diff options
Diffstat (limited to 'puppet/modules')
-rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 57 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 58 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/keys.pp | 14 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 67 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 6 |
7 files changed, 134 insertions, 73 deletions
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp deleted file mode 100644 index 4280fb67..00000000 --- a/puppet/modules/site_config/manifests/eip.pp +++ /dev/null @@ -1,57 +0,0 @@ -class site_config::eip { - - # parse hiera config - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - - include site_openvpn - - # deploy ca + server keys - include site_openvpn::keys - - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", - management => '127.0.0.1 1000' - } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", - local => $openvpn_gateway_address, - management => '127.0.0.1 1001' - } - - # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", - mode => '0755', - } - - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], - } - - cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", - user => 'root', - special => 'reboot', - } - - include site_shorewall::eip -} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 30ce7f54..10408094 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,6 +16,7 @@ class site_couchdb { $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] Class['site_couchdb::package'] + -> Exec['refresh_apt'] -> Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e95e67d5..548d1df2 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,62 @@ class site_openvpn { + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + $x509_config = hiera('x509') + + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, + management => '127.0.0.1 1001' + } + + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward +", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + + include site_shorewall::eip + package { 'openvpn': ensure => installed; diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index d029fbac..12c1bd8f 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,28 +1,22 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn') - - file { '/etc/openvpn/keys/ca.key': - content => $openvpn_keys['ca_key'], - mode => '0600', - } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca_crt'], + content => $site_openvpn::x509_config['ca_cert'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh_key'], + content => $site_openvpn::x509_config['dh'], mode => '0644', } file { '/etc/openvpn/keys/server.key': - content => $openvpn_keys['server_key'], + content => $site_openvpn::x509_config['key'], mode => '0600', } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_crt'], + content => $site_openvpn::x509_config['cert'], mode => '0644', } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 482c6ab7..6fc3a3c2 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,3 +1,57 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': @@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': |