From: Sankar Palanivel Date: Mon, 11 Oct 2021 12:52:23 +0000 (+0000) Subject: Merge "Update ssh keys cleanup" X-Git-Url: https://gerrit.nordix.org/gitweb?a=commitdiff_plain;h=31b1cd508312d418802358f57d3dcb378c439ada;hp=2a38ae7ee9e01513553823f2bdacd8e0d8a89349;p=infra%2Ftools.git Merge "Update ssh keys cleanup" --- diff --git a/infra/configure_openvpn_client/deploy.sh b/infra/configure_openvpn_client/deploy.sh new file mode 100755 index 0000000..b6ecb38 --- /dev/null +++ b/infra/configure_openvpn_client/deploy.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -o errexit +set -o nounset +set -o pipefail + +#------------------------------------------------------------------------------- +# Configure & Generate client .ovpn file +#------------------------------------------------------------------------------- +echo "Info: Configuring & Generating client .ovpn file" +echo "-------------------------------------------------------------------------" + +export INVENTORY_FILE="${INVENTORY_FILE:-/tmp/inventory.ini}" + +VERBOSITY="" +while getopts ":v" o; do + + case "${o}" in + v) VERBOSITY="${OPTARG}" ;; + *) echo "ERROR : Invalid option '-${OPTARG}'"; usage ;; + esac +done + +ansible-playbook -i "$INVENTORY_FILE" playbooks/openvpn_client_setup.yaml $VERBOSITY diff --git a/infra/configure_openvpn_client/inventory/group_vars/all/common_vars.yaml b/infra/configure_openvpn_client/inventory/group_vars/all/common_vars.yaml new file mode 100644 index 0000000..4d720cc --- /dev/null +++ b/infra/configure_openvpn_client/inventory/group_vars/all/common_vars.yaml @@ -0,0 +1,17 @@ +--- +# common: CA vars +network_cidr: 10.1.0.0 +vpn_server_public_ip: "{{ lookup('env','vpn_server_public_ip') }}" + +# common: vpn vars +openvpn_ca: /root/openvpn-ca +openvpn_server: "openvpn-server-{{ lookup('env','BOOKING_ID') }}" +country: BE +province: BRUSSELS +city: BRUSSELS +org: Nordix +orgunit: Nolabs +email: infra@nordix.org + +# user specific vars +user_name: "{{ lookup('env','user_name') }}" \ No newline at end of file diff --git a/infra/configure_openvpn_client/playbooks/openvpn_client_setup.yaml b/infra/configure_openvpn_client/playbooks/openvpn_client_setup.yaml new file mode 100644 index 0000000..c16af89 --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/openvpn_client_setup.yaml @@ -0,0 +1,29 @@ +--- +- name: Prepare to create user ovpn file in OpenVPN server + hosts: localhost + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-client-preflight} + +- name: Generate Certificates for vpn users + hosts: ca_server + become: true + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-client-certs} + +- name: Generate user vpn config files + hosts: jumphost + become: true + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-client} diff --git a/infra/configure_openvpn_client/playbooks/roles/vpn-client-certs/tasks/main.yml b/infra/configure_openvpn_client/playbooks/roles/vpn-client-certs/tasks/main.yml new file mode 100644 index 0000000..98bdd0b --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/roles/vpn-client-certs/tasks/main.yml @@ -0,0 +1,53 @@ +--- +- name: Generate random password for User + set_fact: + random_password: "{{ lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=12') }}" + +- name: Generate User Private Key + openssl_privatekey: + path: "/root/CA/private/{{ user_name }}.key" + passphrase: "{{ random_password }}" + cipher: aes256 + type: RSA + size: 4096 + force: true + +- name: Generate CSR for user {{ user_name }} + openssl_csr: + path: "/root/CA/requests/{{ user_name }}.csr" + privatekey_path: "/root/CA/private/{{ user_name }}.key" + privatekey_passphrase: "{{ random_password }}" + digest: sha256 + country_name: "{{ country }}" + state_or_province_name: "{{ province }}" + organization_name: "{{ org }}" + organizational_unit_name: "{{ orgunit }}" + common_name: "{{ email }}" + force: true + +- name: Sign the CSR request for user {{ user_name }} + openssl_certificate: + path: "/root/CA/newcerts/{{ user_name }}.crt" + csr_path: "/root/CA/requests/{{ user_name }}.csr" + ownca_path: /root/CA/certs/ca.crt + ownca_privatekey_path: /root/CA/private/ca.key + provider: ownca + force: true + +- name: Fetch the CA, user {{ user_name }} cert and key + fetch: + src: "{{ item }}" + dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/" + flat: true + remote_src: true + force: true + with_items: + - "/root/CA/newcerts/{{ user_name }}.crt" + - "/root/CA/private/{{ user_name }}.key" + +- name: Keep User random password for temporary use + copy: + content: "{{ random_password }}" + dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/{{ user_name }}.pwd" + force: true + delegate_to: localhost diff --git a/infra/configure_openvpn_client/playbooks/roles/vpn-client-preflight/tasks/main.yaml b/infra/configure_openvpn_client/playbooks/roles/vpn-client-preflight/tasks/main.yaml new file mode 100644 index 0000000..ae99936 --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/roles/vpn-client-preflight/tasks/main.yaml @@ -0,0 +1,23 @@ +--- +# tasks file for preflight +- name: Check user vpn directory existence + stat: + path: "{{ lookup('env','HOME') }}/{{ user_name }}" + register: uservpn_dir + +- name: Log user vpn directory status on console + debug: + msg: "The user vpn directory {{ lookup('env','HOME') }}/{{ user_name }} is already exist" + when: uservpn_dir.stat.exists + +- name: Create directory to user vpn files + file: + path: "{{ lookup('env','HOME') }}/{{ user_name }}" + state: directory + mode: "0700" + recurse: true + when: not uservpn_dir.stat.exists + +- name: Set fact for user vpn files directory + set_fact: + vpn_user_files_location: "{{ lookup('env','HOME') }}/{{ user_name }}" diff --git a/infra/configure_openvpn_client/playbooks/roles/vpn-client/files/make_config.sh b/infra/configure_openvpn_client/playbooks/roles/vpn-client/files/make_config.sh new file mode 100644 index 0000000..e10d2d1 --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/roles/vpn-client/files/make_config.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# First argument: Client identifier +if [ -z "$1" ] + then + echo "Please provide the client identifier." + echo " example: $0 ." + echo " example: $0 jsmith.onap" + exit 1 +fi + +KEY_DIR="/root/openvpn-ca/client_configs/keys" +OUTPUT_DIR="/root/openvpn-ca/client_configs/files" +BASE_CONFIG="/root/openvpn-ca/client_configs/base.conf" + +cat ${BASE_CONFIG} \ + <(echo -e '') \ + ${KEY_DIR}/ca.crt \ + <(echo -e '\n') \ + ${KEY_DIR}/"${1}".crt \ + <(echo -e '\n') \ + ${KEY_DIR}/"${1}".key \ + <(echo -e '\n') \ + ${KEY_DIR}/ta.key \ + <(echo -e '') \ + > ${OUTPUT_DIR}/"${1}".ovpn diff --git a/infra/configure_openvpn_client/playbooks/roles/vpn-client/tasks/main.yml b/infra/configure_openvpn_client/playbooks/roles/vpn-client/tasks/main.yml new file mode 100644 index 0000000..1ebef3a --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/roles/vpn-client/tasks/main.yml @@ -0,0 +1,62 @@ +--- +# tasks file for vpn_client +- name: Create Directory for Client Config Files + file: + path: "{{ openvpn_ca }}/client_configs/{{ item }}" + state: directory + recurse: true + with_items: + - files + - keys + +- name: Copy Client Sample Config file + template: + src: base.conf.j2 + dest: "{{ openvpn_ca }}/client_configs/base.conf" + force: true + +- name: Client certs and keys to client_configs + copy: + src: "{{ item }}" + dest: "{{ openvpn_ca }}/client_configs/keys" + with_items: + - "{{ hostvars['localhost']['vpn_user_files_location'] }}/{{ user_name }}.crt" + - "{{ hostvars['localhost']['vpn_user_files_location'] }}/{{ user_name }}.key" + +- name: Copy ta & Client certs and keys to client_configs + copy: + remote_src: true + src: "{{ item }}" + dest: "{{ openvpn_ca }}/client_configs/keys" + with_items: + - "/etc/openvpn/ta.key" + - "/etc/openvpn/ca.crt" + +- name: Create Client .ovpn file + script: make_config.sh "{{ user_name }}" + args: + chdir: "{{ openvpn_ca }}/client_configs/" + executable: /bin/bash + +- name: Fetch Client .ovpn file + fetch: + src: "{{ openvpn_ca }}/client_configs/files/{{ item|basename }}" + dest: "{{ hostvars['localhost']['vpn_user_files_location'] }}/" + flat: true + with_items: + - "{{ user_name }}.ovpn" + +- name: Start and Enable Openvpn Service + systemd: + name: openvpn@server + state: restarted + daemon_reload: true + enabled: true + +- name: Log user specific ovpn files location on the console + debug: + msg: + - +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + - zone specific user ovpn files are located in {{ hostvars['localhost']['vpn_user_files_location'] }} + - +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + - '' diff --git a/infra/configure_openvpn_client/playbooks/roles/vpn-client/templates/base.conf.j2 b/infra/configure_openvpn_client/playbooks/roles/vpn-client/templates/base.conf.j2 new file mode 100644 index 0000000..0f74cb9 --- /dev/null +++ b/infra/configure_openvpn_client/playbooks/roles/vpn-client/templates/base.conf.j2 @@ -0,0 +1,129 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +proto tcp +;proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote "{{ vpn_server_public_ip }}" 1194 +;remote my-server-2 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +user nobody +group nogroup + +# Try to preserve some state across restarts. +persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +ca ca.crt +cert "{{ openvpn_server }}.crt" +key "{{ openvpn_server }}.key" + +# Verify server certificate by checking that the +# certicate has the correct key usage set. +# This is an important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +#remote-cert-tls server + +# If a tls-auth key is used on the server +# then every client must also have the key. +tls-auth ta.key 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the ncp-cipher option in the manpage +cipher AES-256-CBC +auth SHA256 +key-direction 1 + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +#comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 diff --git a/infra/configure_openvpn_server/deploy.sh b/infra/configure_openvpn_server/deploy.sh new file mode 100755 index 0000000..a15622f --- /dev/null +++ b/infra/configure_openvpn_server/deploy.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -o errexit +set -o nounset +set -o pipefail + +#------------------------------------------------------------------------------- +# Configure Openvpn Server +#------------------------------------------------------------------------------- +echo "Info: Configuring Openvpn Server" +echo "-------------------------------------------------------------------------" + +export INVENTORY_FILE="${INVENTORY_FILE:-/tmp/inventory.ini}" + +VERBOSITY="" +while getopts ":v" o; do + + case "${o}" in + v) VERBOSITY="${OPTARG}" ;; + *) echo "ERROR : Invalid option '-${OPTARG}'"; usage ;; + esac +done + +ansible-playbook -i "$INVENTORY_FILE" playbooks/openvpn_server_setup.yaml $VERBOSITY diff --git a/infra/configure_openvpn_server/inventory/group_vars/all/common_vars.yaml b/infra/configure_openvpn_server/inventory/group_vars/all/common_vars.yaml new file mode 100644 index 0000000..a23b311 --- /dev/null +++ b/infra/configure_openvpn_server/inventory/group_vars/all/common_vars.yaml @@ -0,0 +1,14 @@ +--- +# common: CA vars +network_cidr: 10.1.0.0 +vpn_server_public_ip: "{{ lookup('env','vpn_server_public_ip') }}" + +# common: vpn vars +openvpn_ca: /root/openvpn-ca +openvpn_server: "openvpn-server-{{ lookup('env','BOOKING_ID') }}" +country: BE +province: BRUSSELS +city: BRUSSELS +org: Nordix +orgunit: Nolabs +email: infra@nordix.org \ No newline at end of file diff --git a/infra/configure_openvpn_server/playbooks/openvpn_server_setup.yaml b/infra/configure_openvpn_server/playbooks/openvpn_server_setup.yaml new file mode 100644 index 0000000..610db22 --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/openvpn_server_setup.yaml @@ -0,0 +1,30 @@ +--- +- name: Prepare Setup for OpenVPN server + hosts: localhost + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-server-preflight} + +- name: Generate Certificates + hosts: ca_server + become: true + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-server-certs} + +- name: Setup OpenVPN Server & Client configuration + hosts: jumphost + become: true + gather_facts: false + vars_files: + - "{{ playbook_dir }}/../inventory/group_vars/all/common_vars.yaml" + + roles: + - {role: vpn-server} + diff --git a/infra/configure_openvpn_server/playbooks/roles/vpn-server-certs/tasks/main.yml b/infra/configure_openvpn_server/playbooks/roles/vpn-server-certs/tasks/main.yml new file mode 100644 index 0000000..23f69bf --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/roles/vpn-server-certs/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: Generate server key + openssl_privatekey: + path: /root/CA/private/{{ openvpn_server }}.key + type: RSA + size: 4096 + force: true + +- name: Generate CSR for the Openvpn server + openssl_csr: + path: /root/CA/requests/{{ openvpn_server }}.csr + privatekey_path: /root/CA/private/{{ openvpn_server }}.key + digest: sha256 + country_name: "{{ country }}" + state_or_province_name: "{{ province }}" + organization_name: "{{ org }}" + organizational_unit_name: "{{ orgunit }}" + common_name: "{{ email }}" + force: true + +- name: Sign the CSR request for Openvpn server + openssl_certificate: + path: /root/CA/newcerts/{{ openvpn_server }}.crt + csr_path: /root/CA/requests/{{ openvpn_server }}.csr + ownca_path: /root/CA/certs/ca.crt + ownca_privatekey_path: /root/CA/private/ca.key + provider: ownca + force: true + +- name: Fetch the CA signed Openvpn server certificate + fetch: + src: "{{ item }}" + dest: "{{ hostvars['localhost']['vpn_files_location'] }}/" + flat: true + remote_src: true + force: true + with_items: + - /root/CA/newcerts/{{ openvpn_server }}.crt + - /root/CA/private/{{ openvpn_server }}.key + - /root/CA/certs/ca.crt + diff --git a/infra/configure_openvpn_server/playbooks/roles/vpn-server-preflight/tasks/main.yaml b/infra/configure_openvpn_server/playbooks/roles/vpn-server-preflight/tasks/main.yaml new file mode 100644 index 0000000..0e25ec2 --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/roles/vpn-server-preflight/tasks/main.yaml @@ -0,0 +1,17 @@ +--- +# tasks file for preflight +- name: Create temporary directory + tempfile: + path: "{{ lookup('env','HOME') }}" + state: directory + prefix: vpn_setup_ + suffix: _files + register: temp_dir + +- name: Set fact for temp directory + set_fact: + vpn_files_location: "{{ temp_dir.path }}" + +- name: Debug vpn_files_location + debug: + msg: "{{ vpn_files_location }}" diff --git a/infra/configure_openvpn_server/playbooks/roles/vpn-server/tasks/main.yml b/infra/configure_openvpn_server/playbooks/roles/vpn-server/tasks/main.yml new file mode 100644 index 0000000..8401671 --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/roles/vpn-server/tasks/main.yml @@ -0,0 +1,122 @@ +--- +# tasks file for vpn_server +- name: Update the system packages + apt: + update_cache: true + +- name: Install Python, Openvpn & Easy-rsa + package: + name: "{{ item }}" + state: present + with_items: + - python-pip + - openvpn + - easy-rsa + +- name: Remove CA directory + file: + state: absent + path: "{{ openvpn_ca }}" + +- name: Create CA directory + command: make-cadir "{{ openvpn_ca }}" + changed_when: false + +- name: Customize CA variable configuration + template: + src: vars.j2 + dest: "{{ openvpn_ca }}/vars" + force: true + changed_when: false + +- name: Create keys directory under {{ openvpn_ca }} + file: + path: "{{ openvpn_ca }}/keys" + state: directory + +- name: Build Diffie-Hellman parameters and key generation + shell: > + source vars; + sh "{{ openvpn_ca }}"/clean-all; + sh "{{ openvpn_ca }}"/build-dh; + openvpn --genkey --secret keys/ta.key; + args: + chdir: "{{ openvpn_ca }}" + executable: /bin/bash + changed_when: false + +- name: Copy key and certificates + copy: + src: "{{ hostvars['localhost']['vpn_files_location'] }}/{{ item }}" + dest: "{{ openvpn_ca }}/keys" + with_items: + - "{{ openvpn_server }}.crt" + - "{{ openvpn_server }}.key" + - ca.crt + +- name: Copy key and certificates to /etc/openvpn + copy: + src: "{{ hostvars['localhost']['vpn_files_location'] }}/{{ item }}" + dest: "/etc/openvpn/" + with_items: + - "{{ openvpn_server }}.crt" + - "{{ openvpn_server }}.key" + - ca.crt + +- name: Copy DH cert and key to /etc/openvpn + copy: + src: "{{ openvpn_ca }}/keys/{{ item }}" + dest: "/etc/openvpn/" + remote_src: true + with_items: + - "ta.key" + - "dh2048.pem" + +- name: Adjust OpenVPN Server Configuration + template: + src: server.conf.j2 + dest: "/etc/openvpn/server.conf" + force: true + +- name: Configuration IP forwarding + sysctl: + name: net.ipv4.ip_forward + value: "1" + state: present + reload: true + +- name: Updating iptables for incoming + iptables: + chain: FORWARD + jump: ACCEPT + in_interface: tun+ + +- name: Updating iptables for outgoing + iptables: + chain: FORWARD + jump: ACCEPT + out_interface: tun+ + +- name: Setup the MASQUERADE + lineinfile: + path: /lib/systemd/system/openvpn@.service + insertafter: 'ExecStart=' + line: "ExecStartPost=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d {{ network_cidr }}/24 -j MASQUERADE" + +- name: Systemd to reread configuration + systemd: + daemon_reload: true + +- name: Start and Enable Openvpn Service + systemd: + name: openvpn@server + state: started + daemon_reload: true + enabled: true + +- name: Cleanup vpn files in localhost + file: + path: "{{ hostvars['localhost']['vpn_files_location'] }}" + state: absent + delegate_to: localhost + become: false diff --git a/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/server.conf.j2 b/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/server.conf.j2 new file