ansible-roles/openvpn/README.md

# OpenVPN

Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evolix.org/HowtoOpenVPN)

## Tasks

Everything is in the `tasks/main.yml` file.
Some manual actions are requested at the end of the playbook, to do before finishing the playbook.

Here is a copy of what is requested :

* You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times.
* You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked.
* You have to manually create the server's certificate with `shellpki create server.example.com`.
* You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters : `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed).
* Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD.

Then, you can use `shellpki` to generate client certificates.

## Variables

* `openvpn_lan`: network to use for OpenVPN
* `openvpn_netmask`: netmask of the network to use for OpenVPN
* `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation

## Dependencies

* Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is.
Write an openvpn role 2022-01-24 19:12:48 +01:00			`# OpenVPN`

			`Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evolix.org/HowtoOpenVPN)`

			`## Tasks`

			Everything is in the `tasks/main.yml` file.
			`Some manual actions are requested at the end of the playbook, to do before finishing the playbook.`

openvpn: make it compatible with OpenBSD and add some improvements 2022-02-03 18:35:16 +01:00			`Here is a copy of what is requested :`

			* You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times.
			* You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked.
			* You have to manually create the server's certificate with `shellpki create server.example.com`.
			* You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters : `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed).
			* Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD.

			Then, you can use `shellpki` to generate client certificates.

Write an openvpn role 2022-01-24 19:12:48 +01:00			`## Variables`

			* `openvpn_lan`: network to use for OpenVPN
			* `openvpn_netmask`: netmask of the network to use for OpenVPN
			* `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation

openvpn: update README 2022-04-14 16:38:43 +02:00			`## Dependencies`
Write an openvpn role 2022-01-24 19:12:48 +01:00
openvpn: update README 2022-04-14 16:38:43 +02:00			* Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is.