Ansible configuration policy for the private network/home lab of Dustin C. Hatch
http://dustin.hatch.name/
Dustin
0add34a9a3
One major problem with the current DNS-over-VPN implementation is that the ProtonVPN servers are prone to random outages. When the server we're using goes down, there is not a straightforward way to switch to another one. At first I tried creating a fake DNS zone with A records for each ProtonVPN server, all for the same name. This ultimately did not work, but I am not sure I understand why. strongSwan would correctly resolve the name each time it tried to connect, and send IKE initialization requests to a different address each time, but would reject the responses from all except the first address it used. The only way to get it working again was to restart the daemon. Since strongSwan is apparently not going to be able to handle this kind of fallback on its own, I decided to write a script to do it externally. Enter `protonvpn-watchdog.py`. This script reads the syslog messages from strongSwan (via the systemd journal, using `journalctl`'s JSON output) and reacts when it receives the "giving up after X tries" message. This message indicates that strongSwan has lost connection to the current server and has not been able to reestablish it within the retry period. When this happens, the script will consult the cached list of ProtonVPN servers and find the next one available. It keeps track of the ones that have failed in the past, and will not connect to them again, so as not to simply bounce back-and-forth between two (possibly dead) servers. Approximately every hour, it will attempt to refresh the server list, to ensure that the most accurate server scores and availability are known. |
||
|---|---|---|
| .certs@654b52b608 | ||
| certs | ||
| ci | ||
| group_vars | ||
| host_vars | ||
| passwords/kojiweb_secret | ||
| roles | ||
| vars | ||
| vault | ||
| .gitignore | ||
| .gitmodules | ||
| .vault-secret.sh | ||
| ansible.cfg | ||
| ansible.yml | ||
| aria2.yml | ||
| base.yml | ||
| bitwarden_rs.yml | ||
| burp-client.yml | ||
| burp-server.yml | ||
| certbot.yml | ||
| collectd.yml | ||
| dch-gw.yml | ||
| dch-proxy.yml | ||
| dch-root-ca.crt | ||
| dch-vpn.yml | ||
| dhcpcd.yml | ||
| dhcpd.yml | ||
| docker.yml | ||
| domain-controller.yml | ||
| dyngroups.yml | ||
| fileserver.yml | ||
| firewalld.yml | ||
| gitea.yml | ||
| graylog.yml | ||
| hassdb.yml | ||
| homeassistant.yml | ||
| hostname.yml | ||
| hosts | ||
| hosts.offline | ||
| jenkins-slave.yml | ||
| koji-builder.yml | ||
| koji-hub.yml | ||
| koji-web.yml | ||
| koji.yml | ||
| motioneye.yml | ||
| named-server.yml | ||
| net-ifaces.yml | ||
| network.yml | ||
| nextcloud.yml | ||
| ntp.yml | ||
| postgresql.yml | ||
| protonvpn.yml | ||
| pyrocufflink.yml | ||
| radius.yml | ||
| radvd.yml | ||
| remount.yml | ||
| rngd.yml | ||
| samba-dc.yml | ||
| smtp-relay.yml | ||
| squid.yml | ||
| synapse.yml | ||
| taiga.yml | ||
| vmhost.yml | ||
| websites.yml | ||
| wheelhost.yml | ||
| zabbix-agent.yml | ||
| zabbix-server.yml | ||
| zabbix.yml | ||