Merge branch 'master' of https://github.com/perurbis/sovereign

roles/vpn/tasks/openvpn.yml

@@ -17,10 +17,14 @@
     - ca
     - server
 
+- name: Create directories for clients
+  file: path={{ openvpn_path}}/{{ item }} state=directory
+  with_items: openvpn_clients
+
 - name: Generate RSA keys for the clients
-  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
-           chdir={{ openvpn_path }}
-           creates={{ item }}.key
+  command: openssl genrsa -out client.key {{ openvpn_key_size }}
+           chdir={{ openvpn_path }}/{{ item }}
+           creates=client.key
   with_items: openvpn_clients
 
 - name: Set the proper permissions on all RSA keys
@@ -64,15 +68,20 @@
            creates=server.crt
 
 - name: Generate CSRs for the clients
-  command: openssl req -new -key {{ item }}.key -out {{ item }}.csr -subj "{{ openssl_request_subject }}/CN={{ item }}" 
-           chdir={{ openvpn_path }}
-           creates={{ item }}.csr
+  command: openssl req -new -key client.key -out client.csr -subj "{{ openssl_request_subject }}/CN={{ item }}"
+           chdir={{ openvpn_path }}/{{ item }}
+           creates=client.csr
   with_items: openvpn_clients
 
 - name: Generate certificates for the clients
-  command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -days {{ openvpn_days_valid }} -in {{ item }}.csr -out {{ item }}.crt
-           chdir={{ openvpn_path }}
-           creates={{ item }}.crt
+  command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -days {{ openvpn_days_valid }} -in client.csr -out client.crt
+           chdir={{ openvpn_path }}/{{ item }}
+           creates=client.crt
+  with_items: openvpn_clients
+
+- name: Create the client configs
+  template: src=client.cnf.j2
+            dest={{ openvpn_path }}/{{ item }}/{{ openvpn_server }}.ovpn
   with_items: openvpn_clients
 
 - name: Generate HMAC firewall key
@@ -109,22 +118,18 @@
   copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
   notify: restart dnsmasq
 
-- name: Retrieve the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
-  fetch: src={{ openvpn_path }}/{{ item }}
-         dest=/tmp/sovereign-openvpn-files
-  with_items:
-    - ca.crt
-    - ta.key
+- name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
+  command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
+  with_nested:
+    - openvpn_clients
+    - ["ca.crt", "ta.key"]
 
-- name: Retrieve the certificates that clients will need in order to connect to the OpenVPN server
-  fetch: src={{ openvpn_path }}/{{ item }}.crt
+- name: Retrieve the files that clients will need in order to connect to the OpenVPN server
+  fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
          dest=/tmp/sovereign-openvpn-files
-  with_items: openvpn_clients
-
-- name: Retrieve the keys that clients will need in order to connect to the OpenVPN server
-  fetch: src={{ openvpn_path }}/{{ item }}.key
-         dest=/tmp/sovereign-openvpn-files
-  with_items: openvpn_clients
+  with_nested:
+    - openvpn_clients
+    - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
 
 - pause: seconds=5
          prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."

roles/vpn/templates/client.cnf.j2

@@ -0,0 +1,16 @@
+client
+dev tun
+proto udp
+remote {{ openvpn_server }} 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+
+ca ca.crt
+cert client.crt
+key client.key
+ns-cert-type server
+tls-auth ta.key 1
+comp-lzo
+verb 3

vars/defaults.yml

@@ -51,6 +51,7 @@ openvpn_path: "/etc/openvpn"
 openvpn_ca: "{{ openvpn_path }}/ca"
 openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
 openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
+openvpn_server: "{{ domain }}"
 # openvpn_clients: (required)
 
 # webmail