add support for openvpn up/down scripts

JanSkalny · Jan 24, 2019 · 3e820fb · 3e820fb
1 parent 7642dc3
commit 3e820fb
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 0 deletions.
diff --git a/openvpn-node/defaults/main.yml b/openvpn-node/defaults/main.yml
@@ -8,6 +8,7 @@ use_tls_key: false            # defines whether tls PSK is used to harden initia
 # tls_key_path:               # needs to be filled on per-group basis if use_tls_key is enabled. Expects path to TLS PSK
 enable_compresion: yes
 vpn_cipher: AES-256-CBC
+script_security: 2
 
 #### Fill following values in host/group vars
 # vpn_server:                 # VPN server address
@@ -16,3 +17,9 @@ vpn_cipher: AES-256-CBC
 # vpn_cert:                   # Mutliline PEM encoded host certficate
 # priv_key:                   # Mutliline PEM encoded private key
 ####
+
+#### Optional parameters
+# up_script_local:            # Local path to "up" script, "up" script is executed on openvpn service start
+# up_script_remote:           # Path where "up" script should be stored on remote machine
+# down_script_local:          # Local path to "down" script, "down" script is executed on openvpn service stop
+# down_script_remote:         # Path where "down" script should be stored on remote machine
diff --git a/openvpn-node/tasks/main.yml b/openvpn-node/tasks/main.yml
@@ -13,6 +13,28 @@
   notify:
     - restart openvpn
 
+- name: Upload "up" script
+  template:
+    src: "{{ up_script_local }}"
+    dest: "{{ up_script_remote }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=r,o=
+  when: up_script_local is defined
+  notify:
+    - restart openvpn
+
+- name: Upload "down" script
+  template:
+    src: "{{ down_script_local }}"
+    dest: "{{ down_script_remote }}"
+    owner: nobody
+    group: nogroup
+    mode: u=rwx,g=r,o=
+  when: down_script_local is defined
+  notify:
+    - restart openvpn
+
 - name: Enable openvpn as a service
   systemd:
     name: openvpn@{{ vpn_service_name }}

diff --git a/openvpn-node/templates/client.ovpn b/openvpn-node/templates/client.ovpn
@@ -9,6 +9,15 @@ group nogroup
 persist-key
 persist-tun
 cipher {{ vpn_cipher }}
+script-security {{ script_security }}
+
+{% if up_script_remote is defined %}
+up {{ up_script_remote }}
+{% endif %}
+
+{% if down_script_remote is defined %}
+down {{ down_script_remote }}
+{% endif %}
 
 <ca>
 {{ ca_cert }}

diff --git a/openvpn-node/templates/server.ovpn b/openvpn-node/templates/server.ovpn
@@ -19,6 +19,15 @@ persist-tun
 status /var/log/openvpn/openvpn-status.log
 verb 3
 explicit-exit-notify 1
+script-security {{ script_security }}
+
+{% if up_script_remote is defined %}
+up {{ up_script_remote }}
+{% endif %}
+
+{% if down_script_remote is defined %}
+down {{ down_script_remote }}
+{% endif %}
 
 <ca>
 {{ ca_cert }}