summaryrefslogtreecommitdiff
path: root/puppet/modules/site_openvpn/manifests
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2013-02-27 23:46:58 -0800
committerelijah <elijah@riseup.net>2013-02-27 23:46:58 -0800
commitffb88e54c5e4e30fa61ea1009f3eee62f98ab17c (patch)
tree0d28846e9de15d7580b3b232aac16e2f4e8cb6e4 /puppet/modules/site_openvpn/manifests
parent5f8b63892ec9d08471a43ac642ed8f291d27c4f5 (diff)
openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name.
Diffstat (limited to 'puppet/modules/site_openvpn/manifests')
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp45
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp18
2 files changed, 54 insertions, 9 deletions
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 165ba96e..0c9f1795 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,9 +1,9 @@
class site_openvpn {
tag 'leap_service'
+
# parse hiera config
$ip_address = hiera('ip_address')
$interface = getvar("interface_${ip_address}")
- #$gateway_address = hiera('gateway_address')
$openvpn_config = hiera('openvpn')
$openvpn_gateway_address = $openvpn_config['gateway_address']
$openvpn_tcp_network_prefix = '10.1.0'
@@ -12,6 +12,10 @@ class site_openvpn {
$openvpn_udp_network_prefix = '10.2.0'
$openvpn_udp_netmask = '255.255.248.0'
$openvpn_udp_cidr = '21'
+ $openvpn_allow_free = $openvpn_config['allow_free']
+ $openvpn_free_gateway_address = $openvpn_config['free_gateway_address']
+ $openvpn_free_rate_limit = $openvpn_config['free_rate_limit']
+ $openvpn_free_prefix = $openvpn_config['free_prefix']
$x509_config = hiera('x509')
# deploy ca + server keys
@@ -26,22 +30,47 @@ class site_openvpn {
push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
management => '127.0.0.1 1000'
}
+
site_openvpn::server_config { 'udp_config':
port => '1194',
proto => 'udp',
+ local => $openvpn_gateway_address,
server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
- local => $openvpn_gateway_address,
management => '127.0.0.1 1001'
}
+ if $openvpn_allow_free {
+ site_openvpn::server_config { 'free_tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $openvpn_free_gateway_address,
+ tls_remote => "\"${openvpn_free_prefix}\"",
+ shaper => $openvpn_free_rate_limit,
+ server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1002'
+ }
+ site_openvpn::server_config { 'free_udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $openvpn_free_gateway_address,
+ tls_remote => "\"${openvpn_free_prefix}\"",
+ shaper => $openvpn_free_rate_limit,
+ server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1003'
+ }
+ } else {
+ tidy { "/etc/openvpn/free_tcp_config.conf": }
+ tidy { "/etc/openvpn/free_udp_config.conf": }
+ }
+
# add second IP on given interface
- file { '/usr/local/bin/leap_add_second_ip.sh':
- content => "#!/bin/sh
-ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface}
-/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
-",
- mode => '0755',
+ file {
+ '/usr/local/bin/leap_add_second_ip.sh':
+ content => template('site_openvpn/leap_add_second_ip.sh.erb'),
+ mode => '0755';
}
exec { '/usr/local/bin/leap_add_second_ip.sh':
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 436dd272..1f42400a 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -52,7 +52,9 @@
# note: the default is BF-CBC (blowfish)
#
-define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
+define site_openvpn::server_config(
+ $port, $proto, $local, $server, $push,
+ $management, $tls_remote = undef, $shaper = undef) {
$openvpn_configname = $name
@@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
notify => Service['openvpn'];
}
+ # special options for the "free" gateway daemons
+ if $shaper != undef {
+ openvpn::option {
+ "shaper $openvpn_configname":
+ key => 'shaper',
+ value => $shaper,
+ server => $openvpn_configname;
+ "tls-remote $openvpn_configname":
+ key => 'tls-remote',
+ value => $tls_remote,
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca $openvpn_configname":
key => 'ca',