ansible-roles/openvpn
Jérémy Dubois de0c4fd314
openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
2022-08-10 17:23:47 +02:00
  • defaults: Write an openvpn role (2022-01-24 19:12:48 +01:00)
  • files: openvpn: configure logrotate (2022-06-30 10:12:36 +02:00)
  • handlers: openvpn: make it compatible with OpenBSD and add some improvements (2022-02-03 18:35:16 +01:00)
  • tasks: openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command (2022-08-10 17:23:47 +02:00)
  • templates: openvpn: use a subnet topology instead of the net30 default topology (2022-03-23 10:46:17 +01:00)
  • README.md: openvpn: update README (2022-04-14 16:38:43 +02:00)

README.md

OpenVPN

Install and configure OpenVPN, based on our HowtoOpenVPN wiki

Tasks

Everything is in the tasks/main.yml file. Some manual actions are requested at the end of the playbook; they must be carried out before the playbook can be considered finished.

Here is a copy of what is requested:

  • You have to manually create the CA on the server with shellpki init server.example.com. The command will ask you to create a password and then to enter the same one again several times.
  • You have to manually generate the CRL on the server with openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf. You will be asked for the password created in the previous step.
  • You have to manually create the server's certificate with shellpki create server.example.com.
  • You have to adjust the config file /etc/openvpn/server.conf for the following parameters: local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
  • Finally, you can (re)start the OpenVPN service with systemctl restart openvpn@server.service on Debian, or rcctl restart openvpn on OpenBSD.
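As an added example (not the role's own code), a shell check to run on the server after the manual steps above and before the final restart: it reports which of the listed server.conf directives are still missing and verifies the shellpki files against the certificate and key named in the config. The server.conf path is passed as first argument; the PKI directory defaults to the README's /etc/shellpki, and the certificate and key locations are read from the config rather than assumed.

```shell
#!/bin/sh
# Added example (not part of the role): checks to run after the manual shellpki steps and
# before restarting OpenVPN. Pass the server.conf path as first argument; PKI dir defaults
# to the README's /etc/shellpki.

# Directives the README tells you to check or add in server.conf.
REQUIRED_DIRECTIVES="local cert key server push"

# Echo the required directives absent from the config (commented lines ignored); status 1 if any.
missing_directives() {
    missing=""
    for d in $REQUIRED_DIRECTIVES; do
        # A live directive starts the line and is followed by a blank or end of line.
        if ! grep -Eq "^[[:space:]]*${d}([[:space:]]|\$)" "$1"; then
            missing="${missing:+$missing }$d"
        fi
    done
    echo "$missing"
    [ -z "$missing" ]
}

# Echo the first argument of a directive (first occurrence): directive_value conf name
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# The CA key/cert and CRL created by the shellpki steps must exist, the "key" file must
# exist, and the "cert" file must chain to the CA and not be revoked. Status 0 on success.
verify_pki() {
    conf="$1" pki="${2:-/etc/shellpki}" rc=0
    for f in "$pki/cakey.key" "$pki/cacert.pem" "$pki/crl.pem"; do
        [ -s "$f" ] || { echo "missing: $f"; rc=1; }
    done
    key=$(directive_value "$conf" key)
    cert=$(directive_value "$conf" cert)
    [ -s "$key" ] || { echo "key file not found: $key"; rc=1; }
    if [ -s "$cert" ]; then
        openssl verify -crl_check -CAfile "$pki/cacert.pem" -CRLfile "$pki/crl.pem" "$cert" || rc=1
    else
        echo "cert file not found: $cert"; rc=1
    fi
    return $rc
}

if [ $# -ge 1 ]; then
    m=$(missing_directives "$1") || { echo "still missing in $1: $m"; exit 1; }
    verify_pki "$1" "$2" && echo "OK: ready to restart OpenVPN"
fi
```

Run it as `sh check-openvpn.sh /etc/openvpn/server.conf`; a non-zero exit with the printed reasons means one of the manual steps is not finished.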

Then, you can use shellpki to generate client certificates.

Variables

  • openvpn_lan: network to use for OpenVPN
  • openvpn_netmask: netmask of the network to use for OpenVPN
  • openvpn_netmask_cidr: automatically generated prefix length of the netmask, in CIDR notation

Dependencies

  • Files in files/shellpki/* are taken from the upstream shellpki project and must be updated whenever upstream changes.