mode 100644 index 0000000..fb015cf --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/server.conf.j2 @@ -0,0 +1,317 @@ +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\Program Files\\OpenVPN\\config\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port 1194 + +# TCP or UDP server? +proto tcp +;proto udp + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. +;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca ca.crt +cert "{{ openvpn_server }}.crt" +key "{{ openvpn_server }}.key" # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh2048.pem 2048 +dh dh2048.pem + +# Network topology +# Should be subnet (addressing via IP) +# unless Windows clients v2.0.9 and lower have to +# be supported (then net30, i.e. a /30 per client) +# Defaults to net30 (not recommended) +;topology subnet + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +server 10.8.0.0 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist /var/log/openvpn/ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Configure server mode for ethernet bridging +# using a DHCP-proxy, where clients talk +# to the OpenVPN server-side DHCP server +# to receive their IP address allocation +# and DNS server addresses. You must first use +# your OS's bridging capability to bridge the TAP +# interface with the ethernet NIC interface. +# Note: this mode only works on clients (such as +# Windows), where the client-side TAP adapter is +# bound to a DHCP client. +;server-bridge + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +push "route {{ network_cidr }} 255.255.255.0" +;push "route 192.168.20.0 255.255.255.0" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). + +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. +# First, uncomment out these lines: +;client-config-dir ccd +;route 192.168.40.128 255.255.255.248 +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. + +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. +# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 + +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. +# (2) (Advanced) Create a script to dynamically +# modify the firewall in response to access +# from different clients. See man +# page for more info on learn-address script. +;learn-address ./script + +# If enabled, this directive will configure +# all clients to redirect their default +# network gateway through the VPN, causing +# all IP traffic such as web browsing and +# and DNS lookups to go through the VPN +# (The OpenVPN server machine may need to NAT +# or bridge the TUN/TAP interface to the internet +# in order for this to work properly). +;push "redirect-gateway def1 bypass-dhcp" + +# Certain Windows-specific network settings +# can be pushed to clients, such as DNS +# or WINS server addresses. CAVEAT: +# http://openvpn.net/faq.html#dhcpcaveats +# The addresses below refer to the public +# DNS servers provided by opendns.com. +;push "dhcp-option DNS 208.67.222.222" +;push "dhcp-option DNS 208.67.220.220" + +# Uncomment this directive to allow different +# clients to be able to "see" each other. +# By default, clients will only see the server. +# To force clients to only see the server, you +# will also need to appropriately firewall the +# server's TUN/TAP interface. +;client-to-client + +# Uncomment this directive if multiple clients +# might connect with the same certificate/key +# files or common names. This is recommended +# only for testing purposes. For production use, +# each client should have its own certificate/key +# pair. +# +# IF YOU HAVE NOT GENERATED INDIVIDUAL +# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, +# EACH HAVING ITS OWN UNIQUE "COMMON NAME", +# UNCOMMENT THIS LINE OUT. +;duplicate-cn + +# The keepalive directive causes ping-like +# messages to be sent back and forth over +# the link so that each side knows when +# the other side has gone down. +# Ping every 10 seconds, assume that remote +# peer is down if no ping received during +# a 120 second time period. +keepalive 10 120 + +# For extra security beyond that provided +# by SSL/TLS, create an "HMAC firewall" +# to help block DoS attacks and UDP port flooding. +# +# Generate with: +# openvpn --genkey --secret ta.key +# +# The server and each client must have +# a copy of this key. +# The second parameter should be '0' +# on the server and '1' on the clients. +tls-auth ta.key 0 # This file is secret +key-direction 0 + +# Select a cryptographic cipher. +# This config item must be copied to +# the client config file as well. