Merge pull request 'openvpn: better user ccd management, option that enables the management interface, option to force the presence of a ccd entry.' (#165) from adellam/ansible-roles:master into master

This commit is contained in:
Andrea Dell'Amico 2020-03-22 15:16:01 +01:00
commit 03cd53ff21
7 changed files with 47 additions and 23 deletions

View File

@ -1,6 +1,11 @@
---
openvpn_enabled: True
openvpn_enable_system_forward: True
openvpn_management_enabled: False
openvpn_management_ip: 127.0.0.1
openvpn_management_port: 1195
openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
# openvpn_management_password: 'set into a vault file'
openvpn_pkg_state: latest
openvpn_pkgs:
- openvpn
@ -22,7 +27,7 @@ openvpn_ldap_perl_auth: False
openvpn_perl_pkg:
- libnet-ldap-perl
# Server con parameters
# Server conf parameters
openvpn_conf_dir: /etc/openvpn
openvpn_conf_name: openvpn.conf
@ -39,8 +44,9 @@ openvpn_server_net: '192.168.254.0 255.255.255.0'
#openvpn_remote_servers: []
openvpn_force_ccd: False
# openvpn_users_customizations:
# - { user: '', config: '', route: '' }
# - { cn: 'Joe Bar', ip: '<Client IP>', netmask: '<openvpn_server_net netmask>', routes: [ '192.168.253.0 255.255.255.0' ] }
openvpn_tls_server: True
openvpn_dh: /etc/openvpn/dh2048.pem
@ -64,7 +70,8 @@ openvpn_max_clients: 100
openvpn_run_unprivileged: True
openvpn_unprivileged_user: nobody
openvpn_unprivileged_group: nogroup
openvpn_letsencrypt_managed: True
# Not recommended. Use a private CA if possible
openvpn_letsencrypt_managed: False
openvpn_verbosity_log: 3
openvpn_mute_after: 20

View File

@ -1,4 +1,4 @@
---
- import_tasks: openvpn.yml
- import_tasks: letsencrypt-openvpn.yml
when: openvpn_letsencrypt_managed
when: openvpn_letsencrypt_managed | bool

View File

@ -11,16 +11,23 @@
- auth
- ccd
when: openvpn_enabled
when: openvpn_enabled | bool
tags: openvpn
- block:
- name: Install the OpenVPN radius auth plugin package
apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
when: openvpn_radius_auth
when: openvpn_radius_auth | bool
tags: [ 'openvpn', 'openvpn_radius' ]
- block:
- name: Install the OpenVPN radius auth plugin package
template: src=management.txt.j2 dest={{ openvpn_management_file }}owner=root group=root mode=0400
when: openvpn_management_enabled | bool
tags: [ 'openvpn', 'openvpn_management' ]
- block:
- name: Install the OpenVPN ldap auth plugin package
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
@ -54,17 +61,18 @@
- name: Install the main OpenVPN configuration file on the servers
template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
notify: Restart OpenVPN
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file' ]
- name: Install the custom configuration for specific OpenVPN users in the servers
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.user }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
with_items: '{{ openvpn_users_customizations | default([]) }}'
notify: Reload OpenVPN
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
- name: Install the easy-rsa package on servers when we use the certificate authentication
apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
when:
- openvpn_cert_auth_enabled
- openvpn_is_master_host
- openvpn_cert_auth_enabled | bool
- openvpn_is_master_host | bool
when: openvpn_mode == 'server'
tags: [ 'openvpn', 'openvpn_conf' ]
@ -103,7 +111,7 @@
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
when: openvpn_is_master_host or not openvpn_ha
when: openvpn_is_master_host | bool or not openvpn_ha | bool
tags: [ 'openvpn', 'openvpn_conf' ]
- block:
@ -137,8 +145,8 @@
ignore_errors: True
when:
- openvpn_ha
- not openvpn_is_master_host
- openvpn_ha | bool
- not openvpn_is_master_host | bool
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
@ -179,8 +187,8 @@
- net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding
when:
- openvpn_enable_system_forward
- openvpn_enabled
- openvpn_enable_system_forward | bool
- openvpn_enabled | bool
- name: Disable kernel forwarding
sysctl: name={{ item }} value=0 reload=yes state=present
@ -191,11 +199,11 @@
- name: Ensure that the OpenVPN service is enabled and running
service: name=openvpn state=started enabled=yes
when: openvpn_enabled
when: openvpn_enabled | bool
- name: Ensure that the OpenVPN service is stopped and disabled
service: name=openvpn state=stopped enabled=no
when: not openvpn_enabled
when: not openvpn_enabled | bool
tags: openvpn

View File

@ -63,9 +63,7 @@
<Group>
BaseDN "{{ openvpn_ldap_group_base }}"
SearchFilter "{{ openvpn_ldap_group_filter }}"
{% if openvpn_ldap_without_posix_groups %}
RFC2307bis {{ openvpn_ldap_without_posix_groups }}
{% endif %}
MemberAttribute {{ openvpn_ldap_group_member_attr }}
# Add group members to a PF table (disabled)
# #PFTable ips_vpn_eng

View File

@ -0,0 +1 @@
{{ openvpn_management_password }}

View File

@ -1,11 +1,21 @@
mode {{ openvpn_mode }}
{% if openvpn_management_enabled %}
management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
{% endif %}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
topology subnet
server {{ openvpn_server_net }}
{% if openvpn_ifconfig_pool is defined %}
# Works in bridge mode only
#ifconfig-pool {{ openvpn_ifconfig_pool }}
{% endif %}
ifconfig-pool-persist ipp/ipp.txt
client-config-dir ccd
{% if openvpn_force_ccd %}
ccd-exclusive
{% endif %}
{% if openvpn_client_routes is defined %}
{% for route in openvpn_client_routes %}
route {{ route }}

View File

@ -1,4 +1,4 @@
{{ item.config }}
{% if item.route is defined %}}
{{ item.route }}
{% endif %}
ifconfig-push {{ item.ip }} {{ item.netmask }}
{% for net in item.routes %}
push "route {{ net }}"
{% endfor %}