StreisandEffect · nopdotcom · May 27, 2018 · Jun 5, 2018 · Jun 8, 2018 · Jun 10, 2018
diff --git a/global_vars/default-site.yml b/global_vars/default-site.yml
@@ -11,6 +11,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/integration/test-site.yml b/global_vars/integration/test-site.yml
@@ -10,6 +10,8 @@ streisand_admin_email_var: ""
 # Take a few extra steps during server provisioning to make the client tests work
 streisand_client_test: true
 
+streisand_ipv6_enabled: yes
+
 # Only services with corresponding tests are enabled.
 streisand_shadowsocks_enabled: yes
 streisand_ssh_forward_enabled: yes

diff --git a/global_vars/noninteractive/amazon-site.yml b/global_vars/noninteractive/amazon-site.yml
@@ -14,6 +14,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/azure-site.yml b/global_vars/noninteractive/azure-site.yml
@@ -14,6 +14,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/digitalocean-site.yml b/global_vars/noninteractive/digitalocean-site.yml
@@ -18,6 +18,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/google-site.yml b/global_vars/noninteractive/google-site.yml
@@ -13,6 +13,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/linode-site.yml b/global_vars/noninteractive/linode-site.yml
@@ -12,6 +12,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/local-site.yml b/global_vars/noninteractive/local-site.yml
@@ -13,6 +13,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/global_vars/noninteractive/rackspace-site.yml b/global_vars/noninteractive/rackspace-site.yml
@@ -12,6 +12,8 @@ streisand_ssh_private_key: "~/.ssh/id_rsa"
 
 vpn_clients: 5
 
+streisand_ipv6_enabled: yes
+
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes

diff --git a/playbooks/customize.yml b/playbooks/customize.yml
@@ -12,6 +12,10 @@
       prompt: "How many VPN client profiles should be generated per-service (min: 1 max: 20)? Press enter for default "
       default: 5
       private: no
+    - name: streisand_ipv6_enabled
+      prompt: "Enable IPv6, if available? Press enter for default "
+      default: "yes"
+      private: no
     - name: streisand_openconnect_enabled
       prompt: "Enable OpenConnect? Press enter for default "
       default: "yes"
@@ -66,6 +70,10 @@
         path: "{{ streisand_site_vars }}"
         regexp: "^vpn_clients: [\\d]+$"
         line: "vpn_clients: {{ vpn_clients }}"
+    - lineinfile:
+        path: "{{ streisand_site_vars }}"
+        regexp: "^streisand_ipv6_enabled: (?:yes|no)$"
+        line: "streisand_ipv6_enabled: {{ streisand_ipv6_enabled }}"
     - lineinfile:
         path: "{{ streisand_site_vars }}"
         regexp: "^streisand_openconnect_enabled: (?:yes|no)$"

diff --git a/playbooks/roles/common/tasks/set-default-variables.yml b/playbooks/roles/common/tasks/set-default-variables.yml
@@ -39,3 +39,16 @@
 
 - import_tasks: detect-public-ip.yml
   when: (hostvars['127.0.0.1']['streisand_genesis_role'] is defined and ((hostvars['127.0.0.1']['streisand_genesis_role'] == "localhost") or (hostvars['127.0.0.1']['streisand_genesis_role'] == "existing-server")))
+
+- name: If streisand_ipv6_address is undefined and IPv6 is enabled, change it to Ansible's default IPv6 address
+  set_fact:
+    streisand_ipv6_address: "{{ ansible_default_ipv6.address }}"
+  when:
+    - streisand_ipv6_address is not defined
+    - streisand_ipv6_enabled
+    - ansible_default_ipv6.address is defined
+
+- name: If there's an IPv6 address, generate a gateway URL using it
+  set_fact:
+    streisand_gateway_url_ipv6: "https://[{{ streisand_ipv6_address }}]"
+  when: streisand_ipv6_address is defined
diff --git a/playbooks/roles/ec2-security-group/tasks/main.yml b/playbooks/roles/ec2-security-group/tasks/main.yml
@@ -21,29 +21,19 @@
     aws_access_key: "{{ aws_access_key }}"
     aws_secret_key: "{{ aws_secret_key }}"
     rules:
-      # Nginx
-      # ---
       - proto: tcp
-        from_port: "{{ nginx_port }}"
-        to_port: "{{ nginx_port }}"
-        cidr_ip: 0.0.0.0/0
-      # SSH
-      # ---
-      - proto: tcp
-        from_port: "{{ ssh_port }}"
-        to_port: "{{ ssh_port }}"
-        cidr_ip: 0.0.0.0/0
-      # HTTP (Let's Encrypt)
-      # ---
-      - proto: tcp
-        from_port: "{{ le_port }}"
-        to_port: "{{ le_port }}"
+        ports:
+          - "{{ nginx_port }}"
+          - "{{ ssh_port }}"
+          # HTTP, for Let's Encrypt
+          - "{{ le_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
     rules_egress:
       - proto: all
-        from_port: 1
-        to_port: 65535
+        ports: 1-65535
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
 
