From 939b2358a3019e1af6d336acc9519b149488d899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Wed, 22 Mar 2023 15:21:58 +0100 Subject: [PATCH] openvpn: updated the README file --- CHANGELOG.md | 1 + openvpn/README.md | 28 ++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fafbe518..ea1a712f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * apt: with Debian 12, backports are installed but disabled by default +* openvpn: updated the README file ### Fixed diff --git a/openvpn/README.md b/openvpn/README.md index ddaffcce..79ed6246 100644 --- a/openvpn/README.md +++ b/openvpn/README.md 
@@ -5,17 +5,27 @@ Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evo ## Tasks Everything is in the `tasks/main.yml` file. -Some manual actions are requested at the end of the playbook, to do before finishing the playbook. -Here is a copy of what is requested : +Here is what this role does : -* You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times. -* You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked. -* You have to manually create the server's certificate with `shellpki create server.example.com`. -* You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters : `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed). -* Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD. +* Installs and configures OpenVPN +* Installs and configures shellpki +* Authorizes users in shellpki group to use shellpki with sudo +* Configures NAT if minifirewall exists, for Debian only +* Allows connexion to UDP/1194 port publicly in minifirewall if it exists or in PacketFilter for OpenBSD +* Enables IPv4 forwarding with sysctl +* Configures NRPE to check OpenVPN +* Adds a cron to warn about certificates expiration +* Inits the CA and create the server's certificate -Then, you can use `shellpki` to generate client certificates. +NAT allows servers reached through OpenVPN to be reached by the public IP of the OpenVPN server. The public IP of the OpenVPN server must therefore be allowed on the end servers. 
+ +Some manual actions are requested at the end of the playbook, to do before finishing the playbook : + +* You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". +* You must take note of the generated CA password and store it in your password manager. + +Finally, you can use `shellpki` to generate client certificates. ## Variables @@ -23,6 +33,8 @@ Then, you can use `shellpki` to generate client certificates. * `openvpn_netmask`: netmask of the network to use for OpenVPN * `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation +By default, if the server IP is 192.0.2.42, then OpenVPN LAN will be 10.2.42.0/24 (last 2 digit of main IP of server set as 2nd and 3rd digit of OpenVPN LAN). + ## Dependencies * Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is.
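Review bot: the manual-actions list in the README hunk (the "+Some manual actions" block) now gives only `rcctl restart openvpn` as the restart command, but the same hunk says the role targets Debian too ("Configures NAT if minifirewall exists, for Debian only"), and the removed bullet documented both commands. Keep both, as before: `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD. Also in this hunk: "connexion" should be "connection", "Inits the CA and create the server's certificate" should be "creates", the two commands in the manual-actions bullets are in double quotes where the rest of the file uses backticks, "to do before finishing the playbook :" has a stray space before the colon, and the NAT sentence is hard to follow; stating the consequence directly reads better, e.g. "With NAT, traffic from VPN clients reaches the end servers with the public IP of the OpenVPN server as its source, so that IP must be allowed on those servers." Finally, since the role now initialises the CA itself and asks the operator to store "the generated CA password", say where that password is shown (playbook output or a file on the server) so the reader knows what to copy into the password manager.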
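Review bot: the paragraph added in the Variables hunk ("By default, if the server IP is 192.0.2.42 ...") says "last 2 digit of main IP of server set as 2nd and 3rd digit of OpenVPN LAN", but the example maps the last two octets of the server IP (2 and 42) onto the second and third octets of the VPN network (10.2.42.0/24), so "octets", not "digits", is the right word, and the sentence should name the variable whose default it describes (the visible context lists only `openvpn_netmask` and `openvpn_netmask_cidr`, so the network variable it applies to is not identified). Suggested wording: "By default the OpenVPN network is derived from the server's main IP: its last two octets become the second and third octets of a 10.x.y.0/24 network, so a server at 192.0.2.42 gets 10.2.42.0/24."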