Diffstat (limited to 'puppet/modules/site_openvpn')
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp7
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp58
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp170
3 files changed, 111 insertions, 124 deletions
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7aec0faa..b6331f12 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -168,9 +168,14 @@ class site_openvpn {
include site_shorewall::eip
+ # In wheezy, we need the openvpn backport to get the 2.3 version of
+ # openvpn which has proper ipv6 support
+ include site_apt::preferences::openvpn
+
package {
'openvpn':
- ensure => installed;
+ ensure => latest,
+ require => Class['site_apt::preferences::openvpn'];
}
service {
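Review bot: `ensure => latest` on the openvpn package makes every agent run upgrade the daemon as soon as the pinned repository publishes a newer build, and Debian's maintainer scripts typically restart the service on upgrade, so version changes are no longer reviewed in this manifest. If the goal is only to obtain the 2.3 backport, `ensure => installed` together with the new `site_apt::preferences::openvpn` requirement already selects it; if rolling upgrades are deliberate, say so next to the resource, e.g. `# 'latest' is intentional: track the wheezy-backports openvpn build`. The enclosing `class site_openvpn` starts before this hunk.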
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
}
-
- # this is an unfortunate way to get around the fact that the version of
- # unbound we are working with does not accept a wildcard include directive
- # (/etc/unbound/conf.d/*), when it does, these line definitions should
- # go away and instead the caching_resolver should be configured to
- # include: /etc/unbound/conf.d/*
-
- file_line {
- 'add_unlimited_tcp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_unlimited_udp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_tcp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_udp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- }
-
}
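Review bot: The `tidy` resources in both `else` branches delete a resolver snippet but carry no `notify => Service['unbound']`, so when an access type is switched off the running unbound keeps its `interface:`/`access-control:` entries for that prefix until something else restarts it, whereas the `file` resources that create the snippets do notify; the clearest fix is `file { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': ensure => absent, notify => Service['unbound'] }` and likewise for the other three paths. `$ensure_unlimited` and `$ensure_limited` are still assigned, but with the `file_line` block gone nothing in this file reads them any more; drop them unless another manifest references them. The new layout assumes `site_config::caching_resolver` makes unbound include `/etc/unbound/unbound.conf.d/*`, which is not visible in this diff and deserves a one-line comment at the top of the class.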
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index b1f4997c..97cf2842 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -60,12 +60,13 @@ define site_openvpn::server_config(
concat {
"/etc/openvpn/${openvpn_configname}.conf":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- require => File['/etc/openvpn'],
- notify => Exec['restart_openvpn'];
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ before => Service['openvpn'],
+ notify => Exec['restart_openvpn'];
}
if $tls_remote != undef {
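Review bot: `mode => 644` on the concat resource is still an unquoted number after the re-indent; the file type expects the mode as a string and resolver.pp in this same diff writes `mode => '0644'`, so change the line to `mode => '0644',` for consistency and to avoid the numeric-mode deprecation warning on newer Puppet. The added `before => Service['openvpn']` next to the existing `notify => Exec['restart_openvpn']` reads as intentional but is not explained; a short comment such as `# before: ordering for the first run; the exec handles later reloads` would save the next reader from wondering whether one of the two is redundant. The `site_openvpn::server_config` define begins before this hunk.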
@@ -77,101 +78,116 @@ define site_openvpn::server_config(
}
}
+ # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization".
+ if $proto == 'tcp' {
+ openvpn::option {
+ "tcp-nodelay ${openvpn_configname}":
+ key => 'tcp-nodelay',
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca ${openvpn_configname}":
- key => 'ca',
- value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
- server => $openvpn_configname;
+ key => 'ca',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
+ server => $openvpn_configname;
"cert ${openvpn_configname}":
- key => 'cert',
- value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
+ key => 'cert',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
"key ${openvpn_configname}":
- key => 'key',
- value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
- server => $openvpn_configname;
+ key => 'key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ server => $openvpn_configname;
"dh ${openvpn_configname}":
- key => 'dh',
- value => '/etc/openvpn/keys/dh.pem',
- server => $openvpn_configname;
+ key => 'dh',
+ value => '/etc/openvpn/keys/dh.pem',
+ server => $openvpn_configname;
"tls-cipher ${openvpn_configname}":
- key => 'tls-cipher',
- value => $config['tls-cipher'],
- server => $openvpn_configname;
+ key => 'tls-cipher',
+ value => $config['tls-cipher'],
+ server => $openvpn_configname;
"auth ${openvpn_configname}":
- key => 'auth',
- value => $config['auth'],
- server => $openvpn_configname;
+ key => 'auth',
+ value => $config['auth'],
+ server => $openvpn_configname;
"cipher ${openvpn_configname}":
- key => 'cipher',
- value => $config['cipher'],
- server => $openvpn_configname;
+ key => 'cipher',
+ value => $config['cipher'],
+ server => $openvpn_configname;
"dev ${openvpn_configname}":
- key => 'dev',
- value => 'tun',
- server => $openvpn_configname;
+ key => 'dev',
+ value => 'tun',
+ server => $openvpn_configname;
+ "tun-ipv6 ${openvpn_configname}":
+ key => 'tun-ipv6',
+ server => $openvpn_configname;
"duplicate-cn ${openvpn_configname}":
- key => 'duplicate-cn',
- server => $openvpn_configname;
+ key => 'duplicate-cn',
+ server => $openvpn_configname;
"keepalive ${openvpn_configname}":
- key => 'keepalive',
- value => $config['keepalive'],
- server => $openvpn_configname;
+ key => 'keepalive',
+ value => $config['keepalive'],
+ server => $openvpn_configname;
"local ${openvpn_configname}":
- key => 'local',
- value => $local,
- server => $openvpn_configname;
+ key => 'local',
+ value => $local,
+ server => $openvpn_configname;
"mute ${openvpn_configname}":
- key => 'mute',
- value => '5',
- server => $openvpn_configname;
+ key => 'mute',
+ value => '5',
+ server => $openvpn_configname;
"mute-replay-warnings ${openvpn_configname}":
- key => 'mute-replay-warnings',
- server => $openvpn_configname;
+ key => 'mute-replay-warnings',
+ server => $openvpn_configname;
"management ${openvpn_configname}":
- key => 'management',
- value => $management,
- server => $openvpn_configname;
+ key => 'management',
+ value => $management,
+ server => $openvpn_configname;
"proto ${openvpn_configname}":
- key => 'proto',
- value => $proto,
- server => $openvpn_configname;
+ key => 'proto',
+ value => $proto,
+ server => $openvpn_configname;
"push1 ${openvpn_configname}":
- key => 'push',
- value => $push,
- server => $openvpn_configname;
+ key => 'push',
+ value => $push,
+ server => $openvpn_configname;
"push2 ${openvpn_configname}":
- key => 'push',
- value => '"redirect-gateway def1"',
- server => $openvpn_configname;
+ key => 'push',
+ value => '"redirect-gateway def1"',
+ server => $openvpn_configname;
+ "push-ipv6 ${openvpn_configname}":
+ key => 'push',
+ value => '"route-ipv6 2000::/3"',
+ server => $openvpn_configname;
"script-security ${openvpn_configname}":
- key => 'script-security',
- value => '2',
- server => $openvpn_configname;
+ key => 'script-security',
+ value => '1',
+ server => $openvpn_configname;
"server ${openvpn_configname}":
- key => 'server',
- value => $server,
- server => $openvpn_configname;
+ key => 'server',
+ value => $server,
+ server => $openvpn_configname;
+ "server-ipv6 ${openvpn_configname}":
+ key => 'server-ipv6',
+ value => '2001:db8:123::/64',
+ server => $openvpn_configname;
"status ${openvpn_configname}":
- key => 'status',
- value => '/var/run/openvpn-status 10',
- server => $openvpn_configname;
+ key => 'status',
+ value => '/var/run/openvpn-status 10',
+ server => $openvpn_configname;
"status-version ${openvpn_configname}":
- key => 'status-version',
- value => '3',
- server => $openvpn_configname;
+ key => 'status-version',
+ value => '3',
+ server => $openvpn_configname;
"topology ${openvpn_configname}":
- key => 'topology',
- value => 'subnet',
- server => $openvpn_configname;
- # no need for server-up.sh right now
- #"up $openvpn_configname":
- # key => 'up',
- # value => '/etc/openvpn/server-up.sh',
- # server => $openvpn_configname;
+ key => 'topology',
+ value => 'subnet',
+ server => $openvpn_configname;
"verb ${openvpn_configname}":
- key => 'verb',
- value => '3',
- server => $openvpn_configname;
+ key => 'verb',
+ value => '3',
+ server => $openvpn_configname;
}
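Review bot: `server-ipv6` is hard-coded to `2001:db8:123::/64`, which is the RFC 3849 documentation prefix and is not routable, while the IPv4 pool comes from the `$server` parameter of the define; as written every deployment ships the same placeholder prefix. Make it a parameter of the define in the same way as `$server` (e.g. `$server_ipv6`) and emit the `server-ipv6` option only when it is set, or at the very least mark the line with `# FIXME: documentation prefix, must be replaced before use`. The lowered `script-security` value `'1'` is consistent with the removed `up` script comment but now has no explanation; keep `# 1: built-in executables only, no user scripts are configured` beside it so a later edit does not bump it back to 2 without reason. The `site_openvpn::server_config` define begins before this hunk.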
}