 # OpenConnect
 # ---
@@ -58,18 +48,14 @@
     purge_rules: no
     purge_rules_egress: no
     rules:
-      # OpenConnect TCP
-      # ---
       - proto: tcp
-        from_port: "{{ ocserv_port }}"
-        to_port: "{{ ocserv_port }}"
+        ports: "{{ ocserv_port }}"
         cidr_ip: 0.0.0.0/0
-      # OpenConnect UDP
-      # ---
+        cidr_ipv6: ::/0
       - proto: udp
-        from_port: "{{ ocserv_port }}"
-        to_port: "{{ ocserv_port }}"
+        ports: "{{ ocserv_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_openconnect_enabled
 
 # OpenVPN
@@ -85,18 +71,14 @@
     purge_rules: no
     purge_rules_egress: no
     rules:
-      # OpenVPN TCP
-      # ---
       - proto: tcp
-        from_port: "{{ openvpn_port }}"
-        to_port: "{{ openvpn_port }}"
+        ports: "{{ openvpn_port }}"
         cidr_ip: 0.0.0.0/0
-      # OpenVPN UDP
-      # ---
+        cidr_ipv6: ::/0
       - proto: udp
-        from_port: "{{ openvpn_port_udp }}"
-        to_port: "{{ openvpn_port_udp }}"
+        ports: "{{ openvpn_port_udp }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_openvpn_enabled
 
 # stunnel
@@ -112,12 +94,10 @@
     purge_rules: no
     purge_rules_egress: no
     rules:
-      # Stunnel
-      # ---
       - proto: tcp
-        from_port: "{{ stunnel_remote_port }}"
-        to_port: "{{ stunnel_remote_port }}"
+        ports: "{{ stunnel_remote_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_openvpn_enabled and streisand_stunnel_enabled
 
 # Shadowsocks
@@ -133,18 +113,14 @@
     purge_rules: no
     purge_rules_egress: no
     rules:
-      # Shadowsocks TCP
-      # ---
       - proto: tcp
-        from_port: "{{ shadowsocks_server_port }}"
-        to_port: "{{ shadowsocks_server_port }}"
+        ports: "{{ shadowsocks_server_port }}"
         cidr_ip: 0.0.0.0/0
-      # Shadowsocks UDP
-      # ---
+        cidr_ipv6: ::/0
       - proto: udp
-        from_port: "{{ shadowsocks_server_port }}"
-        to_port: "{{ shadowsocks_server_port }}"
+        ports: "{{ shadowsocks_server_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_shadowsocks_enabled
 
 # Tor
@@ -160,18 +136,14 @@
     purge_rules: no
     purge_rules_egress: no
     rules:
-      # Tor
-      # ---
       - proto: tcp
-        from_port: "{{ tor_orport }}"
-        to_port: "{{ tor_orport }}"
+        ports: "{{ tor_orport }}"
         cidr_ip: 0.0.0.0/0
-      # Tor obfs4
-      # ---
+        cidr_ipv6: ::/0
       - proto: tcp
-        from_port: "{{ tor_obfs4_port }}"
-        to_port: "{{ tor_obfs4_port }}"
+        ports: "{{ tor_obfs4_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_tor_enabled
 
 # WireGuard
@@ -188,7 +160,7 @@
     purge_rules_egress: no
     rules:
       - proto: udp
-        from_port: "{{ wireguard_port }}"
-        to_port: "{{ wireguard_port }}"
+        ports: "{{ wireguard_port }}"
         cidr_ip: 0.0.0.0/0
+        cidr_ipv6: ::/0
   when: streisand_wireguard_enabled
diff --git a/playbooks/roles/genesis-digitalocean/tasks/main.yml b/playbooks/roles/genesis-digitalocean/tasks/main.yml
@@ -35,6 +35,7 @@
         unique_name: yes
         wait: yes
         api_token: "{{ do_access_token }}"
+        ipv6: "{{ streisand_ipv6_enabled }}"
       register: streisand_server
   rescue:
     - fail:

diff --git a/playbooks/roles/shadowsocks/templates/config.json.j2 b/playbooks/roles/shadowsocks/templates/config.json.j2
@@ -1,5 +1,10 @@
 {
-    "server":"{{ ansible_default_ipv4.address }}",
+    "server":
+{% if streisand_ipv6_address is defined %}
+  ["{{ ansible_default_ipv4.address }}", "{{ ansible_default_ipv6.address }}"],
+{% else %}
+  "{{ ansible_default_ipv4.address }}",
+{% endif %}
     "server_port":{{ shadowsocks_server_port }},
     "local_port":{{ shadowsocks_local_port }},
     "password":"{{ shadowsocks_password.stdout }}",

diff --git a/playbooks/roles/sslh/templates/sslh.cfg.j2 b/playbooks/roles/sslh/templates/sslh.cfg.j2
@@ -6,6 +6,9 @@ pidfile: "{{ sslh_pid_file }}";
 
