ansible-roles/openvpn
Jérémy Dubois 0a4a220bdf
openvpn: earlier alert for CA expiration
2024-02-21 10:51:08 +01:00
defaults Write an openvpn role 2022-01-24 19:12:48 +01:00
files openvpn: earlier alert for CA expiration 2024-02-21 10:51:08 +01:00
handlers Use FQCN 2023-03-20 23:33:19 +01:00
tasks force: [yes,no] → force [true,false] 2023-06-28 13:25:30 +02:00
templates openvpn: fix the client cipher configuration to match the server cipher configuration 2023-01-12 14:29:18 +01:00
README.md openvpn: updated the README file 2023-03-22 15:21:58 +01:00

README.md

OpenVPN

Install and configure OpenVPN, based on our HowtoOpenVPN wiki

Tasks

Everything is in the tasks/main.yml file.

Here is what this role does:

  • Installs and configures OpenVPN
  • Installs and configures shellpki
  • Authorizes users in the shellpki group to use shellpki with sudo
  • Configures NAT if minifirewall is present (Debian only)
  • Allows public connections to port UDP/1194, in minifirewall if it is present or in PacketFilter on OpenBSD
  • Enables IPv4 forwarding with sysctl
  • Configures NRPE to check OpenVPN
  • Adds a cron job to warn about certificate expiration
  • Initializes the CA and creates the server certificate

NAT allows servers reached through OpenVPN to be reached by the public IP of the OpenVPN server. The public IP of the OpenVPN server must therefore be allowed on the end servers.

Some manual actions are requested at the end of the playbook; they must be done before the playbook is considered finished:

  • Check the configuration file "/etc/openvpn/server.conf", adjust it if necessary, and then restart the OpenVPN service with "rcctl restart openvpn".
  • You must take note of the generated CA password and store it in your password manager.

Finally, you can use shellpki to generate client certificates.

Variables

  • openvpn_lan: network to use for OpenVPN
  • openvpn_netmask: netmask of the network to use for OpenVPN
  • openvpn_netmask_cidr: automatically generated prefix length of the netmask, in CIDR notation

By default, if the server IP is 192.0.2.42, the OpenVPN LAN will be 10.2.42.0/24: the last two octets of the server's main IP become the second and third octets of the OpenVPN LAN.

Dependencies

  • Files in files/shellpki/* come from the upstream shellpki project and must be updated whenever upstream changes.