Merge pull request #66 from jlund/openvpn-refactor

Completely refactored the VPN role

README.textile

@@ -122,7 +122,7 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
 
 bc. ansible-playbook -i ./hosts --tags=ferm site.yml
 
-You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary. OpenVPN in particular requires a bunch of manual command line intervention to get running.
+You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary.
 
 h3. 6. Set up DNS
 

roles/vpn/tasks/openvpn.yml

@@ -3,50 +3,97 @@
 # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
 
 - name: Install OpenVPN and dependencies from apt
-  apt: pkg=$item state=installed
+  apt: pkg={{ item }} state=installed
   with_items:
     - openvpn
     - udev
     - dnsmasq
 
-- name: Copy setup scripts into place
-  command: cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+- name: Generate RSA keys for the CA and Server
+  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
+           chdir={{ openvpn_path }}
+           creates={{ item }}.key
+  with_items:
+    - ca
+    - server
 
-- name: Put easy-rsa parameter settings in place
-  template: src=etc_openvpn_easy-rsa_2.0_vars.j2 dest=/etc/openvpn/easy-rsa/2.0/vars
+- name: Generate RSA keys for the clients
+  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
+           chdir={{ openvpn_path }}
+           creates={{ item }}.key
+  with_items: openvpn_clients
 
-###### manually:
-# cd /etc/openvpn/easy-rsa/2.0/
-# . /etc/openvpn/easy-rsa/2.0/vars
-# . /etc/openvpn/easy-rsa/2.0/clean-all
-# . /etc/openvpn/easy-rsa/2.0/build-ca
-# . /etc/openvpn/easy-rsa/2.0/build-key-server server
-#
-# for each client:
-# . /etc/openvpn/easy-rsa/2.0/build-key $client_name
-#####
+- name: Set the proper permissions on all RSA keys
+  file: path={{ openvpn_path }}
+        recurse=yes
+        state=directory
+        owner=root
+        group=root
+        mode=600
 
-- name: Generate Diffie-Hellman parameters
-  command: . /etc/openvpn/easy-rsa/2.0/build-dh creates=/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
+- name: Generate CA certificate
+  command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -subj "{{ openssl_request_subject }}/CN=ca-certificate"
+           creates={{ openvpn_ca }}.crt
 
-- name: Copy certificates and key files into place
-  command: cp /etc/openvpn/easy-rsa/2.0/keys/$item /etc/openvpn creates=/etc/openvpn/$item
-  with_items:
-    - ca.crt
-    - ca.key
-    - dh1024.pem
-    - server.crt
-    - server.key
+- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
+  # Properly sets the attributes that are described here:
+  # openvpn.net/index.php/open-source/documentation/howto.html#mitm
+  #
+  # This is required in order for the 'ns-cert-type server' option to
+  # work, which is enabled by default in most standard client.conf
+  # files.
+  template: src=openssl-server-certificate.cnf.j2
+            dest={{ openvpn_path }}/openssl-server-certificate.cnf
+
+- name: Seed a blank database file that will be used when generating the Server's certificate
+  command: touch {{ openvpn_path }}/index.txt
+           creates={{ openvpn_path }}/index.txt
+
+- name: Seed a serial file that will be used when generating the Server's certificate
+  shell: echo 01 > {{ openvpn_path }}/serial
+         creates={{ openvpn_path }}/serial
+
+- name: Generate CSR for the Server
+  command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ openvpn_path }}/openssl-server-certificate.cnf
+           chdir={{ openvpn_path }}
+           creates=server.csr
+
+- name: Generate certificate for the Server
+  command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl-server-certificate.cnf
+           chdir={{ openvpn_path }}
+           creates=server.crt
+
+- name: Generate CSRs for the clients
+  command: openssl req -new -key {{ item }}.key -out {{ item }}.csr -subj "{{ openssl_request_subject }}/CN={{ item }}" 
+           chdir={{ openvpn_path }}
+           creates={{ item }}.csr
+  with_items: openvpn_clients
+
+- name: Generate certificates for the clients
+  command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -in {{ item }}.csr -out {{ item }}.crt
+           chdir={{ openvpn_path }}
+           creates={{ item }}.crt
+  with_items: openvpn_clients
+
+- name: Generate HMAC firewall key
+  command: openvpn --genkey --secret {{ openvpn_hmac_firewall }}
+           creates={{ openvpn_hmac_firewall }}
+
+- name: Generate Diffie–Hellman parameters (this will take a while)
+  command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
+           creates={{ openvpn_dhparam }}
 
 - name: Copy rc.local with firewall and dnsmasq rules into place
   copy: src=etc_rc.local dest=/etc/rc.local
 
 - name: Enable IPv4 traffic forwarding
-  lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.ip_forward" line="net.ipv4.ip_forward=1"
-- command: echo 1 > /proc/sys/net/ipv4/ip_forward
+  lineinfile: dest=/etc/sysctl.conf
+              regexp="^#?net.ipv4.ip_forward"
+              line="net.ipv4.ip_forward=1"
+- shell: echo 1 > /proc/sys/net/ipv4/ip_forward
 
-- name: Allow OpenVPN through firewall
-  command: $item
+- name: Allow OpenVPN through the firewall
+  command: "{{ item }}"
   with_items:
     - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
     - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
@@ -57,7 +104,29 @@
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn
 
+# OpenVPN must restart first so the 10.8.0.0 interface is available
+# to dnsmasq
+- meta: flush_handlers
+
 - name: Copy dnsmasq configuration file into place
   copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
   notify: restart dnsmasq
 
