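# Configures an OpenVPN gateway node: two server instances (one TCP, one
# UDP) that share a single gateway address, the extra IP that address needs
# on the node's interface, IPv4 forwarding, a resolver on the VPN IP and the
# matching firewall rules.
#
# Inputs come from hiera: 'ip_address' (this node's primary address),
# 'openvpn' (a hash whose 'gateway_address' key is the address both servers
# bind to) and 'x509'. Several values are deliberately kept as class
# variables so sibling classes can read them as $site_openvpn::<name>.
class site_openvpn {

  tag 'leap_service'

  # parse hiera config
  $ip_address = hiera('ip_address')
  # the interface carrying $ip_address is expected as a variable named
  # interface_<ip_address> (getvar returns undef if it is missing)
  $interface  = getvar("interface_${ip_address}")
  #$gateway_address = hiera('gateway_address')
  $openvpn_config          = hiera('openvpn')
  $openvpn_gateway_address = $openvpn_config['gateway_address']

  # client networks are fixed /21s; each instance pushes the first host of
  # its own network as DNS server (served by site_openvpn::resolver)
  $openvpn_tcp_network_prefix = '10.1.0'
  $openvpn_tcp_netmask        = '255.255.248.0'
  $openvpn_tcp_cidr           = '21'
  $openvpn_udp_network_prefix = '10.2.0'
  $openvpn_udp_netmask        = '255.255.248.0'
  $openvpn_udp_cidr           = '21'

  # not used in this class; presumably read by site_openvpn::keys — confirm
  $x509_config = hiera('x509')

  # deploy ca + server keys
  include site_openvpn::keys

  # create 2 openvpn config files, one for tcp, one for udp.
  # The management socket is bound to loopback only, on a distinct port per
  # instance; whether server_config also applies a management password is
  # decided in site_openvpn::server_config and not visible here.
  site_openvpn::server_config { 'tcp_config':
    port       => '1194',
    proto      => 'tcp',
    local      => $openvpn_gateway_address,
    server     => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
    push       => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
    management => '127.0.0.1 1000',
  }

  site_openvpn::server_config { 'udp_config':
    port       => '1194',
    proto      => 'udp',
    local      => $openvpn_gateway_address,
    server     => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
    push       => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
    management => '127.0.0.1 1001',
  }

  # add second IP on given interface and turn on forwarding.
  # grep -F so the dots in the address match literally instead of any char.
  file { '/usr/local/bin/leap_add_second_ip.sh':
    content => "#!/bin/sh
ip addr show dev ${interface} | grep -qF ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface}
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
",
    mode    => '0755',
  }

  # no refreshonly: the (idempotent) script runs on every agent run, so the
  # address is re-added and forwarding re-enabled if either was lost; the
  # subscribe additionally re-runs it right after the script changes
  exec { '/usr/local/bin/leap_add_second_ip.sh':
    subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
  }

  # neither the added address nor the /proc setting survive a reboot
  cron { 'leap_add_second_ip.sh':
    command => '/usr/local/bin/leap_add_second_ip.sh',
    user    => 'root',
    special => 'reboot',
  }

  # setup the resolver to listen on the vpn IP
  include site_openvpn::resolver
  include site_shorewall::eip

  package { 'openvpn':
    ensure => installed,
  }

  # waits for /etc/default/openvpn to be assembled before (re)starting
  service { 'openvpn':
    ensure     => running,
    hasrestart => true,
    hasstatus  => true,
    require    => Exec['concat_/etc/default/openvpn'],
  }

  file { '/etc/openvpn':
    ensure  => directory,
    require => Package['openvpn'],
  }

  # holds the material deployed by site_openvpn::keys; no mode/owner is set
  # here, so per-file permissions are left to that class — confirm there
  file { '/etc/openvpn/keys':
    ensure  => directory,
    require => Package['openvpn'],
  }

  # /etc/default/openvpn is assembled from fragments: a header from the
  # openvpn module's template, then AUTOSTART=all so the init script starts
  # every config in /etc/openvpn (i.e. both instances above)
  concat { '/etc/default/openvpn':
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    warn   => true,
    notify => Service['openvpn'],
  }

  concat::fragment { 'openvpn.default.header':
    content => template('openvpn/etc-default-openvpn.erb'),
    target  => '/etc/default/openvpn',
    order   => '01',
  }

  # inside a class $name is the class name, so this title is 'site_openvpn'
  concat::fragment { "openvpn.default.autostart.${name}":
    content => 'AUTOSTART=all',
    target  => '/etc/default/openvpn',
    order   => '10',
  }
}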