roles/dch-openvpn-server: Deploy OpenVPN server

The *dch-openvpn-server* role installs and configures OpenVPN and
stunnel to provide both native OpenVPN service as well as
OpenVPN-over-TLS. The latter uses stunnel, listening on TCP port 9876,
to allow better firewall traversal and TCP port sharing via reverse
proxy.

roles/dch-openvpn-server/files/clients/dhatch-d4b.securepassage.com

@@ -0,0 +1,5 @@
+ifconfig-push 172.30.0.210 255.255.255.240
+iroute 192.168.0.0 255.255.0.0
+iroute 172.16.0.0 255.255.240.0
+push "route 172.30.0.0 255.255.255.192"
+push "route 172.31.0.0 255.255.255.224"

roles/dch-openvpn-server/files/gw0.dh

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAjGAb2uSjLYi5GTPl1Xe6Gk+ybwS2L/vk8YKJTwFm8fjt5diIwT3z
+vEZ8D0EB8SJXsgkbCgAftQojj2dSll4V+3bDjnWT8Tzim2YrgDlShzKavnD8j9xI
+2/9cHVlQv/og6Nyrsg4kAnL2JV+JtNTWQUsfJ4A/lciH7RwoeVulZwODPIrb+82L
+Q+hTo/MDGn08Nyqg++AAsfdpp9Nkb6wAEBm6YyXdD3Ai9PVTGWRaYNjjYARIXu8g
+xQzH84YTgW0WCeYn+JW11n8dWI83ZrkroNC1ec+9ZRoZsKBYyNFhM6yZNRq0Kv8v
+ZbE+dh9vemhK+3ptEdqXF+Yl+kmVAvJpGwIBAg==
+-----END DH PARAMETERS-----

roles/dch-openvpn-server/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: restart pyrocufflink openvpn server
+  service:
+    name=openvpn-server@pyrocufflink
+    state=restarted
+- name: restart stunnel openvpn proxy
+  service:
+    name=stunnel@openvpn
+    state=restarted

roles/dch-openvpn-server/tasks/main.yml

@@ -0,0 +1,74 @@
+- name: ensure required packages are installed
+  package:
+    name=openvpn,stunnel
+    state=present
+  tags:
+  - install
+
+- name: ensure stunnel configuration is set
+  template:
+    src=openvpn.stunnel.conf.j2
+    dest=/etc/stunnel/openvpn.conf
+    mode=0644
+  notify: restart stunnel openvpn proxy
+
+- name: ensure openvpn server configuration is set
+  template:
+    src=pyrocufflink.openvpn.conf.j2
+    dest=/etc/openvpn/server/pyrocufflink.conf
+    mode=0644
+  notify: restart pyrocufflink openvpn server
+- name: ensure openvpn client config dir exists
+  file:
+    path=/etc/openvpn/server/clients
+    mode=0755
+    state=directory
+- name: ensure openvpn client config files are set
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/clients/{{ item|basename }}
+    mode=0640
+  notify: restart pyrocufflink openvpn server
+  with_fileglob: 'clients/*'
+
+- name: ensure openvpn ca certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/ca.crt
+    mode=0644
+  with_fileglob: '{{ inventory_hostname }}_ca.crt'
+- name: ensure openvpn server certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/pki/tls/certs/openvpn.cer
+    mode=0644
+  with_fileglob: '{{ inventory_hostname }}.cer'
+- name: ensure openvpn server private key is installed
+  copy:
+    src={{ item }}
+    dest=/etc/pki/tls/private/openvpn.key
+    mode=0600
+  with_fileglob: '{{ inventory_hostname }}.key'
+- name: ensure openvpn diffie-hellman parameters file is installed
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/dh2048.pem
+    mode=0600
+  with_fileglob: '{{ inventory_hostname }}.dh'
+
+- name: ensure stunnel openvpn proxy starts at boot
+  service:
+    name=stunnel@openvpn
+    enabled=yes
+- name: ensure stunnel openvpn proxy is running
+  service:
+    name=stunnel@openvpn
+    state=started
+- name: ensure pyrocufflink openvpn server service starts at boot
+  service: 
+    name=openvpn-server@pyrocufflink
+    enabled=yes
+- name: ensure pyrocufflink openvpn server service is running
+  service: 
+    name=openvpn-server@pyrocufflink
+    state=started

roles/dch-openvpn-server/templates/openvpn.stunnel.conf.j2

@@ -0,0 +1,5 @@
+[openvpn]
+accept = 0.0.0.0:9876
+connect = localhost:1194
+cert = /etc/pki/tls/certs/openvpn.cer
+key = /etc/pki/tls/private/openvpn.key

roles/dch-openvpn-server/templates/pyrocufflink.openvpn.conf.j2

@@ -0,0 +1,20 @@
+dev tun
+port 1194
+proto tcp-server
+mode server
+tls-server
+
+ca ca.crt
+cert /etc/pki/tls/certs/openvpn.cer
+key /etc/pki/tls/private/openvpn.key
+dh dh2048.pem
+
+topology subnet
+push "topology subnet"
+ifconfig 172.30.0.208 255.255.255.240
+route 192.168.0.0 255.255.0.0 172.30.0.210
+route 172.16.0.0 255.255.240.0 172.30.0.210
+client-to-client
+client-config-dir clients
+
+keepalive 10 120