diff --git a/files/test_vpn_ca.crt b/files/test_vpn_ca.crt
new file mode 100644
index 0000000..339e6ca
--- /dev/null
+++ b/files/test_vpn_ca.crt
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFczCCA1ugAwIBAgIJAM9x76ZW4QGnMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV +BAYTAklUMRAwDgYDVQQIDAdUdXNjYW55MREwDwYDVQQHDAhGbG9yZW5jZTEOMAwG +A1UECgwFTElMaUsxDDAKBgNVBAsMA3ZwbjAeFw0xNzAzMjYxNTU5MThaFw0xODAz +MjYxNTU5MThaMFAxCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdUdXNjYW55MREwDwYD +VQQHDAhGbG9yZW5jZTEOMAwGA1UECgwFTElMaUsxDDAKBgNVBAsMA3ZwbjCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANntnC79f90kiDOfR1C5toJt/Emg +s56ajW7OtFtLPn/e/0ssKnO5eMNThs5+tYCsrZf+J/3QQUcZo77r2YFCbB9XZASv +SNz/eFtUFQDvCtwxT6S3XmrymFd+pBgfCgC5/4qaNJGKz+HUBaVrrBWG2QnmEPJb +ZWh45AGMla2QX7C3HmOZgMomQSQqK/kxGoOotIhBoy07pky3C8YhWthagDp5Y+wW +Gt6RBowEPza316bQWYQcsPmVg3TOdZH4DZGnWGl2rOHcwfaYyaLPv2bdd58J2ToU +IOhjAF8wLnU2syizeqO7zEzBInMudXxaubOOtBZUFEeKkyeq6fO7obM37nCaXDzU +fClg/WyY3DEmGN7b/H2JUPXDpjnmX+sBZrWAUZCwnkoseaA3wqp1cigAdhNVC19q +0Y/BhRiDNTyBC8tE0Tv5etSGog5rvFOCuoPM5psXuXUWToMOZsEZ5bMf34UF+p4C +mx8k4eLm3NsYWndAkRQKpCVmptMBR9rW6DdChgEYM+5keI+6pIb7eTO3ndHtpY4Y +W1IA059yA3eP1JqnqsxkvVqPBX7wr7fGUoibwZigA64w2gY4tjewocTJZrlZupqe +hct4a/A/vRJqCQqTGSjJdbmwau0wv8N45bgQq3R2y5ERqu5/pc1n+yVrWV7KZeOb +bXja/U2PzzYS9CdLAgMBAAGjUDBOMB0GA1UdDgQWBBR59Xeu/85H4hAhxF6bjnHs +RBw8gzAfBgNVHSMEGDAWgBR59Xeu/85H4hAhxF6bjnHsRBw8gzAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQA2z+RrzF5WRwAHAECP7cOLZr1Py7qZjMeh +pAMxP4YUYKKPjvsEIdR9ZXDCVBt6BaiVRoUJfdhq+6idb7/sYgv3QL3wfXonMpFY +eB9mpDcV2i7ei+VhJVUTAs+F4HBZgXvu3pdy2WRyNheMCl4NqWJj6MVLR+xRjaJ4 +G/0HxnI1/rJs3GA2baXwFFgDOa8wV8iC23yDz0mlFqjpkh3u5LAYR3Le9xL7MOdd +G+v2whzX8DDjQskkUlvt6BqSH9OGWC3yYqSG/LDFu3HkdyCyUyBlsfh9LvAu3jvA +GCcS7F86GaE/wroPpM34U99lI96ieTN2WC1LteLxa73TLV02JiZAVbqCRSzmf1Ti +dDelWXTZ95dyMnytB2iECwSYrHeANfnkBh45rjvWeNPMaFOPuYbfJaag/88IJbTF +NbDlHWbXY5TJzF9E0usNABdZ00TJWqJSGIJpnKO8iTK7wKrWS7CvRhR8GEDYRFRt +FT1T2q/0cufBF1flTndz5g0mkoJxlV/pOCh7eKGLZYFjXSbs8pS8gWjkqmAlT5q6 +6e/Ov0gITxSYiNeLRKtBii0U7IRaVDcGS1DzF7Kve4VMKooXQyaQ0BbhpcTpxSKc +ACnFg6fDKmdXpOM75BMAOf+j08UolT/FhAuQ+YmOeAezcMejmQX+qUb+hEh35B+0 +0F7Syw/qWg== +-----END 
CERTIFICATE-----
+
diff --git a/firewall.yaml b/firewall.yaml
new file mode 100644
index 0000000..765228d
--- /dev/null
+++ b/firewall.yaml
@@ -0,0 +1,4 @@
+---
+- hosts: gandalf2
+ roles:
+ - role: openvpn
diff --git a/roles/openvpn/handlers/main.yaml b/roles/openvpn/handlers/main.yaml
new file mode 100644
index 0000000..f9b69c4
--- /dev/null
+++ b/roles/openvpn/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: reload openvpn
+ shell: '/etc/init.d/openvpn reload'
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
new file mode 100644
index 0000000..848e57a
--- /dev/null
+++ b/roles/openvpn/tasks/main.yaml
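Review bot: The `reload openvpn` handler in `roles/openvpn/handlers/main.yaml` uses `shell:` for a fixed command that needs no shell features; `command: /etc/init.d/openvpn reload` is the conventional choice and avoids spawning a shell for nothing. Whether `reload` on this init script makes OpenVPN re-read a freshly generated key or DH file, as opposed to only the UCI configuration, cannot be confirmed from the diff, so the handler name may be optimistic for the key-generation tasks that notify it.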
@@ -0,0 +1,105 @@
+- name: install openvpn-openssl package
+ opkg:
+ name: openvpn-openssl
+ state: present
+
+- name: create openvpn KEY
+ shell: 'openssl genrsa -out /etc/openvpn/openvpn.key 2048'
+ args:
+ creates: /etc/openvpn/openvpn.key
+ notify: reload openvpn
+
+
+- name: create openvpn dh2048
+ shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
+ args:
+ creates: /etc/openvpn/dh2048.pem
+ notify: reload openvpn
+
+
+- name: create CSR
+ shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ ansible_hostname }}.lilik.it" -key /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr'
+ args:
+ creates: /etc/openvpn/openvpn.csr
+ notify: reload openvpn
+
+- name: check if openvpn cert key exist
+ stat:
+ path: /etc/openvpn/openvpn.cert
+ register: openvpn_cert_key
+
+- block:
+ - name: get pub key
+ shell: "cat /etc/openvpn/openvpn.csr"
+ register: pub_key
+ - debug: var=pub_key verbosity=2
+ - name: generate host request
+ set_fact:
+ cert_request:
+ type: 'sign_request'
+ request:
+ keyType: 'ssl_host'
+ hostName: '{{ inventory_hostname }}'
+ keyData: '{{ pub_key.stdout }}'
+ - debug: var=cert_request verbosity=2
+ - name: start sign request
+ raw: "{{ cert_request | to_json }}"
+ delegate_to: "{{item}}"
+ delegate_facts: True
+ with_items: "{{groups['cas']}}"
+ register: request_result
+ - debug: var=request_result verbosity=2
+
+ - set_fact:
+ request_output: "{{ request_result.results[0].stdout|string|from_json }}"
+ - debug: var=request_output
+
+ - name: generate get request
+ set_fact:
+ get_request:
+ type: 'get_certificate'
+ requestID: '{{ request_output.requestID }}'
+ - debug: var=get_request verbosity=2
+
+ - debug: msg="Please manualy confirm sign request with id {{ request_output.requestID }}"
+
+ - name: wait for cert
+ raw: "{{ get_request | to_json }}"
+ delegate_to: "{{item}}"
+ delegate_facts: True
+ with_items: "{{groups['cas']}}"
+ register: cert_result
+
+ - debug: var=cert_result verbosity=2
+
+ - set_fact: 
+ cert_key: "{{ cert_result.results[0].stdout|string|from_json }}"
+
+ - debug: var=request_output verbosity=2
+
+ - name: set pub key
+ shell: "echo '{{ cert_key.result }}' > /etc/openvpn/openvpn.cert"
+ register: set_pub_key
+ when: not openvpn_cert_key.stat.exists
+
+- name: copy vpn ca public key
+ copy:
+ src: test_vpn_ca.crt
+ dest: /etc/openvpn/ca.crt
+
+- name: write openvpn configuration
+ template:
+ dest=/etc/config/openvpn
+ src=openvpn.j2
+ owner=root
+ group=root
+ mode=0400
+ register: new_vpn_config
+ notify: reload openvpn
+
+- name: commit openvpn configuration to uci
+ shell: 'uci commit openvpn'
+ notify: reload openvpn
+ when: new_vpn_config.changed
+
+
diff --git a/roles/openvpn/templates/openvpn.j2 b/roles/openvpn/templates/openvpn.j2
new file mode 100644
index 0000000..4034c42
--- /dev/null
+++ b/roles/openvpn/templates/openvpn.j2
@@ -0,0 +1,16 @@
+config openvpn 'vpn'
+ option enabled '1'
+ option verb '3'
+ option port '777'
+ option proto 'tcp'
+ option dev 'tun'
+ option server '10.8.0.0 255.255.255.0'
+ option keepalive '10 120'
+ option ca '/etc/openvpn/ca.crt'
+ option cert '/etc/openvpn/openvpn.cert'
+ option key '/etc/openvpn/openvpn.key'
+ option dh '/etc/openvpn/dh2048.pem'
+ list push 'route 192.168.0.0 255.255.255.0'
+ list push 'route 192.168.1.0 255.255.255.0'
+ list push 'route 10.150.40.0 255.255.248.0'
+ list push 'route 192.168.15.2 255.255.255.255'
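Review bot: The private key produced by the `create openvpn KEY` task keeps whatever mode `openssl genrsa` and the router's umask give it, and nothing in `roles/openvpn/tasks/main.yaml` tightens it afterwards, so depending on the OpenSSL build `/etc/openvpn/openvpn.key` may be readable by any local user; a follow-up task such as `file: path=/etc/openvpn/openvpn.key owner=root group=root mode=0600` would pin it, the way the template task already pins `mode=0400` on the config. The `set pub key` task writes the CA's answer through `shell: "echo '{{ cert_key.result }}' > /etc/openvpn/openvpn.cert"`, which depends on `cert_key.result` never containing a single quote; `copy: { content: "{{ cert_key.result }}", dest: /etc/openvpn/openvpn.cert }` writes the same file without a shell. Indentation is collapsed in this view, so it is not certain whether the closing `when: not openvpn_cert_key.stat.exists` sits on the `block:` or only on that last task; if the latter, the sign request is re-sent to every host in `groups['cas']` on each run.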
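Review bot: The server template in `roles/openvpn/templates/openvpn.j2` authenticates clients with nothing beyond chaining to `ca.crt`: there is no `option remote_cert_tls 'client'`, so any certificate issued under that CA, including another server's, is accepted as a client, and no `option crl_verify`, so a lost client certificate cannot be revoked. Cipher, HMAC and control-channel protection are also left at OpenVPN defaults; adding `option remote_cert_tls 'client'`, `option cipher 'AES-256-CBC'` and `option auth 'SHA256'`, plus a `tls_auth` or `tls_crypt` key shared with clients, is worth doing before port 777/tcp is exposed. Dropping privileges after startup with `option user 'nobody'` together with `option persist_key '1'` and `option persist_tun '1'` would limit what a fault in the daemon can reach on the router.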