From 85c0af05e5322d9b110379199978d05f011e60b2 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 11 Mar 2023 02:20:16 +0100 Subject: ele-router: add openvpn tunnel for mgmt vlan --- dan/ele-router.yml | 105 ++++++++++++++++++ dan/group_vars/ele-router.yml | 170 +++++++++++++++++++++++++++++ inventory/host_vars/ele-router-hmtsaal.yml | 46 ++++++++ inventory/host_vars/ele-router-orpheum.yml | 47 ++++++++ inventory/hosts.ini | 5 + 5 files changed, 373 insertions(+) create mode 100644 dan/ele-router.yml create mode 100644 dan/group_vars/ele-router.yml diff --git a/dan/ele-router.yml b/dan/ele-router.yml new file mode 100644 index 00000000..13616ad0 --- /dev/null +++ b/dan/ele-router.yml 
@@ -0,0 +1,105 @@ +--- +- name: generate TLS CA for openvpn mgmt + hosts: ele-router + connection: local + gather_facts: no + tasks: + - name: generate CA key and certificate + run_once: yes + block: + - name: generate CA key + community.crypto.openssl_privatekey_pipe: + type: "Ed25519" + content: "{{ vault_ovpn_mgmt_ca_key | default(omit) }}" + return_current_key: yes + register: ovpn_mgmt_ca_key_result + no_log: true + + - name: create signing request for CA certificate + community.crypto.openssl_csr_pipe: + privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}" + CN: "CA for ele-router mgmt vpn" + useCommonNameForSAN: no + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + register: ovpn_mgmt_ca_csr_result + changed_when: false + + - name: create self-signed CA certificate + community.crypto.x509_certificate_pipe: + content: "{{ vault_ovpn_mgmt_ca_cert | default(omit) }}" + csr_content: "{{ ovpn_mgmt_ca_csr_result.csr }}" + privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}" + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create + register: ovpn_mgmt_ca_cert_result + + + - name: generate key + community.crypto.openssl_privatekey_pipe: + type: "Ed25519" + content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] | default(omit) }}" + return_current_key: yes + register: ovpn_mgmt_key_result + no_log: true + + - name: create signing request for certificate + community.crypto.openssl_csr_pipe: + privatekey_content: "{{ ovpn_mgmt_key_result.privatekey }}" + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + - keyEncipherment + key_usage_critical: yes + extended_key_usage: + - "{{ (inventory_hostname == 'ele-router-hmtsaal') | ternary('serverAuth', 'clientAuth') }}" + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + 
basic_constraints_critical: yes + register: ovpn_mgmt_csr_result + changed_when: false + + - name: create certificate + community.crypto.x509_certificate_pipe: + content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] | default(omit) }}" + csr_content: "{{ ovpn_mgmt_csr_result.csr }}" + privatekey_content: "{{ ovpn_mgmt_key_result.privatekey }}" + provider: ownca + ownca_content: "{{ ovpn_mgmt_ca_cert_result.certificate }}" + ownca_privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}" + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + register: ovpn_mgmt_cert_result + + + - run_once: yes + set_fact: + vault_content: | + --- + vault_ovpn_mgmt_ca_key: | + {{ ovpn_mgmt_ca_key_result.privatekey | indent(2) }} + vault_ovpn_mgmt_ca_cert: | + {{ ovpn_mgmt_ca_cert_result.certificate | indent(2) }} + vault_ovpn_mgmt_keys: + {% for host in play_hosts %} + {{ host }}: | + {{ hostvars[host].ovpn_mgmt_key_result.privatekey | indent(4) }} + {% endfor %} + vault_ovpn_mgmt_certs: + {% for host in play_hosts %} + {{ host }}: | + {{ hostvars[host].ovpn_mgmt_cert_result.certificate | indent(4) }} + {% endfor %} + + - pause: + prompt: "Please put this into a vault file: \n\n{{ vault_content }}" + seconds: 1 diff --git a/dan/group_vars/ele-router.yml b/dan/group_vars/ele-router.yml new file mode 100644 index 00000000..044a7e38 --- /dev/null +++ b/dan/group_vars/ele-router.yml 
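Review bot: The host CSR in `create signing request for certificate` asks for `keyEncipherment` on an Ed25519 key; RFC 8410 permits only digitalSignature (plus nonRepudiation, keyCertSign, cRLSign) for id-Ed25519 keys and forbids keyEncipherment, which is meaningless for a signature-only algorithm, so drop `- keyEncipherment` and keep `- digitalSignature` alone (the CA CSR a few tasks above gets this right). The closing `set_fact` and `pause` tasks intentionally print the CA key and every host key to the terminal, but unlike the key-generation tasks they carry no `no_log: true`, so the same material can reach any configured `log_path` or CI capture; if that is the accepted workflow, a comment above the `pause` task saying so would stop a later reader from "fixing" it. Both CA and host certificates are issued with `+18250d` and nothing here produces a CRL, so a lost router key can only be retired by replacing the CA; that trade-off deserves a comment next to `ownca_not_after`.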
@@ -0,0 +1,170 @@ +$ANSIBLE_VAULT;1.2;AES256;dan +34376437393833633866393338323961343666316636303233333564656265616362393131663661 +3034653237626462363234303334626236343934653061320a653464626131363830336331326138 +65613937373830643162363833623632323233386436626533613165643038373233643539363737 +3435353861623866320a646137323963323930656336663936623335323838616234393263643261 +32393335333233353565653561333233663935396661353437393635623839623835623833633864 +64623465323465396466356165626632373232613130663036383438356565666262336162303231 +62366162306134323564323032643566316232653332343937643639663664303162636236306133 +63376538303332646463386433373830636637653532306238356339326430313135643035363234 +64306236656630313432396337383366393361306461393863663863613239306634393730643866 +30333137336464356239633761373630353162376364373438393236366131653835663763363863 +35626465343138613131643330383266353762636366386433613766353862633339643137626539 +39616332646662323665313762326132663966646563626138623637663763656462623766313263 +66373636623432653161363339626532366332616239396262373831363862666466636266336238 +39356164386539316264343766636536366432393433333661343165313432306566353732313032 +38663938643433336634313732646239663064633065636336636333363330306461613631333966 +37623639636538616533366332623666373763373333376439333431333763303264316631393462 +39323065313565613337376134356537393163356337633230666666613436333463633063623561 +35616437343032333039366635363066666566303639643764353862363265333364396539326566 +38313230333263333139623636326239616130643064333436643062646339386133656462363837 +36656538306436643938386339303735666665646465656637613064383135663963353638666437 +64303463396232646635373463623432623633646436333331366564353364663065626266323137 +38646466323538353336376136623361333862356362376232613430333235373362643536313266 +31666162306364646535623965363763363161653663333337613966373032343861663865656633 
+35373530333635663561643938313132316166666631666131343535306266653033333334326364 +36326262366339613431303136393230623836393661323231656165613431393731333737326430 +61653632613531623536333264303261386439353661386366623532323962653963316437313631 +36646364306338613735363537333635343564643738303763323039666363653533356533653235 +64336537313633306266336531653130326362336230633335643236346134346665666235363139 +35666139386462323439386339363230383635386534363565383030623835376537303234363265 +38366363306262613338633664363765343730653038666137376364373931663863653466643065 +61373863666264363935613239396638656431613839343138613238613165346262383933353932 +34396433656636633065313038643837663134383061636137383063623132353538363731393564 +63346531303363353737353438643762333763623533633161616236376566343362343930363234 +63613766633734376132363463663365643365373164343662303831653732306532323463336630 +34633639616134623534656262393763653739666537613932396663643534623133393939303136 +65383737383030303166313264653561316464306339373538666631323532386463303031633031 +66653739386231373030393863653064396436383131323837613565643666653261353935386137 +30393862613063343431333263323962656139376632626236336138356364616234313566646531 +34326434643532643966333637646462613763373636393238353761393436303961623137613532 +33383663303438636333666332653437393764366166376532643131653861613366393434343762 +30363961343563613339643165623031633232323161646664386333336237353564643338323562 +36386535636433376462366439653133376662356266303666376334393737623836633465353234 +64306163303665333361386434386664653931613135626537373536393334303032386263663238 +61366566343661316465393139333162373035353438373864323238376133656463396365656264 +37623965626163363634363136396366313033346330383366643738376434333233363262386665 +61336261663335316363623435306136373762643363616262386361336662616334333634613235 +62666262363136616638323165316438643239643863346237616139316332373962623237303738 
+34663830386434616530656261323339373666643633316264396563653263373963336331663234 +30336164316636386232613234303164343332323537623964616438303561343930333434323036 +35646535356564643139663865333639303961303661373935656234343761346261313661643963 +65616536663231366639353933343530386163343935396636376634303133666536636634306563 +32376331353034393064636333616562396364636438613235663732333039383735373233373134 +66363137643266373030333233613366383761343063356265646438656266363738663737636466 +37326233653361376531323232363761306263616461373465343135363739623764386336363633 +39363337633365353466653630653332656432313937303263636466323064653362393335336362 +38313636336630383030316465303866383038306263373137326661343337303663353834303737 +30386434323562353466343764653663383535353237393034666465353231643632653634356632 +66316239666161666231306437343662643365623136393031633364653734336236663335643032 +32613133656664336561383761386534333030636461643239316236643866373963663239636331 +39303638656362393932616236653832383935363163666635313033393737363739363439383465 +65313439666430656363343662633134373235383861623738623834643432363638623661636334 +39356263343064643164313264653831626630636232343364623162666437333166363864323233 +39333532613734633938333636303736336365343330323865356439386531616435316631373935 +61363364323864396332643332363032666334666262326562313661386635626635376437333965 +30643961323933666366626537366235643461386235643835366134346632646265613738316230 +32313933376363366664383561373431366539633736396665646431363731366136373131623263 +38383735373434383534653430313931396437346538613735613731666264316664336165363135 +36616163393565633861616563623062373433313866383833666365383566306531616534393134 +65616264346164623635643364613066353261393835303334333330363135306439653230363537 +30346161323731383237653034323432663635323639653830636464336430353466323662393938 +31303734346439303732633563326239326431333537356430613964613864663463373364356462 
+38626263316131666162356639653330363966373537336365326230396464313233633063343464 +65383364386437306461353130343634333062666438643038653137303631303731663832623262 +62346130363664653931306364626632623964353863616262396133346338623464646462313336 +33663364653835303336343161353439316335393138653939316434313661663136336662663332 +30363134356635373964633665663562316363613235616339356538366166363930623361306435 +61303137346334613335333864363364653835346135303964366432623939333561343261333961 +64633161656333356633623830356439363634343266333666613035613931663036396162626438 +66306239633665393966323135316132336339386431326364363963666134363134623162333838 +36653162333566383133643161343361333830643330363432623130363864656633333764656238 +37393135623632616432313334316164656164326166343764643731373331323934653234656563 +31316235623565313465623339323830623461653033666564363463653264343835643036373163 +36666531333136303264396438653935653862316438383034323031306532333035393337363336 +36376430633930353462653266613661633530663936373831613638663530316435356531333936 +36643333323164663836353736666137353062353839633464316639633064313933613861316566 +65376439626462326662323362306533306438343539646466616263626562366464346530633139 +63636135633938393736373533383464303931656432396237366665303964663061356134373266 +38613537653732623837353461323333633636326235343534393764363636366437333166616239 +35373765313731356630623239666365336338313031376333353334373261336165383333636166 +66636534356662663466636232343764353161383464303338626366306366333362363837306239 +34303730636339356661356237666133393230623061643032356333646135316339323432316230 +33323239663432646665353963616436313762346535336336346234366436643334373833356237 +30633264366139633861663433623832336233363033636632353465636562333136666662333936 +31343136623832373436313239633737376665623962623438396634356439313133323566333161 +64633363303939386361306132353937636439323739386530653632376137613533613235393930 
+66396463613563303535623563626466323937623834616436336532396463616437643037643035 +39623030656432626565333334376163343631326632633062356366376236663831363436316566 +36643564393538303732663263646663393662353236346439356334363436396336353231333830 +64323964396338636264363739656535326564323834313463623035643439346236656232313738 +61396166313937643931336635393431356661363065306331633330333135366432323765313235 +37383538656261363339363964313163663638663537313032643031343961383838323437343166 +31643161336261326666396537616663653935393434343036373561646338363734616237313961 +31313438303831323766396666626339336239653831636631383163643562383463353138303233 +65366366623035393139623230313935343835653332393035396230386361383139626236666466 +63663034396166323338303436616432323938353063326537303163373636366163383535643966 +33313237653931663234346665303635636663326236376136396130306532356532323331643336 +30343566336133343030326266303235303632623435346234616234303533323637353361646664 +39363332616230353838353732613762646231373433306230366366353331363334373834393836 +66323334623764393861393531393865656364303431386636633432616635656130343862333938 +64643964306534636539636461316265613139623066363236323332336264636438636439316238 +34636434376565346231353736623439316234393730366665383630396530353461383761616263 +61313732613739316439633431666331376330353334363134663739353462663666666635356635 +38616337666132613536323361303433613937376461353562623737313339336338353761333539 +38383765333266343262346132666536663137663531306337386332626636353735333232653266 +61306134323436626438393738613333353935616535396437323663666233613632353361383331 +35326237623636396366366431353236313261643137363766633534663065636534663036666466 +38666234303534363430396639663734666365636662626366393236643037663638376431393535 +36363431373162666566656266623531366230666139343538623332343239653938376362633265 +39333230356132663538616466396561326564333536623864396337366461663430393365653565 
+30346634343263363738356666323439383938663166633337613937653462656334323765313735 +36303838653662626562373439383238653030623039306536363362346537623165636234306236 +34363138363433653833633036393234316466313266373636373737363737303339613162623839 +62636332306266623964386661343566626432626566336261303962316337353532666337656565 +62663431653465616231636163653864343730356462663263636565373866363365633461653761 +36646463303237326236366533313931373139383865326630373262333663303064323033393065 +36393633643462313761636639646165373563313166313833373630623864623334303230353632 +66336563393634313162343363326531363638623038363632363835643839616535393862346634 +33343764326530316530363566653530623733653736376365393033383866383832613865346466 +39316265353331616363396531613835373066636237643430316139656361366262393338633938 +62363632633135333333623466613364356330353861353266306532326630353064393139343830 +35313034613939633261663831663738393134356434623935343539633734663539356230396165 +37366431636132353733663531636534613834363363393436653135326162373736386166646230 +34313963353731356130356266336562313761333863646261363862666632346535653434646263 +39343230636630373435666536646334396137633964363736633430373238333565346338656139 +33633834376664663664326534636536636236343338353032366531663337336364646638363464 +65353963333339393164323165323030343165363863633165366638636335356364646537313737 +36656166646338613863346261653432356562366262353364663539333530636664636632656462 +33656130316365623131326336613331326265343661623864646138356436323861353235666264 +61383735646636383833633664316232326663666535643634646336303562373135633832333033 +66323963383632396431393831663866613637333962623662326664316438316433653634393437 +36353066356431303131666163306664633466326361636334616632333634626138306265313632 +36353137623761666361323339353264333238633863343238373364623366363436363139643963 +33343838323962366236343030633837643835386336656436633063303639323936303966643936 
+35613539613938363761313862303164613336313335613232336439373261393436326161323336 +63636336646562363638623337343039323339636538373164313965613764376265613330323334 +39633365376564393531633061613261366236323433393965623266383465316361393861316166 +64643433366234623632376461363935343739396465643661613266613134313637323438373930 +30613562653333333562643236393131356339303865323030383234323361393139613934643866 +61333832653462313533666564336464366264323362613330333366383131623430656561613731 +32623265396661323435613734333731643236343535323639616339333161663736396639396165 +66633839303738323862396437613736363539633864383032653762653733353830393131626538 +64663462373866386238656638633262626130623139383833383739366639323063333135316463 +32393061383131353434353432333834643063616637313437303162386634366337623333346266 +31353430316338346632366165396661663334313433386530343239393838396362613661633138 +31393764633966366662666132323635333932313136393038383265336465366335656161343765 +63616564643431623862363831613162633961333763616165376665336166366333616536383061 +38623539616433353265336230383238666534386335653630383733363939666365303235616664 +63613564343339376537313738336666396330613431663165333232323936323966623431396163 +36623430346534383133313836363564383131306531303865623835663234393366323934643462 +30616164613730666330316466383830346463356233333466613531313366616235636435306237 +38336636323335353464303337356431653166336666633765353734383737393932643034353065 +37393332343736393263636662626332613838303635396439316261313535643931383735613837 +36646634316430383533626461393664643862326339356235623132633730373237326666366337 +33396666346661376262323937633437313337633165333130633530323030336134343261653535 +61663637353835353635303964303732663530633239636335363336303533383332313163653331 +36623564623536393630343632643164646365623533393262633766616133666632613764623062 +36326463323430356436386231653938303839663531333966646534343265336431383637316363 
+35666333393835363133363833613037636631326561656564636661383761313231636366663238 +3963 diff --git a/inventory/host_vars/ele-router-hmtsaal.yml b/inventory/host_vars/ele-router-hmtsaal.yml index becaf9fa..ffb76272 100644 --- a/inventory/host_vars/ele-router-hmtsaal.yml +++ b/inventory/host_vars/ele-router-hmtsaal.yml @@ -149,6 +149,7 @@ openwrt_packages_add: - mtr - iptraf-ng - sqm-scripts + - openvpn-openssl - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic - prometheus-node-exporter-lua-netstat @@ -166,6 +167,23 @@ openwrt_mixin: content: | {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ele-media']) | ansible.utils.ipaddr('address') }} media.elevate.at + /etc/hotplug.d/openvpn/10-mgmt: + content: | + #!/bin/sh + [ "$INSTANCE" != "mgmt" ] && exit 0 + [ "$ACTION" = "up" ] && ip link set up mtu "$3" dev "$2" master "br-mgmt" + exit 0 + + /etc/openvpn/mgmt-ca-cert.pem: + content: "{{ vault_ovpn_mgmt_ca_cert }}" + + /etc/openvpn/mgmt-cert.pem: + content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] }}" + + /etc/openvpn/mgmt-key.pem: + content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] }}" + mode: '0400' + /etc/rc.d/S21nftables: link: "../init.d/nftables" @@ -209,6 +227,7 @@ openwrt_mixin: ip protocol icmp accept ip6 nexthdr ipv6-icmp accept tcp dport { {{ ansible_port }} } accept + udp dport { 1194 } accept } chain input_internal { 
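Review bot: The three `/etc/openvpn/*.pem` entries and the `/etc/hotplug.d/openvpn/10-mgmt` script are repeated verbatim in the orpheum `@@ -160,6 +161,23 @@` hunk, so the `[ele-router]` group introduced in hosts.ini is their natural home (a plain-text group_vars file beside the vaulted `dan/group_vars/ele-router.yml`), leaving only the server/client UCI stanzas per host. The hotplug script has no comment on its purpose; `# enslave the mgmt tunnel tap to br-mgmt; $2/$3 are the device and MTU as used below` above the `ip link` line would spare the next reader a trip to OpenWrt's hotplug wrapper — the positional arguments presumably follow that wrapper and are worth confirming there.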
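Review bot: `udp dport { 1194 } accept` sits next to the SSH accept in what appears to be the external input chain with no `ip saddr` restriction, and the matching server stanza in the `@@ -298,6 +317,33 @@` hunk configures no `tls_crypt`, so the OpenVPN control channel is reachable by anyone who can reach the address. If the peer networks are known (orpheum dials the hmtsaal address in `network_zones.cc_hmtsaal`), a saddr set on this rule, or a `tls_crypt` key so that packets without the shared key are dropped before the TLS handshake, would narrow that exposure. Which chain this rule belongs to cannot be seen in the hunk.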
@@ -298,6 +317,33 @@ openwrt_uci: linklayer: 'ethernet' overhead: '44 mpu 84' + openvpn: + - name: openvpn mgmt + options: + enabled: '1' + port: '1194' + proto: 'udp' + dev: 'ovpn-mgmt' + dev_type: 'tap' + + server_bridge: 'nogw' + keepalive: '10 120' + persist_key: '1' + persist_tun: '1' + user: 'nobody' + + tls_version_min: '1.3' + ca: '/etc/openvpn/mgmt-ca-cert.pem' + cert: '/etc/openvpn/mgmt-cert.pem' + key: '/etc/openvpn/mgmt-key.pem' + dh: 'none' + remote_cert_tls: 'client' + data_ciphers: + - 'CHACHA20-POLY1305' + data_ciphers_fallback: 'AES-256-GCM' + allow_compression: 'no' + + prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" prometheus_exporters_default: - openwrt diff --git a/inventory/host_vars/ele-router-orpheum.yml b/inventory/host_vars/ele-router-orpheum.yml index 6dfe2db9..867f29be 100644 --- a/inventory/host_vars/ele-router-orpheum.yml +++ b/inventory/host_vars/ele-router-orpheum.yml @@ -147,6 +147,7 @@ openwrt_packages_add: - mtr - iptraf-ng - sqm-scripts + - openvpn-openssl - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic - prometheus-node-exporter-lua-netstat @@ -160,6 +161,23 @@ openwrt_mixin: /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" + /etc/hotplug.d/openvpn/10-mgmt: + content: | + #!/bin/sh + [ "$INSTANCE" != "mgmt" ] && exit 0 + [ "$ACTION" = "up" ] && ip link set up mtu "$3" dev "$2" master "br-mgmt" + exit 0 + + /etc/openvpn/mgmt-ca-cert.pem: + content: "{{ vault_ovpn_mgmt_ca_cert }}" + + /etc/openvpn/mgmt-cert.pem: + content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] }}" + + /etc/openvpn/mgmt-key.pem: + content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] }}" + mode: '0400' + /etc/rc.d/S21nftables: link: "../init.d/nftables" 
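Review bot: The server stanza has no revocation path (no `crl_verify`) while the playbook issues every client certificate for `+18250d`, so a router that is lost or retired keeps access until the CA itself is replaced; the `[ele-router]` group already lists an `ele-router-emc` that has no configuration in this patch, so that case is not hypothetical. Either a comment above `ca:` recording that limitation or a `crl_verify` file produced alongside the certificates would address it. A `tls_crypt` key would additionally keep unauthenticated peers off the TLS stack before the certificate check runs. `user: 'nobody'` drops the uid only; pairing it with `group: 'nogroup'` (if that group exists on the image) completes the privilege drop.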
@@ -203,6 +221,7 @@ openwrt_mixin: ip protocol icmp accept ip6 nexthdr ipv6-icmp accept tcp dport { {{ ansible_port }} } accept + udp dport { 1194 } accept } chain input_internal { @@ -292,6 +311,34 @@ openwrt_uci: linklayer: 'ethernet' overhead: '44 mpu 84' + openvpn: + - name: openvpn mgmt + options: + enabled: '1' + port: '1194' + proto: 'udp' + dev: 'ovpn-mgmt' + dev_type: 'tap' + remote: + - "{{ network_zones.cc_hmtsaal.prefix | ansible.utils.ipaddr(network_zones.cc_hmtsaal.offsets['ele-router-hmtsaal']) | ansible.utils.ipaddr('address') }} 1194" + + client: '1' + keepalive: '10 120' + persist_key: '1' + persist_tun: '1' + user: 'nobody' + + tls_version_min: '1.3' + ca: '/etc/openvpn/mgmt-ca-cert.pem' + cert: '/etc/openvpn/mgmt-cert.pem' + key: '/etc/openvpn/mgmt-key.pem' + remote_cert_tls: 'server' + data_ciphers: + - 'CHACHA20-POLY1305' + data_ciphers_fallback: 'AES-256-GCM' + allow_compression: 'no' + + prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" prometheus_exporters_default: - openwrt diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 5745aa27..fd316433 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -224,6 +224,11 @@ ele-ups ele-dolmetsch-raspi ele-infobeamer +[ele-router] +ele-router-hmtsaal +ele-router-orpheum +ele-router-emc + [ele-ap] # ele-ap-forum[0:3] # ele-ap-parkhouse0 -- cgit v1.2.3
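Review bot: The inbound `udp dport { 1194 } accept` is not needed on the client side: orpheum dials out to hmtsaal (`remote` in the `@@ -292,6 +311,34 @@` hunk) and replies return through the existing connection state, whereas this rule admits unsolicited packets from anyone to the local port OpenVPN binds because `port: '1194'` is set without `nobind`. Drop the rule and add `nobind: '1'` to the client stanza so the client uses an ephemeral source port; this assumes the input chain accepts established traffic, which is outside the hunk.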
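Review bot: Server identity is checked only through the CA plus `remote_cert_tls: 'server'`; since one CA issues every router certificate and the playbook's ternary decides which host receives serverAuth, any future certificate issued with serverAuth would be accepted as the hmtsaal endpoint. `verify_x509_name: 'ele-router-hmtsaal name'` pins the CN the playbook puts in the CSR (`CN: "{{ inventory_hostname }}"`) and makes that expectation visible in the config.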
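Review bot: `ele-router-emc` joins the new group, but the diffstat shows no host_vars change for it, while the `hosts: ele-router` play will still mint a key and a clientAuth certificate for it and include both in the `pause` output. If that router is not ready, a comment in the group marking it as a placeholder, or leaving it out until its openvpn configuration lands, avoids issuing a long-lived credential that nothing uses.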