authorelijah <elijah@riseup.net>2013-03-17 13:15:51 -0700
committerelijah <elijah@riseup.net>2013-03-17 13:15:51 -0700
commitad62cfdad04c8f8ed9d6454f716c92e850ac53ba (patch)
treec4321297d2b60edc37ca10501340cb865d95bfa5
parent4ec32a1f773918b2c7a42c117fbad110c07df458 (diff)
added support for "limited" service levels (although vpn is not yet actually rate limited).
-rw-r--r--provider_base/files/service-definitions/eip-service.json.erb40
-rw-r--r--provider_base/files/service-definitions/provider.json.erb2
-rw-r--r--provider_base/provider.json29
-rw-r--r--provider_base/services/openvpn.json12
-rw-r--r--provider_base/services/webapp.json4
-rw-r--r--provider_base/test/openvpn/client.ovpn.erb6
-rw-r--r--puppet/modules/site_openvpn/README20
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp150
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp90
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp9
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb (renamed from puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb)6
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp40
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp61
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb13
14 files changed, 301 insertions, 181 deletions
diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb
index 09b65bbb..ca42bef5 100644
--- a/provider_base/files/service-definitions/eip-service.json.erb
+++ b/provider_base/files/service-definitions/eip-service.json.erb
@@ -6,41 +6,39 @@
words
end
- def gateway_definition(node)
+ def add_gateway(node, locations, options={})
+ return nil if options[:ip] == 'REQUIRED'
gateway = {}
gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns)
gateway["capabilities"]["transport"] = ["openvpn"]
gateway["host"] = node.domain.full
- gateway["cluster"] = underscore(node.openvpn.location)
+ gateway["ip_address"] = options[:ip]
+ gateway["capabilities"]["limited"] = options[:limited]
+ if node.location
+ location_name = underscore(node.location.name)
+ gateway["location"] = location_name
+ locations[location_name] ||= node.location
+ end
gateway
end
hsh = {}
hsh["serial"] = 1
hsh["version"] = 1
- clusters = {}
+ locations = {}
gateways = []
nodes_like_me[:services => 'openvpn'].each_node do |node|
- if node.openvpn.gateway_address
- gateway = gateway_definition(node)
- gateway["ip_address"] = node.openvpn.gateway_address
- gateway["capabilities"]["free"] = false
- gateways << gateway
- end
- if node.openvpn.free_gateway_address && node.openvpn.free_gateway_address != "REQUIRED"
- gateway = gateway_definition(node)
- gateway["ip_address"] = node.openvpn.free_gateway_address
- gateway["capabilities"]["free"] = true
- gateway["capabilities"]["rate_limit"] = node.openvpn.free_rate_limit
- gateways << gateway
+ if node.openvpn.allow_limited && node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true)
+ elsif node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ elsif node.openvpn.allow_limited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
end
- clusters[gateway["cluster"]] ||= {
- "name" => gateway["cluster"],
- "label" => {"en" => node.openvpn.location}
- }
end
- hsh["gateways"] = gateways
- hsh["clusters"] = clusters.values
+ hsh["gateways"] = gateways.compact
+ hsh["locations"] = locations
hsh["openvpn_configuration"] = {
"tls-cipher" => "DHE-RSA-AES128-SHA",
"auth" => "SHA1",
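Review bot: `add_gateway` drops a gateway silently when `options[:ip] == 'REQUIRED'`, and a nil address (possible if a node overrides `second_gateway_address` to null) would still be emitted as `"ip_address": null` and picked up by clients; a single guard covers both cases: `return nil if options[:ip].nil? || options[:ip] == 'REQUIRED'`. It is also worth a comment on the `"limited"` capability line that the flag is advertised to clients before any bandwidth limit is enforced on the gateway (the commit message says so, the template does not), e.g. `# 'limited' is advertised only; the shaper option is not applied yet`. The `add_gateway` name suggests it appends to `gateways`, but it returns the hash and the caller does the `<<`; `gateway_definition`-style naming (`build_gateway`) would read more honestly.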
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 2ca34548..54919898 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -4,7 +4,7 @@
# grab some fields from provider.json
hsh = global.provider.pick(
:languages, :description, :name,
- :enrollment_policy, :default_language, :domain
+ :enrollment_policy, :default_language, :domain, :service
)
# advertise services that are 'user services'
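Review bot: Adding `:service` to `pick` publishes the entire `service` hash from provider.json in the public provider definition, including every derived `allow_*` flag and `bandwidth_limit`, and any key a provider later adds under `service` becomes public automatically. If only the level list is meant for clients, pick it explicitly instead of the whole subtree, or add a comment above the `pick` call recording that everything under `service` is intentionally public, e.g. `# 'service' is published verbatim: keep only client-facing keys under it in provider.json`.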
diff --git a/provider_base/provider.json b/provider_base/provider.json
index 14eabdc2..cf1baac6 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -13,21 +13,31 @@
"languages": ["en"],
"default_language": "en",
"enrollment_policy": "open",
- "service_levels": [
- {"name": "free", "bandwidth":102400, "storage":50},
- {"name": "basic", "bandwidth":null, "storage":1000},
- {"name": "premium", "bandwidth":null, "storage":10000}
- ],
- "service_allow_free": false,
+ "service": {
+ "levels": [
+ // bandwidth limit is in Bytes, storage limit is in MB.
+ {"id": 1, "name": "free", "bandwidth":"limited", "storage":50},
+ {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]},
+ {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]}
+ ],
+ "default_service_level": 1,
+ "bandwidth_limit": 102400,
+ "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?",
+ "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?",
+ "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
+ "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
+ "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
+ "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
+ },
"ca": {
"name": "= global.provider.ca.organization + ' Root CA'",
"organization": "= global.provider.name[global.provider.default_language]",
- "organizational_unit": "= 'https://' + global.common.domain.full_suffix",
+ "organizational_unit": "= 'https://' + global.provider.domain",
"bit_size": 4096,
"digest": "SHA256",
"life_span": "10y",
"server_certificates": {
- "bit_size": 3248,
+ "bit_size": 2024,
"digest": "SHA256",
"life_span": "1y"
},
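Review bot: `"bit_size": 2024` for `server_certificates` is not a standard RSA modulus size; the previous value 3248 was not either, so this looks like a typo for 2048 (the `client_certificates` block in the next hunk carries the same 2024). If 2024 is intentional, the reason should be recorded next to it; otherwise change the line to `"bit_size": 2048,`. The `// bandwidth limit is in Bytes ...` comment inside the `levels` array is not valid JSON and only works if the project's loader strips comments — confirm that before relying on it. Note also that `allow_anonymous` and `allow_registration` key off the level name being the literal string `'anonymous'`, so a renamed or translated level silently changes what the webapp permits.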
@@ -35,7 +45,8 @@
"bit_size": 2024,
"digest": "SHA256",
"life_span": "2m",
- "free_prefix": "FREE"
+ "limited_prefix": "LIMITED",
+ "unlimited_prefix": "UNLIMITED"
}
},
"hiera_sync_destination": "/etc/leap"
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index e78a02ac..5d77f946 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -5,17 +5,19 @@
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'"
},
+ "location": null,
"openvpn": {
- "location": "Location Unknown",
"gateway_address": "REQUIRED",
- "free_gateway_address": "= openvpn.allow_free ? 'REQUIRED' : nil",
+ "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil",
"ports": ["80", "443", "53", "1194"],
"protocols": ["tcp", "udp"],
"filter_dns": false,
"adblock": false,
"user_ips": false,
- "allow_free": "= global.provider.service_allow_free",
- "free_prefix": "= global.provider.ca.client_certificates.free_prefix",
- "free_rate_limit": "= openvpn.allow_free ? global.provider.service_levels.detect{|level| level['name'] == 'free'}['bandwidth'] : nil"
+ "allow_limited": "= global.provider.service.allow_limited_bandwidth",
+ "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth",
+ "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix",
+ "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix",
+ "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil"
}
}
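Review bot: `"rate_limit"` is still computed from `global.provider.service.bandwidth_limit`, but this commit removes the `shaper` option from `site_openvpn::server_config`, so nothing in the tree consumes the value any more and the limited gateways run without a bandwidth cap. Either drop the key until the shaper is reinstated or record the gap where the value is defined; since this file cannot carry comments safely, a note in the README added by this commit (`rate_limit is read into $openvpn_rate_limit but not yet applied`) would do. `second_gateway_address` is `REQUIRED` only when both `allow_limited` and `allow_unlimited` hold, which matches the three-mode logic in init.pp.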
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 5e7260a6..477d5f17 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -10,7 +10,9 @@
"head_scss": "= file_path 'branding/head.scss'",
"img_dir": "= file_path 'branding/img'",
"client_certificates": "= global.provider.ca.client_certificates",
- "allow_free": "= global.provider.service_allow_free"
+ "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
+ "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth",
+ "allow_anonymous_certs": "= global.provider.service.allow_anonymous"
},
"definition_files": {
"provider": "= file :provider_json_template",
diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb
index a0bdd307..af183ef4 100644
--- a/provider_base/test/openvpn/client.ovpn.erb
+++ b/provider_base/test/openvpn/client.ovpn.erb
@@ -18,9 +18,11 @@ tls-cipher DHE-RSA-AES128-SHA
</ca>
<cert>
-<%= read_file! :test_client_cert -%>
+<%# read_file! :test_client_cert -%>
+<%= cert -%>
</cert>
<key>
-<%= read_file! :test_client_key -%>
+<%# read_file! :test_client_key -%>
+<%= key -%>
</key>
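Review bot: The two `<%# read_file! :test_client_cert -%>` / `<%# read_file! :test_client_key -%>` lines are commented-out template code left next to their replacements and should be deleted rather than kept as ERB comments. Where the new `cert` and `key` bindings come from is not visible in this hunk; a one-line ERB comment naming the caller that supplies them (`<%# cert/key are passed in by the test runner -%>`) would save the next reader a search.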
diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
@@ -0,0 +1,20 @@
+Place to look when debugging problems
+========================================
+
+Log files:
+
+ openvpn: /var/log/syslog
+ shorewall: /var/log/syslog
+ shorewall startup: /var/log/shorewall-init.log
+
+Check NAT masq:
+
+ iptables -t nat --list-rules
+
+Check interfaces:
+
+ ip addr ls
+
+Scripts:
+
+ /usr/local/bin/add_gateway_ips.sh \ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 0c9f1795..c54bb782 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,84 +1,128 @@
+#
+# An openvpn gateway can support three modes:
+#
+# (1) limited and unlimited
+# (2) unlimited only
+# (3) limited only
+#
+# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix',
+# and 'limited' gateways only allow certs that match the 'limited_prefix'.
+#
+# We potentially create four openvpn config files (thus four daemons):
+#
+# (1) unlimited + tcp => tcp_config.conf
+# (2) unlimited + udp => udp_config.conf
+# (3) limited + tcp => limited_tcp_config.conf
+# (4) limited + udp => limited_udp_config.conf
+#
+
class site_openvpn {
tag 'leap_service'
- # parse hiera config
- $ip_address = hiera('ip_address')
- $interface = getvar("interface_${ip_address}")
- $openvpn_config = hiera('openvpn')
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- $openvpn_tcp_network_prefix = '10.1.0'
- $openvpn_tcp_netmask = '255.255.248.0'
- $openvpn_tcp_cidr = '21'
- $openvpn_udp_network_prefix = '10.2.0'
- $openvpn_udp_netmask = '255.255.248.0'
- $openvpn_udp_cidr = '21'
- $openvpn_allow_free = $openvpn_config['allow_free']
- $openvpn_free_gateway_address = $openvpn_config['free_gateway_address']
- $openvpn_free_rate_limit = $openvpn_config['free_rate_limit']
- $openvpn_free_prefix = $openvpn_config['free_prefix']
- $x509_config = hiera('x509')
+ $openvpn_config = hiera('openvpn')
+ $x509_config = hiera('x509')
+ $ip_address = hiera('ip_address')
+ $interface = getvar("interface_${ip_address}")
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_second_gateway_address = undef
+ if $openvpn_config['second_gateway_address'] {
+ $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+ }
+
+ $openvpn_allow_unlimited = $openvpn_config['allow_unlimited']
+ $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix']
+ $openvpn_unlimited_tcp_network_prefix = '10.41.0'
+ $openvpn_unlimited_tcp_netmask = '255.255.248.0'
+ $openvpn_unlimited_tcp_cidr = '21'
+ $openvpn_unlimited_udp_network_prefix = '10.42.0'
+ $openvpn_unlimited_udp_netmask = '255.255.248.0'
+ $openvpn_unlimited_udp_cidr = '21'
+
+ $openvpn_allow_limited = $openvpn_config['allow_limited']
+ $openvpn_limited_prefix = $openvpn_config['limited_prefix']
+ $openvpn_rate_limit = $openvpn_config['rate_limit']
+ $openvpn_limited_tcp_network_prefix = '10.43.0'
+ $openvpn_limited_tcp_netmask = '255.255.248.0'
+ $openvpn_limited_tcp_cidr = '21'
+ $openvpn_limited_udp_network_prefix = '10.44.0'
+ $openvpn_limited_udp_netmask = '255.255.248.0'
+ $openvpn_limited_udp_cidr = '21'
# deploy ca + server keys
include site_openvpn::keys
- # create 2 openvpn config files, one for tcp, one for udp
- site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $openvpn_gateway_address,
- server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000'
+ if $openvpn_allow_unlimited and $openvpn_allow_limited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = $openvpn_second_gateway_address
+ } elsif $openvpn_allow_unlimited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = undef
+ } elsif $openvpn_allow_limited {
+ $unlimited_gateway_address = undef
+ $limited_gateway_address = $openvpn_gateway_address
}
- site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- local => $openvpn_gateway_address,
- server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001'
+ if $openvpn_allow_unlimited {
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1001'
+ }
+ } else {
+ tidy { "/etc/openvpn/tcp_config.conf": }
+ tidy { "/etc/openvpn/udp_config.conf": }
}
- if $openvpn_allow_free {
- site_openvpn::server_config { 'free_tcp_config':
+ if $openvpn_allow_limited {
+ site_openvpn::server_config { 'limited_tcp_config':
port => '1194',
proto => 'tcp',
- local => $openvpn_free_gateway_address,
- tls_remote => "\"${openvpn_free_prefix}\"",
- shaper => $openvpn_free_rate_limit,
- server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
management => '127.0.0.1 1002'
}
- site_openvpn::server_config { 'free_udp_config':
+ site_openvpn::server_config { 'limited_udp_config':
port => '1194',
proto => 'udp',
- local => $openvpn_free_gateway_address,
- tls_remote => "\"${openvpn_free_prefix}\"",
- shaper => $openvpn_free_rate_limit,
- server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
management => '127.0.0.1 1003'
}
} else {
- tidy { "/etc/openvpn/free_tcp_config.conf": }
- tidy { "/etc/openvpn/free_udp_config.conf": }
+ tidy { "/etc/openvpn/limited_tcp_config.conf": }
+ tidy { "/etc/openvpn/limited_udp_config.conf": }
}
- # add second IP on given interface
file {
- '/usr/local/bin/leap_add_second_ip.sh':
- content => template('site_openvpn/leap_add_second_ip.sh.erb'),
+ '/usr/local/bin/add_gateway_ips.sh':
+ content => template('site_openvpn/add_gateway_ips.sh.erb'),
mode => '0755';
}
- exec { '/usr/local/bin/leap_add_second_ip.sh':
- subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ exec { '/usr/local/bin/add_gateway_ips.sh':
+ subscribe => File['/usr/local/bin/add_gateway_ips.sh'],
}
- cron { 'leap_add_second_ip.sh':
- command => '/usr/local/bin/leap_add_second_ip.sh',
+ cron { 'add_gateway_ips.sh':
+ command => '/usr/local/bin/add_gateway_ips.sh',
user => 'root',
special => 'reboot',
}
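Review bot: `$openvpn_rate_limit` is read from the config but never used in this hunk, and because the same commit drops the `shaper` parameter from `server_config`, the 'limited' daemons differ from the 'unlimited' ones only by `tls_remote`; a comment on that line, `# read but not applied yet: shaper support was removed, limited gateways are unthrottled`, would stop a reader assuming the cap exists. The header comment should also state the mechanism behind the cert split: OpenVPN's `tls-remote` matches the client CN by prefix, so the separation holds only while neither `limited_prefix` nor `unlimited_prefix` is a prefix of the other (`LIMITED`/`UNLIMITED` is fine, but this is an invariant on provider.json, not on this class). If the target OpenVPN is 2.3 or later, `tls-remote` is deprecated in favour of `verify-x509-name`, which is worth noting in the same comment. The class body continues past the end of the hunk.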
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 26785edb..dc31767c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,53 @@
class site_openvpn::resolver {
+ if $site_openvpn::openvpn_allow_unlimited {
+ $ensure_unlimited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_unlimited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ }
+
+ if $site_openvpn::openvpn_allow_limited {
+ $ensure_limited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_limited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ }
+
# this is an unfortunate way to get around the fact that the version of
# unbound we are working with does not accept a wildcard include directive
# (/etc/unbound/conf.d/*), when it does, these line definitions should
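Review bot: The four `file` stanzas in this hunk are identical apart from the network prefix and cidr they interpolate, and the second hunk repeats the same pattern four more times for the `line` resources; a small define taking the prefix and cidr would make the unlimited/limited pair one call each and keep the `access-control` line in a single place where it can be reviewed. The sketch below replaces the `file` stanzas; the `tidy` resources in the `else` branches become `ensure => 'absent'` on the same define.

```puppet
define site_openvpn::resolver_config($network_prefix, $cidr, $ensure = 'present') {
  file { "/etc/unbound/conf.d/${name}":
    ensure  => $ensure,
    content => "interface: ${network_prefix}.1\naccess-control: ${network_prefix}.0/${cidr} allow\n",
    owner   => root,
    group   => root,
    mode    => '0644',
    require => Service['openvpn'],
    notify  => Service['unbound'],
  }
}

# … in site_openvpn::resolver, replacing the first `file { … }` block:
site_openvpn::resolver_config {
  'vpn_unlimited_udp_resolver':
    ensure         => $ensure_unlimited,
    network_prefix => $site_openvpn::openvpn_unlimited_udp_network_prefix,
    cidr           => $site_openvpn::openvpn_unlimited_udp_cidr;
  'vpn_unlimited_tcp_resolver':
    ensure         => $ensure_unlimited,
    network_prefix => $site_openvpn::openvpn_unlimited_tcp_network_prefix,
    cidr           => $site_openvpn::openvpn_unlimited_tcp_cidr;
}
# … unchanged: limited pair, same shape with $ensure_limited …
```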
@@ -7,36 +55,30 @@ class site_openvpn::resolver {
# include: /etc/unbound/conf.d/*
line {
- 'add_tcp_resolver':
- ensure => present,
+ 'add_unlimited_tcp_resolver':
+ ensure => $ensure_unlimited,
file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
notify => Service['unbound'],
require => Package['unbound'];
-
- 'add_udp_resolver':
- ensure => present,
+ 'add_unlimited_udp_resolver':
+ ensure => $ensure_unlimited,
file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_tcp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_udp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
notify => Service['unbound'],
require => Package['unbound']
}
- file {
- '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
- owner => root,
- group => root,
- mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
-
- '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
- owner => root,
- group => root,
- mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
- }
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 1f42400a..a2e769e1 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@
define site_openvpn::server_config(
$port, $proto, $local, $server, $push,
- $management, $tls_remote = undef, $shaper = undef) {
+ $management, $tls_remote = undef) {
$openvpn_configname = $name
@@ -68,13 +68,8 @@ define site_openvpn::server_config(
notify => Service['openvpn'];
}
- # special options for the "free" gateway daemons
- if $shaper != undef {
+ if $tls_remote != undef {
openvpn::option {
- "shaper $openvpn_configname":
- key => 'shaper',
- value => $shaper,
- server => $openvpn_configname;
"tls-remote $openvpn_configname":
key => 'tls-remote',
value => $tls_remote,
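Review bot: The removed comment `# special options for the "free" gateway daemons` is not replaced, so the `if $tls_remote != undef` block no longer says what the option is for; since this is now the only thing that keeps limited and unlimited clients apart, propose `# restrict this daemon to client certs whose CN starts with tls_remote (openvpn matches the name as a prefix)`. Callers in init.pp always pass `tls_remote`, so the undef branch (a daemon accepting any CA-signed client cert) is dead for this tree, which the comment could also mention. The define continues outside both hunks.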
diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index 40866116..ed06a95e 100644
--- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -3,9 +3,9 @@
ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 ||
ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %>
-<% if @openvpn_allow_free %>
-ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 ||
- ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %>
+<% if @openvpn_second_gateway_address %>
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %>
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
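Review bot: The new `grep -q <%= @openvpn_second_gateway_address %>/24` test uses the address as an unanchored regular expression, so each `.` matches any character; use a fixed-string match, `grep -qF -- "<%= @openvpn_second_gateway_address %>/24"`, and the same applies to the unchanged first-gateway check above it. The `/24` prefix length is hard-coded in both the check and the `ip addr add`, while nothing in the hiera config records the gateway's netmask; a comment on the first line of the template stating that assumption would help, e.g. `# gateway addresses are assumed to sit in a /24 on the primary interface`.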
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 0b4370df..e1ea86ec 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -2,30 +2,32 @@ define site_shorewall::dnat_rule {
$port = $name
if $port != 1194 {
- shorewall::rule {
- "dnat_tcp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'tcp',
- destinationport => $port,
- order => 100;
- }
- shorewall::rule {
- "dnat_udp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'udp',
- destinationport => $port,
- order => 100;
+ if $site_openvpn::openvpn_allow_paid {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
}
if $site_openvpn::openvpn_allow_free {
shorewall::rule {
"dnat_free_tcp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
proto => 'tcp',
destinationport => $port,
order => 100;
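Review bot: `$site_openvpn::openvpn_allow_paid`, `$site_openvpn::paid_gateway_address`, `$site_openvpn::openvpn_allow_free` and `$site_openvpn::free_gateway_address` are not defined by the init.pp in this commit, which exposes `$openvpn_allow_unlimited`, `$openvpn_allow_limited`, `$unlimited_gateway_address` and `$limited_gateway_address`; both `if` guards therefore evaluate an undef variable and no DNAT rule is created for any port other than 1194, so the gateways stop being reachable on 80, 443 and 53. Rename the references: `openvpn_allow_paid` → `openvpn_allow_unlimited`, `paid_gateway_address` → `unlimited_gateway_address`, `openvpn_allow_free` → `openvpn_allow_limited`, `free_gateway_address` → `limited_gateway_address` (the last one also appears in the second hunk of this file). The `dnat_free_*` resource titles should follow the same limited/unlimited naming for consistency with init.pp. The define's opening line is outside this hunk.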
@@ -34,7 +36,7 @@ define site_shorewall::dnat_rule {
"dnat_free_udp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
proto => 'udp',
destinationport => $port,
order => 100;
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index d2bf3c4c..95c3920e 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -3,10 +3,6 @@ class site_shorewall::eip {
include site_shorewall::defaults
include site_shorewall::ip_forward
- $openvpn_config = hiera('openvpn')
- $openvpn_ports = $openvpn_config['ports']
- $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
-
# define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
content => "PARAM - - tcp 1194
@@ -16,41 +12,45 @@ PARAM - - udp 1194
require => Package['shorewall']
}
-
shorewall::interface {
'tun0':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs';
'tun1':
zone => 'eip',
- options => 'tcpflags,blacklist,nosmurfs'
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun2':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun3':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
}
+ shorewall::zone {
+ 'eip':
+ type => 'ipv4';
+ }
- shorewall::zone {'eip':
- type => 'ipv4'; }
-
- case $::virtual {
- 'virtualbox': {
- shorewall::masq {
- 'eth0_tcp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
- 'eth0_udp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
- }
- default: {
- $interface = $site_shorewall::defaults::interface
- shorewall::masq {
- "${interface}_tcp":
- interface => $interface,
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
+ if $::virtual == 'virtualbox' {
+ $interface = 'eth0'
+ } else {
+ $interface = $site_shorewall::defaults::interface
+ }
- "${interface}_udp":
- interface => $interface,
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
- }
+ shorewall::masq {
+ "${interface}_unlimited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}";
+ "${interface}_unlimited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}";
+ "${interface}_limited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}";
+ "${interface}_limited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}";
}
shorewall::policy {
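Review bot: The `shorewall::masq` block now NATs all four VPN networks unconditionally, while the daemons and resolvers for the limited and unlimited ranges are created only when `$site_openvpn::openvpn_allow_limited` / `$site_openvpn::openvpn_allow_unlimited` hold; masquerading an RFC1918 range that no daemon serves is harmless in practice, but wrapping the two pairs in the same conditionals would keep the firewall rules in step with the services they exist for. Likewise `tun2` and `tun3` are only present when all four daemons run; if the Shorewall in use fails to start when a listed interface is absent, the `optional` interface option is the documented way to tolerate that — confirm against the target version. A short comment above `shorewall::interface` mapping tun0–tun3 to the four config files would make the numbering assumption explicit.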
@@ -70,7 +70,6 @@ PARAM - - udp 1194
}
# create dnat rule for each port
- #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
- site_shorewall::dnat_rule { $openvpn_ports: }
+ site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: }
}
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index cd67d1fd..af778212 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -6,8 +6,11 @@ production:
client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
cert_options:
- client_cert_lifespan: <%= cert_options['life_span'].to_i %>
- client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
- client_cert_hash: <%= cert_options['digest'] %>
- free_certs_enabled: <%= @webapp['allow_free'].inspect %>
- free_cert_prefix: "<%= cert_options['free_prefix'] %>"
+ client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+ client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
+ client_cert_hash: <%= cert_options['digest'] %>
+ allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
+ allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
+ allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
+ limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
+ unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"