🗣 Description
This pull request modifies the Ansible role to install ufw and set up NATing via the ufw configuration instead of directly using iptables.
💭 Motivation and Context
We previously set up NATing using iptables directly. Now that we are required to harden the OpenVPN AMI, it ends up with ufw installed. As a result, it makes more sense now to set up the NAT via ufw, so that all the firewall configuration is consolidated and ufw and the iptables-restore toolchain don't clobber each other.
Tangentially related to cisagov/openvpn-packer#24.
See also cisagov/openvpn-server-tf-module#40.
π§ͺ Testing
These changes have been used to deploy a working OpenVPN AMI to our staging COOL environment.
💥 Types of Changes
[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[x] Breaking change (causes existing functionality to change)
✅ Checklist
[x] My code follows the code style of this project.
[x] My change requires a change to the documentation.
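The ufw-side NAT setup described in this pull request, as an added example that is not the role's own code. ufw loads /etc/ufw/before.rules through iptables-restore, so the MASQUERADE rule goes into a `*nat` table in that file (ahead of the existing `*filter` section) instead of into a separately managed iptables-restore file; forwarding also has to be allowed with `DEFAULT_FORWARD_POLICY="ACCEPT"` in /etc/default/ufw and `net/ipv4/ip_forward=1` in /etc/ufw/sysctl.conf. The tunnel subnet 10.8.0.0/24, the egress interface eth0, the marker comments and the function names are assumptions made for the example; the functions take file paths so they can be exercised on copies before being run as root against the real files.

```shell
#!/bin/sh
# Added example, not the role's code. Renders the ufw NAT section for an
# OpenVPN client subnet and installs it idempotently into before.rules.
# Assumed (hypothetical) values: subnet 10.8.0.0/24, egress interface eth0.
set -eu

# Emit the *nat table block in iptables-restore syntax. ufw feeds
# /etc/ufw/before.rules to iptables-restore, so this is all it needs.
ufw_nat_block() {
  subnet="$1"; iface="$2"
  printf '%s\n' \
    '# BEGIN OPENVPN NAT (managed)' \
    '*nat' \
    ':POSTROUTING ACCEPT [0:0]' \
    "-A POSTROUTING -s ${subnet} -o ${iface} -j MASQUERADE" \
    'COMMIT' \
    '# END OPENVPN NAT (managed)'
}

# Insert the block into the before.rules file at $1, immediately before the
# first "*filter" line. A second run finds the marker and changes nothing,
# so re-applying the role never duplicates the rule.
ufw_install_nat() {
  rules="$1"; subnet="$2"; iface="$3"
  if grep -q '^# BEGIN OPENVPN NAT (managed)$' "$rules"; then
    return 0
  fi
  block=$(ufw_nat_block "$subnet" "$iface")
  awk -v blk="$block" '
    !done && /^\*filter/ { print blk; done = 1 }
    { print }
  ' "$rules" > "$rules.tmp"
  mv "$rules.tmp" "$rules"
}

# Set DEFAULT_FORWARD_POLICY in the /etc/default/ufw file at $1 so that
# forwarded (client -> internet) packets are not dropped by ufw's defaults.
ufw_allow_forward() {
  sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1" \
    > "$1.tmp"
  mv "$1.tmp" "$1"
}

# Enable IPv4 forwarding in the /etc/ufw/sysctl.conf file at $1 (appends the
# key if it is absent, otherwise rewrites the existing line).
ufw_enable_ip_forward() {
  if grep -q '^net/ipv4/ip_forward=' "$1"; then
    sed 's#^net/ipv4/ip_forward=.*#net/ipv4/ip_forward=1#' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
  else
    printf 'net/ipv4/ip_forward=1\n' >> "$1"
  fi
}
```

After running the three functions against the real files as root, `ufw reload` re-runs iptables-restore over before.rules and picks up the NAT table; because everything lives in ufw's own files, nothing outside ufw rewrites the nat table behind its back.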