From 21b197953d11d69d14789bc284d72d9c5025dcb4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:11:14 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e3d2a9af..165ba96e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -38,7 +38,7 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} /bin/echo 1 > /proc/sys/net/ipv4/ip_forward ", mode => '0755', @@ -49,7 +49,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a } cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", + command => '/usr/local/bin/leap_add_second_ip.sh', user => 'root', special => 'reboot', } -- cgit v1.2.3 From 081e6f2e55d1536d4c0ebea5dfdc9f08b105c602 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:22:26 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d3963c95..939207bd 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -23,13 +23,17 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; } -- cgit v1.2.3 From b0b228edb52dc420c9f688c60af054ac6d0c7473 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:33:27 +0100 Subject: linted a bit --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index de273b46..436dd272 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -57,7 +57,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name concat { - "/etc/openvpn/$openvpn_configname.conf": + "/etc/openvpn/${openvpn_configname}.conf": owner => root, group => root, mode => 644, -- cgit v1.2.3 From cd96f130a304accaf0bbef5f751dc75976f3116e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Feb 2013 15:14:24 -0500 Subject: require that the package unbound be installed before trying to write to its configuration file, this addresses issue #1853 - [vpn1] err: /Stage[main]/Site_openvpn::Resolver/Line[add_tcp_resolver]/Exec[echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf']/returns: change from notrun to 0 failed: echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf' returned 2 instead of one of [0] at /srv/leap/puppet/modules/common/manifests/defines/line.pp:45 --- puppet/modules/site_openvpn/manifests/resolver.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 939207bd..26785edb 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -8,16 +8,18 @@ class site_openvpn::resolver { line { 'add_tcp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; 'add_udp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound'], + require => Package['unbound'] } file { -- cgit v1.2.3 From ffb88e54c5e4e30fa61ea1009f3eee62f98ab17c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 27 Feb 2013 23:46:58 -0800 Subject: openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. --- puppet/modules/site_openvpn/manifests/init.pp | 45 ++++++++++++++++++---- .../site_openvpn/manifests/server_config.pp | 18 ++++++++- .../templates/leap_add_second_ip.sh.erb | 11 ++++++ 3 files changed, 65 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 165ba96e..0c9f1795 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,9 +1,9 @@ class site_openvpn { tag 'leap_service' + # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") - #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' @@ -12,6 +12,10 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $openvpn_allow_free = $openvpn_config['allow_free'] + $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] + $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] + $openvpn_free_prefix = $openvpn_config['free_prefix'] $x509_config = hiera('x509') # deploy ca + server keys @@ -26,22 +30,47 @@ class site_openvpn { push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } + site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + local => $openvpn_gateway_address, server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - local => $openvpn_gateway_address, management => '127.0.0.1 1001' } + if $openvpn_allow_free { + site_openvpn::server_config { 'free_tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002' + } + site_openvpn::server_config { 'free_udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + management => '127.0.0.1 1003' + } + } else { + tidy { "/etc/openvpn/free_tcp_config.conf": } + tidy { "/etc/openvpn/free_udp_config.conf": } + } + # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", - mode => '0755', + file { + '/usr/local/bin/leap_add_second_ip.sh': + content => template('site_openvpn/leap_add_second_ip.sh.erb'), + mode => '0755'; } exec { '/usr/local/bin/leap_add_second_ip.sh': diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 436dd272..1f42400a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,7 +52,9 @@ # note: the default is BF-CBC (blowfish) # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( + $port, $proto, $local, $server, $push, + $management, $tls_remote = undef, $shaper = undef) { $openvpn_configname = $name @@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana notify => Service['openvpn']; } + # special options for the "free" gateway daemons + if $shaper != undef { + openvpn::option { + "shaper $openvpn_configname": + key => 'shaper', + value => $shaper, + server => $openvpn_configname; + "tls-remote $openvpn_configname": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; + } + } + openvpn::option { "ca $openvpn_configname": key => 'ca', diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb new file mode 100644 index 00000000..40866116 --- /dev/null +++ b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_allow_free %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || + ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From ad62cfdad04c8f8ed9d6454f716c92e850ac53ba Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 17 Mar 2013 13:15:51 -0700 Subject: added support for "limited" service levels (although vpn is not yet actually rate limited). --- puppet/modules/site_openvpn/README | 20 +++ puppet/modules/site_openvpn/manifests/init.pp | 150 +++++++++++++-------- puppet/modules/site_openvpn/manifests/resolver.pp | 90 +++++++++---- .../site_openvpn/manifests/server_config.pp | 9 +- .../site_openvpn/templates/add_gateway_ips.sh.erb | 11 ++ .../templates/leap_add_second_ip.sh.erb | 11 -- 6 files changed, 196 insertions(+), 95 deletions(-) create mode 100644 puppet/modules/site_openvpn/README create mode 100644 puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb delete mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README new file mode 100644 index 00000000..cef5be23 --- /dev/null +++ b/puppet/modules/site_openvpn/README @@ -0,0 +1,20 @@ +Place to look when debugging problems +======================================== + +Log files: + + openvpn: /var/log/syslog + shorewall: /var/log/syslog + shorewall startup: /var/log/shorewall-init.log + +Check NAT masq: + + iptables -t nat --list-rules + +Check interfaces: + + ip addr ls + +Scripts: + + /usr/local/bin/add_gateway_ips.sh \ No newline at end of file diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0c9f1795..c54bb782 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,84 +1,128 @@ +# +# An openvpn gateway can support three modes: +# +# (1) limited and unlimited +# (2) unlimited only +# (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +# (1) unlimited + tcp => tcp_config.conf +# (2) unlimited + udp => udp_config.conf +# (3) limited + tcp => limited_tcp_config.conf +# (4) limited + udp => limited_udp_config.conf +# + class site_openvpn { tag 'leap_service' - # parse hiera config - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - $openvpn_allow_free = $openvpn_config['allow_free'] - $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] - $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] - $openvpn_free_prefix = $openvpn_config['free_prefix'] - $x509_config = hiera('x509') + $openvpn_config = hiera('openvpn') + $x509_config = hiera('x509') + $ip_address = hiera('ip_address') + $interface = getvar("interface_${ip_address}") + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_second_gateway_address = undef + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } + + $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_unlimited_tcp_network_prefix = '10.41.0' + $openvpn_unlimited_tcp_netmask = '255.255.248.0' + $openvpn_unlimited_tcp_cidr = '21' + $openvpn_unlimited_udp_network_prefix = '10.42.0' + $openvpn_unlimited_udp_netmask = '255.255.248.0' + $openvpn_unlimited_udp_cidr = '21' + + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' # deploy ca + server keys include site_openvpn::keys - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + if $openvpn_allow_unlimited and $openvpn_allow_limited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = $openvpn_second_gateway_address + } elsif $openvpn_allow_unlimited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = undef + } elsif $openvpn_allow_limited { + $unlimited_gateway_address = undef + $limited_gateway_address = $openvpn_gateway_address } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $openvpn_gateway_address, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + if $openvpn_allow_unlimited { + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001' + } + } else { + tidy { "/etc/openvpn/tcp_config.conf": } + tidy { "/etc/openvpn/udp_config.conf": } } - if $openvpn_allow_free { - site_openvpn::server_config { 'free_tcp_config': + if $openvpn_allow_limited { + site_openvpn::server_config { 'limited_tcp_config': port => '1194', proto => 'tcp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", management => '127.0.0.1 1002' } - site_openvpn::server_config { 'free_udp_config': + site_openvpn::server_config { 'limited_udp_config': port => '1194', proto => 'udp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/free_tcp_config.conf": } - tidy { "/etc/openvpn/free_udp_config.conf": } + tidy { "/etc/openvpn/limited_tcp_config.conf": } + tidy { "/etc/openvpn/limited_udp_config.conf": } } - # add second IP on given interface file { - '/usr/local/bin/leap_add_second_ip.sh': - content => template('site_openvpn/leap_add_second_ip.sh.erb'), + '/usr/local/bin/add_gateway_ips.sh': + content => template('site_openvpn/add_gateway_ips.sh.erb'), mode => '0755'; } - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + exec { '/usr/local/bin/add_gateway_ips.sh': + subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } - cron { 'leap_add_second_ip.sh': - command => '/usr/local/bin/leap_add_second_ip.sh', + cron { 'add_gateway_ips.sh': + command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', special => 'reboot', } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 26785edb..dc31767c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,5 +1,53 @@ class site_openvpn::resolver { + if $site_openvpn::openvpn_allow_unlimited { + $ensure_unlimited = 'present' + file { + '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_unlimited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + } + + if $site_openvpn::openvpn_allow_limited { + $ensure_limited = 'present' + file { + '/etc/unbound/conf.d/vpn_limited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_limited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + } + # this is an unfortunate way to get around the fact that the version of # unbound we are working with does not accept a wildcard include directive # (/etc/unbound/conf.d/*), when it does, these line definitions should @@ -7,36 +55,30 @@ class site_openvpn::resolver { # include: /etc/unbound/conf.d/* line { - 'add_tcp_resolver': - ensure => present, + 'add_unlimited_tcp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], require => Package['unbound']; - - 'add_udp_resolver': - ensure => present, + 'add_unlimited_udp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_tcp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_udp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], require => Package['unbound'] } - file { - '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - - '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1f42400a..a2e769e1 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -54,7 +54,7 @@ define site_openvpn::server_config( $port, $proto, $local, $server, $push, - $management, $tls_remote = undef, $shaper = undef) { + $management, $tls_remote = undef) { $openvpn_configname = $name @@ -68,13 +68,8 @@ define site_openvpn::server_config( notify => Service['openvpn']; } - # special options for the "free" gateway daemons - if $shaper != undef { + if $tls_remote != undef { openvpn::option { - "shaper $openvpn_configname": - key => 'shaper', - value => $shaper, - server => $openvpn_configname; "tls-remote $openvpn_configname": key => 'tls-remote', value => $tls_remote, diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb new file mode 100644 index 00000000..ed06a95e --- /dev/null +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_second_gateway_address %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb deleted file mode 100644 index 40866116..00000000 --- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> - -<% if @openvpn_allow_free %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || - ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> -<% end %> - -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From b7ba05040f9f1266d14947f1612fa54060dd37cb Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 29 Mar 2013 14:39:26 -0700 Subject: fixed site_openvpn bug with redefined variable. --- puppet/modules/site_openvpn/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c54bb782..1ae3fb02 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -25,9 +25,10 @@ class site_openvpn { $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_second_gateway_address = undef if $openvpn_config['second_gateway_address'] { $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] -- cgit v1.2.3 From 8e5716518b361aceac5c2cc5433148edf8785d89 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 30 Apr 2013 17:17:54 -0400 Subject: setup a site_config::params class that can be used to set some common variables that are used in different places to start with we setup the $interface variable, based on logic as defined in #2213 change the various places that were looking up this value to use site_config::params::interface instead --- puppet/modules/site_openvpn/manifests/init.pp | 2 -- puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb | 8 ++++---- 2 files changed, 4 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 1ae3fb02..9bfffa6f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -21,8 +21,6 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] if $openvpn_config['second_gateway_address'] { diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index ed06a95e..05f3d16b 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,11 @@ #!/bin/sh -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% if @openvpn_second_gateway_address %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || - ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From 0f6d2ebd6467d1c793d1907d677ca374a1efe477 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 11 May 2013 14:05:14 -0400 Subject: special casing for pistoncloud/openstack/ec2 --- puppet/modules/site_openvpn/manifests/init.pp | 33 ++++++++++++++++----------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 9bfffa6f..685871bd 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -22,11 +22,16 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $openvpn_config['gateway_address'] - if $openvpn_config['second_gateway_address'] { - $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + + if $::ec2_instance_id { + $openvpn_gateway_address = $::ipaddress } else { - $openvpn_second_gateway_address = undef + $openvpn_gateway_address = $openvpn_config['gateway_address'] + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef + } } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] @@ -38,15 +43,17 @@ class site_openvpn { $openvpn_unlimited_udp_netmask = '255.255.248.0' $openvpn_unlimited_udp_cidr = '21' - $openvpn_allow_limited = $openvpn_config['allow_limited'] - $openvpn_limited_prefix = $openvpn_config['limited_prefix'] - $openvpn_rate_limit = $openvpn_config['rate_limit'] - $openvpn_limited_tcp_network_prefix = '10.43.0' - $openvpn_limited_tcp_netmask = '255.255.248.0' - $openvpn_limited_tcp_cidr = '21' - $openvpn_limited_udp_network_prefix = '10.44.0' - $openvpn_limited_udp_netmask = '255.255.248.0' - $openvpn_limited_udp_cidr = '21' + if !$::ec2_instance_id { + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' + } # deploy ca + server keys include site_openvpn::keys -- cgit v1.2.3 From 7cbc4d41e35fec9dc0192cc3caf11803b562c06d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Jul 2013 16:35:51 -0400 Subject: more robust openvpn restarting this ensures that an actual restart is run on the service when config files are added or removed, instead of relying on the status parameter of the initscript, which can be confused if config files are removed out from under it Change-Id: I1c69fff26933338b707acf7dc4593547f32f92e3 --- puppet/modules/site_openvpn/manifests/init.pp | 9 +++++++++ puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 685871bd..4f900623 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -127,6 +127,13 @@ class site_openvpn { subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } + exec { 'restart_openvpn': + command => '/etc/init.d/openvpn restart', + refreshonly => true, + subscribe => File['/etc/openvpn'], + require => [ Package['openvpn'], File['/etc/openvpn'] ]; + } + cron { 'add_gateway_ips.sh': command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', @@ -142,6 +149,7 @@ class site_openvpn { 'openvpn': ensure => installed; } + service { 'openvpn': ensure => running, @@ -153,6 +161,7 @@ class site_openvpn { file { '/etc/openvpn': ensure => directory, + notify => Exec['restart_openvpn'], require => Package['openvpn']; } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index a2e769e1..6106cfbb 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -65,7 +65,7 @@ define site_openvpn::server_config( mode => 644, warn => true, require => File['/etc/openvpn'], - notify => Service['openvpn']; + notify => Exec['restart_openvpn']; } if $tls_remote != undef { -- cgit v1.2.3