Browse Source
roles/openvpn: updates and improvements
- TLSv1.3 mandatory - Pushed routes not hardcoded but defined by `routes` list - TLS Private Key ED25519 instead of RSA - Signing request refactored - Topology switched from `net30` to `subnet` - Ready for separated user and server CA - Server certificate validity is assessed - `tls_int` and `packages` tags added.python3
4 changed files with 104 additions and 122 deletions
Split View
Diff Options
-
+11 -6firewall.yaml
-
+1 -1roles/openvpn/handlers/main.yaml
-
+82 -108roles/openvpn/tasks/main.yaml
-
+10 -7roles/openvpn/templates/openvpn.j2
+ 11
- 6
firewall.yaml
View File
| @ -1,9 +1,14 @@ | |||
| --- | |||
| - hosts: gandalf | |||
| - hosts: 'gandalf' | |||
| roles: | |||
| - role: openvpn | |||
| - role: ssh_server | |||
| ansible_distribution: "openwrt" | |||
| - hosts: status | |||
| - role: 'openvpn' | |||
| routes: | |||
| - '10.151.42.0 255.255.255.0' | |||
| - '10.151.40.0 255.255.255.0' | |||
| - role: 'ssh_server' | |||
| ansible_distribution: 'openwrt' | |||
| - hosts: 'status' | |||
| roles: | |||
| - role: icinga2-monitoring | |||
| - role: 'icinga2-monitoring' | |||
| ... | |||
+ 1
- 1
roles/openvpn/handlers/main.yaml
View File
| @ -1,3 +1,3 @@ | |||
| --- | |||
| - name: reload openvpn | |||
| - name: 'reload openvpn' | |||
| shell: '/etc/init.d/openvpn reload' | |||
+ 82
- 108
roles/openvpn/tasks/main.yaml
View File
| @ -1,113 +1,87 @@ | |||
| --- | |||
| - name: install openvpn-openssl package | |||
| - name: 'install openvpn-openssl package' | |||
| opkg: | |||
| name: openvpn-openssl | |||
| state: present | |||
| - name: create openvpn KEY | |||
| shell: 'openssl genrsa -out {{ openvpn_key }} 2047' | |||
| args: | |||
| creates: "{{ openvpn_key }}" | |||
| notify: reload openvpn | |||
| - name: create openvpn dh2048 | |||
| shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048' | |||
| args: | |||
| creates: /etc/openvpn/dh2048.pem | |||
| notify: reload openvpn | |||
| - name: create CSR | |||
| shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ ansible_hostname }}.lilik.it" -key /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr' | |||
| name: 'openvpn-openssl' | |||
| state: 'present' | |||
| tags: | |||
| - 'packages' | |||
| - name: 'create openvpn private key' | |||
| shell: | |||
| cmd: > | |||
| openssl genpkey | |||
| -algorithm ed25519 | |||
| -out /etc/openvpn/openvpn.key | |||
| args: | |||
| creates: "{{ openvpn_csr }}" | |||
| notify: reload openvpn | |||
| - name: check if openvpn cert key exist | |||
| stat: | |||
| path: "{{ openvpn_crt }}" | |||
| register: openvpn_cert_key | |||
| - block: | |||
| - name: get pub key | |||
| shell: "cat /etc/openvpn/openvpn.csr" | |||
| register: pub_key | |||
| - debug: | |||
| var: pub_key | |||
| verbosity: 2 | |||
| - name: generate host request | |||
| set_fact: | |||
| ca_request: | |||
| type: 'sign_request' | |||
| request: | |||
| keyType: 'ssl_host' | |||
| hostName: '{{ inventory_hostname }}.lilik.it' | |||
| keyData: '{{ pub_key.stdout }}' | |||
| - debug: | |||
| var: cert_request | |||
| verbosity: 2 | |||
| - name: start sign request | |||
| include: ca-dialog.yaml | |||
| - set_fact: | |||
| request_output: "{{ request_result.stdout | string | from_json }}" | |||
| - debug: | |||
| var: request_output | |||
