From 8c9180388f8bd80dd15d28943460da23bb5810ac Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Tue, 13 Oct 2020 13:20:33 +0200
Subject: [PATCH 1/8] remove execve from script-security 3

---
 templates/server.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 3b5f910..781b3dc 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -172,7 +172,7 @@ plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution
 
 {% if openvpn_simple_auth and openvpn_simple_auth_password %}
 auth-user-pass-verify auth-client.sh via-env
-script-security 3 execve
+script-security 3
 {% endif %}
 
 {% for option in openvpn_server_options %}

From fefb0f6b6a04b996e5a79a28b9478a5c9e65363f Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Tue, 13 Oct 2020 13:20:52 +0200
Subject: [PATCH 2/8] fix when

---
 tasks/authentication/simple.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tasks/authentication/simple.yml b/tasks/authentication/simple.yml
index 654694f..0ddc6ff 100644
--- a/tasks/authentication/simple.yml
+++ b/tasks/authentication/simple.yml
@@ -5,7 +5,8 @@
     src: authentication/auth-client.sh.j2
     dest: "{{ openvpn_etcdir }}/auth-client.sh"
     mode: 0o755
-    when:
-      - openvpn_simple_auth | bool
-      - openvpn_simple_auth_password | bool
+    #when:
+    # - openvpn_simple_auth | bool
+    # - openvpn_simple_auth_password | bool
+    when: openvpn_simple_auth and openvpn_simple_auth_password
     notify: openvpn restart

From 200e6017787d30fc220b9a94bbe27ed273228fce Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Thu, 15 Oct 2020 19:07:24 +0200
Subject: [PATCH 3/8] The option client-cert-not-required is deprecated with openvpn 2.4 and will be removed in openvpn 2.5. This is replaced with verify-client-cert none now

---
 templates/server.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 781b3dc..8c1a6f2 100644
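Review bot: `script-security 3` is the broadest script-security level and is needed here only because the preceding `auth-user-pass-verify auth-client.sh via-env` hands the user's password to the script through environment variables, where any process the server spawns can read it; `auth-user-pass-verify auth-client.sh via-file` would allow `script-security 2` and keep the password out of the environment, provided auth-client.sh is adapted to read the two-line credentials file. This template also emits `script-security 2` higher up (it shows as the function context of the keepalive hunk in patch 6), so with simple auth enabled the directive appears twice and, as far as I know, the last occurrence wins; a comment such as `# via-env needs level 3; this overrides the script-security 2 above` would make the override intentional. Removing the deprecated `execve` method argument is fine as far as I can tell; current versions no longer rely on it.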
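Review bot: The three `#when:` lines are dead YAML and should be deleted rather than left above the new condition; git history already preserves the old form. The rewrite is right in substance: `openvpn_simple_auth_password | bool` turns any real password string into `false` (the `bool` filter only accepts yes/true/on/1-style tokens), so the auth-client.sh template was never deployed, and that reasoning is worth a one-line comment, e.g. `# plain truthiness: the password is a string, '| bool' is false for any real value`. The enclosing task starts before this hunk.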
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -162,7 +162,8 @@ client-to-client
 {% endif %}
 
 {% if openvpn_use_pam %}
-client-cert-not-required
+# client-cert-not-required ## Removed in openvpn 2.5
+verify-client-cert none
 plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
 {% endif %}
 

From 3076c55b2f08f23c26e641c8b1f7cce3ad295dfd Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Sat, 24 Oct 2020 14:24:05 +0200
Subject: [PATCH 4/8] deprecated openvpn config options to new options

---
 templates/client.conf.j2 | 6 +++---
 templates/server.conf.j2 | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
index 2881f6c..df43110 100644
--- a/templates/client.conf.j2
+++ b/templates/client.conf.j2
@@ -67,7 +67,7 @@ key {{client}}.key
 # To use this feature, you will need to generate your server certificates with
 # the nsCertType field set to "server". The build-key-server script in the
 # easy-rsa folder will do this.
-ns-cert-type server
+remote-cert-tls server
 
 {% if openvpn_tls_auth and not openvpn_unified_client_profiles -%}
 # Use a static pre-shared key (PSK)
@@ -77,9 +77,9 @@ tls-auth {{openvpn_tls_key}} 1
 # Enable compression on the VPN link. Don't enable this unless it is also
 # enabled in the server config file.
 {% if openvpn_comp_lzo -%}
-comp-lzo
+compress lzo
 {% else -%}
-;comp-lzo
+;compress lzo
 {% endif %}
 
 # Set log file verbosity.
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 8c1a6f2..142f657 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -111,9 +111,9 @@ keepalive {{ openvpn_keepalive }}
 # Enable compression on the VPN link. If you enable it here, you must also
 # enable it in the client config file.
 {% if openvpn_comp_lzo -%}
-comp-lzo
+compress lzo
 {% else -%}
-;comp-lzo
+;compress lzo
 {% endif %}
 
 # The persist options will try to avoid accessing certain resources on restart
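Review bot: `verify-client-cert none` is only understood by OpenVPN 2.4 and later, so the PAM branch of this template now fails to parse on hosts still running 2.3; `compress lzo` in the two compression hunks of patch 4 carries the same 2.4 floor, while `remote-cert-tls` there is much older and fine. Unless the role already pins a minimum version, state it (README, or a template comment `# requires OpenVPN >= 2.4`) or keep the old directive behind a version check. The security posture is unchanged, but the comment being added should say what the directive means rather than only noting the removal: `# No client certificate is checked in the PAM branch; PAM is the sole authentication factor`.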
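Review bot: The three comment lines above `remote-cert-tls server` still tell the operator to set the nsCertType field, but `remote-cert-tls server` checks the server certificate's key usage and extended key usage (TLS Web Server Authentication) instead, so certificates issued with only an nsCertType extension may now be rejected by clients. Replace the comment with something like `# Require the server cert to carry the serverAuth extendedKeyUsage (replaces the removed ns-cert-type check)` and confirm that the role's certificate generation sets that EKU; I believe easy-rsa 3 does by default, older build-key-server scripts may not.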
From f6c02ac3fe681d795a0a52de42fb149c222f2344 Mon Sep 17 00:00:00 2001
From: Michele Salerno
Date: Sun, 29 Nov 2020 15:03:21 +0100
Subject: [PATCH 5/8] Update main.yml

---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index dc495d5..0e248f6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -141,7 +141,7 @@ openvpn_client_to_client: true
 # `openvpn_client_to_client`).
 openvpn_client_to_client_via_ip: false
 
-openvpn_ccd: /etc/openvpn/ccd/
+openvpn_ccd: /etc/openvpn/ccd
 # The ccd (clients configuration directory). This will contain files with
 # configuration directives that the server will apply per connecting client.
 

From 47e50077074597e4a479b92052a6d98eeddd64a4 Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Mon, 30 Nov 2020 16:03:21 +0100
Subject: [PATCH 6/8] add tls-min and tls-max

---
 defaults/main.yml | 2 ++
 templates/client.conf.j2 | 7 +++++++
 templates/server.conf.j2 | 15 +++++++++------
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 0e248f6..1117e61 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -184,6 +184,8 @@ openvpn_simple_auth_password: ""
 # Enable HMAC signature to TLS handshakes
 openvpn_tls_auth: false
 openvpn_tls_key: "ta.key"
+openvpn_tls_version_min: [] #example: 1.2
+openvpn_tls_version_max: [] #example: 1.2 or 1.3
 # }}}
 # Scripting {{{
 # A list of directories that the role should create and that should be
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
index df43110..813f461 100644
--- a/templates/client.conf.j2
+++ b/templates/client.conf.j2
@@ -47,6 +47,7 @@ persist-tun
 
 {{ openvpn_client_keys_output |default([{'item':client,'stdout':''}])|selectattr('item', 'match', client)|map(attribute='stdout')|list|first }}
 
+
 {% if openvpn_tls_auth %}
 key-direction 1
 
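Review bot: `openvpn_tls_version_min: []` is an empty list, and because a role default is always defined, the `is defined` guards added to client.conf.j2 and server.conf.j2 in the hunks that follow are always true and render `tls-version-min []`, which OpenVPN will not parse. Default both variables to an empty string and test truthiness in the templates (`{% if openvpn_tls_version_min -%}`), or ship real values as patch 8 eventually does. The trailing `#example:` comments should also say what the setting does, e.g. `# Lowest TLS version accepted for the control channel, e.g. "1.2"; leave empty for OpenVPN's default`.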
@@ -72,6 +73,12 @@ remote-cert-tls server
 {% if openvpn_tls_auth and not openvpn_unified_client_profiles -%}
 # Use a static pre-shared key (PSK)
 tls-auth {{openvpn_tls_key}} 1
+{% if openvpn_tls_version_min is defined -%}
+tls-version-min {{ openvpn_tls_version_min }}
+{% endif %}
+{% if openvpn_tls_version_max is defined -%}
+tls-version-max {{ openvpn_tls_version_max }}
+{% endif %}
 {% endif %}
 
 # Enable compression on the VPN link. Don't enable this unless it is also
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index 142f657..aacb639 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -54,15 +54,21 @@ dh {{ openvpn_keydir }}/dh.pem
 # Use a static pre-shared key (PSK)
 tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0
 tls-server
+{% if openvpn_tls_version_min is defined -%}
+tls-version-min {{ openvpn_tls_version_min }}
+{% endif %}
+{% if openvpn_tls_version_max is defined -%}
+tls-version-max {{ openvpn_tls_version_max }}
+{% endif %}
 {% endif %}
 
-# Client configuration directory.
 {% if openvpn_ccd is defined -%}
+# Client configuration directory.
 client-config-dir {{ openvpn_ccd }}
 {% endif %}
 
-# Which VPN topology to use? (net30, subnet, p2p)
 {% if openvpn_topology is defined -%}
+# Which VPN topology to use? (net30, subnet, p2p)
 topology {{ openvpn_topology }}
 {% endif %}
 
@@ -100,11 +106,11 @@ script-security 2
 # the same virtual IP address from the pool that was previously assigned.
 ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
 
+{% if openvpn_keepalive != '' %}
 # The keepalive directive causes ping-like messages to be sent back and forth
 # over the link so that each side knows when the other side has gone down. Ping
 # every 10 seconds, assume that remote peer is down if no ping received during
 # a 120 second time period.
-{% if openvpn_keepalive != '' %}
 keepalive {{ openvpn_keepalive }}
 {% endif %}
 
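Review bot: The six new `tls-version-min`/`tls-version-max` lines sit inside the `{% if openvpn_tls_auth ... %}` block here, and inside the matching tls-auth block of the server.conf.j2 hunk below (after `tls-server`), so the TLS version floor is emitted only when the static HMAC key is enabled; with the role default `openvpn_tls_auth: false`, an operator who sets `openvpn_tls_version_min` gets no `tls-version-min` at all. The directives are independent of tls-auth, so move them after that block's `{% endif %}` in both templates; on the client side that also covers unified profiles, which the current placement excludes. The `is defined` tests are inert because defaults/main.yml defines both variables; test for a non-empty value instead.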
@@ -160,17 +166,14 @@ group nogroup
 {% if openvpn_client_to_client %}
 client-to-client
 {% endif %}
-
 {% if openvpn_use_pam %}
 # client-cert-not-required ## Removed in openvpn 2.5
 verify-client-cert none
 plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
 {% endif %}
-
 {% if openvpn_use_ldap %}
 plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf"
 {% endif %}
-
 {% if openvpn_simple_auth and openvpn_simple_auth_password %}
 auth-user-pass-verify auth-client.sh via-env
 script-security 3

From 5744279e13e91370be882512a64a14c5b34b14d1 Mon Sep 17 00:00:00 2001
From: MikyTux
Date: Mon, 30 Nov 2020 23:23:16 +0100
Subject: [PATCH 7/8] add new wars: tls_key ta.key, tls-version min and max, mute-replay-warnings, auth digest

---
 defaults/main.yml | 5 +++++
 templates/server.conf.j2 | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 1117e61..5e9ebb7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -163,6 +163,8 @@ openvpn_ccd_configs: []
 openvpn_client_conf_template: client.conf.j2
 # }}}
 # Authentication {{{
+openvpn_auth_digest_algorithm: SHA1
+
 # Use PAM authentication
 openvpn_use_pam: true
 openvpn_use_pam_users: []
@@ -186,6 +188,9 @@ openvpn_tls_auth: false
 openvpn_tls_key: "ta.key"
 openvpn_tls_version_min: [] #example: 1.2
 openvpn_tls_version_max: [] #example: 1.2 or 1.3
+
+# Silence the output of replay warnings, which are a common false alarm on WiFi networks
+openvpn_mute_replay_warnings: false
 # }}}
 # Scripting {{{
 # A list of directories that the role should create and that should be
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index aacb639..005ca05 100644
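Review bot: `openvpn_auth_digest_algorithm: SHA1` is OpenVPN's own default, so nothing is weakened, but a bare `SHA1` in defaults reads as the role's recommendation and has no comment while every neighbouring setting does; add `# HMAC digest for tls-auth and the non-AEAD data channel; SHA1 is OpenVPN's default, prefer SHA256 for new deployments` above it. The `#example:` style used for the tls-version variables two lines later would work here too, since the accepted values are OpenSSL digest names.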
@@ -18,6 +18,10 @@ proto {{ openvpn_proto }}
 # Port sharing
 port-share 127.0.0.1 {{ openvpn_portshare }}
 {% endif %}
+{% if openvpn_auth_digest_algorithm is defined -%}
+# Auth Digest
+auth {{ openvpn_auth_digest_algorithm }}
+{% endif %}
 
 # Encrypt packets with cipher algorithm
 cipher {{ openvpn_cipher }}
@@ -163,6 +167,12 @@ group {{openvpn_group}}
 group nogroup
 {% endif %}
 
+{% if openvpn_mute_replay_warnings %}
+# Silence the output of replay warnings, which are a common false alarm on WiFi networks
+mute-replay-warnings
+{% endif %}
+
+
 {% if openvpn_client_to_client %}
 client-to-client
 {% endif %}

From 14189dfcfa7a2aabced65f4c08ae7f3a7422de6d Mon Sep 17 00:00:00 2001
From: Michele Salerno
Date: Mon, 7 Jun 2021 20:00:02 +0200
Subject: [PATCH 8/8] add default values for openvpn_tls_version_min and openvpn_tls_version_max

---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 5e9ebb7..5d6c7a5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -186,8 +186,8 @@ openvpn_simple_auth_password: ""
 # Enable HMAC signature to TLS handshakes
 openvpn_tls_auth: false
 openvpn_tls_key: "ta.key"
-openvpn_tls_version_min: [] #example: 1.2
-openvpn_tls_version_max: [] #example: 1.2 or 1.3
+openvpn_tls_version_min: "1.2" #example: 1.2
+openvpn_tls_version_max: "1.3" #example: 1.2 or 1.3
 
 # Silence the output of replay warnings, which are a common false alarm on WiFi networks
 openvpn_mute_replay_warnings: false
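Review bot: `auth {{ openvpn_auth_digest_algorithm }}` is written only into the server configuration; client.conf.j2 is not touched anywhere in this series, and as far as I know the `auth` digest is not negotiated between peers the way the cipher is, so a server set to anything other than the default SHA1 will fail the tls-auth HMAC check against the profiles this role generates. Add the same guarded `auth` line to client.conf.j2 in the same commit. The `is defined` guard is always true for a role default, so drop it or test for a non-empty value, and `# Auth Digest` would be more useful as `# HMAC digest for the control channel (tls-auth) and the non-AEAD data channel; must match the clients`.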
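Review bot: With `"1.2"` and `"1.3"` as defaults the templates' `is defined` guards are always true, so `tls-version-min 1.2` and `tls-version-max 1.3` are now emitted unconditionally (still only inside the tls-auth block), and `tls-version-max 1.3` is, as far as I recall, rejected at startup by OpenVPN builds whose OpenSSL predates TLS 1.3 (1.1.1). A maximum exists for compatibility work-arounds, so leave `openvpn_tls_version_max` empty by default and render each directive only when the variable is non-empty (`{% if openvpn_tls_version_max -%}`). Keep 1.2 as the minimum and say why: `# Minimum TLS version for the control channel; 1.2 rejects TLS 1.0/1.1 clients`.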