Externalize role

templates/etc/firewalld/services/openvpn.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>OpenVPN TCP and UDP</short>
+  <description>OpenVPN is a virtual private network (VPN) solution. It is used to create encrypted point-to-point tunnels between computers. If you plan to provide a VPN service, enable this option.</description>
+  <port protocol="tcp" port="{{ openvpn_port }}"/>
+  <port protocol="udp" port="{{ openvpn_port }}"/>
+</service>

templates/etc/openvpn/server/config.conf.j2

@@ -0,0 +1,59 @@
+port {{ item.port }}
+{% if item.proto == "udp" %}
+proto {{ item.proto }}
+{% elif item.proto == "tcp" %}
+proto tcp-server
+{% endif %}
+dev tap
+ca ca.crt
+cert server.crt
+key server.key
+dh dh2048.pem
+mode server
+tls-server
+#user nobody
+#group nobody
+push "route-gateway {{ item.ip_server }}"
+push "redirect-gateway def1"
+#push "redirect-gateway def1 bypass-dhcp"
+{% if item.dns is defined %}
+push "dhcp-option DNS {{ item.dns }}"
+{% endif %}
+{% if item.domains is defined %}
+{% for vpndomain in item.domains %}
+push "dhcp-option DOMAIN {{ vpndomain }}"
+{% endfor %}
+{% endif %}
+{% if item.routes is defined %}
+{% for vpnroute in item.routes %}
+push "route {{ vpnroute }}"
+{% endfor %}
+#push "route 0.0.0.0 128.0.0.0"
+#push "route 128.0.0.0 128.0.0.0"
+{% endif %}
+client-to-client
+keepalive 10 60
+tls-auth ta.key 0
+cipher AES-256-CBC
+compress lz4-v2
+push "compress lz4-v2"
+#comp-lzo
+persist-key
+persist-tun
+{% if item.dhcp_range is defined %}
+server-bridge {{ item.ip_server }} {{ item.netmask }} {{ item.dhcp_range}}
+{% endif %}
+status openvpn-status.log
+#log-append  openvpn.log
+script-security 2
+up /etc/openvpn/server/vpn-up.sh
+down /etc/openvpn/server/vpn-down.sh
+
+#cd /etc/openvpn/
+#secret key
+#ping-timer-rem
+#replay-persist antireplay-{{ openvpn_vpn_name }}
+verb 3
+#route 172.16.0.0 255.255.255.0 172.16.255.2
+#route 172.16.2.0 255.255.255.0 172.16.255.3
+#ifconfig 172.16.100.10 255.255.255.0

templates/etc/openvpn/server/vpn-up-down.sh.j2

@@ -0,0 +1,21 @@
+#!/bin/bash
+if [ $(echo "$0" | grep -c up) -eq 1 ]; then
+	while [ $(ip link show {{ openvpn_bridge }} | grep -c {{ openvpn_bridge }}) -eq 0 ]; do
+		sleep 5
+	done
+	/usr/sbin/ip link set up $1
+{% if openvpn_bridge_type == "bridge" %}
+	/usr/sbin/brctl addif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+	/usr/bin/ovs-vsctl add-port {{ openvpn_bridge }} $1 tag={{ openvpn_vlan }} vlan_mode=native-tagged
+{% endif %}
+elif [ $(echo "$0" | grep -c down) -eq 1 ]; then
+{% if openvpn_bridge_type == "bridge" %}
+	/usr/sbin/brctl delif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+	/usr/bin/ovs-vsctl del-port {{ openvpn_bridge }} $1
+{% endif %}
+	/usr/sbin/ip link set down $1
+fi
+
+exit 0

templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2

@@ -0,0 +1,22 @@
+DEVICE={{ openvpn_vpn_name }}
+STP=yes
+BRIDGING_OPTS=priority=32768
+TYPE=Bridge
+BOOTPROTO=static
+DEFROUTE=no
+PEERDNS=no
+PEERROUTES=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME={{ openvpn_vpn_name }}
+UUID=da77c911-c141-4273-bb39-4ef98146236b
+ONBOOT=yes
+IPADDR=172.16.100.1
+PREFIX=24
+ZONE=trusted

templates/usr/local/bin/openvpn-gen_conf_client.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# First argument: Client identifier
+
+KEY_DIR=/etc/openvpn/server/easy-rsa/2.0/keys
+cat <<EOF
+client
+dev tap
+proto tcp
+remote xxxxxx 1194
+resolv-retry infinite
+keepalive 10 60
+#explicit-exit-notify 2
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+#ns-cert-type server
+key-direction 1
+cipher AES-256-CBC
+comp-lzo
+compress lz4-v2
+verb 1
+
+EOF
+
+cat <(echo -e '<ca>') \
+    ${KEY_DIR}/ca.crt \
+    <(echo -e '</ca>\n<cert>') \
+    ${KEY_DIR}/${1}.crt \
+    <(echo -e '</cert>\n<key>') \
+    ${KEY_DIR}/${1}.key \
+    <(echo -e '</key>\n<tls-auth>') \
+    ${KEY_DIR}/ta.key \
+    <(echo -e '</tls-auth>')
+
+