authorMicah <micah@leap.se>2016-05-10 14:48:26 -0400
committerMicah <micah@leap.se>2016-05-10 14:48:26 -0400
commit86c85582065c391aa13c0b9b397dfd1aa2e2ac7b (patch)
tree7c027409a517d862864bf3650f4a8a66f615162d /puppet/modules/site_openvpn
parent70b1c648b94e6c007b9241a4661f33881e74485f (diff)
parent66b4c6b5ec6fe2f242020845fe92715ae2cdcc1e (diff)
Merge tag '0.8.0'
Release 0.8.0
Diffstat (limited to 'puppet/modules/site_openvpn')
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp88
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp23
2 files changed, 68 insertions, 43 deletions
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..f1ecefb9 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -24,9 +24,11 @@ class site_openvpn {
include site_config::x509::key
include site_config::x509::ca_bundle
-
+ include site_config::default
Class['site_config::default'] -> Class['site_openvpn']
+ include ::site_obfsproxy
+
$openvpn = hiera('openvpn')
$openvpn_ports = $openvpn['ports']
$openvpn_config = $openvpn['configuration']
@@ -67,7 +69,7 @@ class site_openvpn {
# thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
# we can do this using an inline_template:
$factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
- $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+ $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
# deploy dh keys
include site_openvpn::dh_key
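Review bot: The corrected lookupvar call still accepts a missing fact silently: if no `netmask_cidr_<interface>` fact exists on the node, the inline template evaluates to an empty string and `$primary_netmask` is carried on with no netmask at all (where it is consumed is outside this hunk). Since this value presumably feeds the gateway's network or firewall configuration, I would fail the catalog early rather than let an empty netmask propagate, e.g. `if $primary_netmask == '' { fail("no netmask fact for ${::site_config::params::interface}") }` directly after the assignment. The enclosing class `site_openvpn` starts and ends outside the hunk.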
@@ -85,24 +87,24 @@ class site_openvpn {
if $openvpn_allow_unlimited {
site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $unlimited_gateway_address,
- tls_remote => "\"${openvpn_unlimited_prefix}\"",
- server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000',
- config => $openvpn_config
+ port => '1194',
+ proto => 'tcp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1000',
+ config => $openvpn_config
}
site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- local => $unlimited_gateway_address,
- tls_remote => "\"${openvpn_unlimited_prefix}\"",
- server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001',
- config => $openvpn_config
+ port => '1194',
+ proto => 'udp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1001',
+ config => $openvpn_config
}
} else {
tidy { '/etc/openvpn/tcp_config.conf': }
@@ -111,24 +113,24 @@ class site_openvpn {
if $openvpn_allow_limited {
site_openvpn::server_config { 'limited_tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $limited_gateway_address,
- tls_remote => "\"${openvpn_limited_prefix}\"",
- server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1002',
- config => $openvpn_config
+ port => '1194',
+ proto => 'tcp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1002',
+ config => $openvpn_config
}
site_openvpn::server_config { 'limited_udp_config':
- port => '1194',
- proto => 'udp',
- local => $limited_gateway_address,
- tls_remote => "\"${openvpn_limited_prefix}\"",
- server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1003',
- config => $openvpn_config
+ port => '1194',
+ proto => 'udp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1003',
+ config => $openvpn_config
}
} else {
tidy { '/etc/openvpn/limited_tcp_config.conf': }
@@ -172,14 +174,8 @@ class site_openvpn {
include site_shorewall::eip
- # In wheezy, we need the openvpn backport to get the 2.3 version of
- # openvpn which has proper ipv6 support
- include site_apt::preferences::openvpn
-
package {
- 'openvpn':
- ensure => latest,
- require => Class['site_apt::preferences::openvpn'];
+ 'openvpn': ensure => latest
}
service {
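Review bot: `ensure => latest` on the openvpn package (the new one-liner) turns every Puppet run into an unreviewed upgrade of the daemon that terminates client TLS sessions, and with the apt preference dropped there is no longer any control over which repository that upgrade is taken from. For a gateway I would use `'openvpn': ensure => installed` and drive upgrades through the platform's patch process, so a version change is a deliberate step rather than a side effect of a catalog run. Note also that the removed preference was, per the deleted comment, what guaranteed OpenVPN 2.3 on wheezy, and the `/^7.*/` branch added in server_config.pp shows wheezy is still a supported target in this release, so wheezy nodes presumably fall back to whatever the stock repository provides.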
@@ -228,7 +224,15 @@ class site_openvpn {
order => 10;
}
- leap::logfile { 'openvpn': }
+ leap::logfile { 'openvpn_tcp': }
+ leap::logfile { 'openvpn_udp': }
+
+ # Because we currently do not support ipv6 and instead block it (so no leaks
+ # happen), we get a large number of these messages, so we ignore them (#6540)
+ rsyslog::snippet { '01-ignore_icmpv6_send':
+ content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+ }
+
include site_check_mk::agent::openvpn
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 221c79a7..6decc665 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -109,7 +109,7 @@ define site_openvpn::server_config(
"cert ${openvpn_configname}":
key => 'cert',
value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
- server => $openvpn_configname;
+ server => $openvpn_configname;
"key ${openvpn_configname}":
key => 'key',
value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
@@ -203,5 +203,26 @@ define site_openvpn::server_config(
key => 'verb',
value => '3',
server => $openvpn_configname;
+ "log-append /var/log/leap/openvpn_${proto}.log":
+ key => 'log-append',
+ value => "/var/log/leap/openvpn_${proto}.log",
+ server => $openvpn_configname;
+ }
+
+ # register openvpn services at systemd on nodes newer than wheezy
+ # see https://leap.se/code/issues/7798
+ case $::operatingsystemrelease {
+ /^7.*/: { }
+ default: {
+ exec { "enable_systemd_${openvpn_configname}":
+ refreshonly => true,
+ command => "/bin/systemctl enable openvpn@${openvpn_configname}",
+ subscribe => File["/etc/openvpn/${openvpn_configname}.conf"],
+ notify => Service["openvpn@${openvpn_configname}"];
+ }
+ service { "openvpn@${openvpn_configname}":
+ ensure => running
+ }
+ }
}
}
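Review bot: The systemd registration in the `default:` branch only enables the unit when the config file changes, because the exec is `refreshonly => true` and subscribed to `File["/etc/openvpn/${openvpn_configname}.conf"]`; on a node where that file is already in place from an earlier run the exec never fires, and `service { ... ensure => running }` without `enable => true` does not persist the unit across a reboot. Puppet's service type handles this natively on systemd, so I would drop the exec and write `service { "openvpn@${openvpn_configname}": ensure => running, enable => true, subscribe => File["/etc/openvpn/${openvpn_configname}.conf"] }`. Separately, the new `log-append` path is keyed on `${proto}` rather than `${openvpn_configname}`, so the limited and unlimited instances of the same protocol (`tcp_config` and `limited_tcp_config` in init.pp) append to the same `/var/log/leap/openvpn_tcp.log`; that looks intentional given the matching `leap::logfile` resources, but it means a log line cannot be attributed to a gateway instance unless the instance identifies itself. The define `site_openvpn::server_config` starts outside the hunk.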