Diffstat (limited to 'roles/openvpn')
-rw-r--r--roles/openvpn/README12
-rw-r--r--roles/openvpn/defaults/main.yml15
-rw-r--r--roles/openvpn/files/ca/ca.crt22
-rw-r--r--roles/openvpn/files/ca/ca.key50
-rw-r--r--roles/openvpn/files/keys/dh1024.pem18
-rw-r--r--roles/openvpn/files/openvpn_logrotate.conf9
-rw-r--r--roles/openvpn/handlers/main.yml12
-rw-r--r--roles/openvpn/tasks/config.yml28
-rw-r--r--roles/openvpn/tasks/keys.yml13
-rw-r--r--roles/openvpn/tasks/main.yml62
-rw-r--r--roles/openvpn/templates/katrin/ccd.j22
-rw-r--r--roles/openvpn/templates/katrin/ccd/ikkatrinadei.ka.fzk.de.j23
-rw-r--r--roles/openvpn/templates/katrin/ccd/ipechilinga4.ka.fzk.de.j21
-rw-r--r--roles/openvpn/templates/katrin/openvpn_client.j224
-rw-r--r--roles/openvpn/templates/katrin/openvpn_server.j226
15 files changed, 297 insertions, 0 deletions
diff --git a/roles/openvpn/README b/roles/openvpn/README
new file mode 100644
index 0000000..9c64b0d
--- /dev/null
+++ b/roles/openvpn/README
@@ -0,0 +1,12 @@
+Dependencies:
+ - Runs on all OpenShift nodes
+
+Parameters:
+ - ands_openshift_lb: The load balancer which OpenVPN clients (non-master nodes) will be using to get into the network
+
+Facts:
+
+Actions:
+ - Sets up and configures OpenVPN servers & clients
+ - Opens firewall port
+
diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
new file mode 100644
index 0000000..513936a
--- /dev/null
+++ b/roles/openvpn/defaults/main.yml
@@ -0,0 +1,15 @@
+openvpn_port: 1194
+openvpn_dir: "/etc/openvpn"
+openvpn_config: "katrin"
+openvpn_config_file: "{{openvpn_dir}}/{{openvpn_config}}.conf"
+openvpn_keydir: "{{openvpn_dir}}/keys_{{openvpn_config}}"
+openvpn_ccdir: "{{openvpn_dir}}/ccd_{{openvpn_config}}"
+openvpn_service: "openvpn@{{openvpn_config}}.service"
+
+openvpn_lb: "{{ ands_openshift_lb }}"
+openvpn_servers: "masters"
+
+
+openvpn_server_id: "{{ (openvpn_servers in group_names) | ternary(groups[openvpn_servers].index((openvpn_servers in group_names) | ternary(inventory_hostname, groups[openvpn_servers][0])), -1) }}"
+openvpn_subnet_id: "{{ (katrin_openvpn_subnet_offset | int) + (openvpn_server_id | int) }}"
+openvpn_net: "{{ katrin_openvpn_network | ipsubnet(katrin_openvpn_subnet_bits, openvpn_subnet_id) }}"
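Review bot: The `openvpn_server_id` expression evaluates `openvpn_servers in group_names` twice and nests two `ternary` calls to express a simple branch; a Jinja conditional says the same in one pass, `openvpn_server_id: "{{ groups[openvpn_servers].index(inventory_hostname) if openvpn_servers in group_names else -1 }}"`. For hosts that are not in `openvpn_servers` the `-1` still flows into `openvpn_subnet_id` and `openvpn_net`, so a client gets subnet `offset - 1` computed for it even though only the server-side templates in this commit read `openvpn_net`. A comment on `openvpn_net` such as `# only meaningful on hosts in openvpn_servers; clients get an unused offset-1 subnet` would save the next reader that trace.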
diff --git a/roles/openvpn/files/ca/ca.crt b/roles/openvpn/files/ca/ca.crt
new file mode 100644
index 0000000..a37743b
--- /dev/null
+++ b/roles/openvpn/files/ca/ca.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/openvpn/files/ca/ca.key b/roles/openvpn/files/ca/ca.key
new file mode 100644
index 0000000..f1df0c4
--- /dev/null
+++ b/roles/openvpn/files/ca/ca.key
@@ -0,0 +1,50 @@
+$ANSIBLE_VAULT;1.1;AES256
+66303364323939633166383539303539333162653336313339616434663839353333613063623262
+6564343033366235336230326161636661393638353336320a646631393037333838633831616532
+33653431326435636135643835613738333634636566373131323634633730343836353562633464
+3561313137613166660a613534623665646637386161633031393461343762663930633634616634
+33366532313537643035623239616137616561633366303132633430636234333534383563663236
+37346239353437333362663862626334383866623338653061326632646363383563356264336665
+65383962646131393165613838623661613865343165396135633761646137306436303266336634
+63356239373032303261353937393664663265396161366163356463633539393635643762366165
+66626230386662353361646663343464643534313332323565386230613463666238356261353730
+35663337626164333233323437393432336535383437653036643338363662313138363037323666
+61343061626262316461613838653834303764623733393131303035346336393333656233383666
+32666235356231663838386530306333383463616362303563363164343230383066303732666533
+38666435313437636132393836313630323839333237623130646366363633393939646261653763
+31313634313134623639303134653264646638666563366334366235653339303031313262346465
+39613934623461393438613363376566646432313931333731333939373966316464373137363431
+62626134303730613736316263616133323863616565326463656562656462316636613933393934
+65303761343762626232633634373233386334643334613337306562613938656136303837616637
+36643363386166373432306236333438663536303065363961613236366465356232303331376233
+32656637373235643839623539633761653164323230363763383737303566326239623530633962
+30616230363434363439383838633765633632663963323337393430643966616663383662643838
+32636465363130366232643933323066383965643032643537616531306239616662633932653866
+64363939343935323137356433373538613930653332303834386436386331313334333031376533
+39346130646439326531356239376531343730656232393331313633363765316439336565353331
+61316266356161366534636138363161643363666266616662306130353334323636363062393539
+65633565333037393264346265303461333734623233306563643732613432623330623232393637
+37323635323432343738376462646639313239313465383661353763306437373939353737356437
+30323037656231653534316665633431343137666665303831346139626539316561303739633339
+61666564643766343061623031666563663962626533313264323435343734343533656430636230
+34386634613739393433306361643634646266626462626333323936306234393430343331313366
+36363537373735613235383164343764643532316561616530306636636431386336323531306639
+66376435636339613963346463653162373137393531373031316635323561393239633661383035
+62343464336639643463633766396263623966613031633666336666333233316530363961336263
+62346334303363323437356535356665393065313665663566336661356334633637646561646135
+66656664303239336263313765623836393937303937343431666234343064636533363463396434
+35366333393738373063633834323038353065616364383234326531303666643139663431613437
+38623332333733356434636462643162396137623138663132336131306137623866346339623261
+32373139376636303636643766343864666263383239316437643533303463383866643830646563
+39353138623435633162663932313130303161656462316237353766313465646332326139653066
+33333138626665363766616630333166636530663163366163373432646463303838316134306463
+39383066396237313132636339656166353336386636373336366238623965643139646138376532
+39666235353662663439353263343834653734616337623938643137396134303835363662316263
+32636337303134383737343238643736373565366462313963353434623935616537613064613931
+33656337653866376630316134326431343139306661383162373163353966633565653336643738
+65653630373638616232663966613330303133366166383135366432353865636534633733343561
+64336631653833356639316135343437343631373831666265643763363262633966656337613535
+33613432323431646334633866626633343062656532666234316565396363346332306632303861
+37393739323835363462363362333966393732643565396532613734313938643737666365376236
+63343062303563393061613436623737303634393365306563363563616665336263326337636464
+3739
diff --git a/roles/openvpn/files/keys/dh1024.pem b/roles/openvpn/files/keys/dh1024.pem
new file mode 100644
index 0000000..39e2099
--- /dev/null
+++ b/roles/openvpn/files/keys/dh1024.pem
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+38326437373461343039653963383935386135613432376662636163636131656139393365616237
+6239376630626666303034353733383534666438636439640a663935663538366439363165613436
+35616530653061633137343034616633383833626438353131663264333565343635373239643864
+6233623239383637640a363637316237346561376264336534633563613462633464376238623165
+64653165666663663434316638633238313963383931326138396335613931306233343062346337
+65323438656461366132663266336637306435663064306636333631613135356635636136316665
+63343265616261653635303063346161613639636262363835623161626264636139326139366234
+61656336326434303038633532353334356165623438353637653162323462383962666536353938
+33633163343165353634393965663636306630623536343431633866633932666539656666626339
+38386131346365373237346230653962363639373337313130383263636130626133623838383936
+38326433666237393261616162306365336530383232343430613535356261323761626337386633
+64623637333763653462383635333035623164396130383066313238623633356665663937366563
+61333138393537653766346637656261373762636330386263333337633563356263326561313835
+30333931333966333235333732613931346538346237626664616439643737653032376363343662
+35643462646562393934316534386134663566633037613131326434323933373839653963663730
+61356166616566643665666330343039313630646438363239303039653537646566646461313530
+3566
diff --git a/roles/openvpn/files/openvpn_logrotate.conf b/roles/openvpn/files/openvpn_logrotate.conf
new file mode 100644
index 0000000..7dac758
--- /dev/null
+++ b/roles/openvpn/files/openvpn_logrotate.conf
@@ -0,0 +1,9 @@
+/var/log/openvpn.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ sharedscripts
+ copytruncate
+ delaycompress
+}
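Review bot: The path `/var/log/openvpn.log` on the first line matches nothing the role writes: both templates log to `/var/log/openvpn_{{openvpn_config}}.log` and `/var/log/openvpn_{{openvpn_config}}_status.log`, so with `missingok` this configuration silently rotates nothing and the real log grows without bound. A glob covering the rendered names, `/var/log/openvpn_*.log {`, fixes it. tasks/main.yml installs this file with `mode="0400"`; logrotate runs as root so it still works, but `0644` is the convention for `/etc/logrotate.d` and avoids surprising anyone inspecting the directory.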
diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml
new file mode 100644
index 0000000..befbcf5
--- /dev/null
+++ b/roles/openvpn/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: daemon-reload
+ command: systemctl daemon-reload
+
+- name: openvpn
+ service: name="{{openvpn_service}}" state=restarted
+
+- name: firewalld
+ shell: firewall-cmd --reload
+
+
+ \ No newline at end of file
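Review bot: The `firewalld` handler uses `shell:` for a command that needs no shell features; `command: firewall-cmd --reload` avoids the extra shell layer and is the idiomatic choice. The `daemon-reload` handler could likewise use `systemd: daemon_reload=yes` instead of a raw `systemctl` call so it reports changes like the other service tasks. The trailing whitespace-only line and the missing final newline should be dropped.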
diff --git a/roles/openvpn/tasks/config.yml b/roles/openvpn/tasks/config.yml
new file mode 100644
index 0000000..67fdfa1
--- /dev/null
+++ b/roles/openvpn/tasks/config.yml
@@ -0,0 +1,28 @@
+- name: create openvpn configuration directory
+ file: path="{{openvpn_dir}}" state=directory
+
+- name: create openvpn key directory
+ file: path="{{openvpn_keydir}}" state=directory
+
+- name: create openvpn client config directory
+ file: path="{{openvpn_ccdir}}" state=directory
+ when: openvpn_servers in group_names
+
+- name: copy templates
+ template: src="{{item}}" dest="{{openvpn_ccdir}}/{{ item | basename | regex_replace('\.j2','') }}" owner=root group=root mode="0644"
+ with_fileglob:
+ - ../templates/{{ openvpn_config }}/ccd/*
+ when: openvpn_servers in group_names
+
+- name: generate cluster templates
+ template: src="{{ openvpn_config }}/ccd.j2" dest="{{openvpn_ccdir}}/{{ hostvars[item]['ansible_hostname'] }}" owner=root group=root mode="0644"
+ vars:
+ id: "{{ hostvars[item]['ands_host_id'] }}"
+ with_inventory_hostnames:
+ - nodes:!{{openvpn_servers}}
+ when: openvpn_servers in group_names
+
+- name: create openvpn config file
+ template: src="{{ openvpn_config }}/{{ (openvpn_servers in group_names) | ternary('openvpn_server.j2', 'openvpn_client.j2') }}" dest="{{ openvpn_config_file }}" owner=root group=root
+ notify:
+ - openvpn
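Review bot: `create openvpn key directory` creates `{{openvpn_keydir}}` without a `mode`, so the directory that will hold `node.key` and, transiently, `ca.key` gets default umask permissions; `file: path="{{openvpn_keydir}}" state=directory mode="0700"` keeps listing and traversal to root. In `copy templates`, `regex_replace('\.j2','')` is unanchored and would strip a `.j2` appearing anywhere in the name; `regex_replace('\.j2$','')` matches only the suffix. The static ccd files are named by FQDN (`ikkatrinadei.ka.fzk.de`) while the generated ones are named by `ansible_hostname`, and OpenVPN selects the ccd entry by the client certificate CN, which keys.yml sets to the short `ansible_hostname` — presumably the FQDN-named clients carry certificates issued elsewhere with FQDN CNs, and a comment stating that assumption would help.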
diff --git a/roles/openvpn/tasks/keys.yml b/roles/openvpn/tasks/keys.yml
new file mode 100644
index 0000000..dd9f4ec
--- /dev/null
+++ b/roles/openvpn/tasks/keys.yml
@@ -0,0 +1,13 @@
+- name: Copy CA private key
+ copy: src="ca/ca.key" dest="{{openvpn_keydir}}/" owner="root" group="root" mode="0400"
+
+- name: OpenSSL generate request
+ command: openssl req -subj '/CN={{ ansible_hostname }}' -new -keyout "node.key" -out "node.csr" -batch -nodes chdir="{{openvpn_keydir}}" creates="{{openvpn_keydir}}/node.csr"
+
+- name: Generate CA serial file
+ copy: content="01" dest="{{openvpn_keydir}}/ca.srl"
+
+- name: OpenSSL sign the request
+ command: openssl x509 -req -days 3650 -in "node.csr" -CA "ca.crt" -CAkey "ca.key" -out "node.crt" chdir="{{openvpn_keydir}}" creates="{{openvpn_keydir}}/node.crt"
+ notify:
+ - openvpn
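Review bot: `Copy CA private key` ships the CA signing key to every node so that `OpenSSL sign the request` can run locally; even though tasks/main.yml removes it afterwards, every host in the inventory holds, for the duration of the run, the key that can issue a certificate accepted by the whole VPN. Moving the signing step to the controller (fetch `node.csr`, run the `openssl x509 -req` task with `delegate_to: localhost`, copy `node.crt` back) keeps the CA key off the nodes entirely. Separately, `Generate CA serial file` writes `01` on each node before signing, so every node certificate issued by this CA carries serial 01; serials are meant to be unique per CA, and `crl-verify` identifies revoked certificates by serial, so revoking one node would revoke them all. Signing on the controller with `-CAcreateserial` against a single persistent `ca.srl` fixes both.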
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..df49976
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+- name: Ensure OpenVPN and OpenSSL are installed
+ yum: name={{item}} state=present
+ with_items:
+ - openvpn
+ - openssl
+
+- name: copy openvpn logrotate config file
+ copy: src="openvpn_logrotate.conf" dest="/etc/logrotate.d/openvpn.conf" owner="root" group="root" mode="0400"
+
+- name: Copy CA certificate and the keys
+ copy: src="{{ item }}" dest="{{openvpn_keydir}}/" owner="root" group="root" mode="0400"
+ with_fileglob:
+ - ca/ca.crt
+ - keys/*
+
+- name: Check if OpenSSL certificate is already generated
+ stat: path="{{ openvpn_keydir }}/node.crt"
+ register: result
+
+- name: setup openvpn keys
+ include: keys.yml
+ when: result.stat.exists == False
+
+- name: Ensure CA key is removed
+ file: path="{{openvpn_keydir}}/ca.key" state=absent
+
+- name: setup openvpn configuration
+ include: config.yml
+
+- name: Ensure OpenVPN service is enabled
+ service: name="{{openvpn_service}}" enabled=yes
+
+- name: Check if we already reconfigured SystemD Unit
+ stat: path={{ item }}
+ register: result
+ vars:
+ item: "/etc/systemd/system/{{openvpn_service}}"
+
+- name: Copy SystemD Unit
+ copy: src="/usr/lib/systemd/system/openvpn@.service" dest="{{ item }}" remote_src=true
+ vars:
+ item: "/etc/systemd/system/{{openvpn_service}}"
+ when: result.stat.exists == False
+
+- name: Re-configure systemd to start OpenVPN after origin-node
+ lineinfile: dest="/etc/systemd/system/{{openvpn_service}}" regexp="^After=" line="After=network.target origin-node.service" state=present
+ notify: daemon-reload
+
+- name: Ensure OpenVPN service is running
+ service: name="{{openvpn_service}}" state=started
+
+- name: Ensure firewalld is running
+ service: name=firewalld state=started enabled=yes
+ when: openvpn_servers in group_names
+
+- name: Configure firewalld
+ firewalld: port="{{openvpn_port}}/tcp" state="enabled" permanent="true" immediate="true"
+ notify:
+ - firewalld
+ when: openvpn_servers in group_names
+
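Review bot: `Ensure OpenVPN service is running` starts the unit before the `daemon-reload` handler notified by `Re-configure systemd to start OpenVPN after origin-node` has run, because handlers fire at the end of the play; on a first run the unit copied into `/etc/systemd/system` is edited but systemd may not have reread it when the service is started. A `meta: flush_handlers` task between the `lineinfile` task and the `service ... state=started` task closes that gap. The two `stat` tasks both `register: result`, which only works because the first value is consumed by `setup openvpn keys` before the second overwrites it; distinct names such as `node_crt` and `unit_file` would make that explicit. `when: result.stat.exists == False` reads more naturally as `when: not result.stat.exists`.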
diff --git a/roles/openvpn/templates/katrin/ccd.j2 b/roles/openvpn/templates/katrin/ccd.j2
new file mode 100644
index 0000000..d278648
--- /dev/null
+++ b/roles/openvpn/templates/katrin/ccd.j2
@@ -0,0 +1,2 @@
+ifconfig-push {{ openvpn_net | ipaddr(id | int) | ipaddr('address') }} {{ openvpn_net | ipaddr('netmask') }}
+push "route 192.168.110.0 255.255.255.0 {{ openvpn_net | ipaddr(181) | ipaddr('address') }}"
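Review bot: The host index `181` is a magic number repeated here, in `ikkatrinadei.ka.fzk.de.j2` and in `openvpn_server.j2` (with `90` playing the same role in `ipechilinga4.ka.fzk.de.j2`); the `push "route ..."` gateway on the second line must equal the `ifconfig-push` address given to ikkatrinadei, and nothing ties the two together. A role default such as `openvpn_katrin_gw_id: 181` used in every place, plus a comment like `# gateway for 192.168.110.0/24 is the ikkatrinadei client, host index 181`, would keep them in sync. The generated `ifconfig-push` on the first line uses `ands_host_id` as the host index, so a node whose id collides with 181 or 90 would get the same tunnel address as a static client — presumably the inventory avoids those values, which is worth stating in a comment.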
diff --git a/roles/openvpn/templates/katrin/ccd/ikkatrinadei.ka.fzk.de.j2 b/roles/openvpn/templates/katrin/ccd/ikkatrinadei.ka.fzk.de.j2
new file mode 100644
index 0000000..e1a786d
--- /dev/null
+++ b/roles/openvpn/templates/katrin/ccd/ikkatrinadei.ka.fzk.de.j2
@@ -0,0 +1,3 @@
+#ifconfig-push clientIP serverIP
+ifconfig-push {{ openvpn_net | ipaddr(181) | ipaddr('address') }} {{ openvpn_net | ipaddr('netmask') }}
+iroute 192.168.110.0 255.255.255.0
diff --git a/roles/openvpn/templates/katrin/ccd/ipechilinga4.ka.fzk.de.j2 b/roles/openvpn/templates/katrin/ccd/ipechilinga4.ka.fzk.de.j2
new file mode 100644
index 0000000..3673a0b
--- /dev/null
+++ b/roles/openvpn/templates/katrin/ccd/ipechilinga4.ka.fzk.de.j2
@@ -0,0 +1 @@
+ifconfig-push {{ openvpn_net | ipaddr(90) | ipaddr('address') }} {{ openvpn_net | ipaddr('netmask') }}
diff --git a/roles/openvpn/templates/katrin/openvpn_client.j2 b/roles/openvpn/templates/katrin/openvpn_client.j2
new file mode 100644
index 0000000..a09322e
--- /dev/null
+++ b/roles/openvpn/templates/katrin/openvpn_client.j2
@@ -0,0 +1,24 @@
+client
+remote {{openvpn_lb}} {{openvpn_port}}
+proto tcp
+dev tun
+
+topology subnet
+
+ca {{openvpn_keydir}}/ca.crt
+cert {{openvpn_keydir}}/node.crt
+key {{openvpn_keydir}}/node.key
+dh {{openvpn_keydir}}/dh1024.pem
+
+resolv-retry infinite
+keepalive 5 15
+comp-lzo
+#user nobody
+#group nobody
+persist-key
+persist-tun
+
+log /var/log/openvpn_{{openvpn_config}}.log
+status /var/log/openvpn_{{openvpn_config}}_status.log
+verb 3
+
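Review bot: The client checks only that the server certificate chains to `ca.crt`; since keys.yml issues the same kind of certificate to every node, any node's `node.crt` would be accepted as the server's. Adding `remote-cert-tls server` lets the client require a server-usage certificate, which in turn means the server certificate must be issued with the server extendedKeyUsage in keys.yml. `comp-lzo` enables tunnel compression, which the OpenVPN project recommends against since the VORACLE disclosure, and `#user nobody`/`#group nobody` are commented out, so the daemon keeps root privileges after the tunnel is up. The `dh` line is only meaningful for the TLS server side and can be dropped from the client template.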
diff --git a/roles/openvpn/templates/katrin/openvpn_server.j2 b/roles/openvpn/templates/katrin/openvpn_server.j2
new file mode 100644
index 0000000..22c200d
--- /dev/null
+++ b/roles/openvpn/templates/katrin/openvpn_server.j2
@@ -0,0 +1,26 @@
+port {{openvpn_port}}
+dev tun
+
+topology subnet
+client-to-client
+server {{ openvpn_net | ipaddr('network') }} {{ openvpn_net | ipaddr('netmask') }}
+proto tcp
+
+ca {{openvpn_keydir}}/ca.crt
+cert {{openvpn_keydir}}/node.crt
+key {{openvpn_keydir}}/node.key
+dh {{openvpn_keydir}}/dh1024.pem
+
+keepalive 10 120
+comp-lzo
+#user nobody
+#group nobody
+persist-key
+persist-tun
+client-config-dir {{openvpn_ccdir}}
+log /var/log/openvpn_{{openvpn_config}}.log
+status /var/log/openvpn_{{openvpn_config}}_status.log
+verb 3
+
+route 192.168.110.0 255.255.255.0 {{ openvpn_net | ipaddr(181) | ipaddr('address') }}
+
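Review bot: `dh {{openvpn_keydir}}/dh1024.pem` points at 1024-bit Diffie-Hellman parameters, which is below the 2048-bit floor current guidance expects for the TLS control channel; regenerate with `openssl dhparam -out dh2048.pem 2048` and update the file under `files/keys/` and the `dh` lines in both templates (DH parameters are not secret, so vaulting the new file is unnecessary). No `cipher`, `auth` or `tls-version-min` is pinned, so the data-channel algorithms fall back to whatever the installed OpenVPN defaults to; pinning `cipher AES-256-CBC` with `auth SHA256` (or `AES-256-GCM` if the installed version supports it) in both templates makes the choice explicit. `client-to-client` makes every connected node reachable from every other node through the server; if that is intended for the cluster, a comment saying so would help. The `route 192.168.110.0 ...` gateway `181` duplicates the value in the ccd templates.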