modified vpn role to allow routing to private net

roles/vpn/README.md

@@ -0,0 +1,57 @@
+# OpenVPN
+
+This is the standard 'upstream' sovereign OpenVPN stuff.
+The files that you need are now in secret/sovereign-openvpn-files.
+Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'.
+
+The one major change is the option of enabling 'openvpn_enable_sub_routing' in your config.
+See the defaults in here for the available settings.
+
+This then looks something like:
+
+       ----------
+      | VPS      |
+      | 10.8.0.1 |
+       ----------
+         |
+         | Internet
+         | VPN
+         |            -----------
+         |-----------| Phone     |
+         |           | 10.8.0.42 |
+         |            -----------
+         |
+       --|------------------------------------------
+      |  |                                     Home |
+      |  |                                          |
+      |  |      -------------       -------------   |
+      |  |     | Router      |     | Bridge      |  |
+      |   -----| 192.168.0.1 |-----| 192.168.0.2 |  |
+      |        |             |     | 10.8.0.2    |  |
+      |         -------------       -------------   |
+      |               |                             |
+      |               |                             |
+      |         -------------                       |
+      |        | Server      |                      |
+      |        | 192.168.0.3 |                      |
+      |         -------------                       |
+       ---------------------------------------------
+
+In this scenario, your devices 'on the go', like the Phone above, want to connect to devices in your home network, like the Server, via the VPN connection over our sovereign VPS.
+This can easily accomplished with these configs.
+For the devices in your home network to be able to reach the devices on the VPN network, you need to add a static route to the Router above, that routes all traffic for 10.8.0.0/24 via 192.168.0.2, the Bridge.
+
+On the Bridge, do something like this, after installing eg. Ubuntu Server on the machine:
+
+    ssh-copy-id -i ~/.ssh/id_ecdsa thomas@vpn-bridge
+    scp sovereign/secret/sovereign-openvpn-files/eddie.xythobuz.de/etc/openvpn/nas/xythobuz.de.ovpn bridge:~/client.ovpn
+    ssh bridge
+    sudo apt-get install openvpn
+    sudo cp client.ovpn /etc/openvpn/client_vpn.conf
+    
+    sudo vim /etc/sysctl.conf
+    # uncomment line net.ipv4.ip_forward=1
+    
+    sudo reboot
+
+This will then allow devices connected to the VPN to just reach the 192.168.0.X devices without any further configuration.

roles/vpn/defaults/main.yml

@@ -1,8 +1,6 @@
 # Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
 # Check privacy: http://witch.valdikss.org.ru/
 
-openvpn_ip_start: "10.8.0"
-
 openvpn_key_country:  "US"
 openvpn_key_province: "California"
 openvpn_key_city: "Beverly Hills"
@@ -26,3 +24,9 @@ openvpn_verb: "3" # "0" for anonymity
 openvpn_tls_version_min: "tls-version-min 1.2"
 openvpn_tls_cipher: "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
 openvpn_clients: []
+openvpn_ip_start: "10.8.0" # VPN Net XX.XX.XX.ZZ, server is always XX.XX.XX.1. Enter XX.XX.XX here. using /24
+openvpn_enable_sub_routing: 0
+openvpn_sub_routing_client: "nas"
+openvpn_sub_routing_network: "192.168.0.0"
+openvpn_enable_custom_dns: 0
+openvpn_custom_dns: ""

roles/vpn/tasks/openvpn.yml

@@ -146,6 +146,15 @@
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn
 
+- name: Create client specific config directory
+  file: state=directory path=/etc/openvpn/ccd owner=root group=root
+  when: openvpn_enable_sub_routing == 1
+
+- name: Copy OpenVPN configuration file into place
+  template: src=etc_openvpn_ccd_{{ openvpn_sub_routing_client }}.j2 dest=/etc/openvpn/ccd/{{ openvpn_sub_routing_client }} owner=root group=root mode=0666
+  notify: restart openvpn
+  when: openvpn_enable_sub_routing == 1
+
 - name: Enable OpenVPN server systemd service unit
   service: name=openvpn@server enabled=yes
 
@@ -172,7 +181,3 @@
   with_nested:
     - "{{ openvpn_clients }}"
     - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
-
-- name: Pause 5s seconds for OpenVPN ready
-  pause: seconds=5
-         prompt="You are ready to set up your OpenVPN clients. The files that you need are in {{ secret }}/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."

roles/vpn/templates/etc_openvpn_ccd_nas.j2

@@ -0,0 +1,2 @@
+iroute {{ openvpn_sub_routing_network }} 255.255.255.0
+ifconfig-push {{ openvpn_ip_start }}.2 255.255.255.0

roles/vpn/templates/etc_openvpn_server.conf.j2

@@ -96,8 +96,27 @@ dh dh{{ openvpn_key_size }}.pem
 # Each client will be able to reach the server
 # on 10.8.0.1. Comment this line out if you are
 # ethernet bridging. See the man page for more info.
+
+{% if openvpn_enable_sub_routing == 1 %}
+
+mode server
+tls-server
+topology "subnet"
+push "topology subnet"
+
+ifconfig {{ openvpn_ip_start }}.1 255.255.255.0
+push "route-gateway {{ openvpn_ip_start }}.1"
+ifconfig-pool {{ openvpn_ip_start }}.50 {{ openvpn_ip_start }}.250 255.255.255.0
+
+client-config-dir /etc/openvpn/ccd
+route {{ openvpn_sub_routing_network }} 255.255.255.0
+
+{% else %}
+
 server {{ openvpn_ip_start }}.0 255.255.255.0
 
+{% endif %}
+
 # Maintain a record of client <-> virtual IP address
 # associations in this file.  If OpenVPN goes down or
 # is restarted, reconnecting clients can be assigned
@@ -188,8 +207,18 @@ ifconfig-pool-persist ipp.txt
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
 push "redirect-gateway def1"
+
+
+{% if openvpn_enable_custom_dns == 1 %}
+
+push "dhcp-option DNS {{ openvpn_custom_dns }}"
+
+{% else %}
+
 push "dhcp-option DNS {{ openvpn_ip_start }}.1"
 
+{% endif %}
+
 # Certain Windows-specific network settings
 # can be pushed to clients, such as DNS
 # or WINS server addresses.  CAVEAT:
@@ -265,8 +294,8 @@ comp-lzo
 #
 # You can uncomment this out on
 # non-Windows systems.
-user nobody
-group nogroup
+#user nobody
+#group nogroup
 
 # The persist options will try to avoid
 # accessing certain resources on restart

site.yml

@@ -14,8 +14,9 @@
     - mailserver
     - webmail
     - gitea
-  #  - vpn
-    - monitoring
+    - vpn
+    - backup
+    - monitoring # Monitoring role should be last. See roles/monitoring/README.md
 
   # These are all roles in one
   #roles: