Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp2
-rw-r--r--puppet/modules/site_config/manifests/eip.pp57
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp1
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp58
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp14
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp67
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp4
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp6
8 files changed, 135 insertions, 74 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 70c97030..9da2174c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -12,7 +12,7 @@ node 'default' {
# configure eip
if 'openvpn' in $services {
- include site_config::eip
+ include site_openvpn
}
if 'couchdb' in $services {
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
deleted file mode 100644
index 4280fb67..00000000
--- a/puppet/modules/site_config/manifests/eip.pp
+++ /dev/null
@@ -1,57 +0,0 @@
-class site_config::eip {
-
- # parse hiera config
- $ip_address = hiera('ip_address')
- $interface = hiera('interface')
- #$gateway_address = hiera('gateway_address')
- $openvpn_config = hiera('openvpn')
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- $openvpn_tcp_network_prefix = '10.1.0'
- $openvpn_tcp_netmask = '255.255.248.0'
- $openvpn_tcp_cidr = '21'
- $openvpn_udp_network_prefix = '10.2.0'
- $openvpn_udp_netmask = '255.255.248.0'
- $openvpn_udp_cidr = '21'
-
- include site_openvpn
-
- # deploy ca + server keys
- include site_openvpn::keys
-
- # create 2 openvpn config files, one for tcp, one for udp
- site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $openvpn_gateway_address,
- server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
- push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
- management => '127.0.0.1 1000'
- }
- site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
- push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
- local => $openvpn_gateway_address,
- management => '127.0.0.1 1001'
- }
-
- # add second IP on given interface
- file { '/usr/local/bin/leap_add_second_ip.sh':
- content => "#!/bin/sh
-ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface",
- mode => '0755',
- }
-
- exec { '/usr/local/bin/leap_add_second_ip.sh':
- subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
- }
-
- cron { 'leap_add_second_ip.sh':
- command => "/usr/local/bin/leap_add_second_ip.sh",
- user => 'root',
- special => 'reboot',
- }
-
- include site_shorewall::eip
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 30ce7f54..10408094 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -16,6 +16,7 @@ class site_couchdb {
$couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
Class['site_couchdb::package']
+ -> Exec['refresh_apt']
-> Package ['couchdb']
-> File['/etc/init.d/couchdb']
-> File['/etc/couchdb/local.ini']
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e95e67d5..548d1df2 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,4 +1,62 @@
class site_openvpn {
+ # parse hiera config
+ $ip_address = hiera('ip_address')
+ $interface = hiera('interface')
+ #$gateway_address = hiera('gateway_address')
+ $openvpn_config = hiera('openvpn')
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_tcp_network_prefix = '10.1.0'
+ $openvpn_tcp_netmask = '255.255.248.0'
+ $openvpn_tcp_cidr = '21'
+ $openvpn_udp_network_prefix = '10.2.0'
+ $openvpn_udp_netmask = '255.255.248.0'
+ $openvpn_udp_cidr = '21'
+ $x509_config = hiera('x509')
+
+ include site_openvpn
+
+ # deploy ca + server keys
+ include site_openvpn::keys
+
+ # create 2 openvpn config files, one for tcp, one for udp
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $openvpn_gateway_address,
+ server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
+ push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
+ push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+ local => $openvpn_gateway_address,
+ management => '127.0.0.1 1001'
+ }
+
+ # add second IP on given interface
+ file { '/usr/local/bin/leap_add_second_ip.sh':
+ content => "#!/bin/sh
+ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+",
+ mode => '0755',
+ }
+
+ exec { '/usr/local/bin/leap_add_second_ip.sh':
+ subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ }
+
+ cron { 'leap_add_second_ip.sh':
+ command => "/usr/local/bin/leap_add_second_ip.sh",
+ user => 'root',
+ special => 'reboot',
+ }
+
+ include site_shorewall::eip
+
package {
'openvpn':
ensure => installed;
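Review bot: Line L149 turns on IPv4 forwarding by echoing into /proc from the secondary-IP script, so the setting only exists for as long as that script keeps running — via the `@reboot` cron and via the exec, which has no `refreshonly` and therefore executes on every agent run rather than only when the file changes — and nothing records it in sysctl. Because `site_shorewall::eip` is included right after, shorewall's own IP_FORWARDING handling may also reset it on restart depending on how shorewall.conf is managed (not visible here). Manage forwarding as a sysctl drop-in with a refresh-only apply, as below, and drop the echo line from the script; while there, the `include site_openvpn` on L122 is a self-include carried over from the deleted site_config::eip and should go. The `grep -q ${openvpn_gateway_address}/24` check on L148 also treats the dots as regex wildcards and accepts longer addresses that merely end in the same digits; `grep -qF -- " ${openvpn_gateway_address}/24 "` is an exact match against the `ip addr show` output. The class body continues past the hunk (the `package` declaration is cut off).
```puppet
  # persist IPv4 forwarding via sysctl rather than an echo in the reboot script
  file { '/etc/sysctl.d/60-leap-ip-forward.conf':
    content => "net.ipv4.ip_forward = 1\n",
    notify  => Exec['leap_sysctl_ip_forward'],
  }
  exec { 'leap_sysctl_ip_forward':
    command     => '/sbin/sysctl -w net.ipv4.ip_forward=1',
    refreshonly => true,
  }
  # … unchanged: leap_add_second_ip.sh file/exec/cron, minus the echo line …
```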
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index d029fbac..12c1bd8f 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -1,28 +1,22 @@
class site_openvpn::keys {
- $openvpn_keys = hiera_hash('openvpn')
-
- file { '/etc/openvpn/keys/ca.key':
- content => $openvpn_keys['ca_key'],
- mode => '0600',
- }
file { '/etc/openvpn/keys/ca.crt':
- content => $openvpn_keys['ca_crt'],
+ content => $site_openvpn::x509_config['ca_cert'],
mode => '0644',
}
file { '/etc/openvpn/keys/dh.pem':
- content => $openvpn_keys['dh_key'],
+ content => $site_openvpn::x509_config['dh'],
mode => '0644',
}
file { '/etc/openvpn/keys/server.key':
- content => $openvpn_keys['server_key'],
+ content => $site_openvpn::x509_config['key'],
mode => '0600',
}
file { '/etc/openvpn/keys/server.crt':
- content => $openvpn_keys['server_crt'],
+ content => $site_openvpn::x509_config['cert'],
mode => '0644',
}
}
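Review bot: The server.key resource at L191–L195 now takes the private key straight from hiera as file `content`, but none of the four file resources set `owner`/`group` or `show_diff`, so depending on the agent's `show_diff` setting a key or certificate rotation prints the old and new PEM into the agent log and report. Add `owner => 'root', group => 'root', show_diff => false,` to the server.key resource (and `owner`/`group` to the other three), and note that all four assume `/etc/openvpn/keys` already exists — I don't see the directory managed in this hunk, so if it isn't created elsewhere the first run fails on a missing parent. Dropping ca.key from the gateway is the right call; a one-line comment such as `# the CA private key is deliberately not deployed to the gateway` would stop someone re-adding it later.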
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 482c6ab7..6fc3a3c2 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -1,3 +1,57 @@
+#
+# Cipher discussion
+# ================================
+#
+# We want to specify explicit values for the crypto options to prevent a MiTM from forcing
+# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher'
+# MUST be the same on both ends or no data will get transmitted).
+#
+# tls-cipher DHE-RSA-AES128-SHA
+#
+# dkg: For the TLS control channel, we want to make sure we choose a
+# key exchange mechanism that has PFS (meaning probably some form of ephemeral
+# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher
+# (I recommend AES, and 128 bits is probably fine, since there are some known
+# weaknesses in the 192- and 256-bit key schedules). That leaves us with the
+# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE |
+# grep AES128 | grep GCM.
+#
+# elijah:
+# I could not get any of these working:
+# * openvpn --show-tls | grep GCM
+# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256
+# so, i went with this:
+# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM
+# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how
+# our cert generation interacts with the tls-cipher algorithms.
+#
+# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set.
+#
+# auth SHA1
+#
+# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
+# a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+# should be avoided.
+#
+# elijah: i am not so sure that the digest algo matters for 'auth' option, because
+# i think an attacker would have to forge the digest in real time, which is still far from
+# a possibility for SHA1. So, i am leaving the default for now (SHA1).
+#
+# cipher AES-128-CBC
+#
+# dkg: For the choice of cipher, we need to select an algorithm and a
+# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but
+# our control channel is already relying on AES not being broken; if the
+# control channel is cracked, then the key material for the tunnel is exposed,
+# and the choice of algorithm is moot. So it makes more sense to me to rely on
+# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to
+# me, but CBC is more well-tested, and the OpenVPN man page (at least as of
+# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered
+# advanced modes.”
+#
+# note: the default is BF-CBC (blowfish)
+#
+
define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
$openvpn_configname = $name
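Review bot: The opening paragraph of the new header (L211–L213) says explicit `cipher`/`auth` values stop a MiTM from forcing a weaker cipher, but in the OpenVPN versions this text discusses (it cites 2.2.1) the data-channel `cipher` and `auth` are not negotiated at all — each side simply uses its configured value, which is exactly why they must match — so downgrade resistance comes only from pinning `tls-cipher` on the TLS control channel. Reword it along the lines of `# tls-cipher is the only one of these a MiTM could influence; cipher and auth are static and must simply match on both ends`. The header also keeps `auth SHA1` while quoting dkg's SHA256 recommendation; since SHA256 costs nothing and the value has to change on clients at the same time either way, the comment should record the actual reason SHA1 was kept rather than "leaving the default". Minor: "this are legacy" on L239 should read "these are legacy".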
@@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
key => 'dh',
value => '/etc/openvpn/keys/dh.pem',
server => $openvpn_configname;
-
+ "tls-cipher $openvpn_configname":
+ key => 'tls-cipher',
+ value => 'DHE-RSA-AES128-SHA',
+ server => $openvpn_configname;
+ "auth $openvpn_configname":
+ key => 'auth',
+ value => 'SHA1',
+ server => $openvpn_configname;
+ "cipher $openvpn_configname":
+ key => 'cipher',
+ value => 'AES-128-CBC',
+ server => $openvpn_configname;
"dev $openvpn_configname":
key => 'dev',
value => 'tun',
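Review bot: The three added options hard-code the crypto choices inside a define that already parameterizes port, proto and addresses, and because `auth` and `cipher` must match every client, changing them later means editing this module and whatever generates client configs in lockstep. Expose them as parameters with the current values as defaults — `define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management, $tls_cipher = 'DHE-RSA-AES128-SHA', $auth = 'SHA1', $cipher = 'AES-128-CBC')` — and use `$tls_cipher`, `$auth` and `$cipher` in the three `value` fields, so one hiera key can feed both sides. I also don't see a `tls-auth` option in the visible part of this resource; if it isn't set elsewhere, consider adding one, since pinning a single TLS suite does nothing about unauthenticated handshake packets reaching the TLS stack. The resource declaration these entries belong to starts before the hunk, so its type and closing brace are not visible here.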
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 4fc62f85..68f480d8 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -6,7 +6,7 @@ define site_shorewall::dnat_rule {
"dnat_tcp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
proto => 'tcp',
destinationport => $port,
order => 100;
@@ -16,7 +16,7 @@ define site_shorewall::dnat_rule {
"dnat_udp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
proto => 'udp',
destinationport => $port,
order => 100;
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 086bf75a..57dc17e9 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -10,7 +10,7 @@ class site_shorewall::eip {
$ssh_port = $ssh_config['port']
$openvpn_config = hiera('openvpn')
$openvpn_ports = $openvpn_config['ports']
- $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
+ $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
# define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
@@ -42,11 +42,11 @@ PARAM - - udp 1194
shorewall::masq { "${interface}_tcp":
interface => $interface,
- source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
+ source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; }
shorewall::masq { "${interface}_udp":
interface => $interface,
- source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
+ source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; }
shorewall::policy {
'eip-to-all':