Installs and configures OpenVPN.
- Ubuntu
- RHEL
- CentOS
- knife-openvpn
node['openvpn']['server_name']- Defaults to"default".node['openvpn']['install_epel']- Defaults totrue.node['openvpn']['default']['remote_host']- Defaults to"vpn.example.com".node['openvpn']['default']['server_ip']- Defaults to"127.0.0.1".node['openvpn']['default']['port']- Defaults to"1194".node['openvpn']['default']['proto']- Defaults to"udp".node['openvpn']['default']['dev']- Defaults to"tun".node['openvpn']['default']['mode']- Defaults to"routed".node['openvpn']['default']['netmask']- Defaults to"255.255.255.0".node['openvpn']['default']['subnet']- Defaults to"127.0.1.0".node['openvpn']['default']['network_bridge']- Defaults to"br0".node['openvpn']['default']['network_interface']- Defaults to"eth0".node['openvpn']['default']['dhcp_start']- Defaults to"127.0.0.100".node['openvpn']['default']['dhcp_end']- Defaults to"127.0.0.150".node['openvpn']['default']['verb']- Defaults to"3".node['openvpn']['default']['push']- Defaults to"[ ... ]".node['openvpn']['default']['duplicate_cn']- Defaults to"false".node['openvpn']['default']['client_to_client']- Defaults to"false".node['openvpn']['default']['keepalive_interval']- Defaults to"10".node['openvpn']['default']['keepalive_timeout']- Defaults to"60".node['openvpn']['default']['comp_lzo']- Defaults to"true".node['openvpn']['default']['link_mtu']- Defaults to"nil".node['openvpn']['default']['tun_mtu']- Defaults to"nil".node['openvpn']['default']['cipher']- Defaults to"false".node['openvpn']['default']['redirect_gateway']- Defaults to"false".node['openvpn']['default']['push_dns_server']- Defaults to"false".node['openvpn']['default']['script_security']- Defaults to"1".node['openvpn']['default']['use_tls_auth']- Defaults to"true".node['openvpn']['default']['chroot']- Defaults to"false".node['openvpn']['default']['client_config_dir']- Defaults to"false".node['openvpn']['default']['ccd_exclusive']- Defaults to"false".node['openvpn']['default']['users']- Defaults to"[ ... ]".node['openvpn']['default']['revoked_users']- Defaults to"[ ... ]".node['openvpn']['default']['ifconfig_pool_persist']- Defaults to"true".node['openvpn']['client']['remote_servers']- Defaults to"[ ... ]".
node['openvpn']['iptables']['postrouting']- Defaults totrue.node['openvpn']['iptables']['interface']- Defaults toeth0.
node['openvpn']['ip_forward']- Defaults totrue.
- openvpn::default - Installs and configures OpenVPN.
- openvpn::sysctl - Configures IP forwarding via sysctl
- openvpn::iptables - Configures postrouting via iptables
- openvpn::client - Configures client connection to server
- Routed
For routed network you must define vpn subnet, like in previous example
- Bridged
Bridged setup need more configuration and configured network bridge on your server
"default_attributes": {
"openvpn": {
"server_name": "office",
"office": {
"remote_host": "vpn.example.com",
"server_ip": "10.90.5.5",
"port": "443",
"proto": "tcp",
"dev": "tap",
"verb": "3",
"mode": "bridged",
"script_security": "2",
"dhcp_start": "10.90.5.100",
"dhcp_end": "10.90.5.240",
"network_bridge": "br0",
"network_interface": "eth0"
}
}
}
See fixture cookbook in tests/fixtures/cookbooks.
- Revoke access
- Import existing certs/keys
- Add support for client recipe-friendly config generation
For example you want to setup vpn server and call it office
-
Ensure that you have
.chef/encrypted_data_bag_secret. Otherwise you can generate one withopenssl rand -base64 512 > .chef/encrypted_data_bag_secret -
Install knife plugin:
gem install knife-openvpn -
Create server certificate authority, server cert/key, DH params:
knife openvpn server create officeoffice- is a name of vpn-server, there is some limitations on this: no dots, no commas, no spaces, no special symbols for reasons. -
Great, now check
data_bagsdirectory, you will find new databagopenvpn-officewith few items for ca, dh, cert/key pair and some openssl config. Now it is time to upload it to Chef server:knife data bag create openvpn-office --secret-file=.chef/encrypted_data_bag_secret knife data bag from file openvpn-office data_bags/openvpn-office/* -
Add
recipe[openvpn]to node run_list, and override default attributes:"run_list": [ "recipe[openvpn]" ], "default_attributes": { "openvpn": { "server_name": "office", "office": { "remote_host": "vpn.example.com", "server_ip": "10.90.5.5", "subnet": "10.200.1.0", "port": "443", "proto": "tcp", "dev": "tun", "verb": "3", "push": [ "route 10.90.0.0 255.255.255.0", "route 10.90.1.0 255.255.255.0" ] } } } -
Add
recipe[openvpn::sysctl]if you need to setup net.ipv4.ip_forward with this cookbook.node['openvpn']['ip_forward']should be set totrue(it'strueby default). -
Add
recipe[openvpn::iptables]if you need to setup nat postrouting with this cookbook.Chef, run!
-
When server is up and running we can add some users to start use it. No moar certificate management pain:
knife openvpn user create office john knife data bag from file openvpn-office data_bags/openvpn-office/john.json -
Export vpn-client data and send it to John:
knife openvpn user export office john
resulting archive contains config (.ovpn), ca cert, John's cert and key
- Revokation of user certificate is also possible:
knife openvpn user revoke office john knife data bag from file openvpn-office data_bags/openvpn-office/openvpn-crl.json
-
Add
recipe[openvpn::client]to run_list -
Add data bag item for each server in
node['openvpn']['client']['remote_servers']containing next elements (replace new lines with '\n'):"ca" - contents of ca.crt generated with knife-openvpn "crt" - contents of client's certificate "key" - contents of client's private key "conf" - contents of client's configuration
Maintainer:: LLC Express 42 (cookbooks@express42.com)
License:: MIT