Ei kuvausta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

openvpn.yml 6.3KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167
  1. ---
  2. # Installs the OpenVPN virtual private network server.
  3. # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
  4. - name: Install OpenVPN and dependencies from apt
  5. apt: pkg={{ item }} state=installed
  6. with_items:
  7. - dnsmasq
  8. - openvpn
  9. - udev
  10. - name: Generate RSA keys for the CA and Server
  11. command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
  12. chdir={{ openvpn_path }}
  13. creates={{ item }}.key
  14. with_items:
  15. - ca
  16. - server
  17. - name: Create directories for clients
  18. file: path={{ openvpn_path}}/{{ item }} state=directory
  19. with_items: openvpn_clients
  20. - name: Generate RSA keys for the clients
  21. command: openssl genrsa -out client.key {{ openvpn_key_size }}
  22. chdir={{ openvpn_path }}/{{ item }}
  23. creates=client.key
  24. with_items: openvpn_clients
  25. - name: Set the proper permissions on all RSA keys
  26. file: path={{ openvpn_path }}
  27. recurse=yes
  28. state=directory
  29. owner=root
  30. group=root
  31. mode=600
  32. - name: Generate CA certificate
  33. command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=ca-certificate"
  34. creates={{ openvpn_ca }}.crt
  35. - name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
  36. # Properly sets the attributes that are described here:
  37. # openvpn.net/index.php/open-source/documentation/howto.html#mitm
  38. #
  39. # This is required in order for the 'ns-cert-type server' option to
  40. # work, which is enabled by default in most standard client.conf
  41. # files.
  42. template: src=openssl-server-certificate.cnf.j2
  43. dest={{ openvpn_path }}/openssl-server-certificate.cnf
  44. - name: Seed a blank database file that will be used when generating the Server's certificate
  45. file: path={{ openvpn_path }}/index.txt
  46. state=touch
  47. - name: Seed a serial file that will be used when generating the Server's certificate
  48. copy: content="01"
  49. dest={{ openvpn_path }}/serial
  50. - name: Generate CSR for the Server
  51. command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ openvpn_path }}/openssl-server-certificate.cnf
  52. chdir={{ openvpn_path }}
  53. creates=server.csr
  54. - name: Generate certificate for the Server
  55. command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl-server-certificate.cnf
  56. chdir={{ openvpn_path }}
  57. creates=server.crt
  58. - name: Generate CSRs for the clients
  59. command: openssl req -new -key client.key -out client.csr -subj "{{ openssl_request_subject }}/CN={{ item }}"
  60. chdir={{ openvpn_path }}/{{ item }}
  61. creates=client.csr
  62. with_items: openvpn_clients
  63. - name: Generate certificates for the clients
  64. command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -days {{ openvpn_days_valid }} -in client.csr -out client.crt
  65. chdir={{ openvpn_path }}/{{ item }}
  66. creates=client.crt
  67. with_items: openvpn_clients
  68. - name: Generate HMAC firewall key
  69. command: openvpn --genkey --secret {{ openvpn_hmac_firewall }}
  70. creates={{ openvpn_hmac_firewall }}
  71. - name: Register CA certificate contents
  72. command: cat ca.crt
  73. chdir={{ openvpn_path }}
  74. register: openvpn_ca_contents
  75. - name: Register client certificate contents
  76. command: cat client.crt
  77. chdir={{ openvpn_path }}/{{ item }}
  78. with_items: openvpn_clients
  79. register: openvpn_client_certificates
  80. - name: Register client key contents
  81. command: cat client.key
  82. chdir={{ openvpn_path }}/{{ item }}
  83. with_items: openvpn_clients
  84. register: openvpn_client_keys
  85. - name: Register HMAC firewall contents
  86. command: cat ta.key
  87. chdir={{ openvpn_path }}
  88. register: openvpn_hmac_firewall_contents
  89. - name: Create the client configs
  90. template: src=client.cnf.j2
  91. dest={{ openvpn_path }}/{{ item[0] }}/{{ openvpn_server }}.ovpn
  92. with_together:
  93. - openvpn_clients
  94. - openvpn_client_certificates.results
  95. - openvpn_client_keys.results
  96. - name: Generate Diffie-Hellman parameters (this will take a while)
  97. command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
  98. creates={{ openvpn_dhparam }}
  99. - name: Copy rc.local with firewall and dnsmasq rules into place
  100. template: src=etc_rc.local dest=/etc/rc.local
  101. - name: Enable IPv4 traffic forwarding
  102. sysctl: name=net.ipv4.ip_forward value=1
  103. - name: Allow OpenVPN through the firewall
  104. command: "{{ item }}"
  105. with_items:
  106. - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  107. - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
  108. - iptables -A FORWARD -j REJECT
  109. - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
  110. - name: Allow OpenVPN through ufw
  111. ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
  112. - name: Copy OpenVPN configuration file into place
  113. template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
  114. notify: restart openvpn
  115. # OpenVPN must restart first so the 10.8.0.0 interface is available
  116. # to dnsmasq
  117. - meta: flush_handlers
  118. - name: Copy dnsmasq configuration file into place
  119. copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
  120. notify: restart dnsmasq
  121. - name: Copy OpenVPN PAM configuration file into place
  122. copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
  123. notify: restart openvpn
  124. - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
  125. command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
  126. with_nested:
  127. - openvpn_clients
  128. - ["ca.crt", "ta.key"]
  129. - name: Retrieve the files that clients will need in order to connect to the OpenVPN server
  130. fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
  131. dest=/tmp/sovereign-openvpn-files
  132. with_nested:
  133. - openvpn_clients
  134. - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
  135. - pause: seconds=5
  136. prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."