Diffstat (limited to 'puppet/modules/site_openvpn')
| -rw-r--r-- | puppet/modules/site_openvpn/README | 20 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 166 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 96 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 17 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb | 11 | 
5 files changed, 244 insertions, 66 deletions
| diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
@@ -0,0 +1,20 @@
+Place to look when debugging problems
+========================================
+
+Log files:
+
+    openvpn: /var/log/syslog
+    shorewall: /var/log/syslog
+    shorewall startup: /var/log/shorewall-init.log
+
+Check NAT masq:
+
+    iptables -t nat --list-rules
+
+Check interfaces:
+
+   ip addr ls
+
+Scripts:
+
+   /usr/local/bin/add_gateway_ips.sh
\ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e3d2a9af..4f900623 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,55 +1,141 @@ +# +# An openvpn gateway can support three modes: +# +#   (1) limited and unlimited +#   (2) unlimited only +#   (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +#   (1) unlimited + tcp => tcp_config.conf +#   (2) unlimited + udp => udp_config.conf +#   (3) limited + tcp => limited_tcp_config.conf +#   (4) limited + udp => limited_udp_config.conf +# +  class site_openvpn {    tag 'leap_service' -  # parse hiera config -  $ip_address                 = hiera('ip_address') -  $interface                  = getvar("interface_${ip_address}") -  #$gateway_address           = hiera('gateway_address') -  $openvpn_config             = hiera('openvpn') -  $openvpn_gateway_address    = $openvpn_config['gateway_address'] -  $openvpn_tcp_network_prefix = '10.1.0' -  $openvpn_tcp_netmask        = '255.255.248.0' -  $openvpn_tcp_cidr           = '21' -  $openvpn_udp_network_prefix = '10.2.0' -  $openvpn_udp_netmask        = '255.255.248.0' -  $openvpn_udp_cidr           = '21' -  $x509_config                = hiera('x509') + +  $openvpn_config   = hiera('openvpn') +  $x509_config      = hiera('x509') +  $openvpn_ports    = $openvpn_config['ports'] + +  if $::ec2_instance_id { +    $openvpn_gateway_address = $::ipaddress +  } else { +    $openvpn_gateway_address         = $openvpn_config['gateway_address'] +    if $openvpn_config['second_gateway_address'] { +      $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] +    } else { +      $openvpn_second_gateway_address = undef +    } +  } + +  $openvpn_allow_unlimited              = $openvpn_config['allow_unlimited'] +  $openvpn_unlimited_prefix             = $openvpn_config['unlimited_prefix'] +  $openvpn_unlimited_tcp_network_prefix = '10.41.0' +  
$openvpn_unlimited_tcp_netmask        = '255.255.248.0' +  $openvpn_unlimited_tcp_cidr           = '21' +  $openvpn_unlimited_udp_network_prefix = '10.42.0' +  $openvpn_unlimited_udp_netmask        = '255.255.248.0' +  $openvpn_unlimited_udp_cidr           = '21' + +  if !$::ec2_instance_id { +    $openvpn_allow_limited                = $openvpn_config['allow_limited'] +    $openvpn_limited_prefix               = $openvpn_config['limited_prefix'] +    $openvpn_rate_limit                   = $openvpn_config['rate_limit'] +    $openvpn_limited_tcp_network_prefix   = '10.43.0' +    $openvpn_limited_tcp_netmask          = '255.255.248.0' +    $openvpn_limited_tcp_cidr             = '21' +    $openvpn_limited_udp_network_prefix   = '10.44.0' +    $openvpn_limited_udp_netmask          = '255.255.248.0' +    $openvpn_limited_udp_cidr             = '21' +  }    # deploy ca + server keys    include site_openvpn::keys -  # create 2 openvpn config files, one for tcp, one for udp -  site_openvpn::server_config { 'tcp_config': -    port        => '1194', -    proto       => 'tcp', -    local       => $openvpn_gateway_address, -    server      => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", -    push        => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", -    management  => '127.0.0.1 1000' +  if $openvpn_allow_unlimited and $openvpn_allow_limited { +    $unlimited_gateway_address = $openvpn_gateway_address +    $limited_gateway_address = $openvpn_second_gateway_address +  } elsif $openvpn_allow_unlimited { +    $unlimited_gateway_address = $openvpn_gateway_address +    $limited_gateway_address = undef +  } elsif $openvpn_allow_limited { +    $unlimited_gateway_address = undef +    $limited_gateway_address = $openvpn_gateway_address    } -  site_openvpn::server_config { 'udp_config': -    port        => '1194', -    proto       => 'udp', -    server      => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", -    push        => "\"dhcp-option DNS 
${openvpn_udp_network_prefix}.1\"", -    local       => $openvpn_gateway_address, -    management  => '127.0.0.1 1001' + +  if $openvpn_allow_unlimited { +    site_openvpn::server_config { 'tcp_config': +      port        => '1194', +      proto       => 'tcp', +      local       => $unlimited_gateway_address, +      tls_remote  => "\"${openvpn_unlimited_prefix}\"", +      server      => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", +      management  => '127.0.0.1 1000' +    } +    site_openvpn::server_config { 'udp_config': +      port        => '1194', +      proto       => 'udp', +      local       => $unlimited_gateway_address, +      tls_remote  => "\"${openvpn_unlimited_prefix}\"", +      server      => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", +      management  => '127.0.0.1 1001' +    } +  } else { +    tidy { "/etc/openvpn/tcp_config.conf": } +    tidy { "/etc/openvpn/udp_config.conf": } +  } + +  if $openvpn_allow_limited { +    site_openvpn::server_config { 'limited_tcp_config': +      port        => '1194', +      proto       => 'tcp', +      local       => $limited_gateway_address, +      tls_remote  => "\"${openvpn_limited_prefix}\"", +      server      => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", +      management  => '127.0.0.1 1002' +    } +    site_openvpn::server_config { 'limited_udp_config': +      port        => '1194', +      proto       => 'udp', +      local       => $limited_gateway_address, +      tls_remote  => "\"${openvpn_limited_prefix}\"", +      server      => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", +      push        => "\"dhcp-option DNS 
${openvpn_limited_udp_network_prefix}.1\"", +      management  => '127.0.0.1 1003' +    } +  } else { +    tidy { "/etc/openvpn/limited_tcp_config.conf": } +    tidy { "/etc/openvpn/limited_udp_config.conf": }    } -  # add second IP on given interface -  file { '/usr/local/bin/leap_add_second_ip.sh': -    content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", -    mode    => '0755', +  file { +    '/usr/local/bin/add_gateway_ips.sh': +      content => template('site_openvpn/add_gateway_ips.sh.erb'), +      mode    => '0755';    } -  exec { '/usr/local/bin/leap_add_second_ip.sh': -    subscribe   => File['/usr/local/bin/leap_add_second_ip.sh'], +  exec { '/usr/local/bin/add_gateway_ips.sh': +    subscribe   => File['/usr/local/bin/add_gateway_ips.sh'],    } -  cron { 'leap_add_second_ip.sh': -    command => "/usr/local/bin/leap_add_second_ip.sh", +  exec { 'restart_openvpn': +    command     => '/etc/init.d/openvpn restart', +    refreshonly => true, +    subscribe   => File['/etc/openvpn'], +    require     => [ Package['openvpn'], File['/etc/openvpn'] ]; +  } + +  cron { 'add_gateway_ips.sh': +    command => '/usr/local/bin/add_gateway_ips.sh',      user    => 'root',      special => 'reboot',    } @@ -63,6 +149,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a      'openvpn':        ensure => installed;    } +    service {      'openvpn':        ensure     => running, @@ -74,6 +161,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a    file {      '/etc/openvpn':        ensure  => directory, +      notify  => Exec['restart_openvpn'],        require => Package['openvpn'];    } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d3963c95..dc31767c 100644 
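Review bot: When a mode is switched off, the `tidy { "/etc/openvpn/limited_tcp_config.conf": }` resources in the `else` branches remove the config file but nothing in this hunk refreshes openvpn (the `restart_openvpn` exec only subscribes to the `/etc/openvpn` directory resource), so the daemon for the disabled mode keeps serving its existing clients until the next restart; `file { '/etc/openvpn/limited_tcp_config.conf': ensure => absent, notify => Exec['restart_openvpn'] }` (and the same for the other three paths) closes that window. A second gap: when both `allow_unlimited` and `allow_limited` are set but `second_gateway_address` is absent, `$limited_gateway_address` becomes undef and is handed to the limited server_config as `local`; what that produces depends on server_config (outside this hunk), but the manifest should reject the combination with `fail('limited and unlimited gateways together require second_gateway_address')` rather than silently emit a daemon with no bind address. On EC2 hosts `$openvpn_allow_limited` and `$openvpn_second_gateway_address` are never assigned, so the later `if $openvpn_allow_unlimited and $openvpn_allow_limited` relies on an unset variable evaluating false; assigning them `undef` before the `if !$::ec2_instance_id` block would make that explicit.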
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,53 @@  class site_openvpn::resolver { +  if $site_openvpn::openvpn_allow_unlimited { +    $ensure_unlimited = 'present' +    file { +      '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': +        content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +      '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': +        content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +    } +  } else { +    $ensure_unlimited = 'absent' +    tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } +    tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } +  } + +  if $site_openvpn::openvpn_allow_limited { +    $ensure_limited = 'present' +    file { +      '/etc/unbound/conf.d/vpn_limited_udp_resolver': +        content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +      '/etc/unbound/conf.d/vpn_limited_tcp_resolver': +        content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", +        owner   => root, 
+        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +    } +  } else { +    $ensure_limited = 'absent' +    tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } +    tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } +  } +    # this is an unfortunate way to get around the fact that the version of    # unbound we are working with does not accept a wildcard include directive    # (/etc/unbound/conf.d/*), when it does, these line definitions should 
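Review bot: The four `file` resources in this hunk differ only in the network prefix and cidr they interpolate, and the `tidy` fallbacks repeat the same four paths, so a small defined type taking `ensure`, the network prefix and the cidr would reduce each to a one-line declaration and keep the unbound `interface:`/`access-control:` format in one place. The `$ensure_unlimited`/`$ensure_limited` variables set in both branches are consumed by the `line` resources in the following hunk; a comment such as `# consumed by the line{} resources further down` at the first assignment would make that coupling visible. On EC2 hosts init.pp never assigns `$site_openvpn::openvpn_allow_limited`, so the `if` on it here depends on an unset variable being false; that is presumably intended but worth stating next to the condition.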
@@ -7,30 +55,30 @@ class site_openvpn::resolver {    # include: /etc/unbound/conf.d/*    line { -    'add_tcp_resolver': -      ensure => present, -      file   => '/etc/unbound/unbound.conf', -      line   => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', -      notify => Service['unbound']; - -    'add_udp_resolver': -      ensure => present, -      file   => '/etc/unbound/unbound.conf', -      line   => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', -      notify => Service['unbound']; +    'add_unlimited_tcp_resolver': +      ensure  => $ensure_unlimited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_unlimited_udp_resolver': +      ensure  => $ensure_unlimited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_limited_tcp_resolver': +      ensure  => $ensure_limited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_limited_udp_resolver': +      ensure  => $ensure_limited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']    } -  file { -    '/etc/unbound/conf.d/vpn_udp_resolver': -      content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", -      owner   => root, group => root, mode => '0644', -      require => Service['openvpn'], -      notify  => Service['unbound']; - -  
  '/etc/unbound/conf.d/vpn_tcp_resolver': -      content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", -      owner   => root, group => root, mode => '0644', -      require => Service['openvpn'], -      notify  => Service['unbound']; -  }  } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index de273b46..6106cfbb 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,18 +52,29 @@  #   note: the default is BF-CBC (blowfish)  # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( +  $port, $proto, $local, $server, $push, +  $management, $tls_remote = undef) {    $openvpn_configname = $name    concat { -    "/etc/openvpn/$openvpn_configname.conf": +    "/etc/openvpn/${openvpn_configname}.conf":          owner   => root,          group   => root,          mode    => 644,          warn    => true,          require => File['/etc/openvpn'], -        notify  => Service['openvpn']; +        notify  => Exec['restart_openvpn']; +  } + +  if $tls_remote != undef { +    openvpn::option { +      "tls-remote $openvpn_configname": +         key     => 'tls-remote', +         value   => $tls_remote, +         server  => $openvpn_configname; +    }    }    openvpn::option { diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb new file mode 100644 index 00000000..05f3d16b --- /dev/null +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb 
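Review bot: `tls_remote` is written into the config exactly as the caller supplies it (init.pp passes it already wrapped in literal quotes), and OpenVPN's `tls-remote` accepts any client whose certificate X509 name merely starts with that value, so the unlimited and limited modes only stay isolated if neither `unlimited_prefix` nor `limited_prefix` is a prefix of the other; nothing in this commit checks that, and a `fail()` in init.pp where both prefixes are known would enforce it. `tls-remote` was also deprecated upstream and removed in OpenVPN 2.4 in favour of `verify-x509-name <name> name-prefix`, so the new `if $tls_remote != undef` block deserves a comment naming the OpenVPN versions this option is expected to work with. `if $tls_remote {` is the more common Puppet guard for "parameter was given" and avoids depending on how `undef` compares in a given Puppet release.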
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 ||
+  ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+
+<% if @openvpn_second_gateway_address %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
+  ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+<% end %>
+
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward |
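Review bot: The `grep -q <%= @openvpn_gateway_address %>/24` test on the two `ip addr show` lines is an unanchored basic regex, so each dot in the address matches any character and the pattern also matches a longer address that merely ends in the same digits (a constructed example: `110.0.0.1/24` contains `10.0.0.1/24`); `grep -qF " <%= @openvpn_gateway_address %>/24 "` matches the fixed string as `ip addr show` prints it. The `/24` prefix length is hard-coded for both gateway addresses, carried over from the old leap_add_second_ip.sh, so a host whose interface is not a /24 gets the address added with the wrong mask; taking the prefix length from hiera next to the address would remove the assumption. The `scope.lookupvar('site_config::params::interface')` call is repeated four times; assigning it once to a template variable at the top of the template keeps the generated script readable.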
