Diffstat (limited to 'puppet/modules/site_openvpn')
-rw-r--r--puppet/modules/site_openvpn/manifests/dh_key.pp10
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp78
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp51
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp10
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp70
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb8
6 files changed, 107 insertions, 120 deletions
diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp
new file mode 100644
index 00000000..13cc0f5b
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/dh_key.pp
@@ -0,0 +1,10 @@
+class site_openvpn::dh_key {
+
+ $x509_config = hiera('x509')
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $x509_config['dh'],
+ mode => '0644',
+ }
+
+}
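Review bot: The `file { '/etc/openvpn/keys/dh.pem': }` resource sets only `content` and `mode`, so ownership is left to whatever defaults apply, and a changed `dh` value in hiera is written to disk without restarting the daemon. DH parameters are public, so `0644` is fine, but `owner => 'root', group => 'root'` and `notify => Service['openvpn']` would make the file's state explicit and let rotated parameters take effect. The class also has no header comment; a line such as `# Deploys the Diffie-Hellman parameters from hiera x509['dh'] for the OpenVPN servers.` would help.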
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4f900623..7aec0faa 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -5,8 +5,9 @@
# (2) unlimited only
# (3) limited only
#
-# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix',
-# and 'limited' gateways only allow certs that match the 'limited_prefix'.
+# The difference is that 'unlimited' gateways only allow client certs that match
+# the 'unlimited_prefix', and 'limited' gateways only allow certs that match the
+# 'limited_prefix'.
#
# We potentially create four openvpn config files (thus four daemons):
#
@@ -19,23 +20,30 @@
class site_openvpn {
tag 'leap_service'
- $openvpn_config = hiera('openvpn')
- $x509_config = hiera('x509')
- $openvpn_ports = $openvpn_config['ports']
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca_bundle
+
+
+ Class['site_config::default'] -> Class['site_openvpn']
+
+ $openvpn = hiera('openvpn')
+ $openvpn_ports = $openvpn['ports']
+ $openvpn_config = $openvpn['configuration']
if $::ec2_instance_id {
$openvpn_gateway_address = $::ipaddress
} else {
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- if $openvpn_config['second_gateway_address'] {
- $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+ $openvpn_gateway_address = $openvpn['gateway_address']
+ if $openvpn['second_gateway_address'] {
+ $openvpn_second_gateway_address = $openvpn['second_gateway_address']
} else {
$openvpn_second_gateway_address = undef
}
}
- $openvpn_allow_unlimited = $openvpn_config['allow_unlimited']
- $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix']
+ $openvpn_allow_unlimited = $openvpn['allow_unlimited']
+ $openvpn_unlimited_prefix = $openvpn['unlimited_prefix']
$openvpn_unlimited_tcp_network_prefix = '10.41.0'
$openvpn_unlimited_tcp_netmask = '255.255.248.0'
$openvpn_unlimited_tcp_cidr = '21'
@@ -44,9 +52,9 @@ class site_openvpn {
$openvpn_unlimited_udp_cidr = '21'
if !$::ec2_instance_id {
- $openvpn_allow_limited = $openvpn_config['allow_limited']
- $openvpn_limited_prefix = $openvpn_config['limited_prefix']
- $openvpn_rate_limit = $openvpn_config['rate_limit']
+ $openvpn_allow_limited = $openvpn['allow_limited']
+ $openvpn_limited_prefix = $openvpn['limited_prefix']
+ $openvpn_rate_limit = $openvpn['rate_limit']
$openvpn_limited_tcp_network_prefix = '10.43.0'
$openvpn_limited_tcp_netmask = '255.255.248.0'
$openvpn_limited_tcp_cidr = '21'
@@ -55,8 +63,14 @@ class site_openvpn {
$openvpn_limited_udp_cidr = '21'
}
- # deploy ca + server keys
- include site_openvpn::keys
+ # find out the netmask in cidr format of the primary IF
+ # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
+ # we can do this using an inline_template:
+ $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+
+ # deploy dh keys
+ include site_openvpn::dh_key
if $openvpn_allow_unlimited and $openvpn_allow_limited {
$unlimited_gateway_address = $openvpn_gateway_address
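Review bot: `$primary_netmask` is read from a fact whose name is built at run time and is never checked before the template writes it into `add_gateway_ips.sh`. If the `netmask_cidr_<interface>` fact is missing on a node, the lookup presumably yields an empty or placeholder string and the script would contain a malformed `ip addr add` line. A guard right after the assignment, `if $primary_netmask !~ /^\d+$/ { fail("no netmask_cidr fact for ${::site_config::params::interface}") }`, would fail the catalog instead. Inside `inline_template` the bare `factname_primary_netmask` relies on the older local-variable lookup; `@factname_primary_netmask` is the form later Puppet versions require. The class body starts and ends outside this hunk.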
@@ -77,7 +91,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_unlimited_prefix}\"",
server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000'
+ management => '127.0.0.1 1000',
+ config => $openvpn_config
}
site_openvpn::server_config { 'udp_config':
port => '1194',
@@ -86,11 +101,12 @@ class site_openvpn {
tls_remote => "\"${openvpn_unlimited_prefix}\"",
server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001'
+ management => '127.0.0.1 1001',
+ config => $openvpn_config
}
} else {
- tidy { "/etc/openvpn/tcp_config.conf": }
- tidy { "/etc/openvpn/udp_config.conf": }
+ tidy { '/etc/openvpn/tcp_config.conf': }
+ tidy { '/etc/openvpn/udp_config.conf': }
}
if $openvpn_allow_limited {
@@ -101,7 +117,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_limited_prefix}\"",
server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1002'
+ management => '127.0.0.1 1002',
+ config => $openvpn_config
}
site_openvpn::server_config { 'limited_udp_config':
port => '1194',
@@ -110,11 +127,12 @@ class site_openvpn {
tls_remote => "\"${openvpn_limited_prefix}\"",
server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1003'
+ management => '127.0.0.1 1003',
+ config => $openvpn_config
}
} else {
- tidy { "/etc/openvpn/limited_tcp_config.conf": }
- tidy { "/etc/openvpn/limited_udp_config.conf": }
+ tidy { '/etc/openvpn/limited_tcp_config.conf': }
+ tidy { '/etc/openvpn/limited_udp_config.conf': }
}
file {
@@ -131,7 +149,12 @@ class site_openvpn {
command => '/etc/init.d/openvpn restart',
refreshonly => true,
subscribe => File['/etc/openvpn'],
- require => [ Package['openvpn'], File['/etc/openvpn'] ];
+ require => [
+ Package['openvpn'],
+ File['/etc/openvpn'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
+ Class['Site_config::X509::Ca_bundle'] ];
}
cron { 'add_gateway_ips.sh':
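Review bot: The restart exec now requires the three x509 classes but still subscribes only to `File['/etc/openvpn']`, whereas the removed `keys.pp` had `notify => Service[openvpn]` on the key, certificate and CA resources. Unless the `site_config::x509::*` classes notify the service themselves (not visible here), a replaced certificate or CA bundle would stay unused until the next manual restart. Extending the subscription, `subscribe => [ File['/etc/openvpn'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca_bundle'] ],`, would keep the previous behaviour. The exec resource begins outside this hunk.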
@@ -155,7 +178,9 @@ class site_openvpn {
ensure => running,
hasrestart => true,
hasstatus => true,
- require => Exec['concat_/etc/default/openvpn'];
+ require => [
+ Package['openvpn'],
+ Exec['concat_/etc/default/openvpn'] ];
}
file {
@@ -193,4 +218,7 @@ class site_openvpn {
target => '/etc/default/openvpn',
order => 10;
}
+
+ include site_check_mk::agent::openvpn
+
}
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
deleted file mode 100644
index f3c5b423..00000000
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ /dev/null
@@ -1,51 +0,0 @@
-class site_openvpn::keys {
-
- x509::key {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['key'],
- notify => Service[openvpn];
- }
-
- x509::cert {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_ca':
- content => $site_openvpn::x509_config['ca_cert'],
- notify => Service[openvpn];
- }
-
- file { '/etc/openvpn/keys/dh.pem':
- content => $site_openvpn::x509_config['dh'],
- mode => '0644',
- }
-
- #
- # CA bundle -- we want to have the possibility of allowing multiple CAs.
- # For now, the reason is to transition to using client CA. In the future,
- # we will want to be able to smoothly phase out one CA and phase in another.
- # I tried "--capath" for this, but it did not work.
- #
-
- concat {
- '/etc/openvpn/ca_bundle.pem':
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- notify => Service['openvpn'];
- }
-
- concat::fragment {
- 'client_ca_cert':
- content => $site_openvpn::x509_config['client_ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- 'ca_cert':
- content => $site_openvpn::x509_config['ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- }
-
-}
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c1bce858..c74fb509 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -60,25 +60,25 @@ class site_openvpn::resolver {
path => '/etc/unbound/unbound.conf',
line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
notify => Service['unbound'],
- require => Package['unbound'];
+ require => [ Package['openvpn'], Package['unbound'] ];
'add_unlimited_udp_resolver':
ensure => $ensure_unlimited,
path => '/etc/unbound/unbound.conf',
line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
notify => Service['unbound'],
- require => Package['unbound'];
+ require => [ Package['openvpn'], Package['unbound'] ];
'add_limited_tcp_resolver':
ensure => $ensure_limited,
path => '/etc/unbound/unbound.conf',
line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
notify => Service['unbound'],
- require => Package['unbound'];
- 'add_limited_udp_resolver':
+ require => [ Package['openvpn'], Package['unbound'] ];
+ 'add_limited_udp_resolver':
ensure => $ensure_limited,
path => '/etc/unbound/unbound.conf',
line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
notify => Service['unbound'],
- require => Package['unbound']
+ require => [ Package['openvpn'], Package['unbound'] ];
}
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6106cfbb..b1f4997c 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@
define site_openvpn::server_config(
$port, $proto, $local, $server, $push,
- $management, $tls_remote = undef) {
+ $management, $config, $tls_remote = undef) {
$openvpn_configname = $name
@@ -70,97 +70,97 @@ define site_openvpn::server_config(
if $tls_remote != undef {
openvpn::option {
- "tls-remote $openvpn_configname":
- key => 'tls-remote',
- value => $tls_remote,
- server => $openvpn_configname;
+ "tls-remote ${openvpn_configname}":
+ key => 'tls-remote',
+ value => $tls_remote,
+ server => $openvpn_configname;
}
}
openvpn::option {
- "ca $openvpn_configname":
+ "ca ${openvpn_configname}":
key => 'ca',
- value => '/etc/openvpn/ca_bundle.pem',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
server => $openvpn_configname;
- "cert $openvpn_configname":
+ "cert ${openvpn_configname}":
key => 'cert',
- value => '/etc/x509/certs/leap_openvpn.crt',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
- "key $openvpn_configname":
+ "key ${openvpn_configname}":
key => 'key',
- value => '/etc/x509/keys/leap_openvpn.key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
server => $openvpn_configname;
- "dh $openvpn_configname":
+ "dh ${openvpn_configname}":
key => 'dh',
value => '/etc/openvpn/keys/dh.pem',
server => $openvpn_configname;
- "tls-cipher $openvpn_configname":
+ "tls-cipher ${openvpn_configname}":
key => 'tls-cipher',
- value => 'DHE-RSA-AES128-SHA',
+ value => $config['tls-cipher'],
server => $openvpn_configname;
- "auth $openvpn_configname":
+ "auth ${openvpn_configname}":
key => 'auth',
- value => 'SHA1',
+ value => $config['auth'],
server => $openvpn_configname;
- "cipher $openvpn_configname":
+ "cipher ${openvpn_configname}":
key => 'cipher',
- value => 'AES-128-CBC',
+ value => $config['cipher'],
server => $openvpn_configname;
- "dev $openvpn_configname":
+ "dev ${openvpn_configname}":
key => 'dev',
value => 'tun',
server => $openvpn_configname;
- "duplicate-cn $openvpn_configname":
+ "duplicate-cn ${openvpn_configname}":
key => 'duplicate-cn',
server => $openvpn_configname;
- "keepalive $openvpn_configname":
+ "keepalive ${openvpn_configname}":
key => 'keepalive',
- value => '5 20',
+ value => $config['keepalive'],
server => $openvpn_configname;
- "local $openvpn_configname":
+ "local ${openvpn_configname}":
key => 'local',
value => $local,
server => $openvpn_configname;
- "mute $openvpn_configname":
+ "mute ${openvpn_configname}":
key => 'mute',
value => '5',
server => $openvpn_configname;
- "mute-replay-warnings $openvpn_configname":
+ "mute-replay-warnings ${openvpn_configname}":
key => 'mute-replay-warnings',
server => $openvpn_configname;
- "management $openvpn_configname":
+ "management ${openvpn_configname}":
key => 'management',
value => $management,
server => $openvpn_configname;
- "proto $openvpn_configname":
+ "proto ${openvpn_configname}":
key => 'proto',
value => $proto,
server => $openvpn_configname;
- "push1 $openvpn_configname":
+ "push1 ${openvpn_configname}":
key => 'push',
value => $push,
server => $openvpn_configname;
- "push2 $openvpn_configname":
+ "push2 ${openvpn_configname}":
key => 'push',
value => '"redirect-gateway def1"',
server => $openvpn_configname;
- "script-security $openvpn_configname":
+ "script-security ${openvpn_configname}":
key => 'script-security',
value => '2',
server => $openvpn_configname;
- "server $openvpn_configname":
+ "server ${openvpn_configname}":
key => 'server',
value => $server,
server => $openvpn_configname;
- "status $openvpn_configname":
+ "status ${openvpn_configname}":
key => 'status',
value => '/var/run/openvpn-status 10',
server => $openvpn_configname;
- "status-version $openvpn_configname":
+ "status-version ${openvpn_configname}":
key => 'status-version',
value => '3',
server => $openvpn_configname;
- "topology $openvpn_configname":
+ "topology ${openvpn_configname}":
key => 'topology',
value => 'subnet',
server => $openvpn_configname;
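Review bot: `tls-cipher`, `auth`, `cipher` and `keepalive` now come straight from `$config[...]` with no check that the hash or its keys exist. If `openvpn['configuration']` is absent or incomplete in hiera, these options would presumably be rendered with an empty value, and the daemon would either fail to start or fall back to its built-in algorithms instead of the ones that were hard-coded before. A guard at the top of the define, `if ! $config['cipher'] or ! $config['auth'] or ! $config['tls-cipher'] { fail("site_openvpn::server_config ${name}: cipher, auth and tls-cipher must be set") }`, makes that a compile error. The define starts outside this hunk; any parameter documentation above it should also describe `$config`.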
@@ -169,7 +169,7 @@ define site_openvpn::server_config(
# key => 'up',
# value => '/etc/openvpn/server-up.sh',
# server => $openvpn_configname;
- "verb $openvpn_configname":
+ "verb ${openvpn_configname}":
key => 'verb',
value => '3',
server => $openvpn_configname;
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index 05f3d16b..e76b756b 100644
--- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -1,11 +1,11 @@
#!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 ||
- ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
<% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
- ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
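Review bot: With the prefix length now variable, the `grep -q <addr>/<mask>` test is a regex substring match: the dots match any character and a short mask such as `/2` also matches an existing `/24` entry, so the address may be treated as present when it is not. A fixed-string match on the whole field, `grep -qF "inet <%= @openvpn_gateway_address %>/<%= @primary_netmask %> "`, avoids both problems; the same applies to the second-gateway line. Quoting the interpolated values in the `ip addr add` arguments would also keep an unexpected hiera or fact value from being split by the shell.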