ansible-roles/openvpn
Mathieu Trossevin 7c632352a0
Replace the include module with include_tasks or import_tasks
The behaviour of the `include` module is badly defined (it tries to choose
between statically importing the tasks and dynamically including them)
and can cause problems depending on any number of constraints (mostly if
it chooses the wrong behaviour).

Replace it with the `import_tasks` (always statically import tasks) unless
the `include` is in a loop in which case we replace it with
`include_tasks` (always dynamically include tasks).
2023-01-03 14:43:42 +01:00
defaults Write an openvpn role 2022-01-24 19:12:48 +01:00
files openvpn: shellpki upstream release 22.12.2 2022-12-13 17:50:09 +01:00
handlers openvpn: make it compatible with OpenBSD and add some improvements 2022-02-03 18:35:16 +01:00
tasks Replace the include module with include_tasks or import_tasks 2023-01-03 14:43:42 +01:00
templates openvpn: Run OpenVPN with the _openvpn user and group instead of nobody which is originally for NFS 2022-09-06 11:27:20 +02:00
README.md openvpn: update README 2022-04-14 16:38:43 +02:00

OpenVPN

Install and configure OpenVPN, based on our HowtoOpenVPN wiki

Tasks

Everything is in the tasks/main.yml file. Some manual actions are requested at the end of the playbook run; they have to be carried out before the setup is complete.

Here is a copy of what is requested:

  • You have to manually create the CA on the server with shellpki init server.example.com. The command will ask you to choose a password, and will then ask you to enter that same password several more times.
  • You have to manually generate the CRL on the server with openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf. You will be prompted for the password chosen above. The CRL is only valid until the nextUpdate date set by default_crl_days (or default_crl_hours) in that openssl.cnf, so it has to be regenerated before then: once server.conf enables crl-verify, OpenVPN rejects every client as soon as the CRL has expired, not just the revoked ones.
  • You have to manually create the server's certificate with shellpki create server.example.com.
  • You have to adjust the config file /etc/openvpn/server.conf for the following parameters: local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
  • Finally, you can (re)start the OpenVPN service with systemctl restart openvpn@server.service on Debian, or rcctl restart openvpn on OpenBSD.

Then, you can use shellpki to generate client certificates.
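The manual steps above produce a CA, a CRL, a server certificate and a private key that all have to fit together before OpenVPN is restarted, and the role cannot verify that for you. The script below is an added example, not part of this role or of shellpki: it runs the checks a practitioner wants before the restart, using only the openssl CLI. It takes the README's CA and CRL paths (/etc/shellpki/cacert.pem, /etc/shellpki/crl.pem) plus the server certificate, key and server.conf paths as arguments, because the role does not fix the certificate and key paths here; those are assumptions. Its demo mode builds a throwaway PKI with plain openssl in place of shellpki (constructed data only) and runs the checks twice, once with a fresh CRL and once with an already expired one.

```shell
#!/bin/sh
# Post-playbook PKI sanity check (added example, not part of the openvpn role).
# CA and CRL paths follow the README (/etc/shellpki/cacert.pem, /etc/shellpki/crl.pem);
# the server certificate/key paths and the server.conf location are assumptions,
# so all five are passed as arguments.  Requires only the openssl CLI.

# check_pki CA CRL CERT KEY CONF: exit 0 only if every check passes
check_pki() {
    ca=$1 crl=$2 cert=$3 key=$4 conf=$5 fails=0

    # 1. The CA certificate must really be a CA (basicConstraints CA:TRUE).
    if openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "ok   $ca is a CA certificate"
    else
        echo "FAIL $ca is missing or not a CA certificate"; fails=$((fails + 1))
    fi

    # 2. The server certificate must chain to the CA, and the CRL must be signed by
    #    that CA and still be inside its validity window.  This mirrors what OpenVPN
    #    does for crl-verify: an expired CRL fails with "CRL has expired", and
    #    OpenVPN then refuses every client, not just the revoked ones.
    if openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" >/dev/null 2>&1; then
        echo "ok   $cert verifies against $ca with CRL $crl"
    else
        echo "FAIL $cert does not verify (wrong CA, bad signature or expired CRL $crl)"
        fails=$((fails + 1))
    fi

    # 3. The private key must belong to the certificate (same public key).
    if [ -s "$key" ] && [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
                          "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "ok   $key matches $cert"
    else
        echo "FAIL $key is missing or does not match $cert"; fails=$((fails + 1))
    fi

    # 4. server.conf must carry the 'key' directive the README asks you to add.
    if grep -q '^key[[:space:]]' "$conf" 2>/dev/null; then
        echo "ok   $conf names a key file"
    else
        echo "FAIL $conf has no key directive"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# make_demo_pki DIR: constructed demo data only.  Builds a throwaway CA, a server
# cert/key, a fresh CRL, an already expired CRL and a minimal server.conf in DIR
# with plain openssl, standing in for what shellpki init/create and the README's
# 'openssl ca -gencrl' step produce on a real server.
make_demo_pki() {
    wd=$1
    cat >"$wd/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $wd/index.txt
certificate = $wd/cacert.pem
private_key = $wd/cakey.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    : >"$wd/index.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$wd/openssl.cnf" \
        -extensions v3_ca -subj /CN=demo-ca -keyout "$wd/cakey.key" -out "$wd/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$wd/openssl.cnf" \
        -subj /CN=server.example.com -keyout "$wd/server.key" -out "$wd/server.csr" 2>/dev/null
    openssl x509 -req -in "$wd/server.csr" -CA "$wd/cacert.pem" -CAkey "$wd/cakey.key" \
        -CAcreateserial -days 30 -sha256 -out "$wd/server.crt" 2>/dev/null
    # Same command shape as the README step; default_crl_days gives the 30-day window.
    openssl ca -gencrl -config "$wd/openssl.cnf" -keyfile "$wd/cakey.key" \
        -cert "$wd/cacert.pem" -out "$wd/crl.pem" 2>/dev/null
    # A CRL whose nextUpdate is one second away: after the sleep it has expired.
    openssl ca -gencrl -config "$wd/openssl.cnf" -keyfile "$wd/cakey.key" \
        -cert "$wd/cacert.pem" -crlsec 1 -out "$wd/crl-expired.pem" 2>/dev/null
    sleep 2
    printf 'cert %s/server.crt\nkey %s/server.key\n' "$wd" "$wd" >"$wd/server.conf"
}

case "${1:-}" in
    demo)  # sh pki-check.sh demo: build the throwaway PKI and run both checks
        wd=$(mktemp -d)
        make_demo_pki "$wd"
        check_pki "$wd/cacert.pem" "$wd/crl.pem" "$wd/server.crt" "$wd/server.key" "$wd/server.conf"
        echo "--- with the expired CRL:"
        check_pki "$wd/cacert.pem" "$wd/crl-expired.pem" "$wd/server.crt" "$wd/server.key" "$wd/server.conf"
        rm -rf "$wd" ;;
    check) # sh pki-check.sh check CA CRL CERT KEY CONF: check a real server
        shift; check_pki "$@" ;;
esac
```

Run sh pki-check.sh demo to see the first pass succeed and the second fail on check 2 with the expired CRL, which is exactly the state a server with crl-verify ends up in when the CRL is not regenerated in time. On a real host, run sh pki-check.sh check /etc/shellpki/cacert.pem /etc/shellpki/crl.pem CERT KEY /etc/openvpn/server.conf with the certificate and key paths you put in server.conf, and only restart OpenVPN once every line reads ok.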

Variables

  • openvpn_lan: network to use for OpenVPN
  • openvpn_netmask: netmask of the network to use for OpenVPN
  • openvpn_netmask_cidr: automatically generated prefix length of the netmask, in CIDR notation

Dependencies

  • Files in files/shellpki/* are taken from the upstream shellpki release and must be refreshed whenever upstream publishes a new one.