From 717bd0f1061cbc4cd22a22f87b9b00ddf469f2fc Mon Sep 17 00:00:00 2001
From: Micah <micah@leap.se>
Date: Tue, 13 Oct 2015 12:01:53 -0400
Subject: Make syslog stop logging the icmpv6_send: no reply to icmp error
 messages, these are spamming provider's logs and will continue to do so until
 we have ipv6 working for the VPN (#6540)

Change-Id: I80673bb64d8239e478bc042794929640f7a7cc39
---
 puppet/modules/site_openvpn/manifests/init.pp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..ede35a9e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -229,6 +229,13 @@ class site_openvpn {
   }
 
   leap::logfile { 'openvpn': }
+
+  # Because we currently do not support ipv6 and instead block it (so no leaks
+  # happen), we get a large number of these messages, so we ignore them (#6540)
+  rsyslog::snippet { '01-ignore_icmpv6_send':
+    content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+  }
+
   include site_check_mk::agent::openvpn
 
 }
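Review bot: The discard rule added as `01-ignore_icmpv6_send` matches on message text alone, so any local process that can write to syslog and includes `icmpv6_send: no reply to icmp error` in a line has that line dropped before it reaches a log file or forwarder. The message presumably comes from the kernel, so scoping the filter to that facility keeps the noise reduction without leaving a blind spot, for example `if $syslogfacility-text == 'kern' and $msg contains 'icmpv6_send: no reply to icmp error' then ~` (with the quoting adjusted for the Puppet string). The `~` action is deprecated in newer rsyslog releases in favour of `stop`, which would be worth a mention in the comment. The enclosing class starts outside this hunk.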
-- 
cgit v1.2.3


From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 13 Apr 2015 23:16:00 +0200
Subject: restructured site.pp, now only one class gets included in site.pp per
 service (Bug #6851)

Also, moved global Exec{} defaults to site.pp

Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd
---
 puppet/modules/site_openvpn/manifests/init.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index ede35a9e..4777464e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -24,9 +24,11 @@ class site_openvpn {
   include site_config::x509::key
   include site_config::x509::ca_bundle
 
-
+  include site_config::default
   Class['site_config::default'] -> Class['site_openvpn']
 
+  include ::site_obfsproxy
+
   $openvpn          = hiera('openvpn')
   $openvpn_ports    = $openvpn['ports']
   $openvpn_config   = $openvpn['configuration']
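Review bot: The two added includes name their classes inconsistently: `include site_config::default` is relative while `include ::site_obfsproxy` is absolute. If this manifest runs on Puppet 3, a relative name inside `class site_openvpn` is resolved against the enclosing namespace first, so the absolute form is the safer one throughout, `include ::site_config::default`. A short comment above `include ::site_obfsproxy` explaining why every OpenVPN gateway also gets obfsproxy would help, since it adds another listening service to these hosts.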
-- 
cgit v1.2.3


From f5ecaaa1bd7412fc152b41e4cc522cd0dc43cc37 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 5 Jan 2016 21:44:30 +0100
Subject: linted puppet/modules/site_openvpn/manifests/init.pp

---
 puppet/modules/site_openvpn/manifests/init.pp | 64 +++++++++++++--------------
 1 file changed, 32 insertions(+), 32 deletions(-)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4777464e..7397d89c 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -87,24 +87,24 @@ class site_openvpn {
 
   if $openvpn_allow_unlimited {
     site_openvpn::server_config { 'tcp_config':
-      port        => '1194',
-      proto       => 'tcp',
-      local       => $unlimited_gateway_address,
-      tls_remote  => "\"${openvpn_unlimited_prefix}\"",
-      server      => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
-      push        => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
-      management  => '127.0.0.1 1000',
-      config      => $openvpn_config
+      port       => '1194',
+      proto      => 'tcp',
+      local      => $unlimited_gateway_address,
+      tls_remote => "\"${openvpn_unlimited_prefix}\"",
+      server     => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+      push       => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+      management => '127.0.0.1 1000',
+      config     => $openvpn_config
     }
     site_openvpn::server_config { 'udp_config':
-      port        => '1194',
-      proto       => 'udp',
-      local       => $unlimited_gateway_address,
-      tls_remote  => "\"${openvpn_unlimited_prefix}\"",
-      server      => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
-      push        => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
-      management  => '127.0.0.1 1001',
-      config      => $openvpn_config
+      port       => '1194',
+      proto      => 'udp',
+      local      => $unlimited_gateway_address,
+      tls_remote => "\"${openvpn_unlimited_prefix}\"",
+      server     => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+      push       => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+      management => '127.0.0.1 1001',
+      config     => $openvpn_config
     }
   } else {
     tidy { '/etc/openvpn/tcp_config.conf': }
@@ -113,24 +113,24 @@ class site_openvpn {
 
   if $openvpn_allow_limited {
     site_openvpn::server_config { 'limited_tcp_config':
-      port        => '1194',
-      proto       => 'tcp',
-      local       => $limited_gateway_address,
-      tls_remote  => "\"${openvpn_limited_prefix}\"",
-      server      => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
-      push        => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
-      management  => '127.0.0.1 1002',
-      config      => $openvpn_config
+      port       => '1194',
+      proto      => 'tcp',
+      local      => $limited_gateway_address,
+      tls_remote => "\"${openvpn_limited_prefix}\"",
+      server     => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+      push       => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
+      management => '127.0.0.1 1002',
+      config     => $openvpn_config
     }
     site_openvpn::server_config { 'limited_udp_config':
-      port        => '1194',
-      proto       => 'udp',
-      local       => $limited_gateway_address,
-      tls_remote  => "\"${openvpn_limited_prefix}\"",
-      server      => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
-      push        => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
-      management  => '127.0.0.1 1003',
-      config      => $openvpn_config
+      port       => '1194',
+      proto      => 'udp',
+      local      => $limited_gateway_address,
+      tls_remote => "\"${openvpn_limited_prefix}\"",
+      server     => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+      push       => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
+      management => '127.0.0.1 1003',
+      config     => $openvpn_config
     }
   } else {
     tidy { '/etc/openvpn/limited_tcp_config.conf': }
-- 
cgit v1.2.3


From ff818d6be896201adf0b1c9ded9316949dc954d2 Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Tue, 16 Feb 2016 16:43:54 -0800
Subject: remove pinning of openvpn package to backports

---
 puppet/modules/site_openvpn/manifests/init.pp | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7397d89c..540262d0 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -174,14 +174,8 @@ class site_openvpn {
 
   include site_shorewall::eip
 
-  # In wheezy, we need the openvpn backport to get the 2.3 version of
-  # openvpn which has proper ipv6 support
-  include site_apt::preferences::openvpn
-
   package {
-    'openvpn':
-      ensure  => latest,
-      require => Class['site_apt::preferences::openvpn'];
+    'openvpn': ensure => latest
   }
 
   service {
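Review bot: Removing the pin also removes the only record that this class needs OpenVPN 2.3, while `'openvpn': ensure => latest` now installs whatever the highest-priority apt source offers. If any wheezy hosts are still managed by this manifest (not visible from the hunk), a fresh install would presumably get the older stable package with no warning. A one-line comment such as `# requires openvpn >= 2.3 (jessie or later); wheezy is no longer supported` would record the assumption. The `package` block starts inside the hunk, but the class around it does not.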
-- 
cgit v1.2.3


From 65d01365ac0e1ab25189ee9b58546e85cd806da4 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 8 Mar 2016 10:14:05 +0100
Subject: [bug] Fix inline template with deprecated variable notation

- Resolves: #7948
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 540262d0..f5eb7fd0 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -69,7 +69,7 @@ class site_openvpn {
   # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
   # we can do this using an inline_template:
   $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
-  $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+  $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
 
   # deploy dh keys
   include site_openvpn::dh_key
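Review bot: `$primary_netmask` is still used unchecked after the corrected `scope.lookupvar(@factname_primary_netmask)` lookup, so if the `netmask_cidr_<interface>` fact is missing on a node the template presumably renders an empty string. Whatever consumes the netmask later, which lies outside this hunk and may include firewall or routing rules, would then be built from an empty value. A guard straight after the assignment would surface that at catalog compile time: `if $primary_netmask == '' { fail("no ${factname_primary_netmask} fact on this node") }`.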
-- 
cgit v1.2.3


From 0ca80b41060dd8046386f7e49d2ed5ad382948c4 Mon Sep 17 00:00:00 2001
From: Micah <micah@leap.se>
Date: Tue, 12 Apr 2016 10:37:56 -0400
Subject: Put openvpn logs into leap directory (#8021)

Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to
/var/log/daemon.log.

Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719
---
 puppet/modules/site_openvpn/manifests/init.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'puppet/modules/site_openvpn/manifests/init.pp')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index f5eb7fd0..f1ecefb9 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -224,7 +224,8 @@ class site_openvpn {
       order   => 10;
   }
 
-  leap::logfile { 'openvpn': }
+  leap::logfile { 'openvpn_tcp': }
+  leap::logfile { 'openvpn_udp': }
 
   # Because we currently do not support ipv6 and instead block it (so no leaks
   # happen), we get a large number of these messages, so we ignore them (#6540)
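Review bot: Only `openvpn_tcp` and `openvpn_udp` get a `leap::logfile`, while the same class declares four server instances elsewhere on this page (`tcp_config`, `udp_config`, `limited_tcp_config`, `limited_udp_config`). Whether the limited instances land in these two files depends on how `leap::logfile` and the server config name the log tag, which is not visible here, so a comment stating the mapping would help whoever later needs the logs for an investigation. The old `leap::logfile { 'openvpn': }` resource is also dropped without a cleanup, so the rsyslog and logrotate files it generated probably stay on hosts that are already deployed.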
-- 
cgit v1.2.3