4 files changed, 35 insertions, 24 deletions
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index feaea25b..3b8976fd 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -27,6 +27,7 @@
   hsh["version"] = 1
   locations = {}
   gateways = []
+  configuration = nil
   nodes_like_me[:services => 'openvpn'].each_node do |node|
     if node.openvpn.allow_limited && node.openvpn.allow_unlimited
       gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
@@ -36,13 +37,13 @@
     elsif node.openvpn.allow_limited
       gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
     end
+    if configuration && node.openvpn.configuration != configuration
+      log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors."
+    end
+    configuration = node.openvpn.configuration
   end
   hsh["gateways"] = gateways.compact
   hsh["locations"] = locations
-  hsh["openvpn_configuration"] = {
-    "tls-cipher" => "DHE-RSA-AES128-SHA",
-    "auth" => "SHA1",
-    "cipher" => "AES-128-CBC"
-  }
+  hsh["openvpn_configuration"] = configuration
   JSON.sorted_generate hsh
 %>
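Review bot: The conflict check added in the second hunk is order-dependent and last-writer-wins: `configuration` is reassigned on every iteration, so a node whose `openvpn.configuration` is nil or differs resets the baseline for the next comparison, and the value that reaches `hsh["openvpn_configuration"]` is simply whatever the last node carried, even after the error was logged. Keeping the first value seen, `configuration ||= node.openvpn.configuration`, makes every node compare against the same baseline and makes the emitted value deterministic regardless of node order. If an environment can have no OpenVPN nodes, `configuration` stays nil and clients receive `"openvpn_configuration": null`; that case is worth either guarding or documenting in the template. The message `This will result in bad errors.` would serve operators better by naming the consequence, presumably that clients are handed a cipher configuration some gateways will not accept.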
\ No newline at end of file
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5a87335b..e5b97ed9 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -18,6 +18,11 @@
     "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
     "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
     "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
-    "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil"
+    "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
+    "configuration": {
+      "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+      "auth": "SHA1",
+      "cipher": "AES-128-CBC"
+    }
   }
 }
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4c2a3967..7aec0faa 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
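Review bot: The `tls-cipher` value introduced here is not the string the code used before: both the ERB template and server_config.pp hard-coded `DHE-RSA-AES128-SHA` (OpenSSL naming), while the new shared value is `TLS-DHE-RSA-WITH-AES-128-CBC-SHA` (IANA naming), and via `$config['tls-cipher']` in server_config.pp it now lands in every server's openvpn.conf as well. Whether the server accepts the IANA form depends on the OpenVPN release deployed — as far as I know older builds only understand OpenSSL-style names for `--tls-cipher` — so this should be verified on the target platform before rollout, since a rejected `tls-cipher` line would keep the daemon from starting. This hash is now the single contract between the client-facing eip-service.json and the server configuration; JSON carries no comments, so that coupling is worth recording in the provider documentation next to this key.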
@@ -27,22 +27,23 @@ class site_openvpn {
   Class['site_config::default'] -> Class['site_openvpn']
-  $openvpn_config   = hiera('openvpn')
-  $openvpn_ports    = $openvpn_config['ports']
+  $openvpn          = hiera('openvpn')
+  $openvpn_ports    = $openvpn['ports']
+  $openvpn_config   = $openvpn['configuration']
   if $::ec2_instance_id {
     $openvpn_gateway_address = $::ipaddress
   } else {
-    $openvpn_gateway_address         = $openvpn_config['gateway_address']
-    if $openvpn_config['second_gateway_address'] {
-      $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+    $openvpn_gateway_address         = $openvpn['gateway_address']
+    if $openvpn['second_gateway_address'] {
+      $openvpn_second_gateway_address = $openvpn['second_gateway_address']
     } else {
       $openvpn_second_gateway_address = undef
     }
   }
-  $openvpn_allow_unlimited              = $openvpn_config['allow_unlimited']
-  $openvpn_unlimited_prefix             = $openvpn_config['unlimited_prefix']
+  $openvpn_allow_unlimited              = $openvpn['allow_unlimited']
+  $openvpn_unlimited_prefix             = $openvpn['unlimited_prefix']
   $openvpn_unlimited_tcp_network_prefix = '10.41.0'
   $openvpn_unlimited_tcp_netmask        = '255.255.248.0'
   $openvpn_unlimited_tcp_cidr           = '21'
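Review bot: `$openvpn_config = $openvpn['configuration']` is taken from hiera with no check that the key exists or holds a hash, and the later lookups `$config['tls-cipher']`, `$config['auth']` and `$config['cipher']` in server_config.pp (the hunk at `@@ -96,15 +96,15 @@`) would then resolve to undef rather than fail. Depending on how `openvpn::option` renders an undef value, the result is either an empty or missing `tls-cipher`/`auth`/`cipher` line, which silently loosens the cipher pinning the previous hard-coded constants guaranteed. A fail-fast guard right after the assignment keeps the catalog from compiling in that state: `if ! $openvpn_config { fail('openvpn.configuration is missing from hiera') }`. The same guard, or a per-key check, could live in server_config.pp instead, but one place is enough.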
@@ -51,9 +52,9 @@ class site_openvpn {
   $openvpn_unlimited_udp_cidr           = '21'
   if !$::ec2_instance_id {
-    $openvpn_allow_limited                = $openvpn_config['allow_limited']
-    $openvpn_limited_prefix               = $openvpn_config['limited_prefix']
-    $openvpn_rate_limit                   = $openvpn_config['rate_limit']
+    $openvpn_allow_limited                = $openvpn['allow_limited']
+    $openvpn_limited_prefix               = $openvpn['limited_prefix']
+    $openvpn_rate_limit                   = $openvpn['rate_limit']
     $openvpn_limited_tcp_network_prefix   = '10.43.0'
     $openvpn_limited_tcp_netmask          = '255.255.248.0'
     $openvpn_limited_tcp_cidr             = '21'
@@ -90,7 +91,8 @@ class site_openvpn {
       tls_remote  => "\"${openvpn_unlimited_prefix}\"",
       server      => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
       push        => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
-      management  => '127.0.0.1 1000'
+      management  => '127.0.0.1 1000',
+      config      => $openvpn_config
     }
     site_openvpn::server_config { 'udp_config':
       port        => '1194',
@@ -99,7 +101,8 @@ class site_openvpn {
       tls_remote  => "\"${openvpn_unlimited_prefix}\"",
       server      => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
       push        => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
-      management  => '127.0.0.1 1001'
+      management  => '127.0.0.1 1001',
+      config      => $openvpn_config
     }
   } else {
     tidy { '/etc/openvpn/tcp_config.conf': }
@@ -114,7 +117,8 @@ class site_openvpn {
       tls_remote  => "\"${openvpn_limited_prefix}\"",
       server      => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
       push        => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
-      management  => '127.0.0.1 1002'
+      management  => '127.0.0.1 1002',
+      config      => $openvpn_config
     }
     site_openvpn::server_config { 'limited_udp_config':
       port        => '1194',
@@ -123,7 +127,8 @@ class site_openvpn {
       tls_remote  => "\"${openvpn_limited_prefix}\"",
       server      => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
       push        => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
-      management  => '127.0.0.1 1003'
+      management  => '127.0.0.1 1003',
+      config      => $openvpn_config
     }
   } else {
     tidy { '/etc/openvpn/limited_tcp_config.conf': }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index befeaef7..6246a836 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@
 define site_openvpn::server_config(
   $port, $proto, $local, $server, $push,
-  $management, $tls_remote = undef) {
+  $management, $config, $tls_remote = undef) {
   $openvpn_configname = $name
@@ -96,15 +96,15 @@ define site_openvpn::server_config(
         server  => $openvpn_configname;
     "tls-cipher ${openvpn_configname}":
         key     => 'tls-cipher',
-        value   => 'DHE-RSA-AES128-SHA',
+        value   => $config['tls-cipher'],
         server  => $openvpn_configname;
     "auth ${openvpn_configname}":
         key     => 'auth',
-        value   => 'SHA1',
+        value   => $config['auth'],
         server  => $openvpn_configname;
     "cipher ${openvpn_configname}":
         key     => 'cipher',
-        value   => 'AES-128-CBC',
+        value   => $config['cipher'],
         server  => $openvpn_configname;
     "dev ${openvpn_configname}":
         key    => 'dev',
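Review bot: The three lookups `$config['tls-cipher']`, `$config['auth']` and `$config['cipher']` replace constants with nothing telling a reader of server_config.pp where the hash originates or why these exact keys matter; the fact that `openvpn.configuration` from provider_base/services/openvpn.json is also serialized into eip-service.json for clients is only visible from the other files in this commit. I would add above the `"tls-cipher ${openvpn_configname}"` resource: `# tls-cipher/auth/cipher come from hiera openvpn.configuration; the same hash is published to clients in eip-service.json, so client and server must agree on these values — change them together.` The `$config` parameter itself deserves a line in the define's header documentation stating that it must be a hash with these three keys, since a missing key yields undef rather than a compile error. The enclosing define starts outside this hunk.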
