less MASQ

docker-compose.yml

@@ -204,6 +204,7 @@ services:
     environment:
       - CONFIG=${SF_CRYPTOSTORM_CONFIG:-}
       - PROVIDER=CryptoStorm
+      - NETWORK=${SF_NET_LG}
       - DNS=1.1.1.1 # Cryptostorm's DNS is often broken
       - POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-cryptostorm.log up %i
       - PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-cryptostorm.log down %i
@@ -297,6 +298,8 @@ services:
       - NET_ADMIN #required
     environment:
       - SF_REDIS_AUTH=${SF_REDIS_AUTH}
+      - NET_LG=${SF_NET_LG:?}
+      - NET_VPN_ROUTER_IP=${SF_NET_VPN_ROUTER_IP:?}
       - SF_NOVPN_IP=${SF_NOVPN_IP}
       - SF_DIRECT
       - SF_DEBUG

router/init-novpn.sh

@@ -38,9 +38,10 @@ SFVPN_EXIT_IP=\"${exit_ip:-333.1.2.3}\"\n" >"${LOGFNAME}"
 
 touch "/config/guest/vpn_status.direct"
 
+ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"
 # All outgoing needs to be MASQ'ed.
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 # Keep 1 process alive so that we can use `nsenter` to enter this network namespace
-[[ -z $SF_DEBUG ]] && exit 0
-exec -a '[novpn-sleep]' sleep infinity
+# [[ -z $SF_DEBUG ]] && exit 0
+exec -a '[novpn-sleep]' sleep infinity

router/init.sh

@@ -174,7 +174,7 @@ monitor_failover()
 {
 	local status_sha
 
-	[[ -z $SF_DIRECT ]] && {
+	[[ -n $SF_DIRECT ]] && {
 		exec -a '[novpn-sleep]' sleep infinity
 		exit 255 # NOT REACHED
 	}
@@ -425,11 +425,12 @@ iptables -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}"
 iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}" -j MARK --set-mark 22
 # -----END GSNC traffic is routed via Internet----
 
-# MASQ all traffic because the VPN/TOR instances dont know the route back
-# to sf-guest (169.254.224/20).
-iptables -t nat -A POSTROUTING -o "${DEV_GW}" -j MASQUERADE
-# MASQ SSHD's forward to user's server
-iptables -t nat -A POSTROUTING -s "${SSHD_IP}" -o "${DEV_LG}" -j MASQUERADE
+# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
+iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
+# DNSMASQ does not know route back to LG => MASQ is here.
+iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
+# MASQ all traffic from NON-LG's (the VPN/TOR/DNS dont know the route back to them).
+# iptables -t nat -A POSTROUTING ! -s "${NET_LG}" -o "${DEV_GW}" -j MASQUERADE
 # MASQ GSNC to (direct) Internet
 iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
 # MASQ traffic from TOR to DMZ (nginx)
@@ -449,7 +450,7 @@ echo -e >&2 "FW: SUCCESS"
 echo -e >&2 "TC: SUCCESS"
 
 set +e
-# By default go via DIRECTO or TOR + VPN until vpn_status exists
+# By default go via DIRECT or TOR + VPN until vpn_status exists
 use_other
 monitor_failover
 

sfbin/vpn_wg2status.sh

@@ -120,7 +120,9 @@ SFVPN_EXIT_IP=\"${exit_ip:-333.1.2.3}\"\n" >"${LOGFNAME}"
 
 	create_vpn_status
 
-	# For Reverse Port Forward:
+	# Old cryptostorm containers set a network route to default IP.
+	# Remote old one as we need to route to SF_ROUTER_IP instead.
+	ip route del 10.11.0.0/24 2>/dev/null
 	ip route add 10.11.0.0/16 via "${SF_ROUTER_IP}" 2>/dev/null
 
 	# Delete all old port forwards.