Browse source

* Completely refactored the VPN role

  * OpenVPN setup is now fully automated. No configuration changes
    are necessary (though the defaults can easily be modified) and
    all manual command line steps have been eliminated.

  * Removed the dependency on easy-rsa in favor of pure OpenSSL and
    OpenVPN commands that are executed by Ansible

  * Improved the security of the OpenVPN configuration
    * Increased the default key size to 2048
    * RSA keys are only readable by root
    * The cipher and authentication digest are now configurable. If
      your client supports it, you can use AES-256-CBC and SHA256
      instead of BF-CBC (Blowfish) and SHA1 which are the defaults.
      Or you can be a really cool, paranoid, crypto hipster and
      use CAMELLIA-256-CBC and SHA512 with an RSA key size of 4096.
    * Enabled "HMAC firewall" functionality using the tls-auth option
      and automated the generation of the 'ta' key that it depends on
    * The OpenVPN daemon becomes an unprivileged user after it starts

  * Automated the retrieval of the files that clients will need in
    order to connect to OpenVPN

  * A pause prompt outputs basic configuration information after the
    role has finished running

  * Variables are referenced using the new Ansible variable format
    (e.g. {{ var }} instead of $var)

  * Added a flush_handlers command to the role that ensures OpenVPN
    will restart prior to dnsmasq (fixes issue #63)

  * Fixed two bugs that were preventing packet forwarding for IPv4
    from being enabled correctly
Joshua Lund 11 years ago
parent
commit
93ebde0d95

+ 1
- 1
README.textile View file

@@ -122,7 +122,7 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
122 122
 
123 123
 bc. ansible-playbook -i ./hosts --tags=ferm site.yml
124 124
 
125
-You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary. OpenVPN in particular requires a bunch of manual command line intervention to get running.
125
+You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary.
126 126
 
127 127
 h3. 6. Set up DNS
128 128
 
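Review bot: the paragraph kept at +125 still tells readers that failures are "probably because something needs to be done manually" and that comments mark where manual intervention is needed, while the point of this commit is that the VPN role no longer has any such step; either narrow the sentence to the roles that still require manual work or drop it, and add a line here saying that the client files are fetched to /tmp/sovereign-openvpn-files, since that is the only thing a reader now needs to know about OpenVPN.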

+ 98
- 29
roles/vpn/tasks/openvpn.yml View file

@@ -3,50 +3,97 @@
3 3
 # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
4 4
 
5 5
 - name: Install OpenVPN and dependencies from apt
6
-  apt: pkg=$item state=installed
6
+  apt: pkg={{ item }} state=installed
7 7
   with_items:
8 8
     - openvpn
9 9
     - udev
10 10
     - dnsmasq
11 11
 
12
-- name: Copy setup scripts into place
13
-  command: cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
12
+- name: Generate RSA keys for the CA and Server
13
+  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
14
+           chdir={{ openvpn_path }}
15
+           creates={{ item }}.key
16
+  with_items:
17
+    - ca
18
+    - server
14 19
 
15
-- name: Put easy-rsa parameter settings in place
16
-  template: src=etc_openvpn_easy-rsa_2.0_vars.j2 dest=/etc/openvpn/easy-rsa/2.0/vars
20
+- name: Generate RSA keys for the clients
21
+  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
22
+           chdir={{ openvpn_path }}
23
+           creates={{ item }}.key
24
+  with_items: openvpn_clients
17 25
 
18
-###### manually:
19
-# cd /etc/openvpn/easy-rsa/2.0/
20
-# . /etc/openvpn/easy-rsa/2.0/vars
21
-# . /etc/openvpn/easy-rsa/2.0/clean-all
22
-# . /etc/openvpn/easy-rsa/2.0/build-ca
23
-# . /etc/openvpn/easy-rsa/2.0/build-key-server server
24
-#
25
-# for each client:
26
-# . /etc/openvpn/easy-rsa/2.0/build-key $client_name
27
-#####
26
+- name: Set the proper permissions on all RSA keys
27
+  file: path={{ openvpn_path }}
28
+        recurse=yes
29
+        state=directory
30
+        owner=root
31
+        group=root
32
+        mode=600
28 33
 
29
-- name: Generate Diffie-Hellman parameters
30
-  command: . /etc/openvpn/easy-rsa/2.0/build-dh creates=/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
34
+- name: Generate CA certificate
35
+  command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -subj "{{ openssl_request_subject }}/CN=ca-certificate"
36
+           creates={{ openvpn_ca }}.crt
31 37
 
32
-- name: Copy certificates and key files into place
33
-  command: cp /etc/openvpn/easy-rsa/2.0/keys/$item /etc/openvpn creates=/etc/openvpn/$item
34
-  with_items:
35
-    - ca.crt
36
-    - ca.key
37
-    - dh1024.pem
38
-    - server.crt
39
-    - server.key
38
+- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
39
+  # Properly sets the attributes that are described here:
40
+  # openvpn.net/index.php/open-source/documentation/howto.html#mitm
41
+  #
42
+  # This is required in order for the 'ns-cert-type server' option to
43
+  # work, which is enabled by default in most standard client.conf
44
+  # files.
45
+  template: src=openssl-server-certificate.cnf.j2
46
+            dest={{ openvpn_path }}/openssl-server-certificate.cnf
47
+
48
+- name: Seed a blank database file that will be used when generating the Server's certificate
49
+  command: touch {{ openvpn_path }}/index.txt
50
+           creates={{ openvpn_path }}/index.txt
51
+
52
+- name: Seed a serial file that will be used when generating the Server's certificate
53
+  shell: echo 01 > {{ openvpn_path }}/serial
54
+         creates={{ openvpn_path }}/serial
55
+
56
+- name: Generate CSR for the Server
57
+  command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ openvpn_path }}/openssl-server-certificate.cnf
58
+           chdir={{ openvpn_path }}
59
+           creates=server.csr
60
+
61
+- name: Generate certificate for the Server
62
+  command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl-server-certificate.cnf
63
+           chdir={{ openvpn_path }}
64
+           creates=server.crt
65
+
66
+- name: Generate CSRs for the clients
67
+  command: openssl req -new -key {{ item }}.key -out {{ item }}.csr -subj "{{ openssl_request_subject }}/CN={{ item }}" 
68
+           chdir={{ openvpn_path }}
69
+           creates={{ item }}.csr
70
+  with_items: openvpn_clients
71
+
72
+- name: Generate certificates for the clients
73
+  command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -in {{ item }}.csr -out {{ item }}.crt
74
+           chdir={{ openvpn_path }}
75
+           creates={{ item }}.crt
76
+  with_items: openvpn_clients
77
+
78
+- name: Generate HMAC firewall key
79
+  command: openvpn --genkey --secret {{ openvpn_hmac_firewall }}
80
+           creates={{ openvpn_hmac_firewall }}
81
+
82
+- name: Generate Diffie–Hellman parameters (this will take a while)
83
+  command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
84
+           creates={{ openvpn_dhparam }}
40 85
 
41 86
 - name: Copy rc.local with firewall and dnsmasq rules into place
42 87
   copy: src=etc_rc.local dest=/etc/rc.local
43 88
 
44 89
 - name: Enable IPv4 traffic forwarding
45
-  lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.ip_forward" line="net.ipv4.ip_forward=1"
46
-- command: echo 1 > /proc/sys/net/ipv4/ip_forward
90
+  lineinfile: dest=/etc/sysctl.conf
91
+              regexp="^#?net.ipv4.ip_forward"
92
+              line="net.ipv4.ip_forward=1"
93
+- shell: echo 1 > /proc/sys/net/ipv4/ip_forward
47 94
 
48
-- name: Allow OpenVPN through firewall
49
-  command: $item
95
+- name: Allow OpenVPN through the firewall
96
+  command: "{{ item }}"
50 97
   with_items:
51 98
     - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
52 99
     - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
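Review bot: neither the CA certificate command (+35) nor the client certificate command (+73) passes -days, so `openssl req -x509` and `openssl x509 -req` fall back to their default 30-day validity: the CA and every client certificate expire a month after the first run, whereas the easy-rsa vars this replaces set CA_EXPIRE and KEY_EXPIRE to 3650. Add `-days 3650` (or a variable) to both commands; the server certificate is fine because openssl-server-certificate.cnf sets default_days. Two smaller points: the permissions task (+26) runs before ca.crt, server.csr/server.crt, ta.key and the DH parameters are written, so those files are outside its scope; moving it after the dhparam task covers everything. And mode=600 with recurse=yes also removes the execute bit from {{ openvpn_path }} itself, which only works because every reader (the daemon before it drops to nobody, and the fetch tasks) runs as root; 0700 for the directory would be the intended setting.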
@@ -57,7 +104,29 @@
57 104
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
58 105
   notify: restart openvpn
59 106
 
107
+# OpenVPN must restart first so the 10.8.0.0 interface is available
108
+# to dnsmasq
109
+- meta: flush_handlers
110
+
60 111
 - name: Copy dnsmasq configuration file into place
61 112
   copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
62 113
   notify: restart dnsmasq
63 114
 
115
+- name: Retrieve the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
116
+  fetch: src={{ openvpn_path }}/{{ item }}
117
+         dest=/tmp/sovereign-openvpn-files
118
+  with_items:
119
+    - ca.crt
120
+    - ta.key
121
+
122
+- name: Retrieve the certificates that clients will need in order to connect to the OpenVPN server
123
+  fetch: src={{ openvpn_path }}/{{ item }}.crt
124
+         dest=/tmp/sovereign-openvpn-files
125
+  with_items: openvpn_clients
126
+
127
+- name: Retrieve the keys that clients will need in order to connect to the OpenVPN server
128
+  fetch: src={{ openvpn_path }}/{{ item }}.key
129
+         dest=/tmp/sovereign-openvpn-files
130
+  with_items: openvpn_clients
131
+
132
+- pause: prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."
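Review bot: fetch without flat=yes stores each file under dest/<inventory hostname>/<remote path>, so the files land in /tmp/sovereign-openvpn-files/<host>/etc/openvpn/ rather than directly in the directory the pause prompt names (+132); either add flat=yes to the three fetch tasks (+116, +123, +128) or state the nested path in the prompt. The same three tasks also copy every client private key into a shared /tmp directory on the control machine; a destination under the operator's home, or a prompt line telling them to move and chmod the files, would keep the keys out of a world-traversable location.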

+ 0
- 72
roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2 View file

@@ -1,72 +0,0 @@
1
-# easy-rsa parameter settings
2
-
3
-# NOTE: If you installed from an RPM,
4
-# don't edit this file in place in
5
-# /usr/share/openvpn/easy-rsa --
6
-# instead, you should copy the whole
7
-# easy-rsa directory to another location
8
-# (such as /etc/openvpn) so that your
9
-# edits will not be wiped out by a future
10
-# OpenVPN package upgrade.
11
-
12
-# This variable should point to
13
-# the top level of the easy-rsa
14
-# tree.
15
-export EASY_RSA="`pwd`"
16
-
17
-#
18
-# This variable should point to
19
-# the requested executables
20
-#
21
-export OPENSSL="openssl"
22
-export PKCS11TOOL="pkcs11-tool"
23
-export GREP="grep"
24
-
25
-# This variable should point to
26
-# the openssl.cnf file included
27
-# with easy-rsa.
28
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
29
-
30
-# Edit this variable to point to
31
-# your soon-to-be-created key
32
-# directory.
33
-#
34
-# WARNING: clean-all will do
35
-# a rm -rf on this directory
36
-# so make sure you define
37
-# it correctly!
38
-export KEY_DIR="$EASY_RSA/keys"
39
-
40
-# Issue rm -rf warning
41
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
42
-
43
-# PKCS11 fixes
44
-export PKCS11_MODULE_PATH="dummy"
45
-export PKCS11_PIN="dummy"
46
-
47
-# Increase this to 2048 if you
48
-# are paranoid.  This will slow
49
-# down TLS negotiation performance
50
-# as well as the one-time DH parms
51
-# generation process.
52
-export KEY_SIZE=1024
53
-
54
-# In how many days should the root CA key expire?
55
-export CA_EXPIRE=3650
56
-
57
-# In how many days should certificates expire?
58
-export KEY_EXPIRE=3650
59
-
60
-# These are the default values for fields
61
-# which will be placed in the certificate.
62
-# Don't leave any of these fields blank.
63
-export KEY_COUNTRY="{{ openvpn_key_country }}"
64
-export KEY_PROVINCE="{{ openvpn_key_province }}"
65
-export KEY_CITY="{{ openvpn_key_city }}"
66
-export KEY_ORG="{{ openvpn_key_org }}"
67
-export KEY_EMAIL="{{ openvpn_key_email }}"
68
-export KEY_CN={{ openvpn_key_cn }}
69
-export KEY_NAME={{ openvpn_key_name }}
70
-export KEY_OU={{ openvpn_key_ou }}
71
-export PKCS11_MODULE_PATH=changeme
72
-export PKCS11_PIN=1234

+ 6
- 4
roles/vpn/templates/etc_openvpn_server.conf.j2 View file

@@ -84,7 +84,7 @@ key server.key  # This file should be kept secret
84 84
 #   openssl dhparam -out dh1024.pem 1024
85 85
 # Substitute 2048 for 1024 if you are using
86 86
 # 2048 bit keys. 
87
-dh dh1024.pem
87
+dh dh{{ openvpn_key_size }}.pem
88 88
 
89 89
 # Configure server mode and supply a VPN subnet
90 90
 # for OpenVPN to draw client addresses from.
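Review bot: the comment at 84-86 still walks the reader through running `openssl dhparam -out dh1024.pem 1024` by hand and substituting 2048; now that the role generates {{ openvpn_dhparam }} from openvpn_key_size, replace those three lines with a one-line note that the file is produced by the openvpn.yml task, so the template no longer contradicts the automation.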
@@ -238,7 +238,7 @@ keepalive 10 120
238 238
 # a copy of this key.
239 239
 # The second parameter should be '0'
240 240
 # on the server and '1' on the clients.
241
-;tls-auth ta.key 0 # This file is secret
241
+tls-auth ta.key 0 # This file is secret
242 242
 
243 243
 # Select a cryptographic cipher.
244 244
 # This config item must be copied to
@@ -246,6 +246,8 @@ keepalive 10 120
246 246
 ;cipher BF-CBC        # Blowfish (default)
247 247
 ;cipher AES-128-CBC   # AES
248 248
 ;cipher DES-EDE3-CBC  # Triple-DES
249
+cipher {{ openvpn_cipher }}
250
+auth {{ openvpn_auth_digest }}
249 251
 
250 252
 # Enable compression on the VPN link.
251 253
 # If you enable it here, you must also
@@ -261,8 +263,8 @@ comp-lzo
261 263
 #
262 264
 # You can uncomment this out on
263 265
 # non-Windows systems.
264
-;user nobody
265
-;group nogroup
266
+user nobody
267
+group nogroup
266 268
 
267 269
 # The persist options will try to avoid
268 270
 # accessing certain resources on restart
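Review bot: with user nobody and group nogroup now active (+266, +267), the daemon can no longer re-open server.key or ta.key (root-owned, mode 0600 after the permissions task) on a SIGUSR1 restart; the persist-key and persist-tun options that the following comment block (267-268) introduces must be enabled for the privilege drop to survive a restart, so confirm the template leaves them uncommented, or uncomment them in this hunk.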

+ 66
- 0
roles/vpn/templates/openssl-server-certificate.cnf.j2 View file

@@ -0,0 +1,66 @@
1
+[ ca ]
2
+default_ca = CA_default
3
+
4
+[ CA_default ]
5
+
6
+dir = {{ openvpn_path }}
7
+certs = $dir
8
+crl_dir = $dir
9
+database = $dir/index.txt
10
+new_certs_dir = $dir
11
+
12
+certificate = {{ openvpn_ca }}.crt
13
+serial = $dir/serial
14
+crl = $dir/crl.pem
15
+private_key = {{ openvpn_ca }}.key
16
+RANDFILE = $dir/.rand
17
+
18
+x509_extensions = server
19
+
20
+default_days = 3650
21
+default_crl_days= 30
22
+default_md = sha256
23
+preserve = no
24
+
25
+policy = policy_anything
26
+
27
+[ policy_anything ]
28
+countryName = optional
29
+stateOrProvinceName = optional
30
+localityName = optional
31
+organizationName = optional
32
+organizationalUnitName = optional
33
+commonName = supplied
34
+name = optional
35
+emailAddress = optional
36
+
37
+[ req ]
38
+distinguished_name = req_distinguished_name
39
+
40
+[ req_distinguished_name ]
41
+countryName = Country Name (2 letter code)
42
+countryName_default = {{ openvpn_key_country }}
43
+
44
+stateOrProvinceName = State or Province Name (full name)
45
+stateOrProvinceName_default = {{ openvpn_key_province }}
46
+
47
+localityName = Locality Name (eg, city)
48
+localityName_default = {{ openvpn_key_city }}
49
+
50
+0.organizationName = Organization Name (eg, company)
51
+0.organizationName_default = {{ openvpn_key_org }}
52
+
53
+organizationalUnitName = Organizational Unit Name (eg, section)
54
+organizationalUnitName_default = {{ openvpn_key_ou }}
55
+
56
+commonName = Common Name (eg, your name or your server\'s hostname)
57
+commonName_default = server
58
+
59
+[ server ]
60
+basicConstraints=CA:FALSE
61
+nsCertType = server
62
+nsComment = "Ansible Generated Server Certificate"
63
+subjectKeyIdentifier=hash
64
+authorityKeyIdentifier=keyid,issuer:always
65
+extendedKeyUsage=serverAuth
66
+keyUsage = digitalSignature, keyEncipherment
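Review bot: the [ server ] section sets extendedKeyUsage=serverAuth (+65) alongside nsCertType = server (+61), so clients can verify the server with `remote-cert-tls server`, which checks the EKU, instead of the Netscape-era `ns-cert-type server` that the comment in openvpn.yml targets; worth stating in the client instructions since this is what makes the certificate resistant to the MITM case the linked howto describes. One caveat for re-runs: [ CA_default ] does not set unique_subject, and `openssl ca` defaults it to yes, so if server.crt is deleted to force reissue while index.txt still holds the previous entry, the ca command fails on the duplicate subject; a comment next to the index.txt seeding task would save the next person that confusion.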

+ 17
- 8
vars/defaults.yml View file

@@ -56,14 +56,23 @@ znc_version: 1.0
56 56
 tarsnap_version: 1.0.35
57 57
 
58 58
 # # vpn
59
-# openvpn_key_country: TODO
60
-# openvpn_key_province: TODO
61
-# openvpn_key_city: TODO
62
-# openvpn_key_org: TODO
63
-# openvpn_key_email: TODO
64
-# openvpn_key_ou: TODO
65
-# openvpn_key_cn: TODO
66
-# openvpn_key_name: TODO
59
+openvpn_key_country:  "US"
60
+openvpn_key_province: "California"
61
+openvpn_key_city: "Beverly Hills"
62
+openvpn_key_org: "ACME CORPORATION"
63
+openvpn_key_ou: "Anvil Department"
64
+openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
65
+openvpn_key_size: "2048"
66
+openvpn_cipher: "BF-CBC"
67
+openvpn_auth_digest: "SHA1"
68
+openvpn_path: "/etc/openvpn"
69
+openvpn_ca: "{{ openvpn_path }}/ca"
70
+openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
71
+openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
72
+openvpn_clients:
73
+  - laptop
74
+  - phone
75
+  - tablet
67 76
 
68 77
 # # webmail
69 78
 # webmail_domain: TODO.com
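Review bot: openvpn_cipher and openvpn_auth_digest default to BF-CBC and SHA1 (+66, +67). Since the role now writes the server configuration and produces the client material itself, the client-compatibility argument for Blowfish is weak; defaulting to AES-256-CBC and SHA256, which the commit message already recommends, and letting users opt down would give an unmodified install the stronger configuration. Separately, the previous TODO placeholders forced users to fill in the subject fields, whereas "Beverly Hills" and "ACME CORPORATION" (+61, +62) now end up in real certificate subjects when nobody overrides them; harmless for OpenVPN, but a comment saying they are placeholders would help.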

+ 17
- 8
vars/user.yml View file

@@ -55,14 +55,23 @@
55 55
 # tarsnap_version: 1.0.35
56 56
 
57 57
 # # vpn
58
-# openvpn_key_country: TODO
59
-# openvpn_key_province: TODO
60
-# openvpn_key_city: TODO
61
-# openvpn_key_org: TODO
62
-# openvpn_key_email: TODO
63
-# openvpn_key_ou: TODO
64
-# openvpn_key_cn: TODO
65
-# openvpn_key_name: TODO
58
+# openvpn_key_country:  "US"
59
+# openvpn_key_province: "California"
60
+# openvpn_key_city: "Beverly Hills"
61
+# openvpn_key_org: "ACME CORPORATION"
62
+# openvpn_key_ou: "Anvil Department"
63
+# openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
64
+# openvpn_key_size: "2048"
65
+# openvpn_cipher: "BF-CBC"
66
+# openvpn_auth_digest: "SHA1"
67
+# openvpn_path: "/etc/openvpn"
68
+# openvpn_ca: "{{ openvpn_path }}/ca"
69
+# openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
70
+# openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
71
+# openvpn_clients:
72
+#   - laptop
73
+#   - phone
74
+#   - tablet
66 75
 
67 76
 # # webmail
68 77
 # webmail_domain: TODO.com
