The *dch-openvpn-server* role installs and configures OpenVPN and stunnel to provide both a native OpenVPN service and OpenVPN-over-TLS. The latter uses stunnel, listening on TCP port 9876, to allow better firewall traversal and TCP port sharing via a reverse proxy.
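---
# Tasks for the dch-openvpn-server role: install OpenVPN and stunnel, deploy
# the stunnel/OpenVPN configuration and PKI material, and start the services.

- name: ensure required packages are installed
  package:
    # Native YAML list instead of a comma-joined key=value string; the
    # package module accepts a list for `name`.
    name:
      - openvpn
      - stunnel
    state: present
  tags:
    - install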
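- name: ensure stunnel configuration is set
  template:
    src: openvpn.stunnel.conf.j2
    dest: /etc/stunnel/openvpn.conf
    # Quoted: an unquoted 0644 is read by YAML 1.1 parsers as the decimal
    # integer 420, which is not the intended file mode.
    mode: "0644"
  notify: restart stunnel openvpn proxy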
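- name: ensure openvpn server configuration is set
  template:
    src: pyrocufflink.openvpn.conf.j2
    dest: /etc/openvpn/server/pyrocufflink.conf
    # Quoted so the octal mode is not parsed as the integer 420.
    mode: "0644"
  notify: restart pyrocufflink openvpn server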
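- name: ensure openvpn client config dir exists
  file:
    path: /etc/openvpn/server/clients
    # Quoted so the octal mode is not parsed as the integer 493.
    mode: "0755"
    state: directory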
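- name: ensure openvpn client config files are set
  copy:
    # Jinja expressions are quoted so YAML does not read `{{` as a flow mapping.
    src: "{{ item }}"
    dest: "/etc/openvpn/server/clients/{{ item | basename }}"
    # Per-client configs are not world-readable; quoted to keep the octal mode.
    mode: "0640"
  notify: restart pyrocufflink openvpn server
  # Matches files under the role's files/clients/ directory. With no matches
  # the loop is empty and the task is skipped rather than failed.
  with_fileglob: 'clients/*'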
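- name: ensure openvpn ca certificate is installed
  copy:
    src: "{{ item }}"
    dest: /etc/openvpn/server/ca.crt
    # Public certificate; quoted to keep the octal mode.
    mode: "0644"
  # Looks up a per-host file in the role's files/ directory. If the file is
  # absent the loop is empty and the task is silently skipped, so a missing
  # CA only surfaces when the service starts.
  with_fileglob: '{{ inventory_hostname }}_ca.crt'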
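- name: ensure openvpn server certificate is installed
  copy:
    src: "{{ item }}"
    dest: /etc/pki/tls/certs/openvpn.cer
    # Public certificate; quoted to keep the octal mode.
    mode: "0644"
  # Per-host file from the role's files/ directory; an absent file skips
  # the task rather than failing it.
  with_fileglob: '{{ inventory_hostname }}.cer'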
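- name: ensure openvpn server private key is installed
  copy:
    src: "{{ item }}"
    dest: /etc/pki/tls/private/openvpn.key
    # Private key: owner-only access. Quoted so the mode is not parsed as
    # the integer 384.
    mode: "0600"
  # Per-host file from the role's files/ directory; an absent key skips
  # the task rather than failing it, so the problem only shows at start-up.
  with_fileglob: '{{ inventory_hostname }}.key'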
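- name: ensure openvpn diffie-hellman parameters file is installed
  copy:
    src: "{{ item }}"
    dest: /etc/openvpn/server/dh2048.pem
    # Quoted so the octal mode is not parsed as the integer 384.
    mode: "0600"
  # Per-host file from the role's files/ directory; an absent file skips
  # the task rather than failing it.
  with_fileglob: '{{ inventory_hostname }}.dh'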
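# One task enables and starts the unit; the service module accepts both
# `enabled` and `state` together. `true` replaces the YAML 1.1 `yes`.
- name: ensure stunnel openvpn proxy is enabled and running
  service:
    name: stunnel@openvpn
    enabled: true
    state: started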
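# Enable-at-boot and start merged into one service task; `true` replaces
# the YAML 1.1 `yes`.
- name: ensure pyrocufflink openvpn server service is enabled and running
  service:
    name: openvpn-server@pyrocufflink
    enabled: true
    state: started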