From 075d6fb40ddaace0442a8d5ba9396c9f1849bddc Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 20 Sep 2012 11:50:22 +0200
Subject: beginning of site_openvpn
---
puppet/modules/site_openvpn/manifests/init.pp | 81 +++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 puppet/modules/site_openvpn/manifests/init.pp
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
new file mode 100644
index 00000000..3d753af9
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -0,0 +1,81 @@
+class site_openvpn {
+
+ $openvpn_server=$::fqdn
+
+ openvpn::server {
+ $openvpn_server:
+ country => hiera("country"),
+ province => hiera("province"),
+ city => hiera("city"),
+ organization => hiera("organization"),
+ email => hiera("email");
+ }
+
+# configure server
+
+
+ openvpn::option {
+ "dev $openvpn_server":
+ key => "dev",
+ value => "tun0",
+ server => "$openvpn_server";
+ "script-security $openvpn_server":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_server";
+ "daemon $openvpn_server":
+ key => "daemon",
+ server => "$openvpn_server";
+ "keepalive $openvpn_server":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_server";
+ "ping-timer-rem $openvpn_server":
+ key => "ping-timer-rem",
+ server => "$openvpn_server";
+ "persist-tun $openvpn_server":
+ key => "persist-tun",
+ server => "$openvpn_server";
+ "persist-key $openvpn_server":
+ key => "persist-key",
+ server => "$openvpn_server";
+ "proto $openvpn_server":
+ key => "proto",
+ value => "tcp-server",
+ server => "$openvpn_server";
+ "cipher $openvpn_server":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_server";
+ "local $openvpn_server":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_server";
+ "tls-server $openvpn_server":
+ key => "tls-server",
+ server => "$openvpn_server";
+ "server $openvpn_server":
+ key => "server",
+ value => "10.10.10.0 255.255.255.0",
+ server => "$openvpn_server";
+ "lport $openvpn_server":
+ key => "lport",
+ value => "1194",
+ server => "$openvpn_server";
+ "management $openvpn_server":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_server.sock unix",
+ server => "$openvpn_server";
+ "comp-lzo $openvpn_server":
+ key => "comp-lzo",
+ server => "$openvpn_server";
+ "topology $openvpn_server":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_server";
+ "client-to-client $openvpn_server":
+ key => "client-to-client",
+ server => "$openvpn_server";
+ }
+
+}
-- cgit v1.2.3
From 1c5eb8a64426c93d8118acac52870a6a95f73010 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 21 Sep 2012 15:03:08 +0200
Subject: oved things around
---
puppet/modules/site_openvpn/manifests/init.pp | 79 --------------------
.../site_openvpn/manifests/server_config.pp | 84 ++++++++++++++++++++++
2 files changed, 84 insertions(+), 79 deletions(-)
create mode 100644 puppet/modules/site_openvpn/manifests/server_config.pp
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 3d753af9..7d63d569 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
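Review bot: The `cipher` option in the openvpn::option block pins `BF-CBC`, a 64-bit-block cipher, and `script-security` is set to `3`, the level that additionally exposes client passwords to scripts through the environment even though no script option is declared in this file. Prefer an explicit modern cipher such as `value => "AES-256-CBC"` and `value => "2"` (or lower, since nothing here runs a script) for script-security. `value => $ipaddress` on the `local` option uses an unqualified fact while the same block uses `$::fqdn`; `$::ipaddress` is the consistent top-scope form. These same values are carried into server_config.pp by the following commits.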
@@ -1,81 +1,2 @@
 class site_openvpn {
-
- $openvpn_server=$::fqdn
-
- openvpn::server {
- $openvpn_server:
- country => hiera("country"),
- province => hiera("province"),
- city => hiera("city"),
- organization => hiera("organization"),
- email => hiera("email");
- }
-
-# configure server
-
-
- openvpn::option {
- "dev $openvpn_server":
- key => "dev",
- value => "tun0",
- server => "$openvpn_server";
- "script-security $openvpn_server":
- key => "script-security",
- value => "3",
- server => "$openvpn_server";
- "daemon $openvpn_server":
- key => "daemon",
- server => "$openvpn_server";
- "keepalive $openvpn_server":
- key => "keepalive",
- value => "10 60",
- server => "$openvpn_server";
- "ping-timer-rem $openvpn_server":
- key => "ping-timer-rem",
- server => "$openvpn_server";
- "persist-tun $openvpn_server":
- key => "persist-tun",
- server => "$openvpn_server";
- "persist-key $openvpn_server":
- key => "persist-key",
- server => "$openvpn_server";
- "proto $openvpn_server":
- key => "proto",
- value => "tcp-server",
- server => "$openvpn_server";
- "cipher $openvpn_server":
- key => "cipher",
- value => "BF-CBC",
- server => "$openvpn_server";
- "local $openvpn_server":
- key => "local",
- value => $ipaddress,
- server => "$openvpn_server";
- "tls-server $openvpn_server":
- key => "tls-server",
- server => "$openvpn_server";
- "server $openvpn_server":
- key => "server",
- value => "10.10.10.0 255.255.255.0",
- server => "$openvpn_server";
- "lport $openvpn_server":
- key => "lport",
- value => "1194",
- server => "$openvpn_server";
- "management $openvpn_server":
- key => "management",
- value => "/var/run/openvpn-$openvpn_server.sock unix",
- server => "$openvpn_server";
- "comp-lzo $openvpn_server":
- key => "comp-lzo",
- server => "$openvpn_server";
- "topology $openvpn_server":
- key => "topology",
- value => "subnet",
- server => "$openvpn_server";
- "client-to-client $openvpn_server":
- key => "client-to-client",
- server => "$openvpn_server";
- }
-
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..e0e8db4f
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,84 @@
+define site_openvpn::server_config($port, $protocol) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $protocol")
+
+ $openvpn_server=$::fqdn
+ # we don't need a ca generated
+ #openvpn::server {
+ # $openvpn_configname:
+ # country => hiera("country"),
+ # province => hiera("province"),
+ # city => hiera("city"),
+ # organization => hiera("organization"),
+ # email => hiera("email");
+ #}
+
+ # configure server
+ # all config options need to be "hieraized"
+
+ openvpn::option {
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_server";
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_server";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_server";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_server";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_server";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_server";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_server";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_server";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_server";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_server";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_server";
+ "server $openvpn_configname":
+ key => "server",
+ value => "$server",
+ server => "$openvpn_server";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_server";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_server";
+ "comp-lzo $openvpn_configname":
+ key => "comp-lzo",
+ server => "$openvpn_server";
+ "topology $openvpn_configname":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_server";
+ "client-to-client $openvpn_configname":
+ key => "client-to-client",
+ server => "$openvpn_server";
+ }
+
+}
-- cgit v1.2.3
From 276de1e249b25e5e00c49229132215681aee6467 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 21 Sep 2012 20:26:20 +0200
Subject: basic configuration for openvpn server files
---
puppet/modules/site_openvpn/manifests/init.pp | 41 +++++++++
.../site_openvpn/manifests/server_config.pp | 100 +++++++++++++--------
2 files changed, 105 insertions(+), 36 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7d63d569..c83b98c7 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,2 +1,43 @@
 class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index e0e8db4f..4a130d13 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
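Review bot: The `proto` option interpolates `$proto`, but the define's parameter is named `$protocol`, so the rendered `proto` line most likely ends up empty; the same applies to `value => "$server"` on the `server` option, which has no source in this define now that the hard-coded subnet from init.pp is gone (unless it leaks in from an outer scope, which is not visible here). Either rename the parameter to `$proto` or write `value => "$protocol"`, and add `$server` to the parameter list, e.g. `define site_openvpn::server_config($port, $protocol, $server) {`. `value => $ipaddress` should be `$::ipaddress`, matching the `$::fqdn` used two lines above it.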
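Review bot: `mode => 644` on the `concat` resource is an unquoted number; file modes should be quoted octal strings (`mode => '0644'`), which is also the form keys.pp in this series uses, and later Puppet releases reject the unquoted form. `"openvpn.default.autostart.${name}"` uses `$name` inside a class, where it resolves to the class name, so the title works but reads as if this were a define; a literal title such as `'openvpn.default.autostart'` is clearer. The service's `require => Exec["concat_/etc/default/openvpn"]` ties the manifest to an internal resource name of the concat module; `subscribe => Concat['/etc/default/openvpn']` expresses the same dependency through the module's public interface.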
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,84 +1,112 @@ -define site_openvpn::server_config($port, $protocol) { +define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") + Port: $port, Protocol: $proto") + + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package["openvpn"]; + } + + concat { + "/etc/openvpn/${openvpn_configname}.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File["/etc/openvpn"], + notify => Service["openvpn"]; + } - $openvpn_server=$::fqdn - # we don't need a ca generated - #openvpn::server { - # $openvpn_configname: - # country => hiera("country"), - # province => hiera("province"), - # city => hiera("city"), - # organization => hiera("organization"), - # email => hiera("email"); - #} - # configure server - # all config options need to be "hieraized" openvpn::option { + "ca ${openvpn_configname}": + key => "ca", + value => "/etc/openvpn/ca.crt", + #require => Exec["initca ${openvpn_configname}"], + server => "${openvpn_configname}"; + "cert ${openvpn_configname}": + key => "cert", + value => "/etc/openvpn/${openvpn_configname}/server.crt", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "key ${openvpn_configname}": + key => "key", + value => "/etc/openvpn/${openvpn_configname}/server.key", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "dh ${openvpn_configname}": + key => "dh", + value => "/etc/openvpn/dh1024.pem", + #require => Exec["generate dh param ${openvpn_configname}"], + server => "${openvpn_configname}"; "dev $openvpn_configname": key => "dev", value => "tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; + "mode ${openvpn_configname}": + key => 'mode', + value => 'server', + server => $openvpn_configname; "script-security $openvpn_configname": key => "script-security", value => 
"3", - server => "$openvpn_server"; + server => "$openvpn_configname"; "daemon $openvpn_configname": key => "daemon", - server => "$openvpn_server"; + server => "$openvpn_configname"; "keepalive $openvpn_configname": key => "keepalive", value => "10 60", - server => "$openvpn_server"; + server => "$openvpn_configname"; "ping-timer-rem $openvpn_configname": key => "ping-timer-rem", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-tun $openvpn_configname": key => "persist-tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-key $openvpn_configname": key => "persist-key", - server => "$openvpn_server"; + server => "$openvpn_configname"; "proto $openvpn_configname": key => "proto", value => "$proto", - server => "$openvpn_server"; + server => "$openvpn_configname"; "cipher $openvpn_configname": key => "cipher", value => "BF-CBC", - server => "$openvpn_server"; + server => "$openvpn_configname"; "local $openvpn_configname": key => "local", value => $ipaddress, - server => "$openvpn_server"; + server => "$openvpn_configname"; "tls-server $openvpn_configname": key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_configname": - key => "server", - value => "$server", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"server $openvpn_configname": + # key => "server", + # value => "$server", + # server => "$openvpn_configname"; "lport $openvpn_configname": key => "lport", value => "$port", - server => "$openvpn_server"; + server => "$openvpn_configname"; "management $openvpn_configname": key => "management", value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_server"; + server => "$openvpn_configname"; "comp-lzo $openvpn_configname": key => "comp-lzo", - server => "$openvpn_server"; + server => "$openvpn_configname"; "topology $openvpn_configname": key => "topology", value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_configname": 
- key => "client-to-client", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"client-to-client $openvpn_configname": + # key => "client-to-client", + # server => "$openvpn_configname"; } } -- cgit v1.2.3 From 05fcb0db28279ae7c08b8c76c887f633f78a2947 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:38:01 +0200 Subject: cosmetics for server_config.pp --- .../site_openvpn/manifests/server_config.pp | 66 +++++++++++----------- 1 file changed, 33 insertions(+), 33 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 4a130d13..1af08b4a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
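Review bot: The `dh` option points at `/etc/openvpn/dh1024.pem`, i.e. a 1024-bit Diffie-Hellman group, which is below the 2048-bit minimum generally recommended; nothing in this hunk generates or checks the file, so the name should be changed when the parameters are produced. The `key` option now references `/etc/openvpn/${openvpn_configname}/server.key` and `ca` references `/etc/openvpn/ca.crt`, but only the directory is managed here and the `require => Exec[...]` lines are commented out, so the concat can render a config whose key files do not exist yet. The `file { "/etc/openvpn/${name}" }` directory that will hold the server key is created with default mode; `mode => '0750'` plus `owner => 'root'` is prudent. `cipher BF-CBC` and `script-security 3` are carried over unchanged from init.pp.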
@@ -1,52 +1,52 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca.crt', + #require => Exec["initca $openvpn_configname"], + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => "/etc/openvpn/$openvpn_configname/server.crt", + #require => Exec["generate server cert $openvpn_configname"], + server => $openvpn_configname; + "key $openvpn_configname": key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": + value => "/etc/openvpn/$openvpn_configname/server.key", + #require => Exec["generate server cert $openvpn_configname"], + server => "$openvpn_configname"; + "dh 
$openvpn_configname": key => "dh", value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + #require => Exec["generate dh param $openvpn_configname"], + server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", value => "tun", server => "$openvpn_configname"; - "mode ${openvpn_configname}": + "mode $openvpn_configname": key => 'mode', value => 'server', server => $openvpn_configname; -- cgit v1.2.3 From fc72260f601fb77b90d9f2f2afd2a43c4d5916f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:35:16 +0200 Subject: + site_openvpn::keys --- puppet/modules/site_openvpn/manifests/keys.pp | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 puppet/modules/site_openvpn/manifests/keys.pp (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp new file mode 100644 index 00000000..b31369c9 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -0,0 +1,23 @@ +class site_openvpn::keys { + $openvpn_keys = hiera_hash('openvpn_keys') + + file { '/etc/openvpn/keys/ca.crt': + content => $openvpn_keys['ca'], + mode => '0644', + } + + file { '/etc/openvpn/keys/dh.pem': + content => $openvpn_keys['dh'], + mode => '0644', + } + + file { '/etc/openvpn/keys/server.key': + content => $openvpn_keys['server_key'], + mode => '0600', + } + + file { '/etc/openvpn/keys/server.crt': + content => $openvpn_keys['server_cert'], + mode => '0644', + } +} -- cgit v1.2.3 From e89082114be280c7fd3c7b62863e19ff5c89df26 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:12 +0200 Subject: cosmetics --- puppet/modules/site_openvpn/manifests/init.pp | 59 +++++++++++++++------------ 1 file changed, 32 insertions(+), 27 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') 
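Review bot: The four `file` resources in site_openvpn::keys write key material straight from hiera but set no `owner`/`group`, declare no dependency on the `/etc/openvpn/keys` directory (which this commit does not manage), and leave `show_diff` and `backup` at their defaults, so a changed `server.key` is diffed into the agent output and the old key copied to the filebucket. For the `server.key` resource add `owner => 'root', group => 'root', show_diff => false, backup => false` (where the Puppet version in use supports `show_diff`), plus `require => File['/etc/openvpn/keys']` once the directory is managed. A `notify => Service['openvpn']` on the key and certificate files would also make a rotated key actually take effect.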
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c83b98c7..e95e67d5 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,43 +1,48 @@ class site_openvpn { package { - "openvpn": - ensure => installed; + 'openvpn': + ensure => installed; } service { - "openvpn": - ensure => running, - hasrestart => true, - hasstatus => true, - require => Exec["concat_/etc/default/openvpn"]; + 'openvpn': + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; } + file { - "/etc/openvpn": - ensure => directory, - require => Package["openvpn"]; + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; } - include concat::setup + file { + '/etc/openvpn/keys': + ensure => directory, + require => Package['openvpn']; + } concat { - "/etc/default/openvpn": - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service["openvpn"]; + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; } concat::fragment { - "openvpn.default.header": - content => template("openvpn/etc-default-openvpn.erb"), - target => "/etc/default/openvpn", - order => 01; + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; } - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=all", - target => "/etc/default/openvpn", - order => 10; - } + concat::fragment { + "openvpn.default.autostart.${name}": + content => 'AUTOSTART=all', + target => '/etc/default/openvpn', + order => 10; + } } -- cgit v1.2.3 From c067421f34d375c2b39e88a5994353c71ac4c9af Mon Sep 17 00:00:00 2001 
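Review bot: The new `file { '/etc/openvpn/keys' }` directory is created with default permissions although site_openvpn::keys places `server.key` (and, later in this series, `ca.key`) inside it; set `owner => 'root', group => 'root', mode => '0750'` so the directory is not world-readable. `mode => 644` on the concat is still an unquoted number; `'0644'` matches the quoted form used in keys.pp. The commit also drops `include concat::setup`, which is fine only if the concat module version in use no longer needs it — that module is not on this page, so it is worth confirming.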
From: varac Date: Thu, 4 Oct 2012 22:36:48 +0200 Subject: include openvpn keys --- .../site_openvpn/manifests/server_config.pp | 23 ++++++---------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1af08b4a..5a47954a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,14 +1,9 @@ define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name + $openvpn_configname = $name + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, @@ -19,28 +14,22 @@ define site_openvpn::server_config($port, $proto) { notify => Service['openvpn']; } - - openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/ca.crt', - #require => Exec["initca $openvpn_configname"], + value => '/etc/openvpn/keys/ca.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/$openvpn_configname/server.crt", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.crt", server => $openvpn_configname; "key $openvpn_configname": key => "key", - value => "/etc/openvpn/$openvpn_configname/server.key", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.key", server => "$openvpn_configname"; "dh $openvpn_configname": key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param $openvpn_configname"], + value => "/etc/openvpn/keys/dh1024.pem", server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", -- cgit v1.2.3 
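Review bot: The `ca`, `cert`, `key` and `dh` options now point into `/etc/openvpn/keys/`, which is populated by site_openvpn::keys, but in the visible hunks the define neither includes that class nor declares a dependency on it, so the service can be (re)started with a config referencing files that have not been written yet. Adding `require => Class['site_openvpn::keys']` to the `concat` resource in the first hunk pins the order. Separately, the `dh` option names `dh1024.pem` while keys.pp writes `dh.pem`; a later commit in this series renames it, but at this commit the path is dangling.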
From b59ce36a29a770847368773db543b38c62ea55cf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:05:32 +0200 Subject: adopted most static parameters --- .../site_openvpn/manifests/server_config.pp | 137 ++++++++++----------- 1 file changed, 67 insertions(+), 70 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5a47954a..320a4add 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,8 +1,8 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname = $name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") concat { "/etc/openvpn/$openvpn_configname.conf": 
@@ -21,81 +21,78 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/keys/server.crt", + value => '/etc/openvpn/keys/server.crt', server => $openvpn_configname; "key $openvpn_configname": - key => "key", - value => "/etc/openvpn/keys/server.key", - server => "$openvpn_configname"; + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => $openvpn_configname; "dh $openvpn_configname": - key => "dh", - value => "/etc/openvpn/keys/dh1024.pem", - server => "$openvpn_configname"; + key => 'dh', + value => '/etc/openvpn/keys/dh1024.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode $openvpn_configname": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value 
=> $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $::ipaddress, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => '127.0.0.1 1000', + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push $openvpn_configname": + key => 'push', + value => "\"redirect-gateway def1\"", + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "10.42.0.0 255.255.248.0", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": 
+ key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } -- cgit v1.2.3 From 1ec1b9b56bc821b81f3797ea158846b41cc03853 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:38:57 +0200 Subject: finished site_openvpn::server_config --- puppet/modules/site_openvpn/manifests/server_config.pp | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 320a4add..784152b7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,6 +1,8 @@ -define site_openvpn::server_config($port, $proto) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { + $openvpn_configname = $name + #notice("Creating OpenVPN $openvpn_configname: # Port: $port, Protocol: $proto") @@ -45,7 +47,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "local $openvpn_configname": key => 'local', - value => $::ipaddress, + value => $local, server => $openvpn_configname; "mute $openvpn_configname": key => 'mute', @@ -62,9 +64,13 @@ define site_openvpn::server_config($port, $proto) { key => 'proto', value => $proto, server => $openvpn_configname; - "push $openvpn_configname": + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": key => 'push', - value => "\"redirect-gateway def1\"", + value => '"redirect-gateway def1"', server => $openvpn_configname; "script-security $openvpn_configname": key => 'script-security', 
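Review bot: The `management` option is set to `127.0.0.1 1000` with no password-file argument, so any local process that can connect to that loopback port can control the daemon (list or kill sessions, change verbosity); OpenVPN accepts an optional third argument naming a password file, or the previous unix-socket form with restricted permissions, and one of them should be used. `duplicate-cn` lets several clients connect with the same certificate, so a copied client cert is indistinguishable from its legitimate owner; if that is intended, a comment saying why would help. The `cipher` line is removed rather than replaced, which falls back to OpenVPN's built-in default (BF-CBC in releases of that era) — keep an explicit modern cipher such as `value => 'AES-256-CBC'`. `script-security 2` is retained and is now justified only by the new `up` script.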
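Review bot: The define now takes `$local`, `$server` and `$push` as required parameters and interpolates them straight into the config through the `local`, `server`, `push1` and `push2` options with no documentation of their expected form; a comment on the signature line such as `# $server: 'network netmask'; $push: one quoted push directive; $local: address to bind` would tell callers what is safe to pass. `value => "$server"` in the `@@ -72,7 +78,7 @@` hunk on the following line quotes a variable-only string; `value => $server` matches the surrounding style.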
@@ -72,7 +78,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "10.42.0.0 255.255.248.0", + value => "$server", server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From c9b2c36a5e9327c011af1345bdf54a9c4b84d857 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:47:40 +0200 Subject: dh1204.pem -> dh.pen --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 784152b7..d8a8bc0b 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -31,7 +31,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', - value => '/etc/openvpn/keys/dh1024.pem', + value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; "dev $openvpn_configname": -- cgit v1.2.3 From 97e5a3270df10b8fe699a13966ee6b34b864735e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:54:37 +0200 Subject: different parameter for each config --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d8a8bc0b..441a21e3 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,4 +1,4 @@ -define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -58,7 +58,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "management $openvpn_configname": key => 'management', - value => '127.0.0.1 1000', + value => $management, server => $openvpn_configname; "proto $openvpn_configname": key => 'proto', -- cgit v1.2.3 From 9fc9b19057fcf322e8d3fcaead0032859f873f53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Oct 2012 19:49:48 +0200 Subject: renamed hiera keys to work with leap_cli --- puppet/modules/site_openvpn/manifests/keys.pp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index b31369c9..d029fbac 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,13 +1,18 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn_keys') + $openvpn_keys = hiera_hash('openvpn') + + file { '/etc/openvpn/keys/ca.key': + content => $openvpn_keys['ca_key'], + mode => '0600', + } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca'], + content => $openvpn_keys['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $openvpn_keys['dh_key'], mode => '0644', } @@ -17,7 +22,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_cert'], + content => $openvpn_keys['server_crt'], mode => '0644', } } -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 
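Review bot: `value => $management` lets each caller pick where the OpenVPN management interface listens, but the define never supplies the optional password-file argument that the `management` directive accepts, so whatever address is chosen the control socket is reachable without authentication by anything that can connect to it. On loopback that is limited to local users of the gateway; if a caller ever passes a non-loopback address it becomes a remote control channel. The parameter deserves a comment fixing the expected `127.0.0.1 <port>` form, and a `pw-file` argument is worth considering even for loopback.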
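Review bot: `file { '/etc/openvpn/keys/ca.key': }` deploys the CA's private signing key onto the VPN gateway, which only needs `ca.crt` to verify client certificates; keeping the signing key on an internet-facing node extends the impact of a gateway compromise to the whole client PKI. The `file` resources in this hunk set `mode` but no `owner`/`group`, so the 0600 on `ca.key` protects whichever user the agent runs as rather than an explicit `root`. The same `ca_key` entry is carried forward in the e198cbf8 keys.pp hunk of the later "deploy openvpn server.crt and server.key" commit.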
From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3 
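Review bot: The four commented-out `up` lines are dead configuration left inside the define; since the removed `server-up.sh` hook is preserved in history, deleting them and keeping only `# no need for server-up.sh right now` (or nothing) reads cleaner. The `script-security` option visible earlier in this define (its value is not shown in this hunk) was presumably there for that hook; with no `up`/`down` script left, it is worth checking whether it can be dropped or lowered, since it controls which external programs OpenVPN is allowed to execute.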
From a6daa12966867acae7885f48bc2cdee4553f9099 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 21 Nov 2012 17:29:54 +0100 Subject: hiera variable for openvpn dh parameters changed --- puppet/modules/site_openvpn/manifests/keys.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index d029fbac..47d0fa26 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -12,7 +12,7 @@ class site_openvpn::keys {
 }
 file { '/etc/openvpn/keys/dh.pem':
- content => $openvpn_keys['dh_key'],
+ content => $openvpn_keys['dh'],
 mode => '0644',
 }
-- cgit v1.2.3
From c2d57624c15dfaff038f9991f04ade46b5ad1d40 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 21 Nov 2012 17:45:44 +0100 Subject: move site_config::eip to site_openvpn (Feature #943) --- puppet/modules/site_openvpn/manifests/init.pp | 55 +++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e95e67d5..7268fe76 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,4 +1,59 @@ class site_openvpn { + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, + management => '127.0.0.1 1001' + } + + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + + include site_shorewall::eip + package { 'openvpn': ensure => installed; -- cgit v1.2.3 From 96d60568648555e28effd1398a791241a7ad3f7a Mon Sep 17 00:00:00 2001 
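Review bot: `exec { '/usr/local/bin/leap_add_second_ip.sh': }` has a `subscribe` but no `refreshonly => true`, so the script runs on every agent run and the exec reports a change each time; the script's own `grep -q` guard makes that harmless, but the `subscribe` suggests run-on-change was the intent. `include site_openvpn` inside `class site_openvpn` is a self-include and can be dropped. The script body also interpolates `$interface` and `$openvpn_gateway_address` unquoted into a shell command line; they are operator-supplied hiera values, but a comment stating the expected forms (an interface name and a bare IPv4 address) — or a regex check on them — would keep a stray value from rewriting the command.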
From: varac Date: Thu, 22 Nov 2012 17:07:08 +0100 Subject: deploy openvpn server.crt and server.key --- puppet/modules/site_openvpn/manifests/init.pp | 1 + puppet/modules/site_openvpn/manifests/keys.pp | 11 +++++------ 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7268fe76..ae24b276 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -11,6 +11,7 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $x509_config = hiera('x509') include site_openvpn diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 47d0fa26..e198cbf8 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,28 +1,27 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn') file { '/etc/openvpn/keys/ca.key': - content => $openvpn_keys['ca_key'], + content => $site_openvpn::openvpn_config['ca_key'], mode => '0600', } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca_crt'], + content => $site_openvpn::openvpn_config['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $site_openvpn::openvpn_config['dh'], mode => '0644', } file { '/etc/openvpn/keys/server.key': - content => $openvpn_keys['server_key'], + content => $site_openvpn::x509_config['key'], mode => '0600', } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_crt'], + content => $site_openvpn::x509_config['cert'], mode => '0644', } } -- cgit v1.2.3 From f3704fc0ac81ca6ccb7e7d19ae931d9c391f3975 Mon Sep 17 00:00:00 2001 
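Review bot: keys.pp now reads `$site_openvpn::openvpn_config` and `$site_openvpn::x509_config` from the parent class, which only works because `site_openvpn` assigns them before `include site_openvpn::keys` (the init.pp hunk above shows `$x509_config = hiera('x509')` landing just ahead of that include). A one-line comment at the top of `class site_openvpn::keys` stating that it must be included from `site_openvpn` after those variables are set would make the ordering dependency explicit for anyone who later includes the class on its own.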
From: elijah Date: Thu, 22 Nov 2012 11:43:23 -0800 Subject: clean up openvpn and x509 paths --- puppet/modules/site_openvpn/manifests/keys.pp | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index e198cbf8..12c1bd8f 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,17 +1,12 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.key': - content => $site_openvpn::openvpn_config['ca_key'], - mode => '0600', - } - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::openvpn_config['ca_crt'], + content => $site_openvpn::x509_config['ca_cert'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::openvpn_config['dh'], + content => $site_openvpn::x509_config['dh'], mode => '0644', } -- cgit v1.2.3 From e172773fa29275853649bec14d906d2899bf1de7 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:55:05 -0800 Subject: openvpn -- enforce certain cipher choices on the server --- .../site_openvpn/manifests/server_config.pp | 67 +++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 482c6ab7..6fc3a3c2 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,3 +1,57 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. 
OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', -- cgit v1.2.3 From d70b723f17a6ff7d22a044fe57f1e8438eef5ae7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 23 Nov 2012 19:37:22 +0100 Subject: enable ip_forwarding #1029 --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index ae24b276..548d1df2 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
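Review bot: The `tls-cipher DHE-RSA-AES128-SHA` pin puts the control-channel key exchange on the strength of the DH parameters in `/etc/openvpn/keys/dh.pem` (the `dh` entry directly above it in this hunk); an earlier commit in this series renamed that file from `dh1024.pem`, so if the deployed parameters are still 1024-bit the ephemeral exchange offers less than the AES-128 the comment block argues for, and a 2048-bit or larger group should be generated — worth confirming what the x509 data actually carries. The header comment says `auth` and `cipher` must match on the client; `tls-cipher` must be compatible too, and naming where the client-side values are kept in sync would help. If it is not set elsewhere in the define, `tls-auth` would additionally authenticate control-channel packets before the TLS handshake starts.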
@@ -39,7 +39,9 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward +", mode => '0755', } -- cgit v1.2.3 From e8f28cf269fe706ed556f84d6e03d6a574dfa26d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:45:05 +0100 Subject: openvpn: use x509 module to deploy certs (fixes #1064) --- puppet/modules/site_openvpn/manifests/keys.pp | 26 +++++++++++++--------- .../site_openvpn/manifests/server_config.pp | 6 ++--- 2 files changed, 18 insertions(+), 14 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 12c1bd8f..4c43ec05 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp 
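Review bot: `/bin/echo 1 > /proc/sys/net/ipv4/ip_forward` enables forwarding for the whole host as a side effect of a script named for adding an IP, and it is not recorded anywhere a reader of the sysctl configuration would look; the `@reboot` cron re-applies it, but the intent is invisible. Managing it as its own sysctl setting (a dedicated resource, or a commented line in the sysctl configuration) documents what the gateway is doing. With forwarding on, the host routes between all of its interfaces, so the `site_shorewall::eip` policy included elsewhere in this class (see the c2d5762 hunk) needs to limit forwarded traffic to the VPN subnets.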
@@ -1,22 +1,26 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::x509_config['ca_cert'], - mode => '0644', + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.key': - content => $site_openvpn::x509_config['key'], - mode => '0600', + x509::ca { + 'leap_openvpn': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.crt': - content => $site_openvpn::x509_config['cert'], + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], mode => '0644', } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', -- cgit v1.2.3 From e9ddc9e157ca6491594ac3434d1838a51daa0218 Mon Sep 17 00:00:00 2001 
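Review bot: `file { '/etc/openvpn/keys/dh.pem': }` is the one resource in this hunk without `notify => Service[openvpn]`, so a regenerated DH parameter set is written to disk but the running daemon keeps using the old one until something else restarts it. Adding `notify => Service[openvpn],` keeps it consistent with the three `x509::*` resources above it.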
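Review bot: The `ca` option now points at `/usr/local/share/ca-certificates/leap_openvpn.crt`, which is the directory Debian's `update-ca-certificates` scans when it extends the system-wide trust store. If `x509::ca` places the VPN CA there and runs that tool, every TLS client on the gateway will trust certificates issued by the VPN CA, not just OpenVPN — a wider trust scope than the previous private `/etc/openvpn/keys/ca.crt` gave. If that is intended, a comment on the `ca` entry saying so would help; otherwise a private copy for OpenVPN is the narrower choice.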
From: Micah Anderson Date: Wed, 16 Jan 2013 10:53:37 -0500 Subject: remove unnecessary include that was left over from c2d57624c15dfaff038f9991f04ade46b5ad1d40: --- puppet/modules/site_openvpn/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 548d1df2..5505b8fc 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -13,8 +13,6 @@ class site_openvpn {
 $openvpn_udp_cidr = '21'
 $x509_config = hiera('x509')
- include site_openvpn
-
 # deploy ca + server keys
 include site_openvpn::keys
-- cgit v1.2.3
From 5385602a435acb92e1588f74296b6a5339385199 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:54:32 -0500 Subject: setup site_unbound with a basic caching-only configuration and include that on the openvpn gateway (see #1172) --- puppet/modules/site_openvpn/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 5505b8fc..d3c3e387 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -13,6 +13,8 @@ class site_openvpn {
 $openvpn_udp_cidr = '21'
 $x509_config = hiera('x509')
+ include site_unbound
+
 # deploy ca + server keys
 include site_openvpn::keys
-- cgit v1.2.3
From 6375cda36fc21687c59095e4750189b65a2c3b52 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 16 Jan 2013 14:53:09 -0500 Subject: update unbound submodule to fix infinite service restart problem --- puppet/modules/site_openvpn/manifests/init.pp | 5 +++-- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/resolver.pp (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index d3c3e387..4606179c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,8 +13,6 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') - include site_unbound - # deploy ca + server keys include site_openvpn::keys @@ -55,6 +53,9 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a special => 'reboot', } + # setup the resolver to listen on the vpn IP + include site_openvpn::resolver + include site_shorewall::eip package { diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp new file mode 100644 index 00000000..0f0510c1 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -0,0 +1,8 @@ +class site_openvpn::resolver { + + file { '/etc/unbound/conf.d/vpn_resolver': + content => "interface: $openvpn_gateway_address\n", + owner => root, group => root, mode => '0644', + require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + } +} -- cgit v1.2.3 From 4c649b08e215b229c280d0f15730418033b13fb9 Mon Sep 17 00:00:00 2001 
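Review bot: `$openvpn_gateway_address` is used unqualified inside `class site_openvpn::resolver`, so it resolves through dynamic scope from whichever class included it; that lookup is deprecated and silently yields an empty `interface:` line if the class is ever included from elsewhere, so `$site_openvpn::openvpn_gateway_address` is the safe form. Binding unbound to the gateway address with no `access-control` line also makes it answer for anyone who can reach that address; if the address is routable beyond the VPN, that is an open recursive resolver. Restricting `access-control` to the VPN subnets, or listening on the tunnel-side addresses, keeps the service internal.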
From: Micah Anderson Date: Wed, 16 Jan 2013 14:54:49 -0500 Subject: setup openvpn gateway resolver to listen on the udp/tcp virtual network ips so that queries can be made from clients on the vpn --- puppet/modules/site_openvpn/manifests/resolver.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 0f0510c1..eaa765fe 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,8 +1,14 @@ class site_openvpn::resolver { - file { '/etc/unbound/conf.d/vpn_resolver': - content => "interface: $openvpn_gateway_address\n", - owner => root, group => root, mode => '0644', - require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + file { + '/etc/unbound/conf.d/vpn_udp_resolver': + content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; + + '/etc/unbound/conf.d/vpn_tcp_resolver': + content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; } } -- cgit v1.2.3 From 03d2b1aec2a9ccd61f4804277c80541698f1dab8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 13:56:47 -0500 Subject: fix unbound access control --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index eaa765fe..57a2d147 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp 
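Review bot: unbound's `access-control` directive takes `<netblock> <action>`, and the generated line (e.g. `access-control: 10.2.0.0/255.255.248.0` from the prefix and netmask set in init.pp) has neither an action nor a prefix length — the `$openvpn_*_netmask` variables hold dotted masks, while the `$openvpn_*_cidr` values already defined in init.pp are what belongs after the slash. The 03d2b1a hunk that follows adds `allow` but keeps the dotted mask. Both `content` strings in this hunk need the form `${openvpn_udp_network_prefix}.0/${openvpn_udp_cidr} allow` (and the tcp counterpart).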
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -2,12 +2,12 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n",
+ content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n",
+ content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 }
-- cgit v1.2.3
From ad3da4a59aebb6b7facc2e6616d8b81039b29892 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:17:18 -0500 Subject: unfortunately the version of unbound that is in wheezy does not support wildcard include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead. --- puppet/modules/site_openvpn/manifests/resolver.pp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 57a2d147..c8ef729c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,25 @@ class site_openvpn::resolver { + # this is an unfortunate way to get around the fact that the version of + # unbound we are working with does not accept a wildcard include directive + # (/etc/unbound/conf.d/*), when it does, these line definitions should + # go away and instead the caching_resolver should be configured to + # include: /etc/unbound/conf.d/* + + line { + 'add_tcp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound']; + + 'add_udp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound']; + } + file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", -- cgit v1.2.3 From 7444310ba919a871cbe646501c784af3f81f3d47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:21:15 -0500 Subject: fully qualify the variables that are used in the vpn gateway resolver --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c8ef729c..c695b49a 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
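Review bot: The two `line` resources notify `Service['unbound']` but carry no `require` on the `File['/etc/unbound/conf.d/vpn_*_resolver']` resources whose paths they splice into unbound.conf, so on a first run unbound can be restarted with an `include:` that points at a file not yet written (the file resources are themselves gated on `Service['openvpn']`), and it will refuse to start until a later run. Adding `require => File['/etc/unbound/conf.d/vpn_tcp_resolver'],` to `add_tcp_resolver` and the udp counterpart to `add_udp_resolver` fixes the ordering. The `file` block that follows the `line` block continues past the end of this hunk.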
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From 9d66c6712028c95212dba7a8d5a870efc70ce204 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:33:22 -0500 Subject: change to using the CIDR notation for unbound access list --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c695b49a..d77fd8b0 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From 1c348dee62a30e33f7e00b9584629c89dcac016a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:35:14 -0500 Subject: fix typo in cidr variable name --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d77fd8b0..590af8ac 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
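Review bot: `${site_openvpn::openvpn_udp_cdr}` and `${site_openvpn::openvpn_tcp_cdr}` do not match the `$openvpn_udp_cidr` / `$openvpn_tcp_cidr` names assigned in init.pp, so each interpolates to an empty string and the generated line reads `access-control: <prefix>.0/ allow`, which unbound will reject at start-up. Both occurrences need `cidr`.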
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From fdcc33d4491470d88e1ab7e9869a3236d1e2c5fe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:38:11 -0500 Subject: notify unbound when these configuration files change --- puppet/modules/site_openvpn/manifests/resolver.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 590af8ac..d3963c95 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -23,12 +23,14 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; } } -- cgit v1.2.3 From 6ebc2b495d9ea920770823cd08ae4eb881b684f7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:23:52 -0500 Subject: add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the ipaddress_${interface} fact). Switch the hiera lookups of the $interface, which was pulling from the .json to pull instead from the above fact, see #1547 and #1548 --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4606179c..a9fa8b2b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,7 +1,7 @@
 class site_openvpn {
 # parse hiera config
 $ip_address = hiera('ip_address')
- $interface = hiera('interface')
+ $interface = getvar("$::{ip_address}_interface")
 #$gateway_address = hiera('gateway_address')
 $openvpn_config = hiera('openvpn')
 $openvpn_gateway_address = $openvpn_config['gateway_address']
-- cgit v1.2.3
From bdf7beb1594b480bd438625b33f27403d2ab5959 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sun, 27 Jan 2013 20:24:29 -0500
Subject: enclose the variables in curly braces, as recommended by puppet-lint
---
 puppet/modules/site_openvpn/manifests/init.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index a9fa8b2b..4e13bb5d 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -21,15 +21,15 @@ class site_openvpn {
 port => '1194',
 proto => 'tcp',
 local => $openvpn_gateway_address,
- server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
- push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
+ server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
 management => '127.0.0.1 1000'
 }
 site_openvpn::server_config { 'udp_config':
 port => '1194',
 proto => 'udp',
- server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
- push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+ server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
 local => $openvpn_gateway_address,
 management => '127.0.0.1 1001'
 }
-- cgit v1.2.3
From d6b334a20dcf495ea0b9cb7247c0e20d478dbbba Mon Sep 17 00:00:00 2001
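Review bot: The new `$interface` lookup has no guard for a host on which no fact matches the configured `$ip_address`: `getvar()` then yields undef and the class carries on with an empty interface, so whatever is later bound to it fails far from here and without a message naming the cause. A check directly after the assignment, `if $interface == undef { fail("no interface holds ${ip_address}") }`, stops the catalog at the point where the assumption breaks. The same gap is present in the two re-spellings of this lookup in 0e1f5ab9 and a3edca19 further down. The body of `class site_openvpn` continues past the end of this hunk.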
From: Micah Anderson
Date: Tue, 29 Jan 2013 11:37:42 -0500
Subject: fix syntax error from enclosing variables in curly
---
 puppet/modules/site_openvpn/manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4e13bb5d..b4c573e7 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -21,14 +21,14 @@ class site_openvpn {
 port => '1194',
 proto => 'tcp',
 local => $openvpn_gateway_address,
- server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}",
+ server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
 push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
 management => '127.0.0.1 1000'
 }
 site_openvpn::server_config { 'udp_config':
 port => '1194',
 proto => 'udp',
- server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}",
+ server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
 push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
 local => $openvpn_gateway_address,
 management => '127.0.0.1 1001'
-- cgit v1.2.3
From 0e1f5ab91e7a613da7ec15495f05386a98626b08 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 29 Jan 2013 11:54:53 -0500
Subject: fix variable scoping
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index b4c573e7..d777aa81 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,7 +1,7 @@
 class site_openvpn {
 # parse hiera config
 $ip_address = hiera('ip_address')
- $interface = getvar("$::{ip_address}_interface")
+ $interface = getvar("${ip_address}_interface")
 #$gateway_address = hiera('gateway_address')
 $openvpn_config = hiera('openvpn')
 $openvpn_gateway_address = $openvpn_config['gateway_address']
-- cgit v1.2.3
From a3edca1924353a797fffd8fb8506d8be86d930d3 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 29 Jan 2013 13:20:05 -0500
Subject: fix variable name for re-ordered fact
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index d777aa81..0ddb01ae 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,7 +1,7 @@
 class site_openvpn {
 # parse hiera config
 $ip_address = hiera('ip_address')
- $interface = getvar("${ip_address}_interface")
+ $interface = getvar("interface_${ip_address}")
 #$gateway_address = hiera('gateway_address')
 $openvpn_config = hiera('openvpn')
 $openvpn_gateway_address = $openvpn_config['gateway_address']
-- cgit v1.2.3
From a48160a4861dcfffb661bcbf8783ecdb84cbf3e6 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 29 Jan 2013 13:00:40 -0800
Subject: added support for client ca cert in site openvpn.
---
 puppet/modules/site_openvpn/manifests/keys.pp | 6 ++++++
 puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++++
 2 files changed, 10 insertions(+)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 4c43ec05..78902676 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -12,6 +12,12 @@ class site_openvpn::keys {
 notify => Service[openvpn];
 }
+ x509::ca {
+ 'leap_client_ca':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ notify => Service[openvpn];
+ }
+
 x509::ca {
 'leap_openvpn':
 content => $site_openvpn::x509_config['ca_cert'],
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index c4f64225..da40529c 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -67,6 +67,10 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
 }
 openvpn::option {
+ "ca $openvpn_configname":
+ key => 'ca',
+ value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
+ server => $openvpn_configname;
 "ca $openvpn_configname":
 key => 'ca',
 value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
-- cgit v1.2.3
From d61c7bc52dd86132a96d80d498dd63f1582417be Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 30 Jan 2013 15:16:19 +0100
Subject: linted
---
 puppet/modules/site_openvpn/manifests/server_config.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index da40529c..68387a90 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -143,7 +143,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
 server => $openvpn_configname;
 "server $openvpn_configname":
 key => 'server',
- value => "$server",
+ value => $server,
 server => $openvpn_configname;
 "status $openvpn_configname":
 key => 'status',
-- cgit v1.2.3
From dda36946d405301d9123bb455753650920d0756a Mon Sep 17 00:00:00 2001
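Review bot: The added `"ca $openvpn_configname"` resource in server_config.pp reuses the title of the existing one right below it, so Puppet rejects the catalog as a duplicate declaration instead of writing two `ca` lines; and even with distinct titles OpenVPN's `ca` directive names one file, so a second option cannot add a second trust anchor. Accepting client certificates from either CA needs a single file that holds both certificates, referenced from one `ca` option. The path under `/usr/local/share/ca-certificates` also suggests the client CA is being placed where the host-wide trust store is built from, which is broader trust than the VPN needs — worth confirming what `x509::ca` does with it. The `openvpn::option` declaration and the enclosing define continue past the end of this hunk.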
From: varac
Date: Thu, 31 Jan 2013 11:52:32 +0100
Subject: tag 'service' for all service classes
---
 puppet/modules/site_openvpn/manifests/init.pp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 0ddb01ae..df4277cd 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,4 +1,5 @@
 class site_openvpn {
+ tag 'service'
 # parse hiera config
 $ip_address = hiera('ip_address')
 $interface = getvar("interface_${ip_address}")
-- cgit v1.2.3
From 3c3ed940466eabf9cb56a47614133b5bc90d4ad7 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 31 Jan 2013 04:31:54 -0800
Subject: added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used.
---
 puppet/modules/site_openvpn/manifests/keys.pp | 33 +++++++++++++++++-----
 .../site_openvpn/manifests/server_config.pp | 6 +---
 2 files changed, 27 insertions(+), 12 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
 }
 x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
 content => $site_openvpn::x509_config['ca_cert'],
 notify => Service[openvpn];
 }
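Review bot: Dropping the `'leap_client_ca'` resource and renaming `'leap_openvpn'` to `'leap_ca'` does not undo what those resources already deployed: a host that applied a48160a4 keeps the files under the old names (the `ca` options in server_config.pp pointed at `/usr/local/share/ca-certificates/leap_client_ca.crt` and `leap_openvpn.crt`), and if that directory feeds the host-wide trust store as its name suggests, both CAs stay trusted there until something removes them. An explicit removal for the old names — `ensure => absent` on the defined type if `x509::ca` supports it, otherwise a `file { ... ensure => absent }` on the installed paths — keeps the live trust configuration equal to what the manifest declares. The body of `class site_openvpn::keys` continues outside this hunk.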
@@ -29,4 +23,29 @@ class site_openvpn::keys {
 mode => '0644',
 }
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+
+ concat {
+ '/etc/openvpn/ca_bundle.pem':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'client_ca_cert':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ 'ca_cert':
+ content => $site_openvpn::x509_config['ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ }
+
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 68387a90..de273b46 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
 openvpn::option {
 "ca $openvpn_configname":
 key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
- server => $openvpn_configname;
- "ca $openvpn_configname":
- key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
+ value => '/etc/openvpn/ca_bundle.pem',
 server => $openvpn_configname;
 "cert $openvpn_configname":
 key => 'cert',
-- cgit v1.2.3
From e6fe80f9460b8bc013068e1dda8be6230b8d60a4 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 31 Jan 2013 19:09:19 +0100
Subject: tag 'base' is a bad idea because it invokes apache::base as well
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
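Review bot: `mode => 644` on the new `concat` resource is unquoted and lacks the leading zero, unlike the `'0644'` used for the other file in this class (visible in the context line at the top of the hunk); `mode => '0644',` keeps the file consistent and quiet under puppet-lint. Whether the bundle parses also depends on each fragment ending in a newline: if the `client_ca_cert` value is stored without a trailing newline, the END line of the first certificate runs into the BEGIN line of the second and OpenVPN sees one malformed block, so appending one in the fragment (`content => "${site_openvpn::x509_config['client_ca_cert']}\n",`, likewise for `ca_cert`) removes that dependence on how the values were stored. The header of `class site_openvpn::keys` is outside this hunk.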
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index df4277cd..e3d2a9af 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,5 +1,5 @@
 class site_openvpn {
- tag 'service'
+ tag 'leap_service'
 # parse hiera config
 $ip_address = hiera('ip_address')
 $interface = getvar("interface_${ip_address}")
-- cgit v1.2.3