forked from ISTI-ansible-roles/ansible-roles
openvpn: better user ccd management, option that enables the management interface, option to force the presence of a ccd entry.
parent
8331f98490
commit
c5f0ee75ef
|
@ -1,6 +1,11 @@
|
|||
---
|
||||
openvpn_enabled: True
|
||||
openvpn_enable_system_forward: True
|
||||
openvpn_management_enabled: False
|
||||
openvpn_management_ip: 127.0.0.1
|
||||
openvpn_management_port: 1195
|
||||
openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
|
||||
# openvpn_management_password: 'set into a vault file'
|
||||
openvpn_pkg_state: latest
|
||||
openvpn_pkgs:
|
||||
- openvpn
|
||||
|
@ -22,7 +27,7 @@ openvpn_ldap_perl_auth: False
|
|||
openvpn_perl_pkg:
|
||||
- libnet-ldap-perl
|
||||
|
||||
# Server con parameters
|
||||
# Server conf parameters
|
||||
openvpn_conf_dir: /etc/openvpn
|
||||
openvpn_conf_name: openvpn.conf
|
||||
|
||||
|
@ -39,8 +44,9 @@ openvpn_server_net: '192.168.254.0 255.255.255.0'
|
|||
|
||||
#openvpn_remote_servers: []
|
||||
|
||||
openvpn_force_ccd: False
|
||||
# openvpn_users_customizations:
|
||||
# - { user: '', config: '', route: '' }
|
||||
# - { cn: 'Joe Bar', ip: '<Client IP>', netmask: '<openvpn_server_net netmask>', routes: [ '192.168.253.0 255.255.255.0' ] }
|
||||
|
||||
openvpn_tls_server: True
|
||||
openvpn_dh: /etc/openvpn/dh2048.pem
|
||||
|
@ -64,7 +70,8 @@ openvpn_max_clients: 100
|
|||
openvpn_run_unprivileged: True
|
||||
openvpn_unprivileged_user: nobody
|
||||
openvpn_unprivileged_group: nogroup
|
||||
openvpn_letsencrypt_managed: True
|
||||
# Not recommended. Use a private CA if possible
|
||||
openvpn_letsencrypt_managed: False
|
||||
|
||||
openvpn_verbosity_log: 3
|
||||
openvpn_mute_after: 20
|
||||
|
|
|
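Review bot: The new management defaults at `openvpn_management_ip` / `openvpn_management_port` (L24–27) carry no warning that the OpenVPN management channel is a plaintext TCP protocol whose password is the only authentication, and that a connected client can kill sessions and signal the daemon; the loopback default is what makes it safe, and a maintainer who points it at a LAN address will not learn that from this file. Proposed comment above `openvpn_management_ip`: `# Plaintext TCP, password-only auth: keep this on loopback (or use a unix socket); anyone who can reach it can kill client sessions and signal the daemon.` Since `openvpn_management_password` is left commented out (L33) while the template renders it unconditionally, enabling the interface without defining it fails the play, which is the safe outcome; a one-line note saying `# Required when openvpn_management_enabled is True; keep it in a vault file` next to it would save a confused run. Similarly `openvpn_force_ccd` (L82) deserves `# ccd-exclusive: clients without a ccd entry are refused, so every CN must be listed in openvpn_users_customizations`.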
@ -1,4 +1,4 @@
|
|||
---
|
||||
- import_tasks: openvpn.yml
|
||||
- import_tasks: letsencrypt-openvpn.yml
|
||||
when: openvpn_letsencrypt_managed
|
||||
when: openvpn_letsencrypt_managed | bool
|
||||
|
|
|
@ -11,16 +11,23 @@
|
|||
- auth
|
||||
- ccd
|
||||
|
||||
when: openvpn_enabled
|
||||
when: openvpn_enabled | bool
|
||||
tags: openvpn
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN radius auth plugin package
|
||||
apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
when: openvpn_radius_auth
|
||||
when: openvpn_radius_auth | bool
|
||||
tags: [ 'openvpn', 'openvpn_radius' ]
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN radius auth plugin package
|
||||
template: src=management.txt.j2 dest={{ openvpn_management_file }}owner=root group=root mode=0400
|
||||
|
||||
when: openvpn_management_enabled | bool
|
||||
tags: [ 'openvpn', 'openvpn_management' ]
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN ldap auth plugin package
|
||||
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
@ -54,17 +61,18 @@
|
|||
- name: Install the main OpenVPN configuration file on the servers
|
||||
template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
notify: Restart OpenVPN
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file' ]
|
||||
|
||||
- name: Install the custom configuration for specific OpenVPN users in the servers
|
||||
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.user }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
with_items: '{{ openvpn_users_customizations | default([]) }}'
|
||||
notify: Reload OpenVPN
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
|
||||
|
||||
- name: Install the easy-rsa package on servers when we use the certificate authentication
|
||||
apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
when:
|
||||
- openvpn_cert_auth_enabled
|
||||
- openvpn_is_master_host
|
||||
- openvpn_cert_auth_enabled | bool
|
||||
- openvpn_is_master_host | bool
|
||||
|
||||
when: openvpn_mode == 'server'
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
@ -103,7 +111,7 @@
|
|||
- name: Fix the ta.key file permissions
|
||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
|
||||
|
||||
when: openvpn_is_master_host or not openvpn_ha
|
||||
when: openvpn_is_master_host | bool or not openvpn_ha | bool
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
|
@ -137,8 +145,8 @@
|
|||
ignore_errors: True
|
||||
|
||||
when:
|
||||
- openvpn_ha
|
||||
- not openvpn_is_master_host
|
||||
- openvpn_ha | bool
|
||||
- not openvpn_is_master_host | bool
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
|
||||
|
||||
- block:
|
||||
|
@ -179,8 +187,8 @@
|
|||
- net.ipv4.ip_forward
|
||||
# - net.ipv6.conf.all.forwarding
|
||||
when:
|
||||
- openvpn_enable_system_forward
|
||||
- openvpn_enabled
|
||||
- openvpn_enable_system_forward | bool
|
||||
- openvpn_enabled | bool
|
||||
|
||||
- name: Disable kernel forwarding
|
||||
sysctl: name={{ item }} value=0 reload=yes state=present
|
||||
|
@ -191,11 +199,11 @@
|
|||
|
||||
- name: Ensure that the OpenVPN service is enabled and running
|
||||
service: name=openvpn state=started enabled=yes
|
||||
when: openvpn_enabled
|
||||
when: openvpn_enabled | bool
|
||||
|
||||
- name: Ensure that the OpenVPN service is stopped and disabled
|
||||
service: name=openvpn state=stopped enabled=no
|
||||
when: not openvpn_enabled
|
||||
when: not openvpn_enabled | bool
|
||||
|
||||
tags: openvpn
|
||||
|
||||
|
|
|
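Review bot: The new management task at L203–206 writes the password file to the wrong path: `dest={{ openvpn_management_file }}owner=root` has no space before `owner=`, so the module receives a `dest` ending in `management.txtowner=root` and no `owner` argument at all, while the server config points OpenVPN at `management.txt`; with the interface enabled the daemon will not find its pw-file. The task name is also copied verbatim from the radius block above it. Fix: `- name: Install the OpenVPN management interface password file` / `template: src=management.txt.j2 dest={{ openvpn_management_file }} owner=root group=root mode=0400` / `no_log: True`, the last so the rendered password is not echoed in `--diff` output. Separately, the ccd task at L252 uses `item.cn` verbatim as a file name; inventory CNs with spaces or other characters that OpenVPN rewrites before its ccd lookup will produce files the daemon never matches, so consider normalising there as well.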
@ -63,9 +63,7 @@
|
|||
<Group>
|
||||
BaseDN "{{ openvpn_ldap_group_base }}"
|
||||
SearchFilter "{{ openvpn_ldap_group_filter }}"
|
||||
{% if openvpn_ldap_without_posix_groups %}
|
||||
RFC2307bis {{ openvpn_ldap_without_posix_groups }}
|
||||
{% endif %}
|
||||
MemberAttribute {{ openvpn_ldap_group_member_attr }}
|
||||
# Add group members to a PF table (disabled)
|
||||
# #PFTable ips_vpn_eng
|
||||
|
|
|
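Review bot: Dropping the `{% if %}` guard means `RFC2307bis {{ openvpn_ldap_without_posix_groups }}` is now emitted on every render, including when the variable is the Ansible boolean `False`, which Jinja prints capitalised as `False`. I could not confirm from this page whether the openvpn-auth-ldap config parser accepts that spelling, and the variable's default is not in this diff, so either keep the value as a lowercase string or render it explicitly: `RFC2307bis {{ 'true' if openvpn_ldap_without_posix_groups | bool else 'false' }}`.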
@ -0,0 +1 @@
|
|||
{{ openvpn_management_password }}
|
|
@ -1,11 +1,21 @@
|
|||
mode {{ openvpn_mode }}
|
||||
{% if openvpn_management_enabled %}
|
||||
management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
|
||||
{% endif %}
|
||||
dev {{ openvpn_dev }}
|
||||
port {{ openvpn_port }}
|
||||
proto {{ openvpn_protocol }}
|
||||
topology subnet
|
||||
server {{ openvpn_server_net }}
|
||||
{% if openvpn_ifconfig_pool is defined %}
|
||||
# Works in bridge mode only
|
||||
#ifconfig-pool {{ openvpn_ifconfig_pool }}
|
||||
{% endif %}
|
||||
ifconfig-pool-persist ipp/ipp.txt
|
||||
client-config-dir ccd
|
||||
{% if openvpn_force_ccd %}
|
||||
ccd-exclusive
|
||||
{% endif %}
|
||||
{% if openvpn_client_routes is defined %}
|
||||
{% for route in openvpn_client_routes %}
|
||||
route {{ route }}
|
||||
|
|
|
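Review bot: `ccd-exclusive` (L518) refuses any client whose CN has no file in `ccd/`, but the role writes those files as `ccd/{{ item.cn }}` verbatim and the defaults example uses `cn: 'Joe Bar'`. OpenVPN normalises the certificate CN before the lookup, replacing characters outside its allowed set (alphanumerics and `_-.@/:=`) with `_`, so a CN containing a space gets a file named `Joe Bar` but is looked up as `Joe_Bar`; without `openvpn_force_ccd` that user merely loses its static IP and routes, with it enabled the user is locked out. Either document that `cn` must be given in the sanitised form, or derive the file name in the ccd task: `dest={{ openvpn_conf_dir }}/ccd/{{ item.cn | regex_replace('[^A-Za-z0-9_.@:/=-]', '_') }}`. A comment above `ccd-exclusive` such as `# Clients without a matching ccd/<sanitised CN> file are refused` would make the dependency visible to whoever edits the user list.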
@ -1,4 +1,4 @@
|
|||
{{ item.config }}
|
||||
{% if item.route is defined %}}
|
||||
{{ item.route }}
|
||||
{% endif %}
|
||||
ifconfig-push {{ item.ip }} {{ item.netmask }}
|
||||
{% for net in item.routes %}
|
||||
push "route {{ net }}"
|
||||
{% endfor %}
|
||||
|
|
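Review bot: `{% for net in item.routes %}` (L554) is unconditional, so a user entry without a `routes` key aborts the play with an undefined-variable error rather than rendering a ccd file with just the `ifconfig-push`; nothing in the defaults marks `routes` as mandatory, and the previous template treated per-user routes as optional. Use `{% for net in item.routes | default([]) %}`. It would also help to add a header comment stating what each entry needs: `# Expects item.cn, item.ip, item.netmask (topology subnet); item.routes is optional`.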