From ad62cfdad04c8f8ed9d6454f716c92e850ac53ba Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 17 Mar 2013 13:15:51 -0700 Subject: added support for "limited" service levels (although vpn is not yet actually rate limited). --- .../files/service-definitions/eip-service.json.erb | 40 +++--- .../files/service-definitions/provider.json.erb | 2 +- provider_base/provider.json | 29 ++-- provider_base/services/openvpn.json | 12 +- provider_base/services/webapp.json | 4 +- provider_base/test/openvpn/client.ovpn.erb | 6 +- puppet/modules/site_openvpn/README | 20 +++ puppet/modules/site_openvpn/manifests/init.pp | 150 +++++++++++++-------- puppet/modules/site_openvpn/manifests/resolver.pp | 90 +++++++++---- .../site_openvpn/manifests/server_config.pp | 9 +- .../site_openvpn/templates/add_gateway_ips.sh.erb | 11 ++ .../templates/leap_add_second_ip.sh.erb | 11 -- .../modules/site_shorewall/manifests/dnat_rule.pp | 40 +++--- puppet/modules/site_shorewall/manifests/eip.pp | 61 +++++---- .../modules/site_webapp/templates/config.yml.erb | 13 +- 15 files changed, 309 insertions(+), 189 deletions(-) create mode 100644 puppet/modules/site_openvpn/README create mode 100644 puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb delete mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb index 09b65bbb..ca42bef5 100644 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ b/provider_base/files/service-definitions/eip-service.json.erb @@ -6,41 +6,39 @@ words end - def gateway_definition(node) + def add_gateway(node, locations, options={}) + return nil if options[:ip] == 'REQUIRED' gateway = {} gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) gateway["capabilities"]["transport"] = ["openvpn"] gateway["host"] = node.domain.full - gateway["cluster"] = underscore(node.openvpn.location) + gateway["ip_address"] = options[:ip] + gateway["capabilities"]["limited"] = options[:limited] + if node.location + location_name = underscore(node.location.name) + gateway["location"] = location_name + locations[location_name] ||= node.location + end gateway end hsh = {} hsh["serial"] = 1 hsh["version"] = 1 - clusters = {} + locations = {} gateways = [] nodes_like_me[:services => 'openvpn'].each_node do |node| - if node.openvpn.gateway_address - gateway = gateway_definition(node) - gateway["ip_address"] = node.openvpn.gateway_address - gateway["capabilities"]["free"] = false - gateways << gateway - end - if node.openvpn.free_gateway_address && node.openvpn.free_gateway_address != "REQUIRED" - gateway = gateway_definition(node) - gateway["ip_address"] = node.openvpn.free_gateway_address - gateway["capabilities"]["free"] = true - gateway["capabilities"]["rate_limit"] = node.openvpn.free_rate_limit - gateways << gateway + if node.openvpn.allow_limited && node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) + elsif node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + elsif node.openvpn.allow_limited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) end - clusters[gateway["cluster"]] ||= { - "name" => gateway["cluster"], - "label" => {"en" => node.openvpn.location} - } end - hsh["gateways"] = gateways - hsh["clusters"] = clusters.values + hsh["gateways"] = gateways.compact + hsh["locations"] = locations hsh["openvpn_configuration"] = { "tls-cipher" => "DHE-RSA-AES128-SHA", "auth" => "SHA1", diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 2ca34548..54919898 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -4,7 +4,7 @@ # grab some fields from provider.json hsh = global.provider.pick( :languages, :description, :name, - :enrollment_policy, :default_language, :domain + :enrollment_policy, :default_language, :domain, :service ) # advertise services that are 'user services' diff --git a/provider_base/provider.json b/provider_base/provider.json index 14eabdc2..cf1baac6 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -13,21 +13,31 @@ "languages": ["en"], "default_language": "en", "enrollment_policy": "open", - "service_levels": [ - {"name": "free", "bandwidth":102400, "storage":50}, - {"name": "basic", "bandwidth":null, "storage":1000}, - {"name": "premium", "bandwidth":null, "storage":10000} - ], - "service_allow_free": false, + "service": { + "levels": [ + // bandwidth limit is in Bytes, storage limit is in MB. + {"id": 1, "name": "free", "bandwidth":"limited", "storage":50}, + {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]}, + {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]} + ], + "default_service_level": 1, + "bandwidth_limit": 102400, + "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?", + "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?", + "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", + "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", + "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", + "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" + }, "ca": { "name": "= global.provider.ca.organization + ' Root CA'", "organization": "= global.provider.name[global.provider.default_language]", - "organizational_unit": "= 'https://' + global.common.domain.full_suffix", + "organizational_unit": "= 'https://' + global.provider.domain", "bit_size": 4096, "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 3248, + "bit_size": 2024, "digest": "SHA256", "life_span": "1y" }, @@ -35,7 +45,8 @@ "bit_size": 2024, "digest": "SHA256", "life_span": "2m", - "free_prefix": "FREE" + "limited_prefix": "LIMITED", + "unlimited_prefix": "UNLIMITED" } }, "hiera_sync_destination": "/etc/leap" diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index e78a02ac..5d77f946 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -5,17 +5,19 @@ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, + "location": null, "openvpn": { - "location": "Location Unknown", "gateway_address": "REQUIRED", - "free_gateway_address": "= openvpn.allow_free ? 