add vpn

files/test_vpn_ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFczCCA1ugAwIBAgIJAM9x76ZW4QGnMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
+BAYTAklUMRAwDgYDVQQIDAdUdXNjYW55MREwDwYDVQQHDAhGbG9yZW5jZTEOMAwG
+A1UECgwFTElMaUsxDDAKBgNVBAsMA3ZwbjAeFw0xNzAzMjYxNTU5MThaFw0xODAz
+MjYxNTU5MThaMFAxCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdUdXNjYW55MREwDwYD
+VQQHDAhGbG9yZW5jZTEOMAwGA1UECgwFTElMaUsxDDAKBgNVBAsMA3ZwbjCCAiIw
+DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANntnC79f90kiDOfR1C5toJt/Emg
+s56ajW7OtFtLPn/e/0ssKnO5eMNThs5+tYCsrZf+J/3QQUcZo77r2YFCbB9XZASv
+SNz/eFtUFQDvCtwxT6S3XmrymFd+pBgfCgC5/4qaNJGKz+HUBaVrrBWG2QnmEPJb
+ZWh45AGMla2QX7C3HmOZgMomQSQqK/kxGoOotIhBoy07pky3C8YhWthagDp5Y+wW
+Gt6RBowEPza316bQWYQcsPmVg3TOdZH4DZGnWGl2rOHcwfaYyaLPv2bdd58J2ToU
+IOhjAF8wLnU2syizeqO7zEzBInMudXxaubOOtBZUFEeKkyeq6fO7obM37nCaXDzU
+fClg/WyY3DEmGN7b/H2JUPXDpjnmX+sBZrWAUZCwnkoseaA3wqp1cigAdhNVC19q
+0Y/BhRiDNTyBC8tE0Tv5etSGog5rvFOCuoPM5psXuXUWToMOZsEZ5bMf34UF+p4C
+mx8k4eLm3NsYWndAkRQKpCVmptMBR9rW6DdChgEYM+5keI+6pIb7eTO3ndHtpY4Y
+W1IA059yA3eP1JqnqsxkvVqPBX7wr7fGUoibwZigA64w2gY4tjewocTJZrlZupqe
+hct4a/A/vRJqCQqTGSjJdbmwau0wv8N45bgQq3R2y5ERqu5/pc1n+yVrWV7KZeOb
+bXja/U2PzzYS9CdLAgMBAAGjUDBOMB0GA1UdDgQWBBR59Xeu/85H4hAhxF6bjnHs
+RBw8gzAfBgNVHSMEGDAWgBR59Xeu/85H4hAhxF6bjnHsRBw8gzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQA2z+RrzF5WRwAHAECP7cOLZr1Py7qZjMeh
+pAMxP4YUYKKPjvsEIdR9ZXDCVBt6BaiVRoUJfdhq+6idb7/sYgv3QL3wfXonMpFY
+eB9mpDcV2i7ei+VhJVUTAs+F4HBZgXvu3pdy2WRyNheMCl4NqWJj6MVLR+xRjaJ4
+G/0HxnI1/rJs3GA2baXwFFgDOa8wV8iC23yDz0mlFqjpkh3u5LAYR3Le9xL7MOdd
+G+v2whzX8DDjQskkUlvt6BqSH9OGWC3yYqSG/LDFu3HkdyCyUyBlsfh9LvAu3jvA
+GCcS7F86GaE/wroPpM34U99lI96ieTN2WC1LteLxa73TLV02JiZAVbqCRSzmf1Ti
+dDelWXTZ95dyMnytB2iECwSYrHeANfnkBh45rjvWeNPMaFOPuYbfJaag/88IJbTF
+NbDlHWbXY5TJzF9E0usNABdZ00TJWqJSGIJpnKO8iTK7wKrWS7CvRhR8GEDYRFRt
+FT1T2q/0cufBF1flTndz5g0mkoJxlV/pOCh7eKGLZYFjXSbs8pS8gWjkqmAlT5q6
+6e/Ov0gITxSYiNeLRKtBii0U7IRaVDcGS1DzF7Kve4VMKooXQyaQ0BbhpcTpxSKc
+ACnFg6fDKmdXpOM75BMAOf+j08UolT/FhAuQ+YmOeAezcMejmQX+qUb+hEh35B+0
+0F7Syw/qWg==
+-----END CERTIFICATE-----
+

