From 0ada56f0feeb8671db10a6563cde4b6462c9df20 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Mar 25 2024 20:19:04 +0000 Subject: Push os-public through OpenVPN In 7876bac9b553c4d72b93be7ec61ebdec19788984 the firewall rules were extended to grant VPN clients the same access to hosts in os-public as over the internet. Building on this, we push the os-public network as a route to VPN clients, making public services routed through the VPN if connected. This allows for access to network restricted areas of certain public services. Signed-off-by: Georg Pfuetzenreuter
---
diff --git a/salt/profile/vpn/openvpn/files/odin/etc/openvpn/includes/heroes_common_push.conf.jinja b/salt/profile/vpn/openvpn/files/odin/etc/openvpn/includes/heroes_common_push.conf.jinja
index 6e3822d..f403a4f 100644
--- a/salt/profile/vpn/openvpn/files/odin/etc/openvpn/includes/heroes_common_push.conf.jinja
+++ b/salt/profile/vpn/openvpn/files/odin/etc/openvpn/includes/heroes_common_push.conf.jinja
@@ -6,6 +6,8 @@ push "dhcp-option DOMAIN infra.opensuse.org"
 push "route-ipv6 2a07:de40:b27e:1100::/64" # os-thor
 push "route-ipv6 2a07:de40:b27e:1203::/64" # os-internal
+push "route-ipv6 2a07:de40:b27e:1204::/64" # os-public
 push "route-ipv6 2a07:de40:b27e:1205::/64" # os-mirror
-# os-public, os-salt, os-code are firewall blocked and not pushed on purpose
+# os-public is firewalled to only facilitate the same IP connectivity as over the internet, but we push it to allow for access to restricted services
+# os-salt, os-code, and others are firewall blocked and not pushed on purpose
 push "route-ipv6 2a07:de40:b27e:64::/96" # NAT64
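Review bot: The comment explaining why os-public is now pushed sits two lines below the route it describes, between the os-mirror and NAT64 entries, and the safety of the push depends on a firewall rule that lives outside this file. Moving it directly above the added `push "route-ipv6 2a07:de40:b27e:1204::/64"` line and naming the dependency, e.g. `# os-public: pushed so VPN clients reach network-restricted services; relies on the firewall rules from 7876bac9b553 limiting VPN clients to internet-equivalent access`, would make it harder for a later edit to loosen one side without the other. The rewritten exclusion line now says "and others", which no longer tells a reader which networks are deliberately withheld; listing them by name would keep that line usable as a check when routes are added. The hunk shows only IPv6 pushes, so whether any other path to these services bypasses the VPN, and with it the source-address restriction, cannot be judged from here.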