Add install package libnet-telnet-perl and add check_openvpn.pl

openvpn/README.md

@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/

openvpn/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"

openvpn/files/check_openvpn.pl

@@ -0,0 +1,215 @@
+#!/usr/bin/perl -w
+
+#######################################################################
+#
+# Copyright (c) 2007 Jaime Gascon Romero <jgascon@gmail.com>
+#
+# License Information:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $
+# $Revision: 1.1 $
+# Home Site: http://emergeworld.blogspot.com/
+# #####################################################################
+
+use diagnostics;
+use strict;
+use Net::Telnet ();
+use Getopt::Long qw(:config no_ignore_case);
+use vars qw($PROGNAME $VERSION);
+use lib "/usr/lib/nagios/plugins/";
+use utils qw(%ERRORS);
+
+$PROGNAME = "check_openvpn";
+$VERSION = '$Revision: 1.1 $';
+
+$ENV{'PATH'}='';
+$ENV{'BASH_ENV'}=''; 
+$ENV{'ENV'}='';
+
+my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
+
+sub print_help ();
+sub print_usage ();
+
+GetOptions
+  ("h"  =>  \$opt_h, "help" => \$opt_h,
+   "H=s" => \$opt_H, "host=s"  => \$opt_H,
+   "p=i" => \$opt_p, "port=i" => \$opt_p,
+   "P=s" => \$opt_P, "password=s" => \$opt_P,
+   "t=i" => \$opt_t, "timeout=i" => \$opt_t,
+   "i"  =>  \$opt_i, "ip" => \$opt_i,
+   "n" => \$opt_n, "numeric" => \$opt_n,
+   "c" => \$opt_c, "critical" => \$opt_c,
+   "w" => \$opt_w, "warning" => \$opt_w,
+   "C=s" => \$opt_C, "common_name=s" => \$opt_C,
+   "r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
+  ) or exit $ERRORS{'UNKNOWN'};
+
+# default values
+unless ( defined $opt_t ) {
+   $opt_t = 10;
+}
+
+if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
+
+if ( ! defined($opt_H) || ! defined($opt_p) ) {
+  print_usage();
+  exit $ERRORS{'UNKNOWN'}
+}
+
+my @lines;
+my @clients;
+my @clients_ip;
+my $t;
+
+eval { 
+$t = new Net::Telnet (Timeout => $opt_t,
+                      Port => $opt_p,
+                      Prompt => '/END$/'
+                    );
+$t->open($opt_H);
+if ( defined $opt_P ) {
+  $t->waitfor('/ENTER PASSWORD:$/');
+  $t->print($opt_P);
+}
+$t->waitfor('/^$/');
+@lines = $t->cmd("status 2");
+$t->close;
+};
+
+if ($@) {
+ print "OpenVPN Critical: Can't connect to server\n";
+ exit $ERRORS{'CRITICAL'};
+}
+
+
+if (defined $opt_i || defined $opt_r) {
+  foreach (@lines) {
+    if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
+      push @clients_ip, $1;
+    }
+}
+  if (defined $opt_i) {
+    print "OpenVPN OK: "."@clients_ip ";
+    exit $ERRORS{'OK'};
+  } elsif (defined $opt_r) {
+    if ( ! grep /\b$opt_r\b/, @clients_ip) {
