From 5daee638dd9d6c1f367f41fece999953a23dd864 Mon Sep 17 00:00:00 2001
From: Fulvio Galeazzi <fulvio.galeazzi@garr.it>
Date: Fri, 27 Mar 2020 17:47:25 +0000
Subject: [PATCH] 2020-03-27:  FG;  Client certificate configuration is now
 complete. README file complete.

---
 README.md                                    | 10 ++--
 group_vars/openvpn                           | 26 +++++++++-
 inventory.yml.sample                         | 18 ++++---
 roles/clientvpn/tasks/main.yml               | 37 +++++++-------
 roles/setup/tasks/main.yml                   | 52 ++++++--------------
 roles/setup/tasks/pkgInstall.yml             | 30 +++++++++++
 roles/setup/templates/openvpn.server.conf.j2 |  7 ++-
 7 files changed, 107 insertions(+), 73 deletions(-)
 create mode 100644 roles/setup/tasks/pkgInstall.yml

diff --git a/README.md b/README.md
index e30d425..b67d912 100644
--- a/README.md
+++ b/README.md
@@ -70,12 +70,12 @@ so it matches the generic user created during server installation):
 Step 3: Installation and Configuration (execute once)
 -----------------------------------------------------
 
-This step, too, will normally be ran just once: unless the configuration changes.
+This step, too, will normally be run just once: unless the configuration changes.
 
-Inspect file `group_vars/authca` and change relevant information, to match
-your organization (country, province, city, organization name, email, organization unit).
-
-Note that you won't be able to change those, afterwards.
+Create `inventory.yml` from `inventory.yml.samle` and check variables therein.
+Also, inspect and update files under `group_vars`, to match your organization
+(country, province, city, organization name, email, organization unit: you won't be
+able to change these for `authca`, afterwards.) and network configuration.
 
 Execute the `setup.yml` playbook:
    ```
diff --git a/group_vars/openvpn b/group_vars/openvpn
index 668c18f..25e43a5 100644
--- a/group_vars/openvpn
+++ b/group_vars/openvpn
@@ -1,3 +1,23 @@
+openvpnDNstring: '"My org  OpenVPN server"'
+vpnproto: tcp
+vpnport: 443
+
+#
+# Configure ufw firewall
+#
+fwrules:
+  - {name: "OpenSSH", rule: "allow"}
+
+#
+# Configurations to be passed to clients
+#
+pushtoclient:
+  - {param: "route", value: "{{ lannetwork }} {{ lannetmask }}"}
+  - {param: "redirect-gateway", value: "def1 bypass-dhcp"}
+  - {param: "dhcp-option", value: "DNS 208.67.222.222"}
+  - {param: "dhcp-option", value: "DNS 208.67.220.220"}
+
+
 clientconfig:
   cfghome:   /home/ubuntu/client-configs
   cfghomeusr: ubuntu
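Review bot: The new `pushtoclient` defaults (L59-L62) silently make every client full-tunnel — `redirect-gateway def1 bypass-dhcp` sends all client traffic through the server and the two `dhcp-option DNS` lines hand DNS to a third-party resolver — yet nothing in the file says so. A comment above the list such as `# redirect-gateway routes ALL client traffic (and DNS) via the VPN; remove it for split-tunnel clients` would let operators make that choice deliberately. Both `fwrules` and `pushtoclient` use flow mappings (`- {param: ..., value: ...}`) for structured records; block style diffs better and matches the `clientconfig` section below.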
@@ -5,4 +25,8 @@ clientconfig:
   clients:
   - piopio:
     nameshort: piopioSrv
-    CommonName: '"Server di Piopio"'
\ No newline at end of file
+    CommonName: '"Server di Piopio"'
+  - newGen:
+    nameshort: nextGenSrv
+    CommonName: '"Server NextGeneration"'
+
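Review bot: `- newGen:` followed by `nameshort:` at the same column (L75-L77) yields a single mapping of three keys in which `newGen` carries a null value, copying the shape of the existing `piopio` entry; the label is dead data if the tasks only read `item.nameshort` and `item.CommonName`, as the clientvpn role appears to. If the label is meant to be used, `- name: newGen` makes it a real field; if not, dropping it avoids a null-valued key that may puzzle the next reader.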
diff --git a/inventory.yml.sample b/inventory.yml.sample
index 00cce97..111e16d 100644
--- a/inventory.yml.sample
+++ b/inventory.yml.sample
@@ -2,27 +2,29 @@
 1.2.3.4
 
 [openvpn:vars]
-ansible_user=ansible
-openvpnDNstring='"My org  OpenVPN server"'
-vpnproto=tcp
-vpnport=443
+#
+# Check more configuration variables under: group_vars/openvpn
+#
+vpnpublicip=90.147.152.92
+# This network will be pushed to clients.
+# If you need to push more networks, please see group_vars/openvpn
 lannetwork=10.111.0.0
 lannetmask=255.255.0.0
+#
+vpninterface=ens3
 vpnnetwork=10.10.10.0
 vpnnetmask=255.255.255.0
-vpninterface=ens3
-vpnpublicip=1.2.3.4
+
 
 [authca]
 5.6.7.8
 
 [authca:vars]
-ansible_user=ansible
 authcaDNstring='"My org Root CA"'
 
 [all:children]
 openvpn
 authca
 
-[dnsall:vars]
+[all:vars]
 ansible_user=ansible
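Review bot: `vpnpublicip=90.147.152.92` (L94) replaces the placeholder `1.2.3.4` with what looks like a real public address in a sample inventory, while the host entries above and below keep placeholders. A committed sample should not carry a live endpoint; `vpnpublicip=1.2.3.4` keeps it obviously editable. The `[all:vars]` rename fixes the previous stray `[dnsall:vars]` group, so `ansible_user` now applies to both groups as intended.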
diff --git a/roles/clientvpn/tasks/main.yml b/roles/clientvpn/tasks/main.yml
index 6fca5a1..3891321 100644
--- a/roles/clientvpn/tasks/main.yml
+++ b/roles/clientvpn/tasks/main.yml
@@ -1,26 +1,28 @@
 ---
 # tasks file for clientvpn
 
-# all variables are defined under group_vars and this role is meant to be executed on OpenVPN server only
+# Prepare request for a client, transfer to easyrca for signing, 
+# transfer back and store locally
+
+- name: create directory to store client certificates
+  file:
+    state: directory
+    path: "{{ item }}"
+    mode: 01700
+    owner: "{{ clientconfig.cfghomeusr }}"
+    group: "{{ clientconfig.cfghomegrp }}"
+  with_items:
+  - "{{ clientconfig.cfghome }}"
+  - "{{ clientconfig.cfghome }}/reqs"
+  - "{{ clientconfig.cfghome }}/keys"
+  - "{{ clientconfig.cfghome }}/crts"
+  - "{{ clientconfig.cfghome }}/files"
+  delegate_to: localhost
+  run_once: True
 
 - name: prepare request
   block:
 
-  - name: create directory to store client certificates
-    file:
-      state: directory
-      path: "{{ item }}"
-      mode: 01700
-      owner: "{{ clientconfig.cfghomeusr }}"
-      group: "{{ clientconfig.cfghomegrp }}"
-    with_items:
-    - "{{ clientconfig.cfghome }}"
-    - "{{ clientconfig.cfghome }}/reqs"
-    - "{{ clientconfig.cfghome }}/keys"
-    - "{{ clientconfig.cfghome }}/crts"
-    - "{{ clientconfig.cfghome }}/files"
-    delegate_to: localhost
-
   - name: copy ca.crt and ta.key to clientconfig
     fetch:
       src: /etc/openvpn/{{ item }}
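Review bot: `run_once: True` (L147) uses the capitalised boolean; the rest of the role's truthy values are lowercase, so `run_once: true` keeps the file consistent and yamllint-clean. The header comment at L130 ends with trailing whitespace and names `easyrca`, presumably `easyrsa`. Moving the directory task out of the `prepare request` block also means it no longer inherits that block's `when` (the block's conditions are outside this hunk), so it now runs once for whichever host comes first in the play — likely intended with `delegate_to: localhost`, but worth stating in the comment.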
@@ -48,7 +50,6 @@
       fail_on_missing: yes
     with_items:
     - "{{ clientconfig.clients }}"
-
   - name: transfer keys to localhost
     fetch:
       src: "{{ easyrsaBasedir }}/{{ easyrsaSubdir }}/pki/private/{{ item.nameshort }}.key"
@@ -116,6 +117,8 @@
   when:
   - inventory_hostname in groups['authca']
 
+###
+
 - name: produce final configuration file
   block:
   
diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml
index 79b636f..19ae98e 100644
--- a/roles/setup/tasks/main.yml
+++ b/roles/setup/tasks/main.yml
@@ -1,54 +1,31 @@
 ---
 # tasks file for setup
 
+
 ### get_distribution
 - include: loadVariables.yml
 
+
 ### Install base repositories and packages
+- include: pkgInstall.yml
 
-- name: install Debian/Ubuntu repository keys, see under vars/
-  apt_key:
-    url: "{{ item }}"
-    state: present
-  with_items:
-    - "{{ extrakeys }}"
-  when: ansible_os_family == 'Debian' and (extrakeys is defined) and (extrakeys is not none) and (extrakeys | trim != '')
-
-- name: Debian/Ubuntu update package cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == 'Debian'
-
-- name: install useful apt repositories, see under vars/
-  apt_repository:
-    repo: "{{ item }}"
-    state: present
-    update_cache: yes
-  with_items:
-    - "{{ extrarepos }}"
-  when: ansible_os_family == 'Debian' and (extrarepos is defined) and (extrarepos is not none) and (extrarepos | trim != '')
-
-- name: install useful packages, see under vars/
-  package: name={{ item }} state=latest
-  with_items:
-    - "{{ extrapackages }}"
 
 ### Install specific packages
 
-- name: install useful packages, see under vars/
+- name: install openvpn packages
   package: name={{ item }} state=latest
   with_items:
     - openvpn
   when:
     - inventory_hostname in groups['openvpn']
 
+
 ### Install EasyRSA
 
 - name: prepare destination directory
   file:
     state: directory
     path: "{{ easyrsaBasedir }}"
-
 - name: clone EasyRSA Git repository
   git:
     repo: https://github.com/OpenVPN/easy-rsa.git
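Review bot: `- include: pkgInstall.yml` (L201) uses the bare `include` directive, which Ansible deprecated in 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); the existing `loadVariables.yml` include at L197 has the same issue. The `install openvpn packages` task (L233-L238) keeps the `name={{ item }} state=latest` shorthand — block YAML with `state: present` is clearer, and `latest` upgrades openvpn on every run, which is usually not what a setup role wants. The `git:` clone of easy-rsa at L248-L250 continues outside the hunk, so whether it pins a `version:` is not visible here.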
@@ -60,6 +37,7 @@
 
 - name: configure variables for EasyRSA
   block:
+  
    - name: create vars file from example
      shell: cp -p vars.example vars
      args:
@@ -100,10 +78,11 @@
   when:
     - inventory_hostname in groups['authca']
 
-#####
+### Create openvpn certificate and sign it
 
 - name: generate openvpn certificate
   block:
+  
   - name: create CA request on openvpn
     shell: ./easyrsa gen-req server nopass
     args:
@@ -171,6 +150,7 @@
   when:
   - inventory_hostname in groups['authca']
 
+### Copy signed certificate back to openvpn, create dh.pem, tl.key, configure sysctl and ufw firewall
 
 - name: final configuration for openvpn files, server.conf, sysctl
   block:
@@ -187,7 +167,7 @@
       chdir: "{{ easyrsaBasedir }}/{{ easyrsaSubdir }}"
       creates: "{{ easyrsaBasedir }}/{{ easyrsaSubdir }}/pki/dh.pem"
   - name: move dh.pem to /etc/openvpn/
-    shell: mv "{{ easyrsaBasedir }}/{{ easyrsaSubdir }}/pki/dh.pem" /etc/openvpn/
+    shell: cp -p "{{ easyrsaBasedir }}/{{ easyrsaSubdir }}/pki/dh.pem" /etc/openvpn/
     args:
       creates: /etc/openvpn/dh.pem
   - name: execute openvpn --genkey --secret ta.key
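Review bot: Switching `mv` to `cp -p` (L285) is the right fix, since the generating task's `creates:` points at the pki copy and a move would trigger regeneration on every run, but the same result is available without `shell`: the `copy` module with `remote_src: true`, `src` set to the pki path and `dest: /etc/openvpn/dh.pem` is idempotent, reports changes correctly and lets you set `mode`/`owner` explicitly. Note that with the current `creates: /etc/openvpn/dh.pem`, a regenerated `dh.pem` in pki is never copied again.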
@@ -218,8 +198,6 @@
         -A POSTROUTING -s {{ vpnnetwork }} -o {{ vpninterface }} -j MASQUERADE
         COMMIT
         # END OPENVPN RULES
-
-
   - name: update /etc/default/ufw file
     lineinfile:
       path: /etc/default/ufw
@@ -229,19 +207,18 @@
       backrefs: yes
     with_items:
       - { state: "present", line: 'DEFAULT_FORWARD_POLICY="ACCEPT"', regex: 'DEFAULT_FORWARD_POLICY'}
-
   - name: add ufw rule for OpenSSH
     ufw:
-      rule: allow
-      name: OpenSSH
-
+      rule: "{{ item.rule }}"
+      name: "{{ item.name }}"
+    with_items:
+    - "{{ fwrules }}"
   - name: add ufw rule for VPN traffic
     ufw:
       rule: allow
       proto: "{{ vpnproto }}"
       port: "{{ vpnport }}"
       state: enabled
-
   - name: start openvpn service
     service:
       name: openvpn@server
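Review bot: The task name `add ufw rule for OpenSSH` (L303) is now stale, since the task loops over `fwrules`; `- name: add ufw rules from fwrules` describes it. Because the following task enables ufw (`state: enabled`, L317), `fwrules` must keep an allow rule for the management port or the run may cut off its own SSH session — a comment next to `fwrules` in `group_vars/openvpn` saying so would prevent that. The loop only maps `rule` and `name`, so entries with `port`/`proto` are silently unsupported; `loop: "{{ fwrules }}"` also reads more directly than wrapping the list inside `with_items`.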
@@ -250,4 +227,3 @@
 
   when:
   - inventory_hostname in groups['openvpn']
-
diff --git a/roles/setup/tasks/pkgInstall.yml b/roles/setup/tasks/pkgInstall.yml
new file mode 100644
index 0000000..9c2b210
--- /dev/null
+++ b/roles/setup/tasks/pkgInstall.yml
@@ -0,0 +1,30 @@
+---
+# install some repos and packages
+
+- name: install Debian/Ubuntu repository keys, see under vars/
+  apt_key:
+    url: "{{ item }}"
+    state: present
+  with_items:
+    - "{{ extrakeys }}"
+  when: ansible_os_family == 'Debian' and (extrakeys is defined) and (extrakeys is not none) and (extrakeys | trim != '')
+
+- name: Debian/Ubuntu update package cache
+  apt:
+    update_cache: yes
+  when: ansible_os_family == 'Debian'
+
+- name: install useful apt repositories, see under vars/
+  apt_repository:
+    repo: "{{ item }}"
+    state: present
+    update_cache: yes
+  with_items:
+    - "{{ extrarepos }}"
+  when: ansible_os_family == 'Debian' and (extrarepos is defined) and (extrarepos is not none) and (extrarepos | trim != '')
+
+- name: install useful packages, see under vars/
+  package: name={{ item }} state=latest
+  with_items:
+    - "{{ extrapackages }}"
+
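Review bot: `update_cache: yes` (L346, L353) uses a YAML 1.1 truthy; `true` is the canonical form and what yamllint expects. The `package: name={{ item }} state=latest` shorthand (L359) is better written as block YAML, and `latest` upgrades every listed package on each run rather than just ensuring presence. Keys installed via `apt_key` (L337-L339) land in the globally trusted keyring, so any key in `extrakeys` can sign any configured repository; if that is acceptable, a comment saying so helps, otherwise a `signed-by` option in the `extrarepos` entries scopes each key to its repository.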
diff --git a/roles/setup/templates/openvpn.server.conf.j2 b/roles/setup/templates/openvpn.server.conf.j2
index a84d05e..11c448e 100644
--- a/roles/setup/templates/openvpn.server.conf.j2
+++ b/roles/setup/templates/openvpn.server.conf.j2
@@ -1,7 +1,6 @@
 port {{ vpnport }}
 proto {{ vpnproto }}
 server {{ vpnnetwork }} {{ vpnnetmask }}
-push "route {{ lannetwork }} {{ lannetmask }}"
 # ifconfig 
 explicit-exit-notify {{ "0" if vpnproto == "tcp" else "1" }}
 
@@ -21,7 +20,7 @@ persist-tun
 status /var/log/openvpn/openvpn-status.log
 verb 3
 ifconfig-pool-persist /var/log/openvpn/ipp.txt
-push "redirect-gateway def1 bypass-dhcp"
-push "dhcp-option DNS 208.67.222.222"
-push "dhcp-option DNS 208.67.220.220"
 
+{% for pushelement in pushtoclient %}
+push "{{ pushelement.param }}  {{ pushelement.value }}"
+{% endfor %}
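Review bot: The rendered push line at L384 has two spaces between `{{ pushelement.param }}` and `{{ pushelement.value }}`, unlike the single-spaced lines it replaces; `push "{{ pushelement.param }} {{ pushelement.value }}"` keeps the output identical to before. The values are interpolated raw inside a double-quoted directive, so a `pushtoclient` value containing `"` would break the config line; group_vars are operator-controlled, but a one-line comment on `pushtoclient` noting the restriction would save a confusing startup failure. The template's remaining directives are outside this hunk.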
-- 
GitLab