Diffstat (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp')
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp170
1 files changed, 93 insertions, 77 deletions
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index b1f4997c..97cf2842 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -60,12 +60,13 @@ define site_openvpn::server_config(
concat {
"/etc/openvpn/${openvpn_configname}.conf":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- require => File['/etc/openvpn'],
- notify => Exec['restart_openvpn'];
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ before => Service['openvpn'],
+ notify => Exec['restart_openvpn'];
}
if $tls_remote != undef {
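Review bot: The re-indented `mode => 644,` on the concat resource is still an unquoted number; Puppet treats file modes as strings and newer releases reject a bare integer (older ones silently accept it as the decimal 644 and warn), so while the hunk is touching this line it should become `mode => '0644',`. The rest of the attribute list looks fine: `before => Service['openvpn']` plus `notify => Exec['restart_openvpn']` gives both an ordering edge and a refresh, which is consistent with how the other resources in this define are wired. The `concat` resource and the define it belongs to begin before this hunk.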
@@ -77,101 +78,116 @@ define site_openvpn::server_config(
}
}
+ # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization".
+ if $proto == 'tcp' {
+ openvpn::option {
+ "tcp-nodelay ${openvpn_configname}":
+ key => 'tcp-nodelay',
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca ${openvpn_configname}":
- key => 'ca',
- value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
- server => $openvpn_configname;
+ key => 'ca',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
+ server => $openvpn_configname;
"cert ${openvpn_configname}":
- key => 'cert',
- value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
+ key => 'cert',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
"key ${openvpn_configname}":
- key => 'key',
- value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
- server => $openvpn_configname;
+ key => 'key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ server => $openvpn_configname;
"dh ${openvpn_configname}":
- key => 'dh',
- value => '/etc/openvpn/keys/dh.pem',
- server => $openvpn_configname;
+ key => 'dh',
+ value => '/etc/openvpn/keys/dh.pem',
+ server => $openvpn_configname;
"tls-cipher ${openvpn_configname}":
- key => 'tls-cipher',
- value => $config['tls-cipher'],
- server => $openvpn_configname;
+ key => 'tls-cipher',
+ value => $config['tls-cipher'],
+ server => $openvpn_configname;
"auth ${openvpn_configname}":
- key => 'auth',
- value => $config['auth'],
- server => $openvpn_configname;
+ key => 'auth',
+ value => $config['auth'],
+ server => $openvpn_configname;
"cipher ${openvpn_configname}":
- key => 'cipher',
- value => $config['cipher'],
- server => $openvpn_configname;
+ key => 'cipher',
+ value => $config['cipher'],
+ server => $openvpn_configname;
"dev ${openvpn_configname}":
- key => 'dev',
- value => 'tun',
- server => $openvpn_configname;
+ key => 'dev',
+ value => 'tun',
+ server => $openvpn_configname;
+ "tun-ipv6 ${openvpn_configname}":
+ key => 'tun-ipv6',
+ server => $openvpn_configname;
"duplicate-cn ${openvpn_configname}":
- key => 'duplicate-cn',
- server => $openvpn_configname;
+ key => 'duplicate-cn',
+ server => $openvpn_configname;
"keepalive ${openvpn_configname}":
- key => 'keepalive',
- value => $config['keepalive'],
- server => $openvpn_configname;
+ key => 'keepalive',
+ value => $config['keepalive'],
+ server => $openvpn_configname;
"local ${openvpn_configname}":
- key => 'local',
- value => $local,
- server => $openvpn_configname;
+ key => 'local',
+ value => $local,
+ server => $openvpn_configname;
"mute ${openvpn_configname}":
- key => 'mute',
- value => '5',
- server => $openvpn_configname;
+ key => 'mute',
+ value => '5',
+ server => $openvpn_configname;
"mute-replay-warnings ${openvpn_configname}":
- key => 'mute-replay-warnings',
- server => $openvpn_configname;
+ key => 'mute-replay-warnings',
+ server => $openvpn_configname;
"management ${openvpn_configname}":
- key => 'management',
- value => $management,
- server => $openvpn_configname;
+ key => 'management',
+ value => $management,
+ server => $openvpn_configname;
"proto ${openvpn_configname}":
- key => 'proto',
- value => $proto,
- server => $openvpn_configname;
+ key => 'proto',
+ value => $proto,
+ server => $openvpn_configname;
"push1 ${openvpn_configname}":
- key => 'push',
- value => $push,
- server => $openvpn_configname;
+ key => 'push',
+ value => $push,
+ server => $openvpn_configname;
"push2 ${openvpn_configname}":
- key => 'push',
- value => '"redirect-gateway def1"',
- server => $openvpn_configname;
+ key => 'push',
+ value => '"redirect-gateway def1"',
+ server => $openvpn_configname;
+ "push-ipv6 ${openvpn_configname}":
+ key => 'push',
+ value => '"route-ipv6 2000::/3"',
+ server => $openvpn_configname;
"script-security ${openvpn_configname}":
- key => 'script-security',
- value => '2',
- server => $openvpn_configname;
+ key => 'script-security',
+ value => '1',
+ server => $openvpn_configname;
"server ${openvpn_configname}":
- key => 'server',
- value => $server,
- server => $openvpn_configname;
+ key => 'server',
+ value => $server,
+ server => $openvpn_configname;
+ "server-ipv6 ${openvpn_configname}":
+ key => 'server-ipv6',
+ value => '2001:db8:123::/64',
+ server => $openvpn_configname;
"status ${openvpn_configname}":
- key => 'status',
- value => '/var/run/openvpn-status 10',
- server => $openvpn_configname;
+ key => 'status',
+ value => '/var/run/openvpn-status 10',
+ server => $openvpn_configname;
"status-version ${openvpn_configname}":
- key => 'status-version',
- value => '3',
- server => $openvpn_configname;
+ key => 'status-version',
+ value => '3',
+ server => $openvpn_configname;
"topology ${openvpn_configname}":
- key => 'topology',
- value => 'subnet',
- server => $openvpn_configname;
- # no need for server-up.sh right now
- #"up $openvpn_configname":
- # key => 'up',
- # value => '/etc/openvpn/server-up.sh',
- # server => $openvpn_configname;
+ key => 'topology',
+ value => 'subnet',
+ server => $openvpn_configname;
"verb ${openvpn_configname}":
- key => 'verb',
- value => '3',
- server => $openvpn_configname;
+ key => 'verb',
+ value => '3',
+ server => $openvpn_configname;
}
}
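Review bot: The new `server-ipv6` option hard-codes `'2001:db8:123::/64'`, which is inside the RFC 3849 documentation prefix and is not globally routable, while every other address-bearing option in this list (`server`, `local`, `push`) is driven by a variable; combined with the new `push-ipv6` entry pushing `"route-ipv6 2000::/3"`, clients will be told to send all global IPv6 via the tunnel to a pool that cannot be routed back out, so IPv6 traffic is either NATed somewhere not shown here or simply black-holed. This should be parameterised the same way as `$server`, e.g. `value => $server_ipv6,`, with `$server_ipv6` added to the define's signature (which is outside this hunk) and the `push-ipv6`/`tun-ipv6`/`server-ipv6` trio emitted only when it is set, so hosts without an IPv6 allocation do not get a placeholder prefix in their config. The drop of `script-security` to `'1'` is a good reduction of what the daemon may execute; if the remaining `up`/`down` hooks were the reason it was `'2'`, a one-line comment above that option saying no external scripts are used would save the next reader from raising it again.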