Not currently being used in production.
Is developed for Debian Jessie.
Configures OpenVPN using good crypto, with faster options chosen where the extra security would be negligible (e.g. AES-128-CBC instead of AES-256-CBC).
An OpenSSL CA on the server generates the certificates, which are available for download via nginx over HTTPS with password protection.
Safe handling of file and program permissions. Certificates aren't world readable, daemons drop permissions to their own unprivileged users/groups, etc.
Runs dnsmasq, a lightweight caching DNS server, using Google's DNS as the upstream provider.
Uses static IP addresses and injects DNS entries, allowing *.vpn addresses to refer to hosts on the virtual LAN.
*.ovpn files and shell scripts for use with network-manager, which can't use inline certificates in *.ovpn files. Deployment on Debian and Android clients is tested and easy.
Automatic updates with unattended-upgrade. This may cause reboots, but they're set to occur at 5AM to minimize issues.
All testing and deployment happens within vagrant, requiring minimal mucking with system settings, while avoiding the general bugginess of
Vagrant setup is done using libvirt/kvm and uses snapshots and aggressive filesystem caching, which is significantly faster and more reliable than the VirtualBox provider.
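As an added example (not part of this project's code), a small shell audit that checks an OpenVPN server directory for the properties claimed above: private keys not readable by other users, the daemon dropping to an unprivileged user/group, and a modern cipher/HMAC pair. The file layout (server.conf, *.key, ta.key) and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# audit_openvpn_dir DIR: prints one FINDING line per problem found and
# returns the number of findings (0 means every check passed).
audit_openvpn_dir() {
    dir="$1"
    conf="$dir/server.conf"
    findings=0

    # 1. Private keys and the tls-auth key must not be group/world readable.
    for f in "$dir"/*.key "$dir"/ta.key; do
        [ -e "$f" ] || continue            # skip unmatched globs
        mode=$(stat -c '%a' "$f")          # GNU coreutils (Debian)
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: $f has mode $mode (expected 600 or 400)"
               findings=$((findings + 1)) ;;
        esac
    done

    # 2. The daemon must drop root after start-up (user/group directives).
    for directive in user group; do
        if ! grep -Eq "^[[:space:]]*$directive[[:space:]]+[^[:space:]]" "$conf"; then
            echo "FINDING: $conf lacks a '$directive' directive (daemon keeps root)"
            findings=$((findings + 1))
        fi
    done

    # 3. Cipher: AES-128-CBC or AES-256-CBC, as the README describes.
    if ! grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-(128|256)-CBC' "$conf"; then
        echo "FINDING: $conf does not use AES-128-CBC or AES-256-CBC"
        findings=$((findings + 1))
    fi

    # 4. HMAC: a SHA-2 digest rather than the SHA1 default.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+SHA(256|384|512)' "$conf"; then
        echo "FINDING: $conf does not set a SHA-2 'auth' digest"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage when run directly: audit the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    audit_openvpn_dir "$1"
fi
```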
Prerequisites and Dependencies
- A functioning gpg-agent configuration on your host with a private key
Clone git submodules:
$ git submodule update --init --recursive
- libvirt, and make sure you can run a libvirt kvm guest as your current user (this usually involves adding yourself to a group). virt-manager is good for testing this.
- vagrant (get it from here) and
Install the needed vagrant plugins:
$ vagrant plugin install vagrant-libvirt
$ vagrant plugin install vagrant-cachier # optional, but highly recommended
Generate the cryptographic keys needed:
Run vagrant up:
If NFS fails to mount, this may be because the NFS server isn't actually running. It might not start when /etc/exports is initially empty. Restart it with
$ sudo service nfs-kernel-server restart
The vagrant documentation on NFS mounts is helpful here too, especially the section on modifying /etc/sudoers to whitelist the NFS setup commands.
10.20.0.0/24 is used for private networking between the minion and master. If you're already using that IP space for real hosts, you may want to modify the IP addresses in the Vagrantfile.