 listen:
 (
+{% if streisand_ipv6_address is defined %}
+    { host: "{{ ansible_default_ipv6.address }}"; port: "443"; },
+{% endif %}
     { host: "{{ ansible_default_ipv4.address }}"; port: "443"; }
 );
 

diff --git a/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2 b/playbooks/roles/streisand-gateway/templates/instructions-fr.md.j2
@@ -190,6 +190,10 @@ Connexion à votre passerelle Streisand
 [{{ streisand_domain }}](https://{{ streisand_domain }}/index-fr.html)
 {% else %}
 [{{ streisand_gateway_url }}]({{ streisand_gateway_url }}/index-fr.html)
+{% if streisand_gateway_url_ipv6 is defined %}
+
+IPv6: [{{ streisand_gateway_url_ipv6 }}]({{ streisand_gateway_url_ipv6 }})
+{% endif %}
 {% endif %}
 
 username: `{{ streisand_gateway_username }}`

diff --git a/playbooks/roles/streisand-gateway/templates/instructions.md.j2 b/playbooks/roles/streisand-gateway/templates/instructions.md.j2
@@ -180,6 +180,10 @@ Connecting to your Streisand Gateway
 [{{ streisand_domain }}](https://{{ streisand_domain }})
 {% else %}
 [{{ streisand_gateway_url }}]({{ streisand_gateway_url }})
+{% if streisand_gateway_url_ipv6 is defined %}
+
+IPv6: [{{ streisand_gateway_url_ipv6 }}]({{ streisand_gateway_url_ipv6 }})
+{% endif %}
 {% endif %}
 
 username: `{{ streisand_gateway_username }}`

diff --git a/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2 b/playbooks/roles/streisand-gateway/templates/openssl-local.cnf.j2
@@ -44,6 +44,10 @@ emailAddress = optional
 [ alt_names ]
 IP.0 = {{ streisand_ipv4_address }}
 DNS.0 = {{ streisand_ipv4_address }}
+{% if streisand_ipv6_address is defined %}
+IP.1 = {{ streisand_ipv6_address }}
+DNS.1 = {{ streisand_ipv6_address }}
+{% endif %}
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)

diff --git a/playbooks/roles/sysctl/vars/main.yml b/playbooks/roles/sysctl/vars/main.yml
@@ -7,20 +7,37 @@ sysctl_values:
   - { key: kernel.msgmax, value: 65536 }
   - { key: kernel.shmmax, value: 68719476736 }
   - { key: kernel.shmall, value: 4294967296 }
+
   - { key: net.ipv4.conf.all.accept_source_route, value: 0 }
   - { key: net.ipv4.conf.default.accept_source_route, value: 0 }
+  - { key: net.ipv6.conf.all.accept_source_route, value: 0 }
+  - { key: net.ipv6.conf.default.accept_source_route, value: 0 }
+
   - { key: net.ipv4.conf.all.log_martians, value: 1 }
   - { key: net.ipv4.conf.default.log_martians, value: 1 }
+
   - { key: net.ipv4.conf.all.accept_redirects, value: 0 }
   - { key: net.ipv4.conf.default.accept_redirects, value: 0 }
+  - { key: net.ipv6.conf.all.accept_redirects, value: 0 }
+  - { key: net.ipv6.conf.default.accept_redirects, value: 0 }
+
   - { key: net.ipv4.conf.all.send_redirects, value: 0 }
   - { key: net.ipv4.conf.default.send_redirects, value: 0 }
+
   - { key: net.ipv4.conf.all.rp_filter, value: 0 }
   - { key: net.ipv4.conf.default.rp_filter, value: 0 }
+
   - { key: net.ipv4.icmp_echo_ignore_broadcasts, value: 1 }
   - { key: net.ipv4.icmp_ignore_bogus_error_responses, value: 1 }
+
   - { key: net.ipv4.conf.all.secure_redirects, value: 0 }
   - { key: net.ipv4.conf.default.secure_redirects, value: 0 }
+  - { key: net.ipv6.conf.all.secure_redirects, value: 0 }
+  - { key: net.ipv6.conf.default.secure_redirects, value: 0 }
+
+  - { key: net.ipv6.conf.all.use_tempaddr, value: 2 }
+  - { key: net.ipv6.conf.default.use_tempaddr, value: 2 }
+
   - { key: kernel.randomize_va_space, value: 1 }
   - { key: net.core.wmem_max, value: 12582912 }
   - { key: net.core.rmem_max, value: 12582912 }

diff --git a/tests/site_vars/openconnect.yml b/tests/site_vars/openconnect.yml
@@ -1,6 +1,7 @@
 ---
 # This site config only enables OpenConnect
 vpn_clients: 5
+streisand_ipv6_enabled: yes
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: no
 streisand_shadowsocks_enabled: no

diff --git a/tests/site_vars/openvpn.yml b/tests/site_vars/openvpn.yml
@@ -1,6 +1,7 @@
 ---
 # This site config only enables openvpn
 vpn_clients: 5
+streisand_ipv6_enabled: yes
 streisand_openconnect_enabled: no
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: no