leap_platform.git/puppet/modules/site_openvpn/manifests, branch 0.6.0rc1 [leap_platform] Make sure openvpn is restarted when cert/key change (#6405) 2014-11-20T20:31:27+00:00 Micah Anderson micah@leap.se 2014-11-20T20:31:27+00:00 dff949811324215278ab7e4c2db5de63d8a6218b I reformatted the section below for consistency. Change-Id: I18f5e23850e0c1ab4b1f2ee467d5af54ae9ff303 
I reformatted the section below for consistency.

Change-Id: I18f5e23850e0c1ab4b1f2ee467d5af54ae9ff303
openvpn - support customizing --fragment, and set default to 1400 2014-11-11T04:43:24+00:00 elijah elijah@riseup.net 2014-11-11T04:43:24+00:00 b9d2030beb890e8dccbbe42bfcc430a2c2702a92 






fix unbound: configs in /etc/unbound/unbound.conf.d contained a syntax error and were missing .conf suffix
2014-06-02T18:03:56+00:00

elijah
elijah@riseup.net

2014-06-02T18:03:56+00:00

09916946f8eb0ab17689255fd626a52ef1808e6a












Implement #2328: unbound.conf: content changed on every puppetrun
2014-05-22T19:50:02+00:00

Micah Anderson
micah@leap.se

2014-05-22T19:21:06+00:00

a622e49c5df2150049afb6f6ed47177537b7e6da

This is done by using the include glob capability that is in the
wheezy-backports and newer unbound to include the
/etc/unbound/unbound.conf.d/* config files.

To do this, we need to transition from our /etc/unbound/conf.d directory
structure to use the one that the debian package uses.

This allows us to clean up the rather ugly way we were configuring the
resolver before.

Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c





This is done by using the include glob capability that is in the
wheezy-backports and newer unbound to include the
/etc/unbound/unbound.conf.d/* config files.

To do this, we need to transition from our /etc/unbound/conf.d directory
structure to use the one that the debian package uses.

This allows us to clean up the rather ugly way we were configuring the
resolver before.

Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c







openvpn server config: script-security should be "1", since we don't need "2"; add tcp-nodelay to tcp servers.
2014-05-13T09:22:05+00:00

elijah
elijah@riseup.net

2014-05-13T09:22:05+00:00

3ef044034b51d992d6952a9c6b9d16cba16abc30












openvpn package resource needs to be ensure => latest to accommodate upgrades
2014-05-07T17:32:00+00:00

Micah Anderson
micah@leap.se

2014-05-07T17:32:00+00:00

a980840e5752296c772ec079bbfc0ecb2c3d331f

Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14





Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14







set the ipv6 configuration options on the server
2014-05-06T20:33:02+00:00

Micah Anderson
micah@leap.se

2014-05-06T20:33:02+00:00

0265eb952691ee91405201836e19384ac2087507

some important things to note:

We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.

When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.

Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5





some important things to note:

We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.

When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.

Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5







install openvpn from wheezy-backports, this will bring in openvpn 2.3,
2014-05-06T20:32:28+00:00

Micah Anderson
micah@leap.se

2014-05-06T20:32:28+00:00

f63f302980d638633f0bdb1146f9d8a75e9eaed2

which will provide us with proper ipv6 support

Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07





which will provide us with proper ipv6 support

Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07







make sure concat fragments are put together before the openvpn service
2014-04-24T16:05:11+00:00

Micah Anderson
micah@leap.se

2014-04-24T16:05:11+00:00

b5245481bbc1fddfd1b8e6d97e8a07a20d35de6b

is run, otherwise the openvpn service is restarted before config files
are deployed (#4154)

Change-Id: Ide38615714c1978bb90237986baea530c54153c3





is run, otherwise the openvpn service is restarted before config files
are deployed (#4154)

Change-Id: Ide38615714c1978bb90237986baea530c54153c3







update indentation to be standard
2014-04-24T16:04:20+00:00

Micah Anderson
micah@leap.se

2014-04-24T16:04:20+00:00

98227ad8da45544ef97cb8647c377f399672a4a0

Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c





Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c