Update Algo VPN to Support Ubuntu 24.04 LTS #14812

@dguido

Overview

Algo VPN currently supports Ubuntu 20.04/22.04 LTS as primary platforms. With Ubuntu 24.04 LTS (Noble Numbat) now available, we should update support to use the latest LTS release as the default deployment target.

Current State Analysis

Supported Ubuntu Versions

  • Primary: Ubuntu 20.04/22.04 LTS (documented in CLAUDE.md)
  • Cloud Images: All cloud providers configured for Ubuntu 22.04 (config.cfg)
  • CI/CD: GitHub workflows run on ubuntu-22.04
  • Local Development: Vagrant uses bento/ubuntu-20.04

Version-Specific Code Dependencies

Several components have Ubuntu version-specific logic that needs updating:

  1. StrongSwan Service Name (roles/strongswan/defaults/main.yml:6):

    strongswan_service: "{{ 'strongswan-starter' if ansible_facts['distribution_version'] is version('20.04', '>=') else 'strongswan' }}"
  2. DNS Repository Configuration (roles/dns/tasks/ubuntu.yml:20):

    when: ansible_facts['distribution_version'] is version('20.04', '<')
  3. Python Version Requirements: Currently requires Python 3.11+ (updated recently)

Proposed Approach: Multipass-Based Development

Phase 1: Local Development Environment Setup

Create a multipass-based testing framework to enable rapid iteration:

# Launch Ubuntu 24.04 VM
multipass launch 24.04 --name algo-test --cpus 2 --memory 2G --disk 20G

# Mount local algo directory for development
multipass mount . algo-test:/home/ubuntu/algo

# Install cloud-init for automated provisioning
multipass exec algo-test -- sudo sh -c 'apt update && apt install -y cloud-init'

Phase 2: Core Components Testing

Test all Ubuntu-specific playbooks against 24.04:

Critical Playbooks to Update:

  • roles/common/tasks/ubuntu.yml - System configuration, package installation, firewall
  • roles/strongswan/tasks/ubuntu.yml - IPsec/IKEv2 setup
  • roles/dns/tasks/ubuntu.yml - DNS encryption (dnscrypt-proxy, dnsmasq)
  • roles/wireguard/tasks/ubuntu.yml - WireGuard VPN setup

Key Testing Areas:

  1. Package Availability: Verify all required packages exist in Ubuntu 24.04 repos
  2. Service Management: Confirm systemd service names and behaviors
  3. AppArmor Policies: Test DNS and VPN service confinement
  4. Firewall Rules: Validate iptables/netfilter persistence
  5. Certificate Generation: Test OpenSSL/community.crypto compatibility
  6. Network Configuration: Verify systemd-networkd integration

Phase 3: Cloud Provider Image Updates

Update all cloud provider configurations in config.cfg:

  • AWS: Update AMI IDs for Ubuntu 24.04
  • DigitalOcean: Change from ubuntu-22-04-x64 to ubuntu-24-04-x64
  • GCP: Update to ubuntu-2404-lts
  • Azure: Update to Ubuntu 24.04 LTS
  • All others: Update respective image identifiers

Phase 4: CI/CD Pipeline Updates

  • Update GitHub Actions workflows from ubuntu-22.04 to ubuntu-24.04
  • Update Vagrant box from bento/ubuntu-20.04 to bento/ubuntu-24.04
  • Update documentation references

Development Workflow

Multipass Testing Script

Create scripts/test-ubuntu-24.sh:

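#!/bin/bash
# Pick the VM name once; every expansion of $RANDOM yields a different value
VM_NAME="algo-test-$RANDOM"

# Launch test VM with Ubuntu 24.04
multipass launch 24.04 --name "$VM_NAME" --cpus 2 --memory 4G --disk 30G --cloud-init - <<EOF
#cloud-config
package_update: true
packages:
  - python3
  - python3-pip
users:
  - name: ubuntu
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - $(cat ~/.ssh/id_rsa.pub)
EOF

# Look up the VM's first IPv4 address (the name is passed to jq as a variable,
# because shell variables do not expand inside the single-quoted jq filter)
SERVER_IP=$(multipass info "$VM_NAME" --format json | jq -r --arg name "$VM_NAME" '.info[$name].ipv4[0]')

# Run Algo deployment against test VM
./algo deploy --provider local --server "$SERVER_IP"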

Automated Testing Matrix

Test against multiple scenarios:

  • Fresh Ubuntu 24.04 installation
  • Ubuntu 24.04 with existing services
  • Both WireGuard and IPsec enabled
  • IPv6 support enabled/disabled
  • Different DNS configurations

Potential Breaking Changes to Investigate

Package Changes

  • StrongSwan package structure in 24.04
  • Python cryptography library versions
  • OpenSSL version compatibility (likely 3.0+)
  • Systemd service unit changes

Security Updates

  • AppArmor policy format changes
  • Firewall default configurations
  • Certificate validation requirements

Network Stack Changes

  • Netplan configuration format
  • systemd-resolved behavior
  • IPv6 handling improvements

Testing Checklist

Functional Testing

  • VPN connection establishment (WireGuard + IPsec)
  • Certificate generation and validation
  • DNS resolution and encryption
  • Client configuration generation (iOS, Android, Windows, macOS)
  • User management (add/remove users)
  • Firewall rules application
  • Service persistence across reboots

Performance Testing

  • VPN throughput benchmarks
  • Connection establishment latency
  • Resource utilization (CPU, memory, network)

Security Testing

  • Certificate chain validation
  • DNS leak prevention
  • Traffic isolation between clients
  • AppArmor policy enforcement

Rollout Strategy

  1. Development Branch: Create feature/ubuntu-24.04-support branch
  2. Multipass Testing: Comprehensive local testing using multipass VMs
  3. Cloud Testing: Limited testing on select cloud providers
  4. Documentation Updates: Update all Ubuntu version references
  5. Staged Release: Make 24.04 available as option before making it default
  6. Migration Guide: Provide upgrade instructions for existing deployments

Benefits

  • Security: Latest LTS with 5 years of security updates (until 2029)
  • Performance: Improved system performance and resource utilization
  • Compatibility: Better hardware support and driver updates
  • Maintenance: Simplified maintenance with single supported Ubuntu version
  • Development: Faster local development cycle with multipass integration

Risks and Mitigation

  • Compatibility Issues: Mitigated by comprehensive multipass testing
  • Cloud Provider Lag: Some providers may not have 24.04 images ready
  • User Migration: Provide clear upgrade documentation and transition period
  • Regression Risks: Maintain parallel 22.04 support during transition

Acceptance Criteria

  • All existing functionality works on Ubuntu 24.04
  • Cloud provider deployments successful across all supported platforms
  • Client compatibility maintained (iOS, Android, Windows, macOS, Linux)
  • Performance benchmarks meet or exceed Ubuntu 22.04 baseline
  • Security posture maintained or improved
  • Documentation updated with 24.04 requirements
  • Migration path documented for existing deployments
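
An added example, not part of the issue or of Algo's own code: one way to check Phases 3 and 4 and the "Documentation Updates" rollout step is to scan a checkout for leftover 20.04/22.04 references in the identifier styles the issue lists. The function names, the regular expression and the sample file contents are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: find leftover pre-24.04 Ubuntu references in a checkout.

# Matches 20.04/22.04 in the styles named in the issue: ubuntu-22.04,
# ubuntu-22-04-x64, ubuntu-2204-lts, "Ubuntu 22.04", bento/ubuntu-20.04.
STALE_RE='[Uu]buntu[-_ /]?(20|22)[-._]?04'

# Print "file:line:text" for every stale reference under directory $1.
# -I skips binary files; .git is excluded, but hidden dirs like .github are scanned.
find_stale_refs() {
  grep -rnEI --exclude-dir=.git "$STALE_RE" "$1" || true
}

# Print the number of stale references (0 means the tree is clean).
count_stale_refs() {
  find_stale_refs "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree; file contents are made up for this demo.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  printf 'image: ubuntu-22-04-x64\nimage: ubuntu-24-04-x64\n' > "$dir/config.cfg"
  printf 'runs-on: ubuntu-22.04\n' > "$dir/.github/workflows/main.yml"
  printf 'config.vm.box = "bento/ubuntu-20.04"\n' > "$dir/Vagrantfile"
  printf 'Deploys to Ubuntu 24.04 LTS\n' > "$dir/README.md"
  echo "$dir"
}

# Demo on the constructed tree; point find_stale_refs at a real checkout instead.
sample=$(make_sample_tree)
find_stale_refs "$sample"
echo "stale references: $(count_stale_refs "$sample")"
rm -rf "$sample"
```

Version gates such as `version('20.04', '>=')` are deliberately not matched, since they are comparisons rather than image or runner identifiers and need manual review.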
