From a72fe0cbdfc37bcc1fd289ae08def3c9c8353491 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 23 Sep 2015 03:16:32 +0700 Subject: [PATCH 01/18] Make it usable, tested, using in production --- .bumpversion.cfg | 2 +- CONTRIBUTORS | 2 -- defaults/main.yml | 10 ++++++++-- handlers/main.yml | 7 ++++++- tasks/configure.yml | 32 +++++++++++++------------------ templates/build-server.sh.j2 | 6 +++++- templates/revoke-client.sh.j2 | 4 +++- templates/server.conf.j2 | 36 +++++++++++++++++++---------------- 8 files changed, 56 insertions(+), 43 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 70336e6..d539a30 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,6 +1,6 @@ [bumpversion] commit = True -current_version = 2.0.4 +current_version = 2.0.2 tag = True tag_name = {new_version} diff --git a/CONTRIBUTORS b/CONTRIBUTORS index b8f9e97..5b742e9 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -3,10 +3,8 @@ Contributors: * Kirill Klenov (http://klen.github.io/) * Adam Kunicki (https://github.com/kunickiaj) -* Adham Helal (https://github.com/ahelal) * Jason Bond Pratt (https://github.com/juniorplenty) * Mahmoud Abdelkader (https://github.com/mahmoudimus) -* Marcelo Anton (https://github.com/mbanton) * Michael Frister (https://github.com/meeee) * Thomas Krille (https://github.com/tkrille) * https://github.com/teadur diff --git a/defaults/main.yml b/defaults/main.yml index 6daba2d..6bba82f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,11 @@ openvpn_port: 1194 openvpn_proto: udp openvpn_dev: tun openvpn_server: 10.8.0.0 255.255.255.0 # Set empty for skip +openvpn_push_nets: [] +openvpn_dns: [] +openvpn_topology: subnet # Recommended topology but + # brake compatibility with old Windows + # net30 - legacy topology openvpn_max_clients: 100 openvpn_log: /var/log/openvpn.log # Log's directory openvpn_keepalive: "10 120" 
@@ -22,7 +27,7 @@ openvpn_user: nobody openvpn_group: nogroup openvpn_resolv_retry: infinite openvpn_client_to_client: yes -openvpn_server_options: [] # Additional server options +openvpn_server_options: [duplicate-cn] # Additional server options # openvpn_server_options: # - dev-node MyTap # - client-to-client @@ -43,7 +48,8 @@ openvpn_clients_revoke: [] # Revoke clients certificates # Use PAM authentication openvpn_use_pam: yes -openvpn_use_pam_users: [] # If empty use system users +openvpn_disable_cert: no +#openvpn_use_pam_users: [] # If empty use system users # otherwise use users from the option # openvpn_use_pam_users: # - { name: user, password: password } diff --git a/handlers/main.yml b/handlers/main.yml index 71ddb38..92c89b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,6 +4,11 @@ service: name=openvpn state=restarted - name: openvpn pack clients - command: tar cvzf {{openvpn_keydir}}/{{item.item}}.tar.gz -C {{openvpn_keydir}} {{item.item}}.crt {{item.item}}.key {{item.item}}.ovpn ca.crt + command: zip -j --password $ecured_vpn {{openvpn_keydir}}/{{item.item}} {{openvpn_keydir}}/{{item.item}}.crt {{openvpn_keydir}}/{{item.item}}.ovpn {{openvpn_keydir}}/{{item.item}}.key {{openvpn_keydir}}/ca.crt when: item.changed with_items: openvpn_clients_changed.results + +- name: openvpn copy pack clients + fetch: src={{openvpn_keydir}}/{{item.item}}.zip dest=vpn_keys/{{item.item}}.zip flat=yes + when: item.changed + with_items: openvpn_clients_changed.results \ No newline at end of file diff --git a/tasks/configure.yml b/tasks/configure.yml index 3ad9eb1..c224124 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,4 @@ --- -- name: Ensure openvpn key dir has the right permission - file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}} - name: Extract easy-rsa files unarchive: src=easy-rsa.tar.gz dest={{openvpn_etcdir}} 
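Review bot: Defaulting `openvpn_server_options` to `[duplicate-cn]` lets several sessions share one client certificate, so a copied certificate and key can be used next to the legitimate client without the collision that would otherwise expose it, and per-client accountability in the status log is lost. A role default should keep the upstream `[]` and leave this as an opt-in listed in the commented example block right below it, e.g. `# - duplicate-cn  # allow one certificate to be used by several concurrent clients`. The `@@ -43,7 +48,8 @@` hunk of the same file comments out `openvpn_use_pam_users: []` while the `Configure PAM users` task in tasks/configure.yml still loops over that variable, so a play that does not set it fails on an undefined variable; keep the empty default.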
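Review bot: The rewritten `openvpn pack clients` handler puts a literal archive password (`$ecured_vpn`) on the `zip` command line, where it shows up in the process list, in Ansible's task output and in any log collector, and Info-ZIP's `--password` uses the legacy ZipCrypto scheme by default, which is not meaningful protection for the client private key the archive contains. At minimum move the value into a vaulted variable and mark the handler `no_log: true`; better, protect the key itself (a PKCS#12 export with a per-client password, as a later commit in this series does) rather than the container. The new `openvpn copy pack clients` handler then fetches the archive to `vpn_keys/` on the controller, so that directory needs restricted permissions and an ignore rule so the key material does not end up in version control.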
@@ -13,38 +11,34 @@ command: "{{openvpn_etcdir}}/build-server.sh" args: { creates: "{{ openvpn_keydir }}" } -- name: Generate Clients keys - command: "{{openvpn_etcdir}}/build-client.sh {{item}}" - args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" } - with_items: openvpn_clients - -- name: Revoke Clients keys +- name: Revoke Clients command: "{{openvpn_etcdir}}/revoke-client.sh {{item}}" args: { removes: "{{ openvpn_keydir }}/{{item}}.crt" } with_items: openvpn_clients_revoke -- name: Create client configuration directory if requested - file: > - path={{openvpn_client_config_dir}} - mode=755 - state=directory - when: openvpn_client_config_dir is defined +- name: Revoke Users + lineinfile: dest=/etc/openvpn/users regexp='^{{item}}:' state=absent + with_items: openvpn_use_pam_users_revoke + tags: rev_user -- name: Check if crl.pem exists - stat: path={{openvpn_keydir}}/crl.pem - register: crl_pem_file +- name: Generate Clients keys + command: "{{openvpn_etcdir}}/build-client.sh {{item}}" + args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" } + with_items: openvpn_clients - name: Generate Clients configurations template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item}}.ovpn with_items: openvpn_clients - notify: openvpn pack clients + notify: + - openvpn pack clients + - openvpn copy pack clients register: openvpn_clients_changed - name: Setup PAM template: src=openvpn.pam.j2 dest=/etc/pam.d/openvpn when: openvpn_use_pam -- name: Configure users +- name: Configure PAM users htpasswd: path={{openvpn_etcdir}}/users name={{item.name}} password={{item.password}} crypt_scheme=des_crypt with_items: openvpn_use_pam_users diff --git a/templates/build-server.sh.j2 b/templates/build-server.sh.j2 index b2440d9..3164de2 100644 --- a/templates/build-server.sh.j2 +++ b/templates/build-server.sh.j2 
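Review bot: The new `Revoke Users` task hard-codes `dest=/etc/openvpn/users` while the `Configure PAM users` task further down writes `{{openvpn_etcdir}}/users`, so a non-default `openvpn_etcdir` makes revocation silently edit a file the PAM setup never reads; use `dest={{openvpn_etcdir}}/users`. The `regexp='^{{item}}:'` is built from the user name unescaped, so a name containing regex metacharacters can match or miss other entries — `regexp='^{{ item | regex_escape() }}:'`. `openvpn_use_pam_users_revoke` has no default anywhere in the role, so the loop fails with an undefined variable unless every inventory defines it; add `openvpn_use_pam_users_revoke: []` to defaults/main.yml.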
@@ -19,6 +19,10 @@ $EASY_RSA/pkitool --initca && \ $EASY_RSA/pkitool --server server && \ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} +# Need to have revoken certificate to activate revoke cheking in the server.conf +$EASY_RSA/pkitool test +{{openvpn_etcdir}}/revoke-client.sh test + {% for client in openvpn_clients %} $EASY_RSA/pkitool {{ client }} -{% endfor %} +{% endfor %} \ No newline at end of file diff --git a/templates/revoke-client.sh.j2 b/templates/revoke-client.sh.j2 index 85e4b86..35a389f 100644 --- a/templates/revoke-client.sh.j2 +++ b/templates/revoke-client.sh.j2 @@ -11,4 +11,6 @@ $EASY_RSA/revoke-full $@ export CLIENT=$1 -rm -rf $KEY_DIR/$CLIENT* +rm -f $KEY_DIR/$CLIENT.* + +cp $KEY_DIR/crl.pem {{openvpn_etcdir}}/ \ No newline at end of file diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 6ecc01e..7661581 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -43,16 +43,6 @@ key {{openvpn_keydir}}/server.key # This file should be kept secret # dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys. dh {{openvpn_keydir}}/dh{{openvpn_key_size}}.pem -# Client configuration directory. -{% if openvpn_client_config_dir is defined -%} -client-config-dir {{ openvpn_client_config_dir }} -{% endif %} - -# Which VPN topology to use? (net30, subnet, p2p) -{% if openvpn_topology is defined -%} -topology {{ openvpn_topology }} -{% endif %} - # Configure server mode and supply a VPN subnet for OpenVPN to draw client # addresses from. The server will take 10.8.0.1 for itself, the rest will be # made available to clients. Each client will be able to reach the server on 
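Review bot: The seeding step creates and immediately revokes a client certificate named `test` purely so that `crl.pem` exists, but a real client listed in `openvpn_clients` under that (quite plausible) name would be revoked at server build time and then fail the `pkitool` loop below. Use a name that cannot collide with a client, e.g. `$EASY_RSA/pkitool __crl_seed` and `{{openvpn_etcdir}}/revoke-client.sh __crl_seed`. The comment has two typos (`revoken`, `cheking`) and could read `# Revoke a throwaway certificate so crl.pem exists and crl-verify in server.conf can be enabled`.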
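Review bot: `cp $KEY_DIR/crl.pem {{openvpn_etcdir}}/` copies the CRL with whatever mode the umask yields and leaves the authoritative file in `$KEY_DIR`, so there are now two CRLs that can drift apart, and the copy's permissions are not controlled at all. The CRL is read on client connections after the daemon has dropped to `openvpn_user`, so the copy must be readable by that user yet writable only by root; `install -m 0644 -o root -g root "$KEY_DIR/crl.pem" "{{openvpn_etcdir}}/crl.pem"` does both in one step. `$KEY_DIR/$CLIENT.*` is also unquoted, so a client name containing spaces or glob characters widens the deletion; `rm -f "$KEY_DIR/$CLIENT".*` keeps the glob but protects the name.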
@@ -109,6 +99,11 @@ verb {{openvpn_verb}} # The maximum number of concurrently connected clients we want to allow. max-clients {{openvpn_max_clients}} +# The revoke-full script will generate a CRL (certificate revocation list). +# all connecting clients will have their client certificates verified against the CRL, +# and any positive match will result in the connection being dropped. +crl-verify crl.pem + # It's a good idea to reduce the OpenVPN daemon's privileges after # initialization. # @@ -129,18 +124,27 @@ client-to-client {% endif %} {% if openvpn_use_pam %} -client-cert-not-required plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn {% endif %} -{% if openvpn_use_ldap %} -plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf" +{% if openvpn_disable_cert %} +client-cert-not-required {% endif %} {% for option in openvpn_server_options %} {{option}} {% endfor %} -{% if openvpn_clients_revoke|length > 0 or crl_pem_file.stat.exists %} -crl-verify {{openvpn_keydir}}/crl.pem -{% endif %} +topology {{ openvpn_topology }} + +{% for net in openvpn_push_nets %} +push "route {{net}}" +{% endfor %} + +{% for dns in openvpn_dns %} +push "dhcp-option DNS {{dns}}" +{% endfor %} + +{% if openvpn_use_ldap %} +plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf" +{% endif %} \ No newline at end of file From 378fef7f76439e4c42e68a5ef7f84dbd4afa3161 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 23 Sep 2015 03:31:30 +0700 Subject: [PATCH 02/18] Sync with upstream --- CONTRIBUTORS | 2 ++ tasks/configure.yml | 21 +++++++++++++++++---- templates/build-server.sh.j2 | 6 +----- templates/revoke-client.sh.j2 | 2 -- templates/server.conf.j2 | 27 +++++++++++++++++---------- 5 files changed, 37 insertions(+), 21 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 5b742e9..b8f9e97 100644 --- a/CONTRIBUTORS 
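Review bot: `crl-verify crl.pem` is now unconditional and relative, so it only works when a file of that name sits in the daemon's working directory (typically `/etc/openvpn` when started by the distribution's init script, elsewhere otherwise) and it exists at all — which this series guarantees only after `build-server.sh` has run its new seeding step, so an existing installation upgraded with this role will start rejecting connections or fail to start. Either keep the `{% if openvpn_clients_revoke|length > 0 or crl_pem_file.stat.exists %}` guard the old block had, or make the path absolute with `crl-verify {{openvpn_etcdir}}/crl.pem` so it no longer depends on the working directory.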
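Review bot: `client-cert-not-required` is emitted whenever `openvpn_disable_cert` is true, independently of `openvpn_use_pam` and `openvpn_use_ldap`, so setting the flag without one of the plugins leaves the server with no client authentication at all. Guard it with the same condition the plugin blocks use, `{% if openvpn_disable_cert and (openvpn_use_pam or openvpn_use_ldap) %}`, and say in defaults/main.yml that the option only makes sense together with username/password authentication; note that `client-cert-not-required` is deprecated in OpenVPN 2.4 in favour of `verify-client-cert none`. `topology {{ openvpn_topology }}` is now unconditional, which is fine with the new default but drops the `is defined` guard that protected users who unset the variable.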
+++ b/CONTRIBUTORS @@ -3,8 +3,10 @@ Contributors: * Kirill Klenov (http://klen.github.io/) * Adam Kunicki (https://github.com/kunickiaj) +* Adham Helal (https://github.com/ahelal) * Jason Bond Pratt (https://github.com/juniorplenty) * Mahmoud Abdelkader (https://github.com/mahmoudimus) +* Marcelo Anton (https://github.com/mbanton) * Michael Frister (https://github.com/meeee) * Thomas Krille (https://github.com/tkrille) * https://github.com/teadur diff --git a/tasks/configure.yml b/tasks/configure.yml index c224124..7e00d65 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,4 +1,6 @@ --- +- name: Ensure openvpn key dir has the right permission + file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}} - name: Extract easy-rsa files unarchive: src=easy-rsa.tar.gz dest={{openvpn_etcdir}} @@ -11,20 +13,31 @@ command: "{{openvpn_etcdir}}/build-server.sh" args: { creates: "{{ openvpn_keydir }}" } +- name: Generate Clients keys + command: "{{openvpn_etcdir}}/build-client.sh {{item}}" + args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" } + with_items: openvpn_clients + - name: Revoke Clients command: "{{openvpn_etcdir}}/revoke-client.sh {{item}}" args: { removes: "{{ openvpn_keydir }}/{{item}}.crt" } with_items: openvpn_clients_revoke +- name: Create client configuration directory if requested + file: > + path={{openvpn_client_config_dir}} + mode=755 + state=directory + when: openvpn_client_config_dir is defined + - name: Revoke Users lineinfile: dest=/etc/openvpn/users regexp='^{{item}}:' state=absent with_items: openvpn_use_pam_users_revoke tags: rev_user -- name: Generate Clients keys - command: "{{openvpn_etcdir}}/build-client.sh {{item}}" - args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" } - with_items: openvpn_clients +- name: Check if crl.pem exists + stat: path={{openvpn_keydir}}/crl.pem + register: crl_pem_file - name: Generate Clients configurations template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item}}.ovpn 
diff --git a/templates/build-server.sh.j2 b/templates/build-server.sh.j2 index 3164de2..b2440d9 100644 --- a/templates/build-server.sh.j2 +++ b/templates/build-server.sh.j2 @@ -19,10 +19,6 @@ $EASY_RSA/pkitool --initca && \ $EASY_RSA/pkitool --server server && \ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} -# Need to have revoken certificate to activate revoke cheking in the server.conf -$EASY_RSA/pkitool test -{{openvpn_etcdir}}/revoke-client.sh test - {% for client in openvpn_clients %} $EASY_RSA/pkitool {{ client }} -{% endfor %} \ No newline at end of file +{% endfor %} diff --git a/templates/revoke-client.sh.j2 b/templates/revoke-client.sh.j2 index 35a389f..f8e1a4d 100644 --- a/templates/revoke-client.sh.j2 +++ b/templates/revoke-client.sh.j2 @@ -12,5 +12,3 @@ $EASY_RSA/revoke-full $@ export CLIENT=$1 rm -f $KEY_DIR/$CLIENT.* - -cp $KEY_DIR/crl.pem {{openvpn_etcdir}}/ \ No newline at end of file diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 7661581..4743804 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -43,6 +43,16 @@ key {{openvpn_keydir}}/server.key # This file should be kept secret # dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys. dh {{openvpn_keydir}}/dh{{openvpn_key_size}}.pem +# Client configuration directory. +{% if openvpn_client_config_dir is defined -%} +client-config-dir {{ openvpn_client_config_dir }} +{% endif %} + +# Which VPN topology to use? (net30, subnet, p2p) +{% if openvpn_topology is defined -%} +topology {{ openvpn_topology }} +{% endif %} + # Configure server mode and supply a VPN subnet for OpenVPN to draw client # addresses from. The server will take 10.8.0.1 for itself, the rest will be # made available to clients. Each client will be able to reach the server on 
@@ -99,11 +109,6 @@ verb {{openvpn_verb}} # The maximum number of concurrently connected clients we want to allow. max-clients {{openvpn_max_clients}} -# The revoke-full script will generate a CRL (certificate revocation list). -# all connecting clients will have their client certificates verified against the CRL, -# and any positive match will result in the connection being dropped. -crl-verify crl.pem - # It's a good idea to reduce the OpenVPN daemon's privileges after # initialization. # @@ -127,6 +132,10 @@ client-to-client plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn {% endif %} +{% if openvpn_use_ldap %} +plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf" +{% endif %} + {% if openvpn_disable_cert %} client-cert-not-required {% endif %} @@ -135,7 +144,9 @@ client-cert-not-required {{option}} {% endfor %} -topology {{ openvpn_topology }} +{% if openvpn_clients_revoke|length > 0 or crl_pem_file.stat.exists %} +crl-verify {{openvpn_keydir}}/crl.pem +{% endif %} {% for net in openvpn_push_nets %} push "route {{net}}" @@ -144,7 +155,3 @@ push "route {{net}}" {% for dns in openvpn_dns %} push "dhcp-option DNS {{dns}}" {% endfor %} - -{% if openvpn_use_ldap %} -plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf" -{% endif %} \ No newline at end of file From efb3b73f3e8896ee7fdde8547492aca51990611c Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 23 Sep 2015 03:34:14 +0700 Subject: [PATCH 03/18] Sync with upstream2 --- .bumpversion.cfg | 2 +- defaults/main.yml | 2 +- handlers/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index d539a30..b23d528 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,6 +1,6 @@ [bumpversion] commit = True -current_version = 2.0.2 +current_version = 2.0.5 tag = True tag_name = {new_version} 
diff --git a/defaults/main.yml b/defaults/main.yml index 6bba82f..5724f73 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -49,7 +49,7 @@ openvpn_clients_revoke: [] # Revoke clients certificates # Use PAM authentication openvpn_use_pam: yes openvpn_disable_cert: no -#openvpn_use_pam_users: [] # If empty use system users +openvpn_use_pam_users: [] # If empty use system users # otherwise use users from the option # openvpn_use_pam_users: # - { name: user, password: password } diff --git a/handlers/main.yml b/handlers/main.yml index 92c89b6..d60a524 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -11,4 +11,4 @@ - name: openvpn copy pack clients fetch: src={{openvpn_keydir}}/{{item.item}}.zip dest=vpn_keys/{{item.item}}.zip flat=yes when: item.changed - with_items: openvpn_clients_changed.results \ No newline at end of file + with_items: openvpn_clients_changed.results From a44737bcc424c30a839e38c5f4074327c5181caa Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 23 Sep 2015 04:02:22 +0700 Subject: [PATCH 04/18] Add zip install for easier pack --- defaults/main.yml | 1 + handlers/main.yml | 2 +- tasks/install.deb.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5724f73..8b7112a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,6 +4,7 @@ openvpn_enabled: yes # The role is enabled openvpn_etcdir: /etc/openvpn openvpn_keydir: "{{openvpn_etcdir}}/keys" +openvpn_pack_pass: "$ecured_vpn" # Default settings (See OpenVPN documentation) openvpn_host: "{{inventory_hostname}}" # The server address diff --git a/handlers/main.yml b/handlers/main.yml index d60a524..5da8c91 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
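Review bot: `openvpn_pack_pass: "$ecured_vpn"` ships a real-looking default password in a file every consumer of the role inherits and that is committed to version control, and the handlers/main.yml hunk of this commit passes it on the `zip` command line, where it appears in `ps` output and in Ansible's task log. Make the default empty so a missing value fails loudly instead of silently falling back to a published secret, `openvpn_pack_pass: ""  # supply from a vaulted variable`, and add `no_log: true` to the handler that uses it.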
@@ -4,7 +4,7 @@ service: name=openvpn state=restarted - name: openvpn pack clients - command: zip -j --password $ecured_vpn {{openvpn_keydir}}/{{item.item}} {{openvpn_keydir}}/{{item.item}}.crt {{openvpn_keydir}}/{{item.item}}.ovpn {{openvpn_keydir}}/{{item.item}}.key {{openvpn_keydir}}/ca.crt + command: zip -j --password {{ openvpn_pack_pass }} {{openvpn_keydir}}/{{item.item}} {{openvpn_keydir}}/{{item.item}}.crt {{openvpn_keydir}}/{{item.item}}.ovpn {{openvpn_keydir}}/{{item.item}}.key {{openvpn_keydir}}/ca.crt when: item.changed with_items: openvpn_clients_changed.results diff --git a/tasks/install.deb.yml b/tasks/install.deb.yml index b569199..0a750a7 100644 --- a/tasks/install.deb.yml +++ b/tasks/install.deb.yml @@ -2,7 +2,7 @@ - name: Install requirements (Debian) apt: name={{item}} - with_items: [openvpn, udev, openssl] + with_items: [openvpn, udev, openssl, zip] - name: Install dependencies (Debian) apt: name={{item}} From 9beb0c3fbfdebbc30bb25f23be713334e27c8053 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 30 Sep 2015 05:26:54 +0700 Subject: [PATCH 05/18] Certificates now are password protected. Client configuration allows to use Windows Certificate System Store --- defaults/main.yml | 4 ++-- handlers/main.yml | 8 ++++---- tasks/configure.yml | 36 +++++++++++++++++++++++++----------- templates/build-server.sh.j2 | 2 +- templates/client.conf.j2 | 3 +-- 5 files changed, 33 insertions(+), 20 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b7112a..267a081 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,7 +4,7 @@ openvpn_enabled: yes # The role is enabled openvpn_etcdir: /etc/openvpn openvpn_keydir: "{{openvpn_etcdir}}/keys" -openvpn_pack_pass: "$ecured_vpn" +openvpn_cert_pass: "$ecured_vpn" # Default settings (See OpenVPN documentation) openvpn_host: "{{inventory_hostname}}" # The server address 
@@ -48,7 +48,7 @@ openvpn_clients: [client] # Make clients certificate openvpn_clients_revoke: [] # Revoke clients certificates # Use PAM authentication -openvpn_use_pam: yes +openvpn_use_pam: no openvpn_disable_cert: no openvpn_use_pam_users: [] # If empty use system users # otherwise use users from the option diff --git a/handlers/main.yml b/handlers/main.yml index 5da8c91..e4421f2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,11 +4,11 @@ service: name=openvpn state=restarted - name: openvpn pack clients - command: zip -j --password {{ openvpn_pack_pass }} {{openvpn_keydir}}/{{item.item}} {{openvpn_keydir}}/{{item.item}}.crt {{openvpn_keydir}}/{{item.item}}.ovpn {{openvpn_keydir}}/{{item.item}}.key {{openvpn_keydir}}/ca.crt + command: zip -j {{openvpn_keydir}}/{{item.item.name}} {{openvpn_keydir}}/{{item.item.name}}.p12 {{openvpn_keydir}}/{{item.item.name}}.ovpn {{openvpn_keydir}}/ca.crt when: item.changed - with_items: openvpn_clients_changed.results + with_items: pfx.results - name: openvpn copy pack clients - fetch: src={{openvpn_keydir}}/{{item.item}}.zip dest=vpn_keys/{{item.item}}.zip flat=yes + fetch: src={{openvpn_keydir}}/{{item.item.name}}.zip dest=vpn_keys/{{item.item.name}}.zip flat=yes when: item.changed - with_items: openvpn_clients_changed.results + with_items: pfx.results diff --git a/tasks/configure.yml b/tasks/configure.yml index 7e00d65..465d4a0 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,4 @@ --- -- name: Ensure openvpn key dir has the right permission - file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}} - name: Extract easy-rsa files unarchive: src=easy-rsa.tar.gz dest={{openvpn_etcdir}} 
@@ -11,12 +9,31 @@ - name: Generate Server keys command: "{{openvpn_etcdir}}/build-server.sh" - args: { creates: "{{ openvpn_keydir }}" } + args: { creates: "{{ openvpn_keydir }}/server.key" } + notify: [openvpn restart] - name: Generate Clients keys - command: "{{openvpn_etcdir}}/build-client.sh {{item}}" - args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" } + command: "{{openvpn_etcdir}}/build-client.sh {{item.name}}" + args: { creates: "{{ openvpn_keydir }}/{{item.name}}.crt" } + with_items: openvpn_clients + +- name: Convert Clients cert/key to p12 + command: "openssl pkcs12 -export -out {{openvpn_keydir}}/{{item.name}}.p12 -inkey {{openvpn_keydir}}/{{item.name}}.key -in {{openvpn_keydir}}/{{item.name}}.crt -certfile {{openvpn_keydir}}/ca.crt -password pass:{{item.password}}" + args: { creates: "{{ openvpn_keydir }}/{{item.name}}.p12" } with_items: openvpn_clients + notify: + - openvpn pack clients + - openvpn copy pack clients + register: pfx + +- name: Ensure openvpn key dir has the right permission + file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}} + +- name: Get client certificate fingerprint + shell: "openssl pkcs12 -in {{openvpn_keydir}}/{{item.item.name}}.p12 -nodes -passin pass:{{item.item.password}} | openssl x509 -noout -fingerprint | cut -d= -f2 | sed 's/:/ /g'" + with_items: pfx.results + when: item.changed + register: cert_fp - name: Revoke Clients command: "{{openvpn_etcdir}}/revoke-client.sh {{item}}" @@ -40,12 +57,9 @@ register: crl_pem_file - name: Generate Clients configurations - template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item}}.ovpn - with_items: openvpn_clients - notify: - - openvpn pack clients - - openvpn copy pack clients - register: openvpn_clients_changed + template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item.item.item.name}}.ovpn + with_items: cert_fp.results + when: item.changed - name: Setup PAM template: src=openvpn.pam.j2 dest=/etc/pam.d/openvpn 
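Review bot: Both new openssl invocations put the client password on the command line (`-password pass:{{item.password}}` and `-passin pass:{{item.item.password}}`), and because the tasks `register:` their results the full command line, password included, is also stored in `pfx`/`cert_fp` and printed in verbose runs; add `no_log: true` to both tasks, or hand the secret over through the environment (`environment: { P12_PASS: "{{ item.password }}" }` with `-password env:P12_PASS`). The loop now expects `openvpn_clients` to be a list of `{name, password}` mappings, but the default visible in this commit's defaults hunk is still `openvpn_clients: [client]`, a list of strings, so a default run fails on `item.name`. `Ensure openvpn key dir has the right permission` has been moved to after the keys and `.p12` files are written, so they briefly sit in a directory with whatever mode build-server.sh gave it; keeping that task before `Generate Server keys` closes the window.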
diff --git a/templates/build-server.sh.j2 b/templates/build-server.sh.j2
index b2440d9..6789b24 100644
--- a/templates/build-server.sh.j2
+++ b/templates/build-server.sh.j2
@@ -20,5 +20,5 @@ $EASY_RSA/pkitool --server server && \
 $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 
 {% for client in openvpn_clients %}
-$EASY_RSA/pkitool {{ client }}
+$EASY_RSA/pkitool {{ client.name }}
 {% endfor %}
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
index 14fe1da..70ac0e5 100644
--- a/templates/client.conf.j2
+++ b/templates/client.conf.j2
@@ -36,8 +36,7 @@ persist-tun
 # use a separate .crt/.key file pair for each client. A single ca file can be
 # used for all clients.
 ca ca.crt
-cert {{client}}.crt
-key {{client}}.key
+cryptoapicert "THUMB:{{ item.stdout }}"
 
 # Verify server certificate by checking that the certicate has the nsCertType
 # field set to "server". This is an important precaution to protect against a
From 68b4c256ef82a94b22ca00ae7ca4671e296cf496 Mon Sep 17 00:00:00 2001
From: fitz123
Date: Tue, 13 Oct 2015 15:44:51 +0700
Subject: [PATCH 06/18] config defaults moving out of role

---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 267a081..55e3b2f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,7 +4,7 @@ openvpn_enabled: yes # The role is enabled
 openvpn_etcdir: /etc/openvpn
 openvpn_keydir: "{{openvpn_etcdir}}/keys"
-openvpn_cert_pass: "$ecured_vpn"
+openvpn_cert_pass: ""
 
 # Default settings (See OpenVPN documentation)
 openvpn_host: "{{inventory_hostname}}" # The server address
 
@@ -28,7 +28,7 @@ openvpn_user: nobody
 openvpn_group: nogroup
 openvpn_resolv_retry: infinite
 openvpn_client_to_client: yes
-openvpn_server_options: [duplicate-cn] # Additional server options
+openvpn_server_options: [] # Additional server options
 # openvpn_server_options:
 # - dev-node MyTap
 # - client-to-client
From f80f93597248ab6ab27568de171e3ad31d67f527 Mon Sep 17 00:00:00 2001
From: fitz123
Date: Tue, 13 Oct 2015 15:48:58 +0700
Subject: [PATCH 07/18] config defaults moving out of role

---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 55e3b2f..c372254 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,7 +28,7 @@ openvpn_user: nobody
 openvpn_group: nogroup
 openvpn_resolv_retry: infinite
 openvpn_client_to_client: yes
-openvpn_server_options: [] # Additional server options
+openvpn_server_options: [] # Additional server options
 # openvpn_server_options:
 # - dev-node MyTap
 # - client-to-client
From 12ad01756d34025b331729fbb9e5101d957d6a10 Mon Sep 17 00:00:00 2001
From: fitz123
Date: Sat, 31 Oct 2015 07:55:06 +0700
Subject: [PATCH 08/18] fix crt.pem permissions after client revoke

---
 tasks/configure.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tasks/configure.yml b/tasks/configure.yml
index 465d4a0..2ac6cfb 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -56,6 +56,10 @@
   stat: path={{openvpn_keydir}}/crl.pem
   register: crl_pem_file
 
+- name: Check crl.pem ACL
+  file: path={{openvpn_keydir}}/crl.pem
+        owner={{ openvpn_user }} mode=400
+
 - name: Generate Clients configurations
   template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item.item.item.name}}.ovpn
   with_items: cert_fp.results
From b09e498786ab05b1242a1b75e6b98799f503cec8 Mon Sep 17 00:00:00 2001
From: fitz123
Date: Mon, 23 Nov 2015 04:05:28 +0700
Subject: [PATCH 09/18] integrated option not to generate keys but move from another server

---
 defaults/main.yml | 1 +
 tasks/configure.yml | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index c372254..fdc5d08 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
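Review bot: `Check crl.pem ACL` hands ownership of the revocation list to `openvpn_user` (`nobody` by default), the very account the daemon drops to; a file's owner can always chmod and rewrite it, so a compromised daemon could empty the CRL and un-revoke certificates. Keep the file root-owned and merely readable by the service user: `file: path={{openvpn_keydir}}/crl.pem owner=root group={{ openvpn_group }} mode=0640`. The task also fails on a fresh host where nothing has been revoked yet, because `crl.pem` does not exist; gate it on the `crl_pem_file` stat registered just above with `when: crl_pem_file.stat.exists`.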
@@ -1,6 +1,7 @@ --- openvpn_enabled: yes # The role is enabled +openvpn_generate_keys: no openvpn_etcdir: /etc/openvpn openvpn_keydir: "{{openvpn_etcdir}}/keys" diff --git a/tasks/configure.yml b/tasks/configure.yml index 2ac6cfb..218d77a 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -11,11 +11,13 @@ command: "{{openvpn_etcdir}}/build-server.sh" args: { creates: "{{ openvpn_keydir }}/server.key" } notify: [openvpn restart] + when: openvpn_generate_keys - name: Generate Clients keys command: "{{openvpn_etcdir}}/build-client.sh {{item.name}}" args: { creates: "{{ openvpn_keydir }}/{{item.name}}.crt" } with_items: openvpn_clients + when: openvpn_generate_keys - name: Convert Clients cert/key to p12 command: "openssl pkcs12 -export -out {{openvpn_keydir}}/{{item.name}}.p12 -inkey {{openvpn_keydir}}/{{item.name}}.key -in {{openvpn_keydir}}/{{item.name}}.crt -certfile {{openvpn_keydir}}/ca.crt -password pass:{{item.password}}" @@ -25,14 +27,22 @@ - openvpn pack clients - openvpn copy pack clients register: pfx + when: openvpn_generate_keys - name: Ensure openvpn key dir has the right permission file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}} +- name: Server keys and certs are copied + copy: src="../../../../../../VPN keys/server/{{ item }}" + dest={{openvpn_keydir}}/{{ item }} + owner=root group=root mode=0600 + with_items: [ "ca.crt","server.crt","server.key","dh1024.pem" ] + when: not openvpn_generate_keys + - name: Get client certificate fingerprint shell: "openssl pkcs12 -in {{openvpn_keydir}}/{{item.item.name}}.p12 -nodes -passin pass:{{item.item.password}} | openssl x509 -noout -fingerprint | cut -d= -f2 | sed 's/:/ /g'" with_items: pfx.results - when: item.changed + when: item.changed and openvpn_generate_keys register: cert_fp - name: Revoke Clients 
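Review bot: `Server keys and certs are copied` hard-codes `dh1024.pem` while server.conf.j2 points at `dh{{openvpn_key_size}}.pem`, so any key size other than 1024 leaves the server without its DH file, and 1024-bit DH is below current guidance anyway; use `"dh{{ openvpn_key_size }}.pem"` in the list. The `src` climbs six directory levels out of the role (`../../../../../../VPN keys/server/`), which ties the role to one checkout layout and keeps the server's private key next to the playbooks; prefer a variable such as `openvpn_server_keys_src` supplied by the inventory, pointing at a location outside version control. When `openvpn_generate_keys` is false the `Convert Clients cert/key to p12` task is skipped, and whether a skipped loop still registers a `pfx.results` list for `Get client certificate fingerprint` to iterate depends on the Ansible version — `with_items: "{{ pfx.results | default([]) }}"` makes it safe either way.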
@@ -59,11 +69,12 @@ - name: Check crl.pem ACL file: path={{openvpn_keydir}}/crl.pem owner={{ openvpn_user }} mode=400 + when: crl_pem_file.stat.exists - name: Generate Clients configurations template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item.item.item.name}}.ovpn with_items: cert_fp.results - when: item.changed + when: item.changed and openvpn_generate_keys - name: Setup PAM template: src=openvpn.pam.j2 dest=/etc/pam.d/openvpn From c439140766d27864690b5f90e7ca09d8e6628e88 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 8 Feb 2016 17:44:51 +0700 Subject: [PATCH 10/18] server config updates --- defaults/main.yml | 5 +++-- tasks/configure.yml | 7 +++++++ templates/server.conf.j2 | 23 +++++++++++++++++++---- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fdc5d08..dc08e99 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,8 +13,8 @@ openvpn_port: 1194 openvpn_proto: udp openvpn_dev: tun openvpn_server: 10.8.0.0 255.255.255.0 # Set empty for skip -openvpn_push_nets: [] -openvpn_dns: [] +#openvpn_push_nets: [] +#openvpn_dns: [] openvpn_topology: subnet # Recommended topology but # brake compatibility with old Windows # net30 - legacy topology @@ -23,6 +23,7 @@ openvpn_log: /var/log/openvpn.log # Log's directory openvpn_keepalive: "10 120" openvpn_ifconfig_pool_persist: ipp.txt openvpn_comp_lzo: yes # Enable compression +openvpn_float: yes # Allow remote peer to change its IP address and/or port number openvpn_status: openvpn-status.log openvpn_verb: 3 openvpn_user: nobody diff --git a/tasks/configure.yml b/tasks/configure.yml index 218d77a..8b38aed 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -91,3 +91,10 @@ - name: Configure server template: src=server.conf.j2 dest={{openvpn_etcdir}}/server.conf notify: [openvpn restart] + +- name: UFW allow limited OpenVPN + ufw: rule=limit port=openvpn + tags: + - ufw + - openvpn + - ufw_openvpn \ No newline at end of file 
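Review bot: `ufw: rule=limit port=openvpn` resolves the port by service name, so it opens 1194 regardless of `openvpn_port`, and without `proto=` it admits both TCP and UDP; tie it to the role's own settings, `ufw: rule=limit port={{ openvpn_port }} proto={{ openvpn_proto }}`. The task also runs unconditionally, including on hosts that do not use ufw, so it should carry a `when:` on an opt-in flag (e.g. `openvpn_manage_ufw`) like the role's other optional tasks. The hunk drops the file's trailing newline.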
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 4743804..53582b2 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -128,6 +128,10 @@ group nogroup client-to-client {% endif %} +{% if openvpn_float %} +float +{% endif %} + {% if openvpn_use_pam %} plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn {% endif %} @@ -148,10 +152,21 @@ client-cert-not-required crl-verify {{openvpn_keydir}}/crl.pem {% endif %} -{% for net in openvpn_push_nets %} -push "route {{net}}" +{% for key, value in interfaces.iteritems() | sort %} +{% if key != 'eth1' %} +#push "route {{ value.ip4_address | ipaddr('network') }} {{ value.ip4_address | ipaddr('netmask') }}" +{% endif %} {% endfor %} +{% for network in dc_networks %} +push "route {{ network | ipaddr('network') }} {{ network | ipaddr('netmask') }}" +{% endfor %} +# route traffic to ELK server +push "route 183.90.170.94 255.255.255.255" -{% for dns in openvpn_dns %} -push "dhcp-option DNS {{dns}}" +{% for item in dns_servers_consul %} +push "dhcp-option DNS {{ item }}" {% endfor %} + +push "dhcp-option SEARCH {{ domain }}" +push "dhcp-option SEARCH consul" +push "dhcp-option DOMAIN consul" From f70854a5fae6859bee1f2b6ecb45af9b079eb944 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 30 Apr 2016 01:35:47 +0700 Subject: [PATCH 11/18] datacenter added to dhcp SEARCH options --- templates/server.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 53582b2..226b45b 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -168,5 +168,6 @@ push "dhcp-option DNS {{ item }}" {% endfor %} push "dhcp-option SEARCH {{ domain }}" +push "dhcp-option SEARCH {{ dc }}.{{ domain }}" push "dhcp-option SEARCH consul" push "dhcp-option DOMAIN consul" From 9b368621c6ef0e248b83c88639400746527b1e64 Mon Sep 17 00:00:00 2001 
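Review bot: The generic `openvpn_push_nets`/`openvpn_dns` loops are replaced by references to `interfaces`, `dc_networks`, `dns_servers_consul` and `domain`, none of which the role defines, plus a literal host route `push "route 183.90.170.94 255.255.255.255"`; rendering the template on any host that lacks those inventory variables now fails, and the ELK address cannot change without editing the role. Keep site-specific pushes behind role variables (`openvpn_push_nets`, `openvpn_dns`, and a generic `openvpn_push_options` list) with `| default([])` so the environment supplies values. `interfaces.iteritems()` is a Python 2-only method, so the template stops rendering once Ansible runs on Python 3; use `interfaces.items()`.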
From: fitz123
Date: Tue, 10 May 2016 21:41:19 +0700
Subject: [PATCH 12/18] trying to push multiple searches

---
 templates/server.conf.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 226b45b..830c7e3 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -167,7 +167,9 @@ push "route 183.90.170.94 255.255.255.255"
 push "dhcp-option DNS {{ item }}"
 {% endfor %}
 
+push "dhcp-option DOMAIN cs.consul"
 push "dhcp-option SEARCH {{ domain }}"
-push "dhcp-option SEARCH {{ dc }}.{{ domain }}"
 push "dhcp-option SEARCH consul"
-push "dhcp-option DOMAIN consul"
+push "dhcp-option SEARCH cs.consul"
+push "dhcp-option SEARCH node.cs.consul"
+push "dhcp-option SEARCH service.cs.consul"
From 9dbfba78e2092645212d03e5107f703cb0988026 Mon Sep 17 00:00:00 2001
From: fitz123
Date: Mon, 16 May 2016 22:00:06 +0700
Subject: [PATCH 13/18] openvpn | change keepalived timeouts to die faster

---
 defaults/main.yml | 2 +-
 templates/server.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index dc08e99..28dd3e6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,7 +20,7 @@ openvpn_topology: subnet # Recommended topology but
                          # net30 - legacy topology
 openvpn_max_clients: 100
 openvpn_log: /var/log/openvpn.log # Log's directory
-openvpn_keepalive: "10 120"
+openvpn_keepalive: "10 30"
 openvpn_ifconfig_pool_persist: ipp.txt
 openvpn_comp_lzo: yes # Enable compression
 openvpn_float: yes # Allow remote peer to change its IP address and/or port number
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 830c7e3..b57a4b5 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -72,7 +72,7 @@ ifconfig-pool-persist {{openvpn_ifconfig_pool_persist}} # The keepalive directive causes ping-like messages to be sent back and forth # over the link so that each side knows when the other side has gone down. Ping # every 10 seconds, assume that remote peer is down if no ping received during -# a 120 second time period. +# a 30 second time period. keepalive {{ openvpn_keepalive }} # Enable compression on the VPN link. If you enable it here, you must also From 52741d0e13f73cc52c8224e64353171ade607c33 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Fri, 17 Jun 2016 08:00:10 +0700 Subject: [PATCH 14/18] openvpn | new DNS address for clients --- templates/server.conf.j2 | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index b57a4b5..b539122 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -160,12 +160,11 @@ crl-verify {{openvpn_keydir}}/crl.pem {% for network in dc_networks %} push "route {{ network | ipaddr('network') }} {{ network | ipaddr('netmask') }}" {% endfor %} -# route traffic to ELK server -push "route 183.90.170.94 255.255.255.255" -{% for item in dns_servers_consul %} -push "dhcp-option DNS {{ item }}" -{% endfor %} +#{% for item in dns_servers_consul %} +#push "dhcp-option DNS {{ item }}" +#{% endfor %} +push "dhcp-option DNS 10.1.3.10" push "dhcp-option DOMAIN cs.consul" push "dhcp-option SEARCH {{ domain }}" From b995fcf8c44f62eb55ea3c81e0b36064d7f1153d Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sun, 19 Jun 2016 03:45:18 +0700 Subject: [PATCH 15/18] openvpn | fixed DNS option in server config --- templates/server.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index b539122..07a65dd 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 
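Review bot: `push "dhcp-option DNS 10.1.3.10"` hard-codes a single resolver into the template, so every client of every deployment of this role is now pointed at one private address that cannot be changed from inventory and has no secondary to fall back on; make it a role variable (the previously removed `openvpn_dns` list existed for exactly this) and push each entry from a loop such as `{% for dns in openvpn_dns %}` / `push "dhcp-option DNS {{ dns }}"` / `{% endfor %}`. Putting `#` in front of `{% for item in dns_servers_consul %}` and `{% endfor %}` does not disable the loop — Jinja still runs it, `dns_servers_consul` must still be defined, and the emitted text just gains stray `#` characters — so either delete the block or keep the tags uncommented. If the Consul resolvers are meant to remain reachable, list them after `10.1.3.10` rather than commenting them out.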
@@ -161,9 +161,9 @@ crl-verify {{openvpn_keydir}}/crl.pem push "route {{ network | ipaddr('network') }} {{ network | ipaddr('netmask') }}" {% endfor %} -#{% for item in dns_servers_consul %} +{% for item in dns_servers_consul %} #push "dhcp-option DNS {{ item }}" -#{% endfor %} +{% endfor %} push "dhcp-option DNS 10.1.3.10" push "dhcp-option DOMAIN cs.consul" From e00c3395bab803aff85e866910f6745d62c48ffe Mon Sep 17 00:00:00 2001 From: fitz123 Date: Fri, 1 Jul 2016 17:58:02 +0700 Subject: [PATCH 16/18] ovenvpn | add comments for Linux ovpn compatibility: resolvconf and certificate --- templates/client.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/templates/client.conf.j2 b/templates/client.conf.j2 index 70ac0e5..826f44c 100644 --- a/templates/client.conf.j2 +++ b/templates/client.conf.j2 @@ -36,6 +36,9 @@ persist-tun # use a separate .crt/.key file pair for each client. A single ca file can be # used for all clients. ca ca.crt +# It works cool for Windows certificate store +# For Linux need to use this: +# pkcs12 certname.p12 cryptoapicert "THUMB:{{ item.stdout }}" # Verify server certificate by checking that the certicate has the nsCertType @@ -65,3 +68,10 @@ auth-user-pass {% for option in openvpn_client_options %} {{option}} {% endfor %} + +# This updates the resolvconf with dns settings +# uncomment it for Linux clients +#script-security 2 +#setenv PATH /usr/bin +#up /etc/openvpn/update-resolv-conf +#down /etc/openvpn/update-resolv-conf From c33e539f09d1dea055039b01e116dc35a86c071b Mon Sep 17 00:00:00 2001 From: fitz123 Date: Tue, 19 Jul 2016 20:51:24 +0700 Subject: [PATCH 17/18] openvpn | tcp by default (looks way better if high latency) --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 28dd3e6..4d3706a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
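Review bot: The Linux instructions appended to the client template rely on each user hand-editing the rendered `.ovpn`, while the template already iterates `openvpn_client_options` a few lines above; deliver these lines per client from inventory instead, e.g. `openvpn_client_options: ['script-security 2', 'up /etc/openvpn/update-resolv-conf', 'down /etc/openvpn/update-resolv-conf']`, so the shipped config stays free of commented-out directives. The comment should also say why `script-security 2` is the value — it is the lowest level that lets OpenVPN execute the `up`/`down` hooks — so users do not raise it further than needed, e.g. `# script-security 2 is required for the up/down hooks below; do not use 3`. I cannot see from the diff whether `setenv PATH /usr/bin` is needed by the hook script; confirm on a Linux client before documenting it as required.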
@@ -10,7 +10,7 @@ openvpn_cert_pass: "" # Default settings (See OpenVPN documentation) openvpn_host: "{{inventory_hostname}}" # The server address openvpn_port: 1194 -openvpn_proto: udp +openvpn_proto: tcp openvpn_dev: tun openvpn_server: 10.8.0.0 255.255.255.0 # Set empty for skip #openvpn_push_nets: [] From 4fa522f68599dec268b54c051e58fb3fb0bfd177 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 10 Oct 2016 10:19:45 +0300 Subject: [PATCH 18/18] some minors --- templates/server.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 07a65dd..90f7422 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -43,8 +43,8 @@ key {{openvpn_keydir}}/server.key # This file should be kept secret # dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys. dh {{openvpn_keydir}}/dh{{openvpn_key_size}}.pem -# Client configuration directory. {% if openvpn_client_config_dir is defined -%} +# Client configuration directory. client-config-dir {{ openvpn_client_config_dir }} {% endif %}
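Review bot: Flipping the role default from `openvpn_proto: udp` to `tcp` changes behaviour for every consumer that relies on defaults, and carrying TCP sessions inside a TCP tunnel is known to degrade badly under packet loss (the TCP-over-TCP meltdown problem), so a latency observation on one link is a weak basis for a global default. Keep `udp` as the default, set `tcp` per host or group in inventory, and add `# udp is the OpenVPN-recommended default; override per host where TCP is required (e.g. restrictive firewalls)`. Note that `openvpn_float` (enabled by default in this role) only has an effect for UDP, and that generated client configs must carry a matching `proto` — check that client.conf.j2 renders `openvpn_proto` rather than a literal.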