From 98227ad8da45544ef97cb8647c377f399672a4a0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 12:04:20 -0400 Subject: update indentation to be standard Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c --- .../site_openvpn/manifests/server_config.pp | 144 ++++++++++----------- 1 file changed, 72 insertions(+), 72 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index b1f4997c..03cf9394 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -60,12 +60,12 @@ define site_openvpn::server_config( concat { "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File['/etc/openvpn'], - notify => Exec['restart_openvpn']; + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Exec['restart_openvpn']; } if $tls_remote != undef { @@ -79,99 +79,99 @@ define site_openvpn::server_config( openvpn::option { "ca ${openvpn_configname}": - key => 'ca', - value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", - server => $openvpn_configname; + key => 'ca', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", + server => $openvpn_configname; "cert ${openvpn_configname}": - key => 'cert', - value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", + key => 'cert', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": - key => 'key', - value => "${x509::variables::keys}/${site_config::params::cert_name}.key", - server => $openvpn_configname; + key => 'key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", + server => $openvpn_configname; "dh ${openvpn_configname}": - key => 'dh', - value => '/etc/openvpn/keys/dh.pem', - server => $openvpn_configname; + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; "tls-cipher ${openvpn_configname}": - key => 'tls-cipher', - value => $config['tls-cipher'], - server => $openvpn_configname; + key => 'tls-cipher', + value => $config['tls-cipher'], + server => $openvpn_configname; "auth ${openvpn_configname}": - key => 'auth', - value => $config['auth'], - server => $openvpn_configname; + key => 'auth', + value => $config['auth'], + server => $openvpn_configname; "cipher ${openvpn_configname}": - key => 'cipher', - value => $config['cipher'], - server => $openvpn_configname; + key => 'cipher', + value => $config['cipher'], + server => $openvpn_configname; "dev ${openvpn_configname}": - key => 'dev', - value => 'tun', - server => $openvpn_configname; + key => 'dev', + value => 'tun', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": - key => 'duplicate-cn', - server => $openvpn_configname; + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive ${openvpn_configname}": - key => 'keepalive', - value => $config['keepalive'], - server => $openvpn_configname; + key => 'keepalive', + value => $config['keepalive'], + server => $openvpn_configname; "local ${openvpn_configname}": - key => 'local', - value => $local, - server => $openvpn_configname; + key => 'local', + value => $local, + server => $openvpn_configname; "mute ${openvpn_configname}": - key => 'mute', - value => '5', - server => $openvpn_configname; + key => 'mute', + value => '5', + server => $openvpn_configname; "mute-replay-warnings ${openvpn_configname}": - key => 'mute-replay-warnings', - server => $openvpn_configname; + key => 'mute-replay-warnings', + server => $openvpn_configname; "management ${openvpn_configname}": - key => 'management', - value => $management, - server => $openvpn_configname; + key => 'management', + value => $management, + server => $openvpn_configname; "proto ${openvpn_configname}": - key => 'proto', - value => $proto, - server => $openvpn_configname; + key => 'proto', + value => $proto, + server => $openvpn_configname; "push1 ${openvpn_configname}": - key => 'push', - value => $push, - server => $openvpn_configname; + key => 'push', + value => $push, + server => $openvpn_configname; "push2 ${openvpn_configname}": - key => 'push', - value => '"redirect-gateway def1"', - server => $openvpn_configname; + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; "script-security ${openvpn_configname}": - key => 'script-security', - value => '2', - server => $openvpn_configname; + key => 'script-security', + value => '2', + server => $openvpn_configname; "server ${openvpn_configname}": - key => 'server', - value => $server, - server => $openvpn_configname; + key => 'server', + value => $server, + server => $openvpn_configname; "status ${openvpn_configname}": - key => 'status', - value => '/var/run/openvpn-status 10', - server => $openvpn_configname; + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; "status-version ${openvpn_configname}": - key => 'status-version', - value => '3', - server => $openvpn_configname; + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology ${openvpn_configname}": - key => 'topology', - value => 'subnet', - server => $openvpn_configname; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; # no need for server-up.sh right now #"up $openvpn_configname": # key => 'up', # value => '/etc/openvpn/server-up.sh', # server => $openvpn_configname; "verb ${openvpn_configname}": - key => 'verb', - value => '3', - server => $openvpn_configname; + key => 'verb', + value => '3', + server => $openvpn_configname; } } -- cgit v1.2.3 From b5245481bbc1fddfd1b8e6d97e8a07a20d35de6b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 12:05:11 -0400 Subject: make sure concat fragments are put together before the openvpn service is run, otherwise the openvpn service is restarted before config files are deployed (#4154) Change-Id: Ide38615714c1978bb90237986baea530c54153c3 --- puppet/modules/site_openvpn/manifests/server_config.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 03cf9394..3e0ee1a6 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -65,6 +65,7 @@ define site_openvpn::server_config( mode => 644, warn => true, require => File['/etc/openvpn'], + before => Service['openvpn'], notify => Exec['restart_openvpn']; } -- cgit v1.2.3 From 0265eb952691ee91405201836e19384ac2087507 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 16:33:02 -0400 Subject: set the ipv6 configuration options on the server some important things to note: We are hard-coding the pushing of the ipv6 route '2000::/3' and configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a reserved ipv6 prefix that is used for documentation purposes only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html), and the route being pushed redirects all internet-bound traffic. When LEAP fully supports ipv6, these network values should be turned into variables, but for now, to make sure we are blocking any clients that have functional ipv6, this will work. Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5 --- puppet/modules/site_openvpn/manifests/server_config.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 3e0ee1a6..cbc5f68e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -111,6 +111,9 @@ define site_openvpn::server_config( key => 'dev', value => 'tun', server => $openvpn_configname; + "tun-ipv6 ${openvpn_configname}": + key => 'tun-ipv6', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": key => 'duplicate-cn', server => $openvpn_configname; @@ -145,6 +148,10 @@ define site_openvpn::server_config( key => 'push', value => '"redirect-gateway def1"', server => $openvpn_configname; + "push-ipv6 ${openvpn_configname}": + key => 'push', + value => '"route-ipv6 2000::/3"', + server => $openvpn_configname; "script-security ${openvpn_configname}": key => 'script-security', value => '2', @@ -153,6 +160,10 @@ define site_openvpn::server_config( key => 'server', value => $server, server => $openvpn_configname; + "server-ipv6 ${openvpn_configname}": + key => 'server-ipv6', + value => '2001:db8:123::/64', + server => $openvpn_configname; "status ${openvpn_configname}": key => 'status', value => '/var/run/openvpn-status 10', -- cgit v1.2.3 From 3ef044034b51d992d6952a9c6b9d16cba16abc30 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 13 May 2014 02:22:05 -0700 Subject: openvpn server config: script-security should be "1", since we don't need "2"; add tcp-nodelay to tcp servers. --- puppet/modules/site_openvpn/manifests/server_config.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests/server_config.pp') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index cbc5f68e..97cf2842 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -78,6 +78,15 @@ define site_openvpn::server_config( } } + # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization". + if $proto == 'tcp' { + openvpn::option { + "tcp-nodelay ${openvpn_configname}": + key => 'tcp-nodelay', + server => $openvpn_configname; + } + } + openvpn::option { "ca ${openvpn_configname}": key => 'ca', @@ -154,7 +163,7 @@ define site_openvpn::server_config( server => $openvpn_configname; "script-security ${openvpn_configname}": key => 'script-security', - value => '2', + value => '1', server => $openvpn_configname; "server ${openvpn_configname}": key => 'server', @@ -176,11 +185,6 @@ define site_openvpn::server_config( key => 'topology', value => 'subnet', server => $openvpn_configname; - # no need for server-up.sh right now - #"up $openvpn_configname": - # key => 'up', - # value => '/etc/openvpn/server-up.sh', - # server => $openvpn_configname; "verb ${openvpn_configname}": key => 'verb', value => '3', -- cgit v1.2.3