From 717bd0f1061cbc4cd22a22f87b9b00ddf469f2fc Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 13 Oct 2015 12:01:53 -0400
Subject: Make syslog stop logging the icmpv6_send: no reply to icmp error messages, these are spamming provider's logs and will continue to do so until we have ipv6 working for the VPN (#6540) Change-Id: I80673bb64d8239e478bc042794929640f7a7cc39
---
 puppet/modules/site_openvpn/manifests/init.pp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..ede35a9e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -229,6 +229,13 @@ class site_openvpn {
 }
 leap::logfile { 'openvpn': }
+
+ # Because we currently do not support ipv6 and instead block it (so no leaks
+ # happen), we get a large number of these messages, so we ignore them (#6540)
+ rsyslog::snippet { '01-ignore_icmpv6_send':
+ content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+ }
+
 include site_check_mk::agent::openvpn
 }
-- cgit v1.2.3
From 428ff11ca95ba91a529dff7ba3a8a40c854aa39b Mon Sep 17 00:00:00 2001
From: varac
Date: Sat, 16 Jan 2016 15:27:48 +0100
Subject: [bug] Enable openvpn services on jessie - Tested: [unstable.bitmask.net] - Resolves: #7798
---
 puppet/modules/site_openvpn/manifests/server_config.pp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 221c79a7..d7f6f9eb 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
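Review bot: The `content` line discards on message text alone, so any syslog line containing "icmpv6_send: no reply to icmp error" is dropped whatever its facility, not only the kernel's, and the `01-` prefix presumably orders the discard ahead of every other snippet, so the lines never reach a remote log target either. Scoping the match to the kernel facility would keep the filter from hiding an unrelated process that happens to log the same text. A comment inside the snippet should also record that the rule is a stopgap, e.g. `# TODO(#6540): remove this discard once the VPN supports ipv6`. The enclosing class site_openvpn starts outside the hunk.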
@@ -204,4 +204,17 @@ define site_openvpn::server_config(
 value => '3',
 server => $openvpn_configname;
 }
+
+ # register openvpn services at systemd on nodes newer than wheezy
+ # see https://leap.se/code/issues/7798
+ case $::operatingsystemrelease {
+ /^7.*/: { }
+ default: {
+ exec { "enable_systemd_${openvpn_configname}":
+ refreshonly => true,
+ command => "/bin/systemctl enable openvpn@${openvpn_configname}",
+ subscribe => File["/etc/openvpn/${openvpn_configname}.conf"];
+ }
+ }
+ }
 }
-- cgit v1.2.3
From d5ecb50e4d31fde0792a77d12006a26ef33e8d3f Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 19 Jan 2016 11:07:44 +0100
Subject: Ensure openvpn services are running on jessie
---
 puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index d7f6f9eb..ca9926cc 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -213,7 +213,11 @@ define site_openvpn::server_config(
 exec { "enable_systemd_${openvpn_configname}":
 refreshonly => true,
 command => "/bin/systemctl enable openvpn@${openvpn_configname}",
- subscribe => File["/etc/openvpn/${openvpn_configname}.conf"];
+ subscribe => File["/etc/openvpn/${openvpn_configname}.conf"],
+ notify => Service["openvpn@${openvpn_configname}"];
+ }
+ service { "openvpn@${openvpn_configname}":
+ ensure => running
 }
 }
 }
-- cgit v1.2.3
From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001
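Review bot: The `exec` on the `refreshonly => true` line only runs when `File["/etc/openvpn/${openvpn_configname}.conf"]` changes, so a jessie node whose config file already existed before this manifest never gets the unit enabled, and the commit title's promise only holds for fresh deploys. Puppet's service type expresses this idempotently without a shell command: `service { "openvpn@${openvpn_configname}": enable => true }`. The `default` branch also fires on every release that is not 7.x, which presumably includes releases without systemd; a comment stating the assumption, `# everything newer than wheezy is assumed to boot with systemd`, would help the next reader. The final context line appears to be the define's closing brace, so the define itself starts outside the hunk.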
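Review bot: The `service` resource added before the three closing braces sets `ensure => running` but not `enable => true`, so a unit that is running now stays disabled at boot unless the separate `exec` above happened to fire on a config change. Adding `enable => true,` next to `ensure => running` makes the service resource self-sufficient and would let the `exec`/`notify` pair be removed, leaving one declarative resource per instance. The enclosing `case` and define start outside the hunk.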
From: varac
Date: Mon, 13 Apr 2015 23:16:00 +0200
Subject: restructured site.pp, now only one class gets included in site.pp per service (Bug #6851) Also, moved global Exec{} defaults to site.pp Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd
---
 puppet/modules/site_openvpn/manifests/init.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index ede35a9e..4777464e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -24,9 +24,11 @@ class site_openvpn {
 include site_config::x509::key
 include site_config::x509::ca_bundle
-
+
 include site_config::default
 Class['site_config::default'] -> Class['site_openvpn']
+ include ::site_obfsproxy
+
 $openvpn = hiera('openvpn')
 $openvpn_ports = $openvpn['ports']
 $openvpn_config = $openvpn['configuration']
-- cgit v1.2.3
From f5ecaaa1bd7412fc152b41e4cc522cd0dc43cc37 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 5 Jan 2016 21:44:30 +0100
Subject: linted puppet/modules/site_openvpn/manifests/init.pp
---
 puppet/modules/site_openvpn/manifests/init.pp | 64 +++++++++++++--------------
 1 file changed, 32 insertions(+), 32 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4777464e..7397d89c 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
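Review bot: The added `include ::site_obfsproxy` carries no comment explaining why an obfsproxy class is pulled in by the openvpn class; the subject attributes it to the one-class-per-service restructuring (#6851), but a reader of init.pp alone cannot tell whether every openvpn node now also runs obfsproxy or whether site_obfsproxy decides that from its own data. Suggested comment above the include: `# obfsproxy is deployed from here because site.pp includes one class per service (#6851)`. The `-`/`+` blank-line pair above `include site_config::default` looks like a whitespace-only change. The enclosing class continues past both edges of the hunk.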
@@ -87,24 +87,24 @@ class site_openvpn {
 if $openvpn_allow_unlimited {
 site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $unlimited_gateway_address,
- tls_remote => "\"${openvpn_unlimited_prefix}\"",
- server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000',
- config => $openvpn_config
+ port => '1194',
+ proto => 'tcp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1000',
+ config => $openvpn_config
 }
 site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- local => $unlimited_gateway_address,
- tls_remote => "\"${openvpn_unlimited_prefix}\"",
- server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001',
- config => $openvpn_config
+ port => '1194',
+ proto => 'udp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1001',
+ config => $openvpn_config
 }
 } else {
 tidy { '/etc/openvpn/tcp_config.conf': }
@@ -113,24 +113,24 @@ class site_openvpn {
 if $openvpn_allow_limited {
 site_openvpn::server_config { 'limited_tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $limited_gateway_address,
- tls_remote => "\"${openvpn_limited_prefix}\"",
- server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1002',
- config => $openvpn_config
+ port => '1194',
+ proto => 'tcp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1002',
+ config => $openvpn_config
 }
 site_openvpn::server_config { 'limited_udp_config':
- port => '1194',
- proto => 'udp',
- local => $limited_gateway_address,
- tls_remote => "\"${openvpn_limited_prefix}\"",
- server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1003',
- config => $openvpn_config
+ port => '1194',
+ proto => 'udp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1003',
+ config => $openvpn_config
 }
 } else {
 tidy { '/etc/openvpn/limited_tcp_config.conf': }
-- cgit v1.2.3
From ff818d6be896201adf0b1c9ded9316949dc954d2 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 16 Feb 2016 16:43:54 -0800
Subject: remove pinning of openvpn package to backports
---
 puppet/modules/site_openvpn/manifests/init.pp | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7397d89c..540262d0 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -174,14 +174,8 @@ class site_openvpn {
 include site_shorewall::eip
- # In wheezy, we need the openvpn backport to get the 2.3 version of
- # openvpn which has proper ipv6 support
- include site_apt::preferences::openvpn
-
 package {
- 'openvpn':
- ensure => latest,
- require => Class['site_apt::preferences::openvpn'];
+ 'openvpn': ensure => latest
 }
 service {
-- cgit v1.2.3
From 65d01365ac0e1ab25189ee9b58546e85cd806da4 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 8 Mar 2016 10:14:05 +0100
Subject: [bug] Fix inline template with deprecated variable notation - Resolves: #7948
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 540262d0..f5eb7fd0 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -69,7 +69,7 @@ class site_openvpn {
 # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
 # we can do this using an inline_template:
 $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
- $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+ $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
 # deploy dh keys
 include site_openvpn::dh_key
-- cgit v1.2.3
From 0ca80b41060dd8046386f7e49d2ed5ad382948c4 Mon Sep 17 00:00:00 2001
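Review bot: With the `require => Class['site_apt::preferences::openvpn']` line and the wheezy backport comment removed, `'openvpn': ensure => latest` now follows whatever openvpn the node's apt sources offer, so on a wheezy gateway this presumably falls back to the distribution's older package, which the removed comment said lacks the ipv6 support the deployment relied on; if wheezy is still a supported release that should be stated, and if it is not, a one-line comment saying so would preserve the reasoning that the deleted comment carried. `latest` also upgrades the package on every run, so a repository update restarts the VPN through the package's maintainer scripts at an unplanned time; `'openvpn': ensure => installed` with deliberate upgrades is the safer default for a service with connected clients. The enclosing class continues outside the hunk.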
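Review bot: `scope.lookupvar(@factname_primary_netmask)` fixes the deprecated bare-name lookup, but the failure mode of the remaining ERB indirection is still silent: if no `netmask_cidr_<interface>` fact exists on the node, the template presumably yields an empty or undef value and `$primary_netmask` is consumed empty further down. Since the fact name is built on the line above, validating the result right after it and failing the catalog early, e.g. `if $primary_netmask == '' { fail("no netmask fact for ${::site_config::params::interface}") }`, would turn that into a clear error instead of a misconfigured server directive. The enclosing class continues outside the hunk.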
From: Micah
Date: Tue, 12 Apr 2016 10:37:56 -0400
Subject: Put openvpn logs into leap directory (#8021) Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to /var/log/daemon.log. Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719
---
 puppet/modules/site_openvpn/manifests/init.pp | 3 ++-
 puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index f5eb7fd0..f1ecefb9 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -224,7 +224,8 @@ class site_openvpn {
 order => 10;
 }
- leap::logfile { 'openvpn': }
+ leap::logfile { 'openvpn_tcp': }
+ leap::logfile { 'openvpn_udp': }
 # Because we currently do not support ipv6 and instead block it (so no leaks
 # happen), we get a large number of these messages, so we ignore them (#6540)
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index ca9926cc..6decc665 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -109,7 +109,7 @@ define site_openvpn::server_config(
 "cert ${openvpn_configname}":
 key => 'cert',
 value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
- server => $openvpn_configname;
+ server => $openvpn_configname;
 "key ${openvpn_configname}":
 key => 'key',
 value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
@@ -203,6 +203,10 @@ define site_openvpn::server_config(
 key => 'verb',
 value => '3',
 server => $openvpn_configname;
+ "log-append /var/log/leap/openvpn_${proto}.log":
+ key => 'log-append',
+ value => "/var/log/leap/openvpn_${proto}.log",
+ server => $openvpn_configname;
 }
 # register openvpn services at systemd on nodes newer than wheezy
-- cgit v1.2.3
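Review bot: The `log-append` path on the first added line is keyed on `${proto}` alone, but this define is instantiated once per config name — the lint hunks earlier on this page show `tcp_config`, `udp_config`, `limited_tcp_config` and `limited_udp_config`, two of which share `proto => 'tcp'` — so the limited and unlimited tcp servers both append to `/var/log/leap/openvpn_tcp.log` and their lines interleave with no easy way to tell which gateway produced a line, which matters when these files are the evidence in an incident. Keying the path on the instance instead, `"log-append /var/log/leap/openvpn_${openvpn_configname}.log":` with `value => "/var/log/leap/openvpn_${openvpn_configname}.log",`, gives one file per process; the `leap::logfile` pair added in this commit's init.pp hunk on the previous line would then need one entry per config name as well. Whether `leap::logfile` sets ownership, permissions or rotation for the new files is not visible here. The enclosing define continues past the end of the hunk.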