From 85c0af05e5322d9b110379199978d05f011e60b2 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 11 Mar 2023 02:20:16 +0100
Subject: ele-router: add openvpn tunnel for mgmt vlan
---
 inventory/host_vars/ele-router-orpheum.yml | 47 ++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
(limited to 'inventory/host_vars/ele-router-orpheum.yml')
diff --git a/inventory/host_vars/ele-router-orpheum.yml b/inventory/host_vars/ele-router-orpheum.yml
index 6dfe2db9..867f29be 100644
--- a/inventory/host_vars/ele-router-orpheum.yml
+++ b/inventory/host_vars/ele-router-orpheum.yml
@@ -147,6 +147,7 @@ openwrt_packages_add:
 - mtr
 - iptraf-ng
 - sqm-scripts
+ - openvpn-openssl
 - prometheus-node-exporter-lua
 - prometheus-node-exporter-lua-nat_traffic
 - prometheus-node-exporter-lua-netstat
@@ -160,6 +161,23 @@ openwrt_mixin:
 /etc/htoprc:
 file: "{{ global_files_dir }}/common/htoprc"
+ /etc/hotplug.d/openvpn/10-mgmt:
+ content: |
+ #!/bin/sh
+ [ "$INSTANCE" != "mgmt" ] && exit 0
+ [ "$ACTION" = "up" ] && ip link set up mtu "$3" dev "$2" master "br-mgmt"
+ exit 0
+ /etc/openvpn/mgmt-ca-cert.pem:
+ content: "{{ vault_ovpn_mgmt_ca_cert }}"
+ /etc/openvpn/mgmt-cert.pem:
+ content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] }}"
+ /etc/openvpn/mgmt-key.pem:
+ content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] }}"
+ mode: '0400'
+
 /etc/rc.d/S21nftables:
 link: "../init.d/nftables"
@@ -203,6 +221,7 @@ openwrt_mixin:
 ip protocol icmp accept
 ip6 nexthdr ipv6-icmp accept
 tcp dport { {{ ansible_port }} } accept
+ udp dport { 1194 } accept
 }
 chain input_internal {
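Review bot: The hotplug script in `/etc/hotplug.d/openvpn/10-mgmt` reads the interface name and MTU from positional `$2`/`$3`, which depends on how many arguments OpenWrt's openvpn-hotplug wrapper shifts before calling hotplug-call; OpenVPN itself exports `dev` and `tun_mtu` into the environment of up/down scripts, which is the documented, wrapper-independent interface. I would write the line as `[ "$ACTION" = "up" ] && ip link set up mtu "$tun_mtu" dev "$dev" master "br-mgmt"` (assuming the wrapper does not clear the environment — please confirm on the target). The unconditional `exit 0` afterwards also hides an `ip link` failure, so a tap that never joined `br-mgmt` would go unnoticed; logging the failure before exiting (e.g. via `logger`) would make it visible. The key file gets `mode: '0400'`, which is right; the hunk does not show whether the `mode` option also sets an owner, so the file presumably stays root-owned and is read before OpenVPN drops to `user: 'nobody'` with `persist_key` set.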
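Review bot: `udp dport { 1194 } accept` opens the local OpenVPN socket on this input chain to any source address, yet the instance added in the same commit runs in client mode (`client: '1'` with a fixed `remote`), so this router initiates the UDP flow and the server's replies match the existing connection state. If a `ct state established,related accept` rule precedes this one (the enclosing chain starts outside the hunk, so I cannot see it), the accept is not needed for the tunnel to work and only exposes the listening port. If an inbound rule is kept, scope it to the peer, e.g. `ip saddr <peer-address> udp dport 1194 accept`, reusing the same `network_zones.cc_hmtsaal` expression the `remote` option already builds from.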
@@ -292,6 +311,34 @@ openwrt_uci:
 linklayer: 'ethernet'
 overhead: '44 mpu 84'
+ openvpn:
+ - name: openvpn mgmt
+ options:
+ enabled: '1'
+ port: '1194'
+ proto: 'udp'
+ dev: 'ovpn-mgmt'
+ dev_type: 'tap'
+ remote:
+ - "{{ network_zones.cc_hmtsaal.prefix | ansible.utils.ipaddr(network_zones.cc_hmtsaal.offsets['ele-router-hmtsaal']) | ansible.utils.ipaddr('address') }} 1194"
+ client: '1'
+ keepalive: '10 120'
+ persist_key: '1'
+ persist_tun: '1'
+ user: 'nobody'
+ tls_version_min: '1.3'
+ ca: '/etc/openvpn/mgmt-ca-cert.pem'
+ cert: '/etc/openvpn/mgmt-cert.pem'
+ key: '/etc/openvpn/mgmt-key.pem'
+ remote_cert_tls: 'server'
+ data_ciphers:
+ - 'CHACHA20-POLY1305'
+ data_ciphers_fallback: 'AES-256-GCM'
+ allow_compression: 'no'
+
 prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100"
 prometheus_exporters_default:
 - openwrt
-- cgit v1.2.3
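Review bot: `remote_cert_tls: 'server'` only checks that the peer certificate carries the server key-usage/EKU; every certificate issued by the same CA with that EKU would be accepted as the mgmt server, and the CA here also issues the per-router client certificates (`vault_ovpn_mgmt_certs[inventory_hostname]`). Pinning the expected server identity closes that gap, e.g. `verify_x509_name: '<server-cert-cn> name'`, using whatever name the server certificate actually carries. Because the client binds `port: '1194'` itself and the firewall hunk accepts inbound UDP/1194, a shared TLS key (`tls_crypt: '<path-to-shared-tls-key>'`, deployed like the other `/etc/openvpn/mgmt-*.pem` files) would reject unauthenticated packets before the TLS handshake and hide it from passive observers — this needs the matching option on the server side, which is outside this commit. The rest of the TLS settings (`tls_version_min: '1.3'`, AEAD-only `data_ciphers`, `allow_compression: 'no'`) are a sound baseline.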