+      if (defined $opt_c) {
+        print "OpenVPN CRITICAL: $opt_r don't found";
+        exit $ERRORS{'CRITICAL'};
+      } else {
+        print "OpenVPN WARNING: $opt_r don't found";
+        exit $ERRORS{'WARNING'};
+      }
+    }
+    print "OpenVPN OK: "."@clients_ip ";
+    exit $ERRORS{'OK'};
+  }
+}
+
+foreach (@lines) {
+  if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
+    push @clients, $1;
+  }
+}
+
+if (defined $opt_C) {
+  if ( ! grep /\b$opt_C\b/, @clients) {
+    if (defined $opt_c) {
+      print "OpenVPN CRITICAL: $opt_C don't found";
+      exit $ERRORS{'CRITICAL'};
+    } else {
+      print "OpenVPN WARNING: $opt_C don't found";
+      exit $ERRORS{'WARNING'};
+    }
+  }
+}
+
+
+if (defined $opt_n) {
+print "OpenVPN OK: ".@clients." connected clients.";
+exit $ERRORS{'OK'};
+}
+
+print "OpenVPN OK: "."@clients ";
+exit $ERRORS{'OK'};
+
+#######################################################################
+###### Subroutines ####################################################
+
+sub print_usage() {
+  print "Usage: $PROGNAME -H | --host <IP or hostname> -p | --port <port number> [-P | --password] <password> [-t | --timeout] <timeout in seconds> 
+                    [-i | --ip] [-n | --numeric] [-C | --common_name] <common_name> [-r | --remote_ip] <remote_ip> [-c | --critical] [-w | --warning]\n\n";
+  print "       $PROGNAME [-h | --help]\n";
+}
+
+sub print_help() {
+  print "$PROGNAME $VERSION\n\n";
+  print "Copyright (c) 2007 Jaime Gascon Romero
+
+Nagios plugin to check the clients connected to a openvpn server.
+
+";
+ print_usage();
+  print "
+-H | --host
+  IP address or hostname of the openvpn server.
+
+-p | --port
+  Management port interface of the openvpn server.
+
+-P | --password
+  Password for the management interface of the openvpn server.
+
+-t | --timeout
+  Timeout for the connection attempt. Optional, default 10 seconds.
+
+
+        Optional parameters
+        ===================
+
+-i | --ip
+  Prints the IP address of the remote client instead of the common name.
+
+-n | --numeric
+  Prints the number of clients connected to the openvpn server.
+
+
+        Matching Parameters
+        ===================
+
+-C | --common_name
+  The common name, as it is specified in the client certificate, who is wanted to check.
+
+-r | --remote_ip
+  The client remote ip address who is wanted to check.
+
+-c | --critical
+  Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
+
+-w | --warning
+  Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
+
+
+       Other Parameters
+       ================
+
+-h | --help
+  Show this help.
+";
+
+}
+
+# vim:sts=2:sw=2:ts=2:et

