base fork: nabeken/tknetworks-cookbooks
base: d04cbf6b4c
...
head fork: nabeken/tknetworks-cookbooks
compare: 9fa9fbfbd0
  • 3 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
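--- a/openvpn/definitions/default.rb
+++ b/openvpn/definitions/default.rb
@@ -17,7 +17,7 @@
 :local_ip => nil,
 :port => 1194,
 :proto => "udp",
- :dev_type => "tun",
+ :dev_type => "tap",
 :dev => nil,
 :use_tls => true,
 :ca => nil,
@@ -63,11 +63,84 @@
 end
 end
+define :openvpn_client,
+ :remote => nil,
+ :port => 1194,
+ :proto => "udp",
+ :dev_type => "tap",
+ :dev => nil,
+ :ifconfig => nil,
+ :use_tls => true,
+ :ca => nil,
+ :cert => nil,
+ :key => nil,
+ :routes => [] do
+ if params[:remote].nil?
+ raise "remote is required"
+ end
+
+ is_key_nil = [:ca, :cert, :key].any? { |n| params[n].nil? }
+ if params[:use_tls] && is_key_nil
+ raise "ca, cert, key are required."
+ end
+
+ if !params[:use_tls]
+ # retrive secret key from encryped databag
+ ovpn_databag = Chef::EncryptedDataBagItem.load('openvpn', params[:name])
+ secret = "#{node[:openvpn][:dir]}/#{params[:name]}.key"
+ file secret do
+ owner node[:openvpn][:uid]
+ group node[:openvpn][:gid]
+ mode 0600
+ content ovpn_databag["key"]
+ backup false
+ end
+ end
+
+ # retrive a parameter for ifconfig from databag
+ if params[:ifconfig] == :databag
+ ifconfig = data_bag_item('openvpn', 'ifconfig')[node[:fqdn]]
+ else
+ ifconfig = params[:ifconfig]
+ end
+
+ # merge routes from params[:routes] and databag
+ routes = []
+ begin
+ ovpn_routes = data_bag_item('openvpn', 'routes')
+ if ovpn_routes.has_key?(params[:name])
+ routes += params[:routes] + ovpn_routes[params[:name]]
+ end
+ rescue Net::HTTPServerException
+ Chef::Log.info("routes for #{params[:name]} is not found.")
+ routes += params[:routes]
+ end
+
+ begin
+ t = resources("template[#{node[:openvpn][:dir]}/#{params[:name]}-client.conf]")
+ rescue
+ t = template "#{node[:openvpn][:dir]}/#{params[:name]}-client.conf" do
+ owner node[:openvpn][:uid]
+ group node[:openvpn][:gid]
+ mode 0600
+ cookbook "openvpn"
+ variables({
+ :params => params,
+ :secret => secret,
+ :ifconfig => ifconfig,
+ :routes => routes
+ })
+ source "client_openvpn.conf"
+ #notifies :restart, "service[#{node[:openvpn][:service]}]"
+ end
+ end
+end
+
 define :openvpn_interface,
 :inet => nil,
 :inet6 => nil,
 :dev => nil,
- :extra_commands => nil do
+ :extra_commands => [] do
 if node[:platform] != "openbsd"
 raise "openvpn_interface is only for OpenBSD"
@@ -81,12 +154,6 @@
 raise "dev is required"
 end
- if params[:extra_commands].nil?
- extra_commands = []
- else
- extra_commands = params[:extra_commands]
- end
-
 begin
 t = resources("template[/etc/hostname.#{params[:dev]}")
 rescue
@@ -99,7 +166,7 @@
 :config => "#{node[:openvpn][:dir]}/#{params[:name]}.conf",
 :inet => params[:inet],
 :inet6 => params[:inet6],
- :extra_commands => extra_commands
+ :extra_commands => params[:extra_commands]
 })
 source "hostname.tun"
 end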
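Review bot: The values openvpn_client pulls from data bags are not validated the way `remote`/`ca`/`cert`/`key` are: with `:ifconfig => :databag`, a missing entry for `node[:fqdn]` leaves `ifconfig` nil, and since the template guards on `@params[:ifconfig]` rather than the resolved value, the rendered config carries a bare `ifconfig` line that OpenVPN will refuse at startup — add `raise "ifconfig for #{node[:fqdn]} is not in data bag openvpn/ifconfig" if ifconfig.nil?` after the lookup. The static-key branch has the same gap: if the encrypted item has no `key`, `content ovpn_databag["key"]` becomes `content nil`, which tells the file resource not to manage contents, so the run succeeds with an empty 0600 `<name>.key` instead of failing; guard it with `raise "key is missing from encrypted data bag openvpn/#{params[:name]}" if ovpn_databag["key"].nil?` before the `file` resource. The route merge also drops `params[:routes]` whenever the `routes` bag exists but has no entry for this name, because `routes += params[:routes]` only runs inside the `has_key?` branch and the rescue — move `routes += params[:routes]` ahead of the `begin` and append only the bag entry inside it. Finally, the bare `rescue` around `resources(...)` swallows every StandardError, not just a missing resource; `rescue Chef::Exceptions::ResourceNotFound` is the intended catch.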
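--- a/openvpn/templates/default/client_openvpn.conf
+++ b/openvpn/templates/default/client_openvpn.conf
@@ -0,0 +1,76 @@
+fragment 1280
+mssfix
+
+remote <%= @params[:remote] %>
+port <%= @params[:port] %>
+proto <%= @params[:proto] %>
+dev-type <%= @params[:dev_type] %>
+<% if !@params[:dev].nil? %>
+dev <%= @params[:dev] %>
+<% end %>
+
+<% if !@params[:ifconfig].nil? %>
+ifconfig <%= @ifconfig %>
+<% end %>
+
+<% @routes.each do |rt| %>
+<%= rt %>
+<% end %>
+
+<% if @params[:use_tls] %>
+tls-client
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+
+ca <%= @params[:ca] %>
+cert <%= @params[:cert] %>
+key <%= @params[:key] %>
+dh <%= node[:openvpn][:ssl][:dh] %>
+
+<% else %>
+secret <%= @secret %>
+<% end %>
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user <%= node[:openvpn][:uid] %>
+group <%= node[:openvpn][:gid] %>
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn-status-<%= @params[:name] %>.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4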
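Review bot: The `tls-client` branch never pins the peer's certificate role, so this client will accept any certificate signed by the shared `ca` — including another client's leaf cert — as the server, which is the well-known OpenVPN client-impersonation/MITM gap; add `remote-cert-tls server` directly after `tls-client` (or `ns-cert-type server` on builds that predate it) and make sure the server certificate carries the serverAuth EKU / nsCertType it checks. `dh` is a `tls-server` parameter and is not used by a client, so the `dh <%= node[:openvpn][:ssl][:dh] %>` line can be dropped; it only forces every client node to define `node[:openvpn][:ssl][:dh]`. Neither `cipher` nor `auth` is set, so the data channel falls back to the installed OpenVPN's compiled defaults — presumably BF-CBC/SHA1 on builds of this era — and should be pinned explicitly to whatever the server uses. The `ifconfig` line is emitted whenever `@params[:ifconfig]` is non-nil but prints `@ifconfig`, which the definition resolves from a data bag and may be nil; the guard should be `<% if !@ifconfig.nil? %>`.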
