This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

Dual-homed servers: Write both IPv4 and IPv6 in generated docs. #1312

Open
tsunamaru opened this issue Apr 29, 2018 · 15 comments

Comments

@tsunamaru

Hello.

I recently built Streisand on a new VPS using the IPv6 address for the SSH connection (my provider and hosting service give me both IPv4 and IPv6, so no problem arose during installation). But in the final docs only the IPv6 address, which I used when installing Streisand, was written:
[screenshot: screenshot_2018-04-29_12-35-56]

I think it would be nice if you added an IPv4 and IPv6 check on the server and wrote both addresses in the docs (of course, only if the server has both).

Many thanks, and please excuse my bad English.

@cpu cpu changed the title [Feature Request] Detect and write all server IP's to documents Dual-homed servers: Write both IPv4 and IPv6 in generated docs. Apr 29, 2018
@cpu
Collaborator

cpu commented Apr 29, 2018

Hi @Fconn,

Thanks for opening an issue. I agree that Streisand should try to handle dual-homed hosts with both IPv6 and IPv4 addresses better.

I changed the title of your issue to make it easier to find in the future when we have a chance to evaluate IPv6 related features.

@nopdotcom
Member

nopdotcom commented May 25, 2018

This is primarily concerned with IPv6 ingress, right? Egress is something we have to think about more; the natural model is to NAT6 everything so it comes out the same IPv6 address. That's all we can do on systems where we aren't delegated a big enough prefix.

@tsunamaru
Author

tsunamaru commented May 26, 2018

> This is primarily concerned with IPv6 ingress, right?

Personally, for me the main reason is the Russian government (Roskomnadzor), which blocks only IPv4 addresses but does not touch IPv6.

In light of the latest news, this has become particularly important: https://t.me/zatelecom/4773 (english version: https://t.me/zatelecom/4780)
TL;DR: Roskomnadzor scans the entire Internet to find private proxies/VPNs (like Streisand) and blocks access from Russia. I just want to keep access to my server (and services) if the IPv4 address gets banned.

@nopdotcom
Member

Thank you; that's very clarifying.

@nopdotcom
Member

An update: there's semi-active work in #1382 to support this, and I believe people have been working in forks as well.

I've also been looking at supporting a separate ingress-only IPv4 address for providers which support multiple IPv4 addresses per machine. If I understand this threat correctly, the "primary"/egress address should have all its ports closed, to avoid being marked as a potential proxy.

@cpu
Collaborator

cpu commented Oct 20, 2018

@Fconn If you had a chance to test #1382 it would be valuable feedback!

@tsunamaru
Author

Sorry for the probably stupid question (I'm not a developer), but how can I test it? I don't understand how to download this #1382; can you please explain?

@cpu
Collaborator

cpu commented Oct 20, 2018

@Fconn Not a stupid question at all!

The easiest way is probably for you to:

  1. Clone @nopdotcom's copy of Streisand into a new directory by running git clone https://github.com/nopdotcom/streisand.git streisand-copy
  2. Change into the streisand-copy directory with cd streisand-copy
  3. Run git checkout nop-optional-ipv6 to switch to the branch from Explicit IPv6 config option: sslh/shadowsocks/gateway, plus DO IPv6 #1382
  4. Follow the normal Streisand setup and install options, the same as you've done in the past.

@Fconn Note: I'm away from my usual computer at the moment and haven't tested those instructions. If they don't work it's probably my fault and we can iterate if you share the error messages. Thanks!

@tsunamaru
Author

tsunamaru commented Oct 20, 2018

Okay, I cloned it and started the install using IPv6 as the server address. In the middle of the installation I got this:
[screenshot: 2018-10-20 19-07-32]
These are both public IPs, but I can choose only one of them?

UPD: No matter what I choose, the installation stops every time on an error:
[screenshot: 2018-10-20 21-50-36]

@nopdotcom
Member

I think picking the IPv4 address is correct.

Do you have a generated streisand-diagnostics.md file?

For my curiosity, I'd love to see the results of these commands run on a server:

```
ip -o addr show permanent scope global
curl https://v4.ident.me
curl https://v6.ident.me
```

Presumably it won't hurt you to delete those sysctls. If you'd like to try a run without them, edit playbooks/roles/sysctl/vars/main.html and remove these lines:

```yaml
  - { key: net.ipv4.conf.all.secure_redirects, value: 0 }
  - { key: net.ipv4.conf.default.secure_redirects, value: 0 }
  - { key: net.ipv6.conf.all.secure_redirects, value: 0 }
  - { key: net.ipv6.conf.default.secure_redirects, value: 0 }
```

By the way: Any diagnostics are good, but copy&pasting the text is even better than a screenshot alone.

@tsunamaru
Author

### Ansible Information

* Ansible version: 2.7.0
* Ansible system: Linux
* Host OS: Fedora
* Host OS version:  28
* Python interpreter: python
* Python version: 2.7.15

### Streisand Information

* Streisand Git revision: ede1a0484d7f6cd179d9dda87996d0fec2d01a44
* Streisand Git clone has untracked changes: no
* Genesis role: existing-server
* Custom SSH key: False

### Enabled Roles

* Shadowsocks enabled:  True
* Wireguard enabled: True
* OpenVPN enabled: True
* stunnel enabled: True
* Tor enabled: False
* Openconnect enabled: True
* TinyProxy enabled: True
* SSH forward user enabled: True
* Configured number of VPN clients: 5

```
root@test:~# ip -o addr show permanent scope global
2: eth0    inet 80.211.134.149/24 brd 80.211.134.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 2a00:6d40:72:2f95::1/64 scope global \       valid_lft forever preferred_lft forever
5: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\       valid_lft forever preferred_lft forever
6: tun1    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun1\       valid_lft forever preferred_lft forever
root@test:~# curl v4.ident.me
80.211.134.149
root@test:~# curl v6.ident.me
2a00:6d40:72:2f95::1
```

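An added example (not code from the Streisand project or from anyone in this thread) of the dual-homed detection the issue asks for: it parses the `ip -o addr show permanent scope global` format pasted above, keeps only globally routable addresses of each family (dropping the 10.x tunnel endpoints), and emits one docs line per address or a note when a family is absent. The sample output is constructed from the diagnostics above; the function names are assumed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the format of `ip -o addr show permanent scope global`,
# mirroring the diagnostics pasted above (one record per line, whitespace-separated
# fields, lifetime info after a backslash).
SAMPLE_IP_O_ADDR = """\
2: eth0    inet 80.211.134.149/24 brd 80.211.134.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet6 2a00:6d40:72:2f95::1/64 scope global \\       valid_lft forever preferred_lft forever
5: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\\       valid_lft forever preferred_lft forever
6: tun1    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun1\\       valid_lft forever preferred_lft forever
"""


def parse_ip_o_addr(output: str) -> List[dict]:
    """Parse one-line `ip -o addr show` records into interface, family and address."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue  # skip anything that is not an address record
        addr = fields[3].split("/")[0]  # drop the prefix length if present
        records.append({"ifname": fields[1], "family": fields[2],
                        "address": ipaddress.ip_address(addr)})
    return records


def public_addresses(output: str) -> Dict[str, List[str]]:
    """Return globally routable addresses keyed by "IPv4"/"IPv6".

    is_global excludes RFC 1918 / ULA, link-local, loopback and documentation
    ranges, so the 10.8.0.x / 10.9.0.x VPN tunnel endpoints are filtered out and
    only addresses worth writing into the generated docs remain.
    """
    result: Dict[str, List[str]] = {"IPv4": [], "IPv6": []}
    for rec in parse_ip_o_addr(output):
        ip = rec["address"]
        if not ip.is_global:
            continue
        result["IPv4" if ip.version == 4 else "IPv6"].append(str(ip))
    return result


def docs_address_lines(output: str) -> List[str]:
    """Lines for the generated docs: one per public address, or a note per missing family."""
    addrs = public_addresses(output)
    lines = []
    for family in ("IPv4", "IPv6"):
        if addrs[family]:
            lines.extend(f"Server {family} address: {a}" for a in addrs[family])
        else:
            lines.append(f"Server has no public {family} address")
    return lines
```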
@nopdotcom
Member

Thanks. I don't see anything out of the ordinary there, so I think a scratch install, removing those sysctls, may do it for you.

@tsunamaru
Author

I removed those lines and the installation completed successfully, thanks. Right now I do not have much time for testing, but I already see that OpenVPN still redirects only IPv4, and IPv6 traffic goes through the local ISP.

[screenshot: 2018-10-22_18-50-04]

@nopdotcom
Member

So 80.211.134.149 is correct; that's at least where outbound connections originate from. I'm not sure why there is a choice between v4 and v6.

Although we don't do anything strange with Ansible, we've discovered some Ansible releases have bugs which affect us. My strong suggestion is to use a virtualenv to set up a Streisand-specific version of Ansible. The process is detailed in the README but the quick version is to run ./util/venv-dependencies ./venv and then source ./venv/bin/activate before running ./streisand.

If there turns out to be a bug against Ansible 2.7.0, it would be great to know that; this might just affect 2.7.0, but it could hit the other 2.7.x releases too.

@BossTownUSA

Did you find a solution tsunamaru? My results are identical to yours.
