From c31a28c88a7ae3ed49a4cb1c20bdeda3d1f0a86c Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Wed, 19 Feb 2020 09:03:56 -0300
Subject: [PATCH 1/9] implementation of IPv6 support
---
 defaults/main.yml | 7 +++++++
 tasks/system/forwarding.yml | 9 +++++++++
 templates/server.conf.j2 | 16 ++++++++++++++++
 3 files changed, 32 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 089392c..d4d6c84 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -80,6 +80,13 @@ openvpn_route_traffic: false
 # Whether to create an iptables rule to allow connections to the openvpn server.
 openvpn_open_firewall: true
 
+# Listening also for IPv6
+openvpn_ipv6_enabled: false
+
+openvpn_ipv6_route_ranges: []
+# - 2000:1::/64
+# - 2000:3::/64
+
+# The interface that traffic will come in from. This is used when creating
 # firewall rules to allow the vpn server to successfully forward traffic (see
 # `openvpn_route_traffic`). The interface you specify here will limit these
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 5690068..6cb0020 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -8,3 +8,12 @@
     state: present
     reload: true
   when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
+
+- name: Set IPv6 forwarding in the sysctl file and reload if necessary
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+  when: openvpn_ipv6_server is defined
\ No newline at end of file
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 21668e7..b50a4f3 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -14,6 +14,10 @@ port {{ openvpn_port }}
 
 # TCP or UDP server?
 proto {{ openvpn_proto }}
+% if openvpn_ipv6_enabled %}
+proto {{ openvpn_proto }}6
+{% endif %}
+
 {% if openvpn_portshare is defined %}
 # Port sharing
 port-share 127.0.0.1 {{ openvpn_portshare }}
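Review bot: The new task switches on `net.ipv6.conf.all.forwarding` with no IPv6 counterpart to the role's iptables handling — the only firewall code visible in this series is the `iptables-persistent`/`netfilter-persistent` save handlers — so a host that starts forwarding IPv6 depends entirely on whatever ip6tables policy already exists there. On Linux, setting `forwarding=1` under `all` also stops the kernel from honouring router advertisements unless `accept_ra` is `2`, so a server that got its own address via SLAAC can lose IPv6 connectivity the moment this task runs; that deserves a comment above the task, e.g. `# NOTE: forwarding=1 disables RA processing unless accept_ra=2; ip6tables rules are not managed here`. Both points apply to every later revision of this task in the series (patches 6–9).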
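Review bot: `proto {{ openvpn_proto }}6` yields an invalid directive when `openvpn_proto` is `tcp-server` or `tcp-client`: OpenVPN's IPv6 protocol names are `tcp6-server`/`tcp6-client`, not `tcp-server6`. A second `proto` line also does not add a listener — OpenVPN keeps the last occurrence — so with IPv6 enabled the first `proto` line is dead and IPv4 reachability silently depends on `udp6`/`tcp6-*` binding dual-stack on the installed version. Emit a single `proto` line whose value is mapped explicitly (`udp` → `udp6`, `tcp-server` → `tcp6-server`, `tcp-client` → `tcp6-client`) when `openvpn_ipv6_enabled` is set; the `dev {{ openvpn_dev }}-ipv6` hunk on the next line has the same last-wins problem, and since one tun device carries both address families that block can be dropped entirely.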
@@ -31,6 +35,9 @@ cipher {{ openvpn_cipher }}
 # most systems, the VPN will not function unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
+{% if openvpn_ipv6_enabled %}
+dev {{ openvpn_dev }}-ipv6
+{% endif %}
 
 # SSL/TLS root certificate (ca), certificate (cert), and private key (key).
 # Each client and the server must have their own cert and key file. The server
@@ -73,6 +80,11 @@ topology {{ openvpn_topology }}
 # 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
 # page for more info.
 server {{ openvpn_server }}
+{% if openvpn_ipv6_enabled and openvpn_ipv6_server is defined %}
+server-ipv6 {{ openvpn_ipv6_server }}
+ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}
+push "route-ipv6-default {{ openvpn_ipv6_route_default }}"
+{% endif %}
 {% endif %}
 {% if openvpn_bridge %}
 # Configure server mode for ethernet bridging.
@@ -190,3 +202,7 @@ push "dhcp-option DNS {{ dns }}"
 {% for push_route in openvpn_route_ranges %}
 push "route {{ push_route }}"
 {% endfor %}
+
+{% for push_route_ipv6 in openvpn_ipv6_route_ranges %}
+push "route-ipv6 {{ push_route_ipv6 }}"
+{% endfor %}
\ No newline at end of file
From 734f8ebb5267b766903e60254ee31a6050310040 Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Thu, 27 Feb 2020 11:05:19 -0300
Subject: [PATCH 2/9] Fix Travis errors
---
 defaults/main.yml | 8 ++++++--
 tasks/system/forwarding.yml | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index d4d6c84..ddf5d12 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -81,7 +81,11 @@ openvpn_route_traffic: false
 openvpn_open_firewall: true
 
 # Listening also for IPv6
-openvpn_ipv6_enabled: false
+openvpn_ipv6_enabled: false
+
+openvpn_ipv6_server: # 2001:1::/64
+openvpn_ipv6_ifconfig: # 2001:1:1 2001:1::2
+openvpn_ipv6_route_default: # 2001:1::1
 
 openvpn_ipv6_route_ranges: []
 # - 2000:1::/64
@@ -231,4 +235,4 @@ openvpn_inline_scripts: []
 
 # NOTE The role also comes with `up` and `down` scripts that are used if you
 # enable bridge configuration (see `openvpn_bridge`). These are handled by the
-# bridge-specific tasks.
+# bridge-specific tasks.
\ No newline at end of file
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 6cb0020..f5c6141 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -16,4 +16,5 @@
     sysctl_set: true
     state: present
     reload: true
-  when: openvpn_ipv6_server is defined
\ No newline at end of file
+  when: openvpn_ipv6_server is defined
+
\ No newline at end of file
From 88e7bb192fd9ee1b01a1907b2e0c0d7bd0291a50 Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Wed, 4 Mar 2020 08:21:05 -0300
Subject: [PATCH 3/9] Fix Molecule failures
---
 defaults/main.yml | 11 ++++++++---
 tasks/system/forwarding.yml | 1 -
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index d0c50fd..5611b23 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -83,9 +83,14 @@ openvpn_open_firewall: true
 # Listening also for IPv6
 openvpn_ipv6_enabled: false
 
-openvpn_ipv6_server: # 2001:1::/64
-openvpn_ipv6_ifconfig: # 2001:1:1 2001:1::2
-openvpn_ipv6_route_default: # 2001:1::1
+openvpn_ipv6_server: ''
+# 2001:1::/64
+
+openvpn_ipv6_ifconfig: ''
+# 2001:1:1 2001:1::2
+
+openvpn_ipv6_route_default: ''
+# 2001:1::1
 
 openvpn_ipv6_route_ranges: []
 # - 2000:1::/64
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index f5c6141..6fdd0c2 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -17,4 +17,3 @@
     state: present
     reload: true
   when: openvpn_ipv6_server is defined
-
\ No newline at end of file
From 30bf129cde2e5666390d77afe114b26be21d4918 Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Mon, 30 Mar 2020 10:45:52 -0300
Subject: [PATCH 4/9] Fix \n in server.conf
---
 templates/server.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index b50a4f3..94dc88a 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -4,7 +4,8 @@
 {% if openvpn_local is defined -%}
 local {{ openvpn_local }}
 {% else -%}
-;local a.b.c.d {% endif %}
+;local a.b.c.d
+{% endif %}
 
 # Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
 # OpenVPN instances on the same machine, use a different port number for each
From 1fc9a770c0d406c754e6afeace34bda674b8b0e1 Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Mon, 30 Mar 2020 11:13:50 -0300
Subject: [PATCH 5/9] Fix \n in server.conf
---
 templates/server.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 94dc88a..b547e0b 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -15,7 +15,7 @@ port {{ openvpn_port }}
 
 # TCP or UDP server?
 proto {{ openvpn_proto }}
-% if openvpn_ipv6_enabled %}
+{% if openvpn_ipv6_enabled %}
 proto {{ openvpn_proto }}6
 {% endif %}
 
From 0e51e638fd5bd31a0216e22712c7edeb9d3f76b2 Mon Sep 17 00:00:00 2001
From: Victor Torterola
Date: Mon, 20 Apr 2020 15:47:02 -0300
Subject: [PATCH 6/9] Fix error for compile Molecule
---
 handlers/main.yml | 4 ++--
 tasks/openvpn.yml | 2 --
 tasks/system/forwarding.yml | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 7eec5fe..39c28da 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,14 +23,14 @@
   command: /etc/init.d/iptables-persistent save
   when:
     - ansible_os_family == "Debian"
-    - ansible_lsb.codename == "trusty"
+    - ansible_distribution_release == "trusty"
   listen: openvpn save iptables
 
 - name: Save the rules (Ubuntu)
   command: netfilter-persistent save
   when:
     - ansible_os_family == "Debian"
-    - ansible_lsb.codename != "trusty"
+    - ansible_distribution_release != "trusty"
   listen: openvpn save iptables
 
 - name: Restart OpenVPN service
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
index 196d9cc..e008ef4 100644
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@@ -42,6 +42,4 @@
 
 - include_tasks: "system/bridge/{{ ansible_os_family }}.yml"
 
-- include_tasks: "system/bridge/{{ ansible_os_family }}.yml"
-
 - include_tasks: service.yml
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 6fdd0c2..9ba6ab3 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -16,4 +16,4 @@
     sysctl_set: true
     state: present
     reload: true
-  when: openvpn_ipv6_server is defined
+  when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool and openvpn_ipv6_server is defined
From c1cbc8c419dbb85091151304e87d41ddfdfe60db Mon Sep 17 00:00:00 2001
From: santiagomr
Date: Fri, 8 May 2020 15:48:15 -0300
Subject: [PATCH 7/9] Requested changes - Ansible linter improvements
---
 defaults/main.yml | 3 ---
 tasks/system/forwarding.yml | 6 ++++--
 templates/server.conf.j2 | 32 ++++++++++++++++----------------
 3 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 5611b23..b58f243 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -89,9 +89,6 @@ openvpn_ipv6_server: ''
 openvpn_ipv6_ifconfig: ''
 # 2001:1:1 2001:1::2
 
-openvpn_ipv6_route_default: ''
-# 2001:1::1
-
 openvpn_ipv6_route_ranges: []
 # - 2000:1::/64
 # - 2000:3::/64
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 9ba6ab3..8d1a73a 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Set ip forwarding in the sysctl file and reload if necessary
+- name: Set IPv4 forwarding in the sysctl file and reload if necessary
   sysctl:
     name: net.ipv4.ip_forward
     value: '1'
@@ -16,4 +16,6 @@
     sysctl_set: true
     state: present
     reload: true
-  when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool and openvpn_ipv6_server is defined
+  when:
+    not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
+    and openvpn_ipv6_server is defined
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index b547e0b..9702728 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -4,7 +4,7 @@
 {% if openvpn_local is defined -%}
 local {{ openvpn_local }}
 {% else -%}
-;local a.b.c.d
+;local a.b.c.d
 {% endif %}
 
 # Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
@@ -15,7 +15,7 @@ port {{ openvpn_port }}
 
 # TCP or UDP server?
 proto {{ openvpn_proto }}
-{% if openvpn_ipv6_enabled %}
+{% if openvpn_ipv6_enabled | bool %}
 proto {{ openvpn_proto }}6
 {% endif %}
 
@@ -36,7 +36,7 @@ cipher {{ openvpn_cipher }}
 # most systems, the VPN will not function unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
-{% if openvpn_ipv6_enabled %}
+{% if openvpn_ipv6_enabled | bool %}
 dev {{ openvpn_dev }}-ipv6
 {% endif %}
 
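Review bot: The multi-line `when:` in the second forwarding.yml hunk is a plain scalar that YAML folds into a single string before Jinja sees it; it evaluates correctly, but the fold is invisible and the indented `and` reads like YAML structure rather than part of one expression. The conventional Ansible form is a list, whose entries are AND-ed and can be read and reviewed one condition at a time: `when:` / `  - not lookup('env', 'IN_MOLECULE') | d(true, true) | bool` / `  - openvpn_ipv6_server is defined`. The same shape is carried forward by the later patches that edit this block.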
@@ -81,12 +81,12 @@ topology {{ openvpn_topology }}
 # 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
 # page for more info.
 server {{ openvpn_server }}
-{% if openvpn_ipv6_enabled and openvpn_ipv6_server is defined %}
+{% if openvpn_ipv6_enabled | bool and openvpn_ipv6_server | length > 0 %}
 server-ipv6 {{ openvpn_ipv6_server }}
-ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}
-push "route-ipv6-default {{ openvpn_ipv6_route_default }}"
+{% if openvpn_ipv6_ifconfig | length > 0 %}ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}{% endif %}
 {% endif %}
 {% endif %}
+
 {% if openvpn_bridge %}
 # Configure server mode for ethernet bridging.
 # You must first use your OS's bridging capability
@@ -117,7 +117,7 @@ ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
 # over the link so that each side knows when the other side has gone down. Ping
 # every 10 seconds, assume that remote peer is down if no ping received during
 # a 120 second time period.
-{%- if openvpn_keepalive != '' %}
+{%- if openvpn_keepalive | length > 0 %}
 keepalive {{ openvpn_keepalive }}
 {% endif %}
 
@@ -136,7 +136,7 @@ persist-tun
 
 # Output a short status file showing current connections, truncated and
 # rewritten every minute.
-status {{openvpn_status}}
+status {{ openvpn_status }}
 
 # By default, log messages will go to the syslog (or on Windows, if running as
 # a service, they will go to the "\Program Files\OpenVPN\log" directory). Use
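Review bot: With `openvpn_ipv6_enabled` true but `openvpn_ipv6_server` left at its default `''`, the rewritten condition in the first hunk skips `server-ipv6`, while the `proto …6` and `dev …-ipv6` blocks earlier in this patch are still emitted on `openvpn_ipv6_enabled | bool` alone, so the rendered config advertises IPv6 transport with no IPv6 pool behind it. Either all three blocks should test the same condition, or an `assert` task should fail the play when `openvpn_ipv6_enabled` is set without a server prefix, rather than letting OpenVPN decide at start-up. Separately, `server-ipv6` is OpenVPN's convenience helper for `ifconfig-ipv6`/`ifconfig-ipv6-pool`, so the inline `ifconfig-ipv6` line may be redundant or conflict with it — confirm the combination is accepted by the target OpenVPN version before keeping it. The outer `{% if %}` whose `{% endif %}` appears as context here starts above this hunk.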
@@ -144,28 +144,28 @@ status {{openvpn_status}}
 # on OpenVPN startup, while "log-append" will append to it. Use one or the
 # other (but not both).
 ;log openvpn.log
-log-append {{openvpn_log}}
+log-append {{ openvpn_log }}
 
 # Set the appropriate level of log file verbosity.
 #
 # 0 is silent, except for fatal errors 4 is reasonable for general usage 5 and
 # 6 can help to debug connection problems 9 is extremely verbose
-verb {{openvpn_verb}}
+verb {{ openvpn_verb }}
 
 # The maximum number of concurrently connected clients we want to allow.
-max-clients {{openvpn_max_clients}}
+max-clients {{ openvpn_max_clients }}
 
 # It's a good idea to reduce the OpenVPN daemon's privileges after
 # initialization.
 #
 # You can uncomment this out on non-Windows systems.
 {% if openvpn_user -%}
-user {{openvpn_user}}
+user {{ openvpn_user }}
 {% else -%}
 ;user nobody
 {% endif %}
 {% if openvpn_group -%}
-group {{openvpn_group}}
+group {{ openvpn_group }}
 {% else -%}
 group nogroup
 {% endif %}
@@ -176,7 +176,7 @@ client-to-client
 
 {% if openvpn_use_pam %}
 client-cert-not-required
-plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
+plugin {{ openvpn_use_pam_plugin | default(openvpn_use_pam_plugin_distribution) }} openvpn
 {% endif %}
 
 {% if openvpn_use_ldap %}
@@ -189,7 +189,7 @@ script-security 3 execve
 {% endif %}
 
 {% for option in openvpn_server_options %}
-{{option}}
+{{ option }}
 {% endfor %}
 
 {% if crl_pem_file.stat.exists %}
@@ -206,4 +206,4 @@ push "route {{ push_route }}"
 
 {% for push_route_ipv6 in openvpn_ipv6_route_ranges %}
 push "route-ipv6 {{ push_route_ipv6 }}"
-{% endfor %}
\ No newline at end of file
+{% endfor %}
\ No newline at end of file
From 9ec969d3e9cece8bc95accb502d1f5b2218a11ba Mon Sep 17 00:00:00 2001
From: santiagomr
Date: Tue, 19 May 2020 12:42:26 -0300
Subject: [PATCH 8/9] Fix #159 IP forwarding when deploying
---
 tasks/system/forwarding.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 8d1a73a..21df49e 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -7,7 +7,7 @@
     sysctl_set: true
     state: present
     reload: true
-  when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
+  when: not lookup('env', 'IN_MOLECULE') | d(false, true) | bool
 
 - name: Set IPv6 forwarding in the sysctl file and reload if necessary
   sysctl:
@@ -17,5 +17,5 @@
     state: present
     reload: true
   when:
-    not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
+    not lookup('env', 'IN_MOLECULE') | d(false, true) | bool
     and openvpn_ipv6_server is defined
From 9995f24c0879f2277a8a0f7b9e95569ed8a68d49 Mon Sep 17 00:00:00 2001
From: santiagomr
Date: Tue, 19 May 2020 17:31:22 -0300
Subject: [PATCH 9/9] IPv6 forwarding only if the VPN server manages an IPv6 subnet
---
 tasks/system/forwarding.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
index 21df49e..357d26c 100644
--- a/tasks/system/forwarding.yml
+++ b/tasks/system/forwarding.yml
@@ -18,4 +18,4 @@
     reload: true
   when:
     not lookup('env', 'IN_MOLECULE') | d(false, true) | bool
-    and openvpn_ipv6_server is defined
+    and openvpn_ipv6_server | length > 0
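Review bot: The corrected guard `not lookup('env', 'IN_MOLECULE') | d(false, true) | bool` is right but opaque — a reader has to know that an unset environment variable comes back as an empty string, that the second argument of `d()` makes the empty string count as undefined, and that the default therefore decides whether forwarding is ever enabled on a real host (the bug this patch fixes). A comment above each of the two `when:` lines would stop the next maintainer from "simplifying" it back to `d(true, true)`, e.g. `# IN_MOLECULE is only exported by the test harness; an empty value counts as unset (d(false, true)), so on real hosts this evaluates to true`. The second hunk has the same expression and should carry the same comment.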
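Review bot: The IPv6 forwarding task now keys only on `openvpn_ipv6_server | length > 0`, whereas the template (patch 7) emits `server-ipv6` only when `openvpn_ipv6_enabled | bool` is also true, so a host with `openvpn_ipv6_enabled: false` and a leftover `openvpn_ipv6_server` value gets system-wide IPv6 forwarding for a feature that is switched off. Mirror the template's gate by adding a third condition, `and openvpn_ipv6_enabled | bool`, alongside `and openvpn_ipv6_server | length > 0`. Because the sysctl is `net.ipv6.conf.all.forwarding`, enabling it turns the whole host into an IPv6 router rather than just the VPN interface, which is why the gate should be as tight as the template's. The task's remaining lines are above this hunk.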