configpolicy

dustin

configpolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dustin	0add34a9a3	roles/protonvpn: Add watchdog script One major problem with the current DNS-over-VPN implementation is that the ProtonVPN servers are prone to random outages. When the server we're using goes down, there is not a straightforward way to switch to another one. At first I tried creating a fake DNS zone with A records for each ProtonVPN server, all for the same name. This ultimately did not work, but I am not sure I understand why. strongSwan would correctly resolve the name each time it tried to connect, and send IKE initialization requests to a different address each time, but would reject the responses from all except the first address it used. The only way to get it working again was to restart the daemon. Since strongSwan is apparently not going to be able to handle this kind of fallback on its own, I decided to write a script to do it externally. Enter `protonvpn-watchdog.py`. This script reads the syslog messages from strongSwan (via the systemd journal, using `journalctl`'s JSON output) and reacts when it receives the "giving up after X tries" message. This message indicates that strongSwan has lost connection to the current server and has not been able to reestablish it within the retry period. When this happens, the script will consult the cached list of ProtonVPN servers and find the next one available. It keeps track of the ones that have failed in the past, and will not connect to them again, so as not to simply bounce back-and-forth between two (possibly dead) servers. Approximately every hour, it will attempt to refresh the server list, to ensure that the most accurate server scores and availability are known.	2021-06-21 20:48:23 -05:00
Dustin	8ca093050b	pyrocufflink-dns: Cloudflare over ProtonVPN This commit adds a new playbook, `protonvpn.yml`, and its supporting roles strongswan-swanctl and protonvpn. This playbook configures strongSwan to connect to ProtonVPN using IPsec/IKEv2. With this playbook, we configure the name servers on the Pyrocufflink network to route all DNS requests through the Cloudflare public DNS recursive servers at 1.1.1.1/1.0.0.1 over ProtonVPN. Using this setup, we have the benefit of the speed of using a public DNS server (which is significantly faster than running our own recursive server, usually by 1-2 seconds per request), and the benefit of anonymity from ProtonVPN. Using the public DNS server alone is great for performance, but allows the server operator (in this case Cloudflare) to track and analyze usage patterns. Using ProtonVPN gives us anonymity (assuming we trust ProtonVPN not to do the very same tracking), but can have a negative performance impact if its used for all Internet traffic. By combining these solutions, we can get the benefits of both!	2020-09-06 11:06:58 -05:00

Author

SHA1

Message

Date

Dustin

0add34a9a3

roles/protonvpn: Add watchdog script

One major problem with the current DNS-over-VPN implementation is that
the ProtonVPN servers are prone to random outages.  When the server
we're using goes down, there is not a straightforward way to switch to
another one.  At first I tried creating a fake DNS zone with A records
for each ProtonVPN server, all for the same name.  This ultimately did
not work, but I am not sure I understand why.  strongSwan would
correctly resolve the name each time it tried to connect, and send IKE
initialization requests to a different address each time, but would
reject the responses from all except the first address it used.  The
only way to get it working again was to restart the daemon.

Since strongSwan is apparently not going to be able to handle this kind
of fallback on its own, I decided to write a script to do it externally.
Enter `protonvpn-watchdog.py`.  This script reads the syslog messages
from strongSwan (via the systemd journal, using `journalctl`'s JSON
output) and reacts when it receives the "giving up after X tries"
message.  This message indicates that strongSwan has lost connection to
the current server and has not been able to reestablish it within the
retry period.  When this happens, the script will consult the cached
list of ProtonVPN servers and find the next one available.  It keeps
track of the ones that have failed in the past, and will not connect to
them again, so as not to simply bounce back-and-forth between two
(possibly dead) servers.  Approximately every hour, it will attempt to
refresh the server list, to ensure that the most accurate server scores
and availability are known.

2021-06-21 20:48:23 -05:00

Dustin

8ca093050b

pyrocufflink-dns: Cloudflare over ProtonVPN

This commit adds a new playbook, `protonvpn.yml`, and its supporting
roles *strongswan-swanctl* and *protonvpn*.  This playbook configures
strongSwan to connect to ProtonVPN using IPsec/IKEv2.

With this playbook, we configure the name servers on the Pyrocufflink
network to route all DNS requests through the Cloudflare public DNS
recursive servers at 1.1.1.1/1.0.0.1 over ProtonVPN.  Using this setup,
we have the benefit of the speed of using a public DNS server (which is
*significantly* faster than running our own recursive server, usually by
1-2 seconds per request), and the benefit of anonymity from ProtonVPN.

Using the public DNS server alone is great for performance, but allows
the server operator (in this case Cloudflare) to track and analyze usage
patterns.  Using ProtonVPN gives us anonymity (assuming we trust
ProtonVPN not to do the very same tracking), but can have a negative
performance impact if its used for all Internet traffic.  By combining
these solutions, we can get the benefits of both!

2020-09-06 11:06:58 -05:00

2 Commits (d3a09a2e886058d0297099b822350e4ab095157f)