openvpn: better user ccd management, option that enables the management interface, option to force the presence of a ccd entry.

2020-03-22 15:14:33 +01:00 · 2020-03-22 15:14:33 +01:00 · c5f0ee75ef
parent 8331f98490
commit c5f0ee75ef
7 changed files with 47 additions and 23 deletions
--- a/library/roles/openvpn/defaults/main.yml
+++ b/library/roles/openvpn/defaults/main.yml
@ -1,6 +1,11 @@
 ---
 openvpn_enabled: True
 openvpn_enable_system_forward: True
 openvpn_management_enabled: False
 openvpn_management_ip: 127.0.0.1
 openvpn_management_port: 1195
 openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
 # openvpn_management_password: 'set into a vault file'
 openvpn_pkg_state: latest
 openvpn_pkgs:
  - openvpn
@ -22,7 +27,7 @@ openvpn_ldap_perl_auth: False
 openvpn_perl_pkg:
  - libnet-ldap-perl
-# Server con parameters
+# Server conf parameters
 openvpn_conf_dir: /etc/openvpn
 openvpn_conf_name: openvpn.conf
@ -39,8 +44,9 @@ openvpn_server_net: '192.168.254.0 255.255.255.0'
 #openvpn_remote_servers: []
 openvpn_force_ccd: False
 # openvpn_users_customizations: 
-  # - { user: '', config: '', route: '' }
+#   - { cn: 'Joe Bar', ip: '<Client IP>', netmask: '<openvpn_server_net netmask>', routes: [ '192.168.253.0 255.255.255.0' ] }
 openvpn_tls_server: True
 openvpn_dh: /etc/openvpn/dh2048.pem
@ -64,7 +70,8 @@ openvpn_max_clients: 100
 openvpn_run_unprivileged: True
 openvpn_unprivileged_user: nobody
 openvpn_unprivileged_group: nogroup
-openvpn_letsencrypt_managed: True
+# Not recommended. Use a private CA if possible
 openvpn_letsencrypt_managed: False
 openvpn_verbosity_log: 3
 openvpn_mute_after: 20
--- a/library/roles/openvpn/tasks/main.yml
+++ b/library/roles/openvpn/tasks/main.yml
@ -1,4 +1,4 @@
 ---
 - import_tasks: openvpn.yml
 - import_tasks: letsencrypt-openvpn.yml
-  when: openvpn_letsencrypt_managed
+  when: openvpn_letsencrypt_managed | bool
--- a/library/roles/openvpn/tasks/openvpn.yml
+++ b/library/roles/openvpn/tasks/openvpn.yml
@ -11,16 +11,23 @@
        - auth
        - ccd
-  when: openvpn_enabled
+  when: openvpn_enabled | bool
  tags: openvpn
 - block: 
    - name: Install the OpenVPN radius auth plugin package
      apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-  when: openvpn_radius_auth
+  when: openvpn_radius_auth | bool
  tags: [ 'openvpn', 'openvpn_radius' ]
 - block: 
    - name: Install the OpenVPN radius auth plugin package
      template: src=management.txt.j2 dest={{ openvpn_management_file }}owner=root group=root mode=0400
  when: openvpn_management_enabled | bool
  tags: [ 'openvpn', 'openvpn_management' ]
 - block:
    - name: Install the OpenVPN ldap auth plugin package
      apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
@ -54,17 +61,18 @@
    - name: Install the main OpenVPN configuration file on the servers
      template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
      notify: Restart OpenVPN
      tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file' ]
    - name: Install the custom configuration for specific OpenVPN users in the servers
-      template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.user }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
+      template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
      with_items: '{{ openvpn_users_customizations | default([]) }}'
-      notify: Reload OpenVPN
+      tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
    - name: Install the easy-rsa package on servers when we use the certificate authentication
      apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
      when:
-        - openvpn_cert_auth_enabled
+        - openvpn_cert_auth_enabled | bool
-        - openvpn_is_master_host
+        - openvpn_is_master_host | bool
  when: openvpn_mode == 'server'
  tags: [ 'openvpn', 'openvpn_conf' ]
@ -103,7 +111,7 @@
    - name: Fix the ta.key file permissions
      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 
-  when: openvpn_is_master_host or not openvpn_ha
+  when: openvpn_is_master_host | bool or not openvpn_ha | bool
  tags: [ 'openvpn', 'openvpn_conf' ]
 - block:
@ -137,8 +145,8 @@
      ignore_errors: True
  when:
-    - openvpn_ha
+    - openvpn_ha | bool
-    - not openvpn_is_master_host
+    - not openvpn_is_master_host | bool
  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
 - block:
@ -179,8 +187,8 @@
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when:
-        - openvpn_enable_system_forward
+        - openvpn_enable_system_forward | bool
-        - openvpn_enabled
+        - openvpn_enabled | bool
    - name: Disable kernel forwarding
      sysctl: name={{ item }} value=0 reload=yes state=present
@ -191,11 +199,11 @@
    - name: Ensure that the OpenVPN service is enabled and running
      service: name=openvpn state=started enabled=yes
-      when: openvpn_enabled
+      when: openvpn_enabled | bool
    - name: Ensure that the OpenVPN service is stopped and disabled
      service: name=openvpn state=stopped enabled=no
-      when: not openvpn_enabled
+      when: not openvpn_enabled | bool
  tags: openvpn
--- a/library/roles/openvpn/templates/auth-ldap.conf.j2
+++ b/library/roles/openvpn/templates/auth-ldap.conf.j2
@ -63,9 +63,7 @@
        <Group>
               BaseDN          "{{ openvpn_ldap_group_base }}"
               SearchFilter    "{{ openvpn_ldap_group_filter }}"
 {% if openvpn_ldap_without_posix_groups %}
               RFC2307bis      {{ openvpn_ldap_without_posix_groups }}
 {% endif %}
               MemberAttribute {{ openvpn_ldap_group_member_attr }}
               # Add group members to a PF table (disabled)
        #       #PFTable        ips_vpn_eng
--- a/library/roles/openvpn/templates/management.txt.j2
+++ b/library/roles/openvpn/templates/management.txt.j2
@ -0,0 +1 @@
 {{ openvpn_management_password }}
--- a/library/roles/openvpn/templates/server.conf.j2
+++ b/library/roles/openvpn/templates/server.conf.j2
@ -1,11 +1,21 @@
 mode {{ openvpn_mode }}
 {% if openvpn_management_enabled %}
 management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
 {% endif %}
 dev {{ openvpn_dev }}
 port {{ openvpn_port }}
 proto {{ openvpn_protocol }}
 topology subnet
 server {{ openvpn_server_net }}
 {% if openvpn_ifconfig_pool is defined %}
 # Works in bridge mode only
 #ifconfig-pool {{ openvpn_ifconfig_pool }}
 {% endif %}
 ifconfig-pool-persist ipp/ipp.txt
 client-config-dir ccd
 {% if openvpn_force_ccd %}
 ccd-exclusive
 {% endif %}
 {% if openvpn_client_routes is defined %}
 {% for route in openvpn_client_routes %}
 route {{ route }}
--- a/library/roles/openvpn/templates/user-ccd.conf.j2
+++ b/library/roles/openvpn/templates/user-ccd.conf.j2
@ -1,4 +1,4 @@
-{{ item.config }}
+ifconfig-push {{ item.ip }} {{ item.netmask }}
-{% if item.route is defined %}}
+{% for net in item.routes %}
-{{ item.route }}
+push "route {{ net }}"
-{% endif %}
+{% endfor %}