authorChristian Pointner <equinox@spreadspace.org>2021-11-16 22:34:30 +0100
committerChristian Pointner <equinox@spreadspace.org>2021-11-16 22:34:30 +0100
commit65fb49fc5f3e4628353ee2e54c5ced76c5bc40fa (patch)
tree94ae7cb1810ccdfd732c2c71036578d226d08166 /roles/network
parentopenvpn roles - bas scaffolding and certs (diff)
openvpn: initial support for server/client
Diffstat (limited to 'roles/network')
-rw-r--r--roles/network/openvpn/client/tasks/main.yml14
-rw-r--r--roles/network/openvpn/client/templates/conf.j218
-rw-r--r--roles/network/openvpn/server/tasks/main.yml28
-rw-r--r--roles/network/openvpn/server/templates/client.j25
-rw-r--r--roles/network/openvpn/server/templates/conf.j225
5 files changed, 83 insertions, 7 deletions
diff --git a/roles/network/openvpn/client/tasks/main.yml b/roles/network/openvpn/client/tasks/main.yml
index 49f6443f..3067609c 100644
--- a/roles/network/openvpn/client/tasks/main.yml
+++ b/roles/network/openvpn/client/tasks/main.yml
@@ -2,6 +2,14 @@
- name: create TLS certificate and key
import_tasks: tls.yml
-## TODO:
-## - generate/install openvpn configuration
-## - enable/start "openvpn-server@{{ openvpn_zone.name }}"
+- name: generate openvpn config
+ template:
+ src: conf.j2
+ dest: "/etc/openvpn/client/{{ openvpn_zone.name }}.conf"
+ notify: restart openvpn-client
+
+- name: make sure openvpn-client systemd unit is enabled and started
+ systemd:
+ name: "openvpn-client@{{ openvpn_zone.name }}"
+ state: started
+ enabled: yes
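Review bot: The `generate openvpn config` task writes `/etc/openvpn/client/{{ openvpn_zone.name }}.conf` without `owner`/`group`/`mode`, so the rendered file's permissions follow the remote umask rather than being pinned by the role; adding `mode: "0644"` (the file holds only certificate and key paths, not key material, as far as this hunk shows) makes the result reproducible across hosts. The `systemd` task uses `enabled: yes`; Ansible convention is `enabled: true`, which also sidesteps YAML 1.1 truthy ambiguity. The `restart openvpn-client` handler referenced by `notify` is not part of this diff, so it is assumed to come from the parent scaffolding commit.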
diff --git a/roles/network/openvpn/client/templates/conf.j2 b/roles/network/openvpn/client/templates/conf.j2
new file mode 100644
index 00000000..f9d8775b
--- /dev/null
+++ b/roles/network/openvpn/client/templates/conf.j2
@@ -0,0 +1,18 @@
+client
+proto udp
+remote {{ openvpn_zone.server_addr }} {{ openvpn_zone.server_port }}
+ping 60
+ping-timer-rem
+
+tls-client
+ca /etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem
+cert /etc/ssl/openvpn/{{ openvpn_zone.name }}/client/crt.pem
+key /etc/ssl/openvpn/{{ openvpn_zone.name }}/client/key.pem
+remote-cert-tls server
+cipher AES-256-GCM
+persist-key
+
+dev tun
+persist-tun
+
+pull
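Review bot: The data channel is pinned only with `cipher AES-256-GCM`, which OpenVPN 2.4+ treats as the fallback while the actual cipher is negotiated (`ncp-ciphers`, renamed `data-ciphers` in 2.5), and no floor is set for the control channel; `tls-version-min 1.2` plus `data-ciphers AES-256-GCM` (mirrored on the server) would pin both explicitly, assuming the targets run 2.5 or newer. Nothing protects the TLS handshake itself — no `tls-crypt`/`tls-auth` key appears anywhere in this commit — so the server's control channel will answer any unauthenticated UDP sender; if tls.yml does not already distribute a shared key, that deserves a follow-up. `ping-timer-rem` only affects the `ping-exit`/`ping-restart` timer and neither is set here, so a dead server is presumably never detected; confirm whether `ping-restart 180` (or a server-side `keepalive` push) was intended. `tls-client` and `pull` are already implied by `client` on the first line and can be dropped.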
diff --git a/roles/network/openvpn/server/tasks/main.yml b/roles/network/openvpn/server/tasks/main.yml
index 98bb220b..181feec9 100644
--- a/roles/network/openvpn/server/tasks/main.yml
+++ b/roles/network/openvpn/server/tasks/main.yml
@@ -2,7 +2,27 @@
- name: create TLS certificate and key
import_tasks: tls.yml
-## TODO:
-## - generate/install openvpn configuration
-## - generate/install client config directory
-## - enable/start "openvpn-server@{{ openvpn_zone.name }}"
+- name: generate openvpn config
+ template:
+ src: conf.j2
+ dest: "/etc/openvpn/server/{{ openvpn_zone.name }}.conf"
+ notify: restart openvpn-server
+
+- name: create client-config directory
+ file:
+ path: "/etc/openvpn/server/{{ openvpn_zone.name }}-ccd"
+ state: directory
+
+- name: generate client-config snippets
+ loop: "{{ openvpn_zone.offsets | list | difference([inventory_hostname]) }}"
+ loop_control:
+ loop_var: client
+ template:
+ src: client.j2
+ dest: "/etc/openvpn/server/{{ openvpn_zone.name }}-ccd/{{ client }}"
+
+- name: make sure openvpn-server systemd unit is enabled and started
+ systemd:
+ name: "openvpn-server@{{ openvpn_zone.name }}"
+ state: started
+ enabled: yes
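Review bot: The `generate client-config snippets` task only creates files; a host removed from `openvpn_zone.offsets` keeps its snippet in the `-ccd` directory, and with `ccd-exclusive` in the server config that stale file is exactly what still lets a peer whose certificate has not been revoked connect and receive its old address and `iroute`s. Pruning the directory after rendering — a `find` followed by `file: state: absent` for anything not in the current peer list — closes that gap with builtin modules only. The `create client-config directory` task could also pin `mode: "0755"` so the directory stays readable by the daemon should it later drop privileges. For OpenVPN to pick a snippet up its filename must equal the client certificate's CN; whether tls.yml issues certificates with `inventory_hostname` as CN cannot be seen from this diff.
```yaml
# … unchanged: generate client-config snippets …

- name: find existing client-config snippets
  find:
    paths: "/etc/openvpn/server/{{ openvpn_zone.name }}-ccd"
    file_type: file
  register: openvpn_ccd_files

- name: remove client-config snippets for hosts no longer in the zone
  loop: "{{ openvpn_ccd_files.files | map(attribute='path') | map('basename') | difference(openvpn_zone.offsets | list | difference([inventory_hostname])) }}"
  loop_control:
    loop_var: stale_client
  file:
    path: "/etc/openvpn/server/{{ openvpn_zone.name }}-ccd/{{ stale_client }}"
    state: absent
```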
diff --git a/roles/network/openvpn/server/templates/client.j2 b/roles/network/openvpn/server/templates/client.j2
new file mode 100644
index 00000000..c6cd6c8d
--- /dev/null
+++ b/roles/network/openvpn/server/templates/client.j2
@@ -0,0 +1,5 @@
+ifconfig-push {{ openvpn_zone.subnet | ipaddr(openvpn_zone.offsets[client]) | ipaddr('address') }} {{ openvpn_zone.subnet | ipaddr('netmask') }}
+{% for route in (openvpn_zone.routes[client] | default([])) %}
+iroute {{ route | ipaddr('network') }} {{ route | ipaddr('netmask') }}
+{# TODO: install route locally... #}
+{% endfor %}
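Review bot: Every entry of `openvpn_zone.routes[client]` is rendered unconditionally, and the `ipaddr` filter yields `False` for a value it cannot parse, so an inventory typo appears to produce `iroute False False` and OpenVPN would then reject that peer's ccd file at connect time rather than at deploy time; an `assert` in the server tasks on `route | ipaddr('network')` for every route (or a `{% if route | ipaddr('network') %}` guard around the `iroute` line) surfaces the error during the play. The template also carries no header comment; a one-line `{# one snippet per peer, matched by OpenVPN against the client certificate CN — the filename must equal that CN #}` would tell a maintainer why the file is named after the inventory host. The existing TODO already records that `iroute` alone does not install a kernel route on the server.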
diff --git a/roles/network/openvpn/server/templates/conf.j2 b/roles/network/openvpn/server/templates/conf.j2
new file mode 100644
index 00000000..b00d7ec7
--- /dev/null
+++ b/roles/network/openvpn/server/templates/conf.j2
@@ -0,0 +1,25 @@
+mode server
+
+proto udp
+lport {{ openvpn_zone.server_port }}
+ping 60
+ping-timer-rem
+
+tls-server
+ca /etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem
+dh /etc/ssl/openvpn/{{ openvpn_zone.name }}/dhparams.pem
+cert /etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem
+key /etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem
+verify-client-cert require
+remote-cert-tls client
+cipher AES-256-GCM
+persist-key
+
+dev tun
+persist-tun
+
+topology subnet
+ifconfig {{ openvpn_zone.subnet | ipaddr(openvpn_zone.offsets[inventory_hostname]) | ipaddr('address') }} {{ openvpn_zone.subnet | ipaddr('netmask') }}
+push "topology subnet"
+client-config-dir {{ openvpn_zone.name }}-ccd/
+ccd-exclusive
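Review bot: The server keeps running as root after initialisation: `persist-key` and `persist-tun` are present, which exist precisely so OpenVPN can re-open the tunnel after a privilege drop, yet no `user`/`group` directive follows them; adding `user nobody` and `group nogroup` (the group name differs per distribution, e.g. `nobody` on RHEL-family) completes the least-privilege setup unless the distribution's `openvpn-server@.service` already confines the process sufficiently. No `tls-version-min 1.2` is set either, so the control channel falls back to the OpenSSL build's default minimum; the same line belongs in the client template. `client-config-dir {{ openvpn_zone.name }}-ccd/` is relative and only resolves because the systemd unit presumably sets `WorkingDirectory=/etc/openvpn/server`; using the absolute path the tasks file already builds removes that dependency.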