From 780c8783db2f04b08422ac9eeb691b56f026a6ad Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 1 Jul 2018 15:14:23 -0500
Subject: [PATCH] roles/dch-openvpn-server: Deploy OpenVPN server

The *dch-openvpn-server* role installs and configures OpenVPN and stunnel to provide both native OpenVPN service as well as OpenVPN-over-TLS. The latter uses stunnel, listening on TCP port 9876, to allow better firewall traversal and TCP port sharing via reverse proxy.
---
 roles/dch-openvpn-server/defaults/main.yml | 0
 .../clients/dhatch-d4b.securepassage.com | 5 ++
 roles/dch-openvpn-server/files/gw0.dh | 8 ++
 roles/dch-openvpn-server/handlers/main.yml | 8 ++
 roles/dch-openvpn-server/tasks/main.yml | 74 +++++++++++++++++++
 .../templates/openvpn.stunnel.conf.j2 | 5 ++
 .../templates/pyrocufflink.openvpn.conf.j2 | 20 +++++
 7 files changed, 120 insertions(+)
 create mode 100644 roles/dch-openvpn-server/defaults/main.yml
 create mode 100644 roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com
 create mode 100644 roles/dch-openvpn-server/files/gw0.dh
 create mode 100644 roles/dch-openvpn-server/handlers/main.yml
 create mode 100644 roles/dch-openvpn-server/tasks/main.yml
 create mode 100644 roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2
 create mode 100644 roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2

diff --git a/roles/dch-openvpn-server/defaults/main.yml b/roles/dch-openvpn-server/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com b/roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com
new file mode 100644
index 0000000..2909d37
--- /dev/null
+++ b/roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com
@@ -0,0 +1,5 @@
+ifconfig-push 172.30.0.210 255.255.255.240
+iroute 192.168.0.0 255.255.0.0
+iroute 172.16.0.0 255.255.240.0
+push "route 172.30.0.0 255.255.255.192"
+push "route 172.31.0.0 255.255.255.224"
diff --git a/roles/dch-openvpn-server/files/gw0.dh b/roles/dch-openvpn-server/files/gw0.dh
new file mode 100644
index 0000000..28fc428
--- /dev/null
+++ b/roles/dch-openvpn-server/files/gw0.dh
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAjGAb2uSjLYi5GTPl1Xe6Gk+ybwS2L/vk8YKJTwFm8fjt5diIwT3z
+vEZ8D0EB8SJXsgkbCgAftQojj2dSll4V+3bDjnWT8Tzim2YrgDlShzKavnD8j9xI
+2/9cHVlQv/og6Nyrsg4kAnL2JV+JtNTWQUsfJ4A/lciH7RwoeVulZwODPIrb+82L
+Q+hTo/MDGn08Nyqg++AAsfdpp9Nkb6wAEBm6YyXdD3Ai9PVTGWRaYNjjYARIXu8g
+xQzH84YTgW0WCeYn+JW11n8dWI83ZrkroNC1ec+9ZRoZsKBYyNFhM6yZNRq0Kv8v
+ZbE+dh9vemhK+3ptEdqXF+Yl+kmVAvJpGwIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/dch-openvpn-server/handlers/main.yml b/roles/dch-openvpn-server/handlers/main.yml
new file mode 100644
index 0000000..f4cb5ce
--- /dev/null
+++ b/roles/dch-openvpn-server/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart pyrocufflink openvpn server
+ service:
+ name=openvpn-server@pyrocufflink
+ state=restarted
+- name: restart stunnel openvpn proxy
+ service:
+ name=stunnel@openvpn
+ state=restarted
diff --git a/roles/dch-openvpn-server/tasks/main.yml b/roles/dch-openvpn-server/tasks/main.yml
new file mode 100644
index 0000000..d4c6bdb
--- /dev/null
+++ b/roles/dch-openvpn-server/tasks/main.yml
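Review bot: Both handlers use the inline `key=value` argument form (`service:` followed by `name=openvpn-server@pyrocufflink` and `state=restarted`) instead of a YAML mapping, which makes the module arguments a single free-form string and hides indentation problems — in this rendering the lines under `service:` appear to have lost their nesting, which the mapping form would have made obvious. The mapping form is `service:` / `  name: openvpn-server@pyrocufflink` / `  state: restarted`, and it is the form most Ansible linters prefer over free-form arguments. The same point applies to every task in the tasks/main.yml hunk that follows.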
@@ -0,0 +1,74 @@
+- name: ensure required packages are installed
+ package:
+ name=openvpn,stunnel
+ state=present
+ tags:
+ - install
+
+- name: ensure stunnel configuration is set
+ template:
+ src=openvpn.stunnel.conf.j2
+ dest=/etc/stunnel/openvpn.conf
+ mode=0644
+ notify: restart stunnel openvpn proxy
+
+- name: ensure openvpn server configuration is set
+ template:
+ src=pyrocufflink.openvpn.conf.j2
+ dest=/etc/openvpn/server/pyrocufflink.conf
+ mode=0644
+ notify: restart pyrocufflink openvpn server
+- name: ensure openvpn client config dir exists
+ file:
+ path=/etc/openvpn/server/clients
+ mode=0755
+ state=directory
+- name: ensure openvpn client config files are set
+ copy:
+ src={{ item }}
+ dest=/etc/openvpn/server/clients/{{ item|basename }}
+ mode=0640
+ notify: restart pyrocufflink openvpn server
+ with_fileglob: 'clients/*'
+
+- name: ensure openvpn ca certificate is installed
+ copy:
+ src={{ item }}
+ dest=/etc/openvpn/server/ca.crt
+ mode=0644
+ with_fileglob: '{{ inventory_hostname }}_ca.crt'
+- name: ensure openvpn server certificate is installed
+ copy:
+ src={{ item }}
+ dest=/etc/pki/tls/certs/openvpn.cer
+ mode=0644
+ with_fileglob: '{{ inventory_hostname }}.cer'
+- name: ensure openvpn server private key is installed
+ copy:
+ src={{ item }}
+ dest=/etc/pki/tls/private/openvpn.key
+ mode=0600
+ with_fileglob: '{{ inventory_hostname }}.key'
+- name: ensure openvpn diffie-hellman parameters file is installed
+ copy:
+ src={{ item }}
+ dest=/etc/openvpn/server/dh2048.pem
+ mode=0600
+ with_fileglob: '{{ inventory_hostname }}.dh'
+
+- name: ensure stunnel openvpn proxy starts at boot
+ service:
+ name=stunnel@openvpn
+ enabled=yes
+- name: ensure stunnel openvpn proxy is running
+ service:
+ name=stunnel@openvpn
+ state=started
+- name: ensure pyrocufflink openvpn server service starts at boot
+ service:
+ name=openvpn-server@pyrocufflink
+ enabled=yes
+- name: ensure pyrocufflink openvpn server service is running
+ service:
+ name=openvpn-server@pyrocufflink
+ state=started
diff --git a/roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2 b/roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2
new file mode 100644
index 0000000..dee28be
--- /dev/null
+++ b/roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2
@@ -0,0 +1,5 @@
+[openvpn]
+accept = 0.0.0.0:9876
+connect = localhost:1194
+cert = /etc/pki/tls/certs/openvpn.cer
+key = /etc/pki/tls/private/openvpn.key
diff --git a/roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2 b/roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2
new file mode 100644
index 0000000..d39300e
--- /dev/null
+++ b/roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2
@@ -0,0 +1,20 @@
+dev tun
+port 1194
+proto tcp-server
+mode server
+tls-server
+
+ca ca.crt
+cert /etc/pki/tls/certs/openvpn.cer
+key /etc/pki/tls/private/openvpn.key
+dh dh2048.pem
+
+topology subnet
+push "topology subnet"
+ifconfig 172.30.0.208 255.255.255.240
+route 192.168.0.0 255.255.0.0 172.30.0.210
+route 172.16.0.0 255.255.240.0 172.30.0.210
+client-to-client
+client-config-dir clients
+
+keepalive 10 120
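Review bot: The four tasks from `ensure openvpn ca certificate is installed` through `ensure openvpn diffie-hellman parameters file is installed` carry no `notify:`, so a rotated CA, server certificate, key or DH file is copied into place but neither `openvpn-server@pyrocufflink` nor `stunnel@openvpn` is restarted, and both keep serving the old material until something else restarts them; the cert and key tasks in particular should end with `notify:` / `  - restart pyrocufflink openvpn server` / `  - restart stunnel openvpn proxy`, since both daemons read the same /etc/pki/tls files. Looping with `with_fileglob: '{{ inventory_hostname }}.key'` over a single expected file also means a host whose key is missing from the role produces no error — the loop is empty, the task reports nothing, and the service tasks at the end of the hunk still try to start OpenVPN and stunnel, so the problem only surfaces at service start; if the skip is not intentional, `src={{ inventory_hostname }}.key` without the loop fails at deploy time instead. The key is written with `mode=0600`, which is right; adding `no_log: true` to that task would keep a run with `--diff` from echoing key material into the Ansible log.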
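Review bot: The stunnel template hardcodes `accept = 0.0.0.0:9876` and `connect = localhost:1194` even though it is a `.j2` template and the role ships an empty defaults/main.yml, so the listener binds every interface with no way for a host to narrow it; a role default such as `accept = {{ openvpn_stunnel_accept | default('0.0.0.0:9876') }}` (variable name illustrative) would let the bind address and port be overridden per host. The service section also sets no TLS protocol or cipher floor (`sslVersion`, `options`, `ciphers`), so the outer TLS layer accepts whatever the host's OpenSSL defaults permit — presumably acceptable because the inner OpenVPN TLS is the real authentication boundary, but that is worth stating. A header comment along the lines of `; TLS front end for OpenVPN-over-TLS: only terminates TLS, client authentication happens in OpenVPN on 1194` would make the design intent clear to the next maintainer.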
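Review bot: The OpenVPN server config never drops privileges — there is no `user`/`group` directive, so the daemon keeps running as root after initialisation — and it has no control-channel HMAC (`tls-auth` or `tls-crypt`), so any peer that can reach port 1194 (or 9876 through stunnel) gets a full TLS handshake before its certificate is checked. The usual baseline is to add `user nobody`, `group nobody`, `persist-key` and `persist-tun` (persist-key is needed because the key cannot be re-read after the drop, persist-tun so the tun device need not be reopened on a ping-restart), plus `remote-cert-tls client` so a client cannot present a certificate issued for a server role; a tls-crypt key would additionally need its own copy task in tasks/main.yml. The group name `nobody` matches the /etc/pki/tls layout this role targets; adjust it if the target distribution differs. The relative `ca ca.crt`, `dh dh2048.pem` and `client-config-dir clients` paths presumably rely on the systemd `openvpn-server@` unit running with /etc/openvpn/server as its working directory — a one-line comment saying so would save the next reader a trip to the unit file.
```jinja
dh dh2048.pem
# control-channel HMAC: key must be deployed by tasks/main.yml
tls-crypt /etc/openvpn/server/<TLS-CRYPT-KEY-FILE-PLACEHOLDER>
# only accept peer certificates issued for the client role
remote-cert-tls client

# drop root after init; persist-* so the key and tun device survive the drop across restarts
user nobody
group nobody
persist-key
persist-tun
# … unchanged: topology / ifconfig / route / client-to-client / client-config-dir / keepalive …
```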