  1. ---
  2. # Installs the OpenVPN virtual private network server.
  3. # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
  4. - name: Install OpenVPN and dependencies
  5. apt:
  6. name: "{{ packages }}"
  7. state: present
  8. vars:
  9. packages:
  10. - dnsmasq
  11. - openvpn
  12. - udev
  13. tags:
  14. - dependencies
  15. - name: Generate RSA keys for the CA and Server
  16. command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
  17. chdir={{ openvpn_path }}
  18. creates={{ item }}.key
  19. with_items:
  20. - ca
  21. - server
  22. - name: Create directories for clients
  23. file: path={{ openvpn_path}}/{{ item }} state=directory
  24. with_items: "{{ openvpn_clients }}"
  25. - name: Generate RSA keys for the clients
  26. command: openssl genrsa -out client.key {{ openvpn_key_size }}
  27. chdir={{ openvpn_path }}/{{ item }}
  28. creates=client.key
  29. with_items: "{{ openvpn_clients }}"
  30. - name: Set the proper permissions on all RSA keys
  31. file: path={{ openvpn_path }}
  32. recurse=yes
  33. state=directory
  34. owner=root
  35. group=root
  36. mode=0600
  37. - name: Generate CA certificate
  38. command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=sovereign-ca-certificate"
  39. creates={{ openvpn_ca }}.crt
  40. # Properly sets the attributes that are described here:
  41. # openvpn.net/index.php/open-source/documentation/howto.html#mitm
  42. #
  43. # This is required in order for the 'ns-cert-type server' option to
  44. # work, which is enabled by default in most standard client.conf
  45. # files.
  46. - name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
  47. template: src=openssl-server-certificate.cnf.j2
  48. dest={{ openvpn_path }}/openssl-server-certificate.cnf
  49. - name: Seed a blank database file that will be used when generating the Server's certificate
  50. file: path={{ openvpn_path }}/index.txt
  51. state=touch
  52. - name: Seed a serial file that will be used when generating the Server's certificate
  53. copy: content="01"
  54. dest={{ openvpn_path }}/serial
  55. - name: Generate CSR for the Server
  56. command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ openvpn_path }}/openssl-server-certificate.cnf
  57. chdir={{ openvpn_path }}
  58. creates=server.csr
  59. - name: Generate certificate for the Server
  60. command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl-server-certificate.cnf
  61. chdir={{ openvpn_path }}
  62. creates=server.crt
  63. - name: Generate CSRs for the clients
  64. command: openssl req -new -key client.key -out client.csr -subj "{{ openssl_request_subject }}/CN={{ item }}"
  65. chdir={{ openvpn_path }}/{{ item }}
  66. creates=client.csr
  67. with_items: "{{ openvpn_clients }}"
  68. - name: Generate certificates for the clients
  69. command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -days {{ openvpn_days_valid }} -in client.csr -out client.crt
  70. chdir={{ openvpn_path }}/{{ item }}
  71. creates=client.crt
  72. with_items: "{{ openvpn_clients }}"
  73. - name: Generate HMAC firewall key
  74. command: openvpn --genkey --secret {{ openvpn_hmac_firewall }}
  75. creates={{ openvpn_hmac_firewall }}
  76. - name: Register CA certificate contents
  77. command: cat ca.crt
  78. chdir={{ openvpn_path }}
  79. register: openvpn_ca_contents
  80. - name: Register client certificate contents
  81. command: cat client.crt
  82. chdir={{ openvpn_path }}/{{ item }}
  83. with_items: "{{ openvpn_clients }}"
  84. register: openvpn_client_certificates
  85. - name: Register client key contents
  86. command: cat client.key
  87. chdir={{ openvpn_path }}/{{ item }}
  88. with_items: "{{ openvpn_clients }}"
  89. register: openvpn_client_keys
  90. - name: Register HMAC firewall contents
  91. command: cat ta.key
  92. chdir={{ openvpn_path }}
  93. register: openvpn_hmac_firewall_contents
  94. - name: Create the client configs
  95. template: src=client.cnf.j2
  96. dest={{ openvpn_path }}/{{ item[0] }}/{{ openvpn_server }}.ovpn
  97. with_together:
  98. - "{{ openvpn_clients }}"
  99. - "{{ openvpn_client_certificates.results }}"
  100. - "{{ openvpn_client_keys.results }}"
  101. - name: Generate Diffie-Hellman parameters (this will take a while)
  102. command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
  103. creates={{ openvpn_dhparam }}
  104. - name: Add empty rc.local if it doesn't exist
  105. copy: src=rc.local dest=/etc/rc.local mode=0700 owner=root group=root force=no
  106. - name: custom rc.local file with iptables rules
  107. template: src=rc.local_ansible_openvpn dest=/etc/rc.local_ansible_openvpn mode=0700 owner=root group=root
  108. - name: Ensure custom rc.local file is included in rc.local
  109. lineinfile: dest=/etc/rc.local line='bash /etc/rc.local_ansible_openvpn' insertbefore='exit 0'
  110. - name: Run custom rc file
  111. command: bash /etc/rc.local_ansible_openvpn
  112. changed_when: False
  113. - name: Enable IPv4 traffic forwarding
  114. sysctl: name=net.ipv4.ip_forward value=1
  115. - name: Allow OpenVPN through ufw
  116. ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
  117. tags: ufw
  118. - name: Copy OpenVPN configuration file into place
  119. template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
  120. notify: restart openvpn
  121. - name: Create client specific config directory
  122. file: state=directory path=/etc/openvpn/ccd owner=root group=root
  123. when: openvpn_enable_sub_routing == 1
  124. - name: Copy OpenVPN configuration file into place
  125. template: src=etc_openvpn_ccd_{{ openvpn_sub_routing_client }}.j2 dest=/etc/openvpn/ccd/{{ openvpn_sub_routing_client }} owner=root group=root mode=0666
  126. notify: restart openvpn
  127. when: openvpn_enable_sub_routing == 1
  128. - name: Enable OpenVPN server systemd service unit
  129. service: name=openvpn@server enabled=yes
  130. # OpenVPN must restart first so the VPN interface is available
  131. # to dnsmasq
  132. - meta: flush_handlers
  133. - name: Copy dnsmasq configuration file into place
  134. template: src=etc_dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
  135. notify: restart dnsmasq
  136. - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
  137. command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
  138. tags:
  139. - skip_ansible_lint
  140. with_nested:
  141. - "{{ openvpn_clients }}"
  142. - ["ca.crt", "ta.key"]
  143. - name: Retrieve the files that clients will need in order to connect to the OpenVPN server
  144. fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
  145. dest="{{ secret }}/sovereign-openvpn-files"
  146. fail_on_missing=yes
  147. with_nested:
  148. - "{{ openvpn_clients }}"
  149. - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]