diff options
author | elijah <elijah@riseup.net> | 2013-02-27 23:46:58 -0800 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2013-02-27 23:46:58 -0800 |
commit | ffb88e54c5e4e30fa61ea1009f3eee62f98ab17c (patch) | |
tree | 0d28846e9de15d7580b3b232aac16e2f4e8cb6e4 /puppet/modules/site_openvpn/manifests | |
parent | 5f8b63892ec9d08471a43ac642ed8f291d27c4f5 (diff) |
openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name.
Diffstat (limited to 'puppet/modules/site_openvpn/manifests')
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 45 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 18 |
2 files changed, 54 insertions, 9 deletions
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 165ba96e..0c9f1795 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,9 +1,9 @@ class site_openvpn { tag 'leap_service' + # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") - #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' @@ -12,6 +12,10 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $openvpn_allow_free = $openvpn_config['allow_free'] + $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] + $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] + $openvpn_free_prefix = $openvpn_config['free_prefix'] $x509_config = hiera('x509') # deploy ca + server keys @@ -26,22 +30,47 @@ class site_openvpn { push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } + site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + local => $openvpn_gateway_address, server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - local => $openvpn_gateway_address, management => '127.0.0.1 1001' } + if $openvpn_allow_free { + site_openvpn::server_config { 'free_tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002' + } + site_openvpn::server_config { 'free_udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + management => '127.0.0.1 1003' + } + } else { + tidy { "/etc/openvpn/free_tcp_config.conf": } + tidy { "/etc/openvpn/free_udp_config.conf": } + } + # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", - mode => '0755', + file { + '/usr/local/bin/leap_add_second_ip.sh': + content => template('site_openvpn/leap_add_second_ip.sh.erb'), + mode => '0755'; } exec { '/usr/local/bin/leap_add_second_ip.sh': diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 436dd272..1f42400a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,7 +52,9 @@ # note: the default is BF-CBC (blowfish) # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( + $port, $proto, $local, $server, $push, + $management, $tls_remote = undef, $shaper = undef) { $openvpn_configname = $name @@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana notify => Service['openvpn']; } + # special options for the "free" gateway daemons + if $shaper != undef { + openvpn::option { + "shaper $openvpn_configname": + key => 'shaper', + value => $shaper, + server => $openvpn_configname; + "tls-remote $openvpn_configname": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; + } + } + openvpn::option { "ca $openvpn_configname": key => 'ca', |