diff --git a/.cache/roles/Stouts.openvpn b/.cache/roles/Stouts.openvpn
deleted file mode 120000
index c25bddb..0000000
--- a/.cache/roles/Stouts.openvpn
+++ /dev/null
@@ -1 +0,0 @@
-../..
\ No newline at end of file
diff --git a/.cache/roles/klen.Stouts.openvpn b/.cache/roles/klen.Stouts.openvpn
deleted file mode 120000
index c25bddb..0000000
--- a/.cache/roles/klen.Stouts.openvpn
+++ /dev/null
@@ -1 +0,0 @@
-../..
\ No newline at end of file
diff --git a/.cache/roles/stouts.openvpn b/.cache/roles/stouts.openvpn
deleted file mode 120000
index c25bddb..0000000
--- a/.cache/roles/stouts.openvpn
+++ /dev/null
@@ -1 +0,0 @@
-../..
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
index dbd9112..918fd3e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -30,6 +30,11 @@ openvpn_keydir: "{{ openvpn_etcdir }}/keys"
 # README. Then you can simply point this variable to the pki folder of the
 # easyrsa installation and all keys/certificates will be located fine.
 # }}}
+
+openvpn_ca_certs_file: '{{ openvpn_keydir }}/ca.crt'
+openvpn_server_cert_file: '{{ openvpn_keydir }}/issued/server.crt'
+openvpn_server_key_file: '{{ openvpn_keydir }}/private/server.key'
+
 # Server configuration {{{
 # Default settings (See OpenVPN documentation)
 openvpn_host: "{{ inventory_hostname }}"
@@ -44,7 +49,7 @@ openvpn_log: /var/log/openvpn.log
 openvpn_keepalive: "10 120"
 openvpn_ifconfig_pool_persist: ipp.txt
 openvpn_compression: false
-openvpn_ncp_ciphers: 'AES-256-GCM:AES-128-GCM'
+openvpn_data_ciphers: 'AES-256-GCM:AES-128-GCM'
 openvpn_status: openvpn-status.log
 openvpn_verb: 3
 openvpn_user: nobody
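Review bot: Renaming `openvpn_ncp_ciphers` to `openvpn_data_ciphers` in the second hunk also changes the emitted directive from `ncp-ciphers` to `data-ciphers` in templates/server.conf.j2 and templates/client.conf.j2 later in this diff, and `data-ciphers` is only understood by OpenVPN 2.5 and newer, whereas `ncp-ciphers` is still accepted there as an alias. A 2.4 server, or any 2.4 client that receives the generated .ovpn, rejects the config with an unrecognized-option error, so this is a silent compatibility floor rather than a pure rename. If older peers must keep working, keep the directive spelling behind a version switch; otherwise document the floor next to the variable, e.g. `# Rendered as the data-ciphers directive (OpenVPN >= 2.5; 2.4 only knows ncp-ciphers)`.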
@@ -177,9 +182,17 @@ openvpn_use_pam_users: [] # LDAP authentication and configuration (optional) openvpn_use_ldap: false +openvpn_ldap_config: '{{ openvpn_etcdir }}/auth-ldap.conf' +openvpn_ldap_server: # ldapserver.example.org or ldap://ldapserver.example.org openvpn_ldap_tlsenable: 'false' openvpn_ldap_follow_referrals: 'false' - +openvpn_ldap_password_is_cr: 'false' +openvpn_ldap_bind_dn: # cn=administrator,cn=users,dc=ctc,dc=local +openvpn_ldap_bind_password: +openvpn_ldap_base_dn: # dc=ctc,dc=local +openvpn_ldap_search_filter: # sAMAccountName=%u +openvpn_ldap_group_base_dn: # ou=groups,dc=ctc,dc=local if empty fallback to openvpn_ldap_base_dn +openvpn_ldap_group_search_filter: # cn=OpenVPNUsers # Use simple authentication (default is disabled) openvpn_simple_auth: false openvpn_simple_auth_password: "" @@ -204,6 +217,13 @@ openvpn_script_output_directories: [] # A path on the OpenVPN server where OpenVPN scripts should be uploaded to. openvpn_scripts_dir: "{{ openvpn_etcdir }}/scripts/" +# In some distros, the server with `foobar.conf` config file can be managed +# using `openvpn@foobar` service +openvpn_config_file: "{{ openvpn_etcdir }}/server.conf" +openvpn_service_name: '' # use the default os-dependent + +openvpn_client_config_dir: "{{ openvpn_etcdir }}/ovpns" + # A list of files located on the Ansible controller that the role should upload. # The scripts will be uploaded under `openvpn_scripts_dir`. You can reference # them in `openvpn_server_options` for the OpenVPN configuration option you diff --git a/handlers/main.yml b/handlers/main.yml index 7eec5fe..26d2ba5 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,8 +33,8 @@ - ansible_lsb.codename != "trusty" listen: openvpn save iptables -- name: Restart OpenVPN service +- name: Restart OpenVPN service ({{ openvpn_service_name or penvpn_service }}) service: - name: "{{ openvpn_service }}" + name: "{{ openvpn_service_name or penvpn_service }}" state: restarted listen: openvpn restart 
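Review bot: The new LDAP defaults in the first hunk are bare keys (`openvpn_ldap_bind_dn:`, `openvpn_ldap_bind_password:`, `openvpn_ldap_base_dn:`, `openvpn_ldap_group_base_dn:`, ...), which YAML loads as null rather than as an empty string; the auth-ldap.conf.j2 hunk later in this diff relies on `default()` to fall back, and `default()` does not fire for a defined null, so the "if empty fallback to openvpn_ldap_base_dn" comment does not hold. Write the empty defaults as `''` (the file already does this for `openvpn_simple_auth_password: ""`) or leave them undefined. `openvpn_ldap_bind_password` is a credential that now has a role-level default; a short comment steering users to a vaulted variable, plus `no_log` on the task that renders it, would make the intended handling explicit.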
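Review bot: In the second hunk `openvpn_config_file` becomes configurable, but the service name that `openvpn_service_name: ''` falls back to is `openvpn_service` from vars/os/*.yml, and the new vars/os/Debian.bullseye.yml in this diff hardcodes the `openvpn@server` instance. A user who sets `openvpn_config_file: "{{ openvpn_etcdir }}/foobar.conf"` without also setting `openvpn_service_name` therefore gets a unit that points at a config the role no longer writes. Either derive the default from the config file name or state the coupling in the comment, e.g. `# If you rename the config file, set openvpn_service_name too (openvpn@<basename without .conf> on systemd)`.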
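Review bot: `{{ openvpn_service_name or penvpn_service }}` in the handler's `name:` (and in its title) drops the leading `o` of `openvpn_service`; since the new default is `openvpn_service_name: ''`, the `or` branch is always taken and the restart handler fails on an undefined variable (or, where undefined-variable errors are disabled, acts on an empty service name). The same typo appears in tasks/service.yml later in this diff, so every run that reaches the service tasks breaks. Change both to `name: "{{ openvpn_service_name or openvpn_service }}"`.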
diff --git a/molecule/default/.cache/roles/stouts.openvpn b/molecule/default/.cache/roles/stouts.openvpn deleted file mode 120000 index c25bddb..0000000 --- a/molecule/default/.cache/roles/stouts.openvpn +++ /dev/null @@ -1 +0,0 @@ -../.. \ No newline at end of file diff --git a/tasks/assertions.yml b/tasks/assertions.yml index e7f7b8c..32a7c36 100644 --- a/tasks/assertions.yml +++ b/tasks/assertions.yml @@ -21,5 +21,5 @@ - name: openvpn_comp_lzo replacement: openpvpn_compression - name: openvpn_cipher - replacement: openvpn_ncp_ciphers + replacement: openvpn_data_ciphers diff --git a/tasks/authentication/ldap.yml b/tasks/authentication/ldap.yml index 5fbb1eb..a23982c 100644 --- a/tasks/authentication/ldap.yml +++ b/tasks/authentication/ldap.yml @@ -3,6 +3,6 @@ - name: Setup LDAP template: src: authentication/auth-ldap.conf.j2 - dest: /etc/openvpn/auth-ldap.conf + dest: '{{ openvpn_ldap_config }}' mode: 0o644 when: openvpn_use_ldap | bool diff --git a/tasks/authentication/tls.yml b/tasks/authentication/tls.yml index 1439a58..a4fb111 100644 --- a/tasks/authentication/tls.yml +++ b/tasks/authentication/tls.yml @@ -2,7 +2,7 @@ - name: Generate tls-auth key command: - openvpn --genkey --secret "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + openvpn --genkey --secret "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}" args: - creates: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + creates: "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}" when: openvpn_tls_auth diff --git a/tasks/core/clients.yml b/tasks/core/clients.yml index 6bbbb6a..e6d5b60 100644 --- a/tasks/core/clients.yml +++ b/tasks/core/clients.yml @@ -3,8 +3,8 @@ - name: Generate client configurations template: src: "{{ openvpn_client_conf_template }}" - dest: "{{ openvpn_etcdir }}/ovpns/{{ _openvpn__client }}.ovpn" mode: 0o644 + dest: "{{ openvpn_client_config_dir }}/{{ item }}.ovpn" loop: "{{ openvpn_clients }}" loop_control: loop_var: _openvpn__client 
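Review bot: The deprecation table in tasks/assertions.yml maps `openvpn_cipher` to `openvpn_data_ciphers` but nothing flags the variable this commit itself retires, so an inventory still setting `openvpn_ncp_ciphers` silently falls back to the new default instead of failing the assertion. Add an entry `- name: openvpn_ncp_ciphers` / `  replacement: openvpn_data_ciphers`. The context line `replacement: openpvpn_compression` also misspells `openvpn_compression`, which makes that hint misleading to the user who triggers it; it predates this commit.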
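Review bot: In tasks/authentication/ldap.yml the destination becomes `'{{ openvpn_ldap_config }}'` while the file keeps `mode: 0o644`, and with this commit it is rendered from `openvpn_ldap_bind_dn`/`openvpn_ldap_bind_password`, so the LDAP bind credential is readable by every local account. The plugin is loaded by the OpenVPN process at startup, which happens before it drops to `openvpn_user`, so root-owned `mode: 0o600` should be sufficient; worth confirming against the plugin's read path. Adding `no_log: true` to the template task would also keep the rendered diff out of verbose logs.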
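Review bot: The new `dest` in tasks/core/clients.yml uses `{{ item }}` while the context lines below keep `loop_control: loop_var: _openvpn__client`, so `item` is not defined in this task; the removed line correctly used `_openvpn__client`. Every client config then fails to template, or, if an enclosing loop happens to define `item`, all clients are written to one unexpected filename. Change it to `dest: "{{ openvpn_client_config_dir }}/{{ _openvpn__client }}.ovpn"`.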
@@ -17,14 +17,14 @@ {{ openvpn_keydir }}/issued/{{ _openvpn__client }}.crt {{ openvpn_keydir }}/private/{{ _openvpn__client }}.key {{ _openvpn__client }}.ovpn - {{ openvpn_keydir }}/ca.crt + {{ openvpn_ca_certs_file }} {{ openvpn_tls_key if openvpn_tls_auth else '' }} loop: "{{ openvpn_clients }}" loop_control: loop_var: _openvpn__client index_var: index args: - chdir: "{{ openvpn_etcdir }}/ovpns/" + chdir: "{{ openvpn_client_config_dir }}" when: openvpn_clients_changed.results[index] is changed - name: Download client credentials diff --git a/tasks/core/configure.yml b/tasks/core/configure.yml index ccee69f..51bbe10 100644 --- a/tasks/core/configure.yml +++ b/tasks/core/configure.yml @@ -15,8 +15,8 @@ - name: Configure server template: src: server.conf.j2 - dest: "{{ openvpn_etcdir }}/server.conf" mode: 0o644 + dest: "{{ openvpn_config_file }}" notify: openvpn restart # Needed by both tls-authentication tasks and client-configuration tasks. Placed @@ -24,6 +24,6 @@ # client-config tasks are located. - name: Create client configuration directory file: - path: "{{ openvpn_etcdir }}/ovpns" + path: "{{ openvpn_client_config_dir }}" state: directory mode: 0o755 diff --git a/tasks/core/install/Debian.yml b/tasks/core/install/Debian.yml index 80f5810..371c4b2 100644 --- a/tasks/core/install/Debian.yml +++ b/tasks/core/install/Debian.yml @@ -32,7 +32,7 @@ vars: dependencies: - libpam-pwdfile - - python-passlib + - python3-passlib - name: Install LDAP dependencies apt: diff --git a/tasks/core/read-client-files.yml b/tasks/core/read-client-files.yml index 6f2cae9..c582fec 100644 --- a/tasks/core/read-client-files.yml +++ b/tasks/core/read-client-files.yml 
@@ -1,13 +1,13 @@ --- - name: Read CA file - command: cat "{{ openvpn_keydir }}/ca.crt" + command: cat "{{ openvpn_ca_certs_file }}" no_log: true register: openvpn_read_ca_file_results changed_when: false - name: Read TLS-auth key slurp: - src: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + src: "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}" no_log: true register: openvpn_read_tlsauth_file_results changed_when: false diff --git a/tasks/service.yml b/tasks/service.yml index a4507bb..1cec747 100644 --- a/tasks/service.yml +++ b/tasks/service.yml @@ -1,7 +1,7 @@ --- -- name: Ensure OpenVPN is started +- name: Ensure OpenVPN is started ({{ openvpn_service_name or penvpn_service }}) service: - name: "{{ openvpn_service }}" + name: "{{ openvpn_service_name or penvpn_service }}" state: started enabled: true diff --git a/templates/authentication/auth-ldap.conf.j2 b/templates/authentication/auth-ldap.conf.j2 index 5d49641..b7df892 100644 --- a/templates/authentication/auth-ldap.conf.j2 +++ b/templates/authentication/auth-ldap.conf.j2 @@ -5,7 +5,7 @@ # - ldap://ldapserver.example.org # - ldaps://ldapserver.example.org URL {% if openvpn_ldap_server | regex_search('(^\w+:\/\/.+$)') %}{{ openvpn_ldap_server }}{% else %}ldap://{{ openvpn_ldap_server }}{% endif %} - + # Bind DN (If your LDAP server doesn't support anonymous binds) # e.g. cn=administrator,cn=users,dc=ctc,dc=local @@ -44,11 +44,14 @@ BaseDN {{ openvpn_ldap_base_dn }} # e.g. "sAMAccountName=%u" SearchFilter {{ openvpn_ldap_search_filter }} + PasswordIsCR {{ openvpn_ldap_password_is_cr }} RequireGroup true + {% if openvpn_ldap_group_search_filter %} - BaseDN {{ openvpn_ldap_base_dn }} + BaseDN {{ openvpn_ldap_group_base_dn | default(openvpn_ldap_base_dn) }} # e.g. "cn=OpenVPNUsers" SearchFilter {{ openvpn_ldap_group_search_filter }} MemberAttribute Member + {% endif %} diff --git a/templates/client.conf.j2 b/templates/client.conf.j2 index fe6383a..07eecc7 100644 --- a/templates/client.conf.j2 
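Review bot: In the last hunk of templates/authentication/auth-ldap.conf.j2, `default(openvpn_ldap_base_dn)` only applies when `openvpn_ldap_group_base_dn` is undefined, and defaults/main.yml in this diff now defines it as a bare null key, so the fallback never triggers and the group block renders an empty or literal `None` BaseDN depending on how null is templated. Use the boolean second argument so empty and null values also fall back: `BaseDN {{ openvpn_ldap_group_base_dn | default(openvpn_ldap_base_dn, true) }}`. The `{% if openvpn_ldap_group_search_filter %}` block is fully inside the hunk.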
+++ b/templates/client.conf.j2 @@ -15,8 +15,8 @@ dev {{ openvpn_client_dev }} # server. proto {{ openvpn_proto }} -{% if openvpn_ncp_ciphers | length %} -ncp-ciphers {{ openvpn_ncp_ciphers }} +{% if openvpn_data_ciphers | length %} +data-ciphers {{ openvpn_data_ciphers }} {% endif %} # The hostname/IP and port of the server. You can have multiple remote entries diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index ceb9892..45bdf06 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -19,8 +19,8 @@ proto {{ openvpn_proto }} port-share 127.0.0.1 {{ openvpn_portshare }} {% endif %} -{% if openvpn_ncp_ciphers | length %} -ncp-ciphers {{ openvpn_ncp_ciphers }} +{% if openvpn_data_ciphers | length %} +data-ciphers {{ openvpn_data_ciphers }} {% endif %} # "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet @@ -43,9 +43,9 @@ dev {{ openvpn_dev }} # # Any X509 key management system can be used. OpenVPN can also use a PKCS #12 # formatted key file (see "pkcs12" directive in man page). -ca {{ openvpn_keydir }}/ca.crt -cert {{ openvpn_keydir }}/issued/server.crt -key {{ openvpn_keydir }}/private/server.key # This file should be kept secret +ca {{ openvpn_ca_certs_file }} +cert {{ openvpn_server_cert_file }} +key {{ openvpn_server_key_file }} # This file should be kept secret # Diffie hellman parameters. Generate your own with: openssl dhparam -out # dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys. @@ -53,7 +53,7 @@ dh {{ openvpn_keydir }}/dh.pem {% if openvpn_tls_auth -%} # Use a static pre-shared key (PSK) -tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0 +tls-auth {{ openvpn_client_config_dir }}/{{ openvpn_tls_key }} 0 tls-server {% endif %} 
@@ -161,12 +161,12 @@ client-to-client {% endif %} {% if openvpn_use_pam %} -client-cert-not-required +verify-client-cert none plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn {% endif %} {% if openvpn_use_ldap %} -plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf" +plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "{{ openvpn_ldap_config }}" {% endif %} {% if openvpn_simple_auth and openvpn_simple_auth_password %} diff --git a/vars/os/Debian.bullseye.yml b/vars/os/Debian.bullseye.yml new file mode 100644 index 0000000..267e8bc --- /dev/null +++ b/vars/os/Debian.bullseye.yml @@ -0,0 +1,10 @@ +--- + +openvpn_use_pam_plugin_distribution: + /usr/lib/openvpn/openvpn-plugin-auth-pam.so + +openvpn_use_ldap_plugin_distribution: + /usr/lib/openvpn/openvpn-auth-ldap.so + +openvpn_service: + "{{ 'openvpn@server' if ansible_service_mgr == 'systemd' else 'openvpn' }}"
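Review bot: `verify-client-cert none` is the right replacement for `client-cert-not-required`, but its meaning deserves a comment in the template because it is easy to misread: with `none` the server performs no client certificate check at all, so on the PAM path the username/password is the sole client authentication factor. Suggest a Jinja comment above it: `{# PAM path: no client certificate is checked, the password is the only factor; 'optional' still verifies a cert when one is presented #}`. The enclosing `{% if openvpn_use_pam %}` block is fully inside the hunk.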