Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.

ansible-role-openvpn

Ansible role for installing and configuring an OpenVPN server. This role also enables IPv4 NAT via ufw, but it neither sets ufw's default policy for routed (forwarded) packets nor creates any rules to allow them through. There is no way to know a priori whether you want to deny all routed packets and allow specific flows through, or simply allow all routed packets by default; that part of the ufw configuration must therefore be managed outside of this Ansible role.

Note that this role cannot perform every step necessary to set up NAT. Once an instance is started up, one must determine the NAT interface and add a nat table configuration to the top of /etc/ufw/before.rules:

```
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward VPN client traffic
-A POSTROUTING -s <client_network_cidr> -o <interface_name> -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
```

Finally, one must activate the nat table rules:

```bash
ufw disable && ufw enable
```

These steps can be performed via cloud-init, as is done here.
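The three manual steps above (find the NAT interface, prepend the nat table to /etc/ufw/before.rules, restart ufw) are the kind of thing an operator gets wrong on the second run, when the block is added twice. The script below is an added example and is not part of this role or of cisagov's cloud-init configuration; it assumes the NAT interface is the one carrying the default IPv4 route, that the OpenVPN tunnel device is `tun0`, and that the client network is passed as the first argument (for example `10.8.0.0/24`). All three are illustrative assumptions. It also adds the one `ufw route allow` rule the role deliberately leaves to you, scoped to the tunnel-to-uplink direction, so the routed-packet default policy can stay at DROP.

```shell
#!/bin/sh
# Added example (not part of cisagov/ansible-role-openvpn): finish the NAT
# setup the role leaves to the operator. Assumptions (illustrative only):
# the NAT interface carries the default route, the tunnel device is tun0,
# and the client network CIDR is given as the first argument.
set -eu

# Pick the interface that carries the default IPv4 route; client traffic
# must be masqueraded out of that interface.
detect_nat_iface() {
    ip -4 route show default |
        awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Emit the nat table block in the form the README shows, for the given
# client network and egress interface.
nat_block() {
    cidr="$1"
    iface="$2"
    cat <<EOF
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward VPN client traffic
-A POSTROUTING -s ${cidr} -o ${iface} -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

EOF
}

# Prepend the nat block to a before.rules file, idempotently: the block must
# come before the existing *filter table, and adding it a second time on a
# re-run is at best redundant, so do nothing if a *nat table is already there.
add_nat_rules() {
    rules_file="$1"
    cidr="$2"
    iface="$3"
    if grep -q '^\*nat' "$rules_file"; then
        return 0
    fi
    tmp="$(mktemp)"
    { nat_block "$cidr" "$iface"; cat "$rules_file"; } > "$tmp"
    # Overwrite in place rather than mv, so the file keeps its owner and mode.
    cat "$tmp" > "$rules_file"
    rm -f "$tmp"
}

main() {
    cidr="$1"
    iface="$(detect_nat_iface)"
    add_nat_rules /etc/ufw/before.rules "$cidr" "$iface"
    # The role sets neither the routed-packet default policy nor any route
    # rule; allow only tunnel -> uplink for the client network (tun0 is an
    # assumption: OpenVPN's usual first tun device).
    ufw route allow in on tun0 out on "$iface" from "$cidr"
    # Restart ufw so the new nat table is loaded.
    ufw disable && ufw enable
}

# Only act when a client CIDR is supplied; with no arguments the script just
# defines its functions (handy for sourcing and testing on a scratch file).
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run it once as root on the freshly started instance, e.g. `sudo sh setup-nat.sh 10.8.0.0/24`; a second run is a no-op for before.rules. If you prefer a default-allow forwarding policy instead of a scoped route rule, set `DEFAULT_FORWARD_POLICY="ACCEPT"` in /etc/default/ufw and drop the `ufw route allow` line.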

Note

We cannot currently test any ARM64 platforms under QEMU because QEMU cannot currently support iptables.

Requirements

None.

Role Variables

None.

Dependencies

Installation

This role can be installed via the command:

```bash
ansible-galaxy install --role-file path/to/requirements.yml
```

where requirements.yml looks like:

```yaml
---
- name: openvpn
  src: https://github.com/cisagov/ansible-role-openvpn
```

and may contain other roles as well.

For more information about installing Ansible roles via a YAML file, please see the ansible-galaxy documentation.

Example Playbook

Here's how to use it in a playbook:

```yaml
- hosts: all
  become: true
  become_method: sudo
  tasks:
    - name: Install and configure OpenVPN
      ansible.builtin.include_role:
        name: openvpn
```

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Author Information

Mark Feldhousen - mark.feldhousen@gwe.cisa.dhs.gov
