diff options
Diffstat (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp')
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp new file mode 100644 index 00000000..de273b46 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -0,0 +1,166 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { + + $openvpn_configname = $name + + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } + + openvpn::option { + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca_bundle.pem', + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => '/etc/x509/certs/leap_openvpn.crt', + server => $openvpn_configname; + "key $openvpn_configname": + key => 'key', + value => '/etc/x509/keys/leap_openvpn.key', + server => $openvpn_configname; + "dh $openvpn_configname": + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; + "dev $openvpn_configname": + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; + "keepalive $openvpn_configname": + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; + "local $openvpn_configname": + key => 'local', + value => $local, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; + "management $openvpn_configname": + key => 'management', + value => $management, + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => $server, + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; + "topology $openvpn_configname": + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; + } +} |