Externalize role
dbd8ed5949
9 changed files with 272 additions and 0 deletions
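--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+openvpn_vpn_name: local
+openvpn_bridge_type: bridge
+openvpn_bridge: ovpn
+openvpn_bridge_ip: 192.168.2.1/24
+openvpn_port: 1194
+openvpn_bridgemaster: "{{ openvswitch_interface }}"
+openvpn_vlan: 405
+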
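Review bot: `openvpn_subnets`, which tasks/main.yml loops over and config.conf.j2 reads `port`, `proto`, `ip_server`, `netmask`, `dhcp_range`, `dns`, `domains` and `routes` from, has no default and no documentation here, so the role stops with an undefined-variable error unless the caller already knows that schema. Add an explicit empty default with a comment describing the item keys, e.g. `# Server instances; each item: proto (udp|tcp), port, ip_server, netmask; optional dhcp_range, dns, domains, routes` followed by `openvpn_subnets: []`. `openvpn_bridge_ip` already carries a `/24` prefix, while the commented-out nmcli task in tasks/main.yml appends a second `/24` to it; decide whether the variable holds an address or a CIDR and say so on the line. A one-line comment on `openvpn_bridge_type` naming the two values the templates understand (`bridge` and `ovs`) would also help.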
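--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart openvpn-server-udp
+  service: name=openvpn-server@{{ openvpn_vpn_name }}.udp state=restarted
+
+- name: Restart openvpn-server-tcp
+  service: name=openvpn-server@{{ openvpn_vpn_name }}.tcp state=restarted
+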
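Review bot: Both handlers use the `key=value` shorthand for `service`, the legacy form; block YAML keeps the templated unit name quoted and reads consistently with the block-style tasks in tasks/main.yml, e.g. `service:` / `name: "openvpn-server@{{ openvpn_vpn_name }}.udp"` / `state: restarted`. These handler names are reached from tasks/main.yml through `notify: Restart openvpn-server-{{ item.proto }}`, so any `proto` value other than `udp` or `tcp` in `openvpn_subnets` notifies a handler that does not exist, and config.conf.j2 emits no `proto` line for such a value either; an `assert` task on `item.proto` in tasks/main.yml would catch that in one place.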
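--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,101 @@
+---
+- name: Include vars for {{ ansible_os_family }}
+  include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Install packages for openvpn
+  package: name="{{ openvpn_packages }}" state=latest update_cache=yes
+
+- name: Install OpenVSwitch
+  include_role:
+    name: openvswitch
+  when:
+    - openvpn_bridge_type == "ovs"
+
+#- openvswitch_bridge:
+# bridge: "{{ openvpn_bridge }}"
+# parent: "{{ openvpn_bridgemaster }}"
+# vlan: "{{ openvpn_vlan }}"
+# state: present
+# when:
+# - openvpn_bridge_type == "ovs"
+
+# Doesn't work !!
+#- name: try nmcli add bridge - conn_name only & ip4 gw4 mode
+# nmcli:
+# type: bridge
+# conn_name: '{{ openvpn_bridge }}'
+# ip4: '{{ openvpn_bridge_ip }}/24'
+# state: present
+# when:
+# - openvpn_bridge_type == "bridge"
+
+- name: Make server config directory
+  file: path=/etc/openvpn/server state=directory owner=root group=root mode=0750
+
+- name: Install vpn-up.sh script
+  template: src=etc/openvpn/server/vpn-up-down.sh.j2 dest=/etc/openvpn/server/vpn-up.sh owner=root group=root mode=0755
+- name: Install vpn-down.sh link
+  file: src=vpn-up.sh dest=/etc/openvpn/server/vpn-down.sh state=link force=yes
+# setsebool openvpn_run_unconfined on
+- name: Set boolean selinux flag for scripts
+  seboolean:
+    name: openvpn_run_unconfined
+    state: yes
+    persistent: yes
+# chcon -t openvpn_unconfined_script_exec_t vpn-up.sh
+- name: Set selinux context to vpn-up.sh script
+  sefcontext:
+    target: '/etc/openvpn/server/vpn-up.sh'
+    setype: openvpn_unconfined_script_exec_t
+    state: present
+
+# openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
+# openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
+# openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
+# openssl dhparam -out dh2048.pem 2048
+# source vars
+# ./pkitool Client1
+
+# Need more step to generate certificat files
+- name: Install Certificat files
+  copy: src=etc/openvpn/server/easy-rsa/2.0/keys/{{ item }} dest=/etc/openvpn/server/{{ item }} owner=root group=root mode=0600
+  with_items:
+    - ca.crt
+    - dh2048.pem
+    - server.crt
+    - server.key
+    - ta.key
+
+- name: Install openvpn configuration files
+  template: src=etc/openvpn/server/config.conf.j2 dest=/etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf owner=root group=root mode=0644
+  with_items:
+    - '{{ openvpn_subnets }}'
+  notify: Restart openvpn-server-{{ item.proto }}
+
+- name: Enable openvpn services
+  service: name="openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}" enabled=yes
+  with_items:
+    - '{{ openvpn_subnets }}'
+
+- name: Install Personnal OpenVPN config file for firewalld
+  template: src=etc/firewalld/services/openvpn.xml dest=/etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml owner=root group=root mode=0644
+  register: result
+
+- name: reload firewalld to refresh service list
+  command: firewall-cmd --reload
+  when: result is changed
+
+- name: Open Firewalld
+  firewalld:
+    service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
+    permanent: true
+    state: enabled
+    immediate: true
+
+# firewall-cmd --reload
+# firewall-cmd --add-service openvpn --permanent
+# firewall-cmd --add-service openvpn-tcp --permanent
+# firewall-cmd --zone=external --change-interface=eth0
+# firewall-cmd --add-service=openvpn --zone=external --permanent
+# firewall-cmd --add-service=openvpn-tcp --zone=external --permanent
+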
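Review bot: The `sefcontext` task (`Set selinux context to vpn-up.sh script`) only adds the file-context rule to policy; per the module's documentation it does not relabel existing files, and the preceding `template` task has already written `vpn-up.sh`, so the script keeps the label it got at creation and `openvpn_run_unconfined` does nothing for it until a relabel happens (the commented `chcon` line shows that was the intent). Add a follow-up `- name: Apply selinux context to vpn-up.sh script` / `command: restorecon -v /etc/openvpn/server/vpn-up.sh` with a `changed_when` on its output, or set `setype=openvpn_unconfined_script_exec_t` on the `template` task so the label is applied when the file is written. `package: ... state=latest update_cache=yes` upgrades the packages on every run rather than ensuring they are installed; `state=present` is the conventional choice unless in-place upgrades are a deliberate job of this role. The `copy` task ships `server.key` and `ta.key` from the role's `files/` tree, and the commit does not show where those come from; if they are committed alongside the role they should be vault-encrypted or generated on the host, and the task deserves a comment saying which.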
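--- a/templates/etc/firewalld/services/openvpn.xml
+++ b/templates/etc/firewalld/services/openvpn.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>OpenVPN TCP and UDP</short>
+  <description>OpenVPN is a virtual private network (VPN) solution. It is used to create encrypted point-to-point tunnels between computers. If you plan to provide a VPN service, enable this option.</description>
+  <port protocol="tcp" port="{{ openvpn_port }}"/>
+  <port protocol="udp" port="{{ openvpn_port }}"/>
+</service>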
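Review bot: The service definition opens only `openvpn_port` for both protocols, while config.conf.j2 binds each instance to `item.port` from `openvpn_subnets` and tasks/main.yml enables one `openvpn-server@…` unit per item, so an instance configured on any other port is enabled but stays blocked by firewalld. Generate the `<port>` entries from the same list instead, e.g. `{% for subnet in openvpn_subnets %}` / `  <port protocol="{{ subnet.proto }}" port="{{ subnet.port }}"/>` / `{% endfor %}`, which also stops opening a protocol no instance listens on. Since this file is rendered by `template`, naming it `openvpn.xml.j2` would make that obvious to the next reader; the `template:` src in tasks/main.yml would need the same rename.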
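--- a/templates/etc/openvpn/server/config.conf.j2
+++ b/templates/etc/openvpn/server/config.conf.j2
@@ -0,0 +1,59 @@
+port {{ item.port }}
+{% if item.proto == "udp" %}
+proto {{ item.proto }}
+{% elif item.proto == "tcp" %}
+proto tcp-server
+{% endif %}
+dev tap
+ca ca.crt
+cert server.crt
+key server.key
+dh dh2048.pem
+mode server
+tls-server
+#user nobody
+#group nobody
+push "route-gateway {{ item.ip_server }}"
+push "redirect-gateway def1"
+#push "redirect-gateway def1 bypass-dhcp"
+{% if item.dns is defined %}
+push "dhcp-option DNS {{ item.dns }}"
+{% endif %}
+{% if item.domains is defined %}
+{% for vpndomain in item.domains %}
+push "dhcp-option DOMAIN {{ vpndomain }}"
+{% endfor %}
+{% endif %}
+{% if item.routes is defined %}
+{% for vpnroute in item.routes %}
+push "route {{ vpnroute }}"
+{% endfor %}
+#push "route 0.0.0.0 128.0.0.0"
+#push "route 128.0.0.0 128.0.0.0"
+{% endif %}
+client-to-client
+keepalive 10 60
+tls-auth ta.key 0
+cipher AES-256-CBC
+compress lz4-v2
+push "compress lz4-v2"
+#comp-lzo
+persist-key
+persist-tun
+{% if item.dhcp_range is defined %}
+server-bridge {{ item.ip_server }} {{ item.netmask }} {{ item.dhcp_range}}
+{% endif %}
+status openvpn-status.log
+#log-append openvpn.log
+script-security 2
+up /etc/openvpn/server/vpn-up.sh
+down /etc/openvpn/server/vpn-down.sh
+
+#cd /etc/openvpn/
+#secret key
+#ping-timer-rem
+#replay-persist antireplay-{{ openvpn_vpn_name }}
+verb 3
+#route 172.16.0.0 255.255.255.0 172.16.255.2
+#route 172.16.2.0 255.255.255.0 172.16.255.3
+#ifconfig 172.16.100.10 255.255.255.0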
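Review bot: `compress lz4-v2` together with `push "compress lz4-v2"` turns on data compression inside the tunnel, which is exactly the condition the VORACLE class of attacks needs to recover secrets from compressed TLS-over-VPN traffic; OpenVPN's own documentation now discourages compression for that reason. Unless a specific client population requires it, drop both lines (and the stale `#comp-lzo`) so the server neither compresses nor asks clients to. `#user nobody` / `#group nobody` leave the daemon running as root after initialization even though `persist-key` and `persist-tun`, the prerequisites for dropping privileges, are already set; if they are commented out because the `down` script needs root for `brctl`/`ovs-vsctl`, a comment saying so would stop the next reader from re-enabling them blindly. With `script-security 2`, `vpn-up.sh`/`vpn-down.sh` run as root whenever the tap interface is brought up or down, so the `owner=root mode=0755` on them in tasks/main.yml is the control that keeps an unprivileged user from editing what root executes; a one-line comment next to `script-security 2` noting that dependency is cheap.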
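--- a/templates/etc/openvpn/server/vpn-up-down.sh.j2
+++ b/templates/etc/openvpn/server/vpn-up-down.sh.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+if [ $(echo "$0" | grep -c up) -eq 1 ]; then
+  while [ $(ip link show {{ openvpn_bridge }} | grep -c {{ openvpn_bridge }}) -eq 0 ]; do
+    sleep 5
+  done
+  /usr/sbin/ip link set up $1
+{% if openvpn_bridge_type == "bridge" %}
+  /usr/sbin/brctl addif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+  /usr/bin/ovs-vsctl add-port {{ openvpn_bridge }} $1 tag={{ openvpn_vlan }} vlan_mode=native-tagged
+{% endif %}
+elif [ $(echo "$0" | grep -c down) -eq 1 ]; then
+{% if openvpn_bridge_type == "bridge" %}
+  /usr/sbin/brctl delif {{ openvpn_bridge }} $1
+{% elif openvpn_bridge_type == "ovs" %}
+  /usr/bin/ovs-vsctl del-port {{ openvpn_bridge }} $1
+{% endif %}
+  /usr/sbin/ip link set down $1
+fi
+
+exit 0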
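Review bot: The `while` loop that waits for `{{ openvpn_bridge }}` has no upper bound, so if the bridge never appears the `up` script blocks forever and the OpenVPN start hangs with no error; and the up/down decision is made with `grep -c up` / `grep -c down` over the whole `$0` path, so any parent directory whose name contains `up` (a `backup` or `setup` tree) runs the up branch for `vpn-down.sh`. Dispatch on the basename with `case "${0##*/}"`, bound the wait and fail loudly so a missing bridge shows up as a failed service start rather than a hung one, and quote `$1` (the tap device name OpenVPN passes) throughout. `grep -c {{ openvpn_bridge }}` on the `ip link show` output is also a substring test (`ovpn` matches `ovpn2`); the exit status of `ip link show <name>` is sufficient. Only the dispatch and the up-branch wait are rewritten below; the `brctl`/`ovs-vsctl` branches are unchanged apart from the quoting.

```shell
#!/bin/bash
# $0 is the name OpenVPN invoked (vpn-up.sh or its vpn-down.sh link); $1 is the tap device.
dev="$1"
case "${0##*/}" in
  vpn-up.sh)
    tries=0
    # 24 x 5 s = 2 min before giving up (constructed limit; tune as needed)
    until ip link show "{{ openvpn_bridge }}" >/dev/null 2>&1; do
      tries=$((tries + 1))
      if [ "$tries" -ge 24 ]; then
        echo "bridge {{ openvpn_bridge }} not present, giving up" >&2
        exit 1
      fi
      sleep 5
    done
    /usr/sbin/ip link set up "$dev"
    # … unchanged: brctl addif / ovs-vsctl add-port branch, with $1 written as "$dev" …
    ;;
  vpn-down.sh)
    # … unchanged: brctl delif / ovs-vsctl del-port branch, with $1 written as "$dev" …
    /usr/sbin/ip link set down "$dev"
    ;;
esac
exit 0
```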
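--- a/templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2
+++ b/templates/etc/sysconfig/network-scripts/ifcfg-ovpn.j2
@@ -0,0 +1,22 @@
+DEVICE={{ openvpn_vpn_name }}
+STP=yes
+BRIDGING_OPTS=priority=32768
+TYPE=Bridge
+BOOTPROTO=static
+DEFROUTE=no
+PEERDNS=no
+PEERROUTES=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME={{ openvpn_vpn_name }}
+UUID=da77c911-c141-4273-bb39-4ef98146236b
+ONBOOT=yes
+IPADDR=172.16.100.1
+PREFIX=24
+ZONE=trusted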
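Review bot: `DEVICE` and `NAME` are rendered from `openvpn_vpn_name` (default `local`) although vpn-up-down.sh.j2 adds the tap device to `openvpn_bridge` (default `ovpn`), and `IPADDR=172.16.100.1`/`PREFIX=24` are hard-coded while `openvpn_bridge_ip` exists in defaults, so with default variables this file defines a bridge nothing else in the role attaches to. Use `DEVICE={{ openvpn_bridge }}` and `NAME={{ openvpn_bridge }}`, and derive `IPADDR`/`PREFIX` from `openvpn_bridge_ip` so one variable drives both the interface and the scripts. `UUID=da77c911-c141-4273-bb39-4ef98146236b` is baked into the template, so every host provisioned by the role gets the same connection UUID; drop the line and let NetworkManager assign one. `ZONE=trusted` places the VPN bridge in firewalld's trusted zone, meaning everything arriving from VPN clients is accepted by the host; if that is the intent, say so in a comment, otherwise a dedicated zone with explicit services is the safer default. No task in tasks/main.yml renders this template in this commit, so as committed it is unused; a task or a note in the file would make that explicit.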
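--- a/templates/usr/local/bin/openvpn-gen_conf_client.sh
+++ b/templates/usr/local/bin/openvpn-gen_conf_client.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# First argument: Client identifier
+
+KEY_DIR=/etc/openvpn/server/easy-rsa/2.0/keys
+cat <<EOF
+client
+dev tap
+proto tcp
+remote xxxxxx 1194
+resolv-retry infinite
+keepalive 10 60
+#explicit-exit-notify 2
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+#ns-cert-type server
+key-direction 1
+cipher AES-256-CBC
+comp-lzo
+compress lz4-v2
+verb 1
+
+EOF
+
+cat <(echo -e '<ca>') \
+  ${KEY_DIR}/ca.crt \
+  <(echo -e '</ca>\n<cert>') \
+  ${KEY_DIR}/${1}.crt \
+  <(echo -e '</cert>\n<key>') \
+  ${KEY_DIR}/${1}.key \
+  <(echo -e '</key>\n<tls-auth>') \
+  ${KEY_DIR}/ta.key \
+  <(echo -e '</tls-auth>')
+
+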
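Review bot: `$1` is used unvalidated to build `${KEY_DIR}/${1}.crt` and `${KEY_DIR}/${1}.key`, and there is no `set -e` or existence check, so an empty or mistyped identifier (or one containing `../`) yields a profile with `cat` errors on stderr, exit status 0, and a truncated `<cert>`/`<key>` block handed to the operator as if it were complete. Validate the identifier against a safe character set, check the four input files before emitting anything, and fail fast; the rewritten preamble is below, and the heredoc body and the `cat` assembly change only in using `"$client"` in place of `${1}`. `remote xxxxxx 1194` is a placeholder and `proto tcp` is fixed even though the server side is driven by `openvpn_subnets`; as the file sits under `templates/` but no task in tasks/main.yml renders or installs it, either template `remote`/`proto`/`port` from role variables or state in a comment that operators must edit it by hand. The profile also lists both `comp-lzo` and `compress lz4-v2`, which are mutually exclusive in OpenVPN; keep at most the one the server actually uses.

```shell
#!/bin/bash
set -euo pipefail

# First argument: Client identifier (name of a key pair under KEY_DIR)
client="${1:?usage: $0 CLIENT_ID}"
case "$client" in
  *[!A-Za-z0-9_.-]*|*..*) echo "invalid client identifier: $client" >&2; exit 2 ;;
esac

KEY_DIR=/etc/openvpn/server/easy-rsa/2.0/keys
for f in ca.crt "${client}.crt" "${client}.key" ta.key; do
  [ -r "${KEY_DIR}/${f}" ] || { echo "missing ${KEY_DIR}/${f}" >&2; exit 1; }
done
# … unchanged: heredoc with the client profile, then the cat of <ca>/<cert>/<key>/<tls-auth> using "$client" instead of ${1} …
```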
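--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -0,0 +1,9 @@
+---
+openvpn_packages:
+  - openvpn
+# - easy-rsa # Not need
+  - bridge-utils
+  - NetworkManager-glib
+  - libsemanage-python
+  - policycoreutils-python
+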
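Review bot: `NetworkManager-glib` is the dependency of the `nmcli` module, and the only `nmcli` task in tasks/main.yml is commented out as not working, so the package is currently installed for nothing; either drop it or add a comment tying it to that task so it is not orphaned when the block is deleted. `libsemanage-python` and `policycoreutils-python` are the EL7 (Python 2) names for what `seboolean`/`sefcontext` need; on EL8 and later the packages are `python3-libsemanage`/`python3-policycoreutils`, so a comment stating the targeted release, or a split on `ansible_distribution_major_version`, would keep those tasks from failing on a newer host. The commented `# - easy-rsa # Not need` would read better as `# - easy-rsa  # not needed: keys are copied from the role's files/ tree`.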