| - name: generate get request | |||
| set_fact: | |||
| ca_request: | |||
| type: 'get_certificate' | |||
| requestID: '{{ request_output.requestID }}' | |||
| - debug: | |||
| msg: "Please manualy confirm sign request with id {{ request_output.requestID }}" | |||
| - name: wait for cert | |||
| include: ca-dialog.yaml | |||
| - set_fact: | |||
| cert_key: "{{ request_result.stdout | string | from_json }}" | |||
| - debug: | |||
| var: request_result | |||
| verbosity: 2 | |||
| - name: set pub key | |||
| copy: | |||
| content: "{{ cert_key.result }}" | |||
| dest: "{{ openvpn_crt }}" | |||
| register: set_pub_key | |||
| when: not openvpn_cert_key.stat.exists | |||
| - set_fact: | |||
| certificates: | |||
| - files/lilik_ca_x1.pub | |||
| - files/lilik_ca_v1.pub | |||
| - name: create vpn fullchain | |||
| creates: '/etc/openvpn/openvpn.key' | |||
| notify: 'reload openvpn' | |||
| tags: | |||
| - 'tls_int' | |||
| #- name: create openvpn dh2048 | |||
| # shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048' | |||
| # args: | |||
| # creates: /etc/openvpn/dh2048.pem | |||
| # notify: reload openvpn | |||
| - name: 'upload server ca' | |||
| copy: | |||
| content: '{{ tls_vpn_server_ca }}{{ tls_root_ca }}' | |||
| dest: '/etc/openvpn/server_ca.crt' | |||
| tags: | |||
| - 'tls_int' | |||
| - name: 'upload user ca' | |||
| copy: | |||
| content: '{{ tls_vpn_user_ca }}{{ tls_root_ca }}' | |||
| dest: '/etc/openvpn/user_ca.crt' | |||
| notify: 'reload openvpn' | |||
| tags: | |||
| - 'tls_int' | |||
| - name: 'check openvpn cert status' | |||
| command: >- | |||
| openssl verify | |||
| -CAfile /etc/openvpn/server_ca.crt | |||
| /etc/openvpn/openvpn.crt | |||
| register: openvpn_cert_is_valid | |||
| changed_when: false | |||
| failed_when: false | |||
| tags: | |||
| - 'tls_int' | |||
| - name: 'create openvpn cert request' | |||
| shell: > | |||
| openssl req | |||
| -new | |||
| -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}" | |||
| -key /etc/openvpn/openvpn.key | |||
| -out /etc/openvpn/openvpn.csr | |||
| when: openvpn_cert_is_valid.rc != 0 | |||
| tags: | |||
| - 'tls_int' | |||
| - import_tasks: 'ca-signing-request.yaml' | |||
| vars: | |||
| host: '{{ server_fqdn }}' | |||
| request_path: '/etc/openvpn/openvpn.csr' | |||
| output_path: '/etc/openvpn/openvpn.crt' | |||
| when: openvpn_cert_is_valid.rc != 0 | |||
| notify: 'reload openvpn' | |||
| tags: | |||
| - 'tls_int' | |||
| - name: 'write openvpn configuration' | |||
| template: | |||
| src: fullchain.j2 | |||
| dest: /etc/openvpn/fullchain.crt | |||
| notify: reload openvpn | |||
| - name: write openvpn configuration | |||
| template: | |||
| dest: /etc/config/openvpn | |||
| src: openvpn.j2 | |||
| owner: root | |||
| group: root | |||
| mode: 0400 | |||
| register: new_vpn_config | |||
| notify: reload openvpn | |||
| - name: commit openvpn configuration to uci | |||
| dest: '/etc/config/openvpn' | |||
| src: 'openvpn.j2' | |||
| owner: 'root' | |||
| group: 'root' | |||
| mode: '0400' | |||
| register: config_updated | |||
| notify: 'reload openvpn' | |||
| - name: 'commit openvpn configuration to uci' | |||
| shell: 'uci commit openvpn' | |||
| notify: reload openvpn | |||
| when: new_vpn_config.changed | |||
| notify: 'reload openvpn' | |||
| when: config_updated.changed | |||