-# Creating OpenVPN files for users
+# Manually Creating & Removing OpenVPN access for users
## Prerequisites
-In order to follow the steps documented here, few things must be prepared
-in advance.
+In order to manually create/remove OpenVPN access for users, there are pre-requisites
+steps which should be fulfilled.
-* Access to required below Nordix OpenVPN/Jump servers with sudo access to infra user,
+* Access to below Nordix OpenVPN/Jump and CA servers with sudo access to infra user
+ from your local machine,
+----------------+---------------+--------------------------------------+
- | Nordix OpenVPN | IP ADDRESS | SSH ACCESS |
+ | Nordix OpenVPN | IP ADDRESS | SSH ACCESS |
+================+===============+======================================+
| ONAP-CityCloud | 77.81.6.42 | ssh <USER_ID>@77.81.6.42 -p 52413 |
+----------------+---------------+--------------------------------------+
+----------------+---------------+--------------------------------------+
| CCD | 188.212.109.53| ssh <USER_ID>@188.212.109.53 -p 52413|
+----------------+---------------+--------------------------------------+
-
-* Ensure SSH key based authentication enabled between Openvpn server and CA
-
-* Login to required Nordix OpenVPN/Jump server from your machine
+ | CA Server | 77.81.6.250 | ssh <USER_ID>@77.81.6.250 -p 52413 |
+ +----------------+---------------+--------------------------------------+
* Install virtualenv, python3-minimal, python3-dev, and python3-pip
-```bash
+```
sudo apt update
sudo apt install -y virtualenv python3-minimal python3-dev python3-pip
```
* Create and set virtualenv
-```bash
+```
virtualenv -p python3 .venv
-source .venv/bin/activate
+source ~/.venv/bin/activate
```
* Install Ansible 2.9.6
```
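Review bot: the two virtualenv lines do not agree: `virtualenv -p python3 .venv` creates `.venv` in the current directory, but the activation line is `source ~/.venv/bin/activate`, which only works if the first command was run from `$HOME`; use the same path in both (for example `virtualenv -p python3 ~/.venv`). The removed line "Ensure SSH key based authentication enabled between Openvpn server and CA" should be reworded rather than dropped: after this change the playbooks run from the operator's machine and connect as `infra` to both the OpenVPN server and the CA server, so key-based SSH from the local machine to both hosts (on port 52413) is now the prerequisite to state. The "Install Ansible 2.9.6" item is followed by a lone code fence with no command inside, as shown; add the `pip install ansible==2.9.6` step or drop the fence.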
## Generate User ovpn file
-* Login to OpenVPN/Jump server with your credentials
-
* Clone infra/tools repository from Nordix Gerrit
-```bash
+```
git clone "https://gerrit.nordix.org/infra/tools"
```
You are now ready to create ovpn files for users in project specific OpenVPN server,
-* Switch to infra user in OpenVPN/Jump server
-
-* Change directory to you home directory from where repo cloned
-```bash
-cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
-source <YOUR_HOME_DIR>/.venv/bin/activate
-ansible-playbook -i inventory/inventory.ini openvpn_user_setup.yaml -e "client_name=<USERNAME_TO_CREATE_OVPN_CERT>"
+* Change directory in your computer where the repo cloned,
+```
+cd tools/infra/openvpn_automation
```
+* Export the `user_name` and `vpn_server_public_ip` as environment variable
+```
+export user_name=<Client_name>
+export vpn_server_public_ip=<PUBLIC_IP_OF_REQUIRED_OPENVPNSERVER>
+```
NOTE:
+* OpenVPN server public IP's can be taken from the table in the top of this file
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
+----------------+---------------+---------------------------+
| CCD | 10.4.0.0/24 | client_userid.ccd |
+----------------+---------------+---------------------------+
+* Update the invetory file to proceed,
+```
+cat >> inventory/inventory.ini <<EOF
+[jumphost]
+# Nordix OpenVPN server
+jumphost ansible_connection=ssh ansible_host=$vpn_server_public_ip ansible_user=infra ansible_port=52413 ansible_python_interpreter=/usr/bin/python3
+EOF
+```
+
+* Created user OpenVPN file by running the script,
+```
+./generate_openvpn_client.sh
+```
+
* Once user specific ovpn file is generated, this file should be shared with user's email with below instructions,
* Please install the openvpn on your laptop. Assuming you using Ubuntu:
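Review bot: the NOTE still reads "{{ client_name }} should be given as per specific OpenvVPN servers listed below", but this change renames the variable to `user_name` everywhere else (the `export user_name=<Client_name>` step and `vars.yaml`); update the note to `user_name`, and fix "invetory" to "inventory". The `cat >> inventory/inventory.ini <<EOF` step appends a new `[jumphost]` group every time it is run, so a second run for another server leaves duplicate group definitions in a tracked file; write the entry to a separate, untracked inventory file and pass it with a second `-i`, or overwrite with `>`. The `jumphost` entry sets `ansible_python_interpreter=/usr/bin/python3` while the committed `nordix_ca` entry in `inventory.ini` uses `/usr/bin/python`; pick one. The "Please install the openvpn on your laptop" line starts the user instructions but the remaining steps are not in the README; either list them here or point to the message the playbook prints.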
## Revoke User ovpn file
-* Login to required Nordix OpenVPN/Jump server from your machine
-
* Clone infra/tools repository from Nordix Gerrit
-```bash
+```
git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg "tools/.git/hooks/"
```
You are now ready to revoke Openvpn access for users in project specific OpenVPN server,
-* Switch to infra user in OpenVPN/Jump server
+* Change directory in your computer where the repo cloned,
+```
+cd tools/infra/openvpn_automation
+```
-* Change directory to you home directory from where repo cloned
-```bash
-cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
-source <YOUR_HOME_DIR>/.venv/bin/activate
-ansible-playbook -i inventory/inventory.ini openvpn_user_revoke.yaml -e "client_name=<USERNAME_TO_REVOKE_ACCESS>"
+* Export the `user_name` and `vpn_server_public_ip` as environment variable
+```
+export user_name=<Client_name>
+export vpn_server_public_ip=<PUBLIC_IP_OF_REQUIRED_OPENVPNSERVER>
```
NOTE:
+* OpenVPN server public IP's can be taken from the table in the top of this file
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
+----------------+---------------+---------------------------+
| CCD | 10.4.0.0/24 | client_userid.ccd |
+----------------+---------------+---------------------------+
+* Update the invetory file to proceed,
+```
+cat >> inventory/inventory.ini <<EOF
+[jumphost]
+# Nordix OpenVPN server
+jumphost ansible_connection=ssh ansible_host=$vpn_server_public_ip ansible_user=infra ansible_port=52413 ansible_python_interpreter=/usr/bin/python3
+EOF
+```
+
+* Delete user entries from OpenVPN server & Nordix CA servers by running the script,
+```
+./delete_openvpn_client.sh
+```
+
You are done!
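Review bot: the clone command in this section is not valid shell: the double quote opened before `ssh://` is closed by the quote before `tools/.git/hooks/`, so `git clone` receives the whole `ssh://... && scp ... commit-msg ` string as one argument and the trailing `"` is unbalanced; split it into `git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools" && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg tools/.git/hooks/`, and use the same clone command as the Generate section (which uses the anonymous HTTPS URL) so the two sections do not diverge. The directory, export and inventory-append steps are repeated verbatim from the Generate section; refer back to it instead of duplicating them, since the duplicated `cat >>` has the same append-on-every-run problem. The script name `./delete_openvpn_client.sh` cannot be matched to a file in this change because the new scripts are shown with `--- /dev/null` headers only, and the first of them prints "Generating client .ovpn file" while running `openvpn_user_revoke.yaml`.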
--- /dev/null
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+#-------------------------------------------------------------------------------
+# Configure & Generate client .ovpn file
+#-------------------------------------------------------------------------------
+echo "-------------------------------------------------------------------------"
+echo "Info: Configuring & Generating client .ovpn file"
+echo "-------------------------------------------------------------------------"
+
+export INVENTORY_FILE="${INVENTORY_FILE:-inventory/inventory.ini}"
+
+VERBOSITY=""
+while getopts ":v" o; do
+
+ case "${o}" in
+ v) VERBOSITY="${OPTARG}" ;;
+ *) echo "ERROR : Invalid option '-${OPTARG}'"; usage ;;
+ esac
+done
+
+ansible-playbook -i $INVENTORY_FILE playbooks/openvpn_user_revoke.yaml $VERBOSITY
\ No newline at end of file
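Review bot: the `getopts` loop aborts under `set -o nounset`: `-v` is declared without an argument (`":v"`), so `${OPTARG}` is unset when the `v)` branch runs and bash exits with an unbound-variable error instead of enabling verbosity; use `v) VERBOSITY="-v" ;;` (or append to it so repeated `-v` gives `-vv`). The `*)` branch calls `usage`, which this script never defines, so an invalid option ends in `usage: command not found` and an `errexit` exit. The banner says "Configuring & Generating client .ovpn file" but the script runs `playbooks/openvpn_user_revoke.yaml`. Because `vars.yaml` reads `user_name` from the environment with no default check, the script should fail early when it is empty, e.g. `: "${user_name:?user_name must be set}"` before `ansible-playbook`, and `"$INVENTORY_FILE"` should be quoted. Add the missing trailing newline.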
--- /dev/null
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+#-------------------------------------------------------------------------------
+# Configure & Generate client .ovpn file
+#-------------------------------------------------------------------------------
+echo "-------------------------------------------------------------------------"
+echo "Info: Configuring & Generating client .ovpn file"
+echo "-------------------------------------------------------------------------"
+
+export INVENTORY_FILE="${INVENTORY_FILE:-inventory/inventory.ini}"
+
+VERBOSITY=""
+while getopts ":v" o; do
+
+ case "${o}" in
+ v) VERBOSITY="${OPTARG}" ;;
+ *) echo "ERROR : Invalid option '-${OPTARG}'"; usage ;;
+ esac
+done
+
+ansible-playbook -i $INVENTORY_FILE playbooks/openvpn_user_setup.yaml $VERBOSITY
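Review bot: this script is a copy of the revoke script with only the playbook path changed, and it carries the same defects: `v) VERBOSITY="${OPTARG}"` is an unbound variable under `nounset` because `":v"` declares `-v` without an argument, and `usage` is undefined. Keep one script that takes the action (`setup` or `revoke`) as an argument and selects the playbook, and put the `user_name` / `vpn_server_public_ip` presence check there once so both flows get it.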
nordix_ca_easyrsa_path: "/home/infra/EasyRSA-v3.0.6"
nordix_openvpn_easyrsa_path: "/home/infra/OpenVPN/EasyRSA-v3.0.6"
nordix_openvpn_clientconfig: "/home/infra/OpenVPN/client-configs"
+
+# user specific vars
+user_name: "{{ lookup('env','user_name') }}"
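Review bot: `user_name: "{{ lookup('env','user_name') }}"` evaluates to an empty string when the variable is not exported, and every path in the roles is built from it (`.../pki/private/{{ user_name }}.key`, `/tmp/{{ user_name }}.req`, `{{ lookup('env','HOME') }}/{{ user_name }}`). Pipe it through `mandatory` (`lookup('env','user_name') | mandatory`) or assert in the preflight role that it is non-empty and matches a strict pattern such as `^[a-z0-9_.-]+$`, so a value containing `/` or `..` cannot move the key, CSR and `.ovpn` paths outside the intended directories on the jumphost, the CA or the operator's machine.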
[localhost]
127.0.0.1 ansible_connection=local ansible_user=infra
+[nordix_ca]
# Nordix CA server used to sign CSR's generated for user ovpn files
nordix_ca ansible_connection=ssh ansible_host=77.81.6.250 ansible_user=infra ansible_port=52413 ansible_python_interpreter=/usr/bin/python
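Review bot: the `jumphost` group that both new playbooks depend on (`hosts: jumphost` in the setup playbook, `delegate_to: jumphost` in both roles) is absent from the committed inventory; the README has the operator append it by hand, so a clean checkout cannot run either playbook. Commit a `[jumphost]` section whose `ansible_host` the operator overrides (or document a second `-i` file), and align `ansible_python_interpreter`: this entry uses `/usr/bin/python` while the README's jumphost line uses `/usr/bin/python3`.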
+++ /dev/null
----
-- name: Revoke user Openvpn config files
- hosts: nordix_ca
- become: false
- gather_facts: false
-
- pre_tasks:
- - name: Check user ovpn file existence
- stat:
- path: "{{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn"
- register: user_ovpn_file
- delegate_to: localhost
-
- - name: Fail the deployment
- fail:
- msg:
- - "{{ client_name }}.ovpn file not exist under '{{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn' or Client name is not defined"
- when: client_name is not defined and client_name | length > 0 or user_ovpn_file.stat.exists == false
-
- roles:
- - {role: revoke-user-ovpn, when: client_name is defined and client_name | length > 0}
+++ /dev/null
----
-- name: Generate user vpn config files
- hosts: nordix_ca
- become: false
- gather_facts: false
-
- pre_tasks:
- - name: Check user ovpn file existence
- stat:
- path: "{{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn"
- register: user_ovpn_file
- delegate_to: localhost
-
- - name: Fail the deployment
- fail:
- msg:
- - "{{ client_name }}.ovpn file already exist under '{{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn' or Client name is not defined"
- when: client_name is not defined and client_name | length > 0 or user_ovpn_file.stat.exists
-
- roles:
- - {role: generate-user-ovpn, when: client_name is defined and client_name | length > 0}
--- /dev/null
+---
+- name: Revoke user Openvpn config files
+ hosts: nordix_ca
+ become: false
+ gather_facts: false
+
+ roles:
+ - {role: revoke-user-ovpn}
\ No newline at end of file
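Review bot: the pre-task guard deleted from the old `openvpn_user_revoke.yaml` (the `stat` on `{{ client_name }}.ovpn` and the `fail` when the client name is undefined or empty) is not carried into this play, and nothing else validates `user_name` before the revoke role runs. With an empty `user_name` the role skips `easyrsa revoke` (no cert found) but still copies the CRL and restarts the OpenVPN service on the jumphost. Add a localhost pre-flight play here as the setup playbook has, or at least an `assert` that `user_name | length > 0` and that the user's `.ovpn` exists on the jumphost. Add the trailing newline.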
--- /dev/null
+---
+- name: Prepare to create user ovpn file in OpenVPN server
+ hosts: localhost
+ gather_facts: false
+ vars_files:
+ - "{{ playbook_dir }}/../inventory/group_vars/all/vars.yaml"
+
+ roles:
+ - {role: vpn-client-preflight}
+
+- name: Generate Certificates for vpn users
+ hosts: jumphost
+ become: false
+ gather_facts: false
+ vars_files:
+ - "{{ playbook_dir }}/../inventory/group_vars/all/vars.yaml"
+
+ roles:
+ - {role: vpn-client-certs}
+
+- name: Generate user vpn config files
+ hosts: nordix_ca
+ become: false
+ gather_facts: false
+ vars_files:
+ - "{{ playbook_dir }}/../inventory/group_vars/all/vars.yaml"
+
+ roles:
+ - {role: generate-user-ovpn}
\ No newline at end of file
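Review bot: the check the old playbook performed (`fail` when `{{ client_name }}.ovpn` already exists) has been dropped and the preflight role does not replace it: for an existing name the `stat` guards in the roles skip `gen-req`, `import-req` and `sign-req`, and `make_config.sh` regenerates the `.ovpn` from the existing key and cert, so re-running for an existing user quietly re-issues the same credential instead of erroring. Decide whether that is intended and say so in the README; if not, restore the existence check in `vpn-client-preflight`. The `vars_files` entries are redundant with `inventory/group_vars/all/vars.yaml`, which is loaded automatically for an inventory under `inventory/`; harmless, but the revoke playbook omits them, so use one convention. Add the trailing newline.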
---
-- name: Check {{ client_name }} key existence
- stat:
- path: "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ client_name }}.key"
- register: client_privatekey
- delegate_to: localhost
-
-- name: Create client cert and csr
- command: ./easyrsa --batch --req-cn={{ client_name }} gen-req {{ client_name }} nopass
- args:
- chdir: "{{ nordix_openvpn_easyrsa_path }}"
- when: client_privatekey.stat.exists == false
- delegate_to: localhost
-
-- name: Copy client key to client_config directory
- copy:
- src: "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ client_name }}.key"
- dest: "{{ nordix_openvpn_clientconfig }}/keys/"
- changed_when: true
- delegate_to: localhost
-
- name: Copy client csr to nordix CA
copy:
- src: "{{ nordix_openvpn_easyrsa_path }}/pki/reqs/{{ client_name }}.req"
+ src: "{{ hostvars['localhost']['vpn_user_files_location'] }}/{{ user_name }}.req"
dest: /tmp
+ owner: "infra"
+ group: "infra"
changed_when: true
+ become: true
-- name: Check {{ client_name }} csr existence in CA
+- name: Check {{ user_name }} csr existence in CA
stat:
- path: "{{ nordix_ca_easyrsa_path }}/pki/reqs/{{ client_name }}.req"
+ path: "{{ nordix_ca_easyrsa_path }}/pki/reqs/{{ user_name }}.req"
register: client_csr
- name: Import client csr
- command: ./easyrsa --batch import-req /tmp/{{ client_name }}.req {{ client_name }}
+ command: ./easyrsa --batch import-req /tmp/{{ user_name }}.req {{ user_name }}
args:
chdir: "{{ nordix_ca_easyrsa_path }}"
when: client_csr.stat.exists == false
changed_when: true
-- name: Check {{ client_name }} crt existence in CA
+- name: Check {{ user_name }} crt existence in CA
stat:
- path: "{{ nordix_ca_easyrsa_path }}/pki/issued/{{ client_name }}.crt"
+ path: "{{ nordix_ca_easyrsa_path }}/pki/issued/{{ user_name }}.crt"
register: client_crt
- name: Sign client csr
- command: ./easyrsa --batch sign-req client {{ client_name }}
+ command: ./easyrsa --batch sign-req client {{ user_name }}
args:
chdir: "{{ nordix_ca_easyrsa_path }}"
when: client_crt.stat.exists == false
- name: Fetch client cert to client-configs/keys/ dir
fetch:
- src: "{{ nordix_ca_easyrsa_path }}/pki/issued/{{ client_name }}.crt"
- dest: "{{ nordix_openvpn_clientconfig }}/keys/"
+ src: "{{ nordix_ca_easyrsa_path }}/pki/issued/{{ user_name }}.crt"
+ dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/"
flat: true
changed_when: true
+- name: Copy client cert file to OpenVPN server
+ copy:
+ src: "{{ hostvars['localhost']['vpn_user_files_location'] }}/{{ user_name }}.crt"
+ dest: "{{ nordix_openvpn_clientconfig }}/keys/"
+ changed_when: true
+ delegate_to: jumphost
+
- name: Generate Client .ovpn file
- script: make_config.sh "{{ client_name }}"
+ script: make_config.sh "{{ user_name }}"
args:
chdir: "{{ nordix_openvpn_clientconfig }}/"
executable: /bin/bash
- delegate_to: localhost
+ delegate_to: jumphost
+ become: false
+
+- name: Fetch Client .ovpn file
+ fetch:
+ src: "{{ nordix_openvpn_clientconfig }}/files/{{ item|basename }}"
+ dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/"
+ flat: true
+ with_items:
+ - "{{ user_name }}.ovpn"
+ delegate_to: jumphost
+ become: false
- name: Log user specific ovpn files location on the console
debug:
msg:
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- - "The ovpn file {{ client_name }}.ovpn is located in {{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn"
- - "Please share the newly generated {{ client_name }}.ovpn file with user over email with below instructions,"
+ - "The ovpn file {{ user_name }}.ovpn is located in {{ nordix_openvpn_clientconfig }}/files/{{ user_name }}.ovpn"
+ - "Please share the newly generated {{ user_name }}.ovpn file with user over email with below instructions,"
- "1. Please install the openvpn on your laptop. Assuming you using Ubuntu:"
- "#sudo apt install openvpn"
- "2. Then you need to open the VPN connection using the .ovpn file which contain all the required certificates:"
- - "#sudo openvpn --config {{ client_name }}.ovpn &"
+ - "#sudo openvpn --config {{ user_name }}.ovpn &"
- "3. Now, user should have access to all the VMs directly from your laptop"
- "4. In case you use Windows 10 OS, please use the community version of OpenVPN client:"
- "https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe"
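Review bot: the console message still says the file is at `{{ nordix_openvpn_clientconfig }}/files/{{ user_name }}.ovpn` on the OpenVPN server, but the new `Fetch Client .ovpn file` task also pulls it to `{{ hostvars['localhost']['vpn_user_files_location'] }}/` on the operator's machine; print the local path, since that is the copy the operator will email. That `.ovpn` embeds the client private key (generated with `nopass` and inlined by `make_config.sh`), so the local copy is live credential material and should be deleted once sent; the revoke role does not touch it. The CSR copied to `/tmp` on the CA (`dest: /tmp`, `owner: infra`) is never removed; add a cleanup task after `import-req`. Style: `when: client_csr.stat.exists == false` reads better as `when: not client_csr.stat.exists`, and `with_items` over the single `{{ user_name }}.ovpn` can be a plain `src`.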
---
-- name: Check {{ client_name }} cert existence in CA
+- name: Check {{ user_name }} cert existence in CA
stat:
- path: "{{ nordix_ca_easyrsa_path }}/pki/issued//{{ client_name }}.crt"
+ path: "{{ nordix_ca_easyrsa_path }}/pki/issued//{{ user_name }}.crt"
register: client_cert
-- name: Revoke {{ client_name }} cert in CA
- command: ./easyrsa --batch revoke {{ client_name }}
+- name: Revoke {{ user_name }} cert in CA
+ command: ./easyrsa --batch revoke {{ user_name }}
args:
chdir: "{{ nordix_ca_easyrsa_path }}"
when: client_cert.stat.exists == true
changed_when: true
- name: Move updated crl to /etc/openvpn/ dir
- command: mv /tmp/crl.pem /etc/openvpn/
- delegate_to: localhost
+ copy:
+ src: /tmp/crl.pem
+ dest: /etc/openvpn/
+ delegate_to: jumphost
register: updated_crl
changed_when: true
become: true
state: restarted
daemon_reload: true
enabled: true
- delegate_to: localhost
- when: updated_crl.rc == 0
+ delegate_to: jumphost
become: true
-- name: Remove {{ client_name }} files from OpenVPN server
+- name: Remove {{ user_name }} files from OpenVPN server
file:
path: "{{ item }}"
state: absent
with_items:
- - "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ client_name }}.key"
- - "{{ nordix_openvpn_easyrsa_path }}/pki/reqs/{{ client_name }}.req"
- - "{{ nordix_openvpn_clientconfig }}/keys/{{ client_name }}.crt"
- - "{{ nordix_openvpn_clientconfig }}/keys/{{ client_name }}.key"
- - "{{ nordix_openvpn_clientconfig }}/files/{{ client_name }}.ovpn"
- delegate_to: localhost
+ - "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ user_name }}.key"
+ - "{{ nordix_openvpn_easyrsa_path }}/pki/reqs/{{ user_name }}.req"
+ - "{{ nordix_openvpn_clientconfig }}/keys/{{ user_name }}.crt"
+ - "{{ nordix_openvpn_clientconfig }}/keys/{{ user_name }}.key"
+ - "{{ nordix_openvpn_clientconfig }}/files/{{ user_name }}.ovpn"
+ delegate_to: jumphost
register: user_files_removal
- name: Log user specific ovpn files location on the console
debug:
msg:
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- - "The OpenVPN access has been revoked for the user {{ client_name }}"
+ - "The OpenVPN access has been revoked for the user {{ user_name }}"
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ''
when: '"All items completed" in user_files_removal.msg'
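Review bot: the replacement for "Move updated crl to /etc/openvpn/ dir" is wrong: `copy` with `src: /tmp/crl.pem`, `delegate_to: jumphost` and no `remote_src: true` reads `/tmp/crl.pem` from the controller (the operator's machine), not from the CA where `easyrsa` writes the regenerated CRL, so the task either fails on a missing source or pushes a stale local file and the revoked certificate stays accepted by the OpenVPN server. `fetch` the CRL from `nordix_ca` to the controller first (from wherever the `gen-crl` step leaves it; the page shows `/tmp/crl.pem`), then `copy` that local file to `/etc/openvpn/` on the jumphost. Dropping `when: updated_crl.rc == 0` is right since `copy` has no `rc`. `pki/issued//{{ user_name }}.crt` has a doubled slash. The cleanup list covers the jumphost only; the `.req`, `.crt` and `.ovpn` that the setup flow fetched to `{{ hostvars['localhost']['vpn_user_files_location'] }}/` on the operator's machine remain after revocation.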
--- /dev/null
+---
+- name: Check {{ user_name }} key existence
+ stat:
+ path: "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ user_name }}.key"
+ register: client_privatekey
+
+- name: Create client cert and csr
+ command: ./easyrsa --batch --req-cn={{ user_name }} gen-req {{ user_name }} nopass
+ args:
+ chdir: "{{ nordix_openvpn_easyrsa_path }}"
+ when: client_privatekey.stat.exists == false
+
+- name: Copy client key to client_config directory
+ copy:
+ src: "{{ nordix_openvpn_easyrsa_path }}/pki/private/{{ user_name }}.key"
+ dest: "{{ nordix_openvpn_clientconfig }}/keys/"
+ remote_src: true
+ owner: "infra"
+ group: "infra"
+ changed_when: true
+ become: true
+
+- name: Fetch the CA, user {{ user_name }} cert and key
+ fetch:
+ src: "{{ nordix_openvpn_easyrsa_path }}/pki/reqs/{{ user_name }}.req"
+ dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/"
+ flat: true
+ remote_src: true
+ force: true
+ become: true
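Review bot: `remote_src` and `force` are not parameters of the `fetch` module (it takes `src`, `dest`, `flat`, `fail_on_missing` and `validate_checksum`), so they are ignored at best and rejected by argument validation in newer releases; drop them. Rename the task: it fetches only `{{ user_name }}.req` (the CSR) to the operator's machine, not "the CA, user cert and key", and leaving the private key on the jumphost is the right split, so the name should not suggest otherwise. `when: client_privatekey.stat.exists == false` reads better as `when: not client_privatekey.stat.exists`.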
--- /dev/null
+---
+# tasks file for preflight
+- name: Check user vpn directory existence
+ stat:
+ path: "{{ lookup('env','HOME') }}/{{ user_name }}"
+ register: uservpn_dir
+
+- name: Log user vpn directory status on console
+ debug:
+ msg: "The user vpn directory {{ lookup('env','HOME') }}/{{ user_name }} is already exist"
+ when: uservpn_dir.stat.exists
+
+- name: Create directory to user vpn files
+ file:
+ path: "{{ lookup('env','HOME') }}/{{ user_name }}"
+ state: directory
+ mode: "0700"
+ recurse: true
+ when: not uservpn_dir.stat.exists
+
+- name: Set fact for user vpn files directory
+ set_fact:
+ vpn_user_files_location: "{{ lookup('env','HOME') }}/{{ user_name }}"
\ No newline at end of file
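Review bot: with `user_name` empty (the default of `lookup('env','user_name')`) the path collapses to `{{ lookup('env','HOME') }}/`, the `stat` reports it exists, the create task is skipped, and `vpn_user_files_location` becomes the operator's home directory itself, so the later `fetch` tasks drop `.req`, `.crt` and `.ovpn` (the last containing a private key) straight into `$HOME`; a value with `/` or `..` relocates the directory elsewhere. Put an `assert` first (`that: user_name | length > 0` and `user_name is match('^[a-z0-9_.-]+$')`), and drop `recurse: true`, which a freshly created leaf directory does not need. Minor: the debug message reads "is already exist"; "already exists". Add the trailing newline.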