$ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
$environment = hiera('environment', undef)
-
- if $::vagrant {
+ if str2bool("$::vagrant") {
# Depending on the backend hypervisor networking is setup differently.
if $::interfaces =~ /eth1/ {
# Virtualbox: Private networking creates a second interface eth1
# we need to include shorewall::interface{eth0} in setup.pp so
# packages can be installed during main puppetrun, even before shorewall
# is configured completly
- if $::vagrant {
+ if str2bool("$::vagrant") {
include site_config::vagrant
}
# find out the netmask in cidr format of the primary IF
# thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
# we can do this using an inline_template:
- $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $factname_primary_netmask = "netmask_${::site_config::params::interface}"
$primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
# deploy dh keys
#!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "inet <%= @openvpn_gateway_address %>/" ||
ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
+
<% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "<%= @openvpn_second_gateway_address %>/" ||
ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
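Review bot: The second probe on the `grep -q "<%= @openvpn_second_gateway_address %>/"` line drops the `inet ` prefix that the first probe keeps, so the two existence checks match differently, and both pass the address as a regex in which each `.` matches any character. Using fixed-string matching with the same prefix in both places, `grep -qF "inet <%= @openvpn_second_gateway_address %>/" ||`, makes the check exact and consistent. The two `[ $EXITCODE != 0 ]` tests compare numbers and read more clearly as `[ "$EXITCODE" -ne 0 ]`. The template may continue past the last context line shown here.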
pass
end
+ def test_02_Can_connect_to_openvpn?
+ # because of the way the firewall rules are currently set up, you can only
+ # connect to the standard 1194 openvpn port when you are connecting
+ # from the same host as openvpn is running on.
+ #
+ # so, this is disabled for now:
+ # $node['openvpn']['ports'].each {|port| ...}
+ #
+
+ $node['openvpn']['protocols'].each do |protocol|
+ assert_openvpn_is_bound_to_port($node['openvpn']['gateway_address'], protocol, 1194)
+ end
+ pass
+ end
+
+ private
+
+ #
+ # asserting succeeds if openvpn appears to be correctly bound and we can
+ # connect to it. we don't actually try to establish a vpn connection in this
+ # test, we just check to see that it sort of looks like it is openvpn running
+ # on the port.
+ #
+ def assert_openvpn_is_bound_to_port(ip_address, protocol, port)
+ protocol = protocol.downcase
+ if protocol == 'udp'
+ # this sends a magic string to openvpn to attempt to start the protocol.
+ nc_output = `/bin/echo -e "\\x38\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00" | timeout 0.5 nc -u #{ip_address} #{port}`.strip
+ assert !nc_output.empty?, "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ elsif protocol == 'tcp'
+ assert system("openssl s_client -connect #{ip_address}:#{port} 2>&1 | grep -q CONNECTED"),
+ "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ else
+ assert false, "invalid openvpn protocol #{protocol}"
+ end
+ end
end
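Review bot: `ip_address` and `port` are interpolated into a shell command string at the backtick on the `nc -u` line and in the `system("openssl s_client ...")` call, so any shell metacharacters in `$node['openvpn']['gateway_address']` are executed rather than treated as an address. Both probes can run without a shell by passing an argv list to `Open3.capture2`/`Open3.capture2e` and replacing the `grep -q CONNECTED` pipe with an `include?` check on the captured output; this needs `require 'open3'` at the top of the file. The nc exit status is ignored on the new side, so a failure of `timeout`/`nc` only shows up indirectly as empty output; the rewrite below keeps that behaviour rather than changing the assertion. The enclosing test class starts before this hunk.
```ruby
def assert_openvpn_is_bound_to_port(ip_address, protocol, port)
  protocol = protocol.downcase
  target = [ip_address.to_s, port.to_s]
  case protocol
  when 'udp'
    # same opcode probe as before, but nc's arguments are passed as argv, not through a shell
    probe = "\x38\x01\x00\x00\x00\x00\x00\x00\x00"
    nc_output, = Open3.capture2('timeout', '0.5', 'nc', '-u', *target, stdin_data: probe)
    assert !nc_output.strip.empty?, "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
  when 'tcp'
    s_client_output, = Open3.capture2e('openssl', 's_client', '-connect', target.join(':'))
    assert s_client_output.include?('CONNECTED'),
      "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
  else
    flunk "invalid openvpn protocol #{protocol}"
  end
end
```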