'REQUIRED' : nil", + "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil", "ports": ["80", "443", "53", "1194"], "protocols": ["tcp", "udp"], "filter_dns": false, "adblock": false, "user_ips": false, - "allow_free": "= global.provider.service_allow_free", - "free_prefix": "= global.provider.ca.client_certificates.free_prefix", - "free_rate_limit": "= openvpn.allow_free ? global.provider.service_levels.detect{|level| level['name'] == 'free'}['bandwidth'] : nil" + "allow_limited": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth", + "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix", + "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix", + "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil" } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 5e7260a6..477d5f17 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -10,7 +10,9 @@ "head_scss": "= file_path 'branding/head.scss'", "img_dir": "= file_path 'branding/img'", "client_certificates": "= global.provider.ca.client_certificates", - "allow_free": "= global.provider.service_allow_free" + "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", + "allow_anonymous_certs": "= global.provider.service.allow_anonymous" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb index a0bdd307..af183ef4 100644 --- a/provider_base/test/openvpn/client.ovpn.erb +++ b/provider_base/test/openvpn/client.ovpn.erb @@ -18,9 +18,11 @@ tls-cipher DHE-RSA-AES128-SHA -<%= read_file! :test_client_cert -%> +<%# read_file! :test_client_cert -%> +<%= cert -%> -<%= read_file! :test_client_key -%> +<%# read_file! :test_client_key -%> +<%= key -%> diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README new file mode 100644 index 00000000..cef5be23 --- /dev/null +++ b/puppet/modules/site_openvpn/README @@ -0,0 +1,20 @@ +Place to look when debugging problems +======================================== + +Log files: + + openvpn: /var/log/syslog + shorewall: /var/log/syslog + shorewall startup: /var/log/shorewall-init.log + +Check NAT masq: + + iptables -t nat --list-rules + +Check interfaces: + + ip addr ls + +Scripts: + + /usr/local/bin/add_gateway_ips.sh \ No newline at end of file diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0c9f1795..c54bb782 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,84 +1,128 @@ +# +# An openvpn gateway can support three modes: +# +# (1) limited and unlimited +# (2) unlimited only +# (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +# (1) unlimited + tcp => tcp_config.conf +# (2) unlimited + udp => udp_config.conf +# (3) limited + tcp => limited_tcp_config.conf +# (4) limited + udp => limited_udp_config.conf +# + class site_openvpn { tag 'leap_service' - # parse hiera config - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - $openvpn_allow_free = $openvpn_config['allow_free'] - $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] - $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] - $openvpn_free_prefix = $openvpn_config['free_prefix'] - $x509_config = hiera('x509') + $openvpn_config = hiera('openvpn') + $x509_config = hiera('x509') + $ip_address = hiera('ip_address') + $interface = getvar("interface_${ip_address}") + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_second_gateway_address = undef + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } + + $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_unlimited_tcp_network_prefix = '10.41.0' + $openvpn_unlimited_tcp_netmask = '255.255.248.0' + $openvpn_unlimited_tcp_cidr = '21' + $openvpn_unlimited_udp_network_prefix = '10.42.0' + $openvpn_unlimited_udp_netmask = '255.255.248.0' + $openvpn_unlimited_udp_cidr = '21' + + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' # deploy ca + server keys include site_openvpn::keys - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + if $openvpn_allow_unlimited and $openvpn_allow_limited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = $openvpn_second_gateway_address + } elsif $openvpn_allow_unlimited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = undef + } elsif $openvpn_allow_limited { + $unlimited_gateway_address = undef + $limited_gateway_address = $openvpn_gateway_address } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $openvpn_gateway_address, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + if $openvpn_allow_unlimited { + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001' + } + } else { + tidy { "/etc/openvpn/tcp_config.conf": } + tidy { "/etc/openvpn/udp_config.conf": } } - if $openvpn_allow_free { - site_openvpn::server_config { 'free_tcp_config': + if $openvpn_allow_limited { + site_openvpn::server_config { 'limited_tcp_config': port => '1194', proto => 'tcp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", management => '127.0.0.1 1002' } - site_openvpn::server_config { 'free_udp_config': + site_openvpn::server_config { 'limited_udp_config': port => '1194', proto => 'udp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/free_tcp_config.conf": } - tidy { "/etc/openvpn/free_udp_config.conf": } + tidy { "/etc/openvpn/limited_tcp_config.conf": } + tidy { "/etc/openvpn/limited_udp_config.conf": } } - # add second IP on given interface file { - '/usr/local/bin/leap_add_second_ip.sh': - content => template('site_openvpn/leap_add_second_ip.sh.erb'), + '/usr/local/bin/add_gateway_ips.sh': + content => template('site_openvpn/add_gateway_ips.sh.erb'), mode => '0755'; } - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + exec { '/usr/local/bin/add_gateway_ips.sh': + subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } - cron { 'leap_add_second_ip.sh': - command => '/usr/local/bin/leap_add_second_ip.sh', + cron { 'add_gateway_ips.sh': + command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', special => 'reboot', } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 26785edb..dc31767c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,5 +1,53 @@ class site_openvpn::resolver { + if $site_openvpn::openvpn_allow_unlimited { + $ensure_unlimited = 'present' + file { + '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_unlimited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + } + + if $site_openvpn::openvpn_allow_limited { + $ensure_limited = 'present' + file { + '/etc/unbound/conf.d/vpn_limited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_limited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + } + # this is an unfortunate way to get around the fact that the version of # unbound we are working with does not accept a wildcard include directive # (/etc/unbound/conf.d/*), when it does, these line definitions should @@ -7,36 +55,30 @@ class site_openvpn::resolver { # include: /etc/unbound/conf.d/* line { - 'add_tcp_resolver': - ensure => present, + 'add_unlimited_tcp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], require => Package['unbound']; - - 'add_udp_resolver': - ensure => present, + 'add_unlimited_udp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_tcp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_udp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], require => Package['unbound'] } - file { - '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - - '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1f42400a..a2e769e1 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -54,7 +54,7 @@ define site_openvpn::server_config( $port, $proto, $local, $server, $push, - $management, $tls_remote = undef, $shaper = undef) { + $management, $tls_remote = undef) { $openvpn_configname = $name @@ -68,13 +68,8 @@ define site_openvpn::server_config( notify => Service['openvpn']; } - # special options for the "free" gateway daemons - if $shaper != undef { + if $tls_remote != undef { openvpn::option { - "shaper $openvpn_configname": - key => 'shaper', - value => $shaper, - server => $openvpn_configname; "tls-remote $openvpn_configname": key => 'tls-remote', value => $tls_remote, diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb new file mode 100644 index 00000000..ed06a95e --- /dev/null +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_second_gateway_address %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb deleted file mode 100644 index 40866116..00000000 --- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> - -<% if @openvpn_allow_free %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || - ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> -<% end %> - -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 0b4370df..e1ea86ec 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -2,30 +2,32 @@ define site_shorewall::dnat_rule { $port = $name if $port != 1194 { - shorewall::rule { - "dnat_tcp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'tcp', - destinationport => $port, - order => 100; - } - shorewall::rule { - "dnat_udp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'udp', - destinationport => $port, - order => 100; + if $site_openvpn::openvpn_allow_paid { + shorewall::rule { + "dnat_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + shorewall::rule { + "dnat_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } } if $site_openvpn::openvpn_allow_free { shorewall::rule { "dnat_free_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -34,7 +36,7 @@ define site_shorewall::dnat_rule { "dnat_free_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d2bf3c4c..95c3920e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -3,10 +3,6 @@ class site_shorewall::eip { include site_shorewall::defaults include site_shorewall::ip_forward - $openvpn_config = hiera('openvpn') - $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address - # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 1194 @@ -16,41 +12,45 @@ PARAM - - udp 1194 require => Package['shorewall'] } - shorewall::interface { 'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; 'tun1': zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs' + options => 'tcpflags,blacklist,nosmurfs'; + 'tun2': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun3': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone { + 'eip': + type => 'ipv4'; + } - shorewall::zone {'eip': - type => 'ipv4'; } - - case $::virtual { - 'virtualbox': { - shorewall::masq { - 'eth0_tcp': - interface => 'eth0', - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; - 'eth0_udp': - interface => 'eth0', - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } - default: { - $interface = $site_shorewall::defaults::interface - shorewall::masq { - "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + if $::virtual == 'virtualbox' { + $interface = 'eth0' + } else { + $interface = $site_shorewall::defaults::interface + } - "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } + shorewall::masq { + "${interface}_unlimited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + "${interface}_unlimited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { @@ -70,7 +70,6 @@ PARAM - - udp 1194 } # create dnat rule for each port - #create_resources('site_shorewall::dnat_rule', $openvpn_ports) - site_shorewall::dnat_rule { $openvpn_ports: } + site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: } } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index cd67d1fd..af778212 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -6,8 +6,11 @@ production: client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> cert_options: - client_cert_lifespan: <%= cert_options['life_span'].to_i %> - client_cert_bit_size: <%= cert_options['bit_size'].to_i %> - client_cert_hash: <%= cert_options['digest'] %> - free_certs_enabled: <%= @webapp['allow_free'].inspect %> - free_cert_prefix: "<%= cert_options['free_prefix'] %>" + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %> + allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %> + allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> + limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" + unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" -- cgit v1.2.3