This is deprecated and unmaintained in favor of the official module: https://forge.puppet.com/modules/openvpn/openvpnas/

- Description
- Setup - The basics of getting started with openvpn_as
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module installs and manages OpenVPN Access Server.
"OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control." -openvpn.net
Community Edition is the normal free/libre edition that most folks are used to. Access Server is a licensed version of OpenVPN with a web GUI that simplifies a lot of the configuration management.
- jq. You can let the module install it via the `jq_install` parameter, but it is required for the module to operate.
- The openvpn-as package: https://openvpn.net/index.php/access-server/download-openvpn-as-sw/113.html
If you don't have a working openvpn_as cluster, you can use this module to install and initialize one.
Then it is recommended to configure them via the GUI and use the values it created in the config DB to manage the config profiles via this module.
Here are one-liners to turn your current config and user databases into YAML (to easily place it into hieradata):

```
/<openvpn_as directory>/scripts/confdba --show | ruby -e "require 'json'; require 'yaml'; print YAML.dump(JSON.load(ARGF.read()))"
/<openvpn_as directory>/scripts/confdba --show --userdb | ruby -e "require 'json'; require 'yaml'; print YAML.dump(JSON.load(ARGF.read()))"
```

The particulars of the configuration of the Access Server itself are beyond the scope of this document. For that, check the docs.
By default, this installs and initializes openvpn_as, assuming you have made the `openvpn-as` package available in the system repos:

```puppet
include openvpn_as
```

Alternatively, you could specify the package URL directly in the code:

```puppet
class { 'openvpn_as':
  package_source   => 'https://swupdate.openvpn.org/as/openvpn-as-version.ext',
  package_provider => 'rpm', # or dpkg, maybe
}
```
The bulk of your settings will be in the `profiles` and `userprops` databases. There is a suggestion for how to parameterize these configs above. Here is a pattern that may come in handy if you are combining your configuration from hieradata with sensitive values (say from hiera-eyaml) and maybe some files or templates into your configuration.
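```puppet
include stdlib

# Non-sensitive settings come from plain hieradata.
$profiles_hiera = hiera_hash('openvpn_as::profiles')

# Files and secrets are layered on top; keep the key material encrypted
# (e.g. with hiera-eyaml) rather than in plain hieradata.
$profiles_files = {
  'Default' => {
    'auth.module.post_auth_script' => file('profile/openvpn/auth.module.post_auth_script'),
    'cs.priv_key'                  => hiera('some::key'),
    'cs.cert'                      => hiera('some::cert'),
    'cs.ca_bundle'                 => hiera('some::bundle'),
  },
}

# Values in $profiles_files win on conflict.
$profiles = deep_merge($profiles_hiera, $profiles_files)

class { 'openvpn_as':
  # ...
  profiles => $profiles,
}
```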
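
An added example, not part of the module or its README: the `confdba --show` one-liners above dump every value in the config DB as plain YAML, which includes `cs.priv_key` when one is set. This Ruby script splits such a dump into a plain document for `openvpn_as::profiles` and a secret document to encrypt with hiera-eyaml and merge back in with the `deep_merge` pattern above. The sensitive-key patterns, the `profile::openvpn::secret_profiles` key and the sample data are assumptions.

```ruby
require 'json'
require 'yaml'

# Assumption: key-name patterns that mark a value as secret. cs.priv_key is
# the key named on this page; the other two patterns are guesses to review.
SENSITIVE = [/priv_key\z/, /password/i, /secret/i].freeze

# Split {profile => {key => value}} into [plain, secret] hashes of that shape.
def split_profiles(profiles)
  plain = {}
  secret = {}
  profiles.each do |name, settings|
    raise ArgumentError, "profile #{name.inspect} is not a key/value map" unless settings.is_a?(Hash)

    hit, rest = settings.partition { |key, _| SENSITIVE.any? { |re| re.match?(key) } }
    plain[name] = rest.to_h
    secret[name] = hit.to_h unless hit.empty?
  end
  [plain, secret]
end

# Build the two hieradata documents from confdba's JSON. secret_key is a
# hypothetical hiera key; encrypt that document with hiera-eyaml.
def hieradata(json_text, secret_key: 'profile::openvpn::secret_profiles')
  plain, secret = split_profiles(JSON.parse(json_text))
  [YAML.dump({ 'openvpn_as::profiles' => plain }), YAML.dump({ secret_key => secret })]
end

# Constructed sample in the shape of the page's $profiles hash.
SAMPLE = JSON.generate({
  'Default' => {
    'cs.cert' => "-----BEGIN CERTIFICATE-----\n(constructed)\n",
    'cs.ca_bundle' => "-----BEGIN CERTIFICATE-----\n(constructed)\n",
    'cs.priv_key' => "-----BEGIN PRIVATE KEY-----\n(constructed)\n"
  }
})

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby split.rb dump.json  (falls back to the constructed sample)
  plain_yaml, secret_yaml = hieradata(ARGV[0] ? File.read(ARGV[0]) : SAMPLE)
  puts plain_yaml
  YAML.load(secret_yaml).each_value do |profiles|
    profiles.each { |name, kv| kv.each_key { |k| warn "encrypt: #{name}/#{k}" } }
  end
end
```

Only the plain document goes to stdout; the names of the keys that need encrypting are listed on stderr, so the secret values themselves are never printed.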
String. Default: Default
Hash. Default: {}
Boolean. Default: false
String. Default: /usr/local/openvpn_as/scripts:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/usr/local/openvpn_as/bin
String. Default: /usr/local/openvpn_as
Boolean. Default: true
Boolean. Default: false
Variant[Hash, Undef]. Default: {}
Variant[Hash, Undef]. Default: {}
Boolean. Default: false
Boolean. Default: false
Variant[Boolean, String]. Default: installed
String. Default: openvpn-as
Variant[String, Undef]. Default: undef
Variant[String, Undef]. Default: undef
Variant[Boolean, Enum[stopped, running]]. Default: running
Boolean. Default: true
String. Default: openvpnas
This has only been tested on EL7, but it was designed with generality in mind and will probably work just fine on Debian-based distros as well. If you try it, please let us know!
Taking pull requests at https://github.com/theias/openvpn_as.git