+- name: Retrieve the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
+  fetch: src={{ openvpn_path }}/{{ item }}
+         dest=/tmp/sovereign-openvpn-files
+  with_items:
+    - ca.crt
+    - ta.key
+
+- name: Retrieve the certificates that clients will need in order to connect to the OpenVPN server
+  fetch: src={{ openvpn_path }}/{{ item }}.crt
+         dest=/tmp/sovereign-openvpn-files
+  with_items: openvpn_clients
+
+- name: Retrieve the keys that clients will need in order to connect to the OpenVPN server
+  fetch: src={{ openvpn_path }}/{{ item }}.key
+         dest=/tmp/sovereign-openvpn-files
+  with_items: openvpn_clients
+
+- pause: prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."

roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2

@@ -1,72 +0,0 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
-
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="$EASY_RSA/keys"
-
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid.  This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=1024
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=3650
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="{{ openvpn_key_country }}"
-export KEY_PROVINCE="{{ openvpn_key_province }}"
-export KEY_CITY="{{ openvpn_key_city }}"
-export KEY_ORG="{{ openvpn_key_org }}"
-export KEY_EMAIL="{{ openvpn_key_email }}"
-export KEY_CN={{ openvpn_key_cn }}
-export KEY_NAME={{ openvpn_key_name }}
-export KEY_OU={{ openvpn_key_ou }}
-export PKCS11_MODULE_PATH=changeme
-export PKCS11_PIN=1234

roles/vpn/templates/etc_openvpn_server.conf.j2

@@ -84,7 +84,7 @@ key server.key  # This file should be kept secret
 #   openssl dhparam -out dh1024.pem 1024
 # Substitute 2048 for 1024 if you are using
 # 2048 bit keys. 
-dh dh1024.pem
+dh dh{{ openvpn_key_size }}.pem
 
 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
@@ -238,7 +238,7 @@ keepalive 10 120
 # a copy of this key.
 # The second parameter should be '0'
 # on the server and '1' on the clients.
-;tls-auth ta.key 0 # This file is secret
+tls-auth ta.key 0 # This file is secret
 
 # Select a cryptographic cipher.
 # This config item must be copied to
@@ -246,6 +246,8 @@ keepalive 10 120
 ;cipher BF-CBC        # Blowfish (default)
 ;cipher AES-128-CBC   # AES
 ;cipher DES-EDE3-CBC  # Triple-DES
+cipher {{ openvpn_cipher }}
+auth {{ openvpn_auth_digest }}
 
 # Enable compression on the VPN link.
 # If you enable it here, you must also
@@ -261,8 +263,8 @@ comp-lzo
 #
 # You can uncomment this out on
 # non-Windows systems.
-;user nobody
-;group nogroup
+user nobody
+group nogroup
 
 # The persist options will try to avoid
 # accessing certain resources on restart

roles/vpn/templates/openssl-server-certificate.cnf.j2

@@ -0,0 +1,66 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+
+dir = {{ openvpn_path }}
+certs = $dir
+crl_dir = $dir
+database = $dir/index.txt
+new_certs_dir = $dir
+
+certificate = {{ openvpn_ca }}.crt
+serial = $dir/serial
+crl = $dir/crl.pem
+private_key = {{ openvpn_ca }}.key
+RANDFILE = $dir/.rand
+
+x509_extensions = server
+
+default_days = 3650
+default_crl_days= 30
+default_md = sha256
+preserve = no
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = {{ openvpn_key_country }}
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = {{ openvpn_key_province }}
+
+localityName = Locality Name (eg, city)
+localityName_default = {{ openvpn_key_city }}
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = {{ openvpn_key_org }}
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = {{ openvpn_key_ou }}
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_default = server
+
+[ server ]
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "Ansible Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment

vars/defaults.yml

@@ -56,14 +56,23 @@ znc_version: 1.0
 tarsnap_version: 1.0.35
 
 # # vpn
-# openvpn_key_country: TODO
-# openvpn_key_province: TODO
-# openvpn_key_city: TODO
-# openvpn_key_org: TODO
-# openvpn_key_email: TODO
-# openvpn_key_ou: TODO
-# openvpn_key_cn: TODO
-# openvpn_key_name: TODO
+openvpn_key_country:  "US"
+openvpn_key_province: "California"
+openvpn_key_city: "Beverly Hills"
+openvpn_key_org: "ACME CORPORATION"
+openvpn_key_ou: "Anvil Department"
+openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
+openvpn_key_size: "2048"
+openvpn_cipher: "BF-CBC"
+openvpn_auth_digest: "SHA1"
+openvpn_path: "/etc/openvpn"
+openvpn_ca: "{{ openvpn_path }}/ca"
+openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
+openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
+openvpn_clients:
+  - laptop
+  - phone
+  - tablet
 
 # # webmail
 # webmail_domain: TODO.com

vars/user.yml

@@ -55,14 +55,23 @@
 # tarsnap_version: 1.0.35
 
 # # vpn
-# openvpn_key_country: TODO
-# openvpn_key_province: TODO
-# openvpn_key_city: TODO
-# openvpn_key_org: TODO
-# openvpn_key_email: TODO
-# openvpn_key_ou: TODO
-# openvpn_key_cn: TODO
-# openvpn_key_name: TODO
+# openvpn_key_country:  "US"
+# openvpn_key_province: "California"
+# openvpn_key_city: "Beverly Hills"
+# openvpn_key_org: "ACME CORPORATION"
+# openvpn_key_ou: "Anvil Department"
+# openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
+# openvpn_key_size: "2048"
+# openvpn_cipher: "BF-CBC"
+# openvpn_auth_digest: "SHA1"
+# openvpn_path: "/etc/openvpn"
+# openvpn_ca: "{{ openvpn_path }}/ca"
+# openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
+# openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
+# openvpn_clients:
+#   - laptop
+#   - phone
+#   - tablet
 
 # # webmail
 # webmail_domain: TODO.com