Updated the OpenVPN role so certificate expiration is handled
correctly. The number of days that a certificate will be considered
valid is now a user-controlled variable and is set to five years by
default. (Fixes Issue #87)
* Add an openvpn_server variable
* Move ${openvpn_client}.{key,csr,crt} to
${openvpn_client}/client.{key,csr,crt}
* Generate ${openvpn_client}/${openvpn_server}.ovpn config file
* Copy over a self contained directory of file per client that can be
imported by networkmanager in ubuntu or run directly with `sudo
openvpn ${openvpn_server}.ovpn
Scripts used to rotate tarsnap backups exit when a command fails
Cron will catch that return code is not zero and will send message to root
No more silent failure
* OpenVPN setup is now fully automated. No configuration changes
are necessary (though the defaults can easily be modified) and
all manual command line steps have been eliminated.
* Removed the dependency on easy-rsa in favor of pure OpenSSL and
OpenVPN commands that are executed by Ansible
* Improved the security of the OpenVPN configuration
* Increased the default key size to 2048
* RSA keys are only readable by root
* The cipher and authentication digest are now configurable. If
your client supports it, you can use AES-256-CBC and SHA256
instead of BF-CBC (Blowfish) and SHA1 which are the defaults.
Or you can be a really cool, paranoid, crypto hipster and
use CAMELLIA-256-CBC and SHA512 with an RSA key size of 4096.
* Enabled "HMAC firewall" functionality using the tls-auth option
and automated the generation of the 'ta' key that it depends on
* The OpenVPN daemon becomes an unprivileged user after it starts
* Automated the retrieval of the files that clients will need in
order to connect to OpenVPN
* A pause prompt outputs basic configuration information after the
role has finished running
* Variables are referenced using the new Ansible variable format
(e.g. {{ var }} instead of $var)
* Added a flush_handlers command to the role that ensures OpenVPN
will restart prior to dnsmasq (fixes issue #63)
* Fixed two bugs that were preventing packet forwarding for IPv4
from being enabled correctly
Instead of sending email to {{ admin_email }} we send them to root user.
These emails will be redirected to the appropriate user via
mail_virtual_aliases variables