Remove an obsolete template. Disable the tcp syn cookies. Move the status file in the correct place.
This commit is contained in:
parent
3d6ed788a2
commit
ae1b190337
|
|
@ -1,6 +1,8 @@
|
|||
---
|
||||
openvpn_enabled: True
|
||||
openvpn_enable_system_forward: True
|
||||
# Only set when the protocol is tcp, anyway
|
||||
openvpn_disable_tcp_syn_cookie: True
|
||||
openvpn_management_enabled: False
|
||||
openvpn_management_ip: 127.0.0.1
|
||||
openvpn_management_port: 1195
|
||||
|
|
@ -35,6 +37,7 @@ openvpn_mode: server
|
|||
openvpn_dev: tun
|
||||
openvpn_port: 1194
|
||||
openvpn_protocol: udp
|
||||
openvpn_status_dir: '/run/openvpn'
|
||||
openvpn_server_net: '192.168.254.0 255.255.255.0'
|
||||
#openvpn_push_routes: []
|
||||
# - '192.168.253.0 255.255.255.0'
|
||||
|
|
|
|||
|
|
@ -123,6 +123,17 @@
|
|||
- not openvpn_is_master_host | bool
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
|
||||
|
||||
- block:
|
||||
- name: Ensure that the OpenVPN service is enabled and running
|
||||
service: name=openvpn state=started enabled=yes
|
||||
when: openvpn_enabled | bool
|
||||
|
||||
- name: Ensure that the OpenVPN service is stopped and disabled
|
||||
service: name=openvpn state=stopped enabled=no
|
||||
when: not openvpn_enabled | bool
|
||||
|
||||
tags: [ 'openvpn', 'openvpn_service' ]
|
||||
|
||||
- block:
|
||||
- name: Enable kernel forwarding
|
||||
sysctl: name={{ item }} value=1 reload=yes state=present
|
||||
|
|
@ -139,14 +150,23 @@
|
|||
- net.ipv4.ip_forward
|
||||
# - net.ipv6.conf.all.forwarding
|
||||
when: not openvpn_enable_system_forward
|
||||
tags: [ 'openvpn', 'openvpn_kernel_forwarding' ]
|
||||
|
||||
- name: Ensure that the OpenVPN service is enabled and running
|
||||
service: name=openvpn state=started enabled=yes
|
||||
when: openvpn_enabled | bool
|
||||
- block:
|
||||
- name: Disable tcp syn cookies
|
||||
sysctl: name={{ item }} value=0 reload=yes state=present
|
||||
with_items:
|
||||
- net.ipv4.tcp_syncookies
|
||||
when:
|
||||
- openvpn_disable_tcp_syn_cookie | bool
|
||||
- openvpn_protocol == 'tcp'
|
||||
|
||||
- name: Ensure that the OpenVPN service is stopped and disabled
|
||||
service: name=openvpn state=stopped enabled=no
|
||||
when: not openvpn_enabled | bool
|
||||
- name: Enable tcp syn cookies
|
||||
sysctl: name={{ item }} value=1 reload=yes state=present
|
||||
with_items:
|
||||
- net.ipv4.tcp_syncookies
|
||||
when:
|
||||
- not openvpn_disable_tcp_syn_cookie | bool or openvpn_protocol == 'udp'
|
||||
|
||||
tags: openvpn
|
||||
tags: [ 'openvpn', 'openvpn_kernel_syn_cookies' ]
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ tls-auth {{ openvpn_tls_auth }} 1
|
|||
key-direction 1
|
||||
cipher AES-256-CBC
|
||||
keepalive {{ openvpn_keepalive }}
|
||||
status {{ openvpn_status_dir }}/openvpn-status.log
|
||||
# Set log file verbosity.
|
||||
verb {{ openvpn_verbosity_log }}
|
||||
# Silence repeating messages
|
||||
|
|
|
|||
|
|
@ -1,126 +0,0 @@
|
|||
mode {{ openvpn_mode }}
|
||||
dev {{ openvpn_dev }}
|
||||
|
||||
port {{ openvpn_port }}
|
||||
proto {{ openvpn_protocol }}
|
||||
|
||||
{% if openvpn_tls_server %}
|
||||
tls-server
|
||||
{% endif %}
|
||||
|
||||
dh {{ openvpn_dh }}
|
||||
ca {{ openvpn_ca }}
|
||||
cert {{ openvpn_cert }}
|
||||
key {{ openvpn_key }}
|
||||
|
||||
topology subnet
|
||||
|
||||
server {{ openvpn_server_net }}
|
||||
|
||||
ifconfig-pool-persist ipp/ipp.txt
|
||||
|
||||
client-config-dir ccd
|
||||
# EXAMPLE: Suppose the client
|
||||
# having the certificate common name "Thelonious"
|
||||
# also has a small subnet behind his connecting
|
||||
# machine, such as 192.168.40.128/255.255.255.248.
|
||||
# First, uncomment out these lines:
|
||||
;client-config-dir ccd
|
||||
;route 192.168.40.128 255.255.255.248
|
||||
# Then create a file ccd/Thelonious with this line:
|
||||
# iroute 192.168.40.128 255.255.255.248
|
||||
# This will allow Thelonious' private subnet to
|
||||
# access the VPN. This example will only work
|
||||
# if you are routing, not bridging, i.e. you are
|
||||
# using "dev tun" and "server" directives.
|
||||
|
||||
# EXAMPLE: Suppose you want to give
|
||||
# Thelonious a fixed VPN IP address of 10.9.0.1.
|
||||
# First uncomment out these lines:
|
||||
;client-config-dir ccd
|
||||
;route 10.9.0.0 255.255.255.252
|
||||
# Then add this line to ccd/Thelonious:
|
||||
# ifconfig-push 10.9.0.1 10.9.0.2
|
||||
|
||||
# Suppose that you want to enable different
|
||||
# firewall access policies for different groups
|
||||
# of clients. There are two methods:
|
||||
# (1) Run multiple OpenVPN daemons, one for each
|
||||
# group, and firewall the TUN/TAP interface
|
||||
# for each group/daemon appropriately.
|
||||
# (2) (Advanced) Create a script to dynamically
|
||||
# modify the firewall in response to access
|
||||
# from different clients. See man
|
||||
# page for more info on learn-address script.
|
||||
;learn-address ./script
|
||||
|
||||
{% for route in openvpn_push_routes %}
|
||||
push "route {{ route }}"
|
||||
{% endfor %}
|
||||
|
||||
{% for route in openvpn_push_routes %}
|
||||
push "route {{ route }}"
|
||||
{% endfor %}
|
||||
|
||||
{% if openvpn_push_settings is defined %}
|
||||
{% for dhcp_opt in openvpn_push_settings %}
|
||||
push "{{ dhcp_opt }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
tls-auth {{ openvpn_tls_auth }}
|
||||
|
||||
# Select a cryptographic cipher.
|
||||
# This config item must be copied to
|
||||
# the client config file as well.
|
||||
# Note that v2.4 client/server will automatically
|
||||
# negotiate AES-256-GCM in TLS mode.
|
||||
# See also the ncp-cipher option in the manpage
|
||||
cipher AES-256-CBC
|
||||
|
||||
|
||||
{% if openvpn_compression_enabled %}
|
||||
compress lz4-v2
|
||||
push "compress lz4-v2"
|
||||
{% endif %}
|
||||
|
||||
keepalive {{ openvpn_keepalive }}
|
||||
|
||||
{% if not openvpn_cert_auth_enabled %}
|
||||
# Disable cert-auth
|
||||
client-cert-not-required
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_username_pam_auth %}
|
||||
username-as-common-name
|
||||
# PAM login
|
||||
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_ldap_auth %}
|
||||
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_ldap_perl_auth %}
|
||||
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
|
||||
#script-security 3 execve
|
||||
{% endif %}
|
||||
|
||||
max-clients {{ openvpn_max_clients }}
|
||||
|
||||
persist-tun
|
||||
persist-key
|
||||
|
||||
status status/openvpn-status.log
|
||||
|
||||
{% if openvpn_run_unprivileged %}
|
||||
user {{ openvpn_unprivileged_user }}
|
||||
group {{ openvpn_unprivileged_group }}
|
||||
{% endif %}
|
||||
|
||||
verb {{ openvpn_verbosity_log }}
|
||||
mute {{ openvpn_mute_after }}
|
||||
|
||||
# Notify the client that when the server restarts so it
|
||||
# can automatically reconnect.
|
||||
explicit-exit-notify 1
|
||||
|
|
@ -70,7 +70,7 @@ persist-key
|
|||
{% if openvpn_persist_tun %}
|
||||
persist-tun
|
||||
{% endif %}
|
||||
status status/openvpn-status.log
|
||||
status {{ openvpn_status_dir }}/openvpn-status.log
|
||||
{% if openvpn_run_unprivileged %}
|
||||
user {{ openvpn_unprivileged_user }}
|
||||
group {{ openvpn_unprivileged_group }}
|
||||
|
|
|
|||
Loading…
Reference in New Issue