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the ncp-cipher option in the manpage +cipher AES-256-CBC +auth SHA256 + +# Enable compression on the VPN link and push the +# option to the client (v2.4+ only, for earlier +# versions see below) +;compress lz4-v2 +;push "compress lz4-v2" + +# For compression compatible with older clients use comp-lzo +# If you enable it here, you must also +# enable it in the client config file. +;comp-lzo + +# The maximum number of concurrently connected +# clients we want to allow. +;max-clients 100 + +# It's a good idea to reduce the OpenVPN +# daemon's privileges after initialization. +# +# You can uncomment this out on +# non-Windows systems. +user nobody +group nogroup + +# The persist options will try to avoid +# accessing certain resources on restart +# that may no longer be accessible because +# of the privilege downgrade. +persist-key +persist-tun + +# Output a short status file showing +# current connections, truncated +# and rewritten every minute. +status /var/log/openvpn/openvpn-status.log + +# By default, log messages will go to the syslog (or +# on Windows, if running as a service, they will go to +# the "\Program Files\OpenVPN\log" directory). +# Use log or log-append to override this default. +# "log" will truncate the log file on OpenVPN startup, +# while "log-append" will append to it. Use one +# or the other (but not both). +;log /var/log/openvpn/openvpn.log +log-append /var/log/openvpn/openvpn.log + +# Set the appropriate level of log +# file verbosity. +# +# 0 is silent, except for fatal errors +# 4 is reasonable for general usage +# 5 and 6 can help to debug connection problems +# 9 is extremely verbose +verb 4 + +# Silence repeating messages. At most 20 +# sequential messages of the same message +# category will be output to the log. +;mute 20 + +# Notify the client that when the server restarts so it +# can automatically reconnect. +explicit-exit-notify 0 diff --git a/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/vars.j2 b/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/vars.j2 new file mode 100644 index 0000000..8f4863b --- /dev/null +++ b/infra/configure_openvpn_server/playbooks/roles/vpn-server/templates/vars.j2 @@ -0,0 +1,80 @@ +# easy-rsa parameter settings + +# NOTE: If you installed from an RPM, +# don't edit this file in place in +# /usr/share/openvpn/easy-rsa -- +# instead, you should copy the whole +# easy-rsa directory to another location +# (such as /etc/openvpn) so that your +# edits will not be wiped out by a future +# OpenVPN package upgrade. + +# This variable should point to +# the top level of the easy-rsa +# tree. +export EASY_RSA="`pwd`" + +# +# This variable should point to +# the requested executables +# +export OPENSSL="openssl" +export PKCS11TOOL="pkcs11-tool" +export GREP="grep" + + +# This variable should point to +# the openssl.cnf file included +# with easy-rsa. +export KEY_CONFIG="{{ openvpn_ca }}/openssl-1.0.0.cnf" + +# Edit this variable to point to +# your soon-to-be-created key +# directory. +# +# WARNING: clean-all will do +# a rm -rf on this directory +# so make sure you define +# it correctly! +export KEY_DIR="{{ openvpn_ca }}/keys" + +# Issue rm -rf warning +echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR + +# PKCS11 fixes +export PKCS11_MODULE_PATH="dummy" +export PKCS11_PIN="dummy" + +# Increase this to 2048 if you +# are paranoid. This will slow +# down TLS negotiation performance +# as well as the one-time DH parms +# generation process. +export KEY_SIZE=2048 + +# In how many days should the root CA key expire? +export CA_EXPIRE=3650 + +# In how many days should certificates expire? +export KEY_EXPIRE=3650 + +# These are the default values for fields +# which will be placed in the certificate. +# Don't leave any of these fields blank. +export KEY_COUNTRY="{{ country }}" +export KEY_PROVINCE="{{ province }}" +export KEY_CITY="{{ city }}" +export KEY_ORG="{{ org }}" +export KEY_EMAIL="{{ email }}" +export KEY_OU="{{ orgunit }}" + +# X509 Subject Field +export KEY_NAME="{{ openvpn_server }}" + +# PKCS11 Smart Card +# export PKCS11_MODULE_PATH="/usr/lib/changeme.so" +# export PKCS11_PIN=1234 + +# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below +# You will also need to make sure your OpenVPN server config has the duplicate-cn option set +# export KEY_CN="CommonName"