diff --git a/openvpn/README.md b/openvpn/README.md
new file mode 100644
index 00000000..18b459ff
--- /dev/null
+++ b/openvpn/README.md
@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/
diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml
new file mode 100644
index 00000000..dbf2f802
--- /dev/null
+++ b/openvpn/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"
diff --git a/openvpn/files/shellpki b/openvpn/files/shellpki
new file mode 120000
index 00000000..3036d457
--- /dev/null
+++ b/openvpn/files/shellpki
@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/
\ No newline at end of file
diff --git a/openvpn/files/sudo_shellpki b/openvpn/files/sudo_shellpki
new file mode 100644
index 00000000..08ca1ab0
--- /dev/null
+++ b/openvpn/files/sudo_shellpki
@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki
diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml
new file mode 100644
index 00000000..c87985aa
--- /dev/null
+++ b/openvpn/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
+
+- name: restart minifirewall
+ command: /etc/init.d/minifirewall restart
+ register: minifirewall_init_restart
+ failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+ changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
diff --git a/openvpn/meta/main.yml b/openvpn/meta/main.yml
new file mode 100644
index 00000000..7c4a6bd3
--- /dev/null
+++ b/openvpn/meta/main.yml
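Review bot: `openvpn/files/shellpki` is committed as a symlink to an absolute path inside one developer's home directory (`/home/tpilat/GIT/shellpki/`), so the `copy` of `files/shellpki/shellpki.sh` and `files/shellpki/openssl.cnf` in tasks/main.yml only resolves on that workstation and fails with a missing-source error on any other controller. More importantly, the script that lands in `/usr/local/sbin/shellpki` and is granted root through sudoers is whatever happens to be checked out at that path at run time: unpinned, unreviewed by this repository, and invisible to anyone auditing the role. Vendor the two files into `files/shellpki/` (or fetch them from a pinned tag or commit in a task and verify a checksum), drop the symlink, and remove the README line that asks for a clone in `~/GIT/`.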
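Review bot: `%shellpki ALL = (root) /usr/local/sbin/shellpki` lets every member of group `shellpki` run the PKI script as root with any arguments, which presumably means issuing and revoking certificates for this VPN; that looks intended, but nothing in the commit documents who belongs in that group, and since the `shellpki` account created in tasks/main.yml is a nologin system user, group membership is the real trust boundary for the CA. Add a comment above the rule, e.g. `# Members of group shellpki can issue/revoke VPN certificates as root via sudo; keep membership minimal`, and note in the README that the rule carries no NOPASSWD so members authenticate with their own password. The `validate: '/usr/sbin/visudo -cf %s'` on the deploying task is the right guard and should stay.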
@@ -0,0 +1,19 @@
+galaxy_info:
+ author: Evolix
+ description: Installation and custom configuration of OpenVPN server.
+
+ issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+ license: GPLv2
+
+ min_ansible_version: 2.2
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/openvpn/openvpn/README.md b/openvpn/openvpn/README.md
new file mode 100644
index 00000000..18b459ff
--- /dev/null
+++ b/openvpn/openvpn/README.md
@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/
diff --git a/openvpn/openvpn/defaults/main.yml b/openvpn/openvpn/defaults/main.yml
new file mode 100644
index 00000000..dbf2f802
--- /dev/null
+++ b/openvpn/openvpn/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"
diff --git a/openvpn/openvpn/files/shellpki b/openvpn/openvpn/files/shellpki
new file mode 120000
index 00000000..3036d457
--- /dev/null
+++ b/openvpn/openvpn/files/shellpki
@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/
\ No newline at end of file
diff --git a/openvpn/openvpn/files/sudo_shellpki b/openvpn/openvpn/files/sudo_shellpki
new file mode 100644
index 00000000..08ca1ab0
--- /dev/null
+++ b/openvpn/openvpn/files/sudo_shellpki
@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki
diff --git a/openvpn/openvpn/handlers/main.yml b/openvpn/openvpn/handlers/main.yml
new file mode 100644
index 00000000..c87985aa
--- /dev/null
+++ b/openvpn/openvpn/handlers/main.yml
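Review bot: the entire role tree is added a second time under `openvpn/openvpn/` — README, defaults, files, handlers, meta, tasks and templates all reappear with the same blob ids as their `openvpn/` counterparts (this defaults file is `dbf2f802` in both places), which looks like an accidental nested copy from a `cp -r` or a misplaced `git add`. Two copies of the sudoers rule, the developer-home symlink and the DH parameters will silently diverge the first time someone fixes one of them, and Ansible will never load the nested copy as a role anyway. Delete the `openvpn/openvpn/` subtree before merging.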
@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
+
+- name: restart minifirewall
+ command: /etc/init.d/minifirewall restart
+ register: minifirewall_init_restart
+ failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+ changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
diff --git a/openvpn/openvpn/meta/main.yml b/openvpn/openvpn/meta/main.yml
new file mode 100644
index 00000000..7c4a6bd3
--- /dev/null
+++ b/openvpn/openvpn/meta/main.yml
@@ -0,0 +1,19 @@
+galaxy_info:
+ author: Evolix
+ description: Installation and custom configuration of OpenVPN server.
+
+ issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+ license: GPLv2
+
+ min_ansible_version: 2.2
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/openvpn/openvpn/tasks/main.yml b/openvpn/openvpn/tasks/main.yml
new file mode 100644
index 00000000..d58dc4bf
--- /dev/null
+++ b/openvpn/openvpn/tasks/main.yml
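Review bot: the `restart minifirewall` handler's `failed_when` replaces Ansible's default exit-code check, so an init script that prints the `... OK` sentence and then exits non-zero (for example when a later rule fails to load) is reported as success, and the firewall may be left half-applied after the VPN port was supposedly opened. Include the return code in the condition: `failed_when: minifirewall_init_restart.rc != 0 or 'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout`. Matching a fixed English sentence is also brittle if the init script's wording changes; a comment noting which minifirewall version prints it would help the next maintainer.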
@@ -0,0 +1,81 @@
+---
+- name: Install OpenVPN package
+ apt:
+ name: "openvpn"
+ tags:
+ - openvpn
+
+- name: Deploy OpenVPN configuration
+ template:
+ src: "server.conf.j2"
+ dest: "/etc/openvpn/server.conf"
+ mode: "0600"
+ notify: restart openvpn
+ tags:
+ - openvpn
+
+- name: Allow OpenVPN input
+ lineinfile:
+ dest: /etc/default/minifirewall
+ line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
+ regexp: '#OPENVPN$'
+ state: present
+ failed_when: False
+ tags:
+ - openvpn
+ - openvpn-minifirewall
+
+- name: Create /etc/shellpki directory
+ file:
+ path: /etc/shellpki
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0755"
+ tags:
+ - openvpn
+
+- name: Create shellpki user
+ user:
+ name: "shellpki"
+ system: yes
+ state: present
+ home: "/etc/shellpki/"
+ shell: "/usr/sbin/nologin"
+ tags:
+ - openvpn
+
+- include_role:
+ name: remount-usr
+ tags:
+ - openvpn
+
+- name: Copy some shellpki files
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ force: yes
+ with_items:
+ - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+ - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+ tags:
+ - openvpn
+
+- name: Deploy DH PARAMETERS
+ template:
+ src: "dh2048.pem.j2"
+ dest: "/etc/shellpki/dh2048.pem"
+ mode: "0600"
+
+- name: Verify shellpki sudoers file presence
+ copy:
+ src: "sudo_shellpki"
+ dest: "/etc/sudoers.d/shellpki"
+ force: true
+ mode: "0440"
+ validate: '/usr/sbin/visudo -cf %s'
+ tags:
+ - openvpn
diff --git a/openvpn/openvpn/templates/dh2048.pem.j2 b/openvpn/openvpn/templates/dh2048.pem.j2
new file mode 100644
index 00000000..9db20bb3
--- /dev/null
+++ b/openvpn/openvpn/templates/dh2048.pem.j2
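Review bot: the `Allow OpenVPN input` task sets `failed_when: False`, so a failure to edit `/etc/default/minifirewall` is silently swallowed while the play goes on to restart openvpn on a host whose firewall still drops UDP/1194, and even when the line is written the task never notifies the `restart minifirewall` handler that handlers/main.yml defines, so the rule is not loaded until someone restarts the firewall by hand. If the intent is to tolerate hosts without minifirewall, guard the task with a `stat` and `when:` instead of masking every error, and add `notify: restart minifirewall`. Separately, `Deploy DH PARAMETERS` is the only task without `tags: [openvpn]`, so a run with `--tags openvpn` leaves `/etc/shellpki/dh2048.pem` absent while `server.conf` already points at it, and `system: yes` / `force: yes` should be `true` for consistency with the `force: true` used two tasks later.
```yaml
- name: Allow OpenVPN input
  # … unchanged: lineinfile module args, without failed_when …
  notify: restart minifirewall
  # … unchanged: tags …

# … unchanged: shellpki directory, user, remount-usr and copy tasks …

- name: Deploy DH PARAMETERS
  # … unchanged: template module args …
  tags:
    - openvpn
```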
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----
diff --git a/openvpn/openvpn/templates/server.conf.j2 b/openvpn/openvpn/templates/server.conf.j2
new file mode 100644
index 00000000..466bb861
--- /dev/null
+++ b/openvpn/openvpn/templates/server.conf.j2
@@ -0,0 +1,29 @@
+user nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append /var/log/openvpn/openvpn.log
+
+ca /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh /etc/shellpki/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd
diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml
new file mode 100644
index 00000000..d58dc4bf
--- /dev/null
+++ b/openvpn/tasks/main.yml
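Review bot: `dh2048.pem.j2` ships one fixed DH group to every host this role touches, and nothing records where the group came from or when it was generated. DH parameters are public, so the `mode: "0600"` on the deploying task buys nothing, but sharing a single 2048-bit group across all deployments means any precomputation effort against this particular prime pays off on every server at once (the Logjam concern; 2048 bits keeps that impractical today, but the shared-group property is worth a deliberate choice rather than an accident). The file also contains no Jinja, so it is a template in name only. Either generate the group on the host once (`openssl dhparam -out /etc/shellpki/dh2048.pem 2048` under a `creates:` guard), or on OpenVPN 2.4+ use `dh none` with ECDH, and in any case add a header comment such as `# Generated YYYY-MM-DD with: openssl dhparam 2048 — shared by all hosts using this role` so the provenance is visible.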
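Review bot: `management 127.0.0.1 1195 /etc/openvpn/management-pwd` names a password file that no task in this commit deploys, and `ca`/`cert`/`key` point into `/etc/shellpki/`, which the role creates only as an empty directory; on a fresh host the `restart openvpn` handler notified by the template task will fail until the CA has been initialised by hand and the password file written, and neither step is documented. The config also has no `crl-verify` line, so certificates revoked through shellpki (assuming it maintains a CRL — verify against the script) are still accepted by this server, which defeats the point of having a revocation-capable PKI. Suggested additions: `crl-verify /etc/shellpki/crl.pem` (path to confirm against shellpki's layout) and a README section or task for the initial `shellpki init` and creation of `/etc/openvpn/management-pwd`, plus a comment on the `management` line stating that the password file must exist before the first start.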
@@ -0,0 +1,81 @@
+---
+- name: Install OpenVPN package
+ apt:
+ name: "openvpn"
+ tags:
+ - openvpn
+
+- name: Deploy OpenVPN configuration
+ template:
+ src: "server.conf.j2"
+ dest: "/etc/openvpn/server.conf"
+ mode: "0600"
+ notify: restart openvpn
+ tags:
+ - openvpn
+
+- name: Allow OpenVPN input
+ lineinfile:
+ dest: /etc/default/minifirewall
+ line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
+ regexp: '#OPENVPN$'
+ state: present
+ failed_when: False
+ tags:
+ - openvpn
+ - openvpn-minifirewall
+
+- name: Create /etc/shellpki directory
+ file:
+ path: /etc/shellpki
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0755"
+ tags:
+ - openvpn
+
+- name: Create shellpki user
+ user:
+ name: "shellpki"
+ system: yes
+ state: present
+ home: "/etc/shellpki/"
+ shell: "/usr/sbin/nologin"
+ tags:
+ - openvpn
+
+- include_role:
+ name: remount-usr
+ tags:
+ - openvpn
+
+- name: Copy some shellpki files
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ force: yes
+ with_items:
+ - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+ - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+ tags:
+ - openvpn
+
+- name: Deploy DH PARAMETERS
+ template:
+ src: "dh2048.pem.j2"
+ dest: "/etc/shellpki/dh2048.pem"
+ mode: "0600"
+
+- name: Verify shellpki sudoers file presence
+ copy:
+ src: "sudo_shellpki"
+ dest: "/etc/sudoers.d/shellpki"
+ force: true
+ mode: "0440"
+ validate: '/usr/sbin/visudo -cf %s'
+ tags:
+ - openvpn
diff --git a/openvpn/templates/dh2048.pem.j2 b/openvpn/templates/dh2048.pem.j2
new file mode 100644
index 00000000..9db20bb3
--- /dev/null
+++ b/openvpn/templates/dh2048.pem.j2
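Review bot: `Create shellpki user` gives the account a home of `/etc/shellpki/`, the root-owned `0755` directory the previous task creates, yet nothing in the role runs as that user — the script is executed as root through sudoers and `openssl.cnf` is deployed `0640 root:root`, unreadable to `shellpki` — so the account's purpose is unclear and deserves a comment, and `create_home: false` would make explicit that the directory is managed by the task above. More pressing, `server.conf.j2` reads the host key from `/etc/shellpki/private/`, but no task here creates that directory with restrictive permissions; if shellpki's own init step creates `private/` as `0700` (to be confirmed against the script), say so in a comment on the directory task, otherwise add a `file` task for `/etc/shellpki/private` with `mode: "0700"`, `owner: root`, `group: root` before `Deploy DH PARAMETERS`. As a smaller point, `mode: "0600"` on the DH parameters is misleading since the group is public; `"0644"` documents that better.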
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2
new file mode 100644
index 00000000..466bb861
--- /dev/null
+++ b/openvpn/templates/server.conf.j2
@@ -0,0 +1,29 @@
+user nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append /var/log/openvpn/openvpn.log
+
+ca /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh /etc/shellpki/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd
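Review bot: `server.conf.j2` relies on the client certificate alone and leaves the TLS layer at OpenVPN defaults: there is no `tls-auth`/`tls-crypt` key, so anyone on the Internet can start a TLS handshake against UDP/1194 and exercise the server's TLS stack before any authentication; no `remote-cert-tls client`, so a client certificate issued by the same CA can be presented as a server in a man-in-the-middle; and no `tls-version-min`. `cipher AES-128-CBC` is only the legacy data-channel cipher — on the 2.4+ versions the commented `compress` line targets, NCP normally negotiates AES-256-GCM anyway — but it leaves older clients on CBC with the default SHA1 `auth`. The lines below are a reasonable baseline; `tls-crypt` needs 2.4 on both ends, so use `tls-auth` if 2.3 clients must keep working, and the key path and its generation step (`openvpn --genkey --secret …`) need a task and a README note since nothing in the role creates it.
```jinja
# … unchanged: user/group, local/port/proto/dev/mode/keepalive …
tls-crypt /etc/shellpki/ta.key
tls-version-min 1.2
remote-cert-tls client
auth SHA256
cipher AES-128-CBC # legacy data-channel cipher; 2.4+ negotiates AES-256-GCM via NCP
# … unchanged: persist-*, logging, ca/cert/key/dh, server, management …
```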