roles/dch-openvpn-server: Deploy OpenVPN server

The *dch-openvpn-server* role installs and configures OpenVPN and stunnel to provide both native OpenVPN service as well as OpenVPN-over-TLS. The latter uses stunnel, listening on TCP port 9876, to allow better firewall traversal and TCP port sharing via reverse proxy.
2018-07-01 15:14:23 -05:00 · 2018-07-01 15:14:23 -05:00 · 780c8783db
parent b13f28f505
commit 780c8783db
7 changed files with 120 additions and 0 deletions
--- a/roles/dch-openvpn-server/defaults/main.yml
+++ b/roles/dch-openvpn-server/defaults/main.yml
--- a/roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com
+++ b/roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com
@ -0,0 +1,5 @@
 ifconfig-push 172.30.0.210 255.255.255.240
 iroute 192.168.0.0 255.255.0.0
 iroute 172.16.0.0 255.255.240.0
 push "route 172.30.0.0 255.255.255.192"
 push "route 172.31.0.0 255.255.255.224"
--- a/roles/dch-openvpn-server/files/gw0.dh
+++ b/roles/dch-openvpn-server/files/gw0.dh
@ -0,0 +1,8 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEAjGAb2uSjLYi5GTPl1Xe6Gk+ybwS2L/vk8YKJTwFm8fjt5diIwT3z
 vEZ8D0EB8SJXsgkbCgAftQojj2dSll4V+3bDjnWT8Tzim2YrgDlShzKavnD8j9xI
 2/9cHVlQv/og6Nyrsg4kAnL2JV+JtNTWQUsfJ4A/lciH7RwoeVulZwODPIrb+82L
 Q+hTo/MDGn08Nyqg++AAsfdpp9Nkb6wAEBm6YyXdD3Ai9PVTGWRaYNjjYARIXu8g
 xQzH84YTgW0WCeYn+JW11n8dWI83ZrkroNC1ec+9ZRoZsKBYyNFhM6yZNRq0Kv8v
 ZbE+dh9vemhK+3ptEdqXF+Yl+kmVAvJpGwIBAg==
 -----END DH PARAMETERS-----
--- a/roles/dch-openvpn-server/handlers/main.yml
+++ b/roles/dch-openvpn-server/handlers/main.yml
@ -0,0 +1,8 @@
 - name: restart pyrocufflink openvpn server
  service:
    name=openvpn-server@pyrocufflink
    state=restarted
 - name: restart stunnel openvpn proxy
  service:
    name=stunnel@openvpn
    state=restarted
--- a/roles/dch-openvpn-server/tasks/main.yml
+++ b/roles/dch-openvpn-server/tasks/main.yml
@ -0,0 +1,74 @@
 - name: ensure required packages are installed
  package:
    name=openvpn,stunnel
    state=present
  tags:
  - install
 - name: ensure stunnel configuration is set
  template:
    src=openvpn.stunnel.conf.j2
    dest=/etc/stunnel/openvpn.conf
    mode=0644
  notify: restart stunnel openvpn proxy
 - name: ensure openvpn server configuration is set
  template:
    src=pyrocufflink.openvpn.conf.j2
    dest=/etc/openvpn/server/pyrocufflink.conf
    mode=0644
  notify: restart pyrocufflink openvpn server
 - name: ensure openvpn client config dir exists
  file:
    path=/etc/openvpn/server/clients
    mode=0755
    state=directory
 - name: ensure openvpn client config files are set
  copy:
    src={{ item }}
    dest=/etc/openvpn/server/clients/{{ item|basename }}
    mode=0640
  notify: restart pyrocufflink openvpn server
  with_fileglob: 'clients/*'
 - name: ensure openvpn ca certificate is installed
  copy:
    src={{ item }}
    dest=/etc/openvpn/server/ca.crt
    mode=0644
  with_fileglob: '{{ inventory_hostname }}_ca.crt'
 - name: ensure openvpn server certificate is installed
  copy:
    src={{ item }}
    dest=/etc/pki/tls/certs/openvpn.cer
    mode=0644
  with_fileglob: '{{ inventory_hostname }}.cer'
 - name: ensure openvpn server private key is installed
  copy:
    src={{ item }}
    dest=/etc/pki/tls/private/openvpn.key
    mode=0600
  with_fileglob: '{{ inventory_hostname }}.key'
 - name: ensure openvpn diffie-hellman parameters file is installed
  copy:
    src={{ item }}
    dest=/etc/openvpn/server/dh2048.pem
    mode=0600
  with_fileglob: '{{ inventory_hostname }}.dh'
 - name: ensure stunnel openvpn proxy starts at boot
  service:
    name=stunnel@openvpn
    enabled=yes
 - name: ensure stunnel openvpn proxy is running
  service:
    name=stunnel@openvpn
    state=started
 - name: ensure pyrocufflink openvpn server service starts at boot
  service: 
    name=openvpn-server@pyrocufflink
    enabled=yes
 - name: ensure pyrocufflink openvpn server service is running
  service: 
    name=openvpn-server@pyrocufflink
    state=started
--- a/roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2
+++ b/roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2
@ -0,0 +1,5 @@
 [openvpn]
 accept = 0.0.0.0:9876
 connect = localhost:1194
 cert = /etc/pki/tls/certs/openvpn.cer
 key = /etc/pki/tls/private/openvpn.key
--- a/roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2
+++ b/roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2
@ -0,0 +1,20 @@
 dev tun
 port 1194
 proto tcp-server
 mode server
 tls-server
 ca ca.crt
 cert /etc/pki/tls/certs/openvpn.cer
 key /etc/pki/tls/private/openvpn.key
 dh dh2048.pem
 topology subnet
 push "topology subnet"
 ifconfig 172.30.0.208 255.255.255.240
 route 192.168.0.0 255.255.0.0 172.30.0.210
 route 172.16.0.0 255.255.240.0 172.30.0.210
 client-to-client
 client-config-dir clients
 keepalive 10 120