ansible-roles/openvpn/templates/openvpn.conf.j2

mode {{ openvpn_mode }}
dev {{ openvpn_dev }}

server {{ openvpn_server_net }}
ifconfig-pool-persist ipp/ipp.txt
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}

{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}

{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}

port {{ openvpn_port }}
proto {{ openvpn_protocol }}

{% if openvpn_tls_server %}
tls-server
{% endif %}

dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
tls-auth {{ openvpn_tls_auth }}

{% if openvpn_compression_enabled %}
comp-lzo
{% endif %}

keepalive {{ openvpn_keepalive }}

{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
client-cert-not-required
{% endif %}

{% if openvpn_username_pam_auth %}
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}

{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}

{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve
{% endif %}

max-clients {{ openvpn_max_clients }}

persist-tun
persist-key

status status/openvpn-status.log

{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}

verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
library/roles/openvpn: Installs and configure a openvpn service. 2016-06-11 16:57:29 +02:00			`mode {{ openvpn_mode }}`
			`dev {{ openvpn_dev }}`

			`server {{ openvpn_server_net }}`
			`ifconfig-pool-persist ipp/ipp.txt`
			`{% for route in openvpn_push_routes %}`
			`push "route {{ route }}"`
			`{% endfor %}`

library/roles/openvpn: support pushing dhcp properties to the clients. infrastructure-services/group_vars/vpn/vpn.yml: Push the internal DNS IP address. 2016-06-15 19:31:27 +02:00			`{% for route in openvpn_push_routes %}`
			`push "route {{ route }}"`
			`{% endfor %}`

			`{% if openvpn_push_settings is defined %}`
			`{% for dhcp_opt in openvpn_push_settings %}`
			`push "{{ dhcp_opt }}"`
			`{% endfor %}`
			`{% endif %}`

library/roles/openvpn: Installs and configure a openvpn service. 2016-06-11 16:57:29 +02:00			`port {{ openvpn_port }}`
			`proto {{ openvpn_protocol }}`

			`{% if openvpn_tls_server %}`
			`tls-server`
			`{% endif %}`

			`dh {{ openvpn_dh }}`
			`ca {{ openvpn_ca }}`
			`cert {{ openvpn_cert }}`
			`key {{ openvpn_key }}`
			`tls-auth {{ openvpn_tls_auth }}`

			`{% if openvpn_compression_enabled %}`
			`comp-lzo`
			`{% endif %}`

			`keepalive {{ openvpn_keepalive }}`

			`{% if not openvpn_cert_auth_enabled %}`
			`# Disable cert-auth`
			`client-cert-not-required`
			`{% endif %}`

			`{% if openvpn_username_pam_auth %}`
			`username-as-common-name`
			`# PAM login`
library/roles/openvpn: Support to two different kinds of ldap authentication: Via the openvpn-ldap-auth module (no posix groups support, and it crashes on ubuntu 14.04), and via an external perl script. 2016-09-07 17:23:51 +02:00			`plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login`
			`{% endif %}`

			`{% if openvpn_ldap_auth %}`
			`plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf`
			`{% endif %}`

			`{% if openvpn_ldap_perl_auth %}`
			`auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env`
			`script-security 3 execve`
library/roles/openvpn: Installs and configure a openvpn service. 2016-06-11 16:57:29 +02:00			`{% endif %}`

			`max-clients {{ openvpn_max_clients }}`

			`persist-tun`
			`persist-key`

			`status status/openvpn-status.log`

			`{% if openvpn_run_unprivileged %}`
			`user {{ openvpn_unprivileged_user }}`
			`group {{ openvpn_unprivileged_group }}`
			`{% endif %}`

			`verb {{ openvpn_verbosity_log }}`
			`mute {{ openvpn_mute_after }}`