commit - /dev/null
commit + 9b940e5a9f2dccbf439db224b0935f53bc70dde6
blob - /dev/null
blob + 36bbf6208cfd42ac91bfbe7f9126bc9044e186c6 (mode 644)
--- /dev/null
+++ .travis.yml
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
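Review bot: `pip install ansible` in the `install` step is unpinned, so the syntax check runs against whatever release pip resolves that day (on a Python 2.7 worker, presumably an old 2.x line), and a build that starts failing cannot be told apart from an upstream change. Pin it, e.g. `- pip install 'ansible==<pinned-version>'`, and bump the pin deliberately. Note that the `--syntax-check` step also depends on tests/test.yml resolving the role name under the `roles_path=../` layout this file sets up.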
blob - /dev/null
blob + 02add5e7c7de84db20898836ad5c7eefe516875b (mode 644)
--- /dev/null
+++ LICENSE
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
blob - /dev/null
blob + 33c3e33d13ff8d60aa9a662e79ed0a8e3cb7b037 (mode 644)
--- /dev/null
+++ README.md
+Ansible role for a VPN with OpenVPN & OpenBSD
+=============================================
+
+Ansible role to create a VPN server on OpenBSD (>6.0) with OpenVPN.
+
+Requirements
+------------
+
+OpenBSD, Python 2.7 (on client machine) and 5 minutes.
+
+Example pf.conf
+---------------
+
+The VPN port on this playbook is 443 udp, so you need something like
+this:
+
+```
+...
+# openvpn
+pass in quick log on egress proto udp from any \
+ to (egress) port 443
+pass in quick on tun0
+pass out quick on egress from 10.100.0.0/24 to any nat-to (egress)
+...
+```
+
+Example Ansible
+---------------
+
+This example is for a remote setup, so ,,test'' is your future vpn server, you
+already put your ssh key on ,,test'' and this server already have python2.7
+installed.
+
+```
+$ doas pkg_add ansible
+...
+$ cd /tmp && mkdir ansible && cd ansible
+$ git clone https://github.com/gonzalo-/ansible-role-openvpn
+Cloning into 'ansible-role-openvpn'...
+remote: Counting objects: 143, done.
+remote: Compressing objects: 100% (35/35), done.
+remote: Total 143 (delta 26), reused 42 (delta 18), pack-reused 86
+Receiving objects: 100% (143/143), 28.24 KiB | 148.00 KiB/s, done.
+Resolving deltas: 100% (53/53), done.
+$ mv ansible-role-openvpn gonzalo-.openvpn
+$ cat hosts
+test ansible_python_interpreter=/usr/local/bin/python2.7
+$ cat openvpn.yml
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.openvpn
+ become: yes
+ become_method: doas
+
+ vars:
+ client: 'client'
+ server_vpn: 'vpn.fucknsa.org'
+ openvpn_dir: '/etc/openvpn'
+ release: '6.3'
+ arch: 'amd64'
+ installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/'
+ pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
+ packages_list:
+ - openvpn
+ - easy-rsa
+$ ansible-playbook -i hosts openvpn.yml
+...MAGIC...
+$
+```
+
+Client .ovpn
+------------
+
+If the playbook succeed, you might find the client.ovpn for your devices on ,,/etc/openvpn/client''
+
+```
+# ls -al /etc/openvpn/client
+-rw-r--r-- 1 root wheel 5971 Apr 18 18:03 /etc/openvpn/client/client.ovpn
+```
+
+You can copy this file to your devices and import it on your openvpn client.
+
+You can create later more clients by running:
+
+```
+# /etc/openvpn/client/create-client
+Enter a name for a new client (Ex.: iphone): android
+Generating a 2048 bit RSA private key
+.........................................+++
+............................................+++
+writing new private key to '/usr/local/share/easy-rsa/pki/private/android.key.aZVsBL43mm'
+-----
+Using configuration from ./openssl-easyrsa.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+commonName :ASN.1 12:'android'
+Certificate is to be certified until Apr 20 08:45:38 2028 GMT (3650 days)
+
+Write out database with 1 new entries
+Data Base Updated
+```
+
+And the final ,,.ovpn'' file is on /etc/openvpn/client/.
+
+
+Example Playbook
+----------------
+```
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.openvpn
+ become: yes
+ become_method: doas
+
+ vars:
+ client: 'client'
+ server_vpn: 'vpn.fucknsa.org'
+ openvpn_dir: '/etc/openvpn'
+ release: '6.3'
+ arch: 'amd64'
+ installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/'
+ pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
+ packages_list:
+ - openvpn
+ - easy-rsa
+```
+
+License
+-------
+
+ISC
+
+Author Information
+------------------
+
+https://x61.sh/
blob - /dev/null
blob + 7545e31caf38a69d5bac62942543a1bb5a55c76b (mode 644)
--- /dev/null
+++ defaults/main.yml
+---
+easyrsa_user: root
+easyrsa_dir: "/usr/local/share"
+easyrsa_use_tls_auth: True
+easyrsa_key_country: "DE"
+easyrsa_key_province: "FuckNSAProvince"
+easyrsa_key_city: "FuckNSACity"
+easyrsa_key_org: "FuckNSA"
+easyrsa_key_email: "vpn@fucknsa.org"
+easyrsa_key_cn: "{{ server_vpn }}"
+easyrsa_key_name: "fucknsa"
+easyrsa_key_ou: "fucknsa"
+easyrsa_key_size: 4096
+easyrsa_key_expire: 3650
+easyrsa_ca_expire: 3650
+easyrsa_clients: []
+...
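Review bot: `easyrsa_use_tls_auth: True` is never read: no task generates a `ta.key` and neither templates/openvpn.conf.j2 nor templates/client.ovpn.j2 emits a `tls-auth` or `tls-crypt` directive, so toggling it has no effect. Either remove it or make it drive a key-generation task (`openvpn --genkey --secret`) plus a `tls-crypt` line in both templates. The role also reads `server_vpn`, `client`, `openvpn_dir`, `installurl_mirror` and `packages_list` but defines no default for any of them, so a play that omits one fails at template time with an undefined-variable error; add defaults here or document them as required in the README. Use the lowercase `true` form for booleans while at it.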
blob - /dev/null
blob + 4ab7657b81c86c3ec8d96b426a2b6b75464d7568 (mode 644)
--- /dev/null
+++ handlers/main.yml
+---
+# handlers file for ansible-role-openvpn
\ No newline at end of file
blob - /dev/null
blob + e3a56d33deb74eadd0cee2e665bf42c2371f2d20 (mode 644)
--- /dev/null
+++ meta/main.yml
+---
+galaxy_info:
+ author: gonzalo-
+ description: Role to setup a vpn-gw with openvpn over openbsd.
+ license: BSD
+ min_ansible_version: 1.9
+ galaxy_tags:
+ - openbsd
+ - system
+ - openvpn
+ - security
+ - privacy
+ platforms:
+ - name: OpenBSD
+ versions:
+ - 6.3
+ - 6.2
+ - 6.1
+ - 6.0
+ - 5.9
+dependencies: []
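Review bot: `license: BSD` disagrees with the LICENSE file and the README, both of which say ISC; change it to `license: ISC`. `min_ansible_version: 1.9` is also too low: tasks/main.yml uses `include_tasks` (added in Ansible 2.4) and `loop_control` (2.1), so `min_ansible_version: 2.4` is the honest floor. The `versions` entries (`6.3`, `6.2`, …) are parsed as floats by a generic YAML loader; quoting them (`- "6.0"`) keeps them as strings.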
blob - /dev/null
blob + 5281fba8491903d984c87d663231a756b81612a8 (mode 644)
--- /dev/null
+++ tasks/client.yml
+---
+
+# Block start add client
+- block:
+
+ - name: check for existing client certificate
+ stat:
+ path: "{{ easyrsa_dir }}/easy-rsa/pki/issued/{{ client.name }}.crt"
+ register: _client_crt
+
+ - name: add client
+ shell: |
+ source ./vars
+ export EASY_RSA="${EASY_RSA:-.}"
+ "$EASY_RSA/pkitool" {{ client.name }}
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+ executable: /bin/sh
+
+# Block end add client
+
+# Block start remove client
+- block:
+
+ - name: remove client
+ shell: |
+ source ./vars
+ export EASY_RSA="${EASY_RSA:-.}"
+ "$EASY_RSA/revoke-full" {{ client.name }}
+ export CLIENT={{ client.name }}
+ rm -rf $KEY_DIR/$CLIENT*
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+ executable: /bin/sh
+
+# Block end remove client
+
+...
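Review bot: Neither block carries a `when:`, so for every entry of `easyrsa_clients` the add block runs and the remove block immediately revokes it again; a per-client `state` key (constructed here, `present`/`absent`) is needed to choose between them. Both shell bodies also drive Easy-RSA 2 tooling — `pkitool`, `revoke-full`, `$KEY_DIR` — that does not exist in the Easy-RSA 3 tree the rest of the commit sets up with `./easyrsa init-pki`/`build-client-full`, and templates/vars.j2 is a v3 vars file that prints an error and `return 1`s when `source`d without `EASYRSA_CALLER`. With `$KEY_DIR` unset, `rm -rf $KEY_DIR/$CLIENT*` expands to `rm -rf /<name>*` at the filesystem root, which is a destructive defect rather than a cleanup. `_client_crt` is registered but never consulted, and `{{ client.name }}` is interpolated into a shell line unquoted; the rewrite below uses `command` with `| quote`, keys both operations on the stat result, and regenerates the CRL after a revocation.
```yaml
- name: check for existing client certificate
  stat:
    path: "{{ easyrsa_dir }}/easy-rsa/pki/issued/{{ client.name }}.crt"
  register: _client_crt

- name: add client
  command: ./easyrsa build-client-full {{ client.name | quote }} nopass
  args:
    chdir: "{{ easyrsa_dir }}/easy-rsa/"
  when:
    - client.state | default('present') == 'present'
    - not _client_crt.stat.exists

- name: revoke client
  command: ./easyrsa revoke {{ client.name | quote }}
  args:
    chdir: "{{ easyrsa_dir }}/easy-rsa/"
  when:
    - client.state | default('present') == 'absent'
    - _client_crt.stat.exists

- name: regenerate CRL after revocation
  command: ./easyrsa gen-crl
  args:
    chdir: "{{ easyrsa_dir }}/easy-rsa/"
  when:
    - client.state | default('present') == 'absent'
    - _client_crt.stat.exists
```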
blob - /dev/null
blob + ec5eb20c8833d349331d738c737a22fe22021b09 (mode 644)
--- /dev/null
+++ tasks/edit_vars.yml
+---
+
+- name: update EASY_RSA director
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export EASY_RSA="
+ line: "export EASY_RSA=\"{{ easyrsa_dir }}/easy-rsa\""
+ state: present
+
+- name: update KEY_SIZE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_SIZE="
+ line: "export KEY_SIZE=\"{{ easyrsa_key_size }}\""
+ state: present
+
+- name: update KEY_EXPIRE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_EXPIRE="
+ line: "export KEY_EXPIRE=\"{{ easyrsa_key_expire }}\""
+ state: present
+
+- name: update CA_EXPIRE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export CA_EXPIRE="
+ line: "export CA_EXPIRE=\"{{ easyrsa_ca_expire }}\""
+ state: present
+
+- name: update KEY_COUNTRY
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_COUNTRY="
+ line: "export KEY_COUNTRY=\"{{ easyrsa_key_country }}\""
+ state: present
+
+- name: update KEY_PROVINCE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_PROVINCE="
+ line: "export KEY_PROVINCE=\"{{ easyrsa_key_province }}\""
+ state: present
+
+- name: update KEY_CITY
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_CITY="
+ line: "export KEY_CITY=\"{{ easyrsa_key_city }}\""
+ state: present
+
+- name: update KEY_ORG
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_ORG="
+ line: "export KEY_ORG=\"{{ easyrsa_key_org }}\""
+ state: present
+
+- name: update KEY_EMAIL
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_EMAIL="
+ line: "export KEY_EMAIL=\"{{ easyrsa_key_email }}\""
+ state: present
+
+- name: update KEY_OU
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_OU="
+ line: "export KEY_OU=\"{{ easyrsa_key_ou }}\""
+ state: present
+
+- name: update KEY_NAME
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_NAME="
+ line: "export KEY_NAME=\"{{ easyrsa_key_name }}\""
+ state: present
+
+...
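Review bot: tasks/main.yml never includes this file, and even if it did, `^export KEY_SIZE=` and the other regexps match nothing in the Easy-RSA 3 `vars` that templates/vars.j2 installs, so `lineinfile` would only append Easy-RSA 2 style `export KEY_*` lines that Easy-RSA 3 ignores. As a result none of `easyrsa_key_size`, `easyrsa_key_expire`, `easyrsa_ca_expire` or the `easyrsa_key_*` DN defaults ever reach the PKI — the README transcript shows a 2048-bit key being generated although the default is 4096 — because vars.j2 leaves `EASYRSA_KEY_SIZE`, `EASYRSA_CERT_EXPIRE`, `EASYRSA_CA_EXPIRE` and the `EASYRSA_REQ_*` fields commented out. Drop this file and render the values in the templates/vars.j2 hunk instead, e.g. `set_var EASYRSA_KEY_SIZE "{{ easyrsa_key_size }}"`, `set_var EASYRSA_CERT_EXPIRE "{{ easyrsa_key_expire }}"`, `set_var EASYRSA_CA_EXPIRE "{{ easyrsa_ca_expire }}"`, plus one `set_var EASYRSA_REQ_*` line per DN field.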
blob - /dev/null
blob + 59ed66ec7a05a5bab98d8e201ebfbb8be58d206b (mode 644)
--- /dev/null
+++ tasks/main.yml
+---
+
+- name: set installurl
+ lineinfile:
+ dest=/etc/installurl
+ line="{{ installurl_mirror }}"
+ insertafter=EOF
+ create=True
+
+- name: set forwarding
+ lineinfile:
+ dest=/etc/sysctl.conf
+ line="net.inet.ip.forwarding=1"
+ insertafter=EOF
+ create=True
+
+- openvpn:
+ name: openvpn-etc
+ file: path={{ openvpn_dir }} state=directory
+
+- openvpn-client:
+ name: openvpn-client
+ file: path={{ openvpn_dir }}/client state=directory
+
+- openvpn-chroot:
+ name: openvpn-chroot
+ file: path=/var/empty/tmp state=directory
+
+- name: Installing packages
+ openbsd_pkg: name={{ item }} state=present
+ with_items: "{{ packages_list }}"
+
+- template: src=ipp.txt.j2 dest="{{ openvpn_dir }}/ipp.txt" owner="root" group="wheel" mode="0644"
+- template: src=hostname.tun0.j2 dest="/etc/hostname.tun0" owner="root" group="wheel" mode="0644"
+- template: src=openvpn.conf.j2 dest="{{ openvpn_dir }}/openvpn.conf" owner="root" group="wheel" mode="0644"
+- template: src=openssl-easyrsa.cnf.j2 dest="/usr/local/share/easy-rsa/openssl-easyrsa.cnf" owner="root" group="bin" mode="0644"
+- template: src=vars.j2 dest="/usr/local/share/easy-rsa/vars" owner="root" group="bin" mode="0755"
+- template: src=client.ovpn.j2 dest="{{ openvpn_dir }}/client/client.ovpn" owner="root" group="wheel" mode="0644"
+- template: src=create-client.j2 dest="{{ openvpn_dir }}/client/create-client" owner="root" group="wheel" mode="755"
+
+- name: check for easy_rsa existence
+ stat:
+ path: "{{ easyrsa_dir }}/easy-rsa"
+ register: easy_rsa
+
+# Block start initialize easy-rsa
+- block:
+ - name: init-pki
+ shell: |
+ ./easyrsa init-pki
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: gen-dh
+ shell: |
+ ./easyrsa gen-dh
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-ca
+ shell: |
+ source ./vars
+ ./easyrsa build-ca nopass
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-key-server
+ shell: |
+ ./easyrsa build-server-full server nopass
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-client-full
+ shell: |
+ ./easyrsa build-client-full {{ client }} nopass
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: generate client.ovpn
+ shell: |
+ cat pki/ca.crt >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "</ca>\n<cert>\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ cat pki/issued/client.crt >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "</cert>\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "<key>\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ cat pki/private/client.key >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "</key>\n" >> {{ openvpn_dir }}/client/client.ovpn
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+- name: iterate clients
+ include_tasks: client.yml
+ with_items: "{{ easyrsa_clients }}"
+ loop_control:
+ loop_var: client
+
+- name: Enable tun0
+ command: sh /etc/netstart tun0
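Review bot: The three directory tasks written as `- openvpn:`, `- openvpn-client:` and `- openvpn-chroot:` use the label as the module name; `openvpn` is not an Ansible module, so the play fails at parse time (the Travis `--syntax-check` would catch this) and nothing in the file runs. They need to be plain `file` tasks with `name:` as a sibling key, as in the excerpt below. Separately, the `easy_rsa` stat registered before the init block is never used in a `when:`, so `./easyrsa init-pki` runs on every play and in batch mode discards the existing PKI — CA key and all issued certificates — on each re-run, while `generate client.ovpn` appends to the profile with `>>` every time. Guard the block on a marker that only exists once the CA is built, such as `pki/ca.crt`, and give the shell tasks `creates:` arguments (e.g. `creates: "{{ easyrsa_dir }}/easy-rsa/pki/dh.pem"` for `gen-dh`). `cat pki/issued/client.crt` and `pki/private/client.key` also hard-code the name that `build-client-full {{ client }}` parameterises, so they break whenever `client` is not literally `client`.
```yaml
- name: openvpn-etc
  file:
    path: "{{ openvpn_dir }}"
    state: directory

- name: openvpn-client
  file:
    path: "{{ openvpn_dir }}/client"
    state: directory

- name: openvpn-chroot
  file:
    path: /var/empty/tmp
    state: directory

# … unchanged: package install, templates …

- name: check for an already built CA
  stat:
    path: "{{ easyrsa_dir }}/easy-rsa/pki/ca.crt"
  register: easy_rsa

# Block start initialize easy-rsa
- block:
    # … unchanged: init-pki, gen-dh, build-ca, build-key-server, build-client-full, generate client.ovpn …
  when: not easy_rsa.stat.exists
```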
blob - /dev/null
blob + a7de1823519bc6dc1981fbd90ee4e6456d5c17be (mode 644)
--- /dev/null
+++ templates/client.ovpn.j2
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+remote-cert-tls server
+client
+dev tun
+proto udp
+resolv-retry infinite
+nobind
+comp-lzo yes
+remote {{ server_vpn }} 443
+remote-cert-tls server
+persist-key
+persist-tun
+verb 3
+explicit-exit-notify 5
+<ca>
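Review bot: `comp-lzo yes` turns on link compression, which OpenVPN upstream deprecated because compressing tunnel plaintext is a known plaintext-recovery risk (the VORACLE class of issues); drop it here, in the copy of this profile embedded in templates/create-client.j2, and the matching `comp-lzo` in templates/openvpn.conf.j2, since the setting must agree on both ends. `remote-cert-tls server` is listed twice (after `auth SHA512` and again after `remote`); one suffices. Nothing here protects the control channel with a pre-shared key although defaults/main.yml advertises `easyrsa_use_tls_auth`; if that variable is kept, this template should emit a `<tls-crypt>` block and the server config a `tls-crypt` line.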
blob - /dev/null
blob + 1c9abc60f6b461ab23590eccda899e11825da64f (mode 644)
--- /dev/null
+++ templates/create-client.j2
+#!/bin/sh
+
+if test $(whoami) != root; then
+ doas "$0" "$@"
+ exit $?
+fi
+
+printf "Enter a name for a new client (Ex.: iphone): "
+read _CLIENT
+
+cd /usr/local/share/easy-rsa && \
+./easyrsa build-client-full ${_CLIENT} nopass || break
+
+cat <<EOF >/etc/openvpn/client/${_CLIENT}.ovpn
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+remote-cert-tls server
+client
+dev tun
+proto udp
+resolv-retry infinite
+nobind
+comp-lzo yes
+remote {{ server_vpn }} 443
+remote-cert-tls server
+persist-key
+persist-tun
+verb 3
+explicit-exit-notify 5
+<ca>
+EOF
+
+cat pki/ca.crt >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "</ca>\n<cert>\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+cat pki/issued/${_CLIENT}.crt >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "</cert>\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "<key>\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+cat pki/private/${_CLIENT}.key >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "</key>\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn
+
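Review bot: `|| break` after `./easyrsa build-client-full` has no loop to break out of, so when issuing fails the script carries on and writes a profile containing whatever `cat pki/issued/${_CLIENT}.crt` finds, or nothing; use `|| exit 1`. `_CLIENT` comes straight from `read` and is used unquoted both as a path component under /etc/openvpn/client and as an easyrsa argument while running as root, so restrict it to a conservative character set before use. The generated .ovpn embeds the client's private key but is created under the default umask — the README listing shows it as `-rw-r--r--` — so set `umask 077` before the heredoc. The `cd` only guards the easyrsa call although every later `cat pki/...` line depends on it too, so fail early if it does not succeed.
```sh
printf "Enter a name for a new client (Ex.: iphone): "
read _CLIENT

# Only accept a conservative name: it becomes a file name and a cert CN.
case "${_CLIENT}" in
  ""|.*|*[!A-Za-z0-9._-]*)
    echo "invalid client name: ${_CLIENT}" >&2
    exit 1
    ;;
esac

# The profile embeds the private key; keep it owner-readable only.
umask 077

cd /usr/local/share/easy-rsa || exit 1
./easyrsa build-client-full "${_CLIENT}" nopass || exit 1

# … unchanged: heredoc writing the profile header …

# … unchanged: cat/printf lines appending ca, cert and key …
```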
blob - /dev/null
blob + bd26e9773977d1cd8e5bc806741f62495da63a8e (mode 644)
--- /dev/null
+++ templates/hostname.tun0.j2
+## OpenVPN-Ansible-Role
+up
+group _openvpn
+description "OpenVPN as GW"
+!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openvpn.conf & false
+
blob - /dev/null
blob + 30eb6de96f9e8853252f684edf62576a633c0977 (mode 644)
--- /dev/null
+++ templates/ipp.txt.j2
+{{ client }},10.100.0.4
blob - /dev/null
blob + 0e9ae059b0543ad621b9128e194fff4523c712a2 (mode 644)
--- /dev/null
+++ templates/openssl-easyrsa.cnf.j2
+# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
+
+RANDFILE = $ENV::EASYRSA_PKI/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::EASYRSA_PKI # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs_by_serial # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = basic_exts # The extentions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
+default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
+default_md = $ENV::EASYRSA_DIGEST # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = $ENV::EASYRSA_KEY_SIZE
+default_keyfile = privkey.pem
+default_md = $ENV::EASYRSA_DIGEST
+distinguished_name = $ENV::EASYRSA_DN
+x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = {{ easyrsa_key_country }}
+countryName_default = $ENV::EASYRSA_REQ_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = {{ easyrsa_key_province }}
+stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
+
+localityName = {{ easyrsa_key_city }}
+localityName_default = $ENV::EASYRSA_REQ_CITY
+
+0.organizationName = {{ easyrsa_key_org }}
+0.organizationName_default = $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName = {{ easyrsa_key_ou }}
+organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
+
+commonName = {{ easyrsa_key_cn }}
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+emailAddress = {{ easyrsa_key_email }}
+emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max = 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
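Review bot: In the `[ org ]` section the right-hand side of a `req` distinguished_name entry such as `countryName = ...` is the prompt label OpenSSL displays, not the field value; the value comes from `countryName_default`, which here still points at `$ENV::EASYRSA_REQ_COUNTRY`. Rendering `{{ easyrsa_key_country }}`, `{{ easyrsa_key_province }}` and the other role variables into the labels therefore has no effect on issued certificates, and with `EASYRSA_DN` left at its `cn_only` default in templates/vars.j2 this section is not consulted at all. Restore the stock labels and instead set `set_var EASYRSA_REQ_COUNTRY "{{ easyrsa_key_country }}"` (and the remaining `EASYRSA_REQ_*` variables) in vars.j2, together with `set_var EASYRSA_DN "org"` if org-style subjects are wanted.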
blob - /dev/null
blob + eb7f3c4bd91e88aecdf58026a9af9765d9020545 (mode 644)
--- /dev/null
+++ templates/openvpn.conf.j2
+## default is 1194 but 443 udp is
+## a little better IMHO over
+## firewalls with closed ports
+port 443
+proto udp
+dev tun
+cert /usr/local/share/easy-rsa/pki/issued/{{ client }}.crt
+key /usr/local/share/easy-rsa/pki/private/{{ client }}.key
+ca /usr/local/share/easy-rsa/pki/ca.crt
+dh /usr/local/share/easy-rsa/pki/dh.pem
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+auth-nocache
+server 10.100.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+push "redirect-gateway def1 bypass-dhcp"
+## just for phessler@
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.0.0.1"
+##
+keepalive 10 120
+comp-lzo
+user _openvpn
+group _openvpn
+persist-key
+persist-tun
+persist-local-ip
+chroot /var/empty
+status openvpn-status.log
+verb 3
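Review bot: `cert` and `key` point at `pki/issued/{{ client }}.crt` and `pki/private/{{ client }}.key`, i.e. the client certificate produced by `build-client-full`, while tasks/main.yml also builds a proper server certificate with `build-server-full server nopass` that nothing uses. Clients carry `remote-cert-tls server`, which requires the peer certificate to have the server extended-key-usage, so they will refuse the handshake against a client-type certificate; change the two lines to `cert /usr/local/share/easy-rsa/pki/issued/server.crt` and `key /usr/local/share/easy-rsa/pki/private/server.key` (ideally via `{{ easyrsa_dir }}` rather than the hard-coded prefix). There is also no `crl-verify` line, so a certificate revoked through tasks/client.yml keeps working until it expires; add `crl-verify /usr/local/share/easy-rsa/pki/crl.pem` once `gen-crl` is part of the role, keeping in mind that with `chroot /var/empty` the CRL has to remain reachable inside the chroot for reloads. `comp-lzo` should go for the same reason as in the client profile.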
blob - /dev/null
blob + 286f9f97b11a0d655b6922868d5162eeb20deb16 (mode 644)
--- /dev/null
+++ templates/vars.j2
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades don't wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DON'T EDIT THIS SECTION
+#
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+ echo "This is no longer necessary and is disallowed. See the section called" >&2
+ echo "'How to use this file' near the top comments for more details." >&2
+ return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+#set_var EASYRSA "${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL "openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+#set_var EASYRSA_PKI "$PWD/pki"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below aren't used.
+#
+# Choices are:
+# cn_only - use just a CN value
+# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN "cn_only"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate. Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+#set_var EASYRSA_REQ_COUNTRY "US"
+#set_var EASYRSA_REQ_PROVINCE "California"
+#set_var EASYRSA_REQ_CITY "San Francisco"
+#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL "me@example.net"
+#set_var EASYRSA_REQ_OU "My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048. Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+#set_var EASYRSA_KEY_SIZE 2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE secp384r1
+
+# In how many days should the root CA key expire?
+
+#set_var EASYRSA_CA_EXPIRE 3650
+
+# In how many days should certificates expire?
+
+#set_var EASYRSA_CERT_EXPIRE 3650
+
+# How many days until the next CRL publish date? Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+
+#set_var EASYRSA_CRL_DAYS 180
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature. If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no". When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT "no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command. The symptom will be
+# some form of a 'command not found' error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you're doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named 'COMMON' is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the 'x509-types' dir. You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+set_var EASYRSA_SSL_CONF "{{ easyrsa_dir }}/easy-rsa/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+set_var EASYRSA_REQ_CN "{{ server_vpn }}"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST "sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+set_var EASYRSA_BATCH "1"
+
blob - /dev/null
blob + 878877b0776c44f55fc4e458f70840f31da5bb01 (mode 644)
--- /dev/null
+++ tests/inventory
+localhost
+
blob - /dev/null
blob + 5649dcc4f710964ba3b55cde7fc12015010a9d6f (mode 644)
--- /dev/null
+++ tests/test.yml
+---
+- hosts: localhost
+ gather_facts: true
+ become: True
+ become_method: doas
+ roles:
+ - ansible-rol-openvpn
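Review bot: The role is referenced as `ansible-rol-openvpn`, which matches neither the repository name `ansible-role-openvpn` that .travis.yml's `roles_path=../` layout and the README clone step rely on, nor the `gonzalo-.openvpn` name the README renames it to, so the Travis `--syntax-check` fails with a role-not-found error; change it to `- ansible-role-openvpn`. `become: True` would be more conventional as `become: true`.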
blob - /dev/null
blob + 060bb952467efa4e7a4d437ecdcd22dfbe31c7f1 (mode 644)
--- /dev/null
+++ vars/main.yml
+---
+# vars file for ansible-role-openvpn
\ No newline at end of file