From aba7121907ea0307f829d8d9ee10de75c4fc1f86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= <xavi@verdnatura.es>
Date: Fri, 14 Mar 2025 14:33:53 +0100
Subject: [PATCH] vpn: refs #8748 - Final touch

---
 roles/ipsec/defaults/main.yml | 13 +++++++++
 roles/ipsec/files/charon      | 11 ++++++++
 roles/ipsec/tasks/ipsec.yml   | 50 +++++++++++++++++++++++++----------
 3 files changed, 60 insertions(+), 14 deletions(-)
 create mode 100644 roles/ipsec/files/charon

diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml
index fedeaef..c8b1cd0 100644
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@@ -14,3 +14,16 @@ config_ipsec_files:
   - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' }
   - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' }
   - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' }
+mangle_block: |
+  *mangle
+  :PREROUTING ACCEPT [0:0]
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  :POSTROUTING ACCEPT [0:0]
+  -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
+  -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
+  COMMIT
+config_and_logrotate:
+  - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
+  - { src: charon, dest: '/etc/logrotate.d/charon' }
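Review bot: The two `config_and_logrotate` entries leave `src` unquoted (`vn.conf`, `charon`) while every sibling entry in `config_ipsec_files` just above quotes its values; `- { src: 'vn.conf', dest: '/etc/strongswan.d/vn.conf' }` keeps the file consistent. They also carry no `mode`, unlike `config_ipsec_files`, so the task that loops over them has to apply one fixed mode to the strongswan configuration and the logrotate snippet alike; a per-item `mode: 'u=rw,g=r,o=r'` as in the list above would let the two differ later without touching the task.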
diff --git a/roles/ipsec/files/charon b/roles/ipsec/files/charon
new file mode 100644
index 0000000..9a05de0
--- /dev/null
+++ b/roles/ipsec/files/charon
@@ -0,0 +1,11 @@
+/var/log/strongswan/charon.log
+{
+	copytruncate
+	create 644 root root
+        rotate 10
+        weekly
+        missingok
+        notifempty
+        compress
+	delaycompress
+}
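Review bot: Indentation in the new logrotate stanza mixes tabs (`copytruncate`, `create`, `delaycompress`) with eight spaces on the other directives; pick one form, e.g. a single tab or four spaces, for every line. With `copytruncate` the original file is truncated in place rather than replaced, so as far as I can tell the `create 644 root root` line has no effect and can be dropped; if the intent was to control who may read charon.log, that has to be set where strongswan creates the file, which this patch does not touch. A 644 log from the IKE daemon may expose peer identities to every local user, so if a mode is set anywhere, `640` is the more usual choice.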
diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml
index a1ed9cd..37f63ce 100644
--- a/roles/ipsec/tasks/ipsec.yml
+++ b/roles/ipsec/tasks/ipsec.yml
@@ -6,6 +6,13 @@
     name: "{{ strongswan_requeriments }}"
     state: present
     install_recommends: no
+- name: Create directory /var/log/strongswan
+  file:
+    path: /var/log/strongswan
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
 - name: Insert certificates
   no_log: true
   copy:
@@ -30,13 +37,16 @@
     group: root
     mode: "{{ item.mode }}"
   loop: "{{ config_ipsec_files }}"
-- name: Copy Configure file
+  notify: restart-ipsec
+- name: Copy Configure file and logrotate Charon
   copy:
-    src: vn.conf
-    dest: /etc/strongswan.d/vn.conf
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: u=rw,g=r,o=r
+  loop: "{{ config_and_logrotate }}"
+  notify: restart-ipsec
 - name: IP forward as a router
   sysctl:
     name: net.ipv4.ip_forward
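Review bot: `notify: restart-ipsec` on the merged copy task fires for any item in the loop, so a change to the logrotate snippet alone restarts the VPN daemon, which a rotation config change does not require. Since the `config_ipsec_files` loop just above now notifies the same handler and already carries a per-item `mode`, the `vn.conf` entry could move into that list and this task could copy only the logrotate file with `notify` removed. The fixed `mode: u=rw,g=r,o=r` here also makes `vn.conf` world-readable, whereas the sibling list uses `u=r,g=,o=` for the files it treats as sensitive; whether vn.conf carries anything sensitive is not visible in this patch.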
@@ -47,17 +57,29 @@
 - name: Add iptables rules in rules.v4 file
   blockinfile:
     path: /etc/iptables/rules.v4
-    marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN MANGED"
-    block: |
-      *mangle
-      :PREROUTING ACCEPT [0:0]
-      :INPUT ACCEPT [0:0]
-      :FORWARD ACCEPT [0:0]
-      :OUTPUT ACCEPT [0:0]
-      :POSTROUTING ACCEPT [0:0]
-      -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-      -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360    
+    marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN"
+    block: "{{ mangle_block }}"
   register: iptables
 - name: Reload iptables rules
   command: netfilter-persistent reload
-  when: iptables.changed
\ No newline at end of file
+  when: iptables.changed
+- name: Get default IPv4 interface
+  command: ip -o -4 route show default
+  register: default_route
+- name: Extract interface default name
+  set_fact:
+    active_interface: "{{ default_route.stdout.split()[-1] }}"
+- name: Routing table for VPN
+  lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: "10 vpn"
+    state: present
+    regexp: "vpn"
+- name: Static routing rules to send VPN traffic directly to the firewall
+  lineinfile:
+    path: /etc/network/interfaces
+    insertafter: "dhcp"
+    line: "{{ item }}"
+    state: present
+  loop: "{{ static_routes }}"
+  
\ No newline at end of file
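Review bot: `default_route.stdout.split()[-1]` in the "Extract interface default name" task is not reliably the interface name: `ip -o -4 route show default` commonly appends `proto`, `src` and `metric` fields after `dev <name>`, so the last token can be a metric such as `100` rather than the device. Unless fact gathering is disabled for this play, both tasks can be replaced by `active_interface: "{{ ansible_default_ipv4.interface }}"`; if the `command` is kept, the token following `dev` has to be selected and the task needs `changed_when: false`, since a bare `command` reports changed on every run. `active_interface` is not consumed inside this hunk, so its use is presumably in `static_routes` or a template outside the patch. The looped `lineinfile` with `insertafter: "dhcp"` inserts each item directly after the last `dhcp` match, which as far as I can tell leaves the routes in reverse order of `static_routes`. The hunk also ends the file with a whitespace-only line and no trailing newline.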