firewall.yaml

@@ -0,0 +1,4 @@
+---
+- hosts: gandalf2
+  roles:
+      - role: openvpn

roles/openvpn/handlers/main.yaml

@@ -0,0 +1,3 @@
+---
+- name: reload openvpn
+  shell: '/etc/init.d/openvpn reload'

roles/openvpn/tasks/main.yaml

@@ -0,0 +1,105 @@
+- name: install openvpn-openssl package
+  opkg:
+    name: openvpn-openssl
+    state: present
+
+- name: create openvpn KEY
+  shell: 'openssl genrsa -out /etc/openvpn/openvpn.key 2048'
+  args:
+    creates: /etc/openvpn/openvpn.key
+  notify: reload openvpn
+
+
+- name: create openvpn dh2048
+  shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
+  args:
+    creates: /etc/openvpn/dh2048.pem
+  notify: reload openvpn
+
+
+- name: create CSR
+  shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ ansible_hostname }}.lilik.it" -key /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr'
+  args:
+    creates: /etc/openvpn/openvpn.csr
+  notify: reload openvpn
+
+- name: check if openvpn cert key exist
+  stat:
+    path: /etc/openvpn/openvpn.cert
+  register: openvpn_cert_key
+
+- block:
+    - name: get pub key
+      shell: "cat /etc/openvpn/openvpn.csr"
+      register: pub_key
+    - debug: var=pub_key verbosity=2
+    - name: generate host request
+      set_fact:
+        cert_request:
+          type: 'sign_request'
+          request:
+            keyType: 'ssl_host'
+            hostName: '{{ inventory_hostname }}'
+            keyData: '{{ pub_key.stdout }}'
+    - debug: var=cert_request verbosity=2
+    - name: start sign request
+      raw: "{{ cert_request | to_json }}"
+      delegate_to: "{{item}}"
+      delegate_facts: True
+      with_items: "{{groups['cas']}}"
+      register: request_result
+    - debug: var=request_result verbosity=2
+
+    - set_fact:
+          request_output: "{{ request_result.results[0].stdout|string|from_json }}"
+    - debug: var=request_output
+
+    - name: generate get request
+      set_fact:
+        get_request:
+          type: 'get_certificate'
+          requestID: '{{ request_output.requestID }}'
+    - debug: var=get_request verbosity=2
+
+    - debug: msg="Please manualy confirm sign request with id {{ request_output.requestID }}"
+
+    - name: wait for cert
+      raw: "{{ get_request | to_json }}"
+      delegate_to: "{{item}}"
+      delegate_facts: True
+      with_items: "{{groups['cas']}}"
+      register: cert_result
+
+    - debug: var=cert_result verbosity=2
+
+    - set_fact:
+          cert_key: "{{ cert_result.results[0].stdout|string|from_json }}"
+
+    - debug: var=request_output verbosity=2
+
+    - name: set pub key
+      shell: "echo '{{ cert_key.result }}' > /etc/openvpn/openvpn.cert"
+      register: set_pub_key
+  when: not openvpn_cert_key.stat.exists
+
+- name: copy vpn ca public key
+  copy:
+    src: test_vpn_ca.crt
+    dest: /etc/openvpn/ca.crt
+
+- name: write openvpn configuration
+  template:
+    dest=/etc/config/openvpn
+    src=openvpn.j2
+    owner=root
+    group=root
+    mode=0400
+  register: new_vpn_config
+  notify: reload openvpn
+
+- name: commit openvpn configuration to uci
+  shell: 'uci commit openvpn'
+  notify: reload openvpn
+  when: new_vpn_config.changed
+
+

roles/openvpn/templates/openvpn.j2

@@ -0,0 +1,16 @@
+config openvpn 'vpn'
+        option enabled '1'
+        option verb '3'
+        option port '777'
+        option proto 'tcp'
+        option dev 'tun'
+        option server '10.8.0.0 255.255.255.0'
+        option keepalive '10 120'
+        option ca '/etc/openvpn/ca.crt'
+        option cert '/etc/openvpn/openvpn.cert'
+        option key '/etc/openvpn/openvpn.key'
+        option dh '/etc/openvpn/dh2048.pem'
+        list push 'route 192.168.0.0 255.255.255.0'
+        list push 'route 192.168.1.0 255.255.255.0'
+        list push 'route 10.150.40.0 255.255.248.0'
+        list push 'route 192.168.15.2 255.255.255.255'