Skip to content
OpenVPN module for puppet including client config/cert creation
Ruby Puppet HTML Other
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github modulesync 2.8.0 Jul 27, 2019
.travis modulesync 2.5.1 Jan 15, 2019
data
lib/facter rework fact easyrsa, enable acceptance in travis matrix Sep 10, 2018
manifests Merge pull request #343 from Bluewind/manage-logfile-dir Aug 6, 2019
spec Merge pull request #343 from Bluewind/manage-logfile-dir Aug 6, 2019
templates
vagrant remove files in .gitignore Oct 5, 2017
.editorconfig modulesync 2.3.1 Dec 15, 2018
.fixtures.yml purge obsolete symlink setting in fixtures Oct 13, 2018
.gitignore modulesync 1.6.0 Jan 4, 2018
.msync.yml modulesync 2.8.0 Jul 27, 2019
.overcommit.yml modulesync 2.0.0 Sep 5, 2018
.pmtignore modulesync 2.3.1 Dec 15, 2018
.rspec Initial modulesync stuff, v1.2.0 Oct 5, 2017
.rspec_parallel Initial modulesync stuff, v1.2.0 Oct 5, 2017
.rubocop.yml modulesync 1.6.0 Jan 4, 2018
.sync.yml drop unneeded mock_with option Apr 6, 2019
.travis.yml modulesync 2.8.0 Jul 27, 2019
.yardopts Initial modulesync stuff, v1.2.0 Oct 5, 2017
CHANGELOG.md release 8.2.0 Jul 19, 2019
Dockerfile modulesync 2.7.0 Apr 7, 2019
Gemfile modulesync 2.8.0 Jul 27, 2019
HISTORY.md Updates in prep for a 4.1.0 release Oct 6, 2017
LICENSE remove boilerplate Jan 25, 2013
README.md drop puppet 4 Jan 15, 2019
REFERENCE.md updated documentation to conform with REFERENCE.md standard for forge Oct 26, 2018
Rakefile modulesync 2.7.0 Apr 7, 2019
Vagrantfile remove files in .gitignore Oct 5, 2017
hiera.yaml * Add defaults for unsupported OS Oct 21, 2018
metadata.json [blacksmith] Bump version to 8.2.1-rc0 Jul 19, 2019

README.md

OpenVPN Puppet module

License Build Status Code Coverage Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores

Puppet module to manage OpenVPN servers and clients.

Features

  • Client-specific rules and access policies
  • Generated client configurations and SSL-Certificates
  • Downloadable client configurations and SSL-Certificates for easy client configuration
  • Support for multiple server instances
  • Support for LDAP-Authentication
  • Support for server instance in client mode
  • Support for TLS

Supported OS

  • Ubuntu
  • Debian
  • CentOS
  • RedHat

Dependencies

Puppet

The supported Puppet versions are listed in the metadata.json

REFERENCES

Please see REFERENCE for more details.

Example with hiera

---
classes:
  - openvpn

openvpn::servers:
  'winterthur':
    country: 'CH'
    province: 'ZH'
    city: 'Winterthur'
    organization: 'example.org'
    email: 'root@example.org'
    server: '10.200.200.0 255.255.255.0'

openvpn::client_defaults:
  server: 'winterthur'

openvpn::clients:
  'client1': {}
  'client2': {}
  'client3': {}

openvpn::client_specific_configs:
  'client1':
    server: 'winterthur'
    ifconfig: '10.200.200.50 10.200.200.51'

openvpn::revokes:
  'client3':
    server: 'winterthur'

Don't forget the sysctl directive net.ipv4.ip_forward!

Encryption Choices

This module provides certain default parameters for the openvpn encryption settings.

These settings have been applied in line with current "best practices" but no guarantee is given for their saftey and they could change in future.

You should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.

Example for automating client deployment to nodes managed by Puppet

Exporting the configurations for a client in the VPN server manifest:

  openvpn::deploy::export { 'client1':
    server => 'winterthur',
  }

Installation, configuration and starting the OpenVPN client in a configured node manifest:

  openvpn::deploy::client { 'client1':
    server => 'winterthur',
  }
References

ssl_key_size

The default key size is now set to 2048 bits. This setting also affects the size of the dhparam file.

Why

2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.

Cipher

The default data channel cipher is now set to AES-256-CBC

Why

OpenVPN was setting its default value to BF-CBC. In newer versions of OpenVPN it warns that this is no longer a secure cipher. The OpenVPN documentation recommends using this setting.

tls_cipher

The default tls_cipher option is now set to: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Why

Details of these ciphers and their uses can be found in the documentation links above.

Note : TLS ciphers suites shipped with OSes ubuntu14.04 and debian8 are too old compared to our default values. If the openvpn server is running on these OSes with clients on more modern OSes, you will probably have to use custom value for option tls_cipher.

Contributions

This module is maintained by Vox Pupuli. Voxpupuli welcomes new contributions to this module, especially those that include documentation and rspec tests. We are happy to provide guidance if necessary.

Please see CONTRIBUTING for more details.

Authors

You can’t perform that action at this time.