7c632352a0
The behaviour of the `include` module is badly defined (it tries to choose between statically importing the tasks and dynamically including them) and can cause problems depending on any number of constraints (mostly if it chooses the wrong behaviour). Replace it with the `import_tasks` (always statically import tasks) unless the `include` is in a loop in which case we replace it with `include_tasks` (always dynamically include tasks).
Role contents:

- defaults
- files
- handlers
- tasks
- templates
- README.md
# OpenVPN

Install and configure OpenVPN, based on our HowtoOpenVPN wiki.

## Tasks

Everything is in the `tasks/main.yml` file.

Some manual actions are requested at the end of the playbook, to be done before finishing the playbook. Here is a copy of what is requested:

- You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times.
- You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked.
- You have to manually create the server's certificate with `shellpki create server.example.com`.
- You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters: `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed).
- Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD.

Then, you can use `shellpki` to generate client certificates.
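The manual step that most often gets skipped is the `key` line, which the README says has to be added rather than just checked. The following POSIX shell script is an added example (it is not part of the role) that verifies, before the service is restarted, that every directive named above is present in `server.conf` as an uncommented line. The sample configuration it builds is constructed for the demo; the certificate paths in it are placeholders, not locations the role uses.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN role: check that server.conf carries
# the directives the README asks you to check or add, ignoring lines that are
# commented out with '#' or ';'.
#   usage: check_server_conf /etc/openvpn/server.conf
# Prints "missing: <directive>" for each absent directive; returns 1 if any is
# missing, 2 if the file cannot be read, 0 otherwise.

REQUIRED_DIRECTIVES="local cert key server push"

# conf_has FILE DIRECTIVE: true if an uncommented line starts with DIRECTIVE
# followed by whitespace or end of line (so "keysize" does not satisfy "key").
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

check_server_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=0
    for directive in $REQUIRED_DIRECTIVES; do
        if ! conf_has "$conf" "$directive"; then
            echo "missing: $directive"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on a constructed configuration: the "key" line is commented out on
# purpose, mirroring the state the README describes ("key (to add)").
# Paths are placeholders, not the role's real locations.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample server.conf for the demo
local 192.0.2.1
port 1194
proto udp
dev tun
cert /path/to/server.example.com.crt
;key /path/to/server.example.com.key
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
EOF
    if check_server_conf "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}
```

Run it against the real file after editing and before `systemctl restart openvpn@server.service`; a non-zero exit means the restart would bring up a server with a directive still missing.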
## Variables

- `openvpn_lan`: network to use for OpenVPN
- `openvpn_netmask`: netmask of the network to use for OpenVPN
- `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation
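The role derives `openvpn_netmask_cidr` from `openvpn_netmask` inside Ansible. As an added example (not the role's own code), the POSIX shell function below performs the same dotted-quad to prefix-length conversion and additionally rejects malformed or non-contiguous masks such as `255.0.255.0`, which a naive bit count would silently accept and which would yield a wrong `server` line.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN role: convert a dotted-quad netmask
# (the role's openvpn_netmask) to its CIDR prefix length (openvpn_netmask_cidr).
#   usage: netmask_to_cidr 255.255.255.0   -> prints 24
# Returns 1 without printing anything if the mask is malformed or its set bits
# are not contiguous from the left.

netmask_to_cidr() {
    mask=$1
    m=0
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $mask; do
        # Accept 0-255 written without leading zeros; a leading zero would be
        # read as octal by shell arithmetic, so it is rejected rather than guessed.
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) IFS=$oldifs; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        m=$(( (m << 8) | $octet ))
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ] || return 1
    # Contiguity check: the inverted 32-bit mask plus one must be a power of
    # two (e.g. ~255.255.255.0 = 0xFF, 0xFF + 1 = 0x100).
    inv=$(( (~m) & 0xFFFFFFFF ))
    [ $(( (inv + 1) & inv )) -eq 0 ] || return 1
    # Count the set bits; for a contiguous mask that is the prefix length.
    bits=0
    while [ "$m" -ne 0 ]; do
        bits=$(( bits + (m & 1) ))
        m=$(( m >> 1 ))
    done
    printf '%s\n' "$bits"
}
```

A quick way to sanity-check a value before running the playbook is `netmask_to_cidr "$openvpn_netmask"` and comparing the output with what the role generates.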
## Dependencies

- Files in `files/shellpki/*` come from the upstream shellpki and must be updated when the upstream is.