ISTI-ansible-roles
/
ansible-role-openvpn
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove an obsolete template. Disable the tcp syn cookies. Move the status file in the correct place.

This commit is contained in:
Andrea Dell'Amico 2020-05-08 15:13:51 +02:00
parent 3d6ed788a2
commit ae1b190337
5 changed files with 32 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
defaults/main.yml
View File

@ -1,6 +1,8 @@
--- ---
openvpn_enabled: True openvpn_enabled: True
openvpn_enable_system_forward: True openvpn_enable_system_forward: True
# Only set when the protocol is tcp, anyway
openvpn_disable_tcp_syn_cookie: True
openvpn_management_enabled: False openvpn_management_enabled: False
openvpn_management_ip: 127.0.0.1 openvpn_management_ip: 127.0.0.1
openvpn_management_port: 1195 openvpn_management_port: 1195
@ -35,6 +37,7 @@ openvpn_mode: server
openvpn_dev: tun openvpn_dev: tun
openvpn_port: 1194 openvpn_port: 1194
openvpn_protocol: udp openvpn_protocol: udp
openvpn_status_dir: '/run/openvpn'
openvpn_server_net: '192.168.254.0 255.255.255.0' openvpn_server_net: '192.168.254.0 255.255.255.0'
#openvpn_push_routes: [] #openvpn_push_routes: []
# - '192.168.253.0 255.255.255.0' # - '192.168.253.0 255.255.255.0'

34
tasks/openvpn.yml
View File

@ -123,6 +123,17 @@
- not openvpn_is_master_host | bool - not openvpn_is_master_host | bool
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ] tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
- name: Ensure that the OpenVPN service is enabled and running
service: name=openvpn state=started enabled=yes
when: openvpn_enabled | bool
- name: Ensure that the OpenVPN service is stopped and disabled
service: name=openvpn state=stopped enabled=no
when: not openvpn_enabled | bool
tags: [ 'openvpn', 'openvpn_service' ]
- block: - block:
- name: Enable kernel forwarding - name: Enable kernel forwarding
sysctl: name={{ item }} value=1 reload=yes state=present sysctl: name={{ item }} value=1 reload=yes state=present
@ -139,14 +150,23 @@
- net.ipv4.ip_forward - net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding # - net.ipv6.conf.all.forwarding
when: not openvpn_enable_system_forward when: not openvpn_enable_system_forward
tags: [ 'openvpn', 'openvpn_kernel_forwarding' ]
- name: Ensure that the OpenVPN service is enabled and running - block:
service: name=openvpn state=started enabled=yes - name: Disable tcp syn cookies
when: openvpn_enabled | bool sysctl: name={{ item }} value=0 reload=yes state=present
with_items:
- net.ipv4.tcp_syncookies
when:
- openvpn_disable_tcp_syn_cookie | bool
- openvpn_protocol == 'tcp'
- name: Ensure that the OpenVPN service is stopped and disabled - name: Enable tcp syn cookies
service: name=openvpn state=stopped enabled=no sysctl: name={{ item }} value=1 reload=yes state=present
when: not openvpn_enabled | bool with_items:
- net.ipv4.tcp_syncookies
when:
- not openvpn_disable_tcp_syn_cookie | bool or openvpn_protocol == 'udp'
tags: openvpn tags: [ 'openvpn', 'openvpn_kernel_syn_cookies' ]

1
templates/client.conf.j2
View File

@ -29,6 +29,7 @@ tls-auth {{ openvpn_tls_auth }} 1
key-direction 1 key-direction 1
cipher AES-256-CBC cipher AES-256-CBC
keepalive {{ openvpn_keepalive }} keepalive {{ openvpn_keepalive }}
status {{ openvpn_status_dir }}/openvpn-status.log
# Set log file verbosity. # Set log file verbosity.
verb {{ openvpn_verbosity_log }} verb {{ openvpn_verbosity_log }}
# Silence repeating messages # Silence repeating messages

126
templates/openvpn.conf.j2
View File

@ -1,126 +0,0 @@
mode {{ openvpn_mode }}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
{% if openvpn_tls_server %}
tls-server
{% endif %}
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
topology subnet
server {{ openvpn_server_net }}
ifconfig-pool-persist ipp/ipp.txt
client-config-dir ccd
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}
tls-auth {{ openvpn_tls_auth }}
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}
keepalive {{ openvpn_keepalive }}
{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
client-cert-not-required
{% endif %}
{% if openvpn_username_pam_auth %}
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}
{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}
{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
#script-security 3 execve
{% endif %}
max-clients {{ openvpn_max_clients }}
persist-tun
persist-key
status status/openvpn-status.log
{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

2
templates/server.conf.j2
View File

@ -70,7 +70,7 @@ persist-key
{% if openvpn_persist_tun %} {% if openvpn_persist_tun %}
persist-tun persist-tun
{% endif %} {% endif %}
status status/openvpn-status.log status {{ openvpn_status_dir }}/openvpn-status.log
{% if openvpn_run_unprivileged %} {% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }} user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }} group {{ openvpn_unprivileged_group }}