commit 9b940e5a9f2dccbf439db224b0935f53bc70dde6 from: gonzalo date: Wed Jul 25 23:43:31 2018 UTC initial ansible-role-openvpn commit - /dev/null commit + 9b940e5a9f2dccbf439db224b0935f53bc70dde6
blob - /dev/null
blob + 36bbf6208cfd42ac91bfbe7f9126bc9044e186c6 (mode 644)
--- /dev/null
+++ .travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
blob - /dev/null
blob + 02add5e7c7de84db20898836ad5c7eefe516875b (mode 644)
--- /dev/null
+++ LICENSE
@@ -0,0 +1,11 @@
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
blob - /dev/null
blob + 33c3e33d13ff8d60aa9a662e79ed0a8e3cb7b037 (mode 644)
--- /dev/null
+++ README.md
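Review bot: `pip install ansible` under `install:` is unpinned, so the CI syntax check runs against whatever ansible release PyPI serves on the day of the build; a breaking release upstream would turn the job red with no change in this repository, and a green run today proves nothing about tomorrow. Pin the version the role was written against, e.g. `- pip install 'ansible==<pinned version>'`, and bump it deliberately. The `printf '[defaults]\nroles_path=../' >ansible.cfg` step is fine but deserves a one-line comment that it exists so `tests/test.yml` can find the role by its checkout directory name.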
@@ -0,0 +1,139 @@
+Ansible role for a VPN with OpenVPN & OpenBSD
+=============================================
+
+Ansible role to create a VPN server on OpenBSD (>6.0) with OpenVPN.
+
+Requirements
+------------
+
+OpenBSD, Python 2.7 (on client machine) and 5 minutes.
+
+Example pf.conf
+---------------
+
+The VPN port on this playbook is 443 udp, so you need something like
+this:
+
+```
+...
+# openvpn
+pass in quick log on egress proto udp from any \
+ to (egress) port 443
+pass in quick on tun0
+pass out quick on egress from 10.100.0.0/24 to any nat-to (egress)
+...
+```
+
+Example Ansible
+---------------
+
+This example is for a remote setup, so ,,test'' is your future vpn server, you
+already put your ssh key on ,,test'' and this server already have python2.7
+installed.
+
+```
+$ doas pkg_add ansible
+...
+$ cd /tmp && mkdir ansible && cd ansible
+$ git clone https://github.com/gonzalo-/ansible-role-openvpn
+Cloning into 'ansible-role-openvpn'...
+remote: Counting objects: 143, done.
+remote: Compressing objects: 100% (35/35), done.
+remote: Total 143 (delta 26), reused 42 (delta 18), pack-reused 86
+Receiving objects: 100% (143/143), 28.24 KiB | 148.00 KiB/s, done.
+Resolving deltas: 100% (53/53), done.
+$ mv ansible-role-openvpn gonzalo-.openvpn
+$ cat hosts
+test ansible_python_interpreter=/usr/local/bin/python2.7
+$ cat openvpn.yml
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.openvpn
+ become: yes
+ become_method: doas
+
+ vars:
+ client: 'client'
+ server_vpn: 'vpn.fucknsa.org'
+ openvpn_dir: '/etc/openvpn'
+ release: '6.3'
+ arch: 'amd64'
+ installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/'
+ pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
+ packages_list:
+ - openvpn
+ - easy-rsa
+$ ansible-playbook -i hosts openvpn.yml
+...MAGIC...
+$
+```
+
+Client .ovpn
+------------
+
+If the playbook succeed, you might find the client.ovpn for your devices on ,,/etc/openvpn/client''
+
+```
+# ls -al /etc/openvpn/client
+-rw-r--r-- 1 root wheel 5971 Apr 18 18:03 /etc/openvpn/client/client.ovpn
+```
+
+You can copy this file to your devices and import it on your openvpn client.
+
+You can create later more clients by running:
+
+```
+# /etc/openvpn/client/create-client
+Enter a name for a new client (Ex.: iphone): android
+Generating a 2048 bit RSA private key
+.........................................+++
+............................................+++
+writing new private key to '/usr/local/share/easy-rsa/pki/private/android.key.aZVsBL43mm'
+-----
+Using configuration from ./openssl-easyrsa.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+commonName :ASN.1 12:'android'
+Certificate is to be certified until Apr 20 08:45:38 2028 GMT (3650 days)
+
+Write out database with 1 new entries
+Data Base Updated
+```
+
+And the final ,,.ovpn'' file is on /etc/openvpn/client/.
+
+
+Example Playbook
+----------------
+```
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.openvpn
+ become: yes
+ become_method: doas
+
+ vars:
+ client: 'client'
+ server_vpn: 'vpn.fucknsa.org'
+ openvpn_dir: '/etc/openvpn'
+ release: '6.3'
+ arch: 'amd64'
+ installurl_mirror: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/'
+ pkg_path: 'https://fastly.cdn.openbsd.org/pub/OpenBSD/{{ release }}/packages/{{ arch }}/'
+ packages_list:
+ - openvpn
+ - easy-rsa
+```
+
+License
+-------
+
+ISC
+
+Author Information
+------------------
+
+https://x61.sh/
blob - /dev/null
blob + 7545e31caf38a69d5bac62942543a1bb5a55c76b (mode 644)
--- /dev/null
+++ defaults/main.yml
@@ -0,0 +1,17 @@
+---
+easyrsa_user: root
+easyrsa_dir: "/usr/local/share"
+easyrsa_use_tls_auth: True
+easyrsa_key_country: "DE"
+easyrsa_key_province: "FuckNSAProvince"
+easyrsa_key_city: "FuckNSACity"
+easyrsa_key_org: "FuckNSA"
+easyrsa_key_email: "vpn@fucknsa.org"
+easyrsa_key_cn: "{{ server_vpn }}"
+easyrsa_key_name: "fucknsa"
+easyrsa_key_ou: "fucknsa"
+easyrsa_key_size: 4096
+easyrsa_key_expire: 3650
+easyrsa_ca_expire: 3650
+easyrsa_clients: []
+...
blob - /dev/null
blob + 4ab7657b81c86c3ec8d96b426a2b6b75464d7568 (mode 644)
--- /dev/null
+++ handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for ansible-role-openvpn
\ No newline at end of file
blob - /dev/null
blob + e3a56d33deb74eadd0cee2e665bf42c2371f2d20 (mode 644)
--- /dev/null
+++ meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ author: gonzalo-
+ description: Role to setup a vpn-gw with openvpn over openbsd.
+ license: BSD
+ min_ansible_version: 1.9
+ galaxy_tags:
+ - openbsd
+ - system
+ - openvpn
+ - security
+ - privacy
+ platforms:
+ - name: OpenBSD
+ versions:
+ - 6.3
+ - 6.2
+ - 6.1
+ - 6.0
+ - 5.9
+dependencies: []
blob - /dev/null
blob + 5281fba8491903d984c87d663231a756b81612a8 (mode 644)
--- /dev/null
+++ tasks/client.yml
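Review bot: `easyrsa_use_tls_auth: True` is never read anywhere else in this commit — neither templates/openvpn.conf.j2 nor templates/client.ovpn.j2 carries a `tls-auth` or `tls-crypt` line and no task generates a `ta.key` — so the default advertises a control-channel hardening that is not applied; either wire it into the templates or drop it, and write it as `easyrsa_use_tls_auth: true`. `easyrsa_user: root` is likewise unreferenced by any task or template in the commit. `easyrsa_key_size`, `easyrsa_key_expire` and `easyrsa_ca_expire` only take effect if something writes them into Easy-RSA's `vars`; templates/vars.j2 leaves the corresponding `set_var EASYRSA_KEY_SIZE` / `EASYRSA_CERT_EXPIRE` / `EASYRSA_CA_EXPIRE` lines commented, so as committed the 4096-bit/3650-day defaults are decorative. A short comment per variable naming the template that consumes it, e.g. `# used by templates/openssl-easyrsa.cnf.j2 [ org ] section`, would make such gaps visible at a glance.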
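Review bot: `license: BSD` disagrees with the LICENSE file and the README in the same commit, which are ISC; change it to `license: ISC`. `min_ansible_version: 1.9` is lower than the task syntax requires: tasks/main.yml uses `include_tasks` with `loop_control`, and tasks/client.yml uses `block`, which need a 2.4-or-later release, so Galaxy would advertise compatibility the role does not have; set `min_ansible_version: 2.4`. The `versions` entries `6.3`, `6.2`, `6.1`, `6.0`, `5.9` are unquoted and parse as floats rather than version strings; quote them (`- "6.3"`).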
@@ -0,0 +1,38 @@
+---
+
+# Block start add client
+- block:
+
+ - name: check for existing client certificate
+ stat:
+ path: "{{ easyrsa_dir }}/easy-rsa/pki/issued/{{ client.name }}.crt"
+ register: _client_crt
+
+ - name: add client
+ shell: |
+ source ./vars
+ export EASY_RSA="${EASY_RSA:-.}"
+ "$EASY_RSA/pkitool" {{ client.name }}
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+ executable: /bin/sh
+
+# Block end add client
+
+# Block start remove client
+- block:
+
+ - name: remove client
+ shell: |
+ source ./vars
+ export EASY_RSA="${EASY_RSA:-.}"
+ "$EASY_RSA/revoke-full" {{ client.name }}
+ export CLIENT={{ client.name }}
+ rm -rf $KEY_DIR/$CLIENT*
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+ executable: /bin/sh
+
+# Block end remove client
+
+...
blob - /dev/null
blob + ec5eb20c8833d349331d738c737a22fe22021b09 (mode 644)
--- /dev/null
+++ tasks/edit_vars.yml
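Review bot: Neither `block` carries a `when`, so for every item of `easyrsa_clients` the add block runs and then the remove block runs, and the `_client_crt` result registered by the stat task is never consulted. The removal's `rm -rf $KEY_DIR/$CLIENT*` is unquoted and `KEY_DIR` is an Easy-RSA 2 variable that the Easy-RSA 3 `vars` this role deploys in templates/vars.j2 never sets, so the glob can expand to `/<name>*` at the filesystem root; guard and quote it, `[ -n "$KEY_DIR" ] && rm -rf -- "$KEY_DIR/$CLIENT"*`, and gate the block on an explicit intent such as `when: client.state | default('present') == 'absent'` (the shape of `easyrsa_clients` items is only implied by `client.name` here). `pkitool` and `revoke-full` are also Easy-RSA 2 scripts, whereas tasks/main.yml drives Easy-RSA 3 via `./easyrsa build-client-full`; the same `./easyrsa build-client-full {{ client.name }} nopass` and `./easyrsa revoke {{ client.name }}` followed by `./easyrsa gen-crl` would match the rest of the role. `source ./vars` under `executable: /bin/sh` is also exactly what vars.j2's `EASYRSA_CALLER` check refuses with `return 1`.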
@@ -0,0 +1,80 @@
+---
+
+- name: update EASY_RSA director
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export EASY_RSA="
+ line: "export EASY_RSA=\"{{ easyrsa_dir }}/easy-rsa\""
+ state: present
+
+- name: update KEY_SIZE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_SIZE="
+ line: "export KEY_SIZE=\"{{ easyrsa_key_size }}\""
+ state: present
+
+- name: update KEY_EXPIRE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_EXPIRE="
+ line: "export KEY_EXPIRE=\"{{ easyrsa_key_expire }}\""
+ state: present
+
+- name: update CA_EXPIRE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export CA_EXPIRE="
+ line: "export CA_EXPIRE=\"{{ easyrsa_ca_expire }}\""
+ state: present
+
+- name: update KEY_COUNTRY
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_COUNTRY="
+ line: "export KEY_COUNTRY=\"{{ easyrsa_key_country }}\""
+ state: present
+
+- name: update KEY_PROVINCE
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_PROVINCE="
+ line: "export KEY_PROVINCE=\"{{ easyrsa_key_province }}\""
+ state: present
+
+- name: update KEY_CITY
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_CITY="
+ line: "export KEY_CITY=\"{{ easyrsa_key_city }}\""
+ state: present
+
+- name: update KEY_ORG
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_ORG="
+ line: "export KEY_ORG=\"{{ easyrsa_key_org }}\""
+ state: present
+
+- name: update KEY_EMAIL
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_EMAIL="
+ line: "export KEY_EMAIL=\"{{ easyrsa_key_email }}\""
+ state: present
+
+- name: update KEY_OU
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export KEY_OU="
+ line: "export KEY_OU=\"{{ easyrsa_key_ou }}\""
+ state: present
+
+- name: update KEY_NAME
+ lineinfile:
+ path: "{{ easyrsa_dir }}/easy-rsa/vars"
+ regexp: "^export 
KEY_NAME="
+ line: "export KEY_NAME=\"{{ easyrsa_key_name }}\""
+ state: present
+
+...
blob - /dev/null
blob + 59ed66ec7a05a5bab98d8e201ebfbb8be58d206b (mode 644)
--- /dev/null
+++ tasks/main.yml
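Review bot: Every `regexp` in this file matches the Easy-RSA 2 form `^export KEY_*=`, but the `vars` file the role deploys (templates/vars.j2) is Easy-RSA 3 syntax using `set_var EASYRSA_*`, so none of the patterns match and `lineinfile` appends `export ...` lines that Easy-RSA 3 never reads; `easyrsa_key_size`, `easyrsa_key_expire` and the DN values therefore never reach the PKI. Rewrite each task in the Easy-RSA 3 form, e.g. `regexp: "^#?set_var EASYRSA_KEY_SIZE"` with `line: "set_var EASYRSA_KEY_SIZE {{ easyrsa_key_size }}"`, mapping the names to `EASYRSA_KEY_SIZE`, `EASYRSA_CERT_EXPIRE`, `EASYRSA_CA_EXPIRE` and `EASYRSA_REQ_COUNTRY` / `_PROVINCE` / `_CITY` / `_ORG` / `_EMAIL` / `_OU` (`KEY_NAME` has no direct Easy-RSA 3 counterpart). Nothing in tasks/main.yml includes this file, so as committed it is unreferenced; either add `- include_tasks: edit_vars.yml` before the easy-rsa block or drop the file in favour of templating the values directly in vars.j2. The `update KEY_NAME` task's `regexp` appears split across two lines in this rendering, which looks like a display artefact rather than file content.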
@@ -0,0 +1,98 @@
+---
+
+- name: set installurl
+ lineinfile:
+ dest=/etc/installurl
+ line="{{ installurl_mirror }}"
+ insertafter=EOF
+ create=True
+
+- name: set forwarding
+ lineinfile:
+ dest=/etc/sysctl.conf
+ line="net.inet.ip.forwarding=1"
+ insertafter=EOF
+ create=True
+
+- openvpn:
+ name: openvpn-etc
+ file: path={{ openvpn_dir }} state=directory
+
+- openvpn-client:
+ name: openvpn-client
+ file: path={{ openvpn_dir }}/client state=directory
+
+- openvpn-chroot:
+ name: openvpn-chroot
+ file: path=/var/empty/tmp state=directory
+
+- name: Installing packages
+ openbsd_pkg: name={{ item }} state=present
+ with_items: "{{ packages_list }}"
+
+- template: src=ipp.txt.j2 dest="{{ openvpn_dir }}/ipp.txt" owner="root" group="wheel" mode="0644"
+- template: src=hostname.tun0.j2 dest="/etc/hostname.tun0" owner="root" group="wheel" mode="0644"
+- template: src=openvpn.conf.j2 dest="{{ openvpn_dir }}/openvpn.conf" owner="root" group="wheel" mode="0644"
+- template: src=openssl-easyrsa.cnf.j2 dest="/usr/local/share/easy-rsa/openssl-easyrsa.cnf" owner="root" group="bin" mode="0644"
+- template: src=vars.j2 dest="/usr/local/share/easy-rsa/vars" owner="root" group="bin" mode="0755"
+- template: src=client.ovpn.j2 dest="{{ openvpn_dir }}/client/client.ovpn" owner="root" group="wheel" mode="0644"
+- template: src=create-client.j2 dest="{{ openvpn_dir }}/client/create-client" owner="root" group="wheel" mode="755"
+
+- name: check for easy_rsa existence
+ stat:
+ path: "{{ easyrsa_dir }}/easy-rsa"
+ register: easy_rsa
+
+# Block start initialize easy-rsa
+- block:
+ - name: init-pki
+ shell: |
+ ./easyrsa init-pki
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: gen-dh
+ shell: |
+ ./easyrsa gen-dh
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-ca
+ shell: |
+ source ./vars
+ ./easyrsa build-ca nopass
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-key-server
+ shell: |
+ ./easyrsa build-server-full server nopass
+ args:
+ 
chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: build-client-full
+ shell: |
+ ./easyrsa build-client-full {{ client }} nopass
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+ - name: generate client.ovpn
+ shell: |
+ cat pki/ca.crt >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "\n\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ cat pki/issued/client.crt >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "\n" >> {{ openvpn_dir }}/client/client.ovpn && \
+ cat pki/private/client.key >> {{ openvpn_dir }}/client/client.ovpn && \
+ printf "\n" >> {{ openvpn_dir }}/client/client.ovpn
+ args:
+ chdir: "{{ easyrsa_dir }}/easy-rsa/"
+
+- name: iterate clients
+ include_tasks: client.yml
+ with_items: "{{ easyrsa_clients }}"
+ loop_control:
+ loop_var: client
+
+- name: Enable tun0
+ command: sh /etc/netstart tun0
blob - /dev/null
blob + a7de1823519bc6dc1981fbd90ee4e6456d5c17be (mode 644)
--- /dev/null
+++ templates/client.ovpn.j2
@@ -0,0 +1,18 @@
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+remote-cert-tls server
+client
+dev tun
+proto udp
+resolv-retry infinite
+nobind
+comp-lzo yes
+remote {{ server_vpn }} 443
+remote-cert-tls server
+persist-key
+persist-tun
+verb 3
+explicit-exit-notify 5
+
blob - /dev/null
blob + 1c9abc60f6b461ab23590eccda899e11825da64f (mode 644)
--- /dev/null
+++ templates/create-client.j2
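Review bot: The `check for easy_rsa existence` task registers `easy_rsa`, but the initialize block that follows has no `when`, so every run re-executes `init-pki` (which vars.j2's own comment says does an `rm -rf` on the PKI directory), rebuilds the CA and server key, and `generate client.ovpn` then appends with `>>` onto a profile that already holds the previous run's blocks; add `when: not easy_rsa.stat.exists` to the block. `client.ovpn` receives `pki/private/client.key` while the template task above deploys it with `mode="0644"`, so a client private key ends up world-readable on the server (the README listing shows the resulting `-rw-r--r--`); use `mode="0600"` on that template task. The `- openvpn:`, `- openvpn-client:` and `- openvpn-chroot:` entries use an invented key as the task's action; unless a module by that name exists elsewhere in the project, Ansible cannot resolve it, and they should be plain `file` tasks as below. The template tasks for `openssl-easyrsa.cnf` and `vars` hard-code `/usr/local/share/easy-rsa` while the rest of the file builds the path from `easyrsa_dir`.
```yaml
- name: openvpn-etc
  file: path={{ openvpn_dir }} state=directory

- name: openvpn-client
  file: path={{ openvpn_dir }}/client state=directory

- name: openvpn-chroot
  file: path=/var/empty/tmp state=directory

# … unchanged: package install and template tasks (client.ovpn.j2 with mode="0600") …

# Block start initialize easy-rsa
- block:
    # … unchanged: init-pki, gen-dh, build-ca, build-key-server, build-client-full, generate client.ovpn …
  when: not easy_rsa.stat.exists
```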
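Review bot: `comp-lzo yes` turns on compression inside the tunnel; compressing attacker-influenceable traffic before encryption is a known information-leak pattern, and current OpenVPN guidance is to leave compression off, so drop this line together with the matching `comp-lzo` in templates/openvpn.conf.j2 (both sides must agree). `remote-cert-tls server` appears twice in the template; keep one. This file is deployed with `mode="0644"` by tasks/main.yml and then has the client's private key appended, so the finished profile is world-readable — the task mode is where to fix that, but a header comment such as `# tasks/main.yml appends ca.crt, client.crt and client.key below; keep this file 0600` would stop the next maintainer from treating it as a harmless config.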
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+if test $(whoami) != root; then
+ doas "$0" "$@"
+ exit $?
+fi
+
+printf "Enter a name for a new client (Ex.: iphone): "
+read _CLIENT
+
+cd /usr/local/share/easy-rsa && \
+./easyrsa build-client-full ${_CLIENT} nopass || break
+
+cat </etc/openvpn/client/${_CLIENT}.ovpn
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+remote-cert-tls server
+client
+dev tun
+proto udp
+resolv-retry infinite
+nobind
+comp-lzo yes
+remote {{ server_vpn }} 443
+remote-cert-tls server
+persist-key
+persist-tun
+verb 3
+explicit-exit-notify 5
+
+EOF
+
+cat pki/ca.crt >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "\n\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+cat pki/issued/${_CLIENT}.crt >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+cat pki/private/${_CLIENT}.key >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn && \
+printf "\n" >> {{ openvpn_dir }}/client/${_CLIENT}.ovpn
+
blob - /dev/null
blob + bd26e9773977d1cd8e5bc806741f62495da63a8e (mode 644)
--- /dev/null
+++ templates/hostname.tun0.j2
@@ -0,0 +1,6 @@
+## OpenVPN-Ansible-Role
+up
+group _openvpn
+description "OpenVPN as GW"
+!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openvpn.conf & false
+
blob - /dev/null
blob + 30eb6de96f9e8853252f684edf62576a633c0977 (mode 644)
--- /dev/null
+++ templates/ipp.txt.j2
@@ -0,0 +1 @@
+{{ client }},10.100.0.4
blob - /dev/null
blob + 0e9ae059b0543ad621b9128e194fff4523c712a2 (mode 644)
--- /dev/null
+++ templates/openssl-easyrsa.cnf.j2
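Review bot: `read _CLIENT` is used unvalidated as a path component under `/etc/openvpn/client` and as an unquoted argument to `./easyrsa`, so a name containing `/`, `..`, whitespace or shell metacharacters writes outside that directory or splits into several arguments; restrict it to a safe character set before use, as below. `|| break` after `build-client-full` is not inside a loop, so a failed build does not stop the script and the remaining lines still emit a profile with no certificate; `exit 1` is what is meant. The generated `.ovpn` receives `pki/private/${_CLIENT}.key` but is created under the caller's default umask, which the README listing shows as `-rw-r--r--`; a `umask 077` at the top keeps the key out of reach of other local users. The `cat </etc/openvpn/client/...` line looks like the `<<EOF` heredoc redirect lost its `<EOF >` in rendering — worth confirming against the repository file rather than the page.
```sh
umask 077

printf "Enter a name for a new client (Ex.: iphone): "
read _CLIENT
case "${_CLIENT}" in
  ""|*[!A-Za-z0-9_.-]*) echo "invalid client name: ${_CLIENT}" >&2; exit 1 ;;
esac

cd /usr/local/share/easy-rsa && \
./easyrsa build-client-full "${_CLIENT}" nopass || exit 1

# … unchanged: heredoc with the client profile, then the cat/printf appends …
```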
@@ -0,0 +1,137 @@
+# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
+
+RANDFILE = $ENV::EASYRSA_PKI/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::EASYRSA_PKI # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs_by_serial # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = basic_exts # The extentions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
+default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
+default_md = $ENV::EASYRSA_DIGEST # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = $ENV::EASYRSA_KEY_SIZE
+default_keyfile = privkey.pem
+default_md = $ENV::EASYRSA_DIGEST
+distinguished_name = $ENV::EASYRSA_DN
+x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = {{ easyrsa_key_country }}
+countryName_default = $ENV::EASYRSA_REQ_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = {{ easyrsa_key_province }}
+stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
+
+localityName = {{ easyrsa_key_city }}
+localityName_default = $ENV::EASYRSA_REQ_CITY
+
+0.organizationName = {{ 
easyrsa_key_org }}
+0.organizationName_default = $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName = {{ easyrsa_key_ou }}
+organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
+
+commonName = {{ easyrsa_key_cn }}
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+emailAddress = {{ easyrsa_key_email }}
+emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max = 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
blob - /dev/null
blob + eb7f3c4bd91e88aecdf58026a9af9765d9020545 (mode 644)
--- /dev/null
+++ templates/openvpn.conf.j2
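Review bot: In the `[ org ]` section the role's values land in the wrong slot: in an OpenSSL `req` distinguished_name section `countryName = ...` is the interactive prompt label and `countryName_default` is the value, so `countryName = {{ easyrsa_key_country }}` only changes the prompt while the certificate still takes `$ENV::EASYRSA_REQ_COUNTRY`, i.e. Easy-RSA's own defaults; the same applies to the province, city, org, OU, CN and email lines. Keep the upstream prompt text and either set the `EASYRSA_REQ_*` variables in templates/vars.j2 or move the substitution to the `_default` lines, e.g. `countryName_default = {{ easyrsa_key_country }}`. Note also that `[ org ]` is only consulted when `EASYRSA_DN` is `org`; vars.j2 leaves `#set_var EASYRSA_DN "cn_only"` commented, so in the default mode none of these fields is emitted at all, and a comment at the top of the section saying which `EASYRSA_DN` value activates it would help. The `0.organizationName` line appears split across two lines in this rendering, which looks like a display artefact.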
@@ -0,0 +1,32 @@
+## default is 1194 but 443 udp is
+## a little better IMHO over
+## firewalls with closed ports
+port 443
+proto udp
+dev tun
+cert /usr/local/share/easy-rsa/pki/issued/{{ client }}.crt
+key /usr/local/share/easy-rsa/pki/private/{{ client }}.key
+ca /usr/local/share/easy-rsa/pki/ca.crt
+dh /usr/local/share/easy-rsa/pki/dh.pem
+cipher AES-256-CBC # AES 256 bits
+tls-version-min 1.2 # Only allow TLS 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+auth SHA512 # HMAC-SHA512 (default is SHA1)
+auth-nocache
+server 10.100.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+push "redirect-gateway def1 bypass-dhcp"
+## just for phessler@
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.0.0.1"
+##
+keepalive 10 120
+comp-lzo
+user _openvpn
+group _openvpn
+persist-key
+persist-tun
+persist-local-ip
+chroot /var/empty
+status openvpn-status.log
+verb 3
blob - /dev/null
blob + 286f9f97b11a0d655b6922868d5162eeb20deb16 (mode 644)
--- /dev/null
+++ templates/vars.j2
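Review bot: `cert .../pki/issued/{{ client }}.crt` and `key .../pki/private/{{ client }}.key` point the server at the client identity, although tasks/main.yml builds a dedicated server pair with `./easyrsa build-server-full server nopass`; the server should load `pki/issued/server.crt` and `pki/private/server.key`. As written, the private key that tasks/main.yml embeds into every `client.ovpn` is also the server's key, so losing one device profile compromises the server identity, and a certificate issued by `build-client-full` is expected to fail the client's `remote-cert-tls server` check. `ifconfig-pool-persist ipp.txt` and `status openvpn-status.log` are relative paths with no `cd` directive while `chroot /var/empty` is set, so they resolve against the daemon's working directory rather than `{{ openvpn_dir }}`, where tasks/main.yml deploys `ipp.txt`; use absolute paths. `comp-lzo` should go together with the client-side `comp-lzo yes` in templates/client.ovpn.j2, and the hard-coded `/usr/local/share/easy-rsa` ignores `easyrsa_dir`.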
@@ -0,0 +1,206 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades don't wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DON'T EDIT THIS SECTION
+#
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+ echo "This is no longer necessary and is disallowed. See the section called" >&2
+ echo "'How to use this file' near the top comments for more details." >&2
+ return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+#set_var EASYRSA "${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL "openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+#set_var EASYRSA_PKI "$PWD/pki"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below aren't used.
+#
+# Choices are:
+# cn_only - use just a CN value
+# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN "cn_only"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate. Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+#set_var EASYRSA_REQ_COUNTRY "US"
+#set_var EASYRSA_REQ_PROVINCE "California"
+#set_var EASYRSA_REQ_CITY "San Francisco"
+#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL "me@example.net"
+#set_var EASYRSA_REQ_OU "My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048. Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+#set_var EASYRSA_KEY_SIZE 2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE secp384r1
+
+# In how many days should the root CA key expire?
+
+#set_var EASYRSA_CA_EXPIRE 3650
+
+# In how many days should certificates expire?
+
+#set_var EASYRSA_CERT_EXPIRE 3650
+
+# How many days until the next CRL publish date? Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+
+#set_var EASYRSA_CRL_DAYS 180
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature. If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no". When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT "no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command. The symptom will be
+# some form of a 'command not found' error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you're doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named 'COMMON' is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the 'x509-types' dir. You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.)
NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+set_var EASYRSA_SSL_CONF "{{ easyrsa_dir }}/easy-rsa/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+set_var EASYRSA_REQ_CN "{{ server_vpn }}"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST "sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+set_var EASYRSA_BATCH "1"
+
blob - /dev/null
blob + 878877b0776c44f55fc4e458f70840f31da5bb01 (mode 644)
--- /dev/null
+++ tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
blob - /dev/null
blob + 5649dcc4f710964ba3b55cde7fc12015010a9d6f (mode 644)
--- /dev/null
+++ tests/test.yml
@@ -0,0 +1,7 @@
+---
+- hosts: localhost
+ gather_facts: true
+ become: True
+ become_method: doas
+ roles:
+ - ansible-rol-openvpn
blob - /dev/null
blob + 060bb952467efa4e7a4d437ecdcd22dfbe31c7f1 (mode 644)
--- /dev/null
+++ vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ansible-role-openvpn
\ No newline at end of file
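Review bot: The role defaults `easyrsa_key_size`, `easyrsa_key_expire`, `easyrsa_ca_expire` and the `easyrsa_key_*` DN values are never written into this file — `#set_var EASYRSA_KEY_SIZE 2048`, `#set_var EASYRSA_CA_EXPIRE 3650`, `#set_var EASYRSA_CERT_EXPIRE 3650` and the `EASYRSA_REQ_*` lines stay commented — so the PKI is built with Easy-RSA's built-in defaults rather than the 4096-bit key defaults/main.yml advertises; template them in as below, following the pattern of the two `set_var` lines that are already uncommented. `set_var EASYRSA_REQ_CN "{{ server_vpn }}"` makes the VPN hostname the CN that `build-ca` appears to pick up for the CA itself, which may or may not be intended; a comment such as `# CN for build-ca; server and client certs take their CN from the easyrsa argument` would record the decision. `set_var EASYRSA_BATCH "1"` is what lets `build-ca nopass` and the other tasks in tasks/main.yml run unattended, so it deserves a one-line comment saying so. If the `[ org ]` DN fields in templates/openssl-easyrsa.cnf.j2 are meant to be used, `set_var EASYRSA_DN "org"` has to be uncommented as well.
```sh
set_var EASYRSA_KEY_SIZE {{ easyrsa_key_size }}
set_var EASYRSA_CA_EXPIRE {{ easyrsa_ca_expire }}
set_var EASYRSA_CERT_EXPIRE {{ easyrsa_key_expire }}
set_var EASYRSA_REQ_COUNTRY "{{ easyrsa_key_country }}"
set_var EASYRSA_REQ_PROVINCE "{{ easyrsa_key_province }}"
set_var EASYRSA_REQ_CITY "{{ easyrsa_key_city }}"
set_var EASYRSA_REQ_ORG "{{ easyrsa_key_org }}"
set_var EASYRSA_REQ_EMAIL "{{ easyrsa_key_email }}"
set_var EASYRSA_REQ_OU "{{ easyrsa_key_ou }}"
# … unchanged: remaining commented upstream defaults, EASYRSA_SSL_CONF, EASYRSA_REQ_CN, EASYRSA_BATCH …
```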
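Review bot: The role is listed as `ansible-rol-openvpn`, but the repository and the `roles_path=../` written by .travis.yml refer to it as `ansible-role-openvpn`, so the CI `--syntax-check` will fail to locate the role; change the entry to `- ansible-role-openvpn`. `become: True` should be the canonical `become: true`. The play sets `become_method: doas` and `gather_facts: true` but defines none of the variables the role reads without a default (`server_vpn`, `client`, `openvpn_dir`, `installurl_mirror`, `packages_list`), which a syntax check tolerates but a real run would not; either add a `vars:` stanza with placeholder values or put a comment at the top saying the play exists for syntax checking only.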