From 717bd0f1061cbc4cd22a22f87b9b00ddf469f2fc Mon Sep 17 00:00:00 2001 From: Micah <micah@leap.se> Date: Tue, 13 Oct 2015 12:01:53 -0400 Subject: Make syslog stop logging the icmpv6_send: no reply to icmp error messages, these are spamming provider's logs and will continue to do so until we have ipv6 working for the VPN (#6540) Change-Id: I80673bb64d8239e478bc042794929640f7a7cc39 --- puppet/modules/site_openvpn/manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e2a3124e..ede35a9e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -229,6 +229,13 @@ class site_openvpn { } leap::logfile { 'openvpn': } + + # Because we currently do not support ipv6 and instead block it (so no leaks + # happen), we get a large number of these messages, so we ignore them (#6540) + rsyslog::snippet { '01-ignore_icmpv6_send': + content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~' + } + include site_check_mk::agent::openvpn } -- cgit v1.2.3 From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001 From: varac <varacanero@zeromail.org> Date: Mon, 13 Apr 2015 23:16:00 +0200 Subject: restructured site.pp, now only one class gets included in site.pp per service (Bug #6851) Also, moved global Exec{} defaults to site.pp Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index ede35a9e..4777464e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -24,9 +24,11 @@ class site_openvpn { include site_config::x509::key include site_config::x509::ca_bundle - + include site_config::default Class['site_config::default'] -> Class['site_openvpn'] + include ::site_obfsproxy + $openvpn = hiera('openvpn') $openvpn_ports = $openvpn['ports'] $openvpn_config = $openvpn['configuration'] -- cgit v1.2.3 From f5ecaaa1bd7412fc152b41e4cc522cd0dc43cc37 Mon Sep 17 00:00:00 2001 From: varac <varacanero@zeromail.org> Date: Tue, 5 Jan 2016 21:44:30 +0100 Subject: linted puppet/modules/site_openvpn/manifests/init.pp --- puppet/modules/site_openvpn/manifests/init.pp | 64 +++++++++++++-------------- 1 file changed, 32 insertions(+), 32 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4777464e..7397d89c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -87,24 +87,24 @@ class site_openvpn { if $openvpn_allow_unlimited { site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $unlimited_gateway_address, - tls_remote => "\"${openvpn_unlimited_prefix}\"", - server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000', - config => $openvpn_config + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000', + config => $openvpn_config } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $unlimited_gateway_address, - tls_remote => "\"${openvpn_unlimited_prefix}\"", - server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", - management => '127.0.0.1 1001', - config => $openvpn_config + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001', + config => $openvpn_config } } else { tidy { '/etc/openvpn/tcp_config.conf': } @@ -113,24 +113,24 @@ class site_openvpn { if $openvpn_allow_limited { site_openvpn::server_config { 'limited_tcp_config': - port => '1194', - proto => 'tcp', - local => $limited_gateway_address, - tls_remote => "\"${openvpn_limited_prefix}\"", - server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1002', - config => $openvpn_config + port => '1194', + proto => 'tcp', + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002', + config => $openvpn_config } site_openvpn::server_config { 'limited_udp_config': - port => '1194', - proto => 'udp', - local => $limited_gateway_address, - tls_remote => "\"${openvpn_limited_prefix}\"", - server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", - management => '127.0.0.1 1003', - config => $openvpn_config + port => '1194', + proto => 'udp', + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", + management => '127.0.0.1 1003', + config => $openvpn_config } } else { tidy { '/etc/openvpn/limited_tcp_config.conf': } -- cgit v1.2.3 From ff818d6be896201adf0b1c9ded9316949dc954d2 Mon Sep 17 00:00:00 2001 From: elijah <elijah@riseup.net> Date: Tue, 16 Feb 2016 16:43:54 -0800 Subject: remove pinning of openvpn package to backports --- puppet/modules/site_openvpn/manifests/init.pp | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7397d89c..540262d0 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -174,14 +174,8 @@ class site_openvpn { include site_shorewall::eip - # In wheezy, we need the openvpn backport to get the 2.3 version of - # openvpn which has proper ipv6 support - include site_apt::preferences::openvpn - package { - 'openvpn': - ensure => latest, - require => Class['site_apt::preferences::openvpn']; + 'openvpn': ensure => latest } service { -- cgit v1.2.3 From 65d01365ac0e1ab25189ee9b58546e85cd806da4 Mon Sep 17 00:00:00 2001 From: varac <varacanero@zeromail.org> Date: Tue, 8 Mar 2016 10:14:05 +0100 Subject: [bug] Fix inline template with deprecated variable notation - Resolves: #7948 --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 540262d0..f5eb7fd0 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -69,7 +69,7 @@ class site_openvpn { # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/ # we can do this using an inline_template: $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}" - $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>') + $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>') # deploy dh keys include site_openvpn::dh_key -- cgit v1.2.3 From 0ca80b41060dd8046386f7e49d2ed5ad382948c4 Mon Sep 17 00:00:00 2001 From: Micah <micah@leap.se> Date: Tue, 12 Apr 2016 10:37:56 -0400 Subject: Put openvpn logs into leap directory (#8021) Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to /var/log/daemon.log. Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719 --- puppet/modules/site_openvpn/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/init.pp') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index f5eb7fd0..f1ecefb9 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -224,7 +224,8 @@ class site_openvpn { order => 10; } - leap::logfile { 'openvpn': } + leap::logfile { 'openvpn_tcp': } + leap::logfile { 'openvpn_udp': } # Because we currently do not support ipv6 and instead block it (so no leaks # happen), we get a large number of these messages, so we ignore them (#6540) -- cgit v1.2.3