From dbd8ed5949ad3c64b2c7bacf06684a3fc7297b4e Mon Sep 17 00:00:00 2001
From: Adrien
Date: Mon, 8 Oct 2018 19:35:16 +0200
Subject: [PATCH] Externalize role
---
defaults/main.yml | 9 ++
handlers/main.yml | 7 ++
tasks/main.yml | 101 ++++++++++++++++++
templates/etc/firewalld/services/openvpn.xml | 7 ++
templates/etc/openvpn/server/config.conf.j2 | 59 ++++++++++
.../etc/openvpn/server/vpn-up-down.sh.j2 | 21 ++++
.../sysconfig/network-scripts/ifcfg-ovpn.j2 | 22 ++++
.../usr/local/bin/openvpn-gen_conf_client.sh | 37 +++++++
vars/RedHat.yml | 9 ++
9 files changed, 272 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/etc/firewalld/services/openvpn.xml
create mode 100644 templates/etc/openvpn/server/config.conf.j2
create mode 100644 templates/etc/openvpn/server/vpn-up-down.sh.j2
create mode 100644 templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2
create mode 100644 templates/usr/local/bin/openvpn-gen_conf_client.sh
create mode 100644 vars/RedHat.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..faf7994
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+openvpn_vpn_name: local
+openvpn_bridge_type: bridge
+openvpn_bridge: ovpn
+openvpn_bridge_ip: 192.168.2.1/24
+openvpn_port: 1194
+openvpn_bridgemaster: "{{ openvswitch_interface }}"
+openvpn_vlan: 405
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..0153370
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart openvpn-server-udp
+ service: name=openvpn-server@{{ openvpn_vpn_name }}.udp state=restarted
+
+- name: Restart openvpn-server-tcp
+ service: name=openvpn-server@{{ openvpn_vpn_name }}.tcp state=restarted
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..8ca6c92
--- /dev/null
+++ b/tasks/main.yml
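Review bot: `openvpn_subnets`, which tasks/main.yml loops over and whose items feed `item.proto`, `item.port`, `item.ip_server`, `item.netmask`, `item.dhcp_range` (and optional `dns`, `domains`, `routes`) into config.conf.j2, has no default in this file, so the role fails on an undefined variable unless every caller sets it. Adding `openvpn_subnets: []` with a comment listing the expected item keys documents the contract and makes a bare include a no-op. `openvpn_bridgemaster` depends on `openvswitch_interface` from another role and is only read by a commented-out task, and `openvpn_bridge_ip` is only referenced by the commented nmcli task while ifcfg-ovpn.j2 hard-codes its own address; each should either be consumed by the role or be marked as optional here.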
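Review bot: Both handlers use the `key=value` shorthand with a Jinja expression embedded in the value; the native mapping form is what ansible-lint expects and keeps the templated unit name as one quoted string: `service:` / `  name: "openvpn-server@{{ openvpn_vpn_name }}.udp"` / `  state: restarted`. The task side notifies `Restart openvpn-server-{{ item.proto }}`, so any `proto` value in `openvpn_subnets` other than `udp`/`tcp` names a handler that does not exist and the play errors; a one-line comment here stating that the two handler names are the only supported protocols would make that coupling visible.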
@@ -0,0 +1,101 @@
+---
+- name: Include vars for {{ ansible_os_family }}
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Install packages for openvpn
+ package: name="{{ openvpn_packages }}" state=latest update_cache=yes
+
+- name: Install OpenVSwitch
+ include_role:
+ name: openvswitch
+ when:
+ - openvpn_bridge_type == "ovs"
+
+#- openvswitch_bridge:
+# bridge: "{{ openvpn_bridge }}"
+# parent: "{{ openvpn_bridgemaster }}"
+# vlan: "{{ openvpn_vlan }}"
+# state: present
+# when:
+# - openvpn_bridge_type == "ovs"
+
+# Doesn't work !!
+#- name: try nmcli add bridge - conn_name only & ip4 gw4 mode
+# nmcli:
+# type: bridge
+# conn_name: '{{ openvpn_bridge }}'
+# ip4: '{{ openvpn_bridge_ip }}/24'
+# state: present
+# when:
+# - openvpn_bridge_type == "bridge"
+
+- name: Make server config directory
+ file: path=/etc/openvpn/server state=directory owner=root group=root mode=0750
+
+- name: Install vpn-up.sh script
+ template: src=etc/openvpn/server/vpn-up-down.sh.j2 dest=/etc/openvpn/server/vpn-up.sh owner=root group=root mode=0755
+- name: Install vpn-down.sh link
+ file: src=vpn-up.sh dest=/etc/openvpn/server/vpn-down.sh state=link force=yes
+# setsebool openvpn_run_unconfined on
+- name: Set boolean selinux flag for scripts
+ seboolean:
+ name: openvpn_run_unconfined
+ state: yes
+ persistent: yes
+# chcon -t openvpn_unconfined_script_exec_t vpn-up.sh
+- name: Set selinux context to vpn-up.sh script
+ sefcontext:
+ target: '/etc/openvpn/server/vpn-up.sh'
+ setype: openvpn_unconfined_script_exec_t
+ state: present
+
+# openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
+# openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
+# openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
+# openssl dhparam -out dh2048.pem 2048
+# source vars
+# ./pkitool Client1
+
+# Need more step to generate certificat files
+- name: Install Certificat files
+ copy: src=etc/openvpn/server/easy-rsa/2.0/keys/{{ item }} dest=/etc/openvpn/server/{{ item }} owner=root group=root mode=0600
+ with_items:
+ - ca.crt
+ - dh2048.pem
+ - server.crt
+ - server.key
+ - ta.key
+
+- name: Install openvpn configuration files
+ template: src=etc/openvpn/server/config.conf.j2 dest=/etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf owner=root group=root mode=0644
+ with_items:
+ - '{{ openvpn_subnets }}'
+ notify: Restart openvpn-server-{{ item.proto }}
+
+- name: Enable openvpn services
+ service: name="openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}" enabled=yes
+ with_items:
+ - '{{ openvpn_subnets }}'
+
+- name: Install Personnal OpenVPN config file for firewalld
+ template: src=etc/firewalld/services/openvpn.xml dest=/etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml owner=root group=root mode=0644
+ register: result
+
+- name: reload firewalld to refresh service list
+ command: firewall-cmd --reload
+ when: result is changed
+
+- name: Open Firewalld
+ firewalld:
+ service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
+ permanent: true
+ state: enabled
+ immediate: true
+
+# firewall-cmd --reload
+# firewall-cmd --add-service openvpn --permanent
+# firewall-cmd --add-service openvpn-tcp --permanent
+# firewall-cmd --zone=external --change-interface=eth0
+# firewall-cmd --add-service=openvpn --zone=external --permanent
+# firewall-cmd --add-service=openvpn-tcp --zone=external --permanent
+
diff --git a/templates/etc/firewalld/services/openvpn.xml b/templates/etc/firewalld/services/openvpn.xml
new file mode 100644
index 0000000..68b77c0
--- /dev/null
+++ b/templates/etc/firewalld/services/openvpn.xml
@@ -0,0 +1,7 @@ + + + OpenVPN TCP and UDP + OpenVPN is a virtual private network (VPN) solution. It is used to create encrypted point-to-point tunnels between computers. If you plan to provide a VPN service, enable this option. + + + 
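Review bot: The `sefcontext` task adds the `openvpn_unconfined_script_exec_t` rule after the template task has already written /etc/openvpn/server/vpn-up.sh, and `sefcontext` does not relabel existing files, so on the first run the script keeps its default label and OpenVPN's `up` hook may be denied (or only succeed because the `openvpn_run_unconfined` boolean is switched on). Add a relabel step directly after it — `- name: Apply selinux context to vpn-up.sh script` / `  command: restorecon -v /etc/openvpn/server/vpn-up.sh` / `  changed_when: false` — or move the fcontext rule ahead of the template task. Setting `openvpn_run_unconfined` to `yes` lifts confinement from every script OpenVPN runs, not just this one; a comment stating why the per-file context alone is not enough (or dropping the boolean if it is) would help the next reviewer. `server.key` and `ta.key` are copied from the role's files/ tree, i.e. they live in the repository in clear — consider `ansible-vault` for those two or generating them on the host — and `state=latest` in the package task turns every run into a potential upgrade, where `state: present` is the conventional idempotent choice.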
diff --git a/templates/etc/openvpn/server/config.conf.j2 b/templates/etc/openvpn/server/config.conf.j2
new file mode 100644
index 0000000..ef80fcb
--- /dev/null
+++ b/templates/etc/openvpn/server/config.conf.j2
@@ -0,0 +1,59 @@
+port {{ item.port }}
+{% if item.proto == "udp" %}
+proto {{ item.proto }}
+{% elif item.proto == "tcp" %}
+proto tcp-server
+{% endif %}
+dev tap
+ca ca.crt
+cert server.crt
+key server.key
+dh dh2048.pem
+mode server
+tls-server
+#user nobody
+#group nobody
+push "route-gateway {{ item.ip_server }}"
+push "redirect-gateway def1"
+#push "redirect-gateway def1 bypass-dhcp"
+{% if item.dns is defined %}
+push "dhcp-option DNS {{ item.dns }}"
+{% endif %}
+{% if item.domains is defined %}
+{% for vpndomain in item.domains %}
+push "dhcp-option DOMAIN {{ vpndomain }}"
+{% endfor %}
+{% endif %}
+{% if item.routes is defined %}
+{% for vpnroute in item.routes %}
+push "route {{ vpnroute }}"
+{% endfor %}
+#push "route 0.0.0.0 128.0.0.0"
+#push "route 128.0.0.0 128.0.0.0"
+{% endif %}
+client-to-client
+keepalive 10 60
+tls-auth ta.key 0
+cipher AES-256-CBC
+compress lz4-v2
+push "compress lz4-v2"
+#comp-lzo
+persist-key
+persist-tun
+{% if item.dhcp_range is defined %}
+server-bridge {{ item.ip_server }} {{ item.netmask }} {{ item.dhcp_range}}
+{% endif %}
+status openvpn-status.log
+#log-append openvpn.log
+script-security 2
+up /etc/openvpn/server/vpn-up.sh
+down /etc/openvpn/server/vpn-down.sh
+
+#cd /etc/openvpn/
+#secret key
+#ping-timer-rem
+#replay-persist antireplay-{{ openvpn_vpn_name }}
+verb 3
+#route 172.16.0.0 255.255.255.0 172.16.255.2
+#route 172.16.2.0 255.255.255.0 172.16.255.3
+#ifconfig 172.16.100.10 255.255.255.0
diff --git a/templates/etc/openvpn/server/vpn-up-down.sh.j2 b/templates/etc/openvpn/server/vpn-up-down.sh.j2
new file mode 100644
index 0000000..b3f7e0b
--- /dev/null
+++ b/templates/etc/openvpn/server/vpn-up-down.sh.j2
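Review bot: `compress lz4-v2` together with `push "compress lz4-v2"` compresses the tunnel payload; compression on an encrypted channel is what the VORACLE-class attacks exploit and current OpenVPN guidance discourages it, so both lines should be dropped (leaving `#comp-lzo` commented as it is). Privilege dropping (`#user nobody` / `#group nobody`) is commented out even though `persist-key` and `persist-tun` — the options that exist to make that drop work — are set; if the up/down scripts are the reason, that deserves a comment here, since the `down` hook runs after privileges are dropped and the brctl/ovs-vsctl calls in vpn-down.sh would then fail. Consider adding `remote-cert-tls client` and `tls-version-min 1.2` so that a certificate issued for the server (or any non-client certificate from the same CA) is refused as a client identity and old TLS versions are rejected. Minor: `{{ item.dhcp_range}}` lacks the space before its closing braces, and when `item.proto` is neither `udp` nor `tcp` no `proto` line is emitted at all, which silently changes the listener.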
@@ -0,0 +1,21 @@
+#!/bin/bash
+if [ $(echo "$0" | grep -c up) -eq 1 ]; then
+ while [ $(ip link show {{ openvpn_bridge }} | grep -c {{ openvpn_bridge }}) -eq 0 ]; do
+ sleep 5
+ done
+ /usr/sbin/ip link set up $1
+{% if openvpn_bridge_type == "bridge" %}
+ /usr/sbin/brctl addif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+ /usr/bin/ovs-vsctl add-port {{ openvpn_bridge }} $1 tag={{ openvpn_vlan }} vlan_mode=native-tagged
+{% endif %}
+elif [ $(echo "$0" | grep -c down) -eq 1 ]; then
+{% if openvpn_bridge_type == "bridge" %}
+ /usr/sbin/brctl delif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+ /usr/bin/ovs-vsctl del-port {{ openvpn_bridge }} $1
+{% endif %}
+ /usr/sbin/ip link set down $1
+fi
+
+exit 0
diff --git a/templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2 b/templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2
new file mode 100644
index 0000000..17e5156
--- /dev/null
+++ b/templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2
@@ -0,0 +1,22 @@
+DEVICE={{ openvpn_vpn_name }}
+STP=yes
+BRIDGING_OPTS=priority=32768
+TYPE=Bridge
+BOOTPROTO=static
+DEFROUTE=no
+PEERDNS=no
+PEERROUTES=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME={{ openvpn_vpn_name }}
+UUID=da77c911-c141-4273-bb39-4ef98146236b
+ONBOOT=yes
+IPADDR=172.16.100.1
+PREFIX=24
+ZONE=trusted
diff --git a/templates/usr/local/bin/openvpn-gen_conf_client.sh b/templates/usr/local/bin/openvpn-gen_conf_client.sh
new file mode 100644
index 0000000..8759207
--- /dev/null
+++ b/templates/usr/local/bin/openvpn-gen_conf_client.sh
@@ -0,0 +1,37 @@ +#!/bin/bash + +# First argument: Client identifier + +KEY_DIR=/etc/openvpn/server/easy-rsa/2.0/keys +cat <') \ + ${KEY_DIR}/ca.crt \ + <(echo -e '\n') \ + ${KEY_DIR}/${1}.crt \ + <(echo -e '\n') \ + ${KEY_DIR}/${1}.key \ + <(echo -e '\n') \ + ${KEY_DIR}/ta.key \ + <(echo -e '') + + 
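Review bot: Dispatching on `grep -c up` / `grep -c down` against `$0` matches a substring of the whole invocation path, so any parent directory containing "up" (a backup tree, for instance) sends the down-link into the up branch, and a path matching neither runs nothing and still exits 0. Dispatch on the basename with a `case` and fail loudly on anything unexpected; while there, quote the interface name OpenVPN passes in (`"$1"`), which is used unquoted on every `ip`/`brctl`/`ovs-vsctl` line. The `while` loop waiting for the bridge has no upper bound, so a missing bridge blocks the OpenVPN `up` hook forever — a bounded retry (a counter that gives up after a fixed number of attempts) with a non-zero exit makes the failure visible in the journal instead. Optionally, `ip link set "$dev" master {{ openvpn_bridge }}` is the iproute2 equivalent of `brctl addif` and would remove the dependency on the end-of-life bridge-utils package.

```shell
#!/bin/bash
dev="$1"
case "${0##*/}" in
  vpn-up.sh)
    # … unchanged: wait loop for {{ openvpn_bridge }} (add a bounded retry count), ip link set up, addif/add-port — using "$dev" …
    ;;
  vpn-down.sh)
    # … unchanged: delif/del-port, ip link set down — using "$dev" …
    ;;
  *)
    echo "$0: expected to be invoked as vpn-up.sh or vpn-down.sh" >&2
    exit 1
    ;;
esac
```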
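Review bot: `UUID=da77c911-c141-4273-bb39-4ef98146236b` is a fixed literal in a template, so every host provisioned with this role gets the same NetworkManager connection UUID, and `IPADDR=172.16.100.1` / `PREFIX=24` ignore `openvpn_bridge_ip` from defaults/main.yml (192.168.2.1/24) while `DEVICE`/`NAME` use `openvpn_vpn_name` where the tasks and the up/down script use `openvpn_bridge` for the bridge — as written this file does not describe the bridge the rest of the role manages. Derive these from the role variables, e.g. `UUID={{ (openvpn_vpn_name ~ ansible_machine_id) | to_uuid }}`, `IPADDR={{ openvpn_bridge_ip | ipaddr('address') }}`, `PREFIX={{ openvpn_bridge_ip | ipaddr('prefix') }}` (the `ipaddr` filter needs python-netaddr on the controller). `ZONE=trusted` places the VPN-facing bridge in firewalld's trusted zone, which accepts all traffic from connected clients; a dedicated zone exposing only the services clients need is the safer default. `IPV6_AUTOCONF=yes` together with `IPV6_DEFROUTE=yes` makes the server accept router advertisements on an interface whose peers are VPN clients, so a misconfigured client could alter the server's IPv6 routing — `IPV6_AUTOCONF=no` is the usual setting on the gateway side. As far as this patch shows, no task installs this template.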
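Review bot: The client identifier in `$1` is interpolated into `${KEY_DIR}/${1}.crt` and `${KEY_DIR}/${1}.key` without validation, so an empty or path-like argument reads the wrong file (or none) and the script still exits 0 with a partial profile; a guard at the top such as `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "usage: $0 <client-id>" >&2; exit 1; }` plus `set -euo pipefail` turns that into a clean failure. The output bundles a client private key and `ta.key` into a profile on stdout, so whatever captures it should run under `umask 077`; saying so in the header (the file has only `# First argument: Client identifier`) would help the operator. `KEY_DIR` points at an easy-rsa tree under /etc/openvpn/server that vars/RedHat.yml deliberately does not install (`# - easy-rsa # Not need`), and as far as this patch shows no task installs this script either. The rendered hunk appears to have lost the echo/heredoc content between angle brackets in extraction, so the remainder of the file was not reviewed.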
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..9981bb5
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,9 @@
+---
+openvpn_packages:
+ - openvpn
+# - easy-rsa # Not need
+ - bridge-utils
+ - NetworkManager-glib
+ - libsemanage-python
+ - policycoreutils-python
+
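Review bot: `bridge-utils` is installed unconditionally although the up/down script only calls `brctl` when `openvpn_bridge_type == "bridge"`, and `NetworkManager-glib` is only needed by the `nmcli` task that tasks/main.yml leaves commented out; a comment next to each naming its consumer, or a conditional list, keeps the package set minimal. The `# - easy-rsa # Not need` comment contradicts `KEY_DIR=/etc/openvpn/server/easy-rsa/2.0/keys` in openvpn-gen_conf_client.sh, so it is worth stating where that tree is expected to come from. `libsemanage-python` and `policycoreutils-python` are the Python 2 package names, consistent with the RHEL 7 era of this commit but not resolvable on newer releases (e.g. `python3-libsemanage` / `python3-policycoreutils` there), which a version-keyed vars file would handle.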