
add vpn-gateway role

Blaine Story 3 년 전
부모
커밋
a144c97322

+ 11 - 12
group_vars/dhcp.yml

@@ -3,25 +3,24 @@ dns_primary: 1.1.1.1
 dns_secondary: 1.0.0.1
 dns_over_https: false
 
-gateway_server_ip: 192.168.122.2
-actual_gateway_ip: 192.168.122.1
+gateway_server_ip: 10.0.0.2
+actual_gateway_ip: 10.0.0.1
 wireguard_server_ip: 10.0.0.8 # static route to webers through this server
 # TODO split out static route in dhcpd.conf.j2 (currently hardcoded)
 
-dhcp_cidr: 192.168.122.0
+dhcp_cidr: 10.0.0.0
 dhcp_netmask: 255.255.255.0
-dhcp_range_start: 192.168.122.200
-dhcp_range_end: 192.168.122.230
+dhcp_range_start: 10.0.0.100
+dhcp_range_end: 10.0.0.200
 dhcp_routers: "{{ actual_gateway_ip }}"
 
-subnets:
-  - cidr: 192.168.122.0
-    netmask: 255.255.255.0 # /24
-    range_start: 192.168.122.200
-    range_end: 192.168.122.230
-    routers: 192.168.122.1
 allowed_access_cidrs:
-  - 192.168.122.0/24
+  - 10.0.0.0/24
+
+status_services:
+  - openvpn-client@proton
+  - unbound
+  - dhcpd
 
 
 reservations:
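Review bot: The comment on the `wireguard_server_ip` line still says the static route in `dhcpd.conf.j2` is hardcoded, and this hunk renumbers the subnet from 192.168.122.0/24 to 10.0.0.0/24 without that template appearing in the commit, so the route is likely still pointing at the old network; confirm it is derived from `wireguard_server_ip`/`dhcp_cidr` or update it in the same change. `status_services` also moved from host_vars/gateway-vm.yml into the `dhcp` group vars, so every host in that group — not only the gateway — will be expected to run `openvpn-client@proton`; if the group has other members this belongs in a `host_vars/gateway.yml` instead. The `reservations:` mapping continues past the end of the hunk.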

+ 0 - 4
host_vars/gateway-vm.yml

@@ -1,4 +0,0 @@
----
-status_services:
-  - dhcpd
-  - unbound

+ 9 - 5
plays/nodes/gateway.yml

@@ -1,9 +1,13 @@
 ---
-- hosts: gateway-vm
+- hosts: gateway
   gather_facts: true
   become: true
+  vars_files:
+    - "{{ inventory_dir }}/vars/vault.yaml"
   roles:
-  - role: name-resolution
-    tags: name-resolution
-  - role: statusservices
-    tags: statusservices
+    - role: name-resolution
+      tags: dhcp
+    - role: vpn-gateway
+      tags: vpn
+    - role: statusservices
+      tags: statusservices
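Review bot: The `name-resolution` role is now tagged `dhcp` rather than `name-resolution`, so any existing `--tags name-resolution` invocation silently matches nothing; keep both, `tags: [name-resolution, dhcp]`, or update the callers in the same commit. Loading `vault.yaml` through play-level `vars_files` also puts the vaulted credentials in scope for every role in the play, including `statusservices`, which has no need of them; consider loading the vault only where `vpn-gateway` consumes it so the secret's blast radius stays with that role.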

+ 4 - 0
roles/vpn-gateway/files/auto-configure-unbound.conf

@@ -0,0 +1,4 @@
+[Unit]
+Before=auto-configure-unbound.service
+Wants=auto-configure-unbound.service
+Requires=auto-configure-unbound.service
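Review bot: This drop-in is installed under `openvpn-client@.service.d/` (path set by roles/vpn-gateway/tasks/main.yml, outside this hunk), which applies it to every `openvpn-client@<name>` instance, yet the helper it pulls in is `BindsTo=openvpn-client@proton.service`; placing it in `openvpn-client@proton.service.d/` scopes it to the one instance that actually exists. `Requires=` alongside `Wants=` is redundant, and `Requires=` means an explicit `systemctl stop auto-configure-unbound` also tears down the VPN tunnel — `Wants=auto-configure-unbound.service` alone is the right strength for a best-effort helper.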

+ 113 - 0
roles/vpn-gateway/tasks/main.yml

@@ -0,0 +1,113 @@
+---
+- name: Enable EPEL repo
+  dnf:
+    name: epel-release
+    state: present
+  when:
+    - ansible_distribution == "CentOS"
+
+- name: Install openvpn
+  dnf:
+    name: openvpn
+    state: present
+
+- name: Create openvpn scripts directory
+  file:
+    path: /etc/openvpn/scripts
+    owner: root
+    group: openvpn
+    mode: '0750'
+    state: directory
+
+- name: Install update-resolv-conf script
+  template:
+    src: update-resolv-conf.j2
+    dest: /etc/openvpn/scripts/update-resolv-conf
+    owner: root
+    group: openvpn
+    mode: '0750'
+
+- name: Install ProtonVPN Config files
+  template:
+    src: "{{ file.src }}"
+    dest: /etc/openvpn/client/{{ file.dest }}
+    owner: root
+    group: openvpn
+    mode: "{{ file.mode }}"
+  loop_control:
+    label: "{{ file.dest }}"
+    loop_var: file
+  loop:
+    - { src: 'proton.conf.j2', dest: 'proton.conf', mode: '0640' }
+    - { src: 'proton-credentials.j2', dest: 'proton-credentials', mode: '0600' }
+  register: configs
+
+- name: Add service to auto configure Unbound on VPN restarts
+  template:
+    src: auto-configure-unbound.service.j2
+    dest: /etc/systemd/system/auto-configure-unbound.service
+    owner: root
+    group: root
+    mode: '0640'
+  register: auto_configure_unbound_service_file
+  when:
+    - ansible_hostname == 'gateway'
+
+- name: Ensure openvpn-client service.d folder exists
+  file:
+    path: /etc/systemd/system/openvpn-client@.service.d/
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+  when:
+    - ansible_hostname == 'gateway'
+
+- name: Add dependencies to openvpn service to fire off auto-configure-unbound.service
+  copy:
+    src: auto-configure-unbound.conf
+    dest: /etc/systemd/system/openvpn-client@.service.d/auto-configure-unbound.conf
+    owner: root
+    group: root
+    mode: '0640'
+  register: openvpn_auto_unbound_conf
+  when:
+    - ansible_hostname == 'gateway'
+
+- name: Add IP masquerading to drop zone
+  firewalld:
+    zone: drop
+    masquerade: 'yes' # requires quotes to keep from converting to type bool
+    permanent: yes
+    immediate: yes
+    state: enabled
+  when:
+    - ansible_hostname == 'gateway'
+
+- name: Add tun0 interface to drop zone
+  firewalld:
+    zone: drop
+    interface: tun0
+    permanent: yes
+    immediate: yes
+    state: enabled
+
+- name: Tweak kernel parameters
+  sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+    reload: yes
+  loop:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+    - net.ipv4.ip_forward
+
+- name: Restart/enable openvpn service
+  systemd:
+    name: openvpn-client@proton
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+  when: configs.changed or auto_configure_unbound_service_file.changed or openvpn_auto_unbound_conf.changed
+
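Review bot: The `Install ProtonVPN Config files` task renders `proton-credentials` (the VPN username and password) through `template` with `register: configs` and no `no_log`, so `ansible-playbook --diff` and the registered result print the plaintext credentials to the controller's output and any log aggregation; add `no_log: true` (or at minimum `diff: false`) to that task. Separately, `net.ipv4.ip_forward=1` is enabled unconditionally while masquerade is attached only to the `drop` zone holding tun0; nothing visible here prevents forwarded LAN traffic from leaving via the physical uplink when the tunnel is down, so unless the LAN interface's zone (not in this hunk) forbids forwarding, the gateway fails open rather than closed — a firewalld policy that permits forwarding only into the `drop` zone, or a direct rule rejecting FORWARD to the uplink, would make it fail closed. The `when: ansible_hostname == 'gateway'` guard is applied to the masquerade task but not to the tun0 and sysctl tasks that follow it; either all of these should be gated or none.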

+ 13 - 0
roles/vpn-gateway/templates/auto-configure-unbound.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=Tell Ansible on NAS to reconfigure Unbound for us
+After=openvpn-client@proton.service
+BindsTo=openvpn-client@proton.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "ssh root@nas bash -c 'cd /root/git/ansible && ansible-playbook --vault-password-file /root/.vaultpass -i /root/git/ansible/inventory /root/git/ansible/oneoffs/restart-vpn.yml'"
+RemainAfterExit=true
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
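Review bot: `ExecStart` gives the VPN gateway unattended (presumably key-based) `ssh root@nas` and then runs `ansible-playbook` as root on the NAS with `/root/.vaultpass`, so a compromise of the gateway — the host terminating a third-party tunnel and running `script-security 2` up/down scripts — becomes root on the control node plus possession of the vault password. Restrict that key on the NAS with a forced command, e.g. `command="/usr/local/sbin/restart-vpn",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` in `authorized_keys`, that runs only this playbook, ideally as a non-root account with a single sudoers entry. The inner quoting is also lost over ssh: the remote shell sees `bash -c cd /root/git/ansible && ansible-playbook …`, so `cd` runs in a throwaway bash and ansible-playbook executes from `$HOME`, which only works because every path is absolute (an `ansible.cfg` in that directory would not be picked up); a forced command sidesteps this too.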

+ 2 - 0
roles/vpn-gateway/templates/proton-credentials.j2

@@ -0,0 +1,2 @@
+{{ proton_user }}
+{{ proton_pass }}

+ 129 - 0
roles/vpn-gateway/templates/proton-sc.conf.j2

@@ -0,0 +1,129 @@
+# ==============================================================================
+# Copyright (c) 2016-2017 ProtonVPN A.G. (Switzerland)
+# Email: contact@protonvpn.com
+#
+# The MIT License (MIT)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+# ==============================================================================
+
+client
+dev tun
+proto udp
+
+remote 185.159.157.13 80
+remote 185.159.157.13 443
+remote 185.159.157.13 4569
+remote 185.159.157.13 1194
+remote 185.159.157.13 5060
+remote 185.159.157.54 80
+remote 185.159.157.54 443
+remote 185.159.157.54 4569
+remote 185.159.157.54 1194
+remote 185.159.157.54 5060
+remote 185.159.157.53 80
+remote 185.159.157.53 443
+remote 185.159.157.53 4569
+remote 185.159.157.53 1194
+remote 185.159.157.53 5060
+server-poll-timeout 20
+
+remote-random
+resolv-retry infinite
+nobind
+cipher AES-256-CBC
+auth SHA512
+comp-lzo no
+verb 3
+
+tun-mtu 1500
+tun-mtu-extra 32
+mssfix 1450
+persist-key
+persist-tun
+
+reneg-sec 0
+
+remote-cert-tls server
+auth-user-pass /etc/openvpn/client/proton-credentials
+pull
+fast-io
+
+script-security 2
+up /etc/openvpn/scripts/update-resolv-conf
+down /etc/openvpn/scripts/update-resolv-conf
+
+<ca>
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+</ca>
+
+key-direction 1
+<tls-auth>
+# 2048 bit OpenVPN static key
+-----BEGIN OpenVPN Static key V1-----
+6acef03f62675b4b1bbd03e53b187727
+423cea742242106cb2916a8a4c829756
+3d22c7e5cef430b1103c6f66eb1fc5b3
+75a672f158e2e2e936c3faa48b035a6d
+e17beaac23b5f03b10b868d53d03521d
+8ba115059da777a60cbfd7b2c9c57472
+78a15b8f6e68a3ef7fd583ec9f398c8b
+d4735dab40cbd1e3c62a822e97489186
+c30a0b48c7c38ea32ceb056d3fa5a710
+e10ccc7a0ddb363b08c3d2777a3395e1
+0c0b6080f56309192ab5aacd4b45f55d
+a61fc77af39bd81a19218a79762c3386
+2df55785075f37d8c71dc8a42097ee43
+344739a0dd48d03025b0450cf1fb5e8c
+aeb893d9a96d1f15519bb3c4dcb40ee3
+16672ea16c012664f8a9f11255518deb
+-----END OpenVPN Static key V1-----
+</tls-auth>
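Review bot: Nothing installs this file — the `Install ProtonVPN Config files` loop in roles/vpn-gateway/tasks/main.yml renders only `proton.conf.j2` and `proton-credentials.j2` — so this is a second, unreferenced copy of the Proton config pinned to raw 185.159.157.x endpoints that will drift from the one actually deployed; either add it to that loop or drop it from the role. If it is kept, `cipher AES-256-CBC` without a `data-ciphers` line is the deprecated form on OpenVPN ≥ 2.5, and the hardcoded endpoints mean a Proton IP change breaks it with no DNS fallback. The certificate body in the `<ca>` block appears truncated in this rendering; verify the committed file contains the full chain.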

+ 118 - 0
roles/vpn-gateway/templates/proton.conf.j2

@@ -0,0 +1,118 @@
+# ==============================================================================
+# Copyright (c) 2016-2020 Proton Technologies AG (Switzerland)
+# Email: contact@protonvpn.com
+#
+# The MIT License (MIT)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+# ==============================================================================
+
+client
+dev tun
+proto udp
+
+remote us.protonvpn.com 1194
+remote us.protonvpn.com 4569
+remote us.protonvpn.com 80
+remote us.protonvpn.com 443
+remote us.protonvpn.com 5060
+
+remote-random
+resolv-retry infinite
+nobind
+cipher AES-256-CBC
+auth SHA512
+comp-lzo no
+verb 3
+
+tun-mtu 1500
+tun-mtu-extra 32
+mssfix 1450
+persist-key
+persist-tun
+
+reneg-sec 0
+
+remote-cert-tls server
+auth-user-pass /etc/openvpn/client/proton-credentials
+pull
+fast-io
+
+script-security 2
+up /etc/openvpn/scripts/update-resolv-conf
+down /etc/openvpn/scripts/update-resolv-conf
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
+MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
+QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
+MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
+vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
+wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
+2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
+qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
+nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
+JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
+a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
+WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
+ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
+lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
+m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
+A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
+TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
+blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
+htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
+MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
+ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
+51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
+zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
+eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
+Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
+zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
+N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
+DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
+A1gTTlpi7A==
+-----END CERTIFICATE-----
+</ca>
+
+key-direction 1
+<tls-auth>
+# 2048 bit OpenVPN static key
+-----BEGIN OpenVPN Static key V1-----
+6acef03f62675b4b1bbd03e53b187727
+423cea742242106cb2916a8a4c829756
+3d22c7e5cef430b1103c6f66eb1fc5b3
+75a672f158e2e2e936c3faa48b035a6d
+e17beaac23b5f03b10b868d53d03521d
+8ba115059da777a60cbfd7b2c9c57472
+78a15b8f6e68a3ef7fd583ec9f398c8b
+d4735dab40cbd1e3c62a822e97489186
+c30a0b48c7c38ea32ceb056d3fa5a710
+e10ccc7a0ddb363b08c3d2777a3395e1
+0c0b6080f56309192ab5aacd4b45f55d
+a61fc77af39bd81a19218a79762c3386
+2df55785075f37d8c71dc8a42097ee43
+344739a0dd48d03025b0450cf1fb5e8c
+aeb893d9a96d1f15519bb3c4dcb40ee3
+16672ea16c012664f8a9f11255518deb
+-----END OpenVPN Static key V1-----
+</tls-auth>
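Review bot: `cipher AES-256-CBC` on its own is the pre-2.4 style; depending on which version EPEL ships for the target, OpenVPN 2.5+ logs a DEPRECATED OPTION warning and relies on NCP to pick the server-pushed cipher, and later releases tighten this further, so pin the allowed set explicitly: `data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` next to the existing line (plus `data-ciphers-fallback AES-256-CBC` if an old server must still be supported). Adding `tls-version-min 1.2` makes the control-channel floor explicit; `remote-cert-tls server`, `tls-auth` and `auth SHA512` are already present. The `<tls-auth>` static key is Proton's shared, published value rather than a per-user secret, so committing it is acceptable but it only provides control-channel DoS protection, not authentication.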

+ 71 - 0
roles/vpn-gateway/templates/update-resolv-conf.j2

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+#
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
+# and Chris Hanson
+# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
+# 07/2013 colin@daedrum.net Fixed intet name
+# 05/2006 chlauber@bnc.ch
+#
+# Example envs set from openvpn:
+# foreign_option_1='dhcp-option DNS 193.43.27.132'
+# foreign_option_2='dhcp-option DNS 193.43.27.133'
+# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'
+
+## The 'type' builtins will look for file in $PATH variable, so we set the
+## PATH below. You might need to directly set the path to 'resolvconf'
+## manually if it still doesn't work, i.e.
+## RESOLVCONF=/usr/sbin/resolvconf
+export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
+RESOLVCONF=$(type -p resolvconf)
+
+case $script_type in
+
+up)
+  for optionname in ${!foreign_option_*} ; do
+    option="${!optionname}"
+    echo $option
+    part1=$(echo "$option" | cut -d " " -f 1)
+    if [ "$part1" == "dhcp-option" ] ; then
+      part2=$(echo "$option" | cut -d " " -f 2)
+      part3=$(echo "$option" | cut -d " " -f 3)
+      if [ "$part2" == "DNS" ] ; then
+        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+      fi
+      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
+        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+      fi
+    fi
+  done
+  R=""
+  if [ "$IF_DNS_SEARCH" ]; then
+    R="search "
+    for DS in $IF_DNS_SEARCH ; do
+      R="${R} $DS"
+    done
+  R="${R}
+"
+  fi
+
+  for NS in $IF_DNS_NAMESERVERS ; do
+    R="${R}nameserver $NS
+"
+  done
+  #echo -n "$R" | $RESOLVCONF -x -p -a "${dev}"
+  echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet"
+  ;;
+down)
+  $RESOLVCONF -d "${dev}.inet"
+  ;;
+esac
+
+# Workaround / jm@epiclabs.io 
+# force exit with no errors. Due to an apparent conflict with the Network Manager
+# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
+# action correctly and OpenVPN shuts down.
+exit 0
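Review bot: `RESOLVCONF=$(type -p resolvconf)` is never checked and the trailing `exit 0` masks every failure, so on a host without a `resolvconf` binary (typical on CentOS/Fedora, where NetworkManager or systemd-resolved owns resolv.conf) the `up` branch expands to `echo -n "$R" | -x -a tun0.inet`, the pushed DNS servers are never applied, and the only trace is a "command not found" line buried in the openvpn log next to a clean exit — the gateway would keep resolving outside the tunnel. Add `[ -n "$RESOLVCONF" ] || { echo "update-resolv-conf: resolvconf not found, DNS not updated" >&2; exit 0; }` right after the assignment so the condition is at least explicit, and quote the log line as `echo "$option"`. Whether this script is wanted at all on a host where Unbound is the resolver (per `status_services`) deserves a one-line comment at the top of the template stating the intent.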

+ 3 - 0
roles/vpn-gateway/vars/main.yml

@@ -0,0 +1,3 @@
+---
+proton_user: "{{ vaulted_proton_user }}"
+proton_pass: "{{ vaulted_proton_pass }}"
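Review bot: Role `vars/main.yml` sits above inventory and host_vars in Ansible's precedence, so `proton_user`/`proton_pass` cannot be overridden per host or group and can only be changed by editing the vault variable names they point to; if the indirection is meant to be overridable, `defaults/main.yml` is the conventional home for it. Add a short comment above the two keys noting that `vaulted_proton_user`/`vaulted_proton_pass` are expected to come from the vault loaded in plays/nodes/gateway.yml, since an undefined lookup here fails only at template-render time.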