From 1c5eb8a64426c93d8118acac52870a6a95f73010 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 21 Sep 2012 15:03:08 +0200 Subject: oved things around --- .../site_openvpn/manifests/server_config.pp | 84 ++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 puppet/modules/site_openvpn/manifests/server_config.pp (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp new file mode 100644 index 00000000..e0e8db4f --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -0,0 +1,84 @@ +define site_openvpn::server_config($port, $protocol) { + $openvpn_configname=$name + notice("Creating OpenVPN $openvpn_configname: + Port: $port, Protocol: $protocol") + + $openvpn_server=$::fqdn + # we don't need a ca generated + #openvpn::server { + # $openvpn_configname: + # country => hiera("country"), + # province => hiera("province"), + # city => hiera("city"), + # organization => hiera("organization"), + # email => hiera("email"); + #} + + # configure server + # all config options need to be "hieraized" + + openvpn::option { + "dev $openvpn_configname": + key => "dev", + value => "tun", + server => "$openvpn_server"; + "script-security $openvpn_configname": + key => "script-security", + value => "3", + server => "$openvpn_server"; + "daemon $openvpn_configname": + key => "daemon", + server => "$openvpn_server"; + "keepalive $openvpn_configname": + key => "keepalive", + value => "10 60", + server => "$openvpn_server"; + "ping-timer-rem $openvpn_configname": + key => "ping-timer-rem", + server => "$openvpn_server"; + "persist-tun $openvpn_configname": + key => "persist-tun", + server => "$openvpn_server"; + "persist-key $openvpn_configname": + key => "persist-key", + server => "$openvpn_server"; + "proto $openvpn_configname": + key => "proto", + value => "$proto", + server => "$openvpn_server"; + "cipher $openvpn_configname": + key => "cipher", + value => "BF-CBC", + server => "$openvpn_server"; + "local $openvpn_configname": + key => "local", + value => $ipaddress, + server => "$openvpn_server"; + "tls-server $openvpn_configname": + key => "tls-server", + server => "$openvpn_server"; + "server $openvpn_configname": + key => "server", + value => "$server", + server => "$openvpn_server"; + "lport $openvpn_configname": + key => "lport", + value => "$port", + server => "$openvpn_server"; + "management $openvpn_configname": + key => "management", + value => "/var/run/openvpn-$openvpn_configname.sock unix", + server => "$openvpn_server"; + 
"comp-lzo $openvpn_configname": + key => "comp-lzo", + server => "$openvpn_server"; + "topology $openvpn_configname": + key => "topology", + value => "subnet", + server => "$openvpn_server"; + "client-to-client $openvpn_configname": + key => "client-to-client", + server => "$openvpn_server"; + } + +} -- cgit v1.2.3 From 276de1e249b25e5e00c49229132215681aee6467 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 21 Sep 2012 20:26:20 +0200 Subject: basic configuration for openvpn server files --- .../site_openvpn/manifests/server_config.pp | 100 +++++++++++++-------- 1 file changed, 64 insertions(+), 36 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index e0e8db4f..4a130d13 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,84 +1,112 @@ -define site_openvpn::server_config($port, $protocol) { +define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") + Port: $port, Protocol: $proto") + + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package["openvpn"]; + } + + concat { + "/etc/openvpn/${openvpn_configname}.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File["/etc/openvpn"], + notify => Service["openvpn"]; + } - $openvpn_server=$::fqdn - # we don't need a ca generated - #openvpn::server { - # $openvpn_configname: - # country => hiera("country"), - # province => hiera("province"), - # city => hiera("city"), - # organization => hiera("organization"), - # email => hiera("email"); - #} - # configure server - # all config options need to be "hieraized" openvpn::option { + "ca ${openvpn_configname}": + key => "ca", + value => "/etc/openvpn/ca.crt", + #require => Exec["initca ${openvpn_configname}"], + server => "${openvpn_configname}"; + "cert ${openvpn_configname}": + key => "cert", + value => "/etc/openvpn/${openvpn_configname}/server.crt", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "key ${openvpn_configname}": + key => "key", + value => "/etc/openvpn/${openvpn_configname}/server.key", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "dh ${openvpn_configname}": + key => "dh", + value => "/etc/openvpn/dh1024.pem", + #require => Exec["generate dh param ${openvpn_configname}"], + server => "${openvpn_configname}"; "dev $openvpn_configname": key => "dev", value => "tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; + "mode ${openvpn_configname}": + key => 'mode', + value => 'server', + server => $openvpn_configname; "script-security $openvpn_configname": key => "script-security", value => 
"3", - server => "$openvpn_server"; + server => "$openvpn_configname"; "daemon $openvpn_configname": key => "daemon", - server => "$openvpn_server"; + server => "$openvpn_configname"; "keepalive $openvpn_configname": key => "keepalive", value => "10 60", - server => "$openvpn_server"; + server => "$openvpn_configname"; "ping-timer-rem $openvpn_configname": key => "ping-timer-rem", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-tun $openvpn_configname": key => "persist-tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-key $openvpn_configname": key => "persist-key", - server => "$openvpn_server"; + server => "$openvpn_configname"; "proto $openvpn_configname": key => "proto", value => "$proto", - server => "$openvpn_server"; + server => "$openvpn_configname"; "cipher $openvpn_configname": key => "cipher", value => "BF-CBC", - server => "$openvpn_server"; + server => "$openvpn_configname"; "local $openvpn_configname": key => "local", value => $ipaddress, - server => "$openvpn_server"; + server => "$openvpn_configname"; "tls-server $openvpn_configname": key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_configname": - key => "server", - value => "$server", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"server $openvpn_configname": + # key => "server", + # value => "$server", + # server => "$openvpn_configname"; "lport $openvpn_configname": key => "lport", value => "$port", - server => "$openvpn_server"; + server => "$openvpn_configname"; "management $openvpn_configname": key => "management", value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_server"; + server => "$openvpn_configname"; "comp-lzo $openvpn_configname": key => "comp-lzo", - server => "$openvpn_server"; + server => "$openvpn_configname"; "topology $openvpn_configname": key => "topology", value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_configname": 
- key => "client-to-client", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"client-to-client $openvpn_configname": + # key => "client-to-client", + # server => "$openvpn_configname"; } } -- cgit v1.2.3 From 05fcb0db28279ae7c08b8c76c887f633f78a2947 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:38:01 +0200 Subject: cosmetics for server_config.pp --- .../site_openvpn/manifests/server_config.pp | 66 +++++++++++----------- 1 file changed, 33 insertions(+), 33 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 4a130d13..1af08b4a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
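Review bot: `mode => 644` on the `concat` resource is an unquoted bare number; a file mode should be a quoted octal string, `mode => '0644',`, so Puppet does not reinterpret it. The `require => Exec[...]` lines that would order this config after CA, certificate and DH generation are all commented out, so nothing guarantees `/etc/openvpn/ca.crt` or `/etc/openvpn/${openvpn_configname}/server.key` exists when `Service['openvpn']` is notified; either re-enable them or `require` whatever resource deploys those files. `dh1024.pem` names a 1024-bit Diffie-Hellman group, which is below the commonly recommended 2048-bit minimum; the path suggests the size is fixed by the generator, so confirm what produces it. The block also mixes `server => $openvpn_configname` with `server => "$openvpn_configname"`; the bare variable is the lint-clean form.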
@@ -1,52 +1,52 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca.crt', + #require => Exec["initca $openvpn_configname"], + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => "/etc/openvpn/$openvpn_configname/server.crt", + #require => Exec["generate server cert $openvpn_configname"], + server => $openvpn_configname; + "key $openvpn_configname": key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": + value => "/etc/openvpn/$openvpn_configname/server.key", + #require => Exec["generate server cert $openvpn_configname"], + server => "$openvpn_configname"; + "dh 
$openvpn_configname": key => "dh", value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + #require => Exec["generate dh param $openvpn_configname"], + server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", value => "tun", server => "$openvpn_configname"; - "mode ${openvpn_configname}": + "mode $openvpn_configname": key => 'mode', value => 'server', server => $openvpn_configname; -- cgit v1.2.3 From c067421f34d375c2b39e88a5994353c71ac4c9af Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:48 +0200 Subject: include openvpn keys --- .../site_openvpn/manifests/server_config.pp | 23 ++++++---------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1af08b4a..5a47954a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,14 +1,9 @@ define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name + $openvpn_configname = $name + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, 
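Review bot: The quoting cleanup is incomplete: `key => "key"` in the `key` option and `server => "$openvpn_configname"` in the `key` and `dh` options keep double quotes while the neighbouring `ca`, `cert` and `mode` entries were converted to single-quoted literals and bare `server => $openvpn_configname`. The directory resource also still uses `"/etc/openvpn/${name}"` while the rest of the define refers to the same value as `$openvpn_configname`; using one name makes it clear the two are meant to be identical. The tail of the `openvpn::option` block is outside this hunk.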
@@ -19,28 +14,22 @@ define site_openvpn::server_config($port, $proto) { notify => Service['openvpn']; } - - openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/ca.crt', - #require => Exec["initca $openvpn_configname"], + value => '/etc/openvpn/keys/ca.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/$openvpn_configname/server.crt", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.crt", server => $openvpn_configname; "key $openvpn_configname": key => "key", - value => "/etc/openvpn/$openvpn_configname/server.key", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.key", server => "$openvpn_configname"; "dh $openvpn_configname": key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param $openvpn_configname"], + value => "/etc/openvpn/keys/dh1024.pem", server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", -- cgit v1.2.3 From b59ce36a29a770847368773db543b38c62ea55cf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:05:32 +0200 Subject: adopted most static parameters --- .../site_openvpn/manifests/server_config.pp | 137 ++++++++++----------- 1 file changed, 67 insertions(+), 70 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5a47954a..320a4add 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
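Review bot: Pointing every instance of this define at the shared `/etc/openvpn/keys/server.crt` and `server.key` means all server configs produced from it present the same certificate and key; since every resource title is suffixed with `$openvpn_configname` to allow several instances per host, a per-instance identity is no longer possible here, which deserves a comment if deliberate, e.g. `# all instances share one server identity under /etc/openvpn/keys`. Removing the commented `require => Exec[...]` lines also drops the last trace of ordering between key generation and this config, so the resource that deploys `/etc/openvpn/keys/*` should be a `require` here or on the `concat`. `dh1024.pem` still names a 1024-bit group; confirm the generator and prefer 2048 bits. The define header is outside this hunk.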
@@ -1,8 +1,8 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname = $name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") concat { "/etc/openvpn/$openvpn_configname.conf": 
@@ -21,81 +21,78 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/keys/server.crt", + value => '/etc/openvpn/keys/server.crt', server => $openvpn_configname; "key $openvpn_configname": - key => "key", - value => "/etc/openvpn/keys/server.key", - server => "$openvpn_configname"; + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => $openvpn_configname; "dh $openvpn_configname": - key => "dh", - value => "/etc/openvpn/keys/dh1024.pem", - server => "$openvpn_configname"; + key => 'dh', + value => '/etc/openvpn/keys/dh1024.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode $openvpn_configname": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value 
=> $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $::ipaddress, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => '127.0.0.1 1000', + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push $openvpn_configname": + key => 'push', + value => "\"redirect-gateway def1\"", + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "10.42.0.0 255.255.248.0", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": 
+ key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } -- cgit v1.2.3 From 1ec1b9b56bc821b81f3797ea158846b41cc03853 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:38:57 +0200 Subject: finished site_openvpn::server_config --- puppet/modules/site_openvpn/manifests/server_config.pp | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 320a4add..784152b7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,6 +1,8 @@ -define site_openvpn::server_config($port, $proto) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { + $openvpn_configname = $name + #notice("Creating OpenVPN $openvpn_configname: # Port: $port, Protocol: $proto") @@ -45,7 +47,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "local $openvpn_configname": key => 'local', - value => $::ipaddress, + value => $local, server => $openvpn_configname; "mute $openvpn_configname": key => 'mute', @@ -62,9 +64,13 @@ define site_openvpn::server_config($port, $proto) { key => 'proto', value => $proto, server => $openvpn_configname; - "push $openvpn_configname": + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": key => 'push', - value => "\"redirect-gateway def1\"", + value => '"redirect-gateway def1"', server => $openvpn_configname; "script-security $openvpn_configname": key => 'script-security', 
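Review bot: `status` gets the fixed path `/var/run/openvpn-status` and `management` the fixed endpoint `127.0.0.1 1000`, yet every resource title carries `$openvpn_configname` so that several instances can coexist; two instances would overwrite each other's status file and the second would fail to bind the management port. Use the instance name in both, e.g. `value => "/var/run/openvpn-status-$openvpn_configname 10",`. The management listener also has no password-file argument, so any local process able to connect to that port controls the daemon; OpenVPN accepts a pw-file as the third field of `management` and a unix-socket form, either of which is preferable to an unauthenticated TCP listener. `duplicate-cn` allows many clients to share one certificate, which weakens per-client accountability and revocation, so a comment stating why it is enabled would help. The define header is outside this hunk.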
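Review bot: The signature grows to `($port, $proto, $local, $server, $push)` with no documentation of what each parameter expects; from the later hunks `$server` must be a `network netmask` pair for the `server` directive, `$local` a bind address, and `$push` a complete push value, none of which is obvious from the names. Add a header comment above the `define`, or one comment per parameter, describing the expected format, for example `# $server: network and netmask for the 'server' directive, e.g. '10.42.0.0 255.255.248.0'`. Because `$push` is written into the config verbatim by the `push1` option, a note that callers own the quoting of that value would also help.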
@@ -72,7 +78,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "10.42.0.0 255.255.248.0", + value => "$server", server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From c9b2c36a5e9327c011af1345bdf54a9c4b84d857 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:47:40 +0200 Subject: dh1204.pem -> dh.pen --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 784152b7..d8a8bc0b 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -31,7 +31,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', - value => '/etc/openvpn/keys/dh1024.pem', + value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; "dev $openvpn_configname": -- cgit v1.2.3 From 97e5a3270df10b8fe699a13966ee6b34b864735e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:54:37 +0200 Subject: different parameter for each config --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d8a8bc0b..441a21e3 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,4 +1,4 @@ -define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -58,7 +58,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "management $openvpn_configname": key => 'management', - value => '127.0.0.1 1000', + value => $management, server => $openvpn_configname; "proto $openvpn_configname": key => 'proto', -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 
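Review bot: `value => $management` makes the endpoint caller-supplied, but the directive is still emitted without a password file, so whatever address the caller passes is reachable by any local process that can connect to it. OpenVPN's `management` directive takes an optional pw-file as a third field (and a `unix` socket form), so either the define should document that callers must include it or it should append a managed pw-file itself. A comment such as `# $management must include a pw-file as its third field` would make that contract explicit.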
From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3 From e172773fa29275853649bec14d906d2899bf1de7 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:55:05 -0800 Subject: openvpn -- enforce certain cipher choices on the server --- .../site_openvpn/manifests/server_config.pp | 67 +++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 482c6ab7..6fc3a3c2 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,3 +1,57 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. 
OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', -- cgit v1.2.3 From e8f28cf269fe706ed556f84d6e03d6a574dfa26d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:45:05 +0100 Subject: openvpn: use x509 module to deploy certs (fixes #1064) --- puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
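Review bot: `auth SHA1` contradicts the recommendation recorded in this commit's own header comment ("we just want SHA256"); HMAC-SHA1 is not known to be practically forgeable, but SHA256 is the conservative baseline at negligible cost, so `value => 'SHA256',` is the safer choice and, as the header says, must be mirrored on the client. Pinning `tls-cipher` to the single suite `DHE-RSA-AES128-SHA` also means any client build lacking that suite cannot connect at all, so a comment naming the client configuration that carries the matching `tls-cipher`, `auth` and `cipher` values would help whoever changes one side. The define header is outside this hunk.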
@@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', -- cgit v1.2.3 From a48160a4861dcfffb661bcbf8783ecdb84cbf3e6 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 29 Jan 2013 13:00:40 -0800 Subject: added support for client ca cert in site openvpn. --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index c4f64225..da40529c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -67,6 +67,10 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana } openvpn::option { + "ca $openvpn_configname": + key => 'ca', + value => '/usr/local/share/ca-certificates/leap_client_ca.crt', + server => $openvpn_configname; "ca $openvpn_configname": key => 'ca', value => '/usr/local/share/ca-certificates/leap_openvpn.crt', -- cgit v1.2.3 From d61c7bc52dd86132a96d80d498dd63f1582417be Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:16:19 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') 
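Review bot: The `ca`, `cert` and `key` options now point under `/usr/local/share/ca-certificates` and `/etc/x509`, but nothing in the hunk makes this config depend on the x509 resources that deploy those files, so a fresh host may render the config and notify `Service['openvpn']` before `/etc/x509/keys/leap_openvpn.key` exists; add a `require` on whichever resource manages the key (putting it on the `concat` covers every option at once). The three paths also use different base directories for one identity; a comment saying the CA deliberately lives in the system CA directory would stop the next reader from "fixing" it. The define header and the `concat` declaration are outside this hunk.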
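Review bot: The hunk declares a second `openvpn::option` titled `"ca $openvpn_configname"`, identical to the title of the existing entry directly below it; Puppet rejects duplicate resource titles at catalog compilation, so this fails with a duplicate declaration error before any config is written. OpenVPN also honours only one `ca` directive, so even with a unique title the second entry would not add a trust anchor; the supported way to trust both `leap_client_ca.crt` and `leap_openvpn.crt` is a single bundle file (the certificates concatenated) referenced from one `ca` option. The define header is outside this hunk.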
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index da40529c..68387a90 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -143,7 +143,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "$server", + value => $server, server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From 3c3ed940466eabf9cb56a47614133b5bc90d4ad7 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 31 Jan 2013 04:31:54 -0800 Subject: added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used. --- puppet/modules/site_openvpn/manifests/server_config.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 68387a90..de273b46 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/usr/local/share/ca-certificates/leap_client_ca.crt', - server => $openvpn_configname; - "ca $openvpn_configname": - key => 'ca', - value => '/usr/local/share/ca-certificates/leap_openvpn.crt', + value => '/etc/openvpn/ca_bundle.pem', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', -- cgit v1.2.3
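Review bot: With `/etc/openvpn/ca_bundle.pem` as the single `ca`, any certificate chaining to either CA in the bundle is accepted as a client, so unless client and server certificates are distinguished by extended key usage, a server certificate would also be accepted as a client identity. Adding a `remote-cert-tls client` option (and issuing certificates with the matching EKU) restricts acceptance to certificates marked for client use; confirm the x509 module sets that extension before relying on it. The bundle is also a new file that nothing in this hunk declares or requires; the resource that builds it should be a `require` of the `concat` so the config is never rendered against a missing bundle. The define header is outside this hunk.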