwan to connect to ProtonVPN using IPsec/IKEv2. With this playbook, we configure the name servers on the Pyrocufflink network to route all DNS requests through the Cloudflare public DNS recursive servers at 1.1.1.1/1.0.0.1 over ProtonVPN. Using this setup, we have the benefit of the speed of using a public DNS server (which is *significantly* faster than running our own recursive server, usually by 1-2 seconds per request), and the benefit of anonymity from ProtonVPN. Using the public DNS server alone is great for performance, but allows the server operator (in this case Cloudflare) to track and analyze usage patterns. Using ProtonVPN gives us anonymity (assuming we trust ProtonVPN not to do the very same tracking), but can have a negative performance impact if it's used for all Internet traffic. By combining these solutions, we can get the benefits of both!
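--- /dev/null
+++ b/roles/protonvpn/defaults/main.yml
@@ -0,0 +1,2 @@
+protonvpn_server: us-il-41.protonvpn.com
+protonvpn_tunnel: 0.0.0.0/0,::/0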
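Review bot: `protonvpn_tunnel` defaults to `0.0.0.0/0,::/0`, so any host that applies this role without overriding it sends all of its IPv4 and IPv6 traffic through ProtonVPN, which is exactly the whole-Internet case the commit message says it wants to avoid for performance; if the intent is DNS only, default it to the Cloudflare resolver addresses (`1.1.1.1/32,1.0.0.1/32`, plus their IPv6 equivalents) or at least add a comment such as `# Traffic selector(s) tunnelled over ProtonVPN; the DNS playbook narrows this to the Cloudflare resolvers` so the override is not forgotten. `protonvpn_server` names a single fixed endpoint, and swanctl's `remote_addrs` accepts a comma-separated list, so a comment noting that there is no failover unless more servers are listed here would help the next maintainer.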
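--- /dev/null
+++ b/roles/protonvpn/files/ProtonVPN_ike_root.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
+MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
+QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
+MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
+vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
+wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
+2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
+qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
+nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
+JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
+a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
+WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
+ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
+lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
+m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
+A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
+TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
+blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
+htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
+MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
+ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
+51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
+zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
+eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
+Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
+zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
+N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
+DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
+A1gTTlpi7A==
+-----END CERTIFICATE-----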
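--- /dev/null
+++ b/roles/protonvpn/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: reload strongswan config
+  command:
+    swanctl --load-all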
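--- /dev/null
+++ b/roles/protonvpn/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - strongswan-swanctl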
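--- /dev/null
+++ b/roles/protonvpn/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: ensure protonvpn ca certificate is installed
+  copy:
+    src: ProtonVPN_ike_root.pem
+    dest: /etc/strongswan/swanctl/x509ca/
+    mode: '0644'
+  notify: reload strongswan config
+  tags:
+  - strongswan-cacert
+
+- name: ensure protonvpn configuration is set
+  template:
+    src: protonvpn.conf.j2
+    dest: /etc/strongswan/swanctl/conf.d/protonvpn.conf
+    mode: '0640'
+  notify: reload strongswan config
+  tags:
+  - strongswan-config
+  - protonvpn-config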
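Review bot: The `ensure protonvpn configuration is set` task renders `protonvpn_password` into the file, and when the play is run with `--diff` (or the task fails under `-v`) Ansible prints the rendered content, so the VPN password ends up in terminal scrollback and CI logs; add `no_log: true` to this task (or at minimum `diff: false`). `mode: '0640'` is right, but without `owner: root` / `group: root` the file takes the identity of whichever user Ansible executes the task as, so state them explicitly. `protonvpn_username` and `protonvpn_password` have no role defaults, which is correct for secrets; the variables file that does define them (not part of this commit) should be Ansible Vault encrypted. For the CA task, decoding the validity field of `ProtonVPN_ike_root.pem` gives notBefore/notAfter of 2017-02-15/2027-02-15, so a comment recording where this root was obtained, its SHA-256 fingerprint, and that it must be replaced before February 2027 would save a future outage.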
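--- /dev/null
+++ b/roles/protonvpn/templates/protonvpn.conf.j2
@@ -0,0 +1,30 @@
+connections {
+    protonvpn {
+        local_addrs = %defaultroute
+        remote_addrs = {{ protonvpn_server }}
+        vips = 0.0.0.0,::
+        local {
+            auth = eap-mschapv2
+            eap_id = {{ protonvpn_username }}
+        }
+        remote {
+            auth = pubkey
+        }
+        children {
+            dpd_delay = 30s
+            protonvpn {
+                remote_ts = {{ protonvpn_tunnel }}
+                start_action = start
+                close_action = start
+                dpd_action = start
+            }
+        }
+    }
+}
+
+secrets {
+    eap-protonvpn {
+        id = {{ protonvpn_username }}
+        secret = {{ protonvpn_password }}
+    }
+}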
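Review bot: With `start_action = start` and no trap policy, packets matching `remote_ts` are, as far as I can tell, routed over the default route in plaintext whenever the CHILD_SA is absent (before the first connection, and after a DPD or close event until `start` re-establishes it), so the DNS queries this setup is meant to hide reach Cloudflare unencrypted precisely when the tunnel fails; `start_action = trap` installs a kernel trap policy that holds matching traffic and triggers negotiation instead, and is the safer choice for a traffic selector this narrow. If the tunnel is trapped, make sure `remote_addrs` can still be resolved without it — a name server that forwards everything to Cloudflare through the tunnel cannot look up `{{ protonvpn_server }}` to bring the tunnel back, so consider an IP literal here or a resolver exception for that name. `dpd_delay = 30s` sits directly inside `children {}` at the level of the child names, but as far as I recall swanctl only defines it under `connections.<conn>`, so it is probably ignored and `dpd_action = start` never fires; move it up next to `remote_addrs`. The `remote {}` block sets `auth = pubkey` with no `id`, so any certificate chaining to the installed ProtonVPN root is accepted; if Proton's server certificates carry the hostname as a SAN, `id = {{ protonvpn_server }}` pins the session to the intended server.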