From c5f0ee75ef2b23829092c51aa2eb11f6c8b71cd0 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Sun, 22 Mar 2020 15:14:33 +0100 Subject: [PATCH] openvpn: better user ccd management, option that enables the management interface, option to force the presence of a ccd entry. --- library/roles/openvpn/defaults/main.yml | 13 +++++-- library/roles/openvpn/tasks/main.yml | 2 +- library/roles/openvpn/tasks/openvpn.yml | 34 ++++++++++++------- .../roles/openvpn/templates/auth-ldap.conf.j2 | 2 -- .../roles/openvpn/templates/management.txt.j2 | 1 + .../roles/openvpn/templates/server.conf.j2 | 10 ++++++ .../roles/openvpn/templates/user-ccd.conf.j2 | 8 ++--- 7 files changed, 47 insertions(+), 23 deletions(-) create mode 100644 library/roles/openvpn/templates/management.txt.j2 diff --git a/library/roles/openvpn/defaults/main.yml b/library/roles/openvpn/defaults/main.yml index 13fe23ec..074033f1 100644 --- a/library/roles/openvpn/defaults/main.yml +++ b/library/roles/openvpn/defaults/main.yml @@ -1,6 +1,11 @@ --- openvpn_enabled: True openvpn_enable_system_forward: True +openvpn_management_enabled: False +openvpn_management_ip: 127.0.0.1 +openvpn_management_port: 1195 +openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt' +# openvpn_management_password: 'set into a vault file' openvpn_pkg_state: latest openvpn_pkgs: - openvpn @@ -22,7 +27,7 @@ openvpn_ldap_perl_auth: False openvpn_perl_pkg: - libnet-ldap-perl -# Server con parameters +# Server conf parameters openvpn_conf_dir: /etc/openvpn openvpn_conf_name: openvpn.conf @@ -39,8 +44,9 @@ openvpn_server_net: '192.168.254.0 255.255.255.0' #openvpn_remote_servers: [] +openvpn_force_ccd: False # openvpn_users_customizations: - # - { user: '', config: '', route: '' } +# - { cn: 'Joe Bar', ip: '', netmask: '', routes: [ '192.168.253.0 255.255.255.0' ] } openvpn_tls_server: True openvpn_dh: /etc/openvpn/dh2048.pem @@ -64,7 +70,8 @@ openvpn_max_clients: 100 openvpn_run_unprivileged: True openvpn_unprivileged_user: nobody openvpn_unprivileged_group: nogroup -openvpn_letsencrypt_managed: True +# Not recommended. Use a private CA if possible +openvpn_letsencrypt_managed: False openvpn_verbosity_log: 3 openvpn_mute_after: 20 diff --git a/library/roles/openvpn/tasks/main.yml b/library/roles/openvpn/tasks/main.yml index 04cd35f8..a736d5d2 100644 --- a/library/roles/openvpn/tasks/main.yml +++ b/library/roles/openvpn/tasks/main.yml @@ -1,4 +1,4 @@ --- - import_tasks: openvpn.yml - import_tasks: letsencrypt-openvpn.yml - when: openvpn_letsencrypt_managed + when: openvpn_letsencrypt_managed | bool diff --git a/library/roles/openvpn/tasks/openvpn.yml b/library/roles/openvpn/tasks/openvpn.yml index 8c56a4dd..f74fc281 100644 --- a/library/roles/openvpn/tasks/openvpn.yml +++ b/library/roles/openvpn/tasks/openvpn.yml @@ -11,16 +11,23 @@ - auth - ccd - when: openvpn_enabled + when: openvpn_enabled | bool tags: openvpn - block: - name: Install the OpenVPN radius auth plugin package apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 - when: openvpn_radius_auth + when: openvpn_radius_auth | bool tags: [ 'openvpn', 'openvpn_radius' ] +- block: + - name: Install the OpenVPN radius auth plugin package + template: src=management.txt.j2 dest={{ openvpn_management_file }}owner=root group=root mode=0400 + + when: openvpn_management_enabled | bool + tags: [ 'openvpn', 'openvpn_management' ] + - block: - name: Install the OpenVPN ldap auth plugin package apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 @@ -54,17 +61,18 @@ - name: Install the main OpenVPN configuration file on the servers template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 notify: Restart OpenVPN + tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file' ] - name: Install the custom configuration for specific OpenVPN users in the servers - template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.user }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 + template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 with_items: '{{ openvpn_users_customizations | default([]) }}' - notify: Reload OpenVPN + tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ] - name: Install the easy-rsa package on servers when we use the certificate authentication apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 when: - - openvpn_cert_auth_enabled - - openvpn_is_master_host + - openvpn_cert_auth_enabled | bool + - openvpn_is_master_host | bool when: openvpn_mode == 'server' tags: [ 'openvpn', 'openvpn_conf' ] @@ -103,7 +111,7 @@ - name: Fix the ta.key file permissions file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 - when: openvpn_is_master_host or not openvpn_ha + when: openvpn_is_master_host | bool or not openvpn_ha | bool tags: [ 'openvpn', 'openvpn_conf' ] - block: @@ -137,8 +145,8 @@ ignore_errors: True when: - - openvpn_ha - - not openvpn_is_master_host + - openvpn_ha | bool + - not openvpn_is_master_host | bool tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ] - block: @@ -179,8 +187,8 @@ - net.ipv4.ip_forward # - net.ipv6.conf.all.forwarding when: - - openvpn_enable_system_forward - - openvpn_enabled + - openvpn_enable_system_forward | bool + - openvpn_enabled | bool - name: Disable kernel forwarding sysctl: name={{ item }} value=0 reload=yes state=present @@ -191,11 +199,11 @@ - name: Ensure that the OpenVPN service is enabled and running service: name=openvpn state=started enabled=yes - when: openvpn_enabled + when: openvpn_enabled | bool - name: Ensure that the OpenVPN service is stopped and disabled service: name=openvpn state=stopped enabled=no - when: not openvpn_enabled + when: not openvpn_enabled | bool tags: openvpn diff --git a/library/roles/openvpn/templates/auth-ldap.conf.j2 b/library/roles/openvpn/templates/auth-ldap.conf.j2 index de6b4fd1..3c83a1fb 100644 --- a/library/roles/openvpn/templates/auth-ldap.conf.j2 +++ b/library/roles/openvpn/templates/auth-ldap.conf.j2 @@ -63,9 +63,7 @@ BaseDN "{{ openvpn_ldap_group_base }}" SearchFilter "{{ openvpn_ldap_group_filter }}" -{% if openvpn_ldap_without_posix_groups %} RFC2307bis {{ openvpn_ldap_without_posix_groups }} -{% endif %} MemberAttribute {{ openvpn_ldap_group_member_attr }} # Add group members to a PF table (disabled) # #PFTable ips_vpn_eng diff --git a/library/roles/openvpn/templates/management.txt.j2 b/library/roles/openvpn/templates/management.txt.j2 new file mode 100644 index 00000000..de14389c --- /dev/null +++ b/library/roles/openvpn/templates/management.txt.j2 @@ -0,0 +1 @@ +{{ openvpn_management_password }} diff --git a/library/roles/openvpn/templates/server.conf.j2 b/library/roles/openvpn/templates/server.conf.j2 index 2cf43661..37a8d65a 100644 --- a/library/roles/openvpn/templates/server.conf.j2 +++ b/library/roles/openvpn/templates/server.conf.j2 @@ -1,11 +1,21 @@ mode {{ openvpn_mode }} +{% if openvpn_management_enabled %} +management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }} +{% endif %} dev {{ openvpn_dev }} port {{ openvpn_port }} proto {{ openvpn_protocol }} topology subnet server {{ openvpn_server_net }} +{% if openvpn_ifconfig_pool is defined %} +# Works in bridge mode only +#ifconfig-pool {{ openvpn_ifconfig_pool }} +{% endif %} ifconfig-pool-persist ipp/ipp.txt client-config-dir ccd +{% if openvpn_force_ccd %} +ccd-exclusive +{% endif %} {% if openvpn_client_routes is defined %} {% for route in openvpn_client_routes %} route {{ route }} diff --git a/library/roles/openvpn/templates/user-ccd.conf.j2 b/library/roles/openvpn/templates/user-ccd.conf.j2 index acb8ebf4..0ca993a7 100644 --- a/library/roles/openvpn/templates/user-ccd.conf.j2 +++ b/library/roles/openvpn/templates/user-ccd.conf.j2 @@ -1,4 +1,4 @@ -{{ item.config }} -{% if item.route is defined %}} -{{ item.route }} -{% endif %} +ifconfig-push {{ item.ip }} {{ item.netmask }} +{% for net in item.routes %} +push "route {{ net }}" +{% endfor %}