
Alternative Ingress IP #1605

Merged
merged 3 commits into from
Jan 31, 2020

Conversation

jackivanov
Collaborator

@jackivanov jackivanov commented Oct 7, 2019

Description

This PR adds functionality to provision and configure a separate ingress IP to split up incoming and outgoing traffic. The PR is for DigitalOcean only for now.
Because of a bug in Ansible, we're again forced to modify the module locally.

Motivation and Context

Fixes #1047

How Has This Been Tested?

  1. Deployed to DigitalOcean
  2. Connected via IKEv2 and WireGuard
  3. Ensured that the endpoint for both IKEv2 and WireGuard was set to the Floating IP
  4. Went to ipleak.net to ensure the IP shown was not the one from step 3

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • All new and existing tests passed.

TODO:

  • Short but efficient description comment here
  • will be addressed as a separate issue: As we now provision multiple resources without a shared control mechanism (like CloudFormation), we have to create a mechanism to clean up the environment, delete the server and the floating IP by running ./algo destroy, which raises cloud-specific prompts and displays the resources available for deletion.

Any suggestions welcome!

@jackivanov jackivanov added the 1.2 label Oct 7, 2019
@jackivanov jackivanov added this to the 1.2 milestone Oct 7, 2019
@jackivanov
Collaborator Author

cc @dnesting @davidemyers

@jackivanov jackivanov changed the title Separate ingress IP draft [WIP] Separate ingress IP Oct 7, 2019
@davidemyers
Contributor

I suggest a name other than static_ip for the variable in config.cfg as I think that name will confuse people (the IPs for most (all?) providers other than Lightsail can be thought of as static). Perhaps second_ip or ingress_ip.

@davidemyers
Contributor

I also suggest that the configs/ subdirectory be named after the primary IP address rather than the secondary ingress IP.

@jackivanov jackivanov force-pushed the feature/1047 branch 3 times, most recently from 1d5f2cd to d224860 Compare November 12, 2019 10:48
@jackivanov jackivanov changed the title [WIP] Separate ingress IP Separate ingress IP Dec 8, 2019
@jackivanov jackivanov changed the title Separate ingress IP Alternative Ingress IP Dec 8, 2019
@jackivanov jackivanov marked this pull request as ready for review December 8, 2019 13:29
@jackivanov
Collaborator Author

Alright, it's ready for more tests

@davidemyers
Contributor

This breaks IPv6 for me (tested via http://ipv6-test.com/ and https://browserleaks.com/ip). I don't see the alternate IPv6 address on ens3 even after a reboot.

Deployed from Ubuntu 19.10 using the alternate Python 3.8 and tested using WireGuard on iOS.

@jackivanov
Collaborator Author

OK, seems we have to use netplan. @davidemyers I think it's fixed now, works on my end

@davidemyers
Contributor

That works for me, thanks.

Should the secondary IPv6 address be /64 like the primary? I tried it that way and it seems to work.

@davidemyers
Contributor

The docs should mention that when using this feature with DigitalOcean, after manually deleting a Droplet you need to also delete the Floating IP or you'll get charged for it.

@jackivanov
Collaborator Author

jackivanov commented Dec 10, 2019

Should the secondary IPv6 address be /64 like the primary? I tried it that way and it seems to work.

It will work for sure, but DigitalOcean actually gives you a /124, not the whole /64, so we take a random address from the /124 subnet

@benturner

Hm, this doesn't appear to do anything for the IPv4 traffic?

@jackivanov
Collaborator Author

jackivanov commented Jan 27, 2020

@benturner It's disabled by default at the moment. You need to turn it on in config.cfg with alternative_ingress_ip: true. Can you try that?

@benturner

Yep, I did. It properly changed my rules.v6 file but the rules.v4 file didn't get the SNAT option added to it.

@jackivanov
Collaborator Author

jackivanov commented Jan 27, 2020

@benturner It doesn't modify rules.v4, it just sets the destination IP for the VPN connection as the Floating IP.

But I think it might not be a good way if we want to add more providers. I'll check that

@jackivanov
Collaborator Author

jackivanov commented Jan 28, 2020

I've refactored the code, so we use the simplest schema with SNAT now

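As an added example (not code from the Algo project or from anyone in this thread), the Python script below puts together the design the discussion converges on: the alternative IPv6 address is drawn from the provider's /124 rather than assumed to be a /64, the address is bound with a netplan stanza so it survives a reboot, and SNAT rules keep VPN clients' egress on the primary address while the alternative address stays the ingress endpoint. The interface name ens3 comes from the thread; the sample addresses, the VPN subnets and the exact netplan and iptables shapes are assumptions for illustration.

```python
# Added example, not code from the Algo project or from this thread.
# Shows the split the PR describes: the alternative (ingress) address receives
# VPN connections, and egress from VPN clients is SNATed to the primary address.
import ipaddress
import random


def pick_alternative_ipv6(block_cidr, primary, rng=None):
    """Pick the alternative ingress IPv6 address from the provider-assigned block.

    DigitalOcean hands out a /124 (16 addresses) rather than a whole /64, so the
    address is drawn from that block, skipping the block's first address and the
    primary address already on the interface. Returns the address as a string.
    """
    rng = rng or random.SystemRandom()
    block = ipaddress.IPv6Network(block_cidr, strict=False)
    primary_addr = ipaddress.IPv6Address(primary)
    if primary_addr not in block:
        raise ValueError(f"{primary} is not inside {block}")
    candidates = [
        addr for addr in block
        if addr != block.network_address and addr != primary_addr
    ]
    if not candidates:
        raise ValueError(f"no spare address in {block}")
    return str(rng.choice(candidates))


def netplan_ipv6_fragment(iface, primary_cidr, alt_cidr):
    """Render a netplan stanza binding both IPv6 addresses to the interface.

    The thread found the alternative address missing from ens3 until netplan
    was used; the stanza layout here is an assumption, not Algo's template.
    """
    lines = [
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {iface}:",
        "      addresses:",
        f"        - {primary_cidr}",
        f"        - {alt_cidr}",
    ]
    return "\n".join(lines) + "\n"


def snat_rule(vpn_subnet, iface, primary_ip):
    """Render the iptables/ip6tables nat rule that rewrites VPN clients'
    outgoing packets to the primary address, so egress never shows the
    ingress (floating) address. Rejects mixed IPv4/IPv6 arguments."""
    net = ipaddress.ip_network(vpn_subnet, strict=False)
    ip = ipaddress.ip_address(primary_ip)
    if net.version != ip.version:
        raise ValueError("VPN subnet and primary address must be the same IP family")
    return f"-A POSTROUTING -s {net} -o {iface} -j SNAT --to-source {ip}"


def main():
    # Constructed sample values (documentation prefixes), not a real deployment.
    iface = "ens3"
    primary_v4 = "203.0.113.10"          # primary droplet address: egress
    ingress_v4 = "198.51.100.77"         # floating IP: VPN endpoint (ingress)
    v6_block = "2001:db8:0:1::10/124"    # assumed provider-assigned /124
    primary_v6 = "2001:db8:0:1::11"
    alt_v6 = pick_alternative_ipv6(v6_block, primary_v6)
    print(netplan_ipv6_fragment(iface, f"{primary_v6}/124", f"{alt_v6}/124"))
    # Assumed VPN client subnets, one per family.
    for subnet, src in (("10.19.49.0/24", primary_v4), ("fd9d:bc11:4020::/48", primary_v6)):
        print(snat_rule(subnet, iface, src))
    print(f"VPN endpoint: {ingress_v4}; clients appear on the internet from {primary_v4}")


if __name__ == "__main__":
    main()
```

Running the script prints the netplan stanza and the two nat rules; a quick check of the result, as in step 4 of the PR's test plan, is that the endpoint configured in the client profile and the address a leak-test site reports are different.
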
@jackivanov
Collaborator Author

@davidemyers could you check out this one please?

@davidemyers
Contributor

Works for me, tested from WireGuard on iOS.

Successfully merging this pull request may close these issues.

Separate egress IP address
3 participants