summaryrefslogtreecommitdiff
path: root/puppet/modules/site_openvpn
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_openvpn')
-rw-r--r--puppet/modules/site_openvpn/README20
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp150
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp90
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp9
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb (renamed from puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb)6
5 files changed, 188 insertions, 87 deletions
diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
@@ -0,0 +1,20 @@
+Place to look when debugging problems
+========================================
+
+Log files:
+
+ openvpn: /var/log/syslog
+ shorewall: /var/log/syslog
+ shorewall startup: /var/log/shorewall-init.log
+
+Check NAT masq:
+
+ iptables -t nat --list-rules
+
+Check interfaces:
+
+ ip addr ls
+
+Scripts:
+
+ /usr/local/bin/add_gateway_ips.sh \ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 0c9f1795..c54bb782 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,84 +1,128 @@
+#
+# An openvpn gateway can support three modes:
+#
+# (1) limited and unlimited
+# (2) unlimited only
+# (3) limited only
+#
+# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix',
+# and 'limited' gateways only allow certs that match the 'limited_prefix'.
+#
+# We potentially create four openvpn config files (thus four daemons):
+#
+# (1) unlimited + tcp => tcp_config.conf
+# (2) unlimited + udp => udp_config.conf
+# (3) limited + tcp => limited_tcp_config.conf
+# (4) limited + udp => limited_udp_config.conf
+#
+
class site_openvpn {
tag 'leap_service'
- # parse hiera config
- $ip_address = hiera('ip_address')
- $interface = getvar("interface_${ip_address}")
- $openvpn_config = hiera('openvpn')
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- $openvpn_tcp_network_prefix = '10.1.0'
- $openvpn_tcp_netmask = '255.255.248.0'
- $openvpn_tcp_cidr = '21'
- $openvpn_udp_network_prefix = '10.2.0'
- $openvpn_udp_netmask = '255.255.248.0'
- $openvpn_udp_cidr = '21'
- $openvpn_allow_free = $openvpn_config['allow_free']
- $openvpn_free_gateway_address = $openvpn_config['free_gateway_address']
- $openvpn_free_rate_limit = $openvpn_config['free_rate_limit']
- $openvpn_free_prefix = $openvpn_config['free_prefix']
- $x509_config = hiera('x509')
+ $openvpn_config = hiera('openvpn')
+ $x509_config = hiera('x509')
+ $ip_address = hiera('ip_address')
+ $interface = getvar("interface_${ip_address}")
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_second_gateway_address = undef
+ if $openvpn_config['second_gateway_address'] {
+ $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+ }
+
+ $openvpn_allow_unlimited = $openvpn_config['allow_unlimited']
+ $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix']
+ $openvpn_unlimited_tcp_network_prefix = '10.41.0'
+ $openvpn_unlimited_tcp_netmask = '255.255.248.0'
+ $openvpn_unlimited_tcp_cidr = '21'
+ $openvpn_unlimited_udp_network_prefix = '10.42.0'
+ $openvpn_unlimited_udp_netmask = '255.255.248.0'
+ $openvpn_unlimited_udp_cidr = '21'
+
+ $openvpn_allow_limited = $openvpn_config['allow_limited']
+ $openvpn_limited_prefix = $openvpn_config['limited_prefix']
+ $openvpn_rate_limit = $openvpn_config['rate_limit']
+ $openvpn_limited_tcp_network_prefix = '10.43.0'
+ $openvpn_limited_tcp_netmask = '255.255.248.0'
+ $openvpn_limited_tcp_cidr = '21'
+ $openvpn_limited_udp_network_prefix = '10.44.0'
+ $openvpn_limited_udp_netmask = '255.255.248.0'
+ $openvpn_limited_udp_cidr = '21'
# deploy ca + server keys
include site_openvpn::keys
- # create 2 openvpn config files, one for tcp, one for udp
- site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $openvpn_gateway_address,
- server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000'
+ if $openvpn_allow_unlimited and $openvpn_allow_limited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = $openvpn_second_gateway_address
+ } elsif $openvpn_allow_unlimited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = undef
+ } elsif $openvpn_allow_limited {
+ $unlimited_gateway_address = undef
+ $limited_gateway_address = $openvpn_gateway_address
}
- site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- local => $openvpn_gateway_address,
- server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001'
+ if $openvpn_allow_unlimited {
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1001'
+ }
+ } else {
+ tidy { "/etc/openvpn/tcp_config.conf": }
+ tidy { "/etc/openvpn/udp_config.conf": }
}
- if $openvpn_allow_free {
- site_openvpn::server_config { 'free_tcp_config':