openvpn/files/shellpki

@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/

openvpn/files/sudo_shellpki

@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki

openvpn/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+  service:
+    name: openvpn
+    state: restarted
+
+- name: restart minifirewall
+  command: /etc/init.d/minifirewall restart
+  register: minifirewall_init_restart
+  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"

openvpn/meta/main.yml

@@ -0,0 +1,19 @@
+galaxy_info:
+  author: Evolix
+  description: Installation and custom configuration of OpenVPN server.
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+  - name: Debian
+    versions:
+    - stretch
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.

openvpn/openvpn/README.md

@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/

openvpn/openvpn/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"

openvpn/openvpn/files/shellpki

@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/

openvpn/openvpn/files/sudo_shellpki

@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki

openvpn/openvpn/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+  service:
+    name: openvpn
+    state: restarted
+
+- name: restart minifirewall
+  command: /etc/init.d/minifirewall restart
+  register: minifirewall_init_restart
+  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"

openvpn/openvpn/meta/main.yml

@@ -0,0 +1,19 @@
+galaxy_info:
+  author: Evolix
+  description: Installation and custom configuration of OpenVPN server.
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+  - name: Debian
+    versions:
+    - stretch
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.

openvpn/openvpn/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+- name: Install OpenVPN package
+  apt:
+    name: "openvpn"
+    name: "libnet-telnet-perl"
+  tags:
+  - openvpn
+
+- name: Deploy OpenVPN configuration
+  template:                    
+    src: "server.conf.j2" 
+    dest: "/etc/openvpn/server.conf"
+    mode: "0600"               
+  notify: restart openvpn
+  tags:
+  - openvpn
+
+- name: Allow OpenVPN input
+  lineinfile: 
+    dest: /etc/default/minifirewall
+    line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
+    regexp: '#OPENVPN$'
+    state: present
+  failed_when: False
+  tags:
+  - openvpn
+  - openvpn-minifirewall
+
+- name: Create /etc/shellpki directory
+  file:
+    path: /etc/shellpki
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  tags:
+  - openvpn
+
+- name: Create shellpki user
+  user:
+    name: "shellpki"
+    system: yes
+    state: present    
+    home: "/etc/shellpki/"
+    shell: "/usr/sbin/nologin"
+  tags:
+  - openvpn
+
+- include_role:
+    name: remount-usr
+  tags:
+  - openvpn
+
+- name: Copy some shellpki files
+  copy: 
+    src: "{{ item.src }}"      
+    dest: "{{ item.dest }}"    
+    owner: root                
+    group: root
+    mode: "{{ item.mode }}"
+    force: yes                 
+  with_items:
+          - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+          - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+  tags:
+    - openvpn
+
+- name: Deploy DH PARAMETERS
+  template:                    
+    src: "dh2048.pem.j2" 
+    dest: "/etc/shellpki/dh2048.pem"
+    mode: "0600"               
+
+- name: Verify shellpki sudoers file presence
+  copy:
+    src: "sudo_shellpki"
+    dest: "/etc/sudoers.d/shellpki"
+    force: true
+    mode: "0440"               
+    validate: '/usr/sbin/visudo -cf %s'
+  tags:
+  - openvpn

openvpn/openvpn/templates/dh2048.pem.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----

openvpn/openvpn/templates/server.conf.j2

@@ -0,0 +1,29 @@
+user  nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append  /var/log/openvpn/openvpn.log
+
+ca   /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key  /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh   /etc/shellpki/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd

openvpn/tasks/main.yml

@@ -0,0 +1,94 @@
+---
+- name: Install OpenVPN package
+  apt:
+    name: "openvpn"
+  tags:
+  - openvpn
+
+- name: Deploy OpenVPN configuration
+  template:                    
+    src: "server.conf.j2" 
+    dest: "/etc/openvpn/server.conf"
+    mode: "0600"               
+  notify: restart openvpn
+  tags:
+  - openvpn
+
+- name: Allow OpenVPN input
+  lineinfile: 
+    dest: /etc/default/minifirewall
+    line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
+    regexp: '#OPENVPN$'
+    state: present
+  failed_when: False
+  tags:
+  - openvpn
+  - openvpn-minifirewall
+
+- name: Create /etc/shellpki directory
+  file:
+    path: /etc/shellpki
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  tags:
+  - openvpn
+
+- name: Create shellpki user
+  user:
+    name: "shellpki"
+    system: yes
+    state: present    
+    home: "/etc/shellpki/"
+    shell: "/usr/sbin/nologin"
+  tags:
+  - openvpn
+
+- include_role:
+    name: remount-usr
+  tags:
+  - openvpn
+
+- name: Copy some shellpki files
+  copy: 
+    src: "{{ item.src }}"      
+    dest: "{{ item.dest }}"    
+    owner: root                
+    group: root
+    mode: "{{ item.mode }}"
+    force: yes                 
+  with_items:
+          - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+          - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+  tags:
+    - openvpn
+
+- name: Deploy DH PARAMETERS
+  template:                    
+    src: "dh2048.pem.j2" 
+    dest: "/etc/shellpki/dh2048.pem"
+    mode: "0600"               
+
+- name: Verify shellpki sudoers file presence
+  copy:
+    src: "sudo_shellpki"
+    dest: "/etc/sudoers.d/shellpki"
+    force: true
+    mode: "0440"               
+    validate: '/usr/sbin/visudo -cf %s'
+  tags:
+  - openvpn
+
+- name: Copy check_openvpn
+  copy: 
+    src: "{{ item.src }}"      
+    dest: "{{ item.dest }}"    
+    owner: root                
+    group: root
+    mode: "{{ item.mode }}"
+    force: yes                 
+  with_items:
+          - { src: 'files/check_openvpn.pl', dest: '/usr/lib/nagios/plugins/check_openvpn.pl', mode: '0755' }
+  tags:
+    - openvpn

openvpn/templates/dh2048.pem.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----

openvpn/templates/server.conf.j2

@@ -0,0 +1,29 @@
+user  nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append  /var/log/openvpn/openvpn.log
+
+ca   /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key  /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh   /etc/shellpki/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd