---
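# Base install: the OpenVPN packages plus the runtime subdirectories under
# the configuration directory. Skipped entirely when the role is disabled.
- block:
    - name: Install the OpenVPN main packages
      apt:
        name: '{{ openvpn_pkgs }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # NOTE(review): all four subdirs are owned by the unprivileged OpenVPN
    # user with mode 0770, so that user can unlink/replace the root-owned
    # files this role later installs under auth/ and ccd/ (directory write
    # permission is enough for that). Only ipp/ and status/ look like they
    # need write access; confirm before tightening auth/ and ccd/ to a
    # root-owned, group-readable mode.
    - name: Create the auth, ipp, ccd and status subdirs
      file:
        path: '{{ openvpn_conf_dir }}/{{ item }}'
        state: directory
        owner: '{{ openvpn_unprivileged_user }}'
        group: root
        mode: '0770'  # quoted: a bare 0770 would be read as an integer
      with_items:
        - ipp
        - status
        - auth
        - ccd

  when: openvpn_enabled | bool
  tags: openvpn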

# RADIUS authentication plugin, installed only when radius auth is enabled.
- block:
    - name: Install the OpenVPN radius auth plugin package
      apt:
        name: '{{ openvpn_radius_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

  when: openvpn_radius_auth | bool
  tags: [ 'openvpn', 'openvpn_radius' ]

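# Management interface file. The previous key=value form had no space
# between `}}` and `owner=root`, so dest became `<file>owner=root` and
# owner/group/mode were never applied; the task name was also a copy of
# the radius task. Mode 0400 root-only suggests the file holds the
# management password — confirm against management.txt.j2.
- block:
    - name: Install the OpenVPN management interface file
      template:
        src: management.txt.j2
        dest: '{{ openvpn_management_file }}'
        owner: root
        group: root
        mode: '0400'

  when: openvpn_management_enabled | bool
  tags: [ 'openvpn', 'openvpn_management' ]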

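# LDAP authentication plugin and its configuration. `| bool` is applied to
# the toggle for consistency with the other conditions in this file (a
# string value such as "false" passed via extra-vars is otherwise truthy).
- block:
    - name: Install the OpenVPN ldap auth plugin package
      apt:
        name: '{{ openvpn_ldap_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # Root-owned and readable by the OpenVPN group only; presumably it
    # carries the LDAP bind credentials — verify against the template.
    - name: Install the LDAP auth configuration file
      template:
        src: auth-ldap.conf.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Reload OpenVPN

  when: openvpn_ldap_auth | bool
  tags: [ 'openvpn', 'openvpn_ldap' ]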

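# Counterpart of the LDAP install block: drop the configuration file when
# LDAP auth is off. `| bool` matches the install block's condition so both
# branches agree on how the toggle is interpreted.
- block:
    - name: Remove the LDAP auth configuration file if LDAP is not used
      file:
        path: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        state: absent
      notify: Reload OpenVPN

  when: not openvpn_ldap_auth | bool
  tags: [ 'openvpn', 'openvpn_ldap' ]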

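# Perl-based LDAP client authentication: library packages plus the script
# itself. `| bool` added to the toggle for consistency with the rest of
# the file.
- block:
    - name: Install the perl libraries needed by the LDAP client authentication script
      apt:
        name: '{{ openvpn_perl_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # Executable for root and the OpenVPN group only, not world-readable.
    - name: Install the perl LDAP auth script
      template:
        src: auth-ldap.pl.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0550'

  when: openvpn_ldap_perl_auth | bool
  tags: [ 'openvpn', 'openvpn_ldap' ]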

# Server-mode configuration: main server config, per-user ccd overrides
# and (on the master host, certificate auth only) the easy-rsa tooling.
- block:
    - name: Install the main OpenVPN configuration file on the servers
      template:
        src: server.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN
      tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file' ]

    # One file per entry of openvpn_users_customizations, named by its cn.
    - name: Install the custom configuration for specific OpenVPN users in the servers
      template:
        src: user-ccd.conf.j2
        dest: '{{ openvpn_conf_dir }}/ccd/{{ item.cn }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      with_items: '{{ openvpn_users_customizations | default([]) }}'
      tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]

    - name: Install the easy-rsa package on servers when we use the certificate authentication
      apt:
        name: easy-rsa
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800
      when:
        - openvpn_cert_auth_enabled | bool
        - openvpn_is_master_host | bool

  when: openvpn_mode == 'server'
  tags: [ 'openvpn', 'openvpn_conf' ]

# Client-mode configuration (any mode other than 'server').
- block:
    - name: Install the main OpenVPN configuration file on the clients
      template:
        src: client.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN

  when: openvpn_mode != 'server'
  tags: [ 'openvpn', 'openvpn_conf' ]

# /etc/default/openvpn; both the service and systemd are notified since
# the defaults file feeds the unit.
- block:
    - name: Install the OpenVPN init defaults
      template:
        src: openvpn-defaults.j2
        dest: /etc/default/openvpn
        owner: root
        group: root
        mode: '0444'
      notify:
        - Restart OpenVPN
        - Reload systemd

  tags: [ 'openvpn', 'openvpn_conf' ]

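# Generate the DH parameters and the tls-auth key on the master host (or on
# a standalone, non-HA host). `command` replaces `shell`: neither command
# needs shell features, and the `cd ... &&` is expressed with `chdir`, so
# the templated directory is no longer interpolated into a shell string.
- block:
    - name: Create the dh file
      command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
      args:
        creates: '{{ openvpn_conf_dir }}/dh2048.pem'

    # DH parameters are public; world-readable is fine.
    - name: Fix the dh file permissions
      file:
        path: '{{ openvpn_conf_dir }}/dh2048.pem'
        owner: root
        group: root
        mode: '0444'

    - name: Create the ta key
      command: openvpn --genkey --secret ta.key
      args:
        chdir: '{{ openvpn_conf_dir }}'
        creates: '{{ openvpn_conf_dir }}/ta.key'

    # ta.key is a shared secret: root-only, regardless of the mode openvpn
    # created it with.
    - name: Fix the ta.key file permissions
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'

  when: openvpn_is_master_host | bool or not openvpn_ha | bool
  tags: [ 'openvpn', 'openvpn_conf' ]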

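# HA secondary servers: copy the DH parameters and the tls-auth key from
# the master host. Relaxing ta.key to 0444 on the master makes a shared
# secret world-readable there, and the original restore step came last
# with ignore_errors, so any earlier failure left it that way. The restore
# now runs in `always`, so the key is put back to 0400 on the master
# whatever happens to the copy steps.
- block:
    - name: Get the dh file from the master host
      synchronize:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
        # leading '/' is presumably redundant when openvpn_conf_dir is
        # absolute; a doubled slash is harmless — kept as in the original
        dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'
      ignore_errors: true

    - block:
        - name: Relax the ta.key file permissions so that it can be copied around
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0444'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Get the ta key from the master host
          synchronize:
            src: '{{ openvpn_conf_dir }}/ta.key'
            dest: '/{{ openvpn_conf_dir }}/ta.key'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Fix the ta.key file permissions
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'

      always:
        # Runs even if the copy failed: the key must not stay at 0444.
        - name: Fix the ta.key file permissions on the master host
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

  when:
    - openvpn_ha | bool
    - not openvpn_is_master_host | bool
  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]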

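# Clients: same copy of the DH parameters and tls-auth key from the master
# host as the HA-secondary block, with the same fix — the master-side
# restore to 0400 runs in `always`, so a failed local permission fix (or a
# failed copy) cannot leave the shared secret world-readable on the master.
- block:
    - name: Get the dh file from the master host
      synchronize:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
        # leading '/' is presumably redundant when openvpn_conf_dir is
        # absolute; a doubled slash is harmless — kept as in the original
        dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'

    - block:
        - name: Relax the ta.key file permissions so that it can be copied around
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0444'
          delegate_to: '{{ openvpn_master_host }}'

        - name: Get the ta key from the master host
          synchronize:
            src: '{{ openvpn_conf_dir }}/ta.key'
            dest: '/{{ openvpn_conf_dir }}/ta.key'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Fix the ta.key file permissions
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'

      always:
        # Runs even if the copy failed: the key must not stay at 0444.
        - name: Fix the ta.key file permissions on the master host
          file:
            path: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
          delegate_to: '{{ openvpn_master_host }}'

  when: openvpn_mode != 'server'
  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]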


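# Kernel forwarding and service state. The "disable" condition gets
# `| bool` to match the "enable" condition above it. Note the asymmetry
# kept from the original: forwarding is only enabled when OpenVPN itself
# is enabled, but it is left untouched when OpenVPN is disabled and the
# forwarding toggle is still true.
- block:
    - name: Enable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '1'  # quoted so the sysctl module compares strings
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when:
        - openvpn_enable_system_forward | bool
        - openvpn_enabled | bool

    - name: Disable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '0'
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when: not openvpn_enable_system_forward | bool

    - name: Ensure that the OpenVPN service is enabled and running
      service:
        name: openvpn
        state: started
        enabled: true
      when: openvpn_enabled | bool

    - name: Ensure that the OpenVPN service is stopped and disabled
      service:
        name: openvpn
        state: stopped
        enabled: false
      when: not openvpn_enabled | bool

  tags: openvpn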