+ if $openvpn_allow_limited {
+ site_openvpn::server_config { 'limited_tcp_config':
port => '1194',
proto => 'tcp',
- local => $openvpn_free_gateway_address,
- tls_remote => "\"${openvpn_free_prefix}\"",
- shaper => $openvpn_free_rate_limit,
- server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
management => '127.0.0.1 1002'
}
- site_openvpn::server_config { 'free_udp_config':
+ site_openvpn::server_config { 'limited_udp_config':
port => '1194',
proto => 'udp',
- local => $openvpn_free_gateway_address,
- tls_remote => "\"${openvpn_free_prefix}\"",
- shaper => $openvpn_free_rate_limit,
- server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
management => '127.0.0.1 1003'
}
} else {
- tidy { "/etc/openvpn/free_tcp_config.conf": }
- tidy { "/etc/openvpn/free_udp_config.conf": }
+ tidy { "/etc/openvpn/limited_tcp_config.conf": }
+ tidy { "/etc/openvpn/limited_udp_config.conf": }
}
- # add second IP on given interface
file {
- '/usr/local/bin/leap_add_second_ip.sh':
- content => template('site_openvpn/leap_add_second_ip.sh.erb'),
+ '/usr/local/bin/add_gateway_ips.sh':
+ content => template('site_openvpn/add_gateway_ips.sh.erb'),
mode => '0755';
}
- exec { '/usr/local/bin/leap_add_second_ip.sh':
- subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ exec { '/usr/local/bin/add_gateway_ips.sh':
+ subscribe => File['/usr/local/bin/add_gateway_ips.sh'],
}
- cron { 'leap_add_second_ip.sh':
- command => '/usr/local/bin/leap_add_second_ip.sh',
+ cron { 'add_gateway_ips.sh':
+ command => '/usr/local/bin/add_gateway_ips.sh',
user => 'root',
special => 'reboot',
}
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 26785edb..dc31767c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,53 @@
class site_openvpn::resolver {
+ if $site_openvpn::openvpn_allow_unlimited {
+ $ensure_unlimited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_unlimited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ }
+
+ if $site_openvpn::openvpn_allow_limited {
+ $ensure_limited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_limited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ }
+
# this is an unfortunate way to get around the fact that the version of
# unbound we are working with does not accept a wildcard include directive
# (/etc/unbound/conf.d/*), when it does, these line definitions should
@@ -7,36 +55,30 @@ class site_openvpn::resolver {
# include: /etc/unbound/conf.d/*
line {
- 'add_tcp_resolver':
- ensure => present,
+ 'add_unlimited_tcp_resolver':
+ ensure => $ensure_unlimited,
file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
notify => Service['unbound'],
require => Package['unbound'];
-
- 'add_udp_resolver':
- ensure => present,
+ 'add_unlimited_udp_resolver':
+ ensure => $ensure_unlimited,
file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_tcp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_udp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
notify => Service['unbound'],
require => Package['unbound']
}
- file {
- '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
- owner => root,
- group => root,
- mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
-
- '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
- owner => root,
- group => root,
- mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
- }
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 1f42400a..a2e769e1 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@
define site_openvpn::server_config(
$port, $proto, $local, $server, $push,
- $management, $tls_remote = undef, $shaper = undef) {
+ $management, $tls_remote = undef) {
$openvpn_configname = $name
@@ -68,13 +68,8 @@ define site_openvpn::server_config(
notify => Service['openvpn'];
}
- # special options for the "free" gateway daemons
- if $shaper != undef {
+ if $tls_remote != undef {
openvpn::option {
- "shaper $openvpn_configname":
- key => 'shaper',
- value => $shaper,
- server => $openvpn_configname;
"tls-remote $openvpn_configname":
key => 'tls-remote',
value => $tls_remote,
diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index 40866116..ed06a95e 100644
--- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -3,9 +3,9 @@
ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 ||
ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %>
-<% if @openvpn_allow_free %>
-ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 ||
- ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %>
+<% if @openvpn_second_gateway_address %>
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %>
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward