authorelijah <elijah@riseup.net>2013-02-27 23:46:58 -0800
committerelijah <elijah@riseup.net>2013-02-27 23:46:58 -0800
commitffb88e54c5e4e30fa61ea1009f3eee62f98ab17c (patch)
tree0d28846e9de15d7580b3b232aac16e2f4e8cb6e4 /puppet
parent5f8b63892ec9d08471a43ac642ed8f291d27c4f5 (diff)
openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name.
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp45
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp18
-rw-r--r--puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb11
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp21
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb8
5 files changed, 93 insertions, 10 deletions
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 165ba96e..0c9f1795 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,9 +1,9 @@
class site_openvpn {
tag 'leap_service'
+
# parse hiera config
$ip_address = hiera('ip_address')
$interface = getvar("interface_${ip_address}")
- #$gateway_address = hiera('gateway_address')
$openvpn_config = hiera('openvpn')
$openvpn_gateway_address = $openvpn_config['gateway_address']
$openvpn_tcp_network_prefix = '10.1.0'
@@ -12,6 +12,10 @@ class site_openvpn {
$openvpn_udp_network_prefix = '10.2.0'
$openvpn_udp_netmask = '255.255.248.0'
$openvpn_udp_cidr = '21'
+ $openvpn_allow_free = $openvpn_config['allow_free']
+ $openvpn_free_gateway_address = $openvpn_config['free_gateway_address']
+ $openvpn_free_rate_limit = $openvpn_config['free_rate_limit']
+ $openvpn_free_prefix = $openvpn_config['free_prefix']
$x509_config = hiera('x509')
# deploy ca + server keys
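Review bot: The four free-service values read on L39–L42 come straight from hiera with no check, yet `$openvpn_free_prefix` later becomes the argument of tls-remote, which OpenVPN matches as a common-name prefix; an empty or absent value would, as a prefix match, let any certificate from the CA onto the rate-limited gateways, and an absent `free_gateway_address` leaves the free daemons with no address to bind. A fail-fast guard next to these lookups keeps a misconfiguration from silently widening access: `if $openvpn_allow_free and ($openvpn_free_prefix == '' or $openvpn_free_gateway_address == '') { fail('site_openvpn: free_prefix and free_gateway_address are required when allow_free is set') }`. The class body continues below this hunk.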
@@ -26,22 +30,47 @@ class site_openvpn {
push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
management => '127.0.0.1 1000'
}
+
site_openvpn::server_config { 'udp_config':
port => '1194',
proto => 'udp',
+ local => $openvpn_gateway_address,
server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
- local => $openvpn_gateway_address,
management => '127.0.0.1 1001'
}
+ if $openvpn_allow_free {
+ site_openvpn::server_config { 'free_tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $openvpn_free_gateway_address,
+ tls_remote => "\"${openvpn_free_prefix}\"",
+ shaper => $openvpn_free_rate_limit,
+ server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1002'
+ }
+ site_openvpn::server_config { 'free_udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $openvpn_free_gateway_address,
+ tls_remote => "\"${openvpn_free_prefix}\"",
+ shaper => $openvpn_free_rate_limit,
+ server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1003'
+ }
+ } else {
+ tidy { "/etc/openvpn/free_tcp_config.conf": }
+ tidy { "/etc/openvpn/free_udp_config.conf": }
+ }
+
# add second IP on given interface
- file { '/usr/local/bin/leap_add_second_ip.sh':
- content => "#!/bin/sh
-ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface}
-/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
-",
- mode => '0755',
+ file {
+ '/usr/local/bin/leap_add_second_ip.sh':
+ content => template('site_openvpn/leap_add_second_ip.sh.erb'),
+ mode => '0755';
}
exec { '/usr/local/bin/leap_add_second_ip.sh':
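Review bot: Only the two free daemons (L60–L79) carry `tls_remote`; the paid `udp_config` (L50–L58) and the tcp block above it accept any certificate the CA issued, so nothing in this hunk keeps a FREE-prefixed client off the unshaped gateways, and unless paid and free certificates come from different CAs (not visible here) the paid configs need the complementary restriction, e.g. a tls-verify script or CN-based check outside this hunk. The `else` branch (L80–L83) removes the free config files with `tidy` but does not notify `Service['openvpn']` the way `server_config` does, so turning `allow_free` off leaves the running free daemons up until the next restart; add `notify => Service['openvpn']` to both tidy resources. A comment on the `shaper` lines should also record that OpenVPN's shaper limits outbound (server-to-client) traffic only, so client upload on the free gateways is not capped. The `site_openvpn` class continues after this hunk.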
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 436dd272..1f42400a 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -52,7 +52,9 @@
# note: the default is BF-CBC (blowfish)
#
-define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
+define site_openvpn::server_config(
+ $port, $proto, $local, $server, $push,
+ $management, $tls_remote = undef, $shaper = undef) {
$openvpn_configname = $name
@@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
notify => Service['openvpn'];
}
+ # special options for the "free" gateway daemons
+ if $shaper != undef {
+ openvpn::option {
+ "shaper $openvpn_configname":
+ key => 'shaper',
+ value => $shaper,
+ server => $openvpn_configname;
+ "tls-remote $openvpn_configname":
+ key => 'tls-remote',
+ value => $tls_remote,
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
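Review bot: The tls-remote option (L120–L123) is declared only inside `if $shaper != undef` (L114), so a caller that passes `tls_remote` without `shaper` gets no common-name restriction at all, and one that passes `shaper` alone emits `tls-remote` with an undef value; the access-control option should not be gated on the bandwidth one. Split the block into two guards, `if $shaper != undef { … }` around the shaper resource and `if $tls_remote != undef { … }` around the tls-remote resource, each declaring a single `openvpn::option`. The comment on L113 would be more useful if it recorded why the option is used, e.g. `# tls-remote matches the client CN as a prefix; it is what confines FREE-prefixed certificates to the shaped daemons (deprecated upstream in favour of verify-x509-name)`. The define's body continues on both sides of this hunk.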
diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
new file mode 100644
index 00000000..40866116
--- /dev/null
+++ b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %>
+
+<% if @openvpn_allow_free %>
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %>
+<% end %>
+
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
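Review bot: The presence checks on L138 and L142 hand the bare address to `grep` as an unanchored basic regex, so each dot matches any character; `grep -qF '<%= @openvpn_free_gateway_address %>/24'` (and the same for the primary address) tests the literal string instead. The free address is added only while `@openvpn_allow_free` is set and is never removed when the flag is later cleared, whereas the manifest side does tidy the free config files, so the host keeps holding the free gateway IP unless something outside this template removes it — worth either an `<% else %>` branch that deletes it or a comment stating that removal is manual. Since the script is `#!/bin/sh` with no `set -e`, a failed `ip addr add` is silently followed by the ip_forward write, and the exit status seen by the puppet `exec` is only that of the last command.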
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 68f480d8..0b4370df 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -11,7 +11,6 @@ define site_shorewall::dnat_rule {
destinationport => $port,
order => 100;
}
-
shorewall::rule {
"dnat_udp_port_$port":
action => 'DNAT',
@@ -21,5 +20,25 @@ define site_shorewall::dnat_rule {
destinationport => $port,
order => 100;
}
+ if $site_openvpn::openvpn_allow_free {
+ shorewall::rule {
+ "dnat_free_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_free_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
+ }
}
}
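Review bot: The new free rules (L164–L181) match on `source => 'net'`, the protocol and `destinationport => $port` exactly like the paid rules above them, with no original-destination column to tell the two public gateway addresses apart, so for a given port whichever DNAT rule lands first in the generated rules file captures all traffic and the other is never reached; unless the define adds that column outside the hunk (the visible paid rule at L156–L162 does not), each rule needs the gateway address it serves in the original-destination field. The free rules are also gated on `$site_openvpn::openvpn_allow_free` (L163) read straight from another class's scope, so if `site_openvpn` has not been evaluated yet when this define is, the lookup yields undef and the rules are silently omitted; an `include site_openvpn` at the top of the define, or passing the two values as parameters, makes the ordering explicit. A comment such as `# free-gateway rules depend on class site_openvpn having been evaluated first` would record the coupling either way. The enclosing define starts before this hunk.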
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 9cf85f0c..cd67d1fd 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,5 +1,13 @@
+<%- cert_options = @webapp['client_certificates'] -%>
production:
admins: [admin]
domain: <%= @provider_domain %>
client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+
+cert_options:
+ client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+ client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
+ client_cert_hash: <%= cert_options['digest'] %>
+ free_certs_enabled: <%= @webapp['allow_free'].inspect %>
+ free_cert_prefix: "<%= cert_options['free_prefix'] %>"
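Review bot: `free_certs_enabled: <%= @webapp['allow_free'].inspect %>` (L201) renders the bare word `nil` when the hiera key is absent, and YAML loads an unquoted `nil` as the string "nil", which is truthy in Ruby — so leaving `allow_free` unset would most likely enable free certificate issuance rather than disable it. Emit a real boolean instead: `free_certs_enabled: <%= @webapp['allow_free'] ? true : false %>`. On L202 the prefix is interpolated into a double-quoted YAML scalar without escaping, so a prefix containing `"` or `\` would corrupt the file; `free_cert_prefix: <%= cert_options['free_prefix'].to_s.inspect %>` produces a properly quoted scalar for the plain ASCII prefixes expected here. The unquoted style on L200 (`client_cert_hash`) is fine only as long as the digest name stays a simple word.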