From 4e7d776e77de7c8949e23fa3578844005974543c Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 21 Dec 2023 17:02:40 +0100
Subject: [PATCH 01/17] Removing old ovpn role.

---
 .../ce_provision/meta/requirements-10.yml | 1 -
 .../ce_provision/meta/requirements-11.yml | 1 -
 .../ce_provision/meta/requirements-12.yml | 1 -
 roles/debian/openvpn_config/README.md | 69 ------
 roles/debian/openvpn_config/defaults/main.yml | 54 -----
 roles/debian/openvpn_config/tasks/main.yml | 155 ------------
 .../templates/auth-ldap.conf.j2 | 39 ---
 .../openvpn_config/templates/openvpn.j2 | 3 -
 roles/debian/openvpn_config/templates/vars.j2 | 222 ------------------
 9 files changed, 545 deletions(-)
 delete mode 100644 roles/debian/openvpn_config/README.md
 delete mode 100644 roles/debian/openvpn_config/defaults/main.yml
 delete mode 100644 roles/debian/openvpn_config/tasks/main.yml
 delete mode 100644 roles/debian/openvpn_config/templates/auth-ldap.conf.j2
 delete mode 100644 roles/debian/openvpn_config/templates/openvpn.j2
 delete mode 100644 roles/debian/openvpn_config/templates/vars.j2

diff --git a/roles/debian/ce_provision/meta/requirements-10.yml b/roles/debian/ce_provision/meta/requirements-10.yml
index cf31f4253..2a7be9950 100644
--- a/roles/debian/ce_provision/meta/requirements-10.yml
+++ b/roles/debian/ce_provision/meta/requirements-10.yml
@@ -16,4 +16,3 @@ roles:
 - name: geerlingguy.firewall
 - name: geerlingguy.composer
 - name: geerlingguy.clamav
- - name: robertdebock.openvpn
diff --git a/roles/debian/ce_provision/meta/requirements-11.yml b/roles/debian/ce_provision/meta/requirements-11.yml
index 24d9d02f7..dfaf710a3 100644
--- a/roles/debian/ce_provision/meta/requirements-11.yml
+++ b/roles/debian/ce_provision/meta/requirements-11.yml
@@ -14,4 +14,3 @@ roles:
 - name: geerlingguy.firewall
 - name: geerlingguy.composer
 - name: geerlingguy.clamav
- - name: robertdebock.openvpn
diff --git a/roles/debian/ce_provision/meta/requirements-12.yml b/roles/debian/ce_provision/meta/requirements-12.yml
index 24d9d02f7..dfaf710a3 100644
--- a/roles/debian/ce_provision/meta/requirements-12.yml
+++ b/roles/debian/ce_provision/meta/requirements-12.yml
@@ -14,4 +14,3 @@ roles:
 - name: geerlingguy.firewall
 - name: geerlingguy.composer
 - name: geerlingguy.clamav
- - name: robertdebock.openvpn
diff --git a/roles/debian/openvpn_config/README.md b/roles/debian/openvpn_config/README.md
deleted file mode 100644
index 02bbd8167..000000000
--- a/roles/debian/openvpn_config/README.md
+++ /dev/null
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/defaults/main.yml b/roles/debian/openvpn_config/defaults/main.yml deleted file mode 100644 index 6c711fe99..000000000 --- a/roles/debian/openvpn_config/defaults/main.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so 
diff --git a/roles/debian/openvpn_config/tasks/main.yml b/roles/debian/openvpn_config/tasks/main.yml deleted file mode 100644 index b07353521..000000000 --- a/roles/debian/openvpn_config/tasks/main.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -- name: "Ensure {{ openvpn_config.easyrsa_path }} exists." - ansible.builtin.file: - path: "{{ openvpn_config.easyrsa_path }}" - state: directory - owner: root - group: root - mode: "0755" - -# The Galaxy role creates the certs every time it runs using easy-rsa so we set a vars file: -# https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example -- name: Place easy-rsa vars file for SSL cert generation. - ansible.builtin.template: - src: vars.j2 - dest: "{{ openvpn_config.easyrsa_path }}/vars" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.install - -- name: Install OpenVPN server. - ansible.builtin.include_role: - name: robertdebock.openvpn - when: - - openvpn_config.install - -# Loop files from https://github.com/robertdebock/ansible-role-openvpn/blob/master/tasks/server.yml#L58 -- name: Ensure keys permission are correct. - ansible.builtin.file: - path: /etc/openvpn/server/{{ item | basename }} - mode: "0600" - loop: - - ca.crt - - dh.pem - - ta.key - - issued/client.crt - - issued/server.crt - - private/ca.key - - private/client.key - - private/server.key - -# Manipulate the server.conf file set by the OpenVPN role in Galaxy -- name: Prevent pushing DNS servers. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "dhcp-option DNS" - state: absent - -- name: Remove remote-cert-eku assumption. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "remote-cert-eku" - state: absent - -- name: Make forced redirect optional. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "redirect-gateway def1 bypass-dhcp" - state: absent - when: not openvpn_config.force_redirect_gateway - -- name: Enable VPN compression. 
- ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: comp-lzo - create: true - when: openvpn_config.compress - -- name: Set no client cert required. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: verify-client-cert none - create: true - when: openvpn_config.no_client_cert - -- name: Alter VPN IP range. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "server " - line: "{{ openvpn_config.server_ip_range }}" - -# Handle LDAP configuration -- name: Place LDAP CA cert. - ansible.builtin.copy: - src: "{{ openvpn_config.ldap.tls_cert_local }}" - dest: "{{ openvpn_config.ldap.tls_cert }}" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.ldap.tls_cert_local - - openvpn_config.ldap.install - -- name: Install OpenVPN LDAP auth package. - ansible.builtin.package: - name: openvpn-auth-ldap - state: present - when: openvpn_config.ldap.install - -- name: Ensure LDAP config directory exists. - ansible.builtin.file: - path: "{{ openvpn_config.configuration_directory }}/auth" - state: directory - mode: "0755" - when: openvpn_config.ldap.install - -- name: Place auth-ldap.conf file. - ansible.builtin.template: - src: auth-ldap.conf.j2 - dest: "{{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - owner: root - group: root - mode: "0644" - when: openvpn_config.ldap.install - -- name: Enable LDAP config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/openvpn/openvpn-auth-ldap.so {{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - create: true - when: openvpn_config.ldap.install - -# Handle PAM config -- name: Place openvpn PAM config. 
- ansible.builtin.template: - src: openvpn.j2 - dest: /etc/pam.d/openvpn - owner: root - group: root - mode: "0644" - when: openvpn_config.pam.install - -- name: Enable PAM config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" - create: true - when: openvpn_config.pam.install - -# Handle extra directives -- name: Create custom directives. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "{{ item }}" - create: true - loop: "{{ openvpn_config.custom_directives }}" - when: openvpn_config.custom_directives - -# @TODO this should be a handler if we change the LDAP config rather than a task -- name: Restart OpenVPN. - ansible.builtin.systemd: - name: "{{ openvpn_config.service }}" - state: restarted - daemon_reload: true diff --git a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 b/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 deleted file mode 100644 index bb3614af3..000000000 --- a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ ansible_managed | comment }} - - - # LDAP server URL - URL {{ openvpn_config.ldap.url }} - -{% if openvpn_config.ldap.tls %} - # Enable Start TLS - TLSEnable yes - # TLS CA Certificate File - TLSCACertFile {{ openvpn_config.ldap.tls_cert }} -{% else %} - # Enable Start TLS - TLSEnable no -{% endif %} - - # Network timeout (in seconds) - Timeout {{ openvpn_config.ldap.timeout }} - - - - # Base DN - BaseDN "{{ openvpn_config.ldap.basedn }}" - - # User Search Filter - SearchFilter "{{ openvpn_config.ldap.search_filter }}" - - # Require Group Membership - RequireGroup {{ openvpn_config.ldap.require_group }} - - - #RFC2307bis false - BaseDN "{{ openvpn_config.ldap.group_basedn }}" - SearchFilter "{{ openvpn_config.ldap.group_filter }}" - MemberAttribute memberUid - # Add group members to a PF table (disabled) - #PFTable ips_vpn_eng - - diff --git a/roles/debian/openvpn_config/templates/openvpn.j2 b/roles/debian/openvpn_config/templates/openvpn.j2 deleted file mode 100644 index 97a46ddd3..000000000 --- a/roles/debian/openvpn_config/templates/openvpn.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_managed | comment }} - -{{ openvpn_config.pam.pam_config }} diff --git a/roles/debian/openvpn_config/templates/vars.j2 b/roles/debian/openvpn_config/templates/vars.j2 deleted file mode 100644 index d19baead5..000000000 --- a/roles/debian/openvpn_config/templates/vars.j2 +++ /dev/null 
@@ -1,222 +0,0 @@ -{{ ansible_managed | comment }} - -# Easy-RSA 3 parameter settings - -# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit -# this file in place -- instead, you should copy the entire easy-rsa directory -# to another location so future upgrades don't wipe out your changes. - -# HOW TO USE THIS FILE -# -# vars.example contains built-in examples to Easy-RSA settings. You MUST name -# this file 'vars' if you want it to be used as a configuration file. If you do -# not, it WILL NOT be automatically read when you call easyrsa commands. -# -# It is not necessary to use this config file unless you wish to change -# operational defaults. These defaults should be fine for many uses without the -# need to copy and edit the 'vars' file. -# -# All of the editable settings are shown commented and start with the command -# 'set_var' -- this means any set_var command that is uncommented has been -# modified by the user. If you're happy with a default, there is no need to -# define the value to its default. - -# NOTES FOR WINDOWS USERS -# -# Paths for Windows *MUST* use forward slashes, or optionally double-escaped -# backslashes (single forward slashes are recommended.) This means your path to -# the openssl binary might look like this: -# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# A little housekeeping: DON'T EDIT THIS SECTION -# -# Easy-RSA 3.x doesn't source into the environment directly. -# Complain if a user tries to do this: -if [ -z "$EASYRSA_CALLER" ]; then - echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 - echo "This is no longer necessary and is disallowed. See the section called" >&2 - echo "'How to use this file' near the top comments for more details." >&2 - return 1 -fi - -# DO YOUR EDITS BELOW THIS POINT - -# This variable is used as the base location of configuration files needed by -# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) -# may override this default. 
-# -# The default value of this variable is the location of the easyrsa script -# itself, which is also where the configuration files are located in the -# easy-rsa tree. - -#set_var EASYRSA "${0%/*}" - -# If your OpenSSL command is not in the system PATH, you will need to define the -# path to it here. Normally this means a full path to the executable, otherwise -# you could have left it undefined here and the shown default would be used. -# -# Windows users, remember to use paths with forward-slashes (or escaped -# back-slashes.) Windows users should declare the full path to the openssl -# binary here if it is not in their system PATH. - -#set_var EASYRSA_OPENSSL "openssl" -# -# This sample is in Windows syntax -- edit it for your path if not using PATH: -#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# Edit this variable to point to your soon-to-be-created key directory. By -# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the -# directory you are currently in). -# -# WARNING: init-pki will do a rm -rf on this directory so make sure you define -# it correctly! (Interactive mode will prompt before acting.) - -#set_var EASYRSA_PKI "$PWD/pki" - -# Define directory for temporary subdirectories. - -#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - -# Define X509 DN mode. -# This is used to adjust what elements are included in the Subject field as the DN -# (this is the "Distinguished Name.") -# Note that in cn_only mode the Organizational fields further below aren't used. -# -# Choices are: -# cn_only - use just a CN value -# org - use the "traditional" Country/Province/City/Org/OU/email/CN format - -set_var EASYRSA_DN "{{ openvpn_config.certs.dn_mode }}" - -# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) -# These are the default values for fields which will be placed in the -# certificate. 
Don't leave any of these fields blank, although interactively -# you may omit any specific field by typing the "." symbol (not valid for -# email.) - -set_var EASYRSA_REQ_COUNTRY "{{ openvpn_config.certs.country }}" -set_var EASYRSA_REQ_PROVINCE "{{ openvpn_config.certs.province }}" -set_var EASYRSA_REQ_CITY "{{ openvpn_config.certs.city }}" -set_var EASYRSA_REQ_ORG "{{ openvpn_config.certs.org }}" -set_var EASYRSA_REQ_EMAIL "{{ openvpn_config.certs.email }}" -set_var EASYRSA_REQ_OU "{{ openvpn_config.certs.org_unit }}" - -# Choose a size in bits for your keypairs. The recommended value is 2048. Using -# 2048-bit keys is considered more than sufficient for many years into the -# future. Larger keysizes will slow down TLS negotiation and make key/DH param -# generation take much longer. Values up to 4096 should be accepted by most -# software. Only used when the crypto alg is rsa (see below.) - -#set_var EASYRSA_KEY_SIZE 2048 - -# The default crypto mode is rsa; ec can enable elliptic curve support. -# Note that not all software supports ECC, so use care when enabling it. -# Choices for crypto alg are: (each in lower-case) -# * rsa -# * ec -# * ed - -#set_var EASYRSA_ALGO rsa - -# Define the named curve, used in ec & ed modes: - -#set_var EASYRSA_CURVE secp384r1 - -# In how many days should the root CA key expire? - -#set_var EASYRSA_CA_EXPIRE 3650 - -# In how many days should certificates expire? - -#set_var EASYRSA_CERT_EXPIRE 825 - -# How many days until the next CRL publish date? Note that the CRL can still be -# parsed after this timeframe passes. It is only used for an expected next -# publication date. -#set_var EASYRSA_CRL_DAYS 180 - -# How many days before its expiration date a certificate is allowed to be -# renewed? -#set_var EASYRSA_CERT_RENEW 30 - -# Random serial numbers by default, set to no for the old incremental serial numbers -# -#set_var EASYRSA_RAND_SN "yes" - -# Support deprecated "Netscape" extensions? (choices "yes" or "no".) 
The default -# is "no" to discourage use of deprecated extensions. If you require this -# feature to use with --ns-cert-type, set this to "yes" here. This support -# should be replaced with the more modern --remote-cert-tls feature. If you do -# not use --ns-cert-type in your configs, it is safe (and recommended) to leave -# this defined to "no". When set to "yes", server-signed certs get the -# nsCertType=server attribute, and also get any NS_COMMENT defined below in the -# nsComment field. - -#set_var EASYRSA_NS_SUPPORT "no" - -# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. -# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. - -#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - -# A temp file used to stage cert extensions during signing. The default should -# be fine for most users; however, some users might want an alternative under a -# RAM-based FS, such as /dev/shm or /tmp on some systems. - -#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" - -# !! -# NOTE: ADVANCED OPTIONS BELOW THIS POINT -# PLAY WITH THEM AT YOUR OWN RISK -# !! - -# Broken shell command aliases: If you have a largely broken shell that is -# missing any of these POSIX-required commands used by Easy-RSA, you will need -# to define an alias to the proper path for the command. The symptom will be -# some form of a 'command not found' error from your shell. This means your -# shell is BROKEN, but you can hack around it here if you really need. These -# shown values are not defaults: it is up to you to know what you're doing if -# you touch these. -# -#alias awk="/alt/bin/awk" -#alias cat="/alt/bin/cat" - -# X509 extensions directory: -# If you want to customize the X509 extensions used, set the directory to look -# for extensions here. Each cert type you sign must have a matching filename, -# and an optional file named 'COMMON' is included first when present. 
Note that -# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then -# fallback to $EASYRSA for the 'x509-types' dir. You may override this -# detection with an explicit dir here. -# -#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" - -# If you want to generate KDC certificates, you need to set the realm here. -#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - -# OpenSSL config file: -# If you need to use a specific openssl config file, you can reference it here. -# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the -# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA -# specific and you cannot just use a standard config file, so this is an -# advanced feature. - -#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" - -# Default CN: -# This is best left alone. Interactively you will set this manually, and BATCH -# callers are expected to set this themselves. - -set_var EASYRSA_REQ_CN "{{ openvpn_config.certs.cn }}" - -# Cryptographic digest to use. -# Do not change this default unless you understand the security implications. -# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 - -#set_var EASYRSA_DIGEST "sha256" - -# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly -# in batch mode without any user input, confirmation on dangerous operations, -# or most output. Setting this to any non-blank string enables batch mode. - -#set_var EASYRSA_BATCH "" From 8fdf8f03a9225dd4e0b258327b5be43e3e80b66e Mon Sep 17 00:00:00 2001 
From: gregharvey
Date: Thu, 21 Dec 2023 18:19:16 +0100
Subject: [PATCH 02/17] Adding a first pass at a new openvpn role.

---
 roles/debian/openvpn/README.md | 10 ++++
 roles/debian/openvpn/defaults/main.yml | 22 +++++++
 roles/debian/openvpn/tasks/main.yml | 57 +++++++++++++++++++
 .../templates/headless-openvpn-install.sh.j2 | 21 +++++++
 roles/debian/openvpn/templates/openvpn.pam.j2 | 5 ++
 5 files changed, 115 insertions(+)
 create mode 100644 roles/debian/openvpn/README.md
 create mode 100644 roles/debian/openvpn/defaults/main.yml
 create mode 100644 roles/debian/openvpn/tasks/main.yml
 create mode 100644 roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
 create mode 100644 roles/debian/openvpn/templates/openvpn.pam.j2

diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md
new file mode 100644
index 000000000..6ef02329a
--- /dev/null
+++ b/roles/debian/openvpn/README.md
@@ -0,0 +1,10 @@
+# OpenVPN
+This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode.
+
+## Hardcoded values
+At the moment we do not support headless customisation of encryption settings. This seems possible [by setting the right variables](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L392-L401) and we'll add it later if we can. The defaults are sane, but please note the default cipher is `AES-128-GCM`. We have allowed for finding and replacing this value as part of our role.
+
+[The client config directory is set to `/etc/openvpn/ccd`.](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L900C19-L900C35)
+
+
+
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
new file mode 100644
index 000000000..ecba47d92
--- /dev/null
+++ b/roles/debian/openvpn/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+openvpn:
+ script_install_path: "/home/{{ user_provision.username }}"
+ auto_install: true
+ ldap_integration: false # this cannot work without running the pam_ldap role first
+ name: vpn.example.com
+ approve_ip: "y"
+ ipv6_support: "n"
+ port_choice: "1" # 1 = use default 1194, 3 means use a random port
+ protocol_choice: "1" # 1 = udp, 2 = tcp
+ dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327
+ compression_enabled: "n"
+ compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0
+ customize_enc: "n"
+ pass: "1"
+ #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install
+ push_routes_ipv4: [] # list of VPN push routes for ipv4 networks
+ # Examples:
+ # - 192.168.1.0 # push range 192.168.1.0/24
+ # - 1.2.3.4 # push specific IP 1.2.3.4
+ # - www.google-analytics.com # push any IP resolving to www.google-analytics.com
+ push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
new file mode 100644
index 000000000..abac3de14
--- /dev/null
+++ b/roles/debian/openvpn/tasks/main.yml
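Review bot: `pass: "1"` is the only installer answer in this mapping with no comment saying what the numeric choice selects, and `name: vpn.example.com` reads as a server hostname although the template in this commit exports it as `CLIENT`, i.e. the name of the first generated client profile; a one-line comment on each would save the next reader a trip to the upstream script, e.g. `pass: "1" # answer to the installer's PASS prompt, see the headless-install docs for the choices` and `name: vpn.example.com # used as the CLIENT name of the first client profile`. The `port_choice` comment documents values 1 and 3 but leaves 2 unexplained. The commented `nat_endpoint` example is a `$(curl ...)` command substitution that the template exports verbatim, so whoever enables it is running a command against a third-party service from the installer rather than supplying data; a static address would be a safer example, with the substitution mentioned as an option.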
@@ -0,0 +1,57 @@
+---
+- name: Download latest openvpn-install script.
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
+ dest: "{{ openvpn.script_install_path }}/openvpn-install.sh"
+ mode: '0750'
+ owner: "{{ user_provision.username }}"
+ group: "{{ user_provision.username }}"
+ force: true
+
+- name: Place the headless installer script.
+ ansible.builtin.template:
+ src: headless-openvpn-install.sh.j2
+ dest: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh"
+ mode: "0750"
+ owner: "{{ user_provision.username }}"
+ group: "{{ user_provision.username }}"
+
+- name: Attempt to install OpenVPN in headless mode.
+ ansible.builtin.command:
+ cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh"
+ when: openvpn.auto_install
+
+# @TODO handle adding push routes to config
+# @TODO look into the duplicate-cn and float values in our config
+# @TODO find and replace replace IP range - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L785
+# @TODO find and replace the cipher - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L895-L896
+
+# LDAP integration
+- name: Install OpenVPN plugin for PAM.
+ ansible.builtin.apt:
+ pkg: openvpn-auth-ldap
+ state: present
+ when: openvpn.ldap_integration
+
+- name: Ensure the OpenVPN PAM config is in place.
+ ansible.builtin.template:
+ src: openvpn.pam.j2
+ dest: /etc/pam.d/openvpn
+ mode: "0644"
+ owner: root
+ group: root
+ when: openvpn.ldap_integration
+
+# @TODO add line to config file for LDAP integration
+# plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
+
+- name: Restart OpenVPN.
+ ansible.builtin.service:
+ name: "openvpn@server"
+ state: restarted
+ when: openvpn.ldap_integration
+
+# Installation complete - provide user information
+- name: Service notice.
+ ansible.builtin.debug:
+ msg: "OpenVPN is ready to use, to manage the server run {{ openvpn.script_install_path }}/openvpn-install.sh as root."
diff --git a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
new file mode 100644
index 000000000..1d9d8aeef
--- /dev/null
+++ b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Set headless defaults
+export AUTO_INSTALL=y
+export APPROVE_INSTALL=y
+export APPROVE_IP={{ openvpn.approve_ip }}
+export IPV6_SUPPORT={{ openvpn.ipv6_support }}
+export PORT_CHOICE={{ openvpn.port_choice }}
+export PROTOCOL_CHOICE={{ openvpn.protocol_choice }}
+export DNS={{ openvpn.dns }}
+export COMPRESSION_ENABLED={{ openvpn.compression_enabled }}
+export COMPRESSION_CHOICE={{ openvpn.compression_choice }}
+export CUSTOMIZE_ENC=n
+export CLIENT={{ openvpn.name }}
+export PASS={{ openvpn.pass }}
+{% if openvpn.nat_endpoint is defined and openvpn.nat_endpoint | length %}
+export ENDPOINT={{ openvpn.nat_endpoint }}
+{% endif %}
+
+# Execute installer
+{{ openvpn.script_install_path }}/openvpn-install.sh
\ No newline at end of file
diff --git a/roles/debian/openvpn/templates/openvpn.pam.j2 b/roles/debian/openvpn/templates/openvpn.pam.j2
new file mode 100644
index 000000000..c6128ebe2
--- /dev/null
+++ b/roles/debian/openvpn/templates/openvpn.pam.j2
@@ -0,0 +1,5 @@
+auth sufficient pam_ldap.so config=/etc/openvpn/ldap/ldap
+auth required pam_deny.so
+
+account required pam_ldap.so config=/etc/openvpn/ldap/ldap
+account required pam_permit.so

From 409f81b6c81b5a080b618c282ddf4266b0816c89 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 21 Dec 2023 18:26:24 +0100
Subject: [PATCH 03/17] Adding new line at end of script.

---
 roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

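Review bot: The first task fetches the installer from the mutable `master` branch with `force: true` and no `checksum`, writes it owned by and writable for `user_provision.username`, and the third task then executes it (through the wrapper) on every run; since the installer needs root to configure the system, the account running that task executes whatever that user could have written to the file, and every run also pulls whatever upstream currently publishes. Pinning the URL to a fixed upstream ref plus a `checksum:` on `get_url`, making both files `owner: root`, and guarding the command with `creates: /etc/openvpn/server.conf` (the file the role's later tasks edit) would make the role both reproducible and idempotent. The trailing `Restart OpenVPN.` task also restarts the service unconditionally whenever `ldap_integration` is true, which a `notify` on the template task would avoid. The task named `Install OpenVPN plugin for PAM.` installs `openvpn-auth-ldap`, while the plugin path quoted in the TODO is the PAM plugin; I cannot tell from here which one the role intends, so the task name or the package should be reconciled.
```yaml
- name: Download latest openvpn-install script.
  ansible.builtin.get_url:
    url: https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
    dest: "{{ openvpn.script_install_path }}/openvpn-install.sh"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"  # pin the reviewed script content
    mode: "0750"
    owner: root
    group: root
    force: true
# … unchanged: headless wrapper template task (also owner/group root) …
- name: Attempt to install OpenVPN in headless mode.
  ansible.builtin.command:
    cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh"
    creates: /etc/openvpn/server.conf
  when: openvpn.auto_install
# … unchanged: LDAP/PAM tasks and service notice …
```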
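Review bot: Every `export` in the template interpolates its value unquoted, so a value containing whitespace or shell metacharacters is word-split or interpreted by bash before the installer sees it; the defaults file's own `nat_endpoint` example is a `$(...)` substitution, which shows the values are being treated as shell text rather than data. Quote each one, e.g. `export CLIENT="{{ openvpn.name }}"`, and apply the same to the other exports (quoting still lets a deliberate `$(...)` endpoint expand, so that example keeps working). `export CUSTOMIZE_ENC=n` is hard-coded while `defaults/main.yml` defines `customize_enc: "n"` that nothing reads; either use `export CUSTOMIZE_ENC="{{ openvpn.customize_enc }}"` or drop the unused default.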
diff --git a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
index 1d9d8aeef..e12d97e02 100644
--- a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
+++ b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2
@@ -18,4 +18,4 @@ export ENDPOINT={{ openvpn.nat_endpoint }}
 {% endif %}
 
 # Execute installer
-{{ openvpn.script_install_path }}/openvpn-install.sh
\ No newline at end of file
+{{ openvpn.script_install_path }}/openvpn-install.sh

From f7d718b118594a9f114cbd41644de10bf576461e Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 11:13:02 +0100
Subject: [PATCH 04/17] Adding push route handling.

---
 roles/debian/openvpn/defaults/main.yml | 4 ++--
 roles/debian/openvpn/tasks/main.yml | 31 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
index ecba47d92..de4339ec8 100644
--- a/roles/debian/openvpn/defaults/main.yml
+++ b/roles/debian/openvpn/defaults/main.yml
@@ -16,7 +16,7 @@ openvpn:
 #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install
 push_routes_ipv4: [] # list of VPN push routes for ipv4 networks
 # Examples:
- # - 192.168.1.0 # push range 192.168.1.0/24
- # - 1.2.3.4 # push specific IP 1.2.3.4
+ # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask"
+ # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
+ # - www.google-analytics.com # push any IP resolving to www.google-analytics.com
 push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index abac3de14..ab9f92d31 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -21,6 +21,37 @@
 cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh"
 when: openvpn.auto_install
 
+# Push routes
+- name: Add ipv4 push routes comment for readability.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: "# ipv4 push routes"
+ when: openvpn.push_routes_ipv4 | length > 0
+
+- name: Add ipv4 push routes to the VPN.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: 'push "route {{ item }}"'
+ with_items: "{{ openvpn.push_routes_ipv4 }}"
+ when: openvpn.push_routes_ipv4 | length > 0
+
+- name: Add ipv6 push routes comment for readability.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: "# ipv6 push routes"
+ when:
+ - openvpn.push_routes_ipv6 | length > 0
+ - openvpn.ipv6_support == "y"
+
+- name: Add ipv6 push routes to the VPN.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: 'push "route-ipv6 {{ item }}"'
+ with_items: "{{ openvpn.push_routes_ipv6 }}"
+ when:
+ - openvpn.push_routes_ipv6 | length > 0
+ - openvpn.ipv6_support == "y"
+
 # @TODO handle adding push routes to config
 # @TODO look into the duplicate-cn and float values in our config
 # @TODO find and replace replace IP range - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L785

From 5f5517a7efd30b1286596c523b56ea1faf815e7e Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 11:21:27 +0100
Subject: [PATCH 05/17] Handle duplicate-cn and float OpenVPN options.

---
 roles/debian/openvpn/defaults/main.yml | 2 ++
 roles/debian/openvpn/handlers/main.yml | 6 ++++++
 roles/debian/openvpn/tasks/main.yml | 26 ++++++++++++++++++++++----
 3 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 roles/debian/openvpn/handlers/main.yml

diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
index de4339ec8..d824f9ae9 100644
--- a/roles/debian/openvpn/defaults/main.yml
+++ b/roles/debian/openvpn/defaults/main.yml
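Review bot: The four `lineinfile` tasks only ever append; a route removed from `push_routes_ipv4` or `push_routes_ipv6` stays in `/etc/openvpn/server.conf` forever, so the live push list drifts from the inventory and a client keeps receiving a route nobody intends to push. Managing each family as one `blockinfile` block makes the list declarative (an empty list removes the block), and it also retires the separate comment-line tasks and the `when: ... | length > 0` guards, which are redundant on a looped task anyway. `with_items` could become `loop` for consistency with current Ansible style. The ipv6 task is the same shape with `route-ipv6` and the `ipv6_support` condition kept.
```yaml
# Push routes
- name: Manage ipv4 push routes.
  ansible.builtin.blockinfile:
    path: /etc/openvpn/server.conf
    marker: "# {mark} ANSIBLE MANAGED ipv4 push routes"
    block: |
      {% for route in openvpn.push_routes_ipv4 %}
      push "route {{ route }}"
      {% endfor %}
# … unchanged: ipv6 equivalent with route-ipv6 and the ipv6_support condition …
```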
@@ -4,6 +4,8 @@ openvpn:
 auto_install: true
 ldap_integration: false # this cannot work without running the pam_ldap role first
 name: vpn.example.com
+ allow_floating_client_ip: true # allow for ISP address change with DHCP (option float)
+ multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn)
 approve_ip: "y"
 ipv6_support: "n"
 port_choice: "1" # 1 = use default 1194, 3 means use a random port
diff --git a/roles/debian/openvpn/handlers/main.yml b/roles/debian/openvpn/handlers/main.yml
new file mode 100644
index 000000000..2319ae016
--- /dev/null
+++ b/roles/debian/openvpn/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for OpenVPN
+- name: Restart OpenVPN.
+ ansible.builtin.service:
+ name: "openvpn@server"
+ state: restarted
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index ab9f92d31..7d98f24a8 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -21,6 +21,20 @@
 cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh"
 when: openvpn.auto_install
+- name: Allow multiple simultaneous VPN connections.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: duplicate-cn
+ when: openvpn.multiple_connections
+ notify: Restart OpenVPN.
+
+- name: Add ipv4 push routes comment for readability.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: float
+ when: openvpn.allow_floating_client_ip
+ notify: Restart OpenVPN.
+
 # Push routes
 - name: Add ipv4 push routes comment for readability.
 ansible.builtin.lineinfile:
@@ -34,6 +48,7 @@
 line: 'push "route {{ item }}"'
 with_items: "{{ openvpn.push_routes_ipv4 }}"
 when: openvpn.push_routes_ipv4 | length > 0
+ notify: Restart OpenVPN.
 - name: Add ipv6 push routes comment for readability.
 ansible.builtin.lineinfile:
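Review bot: The comment on `multiple_connections` does not say what `duplicate-cn` gives up: once several clients share one certificate the server can no longer tell them apart in logs or per-client config, and revoking that certificate disconnects all of them at once. Suggest `multiple_connections: false # let several clients share one certificate (option duplicate-cn) - revoking that certificate then locks out all of them`. Likewise `float` accepts packets for an established session from a changed source address, which roaming clients need but which is worth stating plainly so nobody reads the option as a DHCP convenience only.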
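Review bot: The second new task in the `@@ -21,6 +21,20 @@` hunk, which writes `float` to `server.conf`, is still named `Add ipv4 push routes comment for readability.`, a copy-paste leftover that also collides with the real push-routes comment task right below it, so the play output cannot tell the two apart. Rename it, e.g. `- name: Allow clients to change source address mid-session (float).`. Both tasks are add-only, so setting `multiple_connections` back to false does not take `duplicate-cn` out of the file; `lineinfile` with `state: "{{ 'present' if openvpn.multiple_connections else 'absent' }}"` and no `when` would make the option follow the variable, and the same applies to `float`.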
@@ -51,9 +66,8 @@
 when:
 - openvpn.push_routes_ipv6 | length > 0
 - openvpn.ipv6_support == "y"
+ notify: Restart OpenVPN.
-# @TODO handle adding push routes to config
-# @TODO look into the duplicate-cn and float values in our config
 # @TODO find and replace replace IP range - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L785
 # @TODO find and replace the cipher - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L895-L896
@@ -73,8 +87,12 @@
 group: root
 when: openvpn.ldap_integration
-# @TODO add line to config file for LDAP integration
-# plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
+- name: Add LDAP integration config to OpenVPN.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn"
+ when: openvpn.ldap_integration
+ notify: Restart OpenVPN.
 - name: Restart OpenVPN.
 ansible.builtin.service:
From 27a79fd3ebe1b112176769aef75945f54b2565a7 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 12:39:21 +0100
Subject: [PATCH 06/17] Sorting out LDAP and PAM integration.
---
 roles/debian/openvpn/README.md | 5 ++
 roles/debian/openvpn/defaults/main.yml | 17 ++++++-
 roles/debian/openvpn/tasks/main.yml | 48 +++++++++++--------
 .../debian/openvpn/templates/openvpn.ldap.j2 | 34 +++++++++++++
 roles/debian/openvpn/templates/openvpn.pam.j2 | 9 ++--
 .../openvpn/templates/openvpn.pam.ldap.j2 | 7 +++
 6 files changed, 96 insertions(+), 24 deletions(-)
 create mode 100644 roles/debian/openvpn/templates/openvpn.ldap.j2
 create mode 100644 roles/debian/openvpn/templates/openvpn.pam.ldap.j2
diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md
index 6ef02329a..35d391069 100644
--- a/roles/debian/openvpn/README.md
+++ b/roles/debian/openvpn/README.md
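Review bot: In the `@@ -73,8 +87,12 @@` hunk the new task notifies the `Restart OpenVPN.` handler, but the explicit `Restart OpenVPN.` task that the hunk leaves in place below it (its body and `when: openvpn.ldap_integration` sit outside the hunk) still runs, so enabling LDAP integration restarts the service twice in one play and the role now has a task and a handler with the same name. Drop the explicit task and let the handler do the restart. The plugin path is pinned to the `x86_64-linux-gnu` multiarch directory, so the `plugin` line points at a file that does not exist on arm64 hosts; a variable with a per-architecture default would avoid that.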
@@ -1,6 +1,11 @@ # OpenVPN This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. +## PAM authentication +There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. + +The LDAP integration ships with a default configuration for PAM which, as above, can be overridden. It assumes the use of [our `pam_ldap` role](https://github.com/codeenigma/ce-provision/tree/2.x/roles/debian/pam_ldap) for the LDAP variables and defaults to those values, but they can be set explicitly if required. + ## Hardcoded values At the moment we do not support headless customisation of encryption settings. This seems possible [by setting the right variables](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L392-L401) and we'll add it later if we can. The defaults are sane, but please note the default cipher is `AES-128-GCM`. We have allowed for finding and replacing this value as part of our role. diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index d824f9ae9..73bf7852a 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml @@ -2,7 +2,6 @@ openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - ldap_integration: false # this cannot work without running the pam_ldap role first name: vpn.example.com allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) 
@@ -22,3 +21,19 @@ openvpn:
 # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
 # - www.google-analytics.com # push any IP resolving to www.google-analytics.com
 push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
+ pam:
+ enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian
+ module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path
+ config_template: openvpn.pam.j2 # allow override of PAM config template
+ ldap:
+ enabled: false # if true we assume the pam_ldap role is also being used on this server
+ config_template: openvpn.pam.ldap.j2 # allow override of PAM config template for LDAP
+ endpoints: "{{ pam_ldap.endpoints | default('[]') }}"
+ lookup_base: "{{ pam_ldap.lookup_base | default('') }}"
+ lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups
+ login_attribute: uid # the LDAP attribute to check the OpenVPN username against
+ group_base: "" # e.g. ou=Groups,dc=example,dc=com
+ group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com
+ group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against
+ ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}"
+ ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index 7d98f24a8..56ffb1b1d 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
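Review bot: `endpoints: "{{ pam_ldap.endpoints | default('[]') }}"` falls back to the two-character string `'[]'` rather than an empty list, so when the `pam_ldap` role is absent the template's `join(' ')` renders `uri [ ]` instead of failing early; write `default([])`. `ssl_certificate_check` defaulting to true is right, but its comment should name the consequence of turning it off, e.g. `ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" # false disables LDAP server certificate verification`. `group_dn` being empty means any account matching `lookup_filter` may log in to the VPN, which the comment on `group_dn` should say so the restriction is not overlooked.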
@@ -71,35 +71,45 @@
 # @TODO find and replace replace IP range - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L785
 # @TODO find and replace the cipher - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L895-L896
-# LDAP integration
-- name: Install OpenVPN plugin for PAM.
- ansible.builtin.apt:
- pkg: openvpn-auth-ldap
- state: present
- when: openvpn.ldap_integration
-
+# PAM integration
 - name: Ensure the OpenVPN PAM config is in place.
 ansible.builtin.template:
- src: openvpn.pam.j2
+ src: "{{ openvpn.pam.config_template }}"
 dest: /etc/pam.d/openvpn
 mode: "0644"
 owner: root
 group: root
- when: openvpn.ldap_integration
+ when: openvpn.pam.enabled
-- name: Add LDAP integration config to OpenVPN.
- ansible.builtin.lineinfile:
+# PAM integration using LDAP
+- name: Ensure the OpenVPN PAM config for LDAP is in place.
+ ansible.builtin.template:
+ src: "{{ openvpn.ldap.config_template }}"
+ dest: /etc/pam.d/openvpn
+ mode: "0644"
+ owner: root
+ group: root
+ when: openvpn.ldap.enabled
+
+- name: Ensure the pam-ldap config for OpenVPN is in place.
+ ansible.builtin.template:
+ src: openvpn.ldap.j2
+ dest: /etc/openvpn/ldap/ldap
+ mode: "0644"
+ owner: root
+ group: root
+ when: openvpn.ldap.enabled
+
+# Enable PAM in OpenVPN
+- name: Add PAM integration config to OpenVPN.
+ ansible.builtin.blockinfile:
 path: /etc/openvpn/server.conf
- line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn"
- when: openvpn.ldap_integration
+ block: |
+ # Let OpenVPN use PAM for authentication
+ plugin {{ openvpn.pam.module_path }} openvpn
+ when: openvpn.pam.enabled || openvpn.ldap.enabled
 notify: Restart OpenVPN.
-- name: Restart OpenVPN.
- ansible.builtin.service:
- name: "openvpn@server"
- state: restarted
- when: openvpn.ldap_integration
-
 # Installation complete - provide user information
 - name: Service notice.
 ansible.builtin.debug:
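Review bot: The two `template` tasks both write `/etc/pam.d/openvpn`, so when `openvpn.pam.enabled` and `openvpn.ldap.enabled` are both true the plain PAM file is overwritten by the LDAP one on every run, with the first task reported as changed each time and the operator left guessing which stack is live. Guard the first with `when: openvpn.pam.enabled and not openvpn.ldap.enabled`, or collapse both into one task whose `src` is picked from the two variables. `when: openvpn.pam.enabled || openvpn.ldap.enabled` on the `blockinfile` task is not valid Jinja, since `||` is not an operator there, and should read `when: openvpn.pam.enabled or openvpn.ldap.enabled`. The pam-ldap template is written to `/etc/openvpn/ldap/ldap`, but nothing in this hunk creates that directory, so the task fails on a fresh host.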
diff --git a/roles/debian/openvpn/templates/openvpn.ldap.j2 b/roles/debian/openvpn/templates/openvpn.ldap.j2
new file mode 100644
index 000000000..8001245d8
--- /dev/null
+++ b/roles/debian/openvpn/templates/openvpn.ldap.j2
@@ -0,0 +1,34 @@
+uri {{ openvpn.ldap.endpoints | join(' ') }}
+base {{ openvpn.ldap.lookup_base }}
+scope one
+timelimit 5
+bind_timelimit 2
+bind_policy soft
+idle_timelimit 6
+
+#pam_min_uid 1000
+#pam_max_uid 2000
+pam_password crypt
+
+pam_filter {{ openvpn.ldap.lookup_filter }}
+pam_login_attribute {{ openvpn.ldap.login_attribute }}
+
+{% if openvpn.ldap.group_dn is defined and openvpn.ldap.group_dn %}
+pam_groupdn {{ openvpn.ldap.group_dn }}
+pam_member_attribute {{ openvpn.ldap.group_attribute }}
+{% endif %}
+
+nss_base_passwd {{ openvpn.ldap.lookup_base }}
+nss_base_shadow {{ openvpn.ldap.lookup_base }}
+nss_base_group {{ openvpn.ldap.group_base }}
+
+nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
+
+{% if openvpn.ldap.ssl_certificate is defined and openvpn.ldap.ssl_certificate %}
+ssl start_tls
+ssl on
+{% if openvpn.ldap.ssl_certificate_check is defined and not openvpn.ldap.ssl_certificate_check %}
+tls_checkpeer no
+{% endif %}
+tls_cacertfile /etc/ldap/ssl/{{ openvpn.ldap.ssl_certificate }}
+{% endif %}
diff --git a/roles/debian/openvpn/templates/openvpn.pam.j2 b/roles/debian/openvpn/templates/openvpn.pam.j2
index c6128ebe2..32c21e2c5 100644
--- a/roles/debian/openvpn/templates/openvpn.pam.j2
+++ b/roles/debian/openvpn/templates/openvpn.pam.j2
@@ -1,5 +1,6 @@
-auth sufficient pam_ldap.so config=/etc/openvpn/ldap/ldap
-auth required pam_deny.so
+# {{ ansible_managed }}
+# Basic config taken from
+# https://wiki.ipfire.org/configuration/services/openvpn/extensions/auth/auth-pam
-account required pam_ldap.so config=/etc/openvpn/ldap/ldap
-account required pam_permit.so
+auth required pam_unix.so shadow nodelay
+account required pam_unix.so
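Review bot: `ssl start_tls` is immediately followed by `ssl on`; in pam_ldap these select alternative modes (STARTTLS on the plain port versus LDAPS) and the later directive wins, so the block should emit the one that matches the URI scheme in `openvpn.ldap.endpoints` rather than both. The `tls_checkpeer no` branch disables verification of the LDAP server certificate, which exposes every VPN login's credentials to whoever can sit between the VPN host and the directory; a line such as `# tls_checkpeer no turns off LDAP server certificate verification - test environments only` above that `{% if %}` makes the consequence visible to whoever flips `ssl_certificate_check`. The `nss_base_*` and `nss_initgroups_ignoreusers` lines appear to be NSS settings that `pam_ldap.so` does not read, so they could be dropped from a file that only serves PAM; confirm against the pam_ldap build in use before removing them.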
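Review bot: In the `openvpn.pam.j2` hunk, `auth required pam_unix.so shadow nodelay` removes the pause pam_unix normally imposes after a failed password, so anything that reaches the PAM stage can try local-account passwords at full speed; unless the listener is protected by `tls-crypt`/`tls-auth` so only key holders get that far, drop `nodelay` or say in the header why it is wanted. A one-line note under the existing source credit, e.g. `# nodelay: no pause after a failed password - relies on the TLS key keeping strangers off the auth path`, would record that decision next to the line.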
diff --git a/roles/debian/openvpn/templates/openvpn.pam.ldap.j2 b/roles/debian/openvpn/templates/openvpn.pam.ldap.j2
new file mode 100644
index 000000000..0ffcecf4f
--- /dev/null
+++ b/roles/debian/openvpn/templates/openvpn.pam.ldap.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+auth sufficient pam_ldap.so config=/etc/openvpn/ldap/ldap
+auth required pam_deny.so
+
+account required pam_ldap.so config=/etc/openvpn/ldap/ldap
+account required pam_permit.so
From d8552a90a6f53aa37070b29da71d93301e154236 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 12:56:15 +0100
Subject: [PATCH 07/17] Allowing setting of cipher and client IP range.
---
 roles/debian/openvpn/defaults/main.yml | 2 ++
 roles/debian/openvpn/tasks/main.yml | 33 ++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
index 73bf7852a..7489aedbc 100644
--- a/roles/debian/openvpn/defaults/main.yml
+++ b/roles/debian/openvpn/defaults/main.yml
@@ -3,6 +3,8 @@ openvpn:
 script_install_path: "/home/{{ user_provision.username }}"
 auto_install: true
 name: vpn.example.com
+ ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
+ cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410
 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float)
 multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn)
 approve_ip: "y"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index 56ffb1b1d..55186fef1 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -68,8 +68,37 @@
 - openvpn.ipv6_support == "y"
 notify: Restart OpenVPN.
-# @TODO find and replace replace IP range - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L785
-# @TODO find and replace the cipher - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L895-L896
+- name: Replace OpenVPN client IP range.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ search_string: 'server 10.8.0.0 255.255.255.0'
+ line: "server {{ openvpn.ipv4_settings }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.ipv4_settings | length > 0
+ notify: Restart OpenVPN.
+
+- name: Replace OpenVPN cipher.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ search_string: 'cipher AES-128-GCM'
+ line: "cipher {{ openvpn.cipher }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.cipher | length > 0
+
+- name: Replace OpenVPN ncp-ciphers.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ search_string: 'ncp-ciphers AES-128-GCM'
+ line: "ncp-ciphers {{ openvpn.cipher }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.cipher | length > 0
+ notify: Restart OpenVPN.
 # PAM integration
 - name: Ensure the OpenVPN PAM config is in place.
From 591f6e25e7463c4b58a5d33f9a03aaa9409e8a91 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 12:58:18 +0100
Subject: [PATCH 08/17] Updating docs.
---
 docs/_Sidebar.md | 2 +-
 docs/roles/debian/nginx.md | 1 +
 docs/roles/debian/openvpn.md | 61 +++++++++++++++++++++++++
 docs/roles/debian/openvpn_config.md | 69 -----------------------------
 roles/debian/nginx/README.md | 1 +
 roles/debian/openvpn/README.md | 46 +++++++++++++++++++
 6 files changed, 110 insertions(+), 70 deletions(-)
 create mode 100644 docs/roles/debian/openvpn.md
 delete mode 100644 docs/roles/debian/openvpn_config.md
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
index 3a0de5514..d025e418c 100644
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
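Review bot: `search_string: 'server 10.8.0.0 255.255.255.0'` only matches the installer's original line, so once a first run has rewritten it a later change of `openvpn.ipv4_settings` finds nothing and `lineinfile` appends a second `server` directive to `server.conf`; the `cipher` and `ncp-ciphers` tasks have the same problem. Match the directive rather than its current value: `regexp: '^server '`, `regexp: '^cipher '`, `regexp: '^ncp-ciphers '`. The `Replace OpenVPN cipher.` task has no `notify: Restart OpenVPN.` and only works because the `ncp-ciphers` task after it notifies under the same condition, which is fragile; add the notify to it as well. On OpenVPN 2.5 and later `ncp-ciphers` is the legacy spelling of `data-ciphers`, so it is worth checking which name the installer writes on the target release before relying on the search string.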
@@ -60,7 +60,7 @@ - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce) - [NGINX](/roles/debian/nginx) - [NodeJS](/roles/debian/nodejs) - - [OpenVPN Config](/roles/debian/openvpn_config) + - [OpenVPN](/roles/debian/openvpn) - [OSSEC](/roles/debian/ossec) - [Packer](/roles/debian/packer) - [PHP Composer](/roles/debian/php_composer) diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index e09f93b50..9e7de8dcf 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -69,6 +69,7 @@ nginx: # reload_command: restart # reload: # - nginx + # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true basic_auth: diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md new file mode 100644 index 000000000..61ef449e9 --- /dev/null +++ b/docs/roles/debian/openvpn.md 
@@ -0,0 +1,61 @@ +# OpenVPN +This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. + +## PAM authentication +There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. + +The LDAP integration ships with a default configuration for PAM which, as above, can be overridden. It assumes the use of [our `pam_ldap` role](https://github.com/codeenigma/ce-provision/tree/2.x/roles/debian/pam_ldap) for the LDAP variables and defaults to those values, but they can be set explicitly if required. + +## Hardcoded values +At the moment we do not support headless customisation of encryption settings. This seems possible [by setting the right variables](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L392-L401) and we'll add it later if we can. The defaults are sane, but please note the default cipher is `AES-128-GCM`. We have allowed for finding and replacing this value as part of our role. 
+ +[The client config directory is set to `/etc/openvpn/ccd`.](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L900C19-L900C35) + + +## Default variables +```yaml +--- +openvpn: + script_install_path: "/home/{{ user_provision.username }}" + auto_install: true + name: vpn.example.com + ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" + cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 + allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) + multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + customize_enc: "n" + pass: "1" + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install + push_routes_ipv4: [] # list of VPN push routes for ipv4 networks + # Examples: + # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" + # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 + # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + pam: + enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian + module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep 
'\bpam\b'` to discover the path + config_template: openvpn.pam.j2 # allow override of PAM config template + ldap: + enabled: false # if true we assume the pam_ldap role is also being used on this server + config_template: openvpn.pam.ldap.j2 # allow override of PAM config template for LDAP + endpoints: "{{ pam_ldap.endpoints | default('[]') }}" + lookup_base: "{{ pam_ldap.lookup_base | default('') }}" + lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups + login_attribute: uid # the LDAP attribute to check the OpenVPN username against + group_base: "" # e.g. ou=Groups,dc=example,dc=com + group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com + group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against + ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" + ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + +``` + + diff --git a/docs/roles/debian/openvpn_config.md b/docs/roles/debian/openvpn_config.md deleted file mode 100644 index 02bbd8167..000000000 --- a/docs/roles/debian/openvpn_config.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index e09f93b50..9e7de8dcf 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -69,6 +69,7 @@ nginx: # reload_command: restart # reload: # - nginx + # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true basic_auth: diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 35d391069..61ef449e9 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -12,4 +12,50 @@ At the moment we do not support headless customisation of encryption settings. T [The client config directory is set to `/etc/openvpn/ccd`.](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L900C19-L900C35) +## Default variables +```yaml +--- +openvpn: + script_install_path: "/home/{{ user_provision.username }}" + auto_install: true + name: vpn.example.com + ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" + cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 + allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) + multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + customize_enc: "n" + pass: "1" + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install + push_routes_ipv4: [] # list of VPN push routes for ipv4 networks + # Examples: + # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" + # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 + # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + pam: + enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian + module_path: 
/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path + config_template: openvpn.pam.j2 # allow override of PAM config template + ldap: + enabled: false # if true we assume the pam_ldap role is also being used on this server + config_template: openvpn.pam.ldap.j2 # allow override of PAM config template for LDAP + endpoints: "{{ pam_ldap.endpoints | default('[]') }}" + lookup_base: "{{ pam_ldap.lookup_base | default('') }}" + lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups + login_attribute: uid # the LDAP attribute to check the OpenVPN username against + group_base: "" # e.g. ou=Groups,dc=example,dc=com + group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com + group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against + ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" + ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + +``` + From ad4303b72d43effe1cf2e25d06833e726e9d32a6 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 13:40:19 +0100 Subject: [PATCH 09/17] Fixing some defaults. --- docs/roles/debian/openvpn.md | 3 +-- roles/debian/openvpn/README.md | 3 +-- roles/debian/openvpn/defaults/main.yml | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 61ef449e9..68159de00 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md 
@@ -30,14 +30,13 @@ openvpn: dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - customize_enc: "n" pass: "1" #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 61ef449e9..68159de00 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -30,14 +30,13 @@ openvpn: dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - customize_enc: "n" pass: "1" #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 7489aedbc..3754b905c 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml 
@@ -14,14 +14,13 @@ openvpn:
 dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327
 compression_enabled: "n"
 compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0
- customize_enc: "n"
 pass: "1"
 #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install
 push_routes_ipv4: [] # list of VPN push routes for ipv4 networks
 # Examples:
 # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask"
 # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
- # - www.google-analytics.com # push any IP resolving to www.google-analytics.com
+ # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com
 push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
 pam:
 enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian
From 63316d62d2a19af9d9b634ea8e1b7114a03f7ace Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 14:17:19 +0100
Subject: [PATCH 10/17] Ensuring the OpenVPN LDAP config directory exists.
---
 roles/debian/openvpn/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index 55186fef1..ba3cefc29 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -120,6 +120,12 @@
 group: root
 when: openvpn.ldap.enabled
+- name: Ensure the OpenVPN LDAP config directory exists.
+ ansible.builtin.file:
+ path: /etc/openvpn/ldap
+ state: directory
+ mode: '0755'
+
 - name: Ensure the pam-ldap config for OpenVPN is in place.
 ansible.builtin.template:
 src: openvpn.ldap.j2
From 9318f02b8b59db6b0d9fa846e133317dc11b3bb5 Mon Sep 17 00:00:00 2001
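Review bot: In the `@@ -120,6 +120,12 @@` hunk the new `file` task creates `/etc/openvpn/ldap` on every host, while the template task after it and the tasks above it are conditioned on `openvpn.ldap.enabled`; add `when: openvpn.ldap.enabled` so the directory stays tied to the feature. The task also omits `owner: root` and `group: root`, which the neighbouring template task sets explicitly, so ownership of the directory depends on whatever the connection user happens to be; set them to match.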
From: gregharvey Date: Fri, 22 Dec 2023 14:19:14 +0100 Subject: [PATCH 11/17] Erroneous extra line. --- roles/debian/php-fpm/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml index 4858bbb55..e965e8458 100644 --- a/roles/debian/php-fpm/tasks/main.yml +++ b/roles/debian/php-fpm/tasks/main.yml @@ -16,7 +16,6 @@ loop_control: loop_var: version - - name: Copy default pool configuration for a single, fixed port PHP version. ansible.builtin.template: dest: "/etc/php/{{ php.version[0] }}/fpm/pool.d/www.conf" From fea006b1940b2e7ad483dddeadf052098141095d Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 15:47:29 +0100 Subject: [PATCH 12/17] Fixing syntax error in 'or'. --- roles/debian/openvpn/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index ba3cefc29..b94df4a78 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml @@ -142,7 +142,7 @@ block: | # Let OpenVPN use PAM for authentication plugin {{ openvpn.pam.module_path }} openvpn - when: openvpn.pam.enabled || openvpn.ldap.enabled + when: openvpn.pam.enabled or openvpn.ldap.enabled notify: Restart OpenVPN. # Installation complete - provide user information From af78c01ba502dc56b55bdec1dac2b32c80ed9a4b Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 15:47:41 +0100 Subject: [PATCH 13/17] More docs updates. --- docs/roles/debian/nginx.md | 7 +++---- roles/debian/nginx/README.md | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 9e7de8dcf..c3cb22c08 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md 
@@ -34,10 +34,9 @@ nginx: # Group prefix. Useful for grouping by environments. log_group_prefix: "" # Main log stream for nginx (Cloudwatch). - log_stream_name: example - # We can only have one backend, due to the way we use "common" templates. - # Moving this per domain means instead having templates per project type. - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" + log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. + # See php.fpm.unix_socket, if true use a socket here: + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 9e7de8dcf..c3cb22c08 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -34,10 +34,9 @@ nginx: # Group prefix. Useful for grouping by environments. log_group_prefix: "" # Main log stream for nginx (Cloudwatch). - log_stream_name: example - # We can only have one backend, due to the way we use "common" templates. - # Moving this per domain means instead having templates per project type. - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" + log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. + # See php.fpm.unix_socket, if true use a socket here: + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 From 028fe5f0fff6336c210015ad7a89695b5fb2390b Mon Sep 17 00:00:00 2001 
From: gregharvey Date: Fri, 22 Dec 2023 16:12:50 +0100 Subject: [PATCH 14/17] Need the LDAP SSL cert basename in config. --- roles/debian/openvpn/templates/openvpn.ldap.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/openvpn/templates/openvpn.ldap.j2 b/roles/debian/openvpn/templates/openvpn.ldap.j2 index 8001245d8..a769548ab 100644 --- a/roles/debian/openvpn/templates/openvpn.ldap.j2 +++ b/roles/debian/openvpn/templates/openvpn.ldap.j2 @@ -30,5 +30,5 @@ ssl on {% if openvpn.ldap.ssl_certificate_check is defined and not openvpn.ldap.ssl_certificate_check %} tls_checkpeer no {% endif %} -tls_cacertfile /etc/ldap/ssl/{{ openvpn.ldap.ssl_certificate }} +tls_cacertfile /etc/ldap/ssl/{{ openvpn.ldap.ssl_certificate | basename }} {% endif %} From e405374e9f4b67693c24e8d7c7525c04d3f0513a Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 16:24:19 +0100 Subject: [PATCH 15/17] Some tweaks to config. --- docs/roles/debian/openvpn.md | 6 ++++-- roles/debian/openvpn/README.md | 6 ++++-- roles/debian/openvpn/defaults/main.yml | 3 +-- .../debian/openvpn/templates/headless-openvpn-install.sh.j2 | 4 ++-- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 68159de00..1f696aa51 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md 
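Review bot: With the role's default of `ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}"` (seen in the later defaults hunks), `'' | basename` renders `tls_cacertfile /etc/ldap/ssl/`, a directory rather than a file, so the `ssl on` block emits a broken CA path instead of failing loudly; guard the line with `{% if openvpn.ldap.ssl_certificate | length %}` or assert the variable is set before templating. The enclosing `{% if %}` block starts outside this hunk. Since the same block emits `tls_checkpeer no` when `ssl_certificate_check` is false, a one-line template comment such as `{# tls_checkpeer no disables CA validation of the LDAP server entirely #}` would make the trade-off visible to whoever flips that flag.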
@@ -1,6 +1,9 @@ # OpenVPN This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. +## Server address +This will be detected automatically as the IP address of the server. If the server is configured with only internal addressing then the script will attempt to look up the public IP. To specify a value use `openvpn.nat_endpoint`. + ## PAM authentication There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. @@ -18,7 +21,7 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + test_username: example # this will be used to create a client config in the `script_install_path` location ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) 
@@ -30,7 +33,6 @@ openvpn: dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - pass: "1" #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 68159de00..1f696aa51 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md @@ -1,6 +1,9 @@ # OpenVPN This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. +## Server address +This will be detected automatically as the IP address of the server. If the server is configured with only internal addressing then the script will attempt to look up the public IP. To specify a value use `openvpn.nat_endpoint`. + ## PAM authentication There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. 
@@ -18,7 +21,7 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + test_username: example # this will be used to create a client config in the `script_install_path` location ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) @@ -30,7 +33,6 @@ openvpn: dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - pass: "1" #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 3754b905c..5c4473761 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml @@ -2,7 +2,7 @@ openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + test_username: example # this will be used to create a client config in the `script_install_path` location ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) 
@@ -14,7 +14,6 @@ openvpn: dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - pass: "1" #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: diff --git a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 index e12d97e02..f621f7e2d 100644 --- a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 +++ b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 @@ -11,8 +11,8 @@ export DNS={{ openvpn.dns }} export COMPRESSION_ENABLED={{ openvpn.compression_enabled }} export COMPRESSION_CHOICE={{ openvpn.compression_choice }} export CUSTOMIZE_ENC=n -export CLIENT={{ openvpn.name }} -export PASS={{ openvpn.pass }} +export CLIENT={{ openvpn.test_username }} +export PASS=1 {% if openvpn.nat_endpoint is defined and openvpn.nat_endpoint | length %} export ENDPOINT={{ openvpn.nat_endpoint }} {% endif %} From d622b7d899b0551924bc915b0e87f3e03748684b Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 16:39:50 +0100 Subject: [PATCH 16/17] Reordering variables and adding some client config options. --- docs/roles/debian/openvpn.md | 28 +++++++++++++++++--------- roles/debian/openvpn/README.md | 28 +++++++++++++++++--------- roles/debian/openvpn/defaults/main.yml | 28 +++++++++++++++++--------- roles/debian/openvpn/tasks/main.yml | 23 +++++++++++++++++++++ 4 files changed, 77 insertions(+), 30 deletions(-) diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 1f696aa51..dd84a04b8 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md 
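Review bot: `export CLIENT={{ openvpn.test_username }}` and the `ENDPOINT` line below it are unquoted shell assignments, so the rendered values are word-split and command-substituted by the shell; the documented `nat_endpoint` example `$(curl -4 ifconfig.co)` relies on exactly that, but the behaviour is not stated next to the variables in `defaults/main.yml`, where a comment like `# evaluated by the shell at install time, not inert data` belongs. For the username, `export CLIENT="{{ openvpn.test_username }}"` is the safer form. Separately, the profile generated for `test_username` is a live VPN credential written under `script_install_path`, and with `PASS=1` now hard-coded (the upstream script's passwordless-client choice, if I read its prompts correctly) it is unprotected at rest; nothing in the role revokes or removes it, so the `test_username` comment should say that operators are expected to do so after testing.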
@@ -21,25 +21,19 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - test_username: example # this will be used to create a client config in the `script_install_path` location + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" + # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support 
must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path @@ -56,6 +50,20 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install ``` diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 1f696aa51..dd84a04b8 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -21,25 +21,19 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - test_username: example # this will be used to create a client config in the `script_install_path` location + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" + # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support 
must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path @@ -56,6 +50,20 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install ``` diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 5c4473761..5558fc565 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml 
@@ -2,25 +2,19 @@ openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - test_username: example # this will be used to create a client config in the `script_install_path` location + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" + # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on 
`openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path @@ -37,3 +31,17 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index b94df4a78..0e3f72597 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml 
@@ -145,6 +145,29 @@
 when: openvpn.pam.enabled or openvpn.ldap.enabled
 notify: Restart OpenVPN.
 
+# Tweak client config template
+- name: Replace OpenVPN client tls-cipher.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/client-template.txt
+ search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
+ line: "tls-cipher {{ openvpn.client_tls_cipher }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.client_tls_cipher | length > 0
+
+- name: Allow FQDN push routes.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/client-template.txt
+ line: allow-pull-fqdn
+ when: openvpn.allow_pull_fqdn
+
+- name: Enforce username and password authentication.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/client-template.txt
+ line: auth-user-pass
+ when: openvpn.auth_user_pass
+
 # Installation complete - provide user information
 - name: Service notice.
 ansible.builtin.debug:
From fa3c7a0ba4e6636fc062dc0db4653ab2406cf421 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 16:59:36 +0100
Subject: [PATCH 17/17] Reordering for clarity and allowing setting of server TLS cipher.
---
 docs/roles/debian/openvpn.md | 3 +-
 roles/debian/openvpn/README.md | 3 +-
 roles/debian/openvpn/defaults/main.yml | 3 +-
 roles/debian/openvpn/tasks/main.yml | 76 +++++++++++++++----------
 4 files changed, 47 insertions(+), 38 deletions(-)
diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md
index dd84a04b8..54fa885b6 100644
--- a/docs/roles/debian/openvpn.md
+++ b/docs/roles/debian/openvpn.md
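Review bot: The `Replace OpenVPN client tls-cipher.` task is not idempotent: `search_string` matches only the upstream default line, so once it has been rewritten a second run finds no match and `lineinfile` appends a further `tls-cipher` line at the end of `client-template.txt`; use `regexp: '^tls-cipher '` instead of `search_string`, which also matches the already-replaced line. The same applies to the server-side copy of this task in the `@@ -28,44 +29,22 @@` hunk and to the renamed task in `@@ -150,11 +162,11 @@`. Also, `auth-user-pass` is only added when `openvpn.auth_user_pass` is set, yet the task just above this hunk loads the PAM plugin whenever `openvpn.pam.enabled or openvpn.ldap.enabled`; profiles built from a template without `auth-user-pass` will presumably fail authentication against such a server, so `when: openvpn.auth_user_pass or openvpn.pam.enabled or openvpn.ldap.enabled` would keep the two sides in step. If a flag is later turned off, neither task removes its line; a `state: "{{ 'present' if openvpn.allow_pull_fqdn else 'absent' }}"` form would make the tasks reversible.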
@@ -23,7 +23,6 @@ openvpn: auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" - # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) @@ -51,7 +50,7 @@ openvpn: ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" # post install client config tweaks - client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication # headless script variables diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index dd84a04b8..54fa885b6 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -23,7 +23,6 @@ openvpn: auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" - # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) @@ -51,7 +50,7 @@ openvpn: ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" # post install client config tweaks - client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication # headless script variables diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 5558fc565..21ad4bc44 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml 
@@ -4,7 +4,6 @@ openvpn: auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" - # Alter cipher with care, you must alter the client_tls_cipher to match, do not set them to incompatible values cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) @@ -32,7 +31,7 @@ openvpn: ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" # post install client config tweaks - client_tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication # headless script variables diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index 0e3f72597..4943530c0 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml @@ -21,6 +21,7 @@ cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh" when: openvpn.auto_install +# Tweak server config - name: Allow multiple simultaneous VPN connections. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf 
@@ -28,44 +29,22 @@
 when: openvpn.multiple_connections
 notify: Restart OpenVPN.
 
-- name: Add ipv4 push routes comment for readability.
+- name: Allow client IP to float without disconnecting.
 ansible.builtin.lineinfile:
 path: /etc/openvpn/server.conf
 line: float
 when: openvpn.allow_floating_client_ip
 notify: Restart OpenVPN.
 
-# Push routes
-- name: Add ipv4 push routes comment for readability.
- ansible.builtin.lineinfile:
- path: /etc/openvpn/server.conf
- line: "# ipv4 push routes"
- when: openvpn.push_routes_ipv4 | length > 0
-
-- name: Add ipv4 push routes to the VPN.
- ansible.builtin.lineinfile:
- path: /etc/openvpn/server.conf
- line: 'push "route {{ item }}"'
- with_items: "{{ openvpn.push_routes_ipv4 }}"
- when: openvpn.push_routes_ipv4 | length > 0
- notify: Restart OpenVPN.
-
-- name: Add ipv6 push routes comment for readability.
- ansible.builtin.lineinfile:
- path: /etc/openvpn/server.conf
- line: "# ipv6 push routes"
- when:
- - openvpn.push_routes_ipv6 | length > 0
- - openvpn.ipv6_support == "y"
-
-- name: Add ipv6 push routes to the VPN.
+- name: Replace OpenVPN server tls-cipher.
 ansible.builtin.lineinfile:
 path: /etc/openvpn/server.conf
- line: 'push "route-ipv6 {{ item }}"'
- with_items: "{{ openvpn.push_routes_ipv6 }}"
- when:
- - openvpn.push_routes_ipv6 | length > 0
- - openvpn.ipv6_support == "y"
+ search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
+ line: "tls-cipher {{ openvpn.tls_cipher }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.tls_cipher | length > 0
 notify: Restart OpenVPN.
 
 - name: Replace OpenVPN client IP range.
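Review bot: The new `Replace OpenVPN server tls-cipher.` task runs after the headless install at the top of this file, which (if the upstream script behaves as its `CLIENT` export suggests) has already generated the `test_username` profile from the untouched `client-template.txt`; once `openvpn.tls_cipher` is set, that profile keeps the default `tls-cipher`, no longer matches the server, and also lacks `auth-user-pass`. Either run the client-template tweaks before the install or document on `test_username` that client profiles must be (re)generated after the role has run. The task also mutates `server.conf` with only `notify: Restart OpenVPN.`, so a typo in `openvpn.tls_cipher` is first seen as a failed restart; a comment like `# no validation of the cipher name is done here, a bad value will stop OpenVPN on restart` would set expectations.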
@@ -100,6 +79,39 @@
 when: openvpn.cipher | length > 0
 notify: Restart OpenVPN.
 
+# Push routes
+- name: Add ipv4 push routes comment for readability.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: "# ipv4 push routes"
+ when: openvpn.push_routes_ipv4 | length > 0
+
+- name: Add ipv4 push routes to the VPN.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: 'push "route {{ item }}"'
+ with_items: "{{ openvpn.push_routes_ipv4 }}"
+ when: openvpn.push_routes_ipv4 | length > 0
+ notify: Restart OpenVPN.
+
+- name: Add ipv6 push routes comment for readability.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: "# ipv6 push routes"
+ when:
+ - openvpn.push_routes_ipv6 | length > 0
+ - openvpn.ipv6_support == "y"
+
+- name: Add ipv6 push routes to the VPN.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/server.conf
+ line: 'push "route-ipv6 {{ item }}"'
+ with_items: "{{ openvpn.push_routes_ipv6 }}"
+ when:
+ - openvpn.push_routes_ipv6 | length > 0
+ - openvpn.ipv6_support == "y"
+ notify: Restart OpenVPN.
+
 # PAM integration
 - name: Ensure the OpenVPN PAM config is in place.
 ansible.builtin.template:
@@ -150,11 +162,11 @@
 ansible.builtin.lineinfile:
 path: /etc/openvpn/client-template.txt
 search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
- line: "tls-cipher {{ openvpn.client_tls_cipher }}"
+ line: "tls-cipher {{ openvpn.tls_cipher }}"
 owner: root
 group: root
 mode: '0644'
- when: openvpn.client_tls_cipher | length > 0
+ when: openvpn.tls_cipher | length > 0
 
 - name: Allow FQDN push routes.
 ansible.builtin.lineinfile:
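Review bot: The two push-route tasks moved into this hunk still use the legacy `with_items` form; `loop: "{{ openvpn.push_routes_ipv4 }}"` (and the ipv6 equivalent) is the current idiom, and an empty list then simply yields no iterations, so the `| length > 0` guard on those two tasks becomes redundant and only the comment-line tasks need it. The route values are written into `server.conf` verbatim, so a comment on `push_routes_ipv4` in the defaults noting that entries must already be in OpenVPN `route` syntax would save a failed restart. The `@@ -150,11 +162,11 @@` hunk that follows is cut off at the end of this chunk.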